CC5 2 Security Guide

Security Guide

Virsa Compliance Calibrator™ Version 5.2for SAP ERP Systems

COPYRIGHT

© Copyright 2006 SAP AG. All rights reserved.

SAP Library document classification: PUBLIC

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, and Informix are trademarks or registered trademarks of IBM Corporation in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

Virsa, Virsa Systems, Access Enforcer, ComplianceOne, Compliance Calibrator, Confident Compliance, Continuous Compliance, Firefighter, Risk Terminator, Role Expert, the respective taglines, logos and service marks are trademarks of SAP Governance, Risk and Compliance, Inc., which may be registered in certain jurisdictions.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

2

SAP—Important Disclaimers

SAP Library document classification: PUBLIC

This document is for informational purposes only. Its content is subject to change without notice, and SAP does not warrant that it is error‐free. SAP MAKES NO WARRANTIES, EXPRESS OR IMPLIED, OR OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.

Coding Samples

Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or were grossly negligent.

Internet Hyperlinks

The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint where to find supplementary documentation. SAP does not warrant the availability and correctness of such supplementary documentation or the ability to serve for a particular purpose. SAP shall not be liable for any damages caused by the use of such documentation unless such damages have been caused by SAP’s gross negligence or willful misconduct.

Accessibility

The information contained in the SAP Library documentation represents SAP’s current view of accessibility criteria as of the date of publication; it is in no way intended to be a binding guideline on how to ensure accessibility of software products. SAP specifically disclaims any liability with respect to this document and no contractual obligations or commitments are formed either directly or indirectly by this document. This document is for internal use only and may not be circulated or distributed outside your organization without SAP’s prior written authorization.

3

4

CONTENTS

Preface

About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

Alert Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8

Product Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9Documentation Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

Installation Guide, Configuration Guide, User Guide, and Release Notes . . . . . . . . . . . . . . . . . . . . .9

Online Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

Contacting SAP GRC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .10

1 Role Definitions

/VIRSA/Z_CC_ADMINISTRATOR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12/VIRSA/Z_CC_SECURITY_ADMIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13/VIRSA/Z_CC_USER_ADMIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16/VIRSA/Z_CC_BUSINESS_OWNER . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17/VIRSA/Z_CC_REPORTING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

2 Authorization Object Definitions

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24ZVRAT_0001—Table Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24ZVRAT_0002—Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26ZVRAT_0003—User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26ZVRAT_0004—Organizational Rule ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26ZVRAT_0005—Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27ZVRAT_0006—Mitigation by Business Unit ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27ZVRAT_0007—Mitigation by Risk ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27ZVRAT_0008—Mitigation by Role Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27ZVRAT_0009—Mitigation by HR Object ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28ZVRAT_0010—Function Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28ZVRAT_0011—Risk Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28ZVRAT_0012—Rules Display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28ZVRAT_0013—Business Process Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29

5

Virsa Compliance Calibrator Version 5.2Security Guide

3 Table Maintenance Authorization Groups

S_TABU_DIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

4 Virsa Tool Box Reports and Utilities Authorization Groups

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .37

5 Line-Oriented Authorizations

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40

Design Organization Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41

Define Organization Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41

Define Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

Assign Attributes to Table Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

Include Authorizations for S_TABU_LIN in Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43

Activate Organization Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

Cross‐Table Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44

S_TABU_LIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45

6 Authorization Check Flowchart

Authorization Check Flowchart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48

7 Actions Required for NetWeaver

Actions and Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54

8 RFC Authorizations

RFC Authorizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62

6

PREFACE

TOPICS COVERED IN THIS PREFACE

About this Guide

Conventions

Alert Statements

Product Documentation

Documentation Formats

Installation Guide, Configuration Guide, User Guide, and Release Notes

Online Help

Contacting SAP GRC

7


About this Guide

Conventions

The following conventions are observed throughout this document:

• Bold sans‐serif text is used to designate file and folder names, dialog titles, names of buttons, icons, and menus, and terms that are objects of a user selection.

• Bold text is used to indicate defined terms and word emphasis.

• Italic text is used to indicate user‐specified text, document titles, and word emphasis.

• Monospace text (Courier) is used to show literal text as you would enter it, or as it would appear onscreen.

Alert Statements

The alert statements—Note, Important, and Warning—are formatted in the following styles:

Note Information that is related to the main text flow, or a point or tip provided in addition to the previous statement or instruction.

Important Advises of important information, such machine or data error that could occur should the user fail to take or avoid a specified action.

Warning Requires immediate action by the user to prevent actual loss of data or where an action is irreversible, or when physical damage to the machine or devices is possible.

8

Product DocumentationPreface

Product Documentation

Documentation Formats

Documentation is provided in the following electronic formats:

• Adobe® Acrobat® PDF files

• Online help

You must have Adobe® Reader® installed to read the PDF files. Adobe Reader installation programs for common operating systems are available for free download from the Adobe Web site at www.adobe.com.

Installation Guide, Configuration Guide, User Guide, and Release Notes

You can download the Installation Guide, Configuration Guide, User Guide, and Release Notes in PDF format.

Online Help

You can access online help by clicking the Help link from within the application.

9


Contacting SAP GRC

For information on contacting SAP Governance, Risks, and Compliance (SAP GRC), go to the SAP Support Portal which can be found on the SAP Service Marketplace at: service.sap.com.

In order to use the SAP Support Portal you will need to log in using your SAP user account. If you do not already have an existing SAP user account, you must first create a new account. At the bottom right area of the SAP Service Marketplace page, under the “Questions Regarding Login?” heading, click the “New User? Register here!” link. You will be prompted for a Customer Number or Installation Number which you can get from your SAP Basis Administrator. (In an SAP system you can find your installation number under System ‐> Status ‐> SAP System data.)

To submit your support request(s) from the SAP Support Portal, use the quick‐link “Messages” and follow the “SAP Message Wizard” procedure. All support requests should be logged under the following SAP GRC support components:

• GRC‐SAE Virsa Access Enforcer for SAP

• GRC‐SCC Virsa Compliance Calibrator for SAP

• GRC‐SFF Virsa Firefighter for SAP

• GRC‐SRE Virsa Role Expert for SAP

For more information on the SAP Support Portal, use the quick‐links provided below:

• SAP Notes Search Here you can search for reference material and possible solutions for any questions regarding the GRC components.

• Messages Here you can create Support Messages for the GRC components.

• Software Download Here you can download installations, upgrades, and support packages.

• SAP Service Channel ‐ Your Inbox Here you can monitor the status of your open messages.

10

1ROLE DEFINITIONS

TOPICS COVERED IN THIS CHAPTER

/VIRSA/Z_CC_ADMINISTRATOR

/VIRSA/Z_CC_SECURITY_ADMIN

/VIRSA/Z_CC_USER_ADMIN

/VIRSA/Z_CC_BUSINESS_OWNER

/VIRSA/Z_CC_REPORTING

11


/VIRSA/Z_CC_ADMINISTRATOR

The SAP Compliance Calibrator Administrator role has complete access to all programs and tables. Users assigned to this role can access Rule Architect, Mitigation Controls, Alerts, Configuration Options, the Compliance Calibrator Tool Box reports and Utilities, and all Risk Analysis reports and simulations running in the foreground or background.

Table 1 Authorization Objects

Authorization Object

Field Name Field Value

ZVRAT_0001 Action *

ZVRAT_0002 Activity *

ZVRAT_0003 User group in user master main *

ZVRAT_0004 Org. Rule ID *

ZVRAT_0005 Mitigating Control ID *

Risk ID *

ZVRAT_0006 Business Unit ID *

ZVRAT_0007 Risk ID *

ZVRAT_0008 Role Name *

ZVRAT_0009 Object ID *


Function *


ID *



ID *

12

/VIRSA/Z_CC_SECURITY_ADMINChapter 1 Role Definitions

/VIRSA/Z_CC_SECURITY_ADMIN

Security administrators assigned to the Compliance Calibrator Security_Admin role have the following abilities and access:

• Access to perform user and role analysis

• Access to perform rule maintenance

• Ability to display alerts

• Ability to maintain mitigating control references & approvers

• Ability to assign mitigation controls to roles and profiles

• Ability to execute Tool Box utilities

• Ability to display all tables in authorization groups ZC* and ZV* [S_TABU_DIS]

• Ability to maintain select tables in authorization groups ZC* and ZV* [S_TABU_DIS]

• Read/write access to /VIRSA/* ABAP programs [S_DATASET]

• Execute programs in authorization group ZVRAT* [S_PROGRAM]

Table 2 Additional Authorization Objects



S_TCODE Transaction /VIRSA/ZVRAT, /VIRSA/ZVRAT*, /VIRSA/ALERTGEN, /VIRSA/ORG*

S_DATASET Activity 33, 34

Physical file name *

ABAP program name /VIRSA/*

S_TABU_DIS Activity *

Authorization Group ZC*, ZV*

S_DEVELOP Activity 03

Package /VIRSA/*

Object Name /VIRSA/ZVRAT_TOOLS

Object Type MENU

Auth Group ABAP/4 program *

S_Program User Action ABAP/4 program *

Auth Group ABAP/4 program ZVRAT*

13


Table 3 Virsa Authorization Objects



ZVRAT_0001 Action AOBJ, ATCD, CAUT, CPAR, CPRF, CROL, CTCD, MBUA, MBUS, MHRO, MMAP, MMON, MPRO, MREF, MREP, MRIS, MROL, OBJT, ORGR, TCOD, V*

ZVRAT_0002 Activity 16, 37, 48


ZVRAT_0004 Org. Rule ID *

ZVRAT_0005 Mitigating Control ID Inactive

Risk ID Inactive






Function *


ID *


ZVRAT_0013 Activity Inactive

Business Process ID *

14

/VIRSA/Z_CC_SECURITY_ADMINChapter 1 Role Definitions




S_TCODE Transaction Pre‐existing:/VIRSA/ALERTGEN, /VIRSA/ORGRULES, /VIRSA/ORGUSERS, /VIRSA/ORGUSRMAPPING, /VIRSA/ZVRAT, /VIRSA/ZVRAT_C01, /VIRSA/ZVRAT_M01, /VIRSA/ZVRAT_M02 /VIRSA/ZVRAT_M03, /VIRSA/ZVRAT_M04, /VIRSA/ZVRAT_P01, /VIRSA/ZVRAT_R01, /VIRSA/ZVRAT_RB3, /VIRSA/ZVRAT_S01, /VIRSA/ZVRAT_S05, /VIRSA/ZVRAT_S06, /VIRSA/ZVRAT_S07, /VIRSA/ZVRAT_S08, /VIRSA/ZVRAT_S09, /VIRSA/ZVRAT_S10, /VIRSA/ZVRAT_S11, /VIRSA/ZVRAT_S13, /VIRSA/ZVRAT_S14, /VIRSA/ZVRAT_S15, /VIRSA/ZVRAT_S16, /VIRSA/ZVRAT_U01 /VIRSA/ZVRATU02, /VIRSA/ZVRAT_U03, /VIRSA/ZVRAT_UO5

New for SP2:/VIRSA/ZVRAT_M05/VIRSA/ZVRAT_MG1

S_DATASET Activity 33, 34

Physical file name *

ABAP program name /VIRSA/*

S_TABU_DIS Activity 03

Authorization Group ZC&*, ZV&*

Activity 02

Authorization Group ZC&A, ZC&B, ZC&C, ZC&D, ZC&E, ZC&F, ZC&G, ZC&H, ZC&I, ZC&J, ZC&K, ZC&L, ZC&M, ZM&O, ZV&A, ZV&B, ZV&C, ZV&D, ZV&E, ZV&G, ZV&I, ZV&J, ZV&K, ZV&L, ZV&M, ZV&N, ZV&Q, ZV&R, ZV&S


Package /VIRSA/*


Object Type MENU


15


/VIRSA/Z_CC_USER_ADMIN

User administrators assigned to the Compliance Calibrator User_Admin role have the following abilities and access:

• Ability to perform user and role analysis

• Ability to assign mitigation controls to users

• Ability to perform simulations and role assignment from simulation

• Ability to maintain tables in authorization groups ZV&H [S_TABU_DIS]

• Access to display all tables in authorization groups ZC* and ZV* [S_TABU_DIS]

• Execute programs in authorization groups ZVRAT* [S_PROGRAM]



Table 4 Additional Authorization Objects (Continued)






ZVRAT_0001 Action MUSR, UASG, V*



ZVRAT_0004 Org. Rule ID Inactive


Risk ID Inactive






Function Inactive


ID Inactive

ZVRAT_0012 Risk ID Inactive

16

/VIRSA/Z_CC_BUSINESS_OWNERChapter 1 Role Definitions

/VIRSA/Z_CC_BUSINESS_OWNER

Business owners assigned to the Compliance Calibrator Business_Owner role have the following abilities and access:


• Ability to execute select reports in the Tool Box

• Access to display Rule Architect and Mitigation Controls modules

• Access to display all Compliance Calibrator tables

• Access to display select tables in authorization groups ZC* and ZV* [S_TABU_DIS]

• Execute programs in authorization group ZVRA* [S_PROGRAM]






S_TCODE Transaction /VIRSA/ZVRAT


Authorization Group ZC&*, ZV&*

Activity 02

Authorization Group ZV&H


Package /VIRSA/*


Object Type MENU







Note If business owners should have authorization to clear alerts, the Business_Owner role needs to include object ZVRAT_0005. This object is not included by default.

17





ZVRAT_0001 Action V*





Risk ID Inactive

ZVRAT_0006 Business Unit ID Inactive


ZVRAT_0008 Role Name Inactive

ZVRAT_0009 Object ID Inactive


Function Inactive


ID Inactive







S_TCODE Transaction /VIRSA/ZVRAT, /VIRSA/ZVRAT_C01, /VIRSA/ZVRAT_D01, /VIRSA/ZVRAT_M02, /VIRSA/ZVRAT_P01, /VIRSA/ZVRAT_R01, /VIRSA/ZVRAT_S01, /VIRSA/ZVRAT_S08, /VIRSA/ZVRAT_U01, /VIRSA/ZVRAT_U03, /VIRSA/ZVRAT_U05




18

/VIRSA/Z_CC_REPORTINGChapter 1 Role Definitions

/VIRSA/Z_CC_REPORTING

Business owners assigned to the Compliance Calibrator Business_Owner role have the following abilities and access permissions:


• Ability to display Rule Architect, Mitigation Controls, and Alerts modules

• Ability to execute select reports in the Tool Box

• Access to display select tables in authorization groups ZC* and ZV* [S_TABU_DIS]

• Execute programs in authorization groups ZVRAT* [S_PROGRAM]

Package /VIRSA/*


Object Type MENU



Auth Group ABAP/4 program ZVRA*

Table 8 Additional Authorization Objects (Continued)



Note There are no security restrictions for creating business processes. All other Rule Architect features are limited to display only.

19





ZVRAT_0001 Action V*





Risk ID Inactive

ZVRAT_0006 Business Unit ID Inactive


ZVRAT_0008 Role Name Inactive

ZVRAT_0009 Object ID Inactive


Function Inactive


ID Inactive







S_TCODE Transaction /VIRSA/ZVRAT, /VIRSA/ZVRAT_D01, /VIRSA/ZVRAT_M02, /VIRSA/ZVRAT_P01, /VIRSA/ZVRAT_R01, /VIRSA/ZVRAT_S01, /VIRSA/ZVRAT_S08, /VIRSA/ZVRAT_U01, /VIRSA/ZVRAT_U03, /VIRSA/ZVRAT_U05




Package /VIRSA/*

20

/VIRSA/Z_CC_REPORTINGChapter 1 Role Definitions


Object Type MENU



Auth Group ABAP/4 program ZVRA*




21


22

2AUTHORIZATION

OBJECT DEFINITIONS


Introduction

ZVRAT_0001—Table Maintenance

ZVRAT_0002—Execution

ZVRAT_0003—User Groups

ZVRAT_0004—Organizational Rule ID

ZVRAT_0005—Alerts

ZVRAT_0006—Mitigation by Business Unit ID

ZVRAT_0007—Mitigation by Risk ID

ZVRAT_0008—Mitigation by Role Name

ZVRAT_0009—Mitigation by HR Object ID

ZVRAT_0010—Function Maintenance

ZVRAT_0011—Risk Maintenance

ZVRAT_0012—Rules Display

ZVRAT_0013—Business Process Maintenance

23


Introduction

All object field actions employ the following naming convention. Object field action names begin with “/VIRSA/” and are followed by the name of the field action.

ZVRAT_0001—Table Maintenance

Authorization object ZVRAT_0001 controls the maintenance of Compliance Calibrator tables.

The object has only one field, /VIRSA/ATN (Action). Table maintenance is controlled by the action values of authorization object ZVRAT_0001.

This authorization object also controls the type of analysis that can be performed using Compliance Calibrator. The action codes shaded gray control analysis types.

Defined Field

/VIRSA/ATN (Action)

Table 11 Object Values

Action Code

Description Table

* All activities (complete access)

TCOD SoD Transaction Code Table /VIRSA/ZSODTC

CTCD Critical Transactions Table /VIRSA/ZCRTRAN

OBJT SoD Authorization Object Level Table /VIRSA/ZCRAUTH

CROL Critical Roles Table /VIRSA/ZCRROLES

CPRF Critical Profiles Table /VIRSA/ZCRPROF

CNFG Configuration Table /VIRSA/ZVRATCNFG

MUSR Mitigating Control User Table /VIRSA/ZMITCNTL

MREF Mitigating Controls Table /VIRSA/ZMITREF

MROL Mitigating Control Role Table /VIRSA/ZMITROLE

MPRO Mitigating Control Profile Table /VIRSA/ZMITPROF

MHRO Mitigating Control HR Object Table /VIRSA/ZMITHROBJ

MMON Mitigating Control Monitor Table /VIRSA/ZMITAPVR

MBUA Business Unit Approvers /VIRSA/BUAPPVR

MBUS Mitigating Business Units /VIRSA/ZBUSUNIT

MMAP Monitors and Approvers /VIRSA/ZMITMON

MREP Mitigating Reports /VIRSA/MITREPORT

24

ZVRAT_0001—Table MaintenanceChapter 2 Authorization Object Definitions

MRIS Associated Risks /VIRSA/ZMITRISKS

CCTC Custom Critical Transactions Table (Custom Utilities Restricted Transactions)

/VIRSA/ZCRTRANC1

CCSO Custom SoD Object Table (Custom Utilities Restricted Objects)

/VIRSA/ZCRAUTHC1

CPAR SoD (Object) level Supp. Table /VIRSA/ZCRPARAM

CCST Custom SoD TCode Table (Custom Utilities SoD Summary)

/VIRSA/ZSODTCC1

CAUT Critical Authorization Objects /VIRSA/ZCRAUTHOB

ATCD Analyzed Transactions /VIRSA/ZANALTRAN

AOBJ Analyzed Authorization Objects /VIRSA/ZANALOBJT

ORGR Organizational Rule ID /VIRSA/ORGRULES

VJOB Job Level Execution

VORG Organization Level Execution

VPOS Position Level Execution

VPRF Profile Level Execution

VROL Role Level Execution

VUGP User Group Level Execution

VUSR User Level Execution

UASG Role Assignment to Users

BMON Business Unit Monitors /VIRSA/BUMONITOR

FSCM Forceful Scan

MGUP Update Management Report

Table 11 Object Values (Continued)

Action Code

Description Table

25


ZVRAT_0002—Execution

Authorization object ZVRAT_0002 restricts the execution of the Compliance Calibrator transaction and the ability to upload and download Compliance Calibrator tables.

This object has one field, /VIRSA/ACT (Activity).

Defined Field

/VIRSA/ACT (Activity)

ZVRAT_0003—User Groups

Authorization object ZVRAT_0003 is used to restrict Compliance Calibrator users to certain user groups.

This object has only one field, CLASS.

Defined Field

CLASS—User group in user master maintenance

ZVRAT_0004—Organizational Rule ID

Authorization object ZVRAT_0004 is used to restrict Compliance Calibrator analysis by Organizational Rule ID.

This object has only one field, /VIRSA/ORG.

Defined Field

/VIRSA/ORG—Organizational Rule ID values defined in the /VIRSA/ORGRULES table

Table 12 Object Values

Activity Code

Description

16 Execute (foreground)

37 Schedule in background

48 Simulation

DL Download

UL Upload

26

ZVRAT_0005—AlertsChapter 2 Authorization Object Definitions

ZVRAT_0005—Alerts

Authorization object ZVRAT_0005 is used to restrict clearing alerts.

This object has two fields, /VIRSA/MIT and /VIRSA/RSD.

Defined Fields

/VIRSA/MIT—Mitigating Control ID—Mitigation Control ID values stored in the /VIRSA/ZMITREF table

/VIRSA/RSD—Risk ID—Risk ID values defined in the /VIRSA/ZCRTRAN table (critical transactions) and Risk ID values stored in the /VIRSA/RISKS table

ZVRAT_0006—Mitigation by Business Unit ID

Authorization object ZVRAT_0006 is used to restrict mitigation by Business Unit ID.

This object has one field, /VIRSA/BUS.

Defined Field

/VIRSA/BUS—Business Unit ID values stored in the /VIRSA/ZBUSUNIT table

ZVRAT_0007—Mitigation by Risk ID

Authorization object ZVRAT_0007 is used to restrict mitigation by Risk ID.

This object has one field, /VIRSA/RSD.

Defined Field

/VIRSA/RSD—Risk ID values stored in the /VIRSA/ZMITRISKS table

ZVRAT_0008—Mitigation by Role Name

Authorization object ZVRAT_0008 is used to restrict mitigation by Role Name.

This object has one field, /VIRSA/ROL.

Defined Field

/VIRSA/ROL—Role Name

27


ZVRAT_0009—Mitigation by HR Object ID

Authorization object ZVRAT_0009 is used to restrict mitigation by HR Object ID.

This object has one field, /VIRSA/OBJ.

Defined Field

/VIRSA/OBJ—HR Object ID

ZVRAT_0010—Function Maintenance

Authorization object ZVRAT_0010 is used to restrict function maintenance by Function ID.

This object has two fields, ACTVT and /VIRSA/FUN.

Defined Fields

ACTVT—Activity

/VIRSA/FUN—Function ID values stored in the /VIRSA/FUNCTION table

ZVRAT_0011—Risk Maintenance

Authorization object ZVRAT_0011 is used to restrict Risk maintenance by Risk ID.

This object has two fields, ACTVT and /VIRSA/RSK.

Defined Fields

ACTVT—Activity

/VIRSA/RSK—Risk ID values stored in the /VIRSA/RISKS table

ZVRAT_0012—Rules Display

Authorization object ZVRAT_0012 is used to restrict rules display by Rule ID.

This object has one field, /VIRSA/RSD.

Defined Fields

/VIRSA/RSD—Risk ID values stored in the /VIRSA/RISKS table

28

ZVRAT_0013—Business Process MaintenanceChapter 2 Authorization Object Definitions

ZVRAT_0013—Business Process Maintenance

Authorization object ZVRAT_0013 is used to restrict business process maintenance by Business Process ID.

This object has two fields, ACTVT and /VIRSA/V01.

Defined Fields

ACTVT—Activity

/VIRSA/V01—Business Process ID values stored in the /VIRSA/BUSSPROC table

29


30

3TABLE MAINTENANCE

AUTHORIZATION GROUPS


S_TABU_DIS

31


S_TABU_DIS

S_TABU_DIS is checked when maintaining tables. Each table is protected with a unique authorization group. The mapping of authorization groups to the tables is shown in Table 13.

Note If you are implementing additional customer-specific functionality, you need access to the highlighted tables.

Table 13 Table Authorization Groups

Table Name Description Auth. Group

/VIRSA/ALMAILIDS Compliance Calibrator Alert Email IDs ZC&N

/VIRSA/BUAPPVR Business Unit Approver ZC&M

/VIRSA/ORGRULES Organizational values ZC&I

/VIRSA/ORGUSERS Mapping between users and the organizational values ZC&J

/VIRSA/ZANALOBJT Analyzed authorization objects ZV&Q

/VIRSA/ZANALTRAN Analyzed transactions ZV&I

/VIRSA/ZBUSUNIT Business Units ZC&L

/VIRSA/ZCRAUTH Authorization Objects ZV&C

/VIRSA/ZCRAUTHC1 Restricted Critical Authorizations ZV&M

/VIRSA/ZCRAUTHL1 SoD Authorization Object ZC&C

/VIRSA/ZCRAUTHL2 SoD Authorization Object ZC&D

/VIRSA/ZCRAUTHL3 SoD Authorization Object ZC&E

/VIRSA/ZCRAUTHL4 SoD Authorization Object ZC&F

/VIRSA/ZCRAUTHL5 SoD Authorization Object ZC&G

/VIRSA/ZCRAUTHOB Critical Authorization Objects ZV&J

/VIRSA/ZCRPARAM SoD (Object Level) Supp.Table ZV&O

/VIRSA/ZCRPROF Critical Profiles ZV&D

/VIRSA/ZCRROLES Critical Roles ZV&E

/VIRSA/ZCRTRAN Critical Transactions ZV&B

/VIRSA/ZCRTRANC1 Restricted Transactions ZV&L

/VIRSA/ZMITAPVR Mitigating Control Monitors ZV&N

/VIRSA/ZMITCNTL Mitigating Control—Users ZV&H

/VIRSA/ZMITHROBJ Mitigating Control—HR Object ZC&H

/VIRSA/ZMITMON Mitigating Monitors and Approvers ZV&S

/VIRSA/ZMITPROF Mitigating Control—Profile ZC&B

/VIRSA/ZMITREF Mitigating Controls ZV&G

32

S_TABU_DISChapter 3 Table Maintenance Authorization Groups

/VIRSA/ZMITRISKS Mitigating Risks ZV&R

/VIRSA/ZMITROLE Mitigating Control—Role ZV&K

/VIRSA/ZSODMIT SoD Group Id and Mitigating Reference Number Relationship

ZC&K

/VIRSA/ZSODTC SoD (TCode) ZV&A

/VIRSA/ZSODTCC1 Restricted SoD at TCode Level ZV&P

/VIRSA/ZVRATCNFG Compliance Calibrator Configuration ZV&F

/VIRSA/BUMONITOR Business unit monitors ZC&O

Table 13 Table Authorization Groups

Table Name Description Auth. Group

33


34

4VIRSA TOOL BOX REPORTS

AND UTILITIES

AUTHORIZATION GROUPS


Introduction

Example

35


Introduction

All reports and utilities in the Virsa Tool Box are assigned authorization groups. This means that a user needs authorization for object S_PROGRAM to execute a report. The following authorization groups have been assigned to the reports/utilities in the Tool Box:

Table 14 Program Authorization Groups

Program Name Description Auth. Group

/VIRSA/ALERTGEN Activity Monitoring ZVRATAL

/VIRSA/ORGUSRMAPPING Program to maintain ORGUSERS table ZVRATOR

/VIRSA/ZVRAT Compliance Calibrator ZVRAT

/VIRSA/ZVRATBAK Compliance Calibrator ZVRAT

/VIRSA/ZVRATBAKC1 Custom Reports ZVRAT

/VIRSA/ZVRAT_C01 Security & Controls Policies and Procedures

ZVRATC01

/VIRSA/ZVRAT_D01 Download Spool Requests by Job Name ZVRATD01

/VIRSA/ZVRAT_DOWNLOAD Download a table ZVRATUPL

/VIRSA/ZVRAT_M01 Upload/Download Compliance Calibrator Tables

ZVRATM01

/VIRSA/ZVRAT_M02 Where used list for Mitigating Control Id/Monitor

ZVRATM02

/VIRSA/ZVRAT_M03 Analyze disabled SoD TCodes and objects ZVRATM02

/VIRSA/ZVRAT_M04 Optimizer for SoD Data Table ZVRATM03

/VIRSA/ZVRAT_M05 Where used list for Control ID Monitor ZVRATM05

/VIRSA/ZVRAT_P01 Display changes to Profiles ZVRATP01

/VIRSA/ZVRAT_R01 Count authorizations in roles ZVRATR01

/VIRSA/ZVRAT_RB2 Rule Architect Wizard ZVRATS05

/VIRSA/ZVRAT_RB3 SoD Rule Builder Wizard ZVRATS05

/VIRSA/ZVRAT_S01 Monitor actual usage of Conflicting & Critical Transactions

ZVRATS01

/VIRSA/ZVRAT_S02 Identify Transactions executed by User(s) ZVRATS02

/VIRSA/ZVRAT_S03 Download Authorization Objects for the SoD Transaction Codes

ZVRATS03

/VIRSA/ZVRAT_S04 Build SoD Object Level Rules from SoD TCodes & Auth. Objects

ZVRATS04

/VIRSA/ZVRAT_S05 SoD Rule Builder Wizard ZVRATS05

/VIRSA/ZVRAT_S06 SoD Rule Validation Tool ZVRATS06

/VIRSA/ZVRAT_S07 Non Reference Report—TCodes by Roles/Profiles, not in SoD tables

ZVRATS07

36

IntroductionChapter 4 Virsa Tool Box Reports and Utilities Authorization Groups

Example

To execute report ‘Upload/Download Compliance Calibrator tables’, a user needs the following authorizations:

Object: S_PROGRAM

Field: User Action

Value: SUBMIT

Field: Auth Group

Value: ZVRATM01

/VIRSA/ZVRAT_S08 User Access Report ZVRATS08

/VIRSA/ZVRAT_S09 Comparing different SoD Matrices ZVRATS09

/VIRSA/ZVRAT_S10 TCodes by Roles/Profiles, never executed in a specific time period

ZVRATS10

/VIRSA/ZVRAT_S11 Authorization Object by Roles/Profiles Report (not in SoD Tables)

ZVRATS11

/VIRSA/ZVRAT_S13 Comparing Critical Transaction Matrices ZVRATS13

/VIRSA/ZVRAT_S14 Comparing SoD Authorization Objects ZVRATS14

/VIRSA/ZVRAT_S15 Compare SoD TCode Matrix with SoD Authorization Object TCodes

ZVRATS15

/VIRSA/ZVRAT_S16 Compliance Calibrator Data Maintenance ZVRATS16

/VIRSA/ZVRAT_U01 Count authorizations for Users ZVRATU01

/VIRSA/ZVRAT_U02 Analysis of called transactions in Custom Code

ZVRATU02

/VIRSA/ZVRAT_U03 Management Report for SoD Remediation ZVRATU03

/VIRSA/ZVRAT_U05 List Expired and Expiring Roles for Users ZVRATU05

/VIRSA/ZVRAT_UPDWNLOAD Program for Upload and Download of data ZVRATUD

/VIRSA/ZVRAT_UPLOAD Upload a table ZVRATUPL

/VIRSA/ZVRAT_CONV Conversion of Compliance Calibrator tables, old to new

ZVRATCN

Table 14 Program Authorization Groups (Continued)

Program Name Description Auth. Group

37


38

5LINE-ORIENTED

AUTHORIZATIONS


Introduction

Use

Implementation

Design Organization Criteria

Define Organization Criteria

Define Attributes

Assign Attributes to Table Fields

Include Authorizations for S_TABU_LIN in Roles

Activate Organization Criteria

Cross-Table Check

S_TABU_LIN

Test

39


Introduction

This chapter discusses the use and implementation of line‐oriented authorizations in SAP. Line‐oriented authorizations are used to restrict users in the modification of SoD Object and Mitigation controls at line level.

Use

Access to customizing tables can be controlled at the row level for display or maintenance using line‐oriented authorizations. Previously, this access can only be controlled at the table level. The user can either have access or not have access to the entire table. Now, authorization object S_TABU_LIN is used to control access at the row level. This check is carried out in addition to authorization objects S_TABU_DIS and S_TABU_CLI. The use of line‐oriented authorization is optional.

In addition to the existing authorization concept, the new authorization object S_TABU_LIN now allows client‐specific assignment of authorizations for business entities. Organizational criterion in a cross‐client table, which only allows a user to display and change table contents for one work area, for example a country, can also be defined. The organizational criterion enables a business concept to be mapped to table key fields.

Implementation

The following procedures are executed to implement line‐oriented authorization:

• Design Organization Criteria

• Define Organization Criteria

• Define Attributes

• Assign Attributes to Table Fields

• Include Authorizations for S_TABU_LIN in Roles

• Activate Organization Criteria

The following sections describe these procedures in more detail.

Note These line-oriented authorizations only work for data display customization and maintenance transactions. At this point, they do not work for data browser transactions such as SE16 and SE17.

40

ImplementationChapter 5 Line-Oriented Authorizations

Design Organization Criteria

• Analyze requirements.

• Identify tables and fields to be protected.

• Identify users and roles to be impacted.

• Review design.

Define Organization Criteria

1 Execute transaction SPRO and navigate to Basis Components > Users and Authorizations > Line-oriented Authorizations > Define Organizational Criteria.

2 Click New Entries.

Figure 1 Change View Organization Criteria Overview

3 Enter the technical name and description of the organization criteria.

Figure 2 Overview of Added Entries

41


Define Attributes

1 Select the organization criteria and double‐click Attributes.


3 Enter the attribute name, assign the field to the authorization field, and enter the description for the field.

4 Click Save when finished.

Figure 3 Overview of Added Entries—Table Fields

Assign Attributes to Table Fields

1 Select the attribute and double‐click Table Fields.


3 Enter the table name and field name to be protected.

Figure 4 Details of Added Entries

42


Include Authorizations for S_TABU_LIN in Roles

1 Enter the authorizations for S_TABU_LIN in the appropriate roles.

2 Insert the object manually, click on any field, and select the organization criteria.

Figure 5 Change Roles: Restrict Values Range

3 Enter the allowed values for authorizations fields and click Transfer.

Figure 6 Change Role: Organizational Criterion Values

4 Generate authorizations and assign authorized users to the role.

43


Activate Organization Criteria

1 Execute transaction SPRO and navigate to Basis Components > Users and Authorizations > Line-oriented Authorizations > Activate Organizational Criteria.

2 Select the Activ check box to activate the organization criteria.

Figure 7 Change View: Organization Criteria Activation

Cross-Table Check

To check for a field for all tables, select the table-ind check box in the Org Criteria page.

Figure 8 Change View: Organization Criteria Overview

44


S_TABU_LIN

This object has the following fields:

• Activity—02, 03

Organization Criterion—Link to table key fields

Org Criterion Attribute1


Org Criterion Attribute3 ←Field Values of (?)

Org Criterion Attribute4 tables (?)





Test

• User is only allowed to maintain/display table T77UA for Work Center Profile Y^WORKCNTR only.

Figure 9 Change View: User Authorizations

Note Security needs to protect the tables that store the configuration of line-oriented authorizations. Only the Security team should have maintenance authorizations to these tables.

45


46

6AUTHORIZATION CHECK

FLOWCHART


Authorization Check Flowchart

47


Authorization Check Flowchart

Figure 10 Flowchart of Authorization Check

48

Authorization Check FlowchartChapter 6 Authorization Check Flowchart

49


50

7ACTIONS REQUIRED FOR

NETWEAVER


Actions and Descriptions

51


Actions and Descriptions

Virsa Compliance Calibrator uses the following actions when connecting to a NetWeaver server. The system account used for the Compliance Calibrator connection to the NetWeaver server must be authorized to perform these actions.

Table 15 Defined Actions—/VIRSA/ATN

Action Name Description

com.virsa.cc.CreateRuleSet Permission to create rule sets

com.virsa.cc.ChangeRuleSet Permission to change rule sets

com.virsa.cc.DeleteRuleSet Permission to delete rule sets

com.virsa.cc.ViewInformer Permission to view Informer

com.virsa.cc.ViewRuleArchitect Permission to view Rule Architect

com.virsa.cc.ViewMitigation Permission to view Mitigation

com.virsa.cc.ViewAlertMonitor Permission to view Alert Monitor

com.virsa.cc.ViewConfiguration Permission to view Configuration

com.virsa.cc.ViewMgmtReport Permission to view Management Reports

com.virsa.cc.RunRiskAnalysis Permission to run Risk Analysis

com.virsa.cc.RunAuditReports Permission to run Audit Reports

com.virsa.cc.RunSecurityReports Permission to run Security Reports

com.virsa.cc.CreateBP Permission to create Business Processes

com.virsa.cc.ChangeBP Permission to change Business Processes

com.virsa.cc.DeleteBP Permission to delete Business Processes

com.virsa.cc.CreateFunction Permission to create Functions

com.virsa.cc.ChangeFunction Permission to change Functions

com.virsa.cc.DeleteFunction Permission to delete Functions

com.virsa.cc.MassFuncMaint Permission for mass maintenance of Functions

com.virsa.cc.CreateRisks Permission to create Risks

com.virsa.cc.ChangeRisks Permission to change Risks

com.virsa.cc.DeleteRisks Permission to delete Risks

com.virsa.cc.CreateCrActions Permission to create Critical Actions

com.virsa.cc.ChangeCrActions Permission to change Critical Actions

com.virsa.cc.DeleteCrActions Permission to delete Critical Actions

com.virsa.cc.CreateCrRoles Permission to create Critical Roles

com.virsa.cc.ChangeCrRoles Permission to change Critical Roles

com.virsa.cc.DeleteCrRoles Permission to delete Critical Roles

52

Actions and DescriptionsChapter 7 Actions Required for NetWeaver

com.virsa.cc.CreateCrProfiles Permission to create Critical Profiles

com.virsa.cc.ChangeCrProfiles Permission to change Critical Profiles

com.virsa.cc.DeleteCrProfiles Permission to delete Critical Profiles

com.virsa.cc.CreateOrgRules Permission to create Organizational Rules

com.virsa.cc.ChangeOrgRules Permission to change Organizational Rules

com.virsa.cc.DeleteOrgRules Permission to delete Organizational Rules

com.virsa.cc.CreateAdmins Permission to create Administrators

com.virsa.cc.ChangeAdmins Permission to change Administrators

com.virsa.cc.DeleteAdmins Permission to delete Administrators

com.virsa.cc.CreateBUnit Permission to create Business Units

com.virsa.cc.ChangeBUnit Permission to change Business Units

com.virsa.cc.DeleteBUnit Permission to delete Business Units

com.virsa.cc.CreateMitCntl Permission to create Mitigating Controls

com.virsa.cc.ChangeMitCntl Permission to change Mitigating Controls

com.virsa.cc.DeleteMitCntl Permission to delete Mitigating Controls

com.virsa.cc.CreateMitUser Permission to create Mitigating Users

com.virsa.cc.ChangeMitUser Permission to change Mitigating Users

com.virsa.cc.DeleteMitUser Permission to delete Mitigating Users

com.virsa.cc.CreateMitRole Permission to create Mitigating Roles

com.virsa.cc.ChangeMitRole Permission to change Mitigating Roles

com.virsa.cc.DeleteMitRole Permission to delete Mitigating Roles

com.virsa.cc.CreateMitProfile Permission to create Mitigating Profiles

com.virsa.cc.ChangeMitProfile Permission to change Mitigating Profiles

com.virsa.cc.DeleteMitProfile Permission to delete Mitigating Profiles

com.virsa.cc.CreateMitHRObject Permission to create Mitigating HR Objects

com.virsa.cc.ChangeMitHRObject Permission to change Mitigating HR Objects

com.virsa.cc.DeleteMitHRsObject Permission to delete Mitigating HR Objects

com.virsa.cc.GenerateAlert Permission to generate alerts

com.virsa.cc.DeleteAlert Permission to delete Alerts

com.virsa.cc.ClearAlert Permission to clear Alerts

com.virsa.cc.CreateSupplementRule Permission to create a Supplement Rule

com.virsa.cc.ChangeSupplementRule Permission to change a Supplement Rule

com.virsa.cc.DeleteSupplementRule Permission to delete a Supplement Rule

Table 15 Defined Actions—/VIRSA/ATN

Action Name Description

53


Roles

Virsa Compliance Calibrator includes the following roles, which you import after installation, during the initial setup operations described in the Configuration section of the Compliance Calibrator User and Administrator Guide. These predefined roles include permissions to perform Compliance Calibrator‐specific actions, grouped to provide built‐in support for some commonly performed tasks, such as generating reports and performing administrative activities.

Table 16 Defined Roles—/VIRSA/ATN

Role Name and Description Permissions for CC Actions (com.virsa.cc.)

VIRSA_CC_ADMINISTRATORVirsa Compliance Calibrator Administrator

CreateRuleSetChangeRuleSetDeleteRuleSetViewInformerViewRuleArchitectViewMitigationViewAlertMonitorViewConfigurationViewMgmtReport

RunRiskAnalysisRunAuditReportsRunSecurityReportsCreateBPChangeBPDeleteBPCreateFunctionChangeFunctionDeleteFunctionMassFuncMaintCreateRisksChangeRisksDeleteRisksCreateCrActionsChangeCrActionsDeleteCrActionsCreateCrRolesChangeCrRolesDeleteCrRoles

54

RolesChapter 7 Actions Required for NetWeaver

VIRSA_CC_ADMINISTRATORVirsa Compliance Calibrator Administrator

CreateCrProfilesChangeCrProfilesDeleteCrProfilesCreateOrgRulesChangeOrgRulesDeleteOrgRulesCreateSupplementRuleChangeSupplementRuleDeleteSupplementRuleCreateAdminsChangeAdminsDeleteAdminsCreateBUnitChangeBUnitDeleteBUnitCreateMitCntlChangeMitCntlDeleteMitCntlCreateMitUserChangeMitUserDeleteMitUserCreateMitRoleChangeMitRoleDeleteMitRoleCreateMitProfileChangeMitProfileDeleteMitProfileCreateMitHRObjectChangeMitHRObjectDeleteMitHRsObjectGenerateAlert DeleteAlertClearAlertExportRulesImportRulesViewBgJobLog



55




VIRSA_CC_REPORTRole for Generating Virsa Compliance Calibrator Reports Only

ViewInformerViewMitigationViewAlertMonitorViewMgmtReportRunRiskAnalysisRunAuditReportsRunSecurityReports

56




VIRSA_CC_SECURITY_ADMINVirsa Compliance Calibrator Security Admininstrator

CreateRuleSetChangeRuleSetDeleteRuleSetViewInformerViewRuleArchitectViewMitigationViewAlertMonitorViewConfigurationViewMgmtReportRunRiskAnalysisRunAuditReportsRunSecurityReportsCreateBPChangeBPDeleteBPCreateFunctionChangeFunctionDeleteFunctionMassFuncMaintCreateRisksChangeRisksDeleteRisksCreateCrActionsChangeCrActionsDeleteCrActionsCreateCrRolesChangeCrRolesDeleteCrRolesCreateCrProfilesChangeCrProfilesDeleteCrProfilesCreateOrgRulesChangeOrgRulesDeleteOrgRules

57


VIRSA_CC_SECURITY_ADMINVirsa Compliance Calibrator Admininstrator

CreateSupplementRuleChangeSupplementRuleDeleteSupplementRuleCreateBUnitChangeBUnitDeleteBUnitGenerateAlertDeleteAlertClearAlertExportRulesImportRulesViewBgJobLog



58




VIRSA_CC_BUSINESS_OWNERVirsa Compliance Calibrator Business Owner

ViewInformerViewRuleArchitectViewMitigationViewAlertMonitorViewConfigurationViewMgmtReportRunRiskAnalysisRunAuditReportsRunSecurityReportsCreateBUnitChangeBUnitDeleteBUnitCreateMitCntlChangeMitCntlDeleteMitCntlCreateMitUserChangeMitUserDeleteMitUserCreateMitRoleChangeMitRoleDeleteMitRoleCreateMitProfileChangeMitProfileDeleteMitProfileCreateMitHRObjectChangeMitHRObjectDeleteMitHRsObject

59


VIRSA_CC_SECURITY_ADMINVirsa Compliance Calibrator Admininstrator

CreateSupplementRuleChangeSupplementRuleDeleteSupplementRuleCreateBUnitChangeBUnitDeleteBUnitGenerateAlertDeleteAlertClearAlertExportRulesImportRulesViewBgJobLog



60

8RFC AUTHORIZATIONS


RFC Authorizations

61


RFC Authorizations

The following objects and field values are required for the RFC user in SAP R/3 and SAP NetWeaver:

S_RFC

ACTVT = ʹ16ʹ

RFC_NAME = ʹ/VIRSA/*ʹ,ʹRFC*ʹ,ʹSDDOʹ,ʹSDIFʹ,ʹSDTXʹ,ʹSSCVʹ,ʹSYSTʹ

RFC_TYPE = ʹFUGRʹ

S_TABU_DIS

AVTVT = ʹ03ʹ

DICBERCLS = ʹ * ʹ

S_TABU_CLI

CLIIDMAINT = ʹXʹ

The objects and values listed above provide the following permissions, which are required by the SAP Compliance Calibrator when making RFC connections to back‐end systems:

• S_BTCH_JOB — Authorization to release background jobs

• S_GUI — Authorization to perform user interface‐related operations

• S_RFC — Authorization to make RFC connections

• S_TABU_DIS — Authorization to perform table maintenance

• S_TABU_CLI — Authorization to perform cross‐client table maintenance

62

Documents

CC5 2 Security Guide