GRC100
GRC Principles and Harmonization

other solution

Date

Training Center

Instructors

Education Website

Participant Handbook
Course Version: 96
Course Duration: 2 Days
Material Number: 50104436

An SAP course - use it to learn, reference it for work

Copyright

Copyright © 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Trademarks

• Microsoft®, WINDOWS®, NT®, EXCEL®, Word®, PowerPoint® and SQL Server® are registered trademarks of Microsoft Corporation.

• IBM®, DB2®, OS/2®, DB2/6000®, Parallel Sysplex®, MVS/ESA®, RS/6000®, AIX®, S/390®, AS/400®, OS/390®, and OS/400® are registered trademarks of IBM Corporation.

• ORACLE® is a registered trademark of ORACLE Corporation.

• INFORMIX®-OnLine for SAP and INFORMIX® Dynamic ServerTM are registered trademarks of Informix Software Incorporated.

• UNIX®, X/Open®, OSF/1®, and Motif® are registered trademarks of the Open Group.

• Citrix®, the Citrix logo, ICA®, Program Neighborhood®, MetaFrame®, WinFrame®, VideoFrame®, MultiWin® and other Citrix product names referenced herein are trademarks of Citrix Systems, Inc.

• HTML, DHTML, XML, XHTML are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

• JAVA® is a registered trademark of Sun Microsystems, Inc.

• JAVASCRIPT® is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

• SAP, SAP Logo, R/2, RIVA, R/3, SAP ArchiveLink, SAP Business Workflow, WebFlow, SAP EarlyWatch, BAPI, SAPPHIRE, Management Cockpit, mySAP.com Logo and mySAP.com are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other products mentioned are trademarks or registered trademarks of their respective companies.

Disclaimer

THESE MATERIALS ARE PROVIDED BY SAP ON AN "AS IS" BASIS, AND SAP EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR APPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO THESE MATERIALS AND THE SERVICE, INFORMATION, TEXT, GRAPHICS, LINKS, OR ANY OTHER MATERIALS AND PRODUCTS CONTAINED HEREIN. IN NO EVENT SHALL SAP BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES OF ANY KIND WHATSOEVER, INCLUDING WITHOUT LIMITATION LOST REVENUES OR LOST PROFITS, WHICH MAY RESULT FROM THE USE OF THESE MATERIALS OR INCLUDED SOFTWARE COMPONENTS.


About This Handbook
This handbook is intended to complement the instructor-led presentation of this course, and serve as a source of reference. It is not suitable for self-study.

Typographic Conventions
American English is the standard used in this handbook. The following typographic conventions are also used.

Type Style: Description

Example text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths, and options. Also used for cross-references to other documentation, both internal and external.

Example text: Emphasized words or phrases in body text, titles of graphics, and tables.

EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example SELECT and INCLUDE.

Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, and passages of the source text of a program.

Example text: Exact user entry. These are words and characters that you enter in the system exactly as they appear in the documentation.

<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.

2011 © 2011 SAP AG. All rights reserved. iii

About This Handbook GRC100

Icons in Body Text
The following icons are used in this handbook.

Icon: Meaning

• For more information, tips, or background
• Note or further explanation of previous point
• Exception or caution
• Procedures
• Indicates that the item is displayed in the instructor's presentation.


Contents

Course Overview ... vii
  Course Goals ... vii
  Course Objectives ... viii

Unit 1: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0 ... 1
  Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0 ... 3
  GRC Solution Overview ... 17
  GRC Convergence ... 24
  Key Features and Benefits ... 30
  Integration ... 40

Unit 2: Information Architecture, Security and Authorizations ... 67
  Information Architecture ... 68
  Security and Authorizations ... 80

Unit 3: The GRC 10.0 User Interface ... 99
  Work Centers ... 100
  Harmonized Navigation in the GRC 10.0 Portal ... 121

Unit 4: Common Functions and Data ... 143
  Common Functions and Data Overview ... 144
  User Interface Configuration Framework ... 151
  Shared Master Data ... 159

Unit 5: Implementation and Configuration ... 183
  Streamlined Configuration ... 184
  Functional Implementation ... 197

Unit 6: Reporting ... 217
  Harmonized Reporting Framework ... 218


Course Overview
This hands-on workshop provides an introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0, including solution harmonization, the implementation process, and how GRC helps you to manage compliance and regulations.

Target Audience
This course is intended for the following audiences:

• Implementation Consultants
• Key Technical Business Users involved in a GRC 10.0 project
• IT Governance Experts
• Consultants for SAP Security and GRC IT Auditors
• Business Project Team Leaders

Course Prerequisites
Required Knowledge

• Knowledge of integrated processes in an SAP system
• Knowledge of authorization concepts in an SAP system

Recommended Knowledge

• Practical knowledge of business processes
• Practical knowledge of software implementations


Course Goals
This course will prepare you to:

• Discuss the integrated GRC 10.0 solution and its business benefits
• Describe solution key features and benefits
• Describe solution integrations and their business use
• Explain relevant information architecture, security and authorization topics
• Navigate work centers, assign delegates, and personalize the Work Inbox
• Explain shared master data concepts
• Identify common and component-specific IMG nodes
• Describe project teams and key steps in the functional implementation process
• Use report functionality in the harmonized reporting framework

Course Objectives
After completing this course, you will be able to:

• Introduce SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0
• Identify key governance, risk, and compliance processes supported in the GRC 10.0 solution
• Describe key features and business benefits of the integrated solution
• Identify applications that integrate with the GRC 10.0 solution
• Describe the purpose and location of key user interface components
• Discuss harmonized navigation and how authorizations affect what users see
• Describe how common functions and relative master data are shared across GRC solutions
• Describe the IMG organization for GRC 10.0
• Describe a general implementation process and key steps
• Configure report presentation, structure, and content


Unit 1
Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0

Unit Overview
This unit introduces the GRC solution, presents examples of compliance regulations from various regions of the world, and provides an overview of solution components. GRC convergence and the business benefits of an integrated solution are discussed, as well as how GRC addresses disconnects between risks, policies, and compliance. Solution key features and benefits, as well as integration topics, are also presented.

Unit Objectives
After completing this unit, you will be able to:

• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution
• Identify key governance, risk, and compliance processes supported in GRC 10.0
• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance
• Identify and describe key benefits of enhancements to the GRC 10.0 solution
• Discuss how particular applications integrate with the GRC 10.0 solution

Unit Contents
Lesson: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0 ... 3
Lesson: GRC Solution Overview ... 17
Lesson: GRC Convergence ... 24
Lesson: Key Features and Benefits ... 30
Lesson: Integration ... 40


Lesson: Introduction to SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0

Lesson Overview
This lesson presents an introduction to SAP BusinessObjects Governance, Risk, and Compliance and how this solution helps companies to proactively balance risk and opportunity. Also presented are compliance initiatives from various regions of the world and the benefits of an integrated solution.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution

Business Example
Company policy states that material risks need to be identified, documented and managed to avoid any disruption to business activities and to safeguard the reputation of the company. Some risks can be due to legal regulation, such as:

• Sarbanes-Oxley Act (SOX)
• Health Insurance Portability and Accountability Act (HIPAA)
• German Federal Data Protection Act

while others may not be regulated by law but have become the “Standard” or “Best Practice” to remain compliant with other regulations (such as Control Objectives for Information and Related Technology (CoBIT) or IT Infrastructure Library (ITIL)), or risks that are more inherent to a specific industry or company environment (such as Oil and Gas or Mining). The risks can be found in many areas such as business processes and procedures, security and user access, and IT infrastructure and solution administration, just to name a few. SAP BusinessObjects Governance, Risk, and Compliance (GRC) can help to document and manage the prevention and/or detection of the identified risks and also document and manage the mitigation or remediation of the identified risks or issues. This solution can also serve as an audit trail during period-end review processes.


GRC Solution Introduction

Figure 1: Risk

Companies like this realize that risks can have a detrimental impact on performance. They understand the link between risk and performance, and they understand how to optimize their business in light of risks to which they are exposed. The GRC solution helps companies to prevent, manage, and respond to risks.

Figure 2: Meaning for Everyone, Everywhere, Anytime


GRC requirements are pervasive. Knowledge of your business and the related risks and compliance and policy requirements is critical for everyone, everywhere. Regardless of your industry, regardless of where you sit in the organization, there are a set of questions that you are left to answer.

Figure 3: The Cost of Not Knowing

The cost can be significant if you:

• Are not able to answer important questions about your business
• Cannot confidently address complex and constantly changing regulatory requirements
• Cannot link your investments in GRC programs to performance


Figure 4: Proactively Balance Risk and Opportunity

SAP BusinessObjects GRC solutions help companies to proactively balance risk and opportunity through three main concepts:

• Customers can better manage risk, compliance, and other GRC initiatives
• Customers can better protect their value
• Organizations can perform better

Ultimately, the goal is to enable organizations to see all risks and compliance issues so that they can make optimal decisions in light of both the opportunity ahead and the related risks.


Figure 5: Solution Architecture Capability Model

This solution architecture is a capability model illustrating the broad range of capabilities incorporated in SAP's GRC solutions.

Note: This capability model is not meant to represent the technical architecture in any way.

SAP BusinessObjects GRC solutions are comprised of three main areas of capabilities: Analyze, Manage and Monitor. Successful GRC programs have capabilities and supporting technologies that cross these three areas.

Figure 6: Manage, Protect, Perform


SAP BusinessObjects GRC solutions are delivered through four primary solutions that help customers automate risk and compliance, protect their value and optimize their performance:

Figure 7: Enterprise GRC: Risk-Intelligent Management of Enterprise Performance

Companies that are able to build a level of risk intelligence, and leverage this to increase performance, are able to do so by focusing on the three core capabilities listed above.

Figure 8: Access Risk Management

Business Challenge

Companies today continue to struggle to effectively manage access risk, with segregation of duties and excessive access rights showing as top contributors to fraud and audit findings. Regulatory requirements increase, often resulting in multiple compliance teams across departments and relying on manual compliance processes. With thousands of users, roles, and processes to test and with multiple compliance applications taxing IT resources, excessive time is spent documenting processes for auditors instead of focusing on business operations. This fragmented and costly approach to managing access risk leads to reactive – rather than proactive – access risk prevention, inefficient compliance processes, and a lack of real-time visibility into access risk.

Solution

SAP BusinessObjects Access Control addresses these challenges by enabling businesses to confidently manage and reduce access risk across the enterprise. It helps to prevent unauthorized access – including segregation of duties (SoD) and critical access – and achieve real-time visibility to access risk, minimizing the time and cost of access risk management.

The Access Control solution unifies access risk analysis and remediation, business role management, compliant identity management, emergency privilege management, and provides a holistic, enterprise-wide view in real time. It can help ensure day-to-day compliance, provide comprehensive management oversight, and perform effective and complete audits. The result is an improved ability to protect information and prevent fraud while minimizing the time and cost of access risk management.

Figure 9: Global Trade Services

Today's global environment is increasingly dynamic and unpredictable – making international trade risky, volatile, and costly. These realities include complex trade compliance demands, fluctuating transportation costs, and increasing cross-border regulations, and drive the need for advanced global trade solutions.


SAP BusinessObjects Global Trade Services helps companies automate trade compliance and accomplish three key goals:

1. Better management of global trade operations
2. Ensure ongoing compliance
3. Optimize the cross-border supply chain

Figure 10: Continuous Transaction Monitoring

GRC's continuous transaction monitoring solution allows you to identify and correct errors, waste, abuse, policy violations, and potential fraud. These issues can only be revealed through in-depth analysis of transactions that are recorded as business activities are completed. This in-depth analysis allows you to achieve three key benefits:

1. Improve the quality and speed of your business processes
2. Increase insight into business activities
3. Increase margin contribution


Figure 11: The SAP Difference

In summary, some key benefits of the GRC solutions are:

• The most comprehensive set of capabilities available
• Proactive monitoring across key risk indicators and compliance effectiveness
• Solutions are delivered with industry-specific risk, compliance, and process content
• Solutions are proven


Regional Compliance Regulations

Figure 12: Compliance Regulations & Standards

Compliance regulations can be specific to a particular region or country or may be applicable to multiple regions. In addition, compliance can also be to international or national standards. These items are not put into regulatory law, but do become best practice to follow or may be required by a particular vendor, as in the case of PCI DSS, which stands for Payment Card Industry Data Security Standard. This is a contractual agreement by the U.S. Payment Card Industry to ensure the safe handling of cardholder information at every step, so it is about security standards for account data protection and not a legal regulation.

Figure 13: Regional Compliance Regulations: USA, Canada, Latin America


Figure 14: Regional Compliance Regulations: Europe, Middle East, Africa

Figure 15: Regional Compliance Regulations: Asia Pacific


Figure 16: Fragmentation

In many organizations, implementing policies, identifying and measuring risks, and supporting regulatory mandates takes place at the departmental level. The organizational fragmentation resulting from disconnected, departmental activities can result in inconsistent policies, difficulty predicting risk, a lack of enterprise transparency, and duplication of effort.

As an organization increases its collaboration with partners and suppliers, the consequences of organizational fragmentation intensify. The organization will be held accountable for good governance and compliance not only within the confines of its own enterprise, but also across the extended enterprise, so risk increases.


Figure 17: Integrated Governance, Risk, and Compliance

Organizations need an integrated approach if they want to move towards operational excellence. They need an approach that simplifies GRC, not isolated disciplines of each, and that dramatically reduces the cost, provides complete compliance and risk visibility, and easily adapts to change. SAP's GRC solution embeds GRC into the way companies do business, into every business process, and provides an integrated approach to governance, risk, and compliance initiatives.


Lesson Summary

You should now be able to:
• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution


Lesson: GRC Solution Overview

Lesson Overview
This lesson presents an overview of the GRC 10.0 solution and how each component contributes to encompass people, processes, and products.

Lesson Objectives
After completing this lesson, you will be able to:

• Identify key governance, risk, and compliance processes supported in GRC 10.0

Business Example
A company is looking for solutions available to assist in managing their Governance, Risk and Compliance (GRC) initiatives. SAP BusinessObjects GRC offers several solutions that will help manage the ability to comply with legal compliance regulations and internal company policies, including:

Access Control – Segregation of Duties documentation and analysis; security role management; user access management; emergency access management
Process Control – document, monitor and review processes; document and monitor remediation of issues
Risk Management – document, monitor, and review Key Risk Indicators (KRIs)
Global Trade Services – manage and document trade information globally; produce documentation for Customs officials for cross-border shipments
Electronic Invoicing for Brazil (Nota Fiscal Eletronica) – Brazilian Electronic Invoice requirement


Key Governance, Risk, and Compliance Processes Supported in GRC 10.0

Figure 18: Key Processes: Risk Management Process

The Risk Management process allows the company to identify, mitigate and monitor critical business risks that may have a negative impact on an organization's performance, goals and objectives. The ERM process allows management to prioritize often scarce resources to mitigate the company's highest risk areas.


Figure 19: Key Processes: Compliance Management

Compliance Management provides documentation of compliance structures and related compliance initiatives. A risk-based approach to scoping helps focus control evaluation efforts on those control activities with the greatest likelihood of failure and potential negative impact to the enterprise. Compliance evaluations include self-assessments and management assessments using user-definable surveys, as well as manual testing using test plans and automated testing and monitoring using business rules. If exceptions are identified during the evaluation process, issues are created and assigned for remediation. Once identified, users review and determine how the issues will be processed.


Figure 20: Key Processes: Audit Management

Audit Management involves risk-based audit planning, preparation, fieldwork, execution and reporting. This involves use of the SAP NetWeaver Audit Management application, and it is not covered here because of the focus on Risk Management, Process Control and Access Control solutions.

Figure 21: Key Processes: Policy Management


Policy Management provides end-to-end management of corporate policies aligned with risk and compliance management, including creation, localization, distribution, and acknowledgement.

Figure 22: Key Processes: Access Risk Management

Access Risk Management provides the ability to manage and monitor user privileges, while ensuring compliance with security policies related to segregation of duties and restriction of critical permissions. You can prevent, monitor and manage access conflicts present at the system, infrastructure, and application levels.
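The Access Control description in the first lesson and the Access Risk Management process above both talk about SoD and critical-access analysis without showing the mechanics. The Python below is an added illustration (not SAP code and not SAP's delivered rule set): functions built from actions, risks defined as conflicting functions or a single critical function, user-level and role-level analysis, mitigating-control assignment, and a what-if check before provisioning. Every transaction code, role, user and risk ID is constructed sample data.

```python
"""Constructed SoD and critical-action risk analysis, modelled on the
Access Control concepts in this lesson. Rule set, transaction codes,
roles, users and risk IDs are made-up sample data, not SAP's delivered
rule set or any real system's assignments."""
from dataclasses import dataclass

# A business function is a set of actions (transaction codes in this sample).
FUNCTIONS = {
    "AP01": {"FK01", "FK02"},    # maintain vendor master data
    "AP02": {"F110", "F-53"},    # run vendor payments
    "PR01": {"ME21N", "ME22N"},  # create or change purchase orders
    "PR02": {"MIGO"},            # post goods receipt
    "BS01": {"SU01", "PFCG"},    # user and role administration
}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    functions: frozenset  # every listed function must be enabled for the risk to apply
    level: str


# Two-function risks are SoD conflicts; a one-function risk is a critical action risk.
RISKS = [
    Risk("P001", frozenset({"AP01", "AP02"}), "High"),
    Risk("P002", frozenset({"PR01", "PR02"}), "Medium"),
    Risk("B001", frozenset({"BS01"}), "Critical"),
]

# Roles grant actions; users hold roles (constructed assignments).
ROLES = {
    "Z_AP_CLERK":   {"FK01", "FK02", "FB60"},
    "Z_AP_PAYMENT": {"F110", "FBL1N"},
    "Z_BUYER":      {"ME21N", "ME22N", "ME23N"},
    "Z_WAREHOUSE":  {"MIGO", "MB52"},
    "Z_BASIS":      {"SU01", "PFCG", "SM59"},
    "Z_SUPER_AP":   {"FK01", "F110"},  # conflict built into a single role
}
USERS = {
    "JSMITH": ["Z_AP_CLERK", "Z_AP_PAYMENT"],  # SoD conflict P001
    "AKHAN":  ["Z_BUYER", "Z_WAREHOUSE"],      # P002, covered by a mitigating control
    "BADMIN": ["Z_BASIS"],                     # critical action risk B001
    "MLEE":   ["Z_BUYER"],                     # no findings
}
# Mitigating controls assigned per (user, risk): still reported, but not as open violations.
MITIGATIONS = {("AKHAN", "P002")}


def enabled_functions(actions):
    """A function counts as enabled when the actions include at least one of its actions."""
    return {f for f, acts in FUNCTIONS.items() if acts & actions}


def actions_for_roles(roles):
    return set().union(*(ROLES[r] for r in roles))


def analyze_user(user):
    """User-level analysis: [(risk_id, level, status, contributing_roles)]."""
    roles = USERS[user]
    enabled = enabled_functions(actions_for_roles(roles))
    findings = []
    for risk in RISKS:
        if not risk.functions <= enabled:
            continue
        status = "mitigated" if (user, risk.risk_id) in MITIGATIONS else "violation"
        # Roles enabling any function of the risk are the remediation candidates
        # (remove or redesign a role, or assign a mitigating control).
        contributing = sorted(r for r in roles
                              if enabled_functions(ROLES[r]) & risk.functions)
        findings.append((risk.risk_id, risk.level, status, contributing))
    return findings


def analyze_role(role):
    """Role-level analysis: a single role enabling a whole risk is a role-design defect."""
    enabled = enabled_functions(ROLES[role])
    return [r.risk_id for r in RISKS if r.functions <= enabled]


def simulate_assignment(user, new_roles):
    """Preventive what-if check run before provisioning: risks the new roles would add."""
    already = {f[0] for f in analyze_user(user)}
    enabled = enabled_functions(actions_for_roles(USERS[user] + list(new_roles)))
    return sorted(r.risk_id for r in RISKS
                  if r.functions <= enabled and r.risk_id not in already)


def open_violations():
    """Unmitigated findings per user, the figure an access-risk dashboard would show."""
    return {u: [f for f in analyze_user(u) if f[2] == "violation"] for u in USERS}


if __name__ == "__main__":
    for user, findings in open_violations().items():
        for risk_id, level, _, roles in findings:
            print(f"{user}: {risk_id} ({level}) via {', '.join(roles)}")
    print("role-level conflicts:", {r: analyze_role(r) for r in ROLES if analyze_role(r)})
    print("MLEE + Z_WAREHOUSE would add:", simulate_assignment("MLEE", ["Z_WAREHOUSE"]))
```

The role-level pass catches conflicts that no user-level cleanup can fix, and the simulation is the preventive check a compliant provisioning workflow runs before an assignment is approved.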


Figure 23: Key Processes: Trade Management

Trade Management involves controlling the cost and risk of international trade by ensuring compliance with global regulations, accelerating trade activity, and minimizing duties. SAP BusinessObjects Electronic Invoicing for Brazil (Nota Fiscal Eletronica) supports companies in complying with the requirements of the Brazilian authorities for electronic invoicing.


Lesson Summary

You should now be able to:
• Identify key governance, risk, and compliance processes supported in GRC 10.0


Lesson: GRC Convergence

Lesson Overview
This lesson explains why convergence is important and discusses how GRC closes the performance loop when there are disconnects between risks, policies, and compliance.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance

Business Example
This lesson presents an example of a global enterprise that sees an opportunity to grow.

Business Benefits of an Integrated Solution

Figure 24: GRC Convergence Survey Response

In terms of governance, risk and compliance, SAP believes strongly in the topic of convergence, and according to executives from across the world, many of them also find this to be a very relevant topic. In February 2010, KPMG released a global survey on GRC. Working with the Economist Intelligence Unit, they surveyed 542 executives from a wide range of industries and regions, with approximately 1/3 from each major region of the world. One of the very consistent themes that arose in this survey was that almost 2/3 of the respondents (64%) basically said GRC convergence was a priority for their organization, but what does this mean and why is it important?

As was stated in the report and also echoed by many SAP customers, GRC is a topic that has unfortunately gotten too unwieldy in most organizations. As folks try to get their arms around GRC, they find that it is too costly, requires too many resources and leaves them exposed to undue risk. Our customers are telling us that they believe GRC convergence will help them to start addressing these issues by reducing their costs, which is good, but most importantly, reducing their risk exposure and improving the overall performance of their businesses.

Figure 25: Example depicting the importance of GRC Convergence

Leadership sets a strategy to increase penetration in some of the markets that they serve. As in many well-run organizations, when executive leadership says jump, the team jumps. In this example, a variety of related operational initiatives are put into place by different lines of business. Sales and marketing performs analysis to establish and accept a target for the expanded penetration. That analysis is communicated to production planning. That team then makes plans to increase production. The manufacturing team works with strategic sourcing to identify the need for an increased supply of raw materials. They decide on two suppliers for a critical component that, based upon known performance and other factors, can meet the demand. Manufacturing ramps up additional capacity and pushes more product off the line. Distribution works to get the product into the targeted markets. Sales and marketing work to get the product into customers’ hands and, ultimately, achieve success.

Figure 26: Core Issues

Ultimately this brings us to what we see as “the core issue”: How do you closethe performance loop when there is a clear disconnect between risks, policies andcompliance?

Add to this the complex composition of most modern companies: a myriad of businessprocesses spanning organizations across several regions, coupled with differingcompliance requirements--and the answer is unfortunately that you can’t.

First of all, there is a lot of duplication of effort as organizations try to solve this problem, often duplicating activities and technologies in addressing it. Even more important is that without a clear view into these elements and an understanding of them, most companies harbor undue or even catastrophic risks that they are unable to identify or remediate.

SAP believes that GRC convergence can help address this problem and is uniquelyqualified to deliver solutions to support this movement.

How GRC Addresses Disconnects between risks,policies, and compliance

Figure 27: Comprehensive Approach to GRC

Enterprise GRC refers to a platform that enables organizations to gain visibility intoall of their risk and compliance activities, but also more efficiently manage across thedisciplines of risk management, compliance management, audit management, policymanagement and access management.

SAP is committed to enabling customers to realize GRC convergence, a key aspect of which is to ensure that GRC is optimized for SAP but not tethered to SAP. Many customers maintain hybrid environments or have chosen a different business process platform. The GRC 10.0 solution is designed to be tightly integrated with SAP, and it can leverage adapters from technology partners and open APIs such as web services to work, loosely coupled, with other platforms as well.

While the application process stack is key, partnering with vendors such as CA, Novell, and Sensage extends the GRC platform across the IT stack, including IT infrastructure and applications, and takes in categories such as Identity Management integration.

GRC's content framework allows close work with both system integrators and technology service providers to provide out-of-the-box content that gives customers with specific business scenarios a starting point. Through integration with SAP Performance Management, GRC is truly able to close the performance loop by ensuring that risks are tied closely to key performance indicators in the strategic management process, that risk influences the planning or supply chain process, and that controls can be tied to consolidation processes to ensure a compliant close.

Lesson Summary

You should now be able to:
• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance

Lesson: Key Features and Benefits

Lesson Overview

This lesson introduces key features and benefits of the GRC 10.0 solution.

Lesson Objectives

After completing this lesson, you will be able to:

• Identify and describe key benefits of enhancements to the GRC 10.0 solution

Business Example

A company is looking for improved ways to efficiently and effectively manage its Governance, Risk, and Compliance areas and to reduce the cost of doing so. The company is also looking for a more unified platform to reduce the amount of training needed to increase the skills of its workforce, reduce hardware utilization, and reduce the cost of audit services.

SAP BusinessObjects GRC 10.0 now runs on a common platform on which Risk Management, Process Control, and Access Control are combined into a single solution with a unified work space and improved reporting and audit trail functionality. The common platform reduces the time needed to train users, because the user interface is the same across all three solutions, and allows for improved efficiency in IT maintenance. Global Trade Services and Nota Fiscal Eletronica also use this platform.

Common Technical Platform

Figure 28: Common Technical Platform Purpose and Value

The unified Risk Management, Access Control, and Process Control data model andtechnology platform enables optional sharing of selected risk and compliance dataand functions. Sharing is optional because some customers prefer a “silo approach,”whereas others seek to consolidate and integrate their GRC activities. GRC 10 reducesthe total cost of ownership due to lower overall implementation, administrative andmaintenance costs, as GRC solutions now leverage a common technology (ABAP)platform and appropriately shared Implementation Guide (IMG).

Figure 29: Common Technical Platform Enhancements and Benefits

Enhanced Visualization and Streamlined Navigation

Figure 30: Enhanced Visualization and Streamlined Navigation Purpose andValue

Enhanced Visualization and Streamlined Navigation: Streamlined user navigationwith shared work centers emphasizes function rather than component. Thissignificantly reduces duplication of menu items (for example, one inbox, not three)and facilitates sharing of data and functions.

The menu items that an individual user sees within each work center are controlled by that user's GRC roles. This also enables data shared across components to be viewed differently by different users.

Figure 31: Visualization and Streamlined Navigation Enhancements and KeyBenefits

Configurable User Interface

Figure 32: Configurable User Interface Purpose and Value

The Configurable User Interface allows configuration to determine field status by application component. For example, the organization field "Average Cost per Control" can be shown to users authorized for Process Control and hidden from users authorized for Access Control. Field status (required, optional, displayed, or hidden) can be selected per field, per component, or even per regulation, where applicable. Changes to the field status are reflected in the user interface without requiring programming.

Figure 33: Configurable User Interface Enhancements and Benefits

The configurable user interface allows customers to configure without programming:

1. Which fields are relevant to regulations, or even to specific regulations
2. Which fields are relevant to each underlying component
3. Which fields should be mandatory, optional, or hidden
4. Which fields can be changed locally and which must be maintained centrally

For Process Control, the assignment of subprocess to organization has beenmade more flexible to allow local editing of some fields in a control whiledisallowing editing of other fields.

Improved Reporting

Figure 34: Improved Reporting Purpose and Value

Improved Reporting: GRC reporting leverages the SAP Business Suite ABAP List Viewer (ALV)-Crystal integration framework to present and personalize ABAP (Web Dynpro) reports and convert them into Crystal reports. This lowers total cost of ownership and extends the benefits and functionality of Crystal without the need for a separate SAP BusinessObjects Enterprise server.

Figure 35: Reporting Enhancements and Benefits

Enhanced Policy Management

Figure 36: Enhanced Policy Management Purpose and Value

Enhanced Policy Management: Policy Management provides complete lifecyclemanagement for corporate policies, and it aligns policies with risk and compliancemanagement activities. Effective policy management reduces enterprise risk andimproves corporate governance with management guidance for the organization’sbehavior, actions, and decision-making processes.

Figure 37: Policy Management Enhancements and Benefits

Enhanced Business Rule Framework

Figure 38: Enhanced Business Rule Framework Purpose and Value

Enhanced Business Rules for Automated Testing and Monitoring: The enhanced,user-configurable rule engine gives customers maximum flexibility in defining theirautomated rules. You can now monitor a much wider range of back end systems,consume data from non-SAP systems without needing third-party tools, processasynchronous events, and automatically analyze SAP Basis change logs.

Figure 39: Business Rule Framework Enhancements and Benefits

Content Lifecycle Management

Figure 40: Content Lifecycle Management Purpose and Value

Content Lifecycle Management (CLM) supports check-in, version control,comparisons, and deployment of packaged content. CLM also formalizes the abilityto export structured content out to Excel and check changes back in—an enormousproductivity boost for initial implementations, getting content into GRC from legacyor reference systems, periodic updates, and expanding implementations.

Figure 41: Content Lifecycle Management Solution Enhancements and Benefits

Lesson Summary

You should now be able to:• Identify and describe key benefits of enhancements to the GRC 10.0 solution

Lesson: Integration

Lesson Overview

This lesson gives an overview of the various integrations to and within the GRC 10.0 solution.

Lesson Objectives

After completing this lesson, you will be able to:

• Discuss how particular applications integrate with the GRC 10.0 solution

Business Example

1. Your organization is using SAP BusinessObjects Access Control 10.0 Analyze and Manage Access Risk. You want to use SoD analysis results automatically, weekly or monthly, to mitigate a risk identified in Process Control.

2. Handling some responses to risks can be a complicated and time-consuming process involving many resources. Therefore, having projects in the appropriate SAP application (Project System) based on such responses is a good way to track response status and completeness.

3. During the internal and external auditing of this fiscal year, auditors addresscompliance and operational problems outside of the control evaluation cycle.These issues need to be documented and tracked for the improvement of theorganizational compliance status.

Creating an issue speeds up the identification of risk, which can lead to timely actions being put in place to mitigate exposure. Timely issue resolution avoids the excessive time and effort that would otherwise go into resolving the negative impacts of a delayed resolution.

Integration Overview

The GRC 10.0 solution integrates with several other systems and applications, both across the solution and for specific solution components.

Figure 42: GRC 10.0 Solution Integration Overview

Access Control Integration

Figure 43: Access Control Integration Overview

Access Control Integration for Shared Master Data

Figure 44: Access Control Integration for Shared Master Data

Shared Organization Hierarchy

With a shared organization hierarchy, you can:

• Centrally maintain organizations and the organization hierarchy
• Use one organization hierarchy in the Access Control, Process Control, and Risk Management solutions
• Access the organization hierarchy from the Access Control, Process Control, and Risk Management solutions
• Maintain different views of organization structures to adapt them to your needs

Mitigating Controls

You can create mitigating controls within Access Control from the Analysis Results screen after executing User Risk Analysis. You can also create them from the Process Control user interface under Business Processes. To create one from Process Control:

1. Add a mitigating control ID
2. Assign an access risk, a mitigation monitor, and a mitigation approver
3. The control can now be used in Access Control to mitigate an access risk

Organization Views

To add an organization view, from the back-end system, execute Transaction SPRO,then choose SAP Reference IMG → Governance, Risk, and Compliance → SharedMaster Data Settings → Maintain Organization Views → Maintain OrganizationViews Configuration

Note: While creating more entries with the same name, but a differentapplication component, you can specify for which of the components thehierarchy should be used.

Users and Owners

Owners are responsible for the correctness of risks, roles, mitigating controls, and soon. These owners have different responsibilities throughout Access Control, however,only Mitigation Monitors and Mitigation Approvers may be assigned to controls andare therefore shared with Process Control and Risk Management.

Access Control Integration: HR Triggers

The HR Triggers functionality of Access Control 10.0 allows the creation of automatic access requests corresponding to changes in master data in SAP or non-SAP HR systems. When an event is triggered in the SAP HR system, such as hiring a new employee, rules are applied and a corresponding action to create a workflow request is initiated in Access Control. The request can be processed through workflow and can be provisioned to the back-end system by direct assignment or indirect assignment.

The configuration of HR Triggers in Access Control 10.0 includes the configuration ofactions, rules, and field mapping.

Note: Users do not need to complete an access request form.

Figure 45: HR Integration Process Flow

HR Triggers Process Flow Overview

1. The user is maintained in the HR system
2. A change in the HR system triggers a call to a function module in the GRC system to create the request (GRAC_GET_HR_TRIGGER_DATA)
3. The information is presented to the HR Trigger BRFplus rules and evaluated
4. Based on the BRF rules created in the GRC system, the changes are evaluated and the BRF rules return results that correspond to the actions maintained in the IMG settings for HR triggers
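The flow above, modelled as an added Python example. This is not GRC code and does not reproduce BRFplus; the action names, the HR event vocabulary, and the field mapping from HR fields to request fields are assumptions made for the example. It shows the part of the design a practitioner cares about: rules are ordered so that a leaver is always locked, the field mapping produces the request payload, and an event that matches no rule is reported for review rather than turned into a request with a guessed action.

```python
"""Added example: rule-driven HR trigger evaluation (illustrative, not SAP code).

Models the flow: HR master-data change -> rule evaluation -> action ->
access request. Action names, event vocabulary and field mapping are
assumptions for the example, not the IMG action list.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed action names; the real list is maintained in the IMG.
NEW_ACCOUNT, CHANGE_ACCOUNT, LOCK_ACCOUNT = "NEW_ACCOUNT", "CHANGE_ACCOUNT", "LOCK_ACCOUNT"


@dataclass(frozen=True)
class HrEvent:
    """One master-data change as handed over by the HR system (constructed)."""
    personnel_no: str
    event: str          # assumed vocabulary: HIRE, TRANSFER, LEAVE, ...
    company_code: str
    position: str
    email: str


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[HrEvent], bool]
    action: str


# Assumed field mapping: HR event field -> access request field.
FIELD_MAPPING = {
    "personnel_no": "user_id",
    "email": "email",
    "company_code": "org_unit",
    "position": "position",
}

# Rules are evaluated in order; the lock rule comes first so a leaver is
# always locked even if another rule would also match the event.
RULES: List[Rule] = [
    Rule("leaver_lock", lambda e: e.event == "LEAVE", LOCK_ACCOUNT),
    Rule("new_hire", lambda e: e.event == "HIRE", NEW_ACCOUNT),
    Rule("transfer", lambda e: e.event == "TRANSFER", CHANGE_ACCOUNT),
]


def evaluate(event: HrEvent, rules: List[Rule] = RULES) -> Optional[str]:
    """Return the action of the first matching rule, or None if none matches."""
    for rule in rules:
        if rule.condition(event):
            return rule.action
    return None


def build_request(event: HrEvent, action: str) -> dict:
    """Apply the field mapping to turn an HR event into a request payload."""
    request = {target: getattr(event, source) for source, target in FIELD_MAPPING.items()}
    request["action"] = action
    return request


def process(events: List[HrEvent], rules: List[Rule] = RULES) -> Tuple[List[dict], List[str]]:
    """Evaluate a batch. Events matching no rule are returned for review,
    not provisioned with a guessed action."""
    requests, unmatched = [], []
    for event in events:
        action = evaluate(event, rules)
        if action is None:
            unmatched.append(event.personnel_no)
        else:
            requests.append(build_request(event, action))
    return requests, unmatched


# Constructed sample events (not real personnel data).
SAMPLE_EVENTS = [
    HrEvent("10001", "HIRE", "1000", "AP_CLERK", "a.new@example.com"),
    HrEvent("10002", "TRANSFER", "2000", "AR_CLERK", "b.move@example.com"),
    HrEvent("10003", "LEAVE", "1000", "BUYER", "c.gone@example.com"),
    HrEvent("10004", "NAME_CHANGE", "1000", "BUYER", "d.same@example.com"),
]

if __name__ == "__main__":
    created, skipped = process(SAMPLE_EVENTS)
    for req in created:
        print(req)
    print("no rule matched:", skipped)
```

Running the block produces three requests (new account, change, lock) and reports personnel number 10004, whose name change matches no rule, as unmatched; in the real product that decision sits in the BRFplus rules and the IMG action settings rather than in a Python list.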

Access Control and Identity Management (IdM) Integration Overview

Identity Management (IdM) solutions provide the key infrastructure to manage user accounts in multiple back-end systems. Access Control currently provides integration with IdM solutions for enterprise-wide, compliant provisioning.

The integration of Access Control and Identity Management enables customers todeploy an automated business and risk driven Access Control solution enterprisewide. With this solution, business owners can control access, security posture and riskbased on business relevant values without requiring the domain-specific knowledgefor each of the IT systems.

GRC Access Control provides robust integration with IdM solutions and continues to focus on its core competencies of risk, SoD, and remediation. To support this strategy, Access Control integrates with market-leading IdM vendors such as Sun and Novell, and it integrates with and is optimized for SAP NetWeaver Identity Management.

User Provisioning Scenarios with IdM Integration

Two scenarios are supported: GRC-driven provisioning and IdM-driven provisioning.

Figure 46: Access Control - Identity Management Supported Scenarios

GRC-driven provisioning is initiated in GRC, provisioned by GRC for SAP systems,and provisioned in IdM for non-SAP systems. IdM-driven provisioning is initiated inIdM, submitted to GRC through Web Services, provisioned by GRC for SAP systems,and provisioned in IdM for non-SAP systems.

Figure 47: GRC-Driven Provisioning Process Flow

Figure 48: IdM-Driven Provisioning

Process Control Integration

Process Control Integration Overview

Integrations for Process Control 10.0 include:

• Process Integration
• SoD Integration

Figure 49: Process Integration

Process Integration allows you to monitor deficiencies in other systems. The ProcessIntegration Proxy must be completed before you can proceed on the portal.

Figure 50: Process Integration Job Result

Configure Process Integration, then create an automated monitoring job to test forcontrol deficiencies. Results appear both in the Job Monitor and as a workflow task ifthe deficiency is high or medium.
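The monitoring job described above, and the Business Rule Framework's ability to analyze change logs mentioned in the Key Features lesson, as an added Python example. This is not the Business Rule Framework and not GRC code: the change-record layout, the table and field names, the approved-maintainer list, the business-hours window, the thresholds and the severities are all assumptions made for the example, and the log is constructed. It shows rules applied record by record, a cross-record check for a value that is changed and reverted within a short window (a pattern no single-record rule can see), and the routing rule from the page: every finding goes to the job monitor, while high and medium findings also raise a workflow task.

```python
"""Added example: an automated monitoring rule run over change-log records.

Illustrative Python, not the GRC Business Rule Framework. Record layout,
table/field names, thresholds and severities are assumptions for the
example; the sample log is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional, Tuple

HIGH, MEDIUM, LOW = "high", "medium", "low"
_RANK = {HIGH: 3, MEDIUM: 2, LOW: 1}


@dataclass(frozen=True)
class ChangeRecord:
    """One change-log entry (loosely modelled on a table change log)."""
    changed_at: datetime
    user: str
    table: str
    key: str
    field: str
    old_value: str
    new_value: str


@dataclass(frozen=True)
class Deficiency:
    record: ChangeRecord
    rule: str
    severity: str


MAINTAINERS = {"MDM01", "MDM02"}  # assumed approved master-data maintainers
BUSINESS_HOURS = range(7, 19)     # assumed 07:00 to 18:59


def unauthorised_bank_change(rec: ChangeRecord) -> Optional[str]:
    if rec.table == "VENDOR_BANK" and rec.field == "ACCOUNT" and rec.user not in MAINTAINERS:
        return HIGH
    return None


def off_hours_bank_change(rec: ChangeRecord) -> Optional[str]:
    if rec.table == "VENDOR_BANK" and rec.changed_at.hour not in BUSINESS_HOURS:
        return MEDIUM
    return None


def tolerance_raised(rec: ChangeRecord) -> Optional[str]:
    if rec.table == "TOLERANCE_LIMITS" and rec.field == "PERCENT":
        old, new = float(rec.old_value), float(rec.new_value)
        if new > old:
            return HIGH if new > 10 else MEDIUM
    return None


def vendor_master_by_non_maintainer(rec: ChangeRecord) -> Optional[str]:
    if rec.table == "VENDOR_MASTER" and rec.user not in MAINTAINERS:
        return LOW
    return None


RULES: List[Tuple[str, Callable[[ChangeRecord], Optional[str]]]] = [
    ("unauthorised_bank_change", unauthorised_bank_change),
    ("off_hours_bank_change", off_hours_bank_change),
    ("tolerance_raised", tolerance_raised),
    ("vendor_master_by_non_maintainer", vendor_master_by_non_maintainer),
]


def find_temporary_changes(log: List[ChangeRecord], window=timedelta(minutes=30)) -> List[Deficiency]:
    """Flag a change that is reverted on the same table/key/field within `window`.
    A value raised and put back minutes later is the classic way to slip a
    transaction past a control, and a per-record rule cannot see it."""
    found = []
    ordered = sorted(log, key=lambda r: r.changed_at)
    for i, rec in enumerate(ordered):
        for later in ordered[i + 1:]:
            if later.changed_at - rec.changed_at > window:
                break
            same_cell = (later.table, later.key, later.field) == (rec.table, rec.key, rec.field)
            if same_cell and later.new_value == rec.old_value:
                found.append(Deficiency(rec, "temporary_change", HIGH))
                break
    return found


def run_job(log: List[ChangeRecord]) -> List[Deficiency]:
    """Apply every rule to every record, then the cross-record check."""
    findings = []
    for rec in log:
        for name, rule in RULES:
            severity = rule(rec)
            if severity is not None:
                findings.append(Deficiency(rec, name, severity))
    findings.extend(find_temporary_changes(log))
    return findings


def route(findings: List[Deficiency]) -> Tuple[List[Deficiency], List[Deficiency]]:
    """Every finding goes to the job monitor; high and medium also raise a task."""
    tasks = [f for f in findings if _RANK[f.severity] >= _RANK[MEDIUM]]
    return list(findings), tasks


# Constructed sample log (not real data).
SAMPLE_LOG = [
    ChangeRecord(datetime(2011, 3, 1, 10, 5), "MDM01", "VENDOR_BANK", "V0001", "ACCOUNT", "1234567890", "1234567891"),
    ChangeRecord(datetime(2011, 3, 1, 23, 40), "JSMITH", "VENDOR_BANK", "V0002", "ACCOUNT", "2222222222", "9999999999"),
    ChangeRecord(datetime(2011, 3, 2, 9, 0), "BATCH01", "TOLERANCE_LIMITS", "1000", "PERCENT", "5", "40"),
    ChangeRecord(datetime(2011, 3, 2, 9, 12), "BATCH01", "TOLERANCE_LIMITS", "1000", "PERCENT", "40", "5"),
    ChangeRecord(datetime(2011, 3, 2, 11, 0), "MJONES", "VENDOR_MASTER", "V0001", "NAME", "ACME", "ACME Ltd"),
]

if __name__ == "__main__":
    monitor, tasks = route(run_job(SAMPLE_LOG))
    print(f"{len(monitor)} findings in job monitor, {len(tasks)} workflow tasks")
    for f in tasks:
        print(f.severity, f.rule, f.record.user, f.record.table, f.record.key)
```

On the constructed log this yields five findings in the job monitor and four workflow tasks: the vendor bank change by a non-maintainer at night raises one high and one medium finding, the tolerance raised to 40 percent is high, the same tolerance put back twelve minutes later is caught as a temporary change, and the vendor name edit is a low finding that is visible in the monitor but raises no task.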

Process Control - SoD Integration

If you identify a risk in Process Control, you can use Access Control's SoD analysis results to mitigate that risk.

Figure 51: SoD Integration

Figure 52: View Job Step Result for SoD Integration in Job Monitor

The monitor allows you to see all job results without receiving a task.

Figure 53: View Job Step Related Data in Job Monitor

You have access to the same hyperlinks the person receiving a workflow task receives.

Figure 54: Prerequisites for SoD Integration

Before you can complete the SoD Integration, you must have completed all the steps listed above. Several role owners will have to complete these steps between them, or a single user who holds the broad GRC_ALL role.
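The SoD analysis that this integration consumes, and the mitigating controls described in the Access Control Integration for Shared Master Data section (a control ID, an access risk, a mitigation monitor and a mitigation approver), as one added Python example. This is not the Access Control rule engine and not SAP's delivered rule set: the functions, actions, risks, roles, users, controls and the validity date on a mitigation assignment are all constructed assumptions. It shows the core of a risk analysis, where a risk exists when a user can execute at least one action from every function in a conflicting set, and which violations remain open for Process Control because no valid control covers that user for that risk.

```python
"""Added example: segregation-of-duties analysis with mitigating controls.

Illustrative Python, not the Access Control rule engine. Functions, actions,
risks, roles, users and controls are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Set

# A function is a named bundle of actions (transaction codes here; assumed).
FUNCTIONS: Dict[str, FrozenSet[str]] = {
    "VENDOR_MAINTAIN": frozenset({"XK01", "XK02", "FK02"}),
    "INVOICE_POST": frozenset({"FB60", "MIRO"}),
    "PAYMENT_RUN": frozenset({"F110"}),
    "PO_CREATE": frozenset({"ME21N"}),
}


@dataclass(frozen=True)
class AccessRisk:
    risk_id: str
    functions: FrozenSet[str]  # a user holding every one of these has the risk
    level: str
    description: str


RISKS = [
    AccessRisk("P001", frozenset({"VENDOR_MAINTAIN", "INVOICE_POST"}), "high",
               "Create a fictitious vendor and post invoices to it"),
    AccessRisk("P002", frozenset({"INVOICE_POST", "PAYMENT_RUN"}), "high",
               "Post and pay invoices without independent review"),
    AccessRisk("P003", frozenset({"PO_CREATE", "INVOICE_POST"}), "medium",
               "Order goods and post the invoice for them"),
]

ROLES: Dict[str, Set[str]] = {
    "Z_AP_CLERK": {"FB60", "MIRO"},
    "Z_VENDOR_MDM": {"XK01", "XK02"},
    "Z_TREASURY": {"F110"},
    "Z_BUYER": {"ME21N"},
}


@dataclass(frozen=True)
class MitigatingControl:
    """A control ID, the access risk it mitigates, and its monitor and approver."""
    control_id: str
    risk_id: str
    monitor: str
    approver: str

    def __post_init__(self):
        if not self.monitor or not self.approver:
            raise ValueError(f"{self.control_id}: monitor and approver are both required")


@dataclass(frozen=True)
class Mitigation:
    """Assignment of a control to a user; valid_to is an assumed validity end."""
    user: str
    control_id: str
    valid_to: date


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    level: str
    mitigated_by: Optional[str]  # control ID, or None if the risk is open


def functions_held(actions: Set[str]) -> Set[str]:
    """A function counts as held if the user can run at least one of its actions."""
    return {name for name, acts in FUNCTIONS.items() if acts & actions}


def analyse(assignments: Dict[str, Set[str]], controls: Iterable[MitigatingControl],
            mitigations: List[Mitigation], today: date) -> List[Violation]:
    """Report every (user, risk) where the user holds all conflicting functions.
    A violation is covered only by a control for that same risk, assigned to
    that user, and still valid today; anything else leaves it open."""
    by_id = {c.control_id: c for c in controls}
    violations = []
    for user, role_names in assignments.items():
        held = functions_held(set().union(*(ROLES[r] for r in role_names)))
        for risk in RISKS:
            if not risk.functions <= held:
                continue
            cover = None
            for m in mitigations:
                ctrl = by_id.get(m.control_id)
                if m.user == user and ctrl and ctrl.risk_id == risk.risk_id and m.valid_to >= today:
                    cover = ctrl.control_id
                    break
            violations.append(Violation(user, risk.risk_id, risk.level, cover))
    return violations


def unmitigated(violations: List[Violation]) -> List[Violation]:
    """What would be handed to Process Control as open access risk."""
    return [v for v in violations if v.mitigated_by is None]


# Constructed sample data.
REVIEW_DATE = date(2011, 6, 1)
ASSIGNMENTS = {
    "ALICE": {"Z_AP_CLERK", "Z_VENDOR_MDM"},
    "BOB": {"Z_AP_CLERK", "Z_TREASURY"},
    "CAROL": {"Z_BUYER", "Z_AP_CLERK"},
    "DAVE": {"Z_BUYER"},
}
CONTROLS = [MitigatingControl("MC-P001-01", "P001", monitor="AUDIT1", approver="CFO")]
MITIGATIONS = [
    Mitigation("ALICE", "MC-P001-01", date(2011, 12, 31)),
    Mitigation("BOB", "MC-P001-01", date(2011, 12, 31)),  # covers P001, not BOB's P002
]

if __name__ == "__main__":
    for v in analyse(ASSIGNMENTS, CONTROLS, MITIGATIONS, REVIEW_DATE):
        print(v)
```

On the sample data ALICE's P001 is mitigated, while BOB (assigned a control for the wrong risk) and CAROL remain open; run the same analysis after the control's validity end and ALICE's risk is open again, which is why a periodic SoD job rather than a one-off check is what Process Control should consume.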

Risk Management Integration

Risk Management integrates with several other systems to help users identify and manage risk from one location.

Figure 55: Risk Management Integration Overview

Risk Management - SAP Project System Integration

Project System Integration allows you to:

• Trigger automatic creation of a project definition in Project System from Risk Management
• Track the status of the project definition from the remote Project System system

A Risk Manager is not required to have any Project System background to create a project out of a Risk Management response. The project is actually maintained by a Project Manager or another responsible person, and Risk Managers may only track the current status of the project they created. The current status is obtained by a periodic background job. To see it, the Risk Manager just opens the response.

Figure 56: Integration with project system: Process Flow

Plant Maintenance Integration

Some responses for risks require that service, maintenance, or quality inspection procedures be performed on technical objects or fixed assets. Automatic creation of Plant Maintenance notifications directly from Risk Management can therefore be helpful.

Figure 57: Risk Management Integration with Plant Maintenance

The Risk Manager is not required to have any Plant Maintenance background to create a notification out of a Risk Management response. The notification is actually processed by a Plant Maintenance manager or another responsible person, and the Risk Manager may only track the current status of the notification created. The current status is obtained by a periodic background job. To see it, the Risk Manager just opens the response.

Figure 58: Response Automation - Integration with SAP Plant Maintenance:Process Flow

Environmental Health & Safety Integration

Some enterprise risks relate to the environment and worker safety. SAP has a separate solution, Environmental Health & Safety, in which such risks can be processed by solution-specific mechanisms that operational risk management lacks. Having these risks in Risk Management as well lets users track all enterprise risks in one application (Risk Management). Analysis Automation creates an Environmental Health & Safety risk assessment out of a risk analysis in Risk Management, tracks its probability and severity values, and replicates them to the corresponding analysis parameters according to rules predefined in Customizing.

Figure 59: Environmental Health & Safety Integration Overview

Note: A Risk Manager is not required to have any Environmental Health & Safety background to create an Environmental Health & Safety risk assessment out of a risk analysis. The risk assessment is actually processed by an Environmental Health & Safety manager or another responsible person, and the Risk Manager may only track the current probability and impact level of the risk he or she created. Current values are obtained by a periodic background job. To see them, the Risk Manager just opens the analysis.

Figure 60: Analysis Automation - Integration with Environmental Health &Safety: Process Flow

Risk Management - Issue Management Integration

Issue Management allows the management of issues identified outside of the standard testing and assessment process.

Figure 61: Issue Management Integration

Features include:

• Enables a reporting process for risk and compliance related issues outside of standard evaluation processes
• Supports central categorization and management of issues
• Allows flexible determination of appropriate responses/remediation procedures
• Provides enterprise-wide visibility of issues and their remediation statuses

Note: Ad hoc issues can be created at the Aggregation of Deficiencies and Sign-Off levels, but they are currently not taken into account there. If you create an issue while working on these tasks, no error message is displayed.

Policy Management Integration

You can set up automatic updates of response completeness for all responses created based on a policy. Each time the policy status is updated, the response completeness is updated accordingly.

To customize the automatic update of response completeness based on policy status, execute transaction SPRO and choose Risk Management → Response and Enhancement Plan → Responses for Policies → Link Policy Status and Response Completeness. Then execute the task Policy Status and Response Completeness link.

Lesson Summary

You should now be able to:• Discuss how particular applications integrate with the GRC 10.0 solution

Unit Summary

You should now be able to:
• Explain how SAP BusinessObjects Governance, Risk, and Compliance solutions contribute to improved performance
• Identify compliance regulations from various regions and the importance of an integrated solution
• Identify key governance, risk, and compliance processes supported in GRC 10.0
• Explain the business benefits of an integrated solution
• Describe a business example of how the GRC solution addresses the issue of disconnects between risks, policies, and compliance
• Identify and describe key benefits of enhancements to the GRC 10.0 solution
• Discuss how particular applications integrate with the GRC 10.0 solution

Test Your Knowledge

1. How can you begin to leverage your Governance, Risk, and Compliance programs to optimize performance?
Choose the correct answer(s).
□ A Know your business
□ B Know business-related risks
□ C Know compliance and policy requirements
□ D Know what reserves your company has for litigation

2. SAP BusinessObjects GRC solutions are comprised of three main areas of capabilities:
Choose the correct answer(s).
□ A Avoid
□ B Analyze
□ C Monitor
□ D Manage

3. Continuous Transaction Monitoring helps you to confidently manage and reduce access risk enterprise-wide.
Determine whether this statement is true or false.
□ True
□ False

4. Continuous Transaction Monitoring provides protection against fraud, waste, misuse, and errors.
Determine whether this statement is true or false.
□ True
□ False

5. Compliance regulations can be specific to a particular region or country, or may be applicable to multiple regions.
Determine whether this statement is true or false.
□ True
□ False

6. Implementing policies and supporting regulatory mandates at the departmental level is an example of ________.
Fill in the blanks to complete the sentence.

7. The Enterprise Risk Management process allows management to prioritize scarce resources to mitigate the company's highest risk areas.
Determine whether this statement is true or false.
□ True
□ False

8. Which component in the SAP BusinessObjects GRC solution supports Compliance Management by providing documentation of compliance structures and related compliance initiatives?
Choose the correct answer(s).
□ A Risk Management
□ B Access Control
□ C Process Control
□ D Global Trade Services

9. Which component in the SAP BusinessObjects GRC solution provides the ability to manage and monitor user privileges?
Choose the correct answer(s).
□ A Risk Management
□ B Access Control
□ C Process Control
□ D Global Trade Services

10. When it comes to managing governance, risk, and compliance efforts, GRC Convergence helps companies:
Choose the correct answer(s).
□ A Reduce costs and required resources
□ B Reduce risk exposure
□ C Reduce reporting requirements
□ D Improve overall business performance

11. Enterprise GRC enables organizations to more efficiently manage across the disciplines of risk management, compliance management, audit management, policy management, and access management.
Determine whether this statement is true or false.
□ True
□ False

12. The unified Risk Management, Access Control, and Process Control data model and technology platform enables optional sharing of selected risk and compliance data and functions because some customers prefer a silo approach.
Determine whether this statement is true or false.
□ True
□ False

13. Streamlined user navigation with shared work centers emphasizes each component rather than function.
Determine whether this statement is true or false.
□ True
□ False

14. The Configurable User Interface allows configuration to determine:
Choose the correct answer(s).
□ A Field status by application components
□ B Field status by regulation
□ C A and B
□ D None of the above; programming is required

15. Considering the business use and purpose of the Access Control solution, which of the following would be logical integrations?
Choose the correct answer(s).
□ A HR Triggers
□ B SAP Issue Management
□ C Identity Management
□ D SAP Crystal Reports

16. SoD Integration is between which solution components?
Choose the correct answer(s).
□ A Process Control and Risk Management
□ B Access Control and Risk Management
□ C Process Control and Access Control
□ D Process Control, Access Control, and Risk Management

17. With a shared organization hierarchy, you can configure whether an organization view is used for one solution component or shared between all GRC components.
Determine whether this statement is true or false.
□ True
□ False

Answers

1. How can you begin to leverage your Governance, Risk, and Complianceprograms to optimize performance?

Answer: A, B, C

Knowledge of your business, related risks, and compliance and policyrequirements are the starting point to leveraging your Governance, Risk, andCompliance programs to optimize performance.

2. SAP BusinessObjects GRC solutions are comprised of three main areas of capabilities:

Answer: B, C, D

Analyze, Manage, and Monitor are the three main areas of capabilities.

3. Continuous Transaction Monitoring helps you to confidently manage and reduceaccess risk enterprise-wide.

Answer: False

The statement is false. Access Risk Management helps you to confidentlymanage and reduce access risk enterprise-wide.

4. Continuous Transaction Monitoring provides protection against fraud, waste,misuse, and errors.

Answer: True

The statement is true.

5. Compliance regulations can be specific to a particular region or country, or maybe applicable to multiple regions.

Answer: True

The statement is true.

6. Implementing policies and supporting regulatory mandates at the departmental level is an example of fragmentation.

Answer: fragmentation

Implementing policies and supporting regulatory mandates at the departmentallevel is an example of fragmentation.

7. The Enterprise Risk Management process allows management to prioritizescarce resources to mitigate the company's highest risk areas.

Answer: True

The statement is true.

8. Which component in the SAP BusinessObjects GRC solution supportsCompliance Management by providing documentation of compliance structuresand related compliance initiatives?

Answer: C

The correct answer is Process Control.

9. Which component in the SAP BusinessObjects GRC solution provides theability to manage and monitor user privileges?

Answer: B

The answer is Access Control.

10. When it comes to managing governance, risk, and compliance efforts, GRCConvergence helps companies:

Answer: A, B, D

GRC Convergence helps companies reduce costs and required resources, reducerisk exposure, and improve overall business performance.

11. Enterprise GRC enables organizations to more efficiently manage across thedisciplines of risk management, compliance management, audit management,policy management, and access management.

Answer: True

The statement is true.

12. The unified Risk Management, Access Control, and Process Control datamodel and technology platform enables optional sharing of selected risk andcompliance data and functions because some customers prefer a silo approach.

Answer: True

The statement is true.

13. Streamlined user navigation with shared work centers emphasizes eachcomponent rather than function.

Answer: False

Streamlined user navigation with shared work centers emphasizes function rather than component.

14. The Configurable User Interface allows configuration to determine:

Answer: C

The Configurable User Interface allows configuration to determine field status by application components and by regulation.

15. Considering the business use and purpose of the Access Control solution, which of the following would be logical integrations?

Answer: A, C, D

HR Triggers, Identity Management, and SAP Crystal Reports are all logical integrations with the Access Control solution.

16. SoD Integration is between which solution components?

Answer: C

SoD Integration is between Process Control and Access Control.


17. With a shared organization hierarchy, you can configure whether an organization view is used for one solution component or shared between all GRC components.

Answer: True

The statement is true.


Unit 2: Information Architecture, Security and Authorizations

Unit Overview
This unit describes the GRC 10.0 information architecture and the harmonization goals of that architecture. In addition, authorization concepts and role requirements are discussed as they relate to the user interface.

Unit Objectives
After completing this unit, you will be able to:

• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture
• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface

Unit Contents
Lesson: Information Architecture ... 68
Exercise 1: Connect to the System and View IMG Structure ... 73
Lesson: Security and Authorizations ... 80
Exercise 2: View Role Assignments ... 85


Lesson: Information Architecture

Lesson Overview
This lesson presents the information architecture for the GRC 10.0 solution.

Lesson Objectives
After completing this lesson, you will be able to:

• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture

Business Example
You want to do some online shopping and access a retailer's web site to get started. The buttons, tabs, and other navigation items that you see in the user interface represent the information architecture.

The Importance of the Information Architecture

Figure 62: Information Architecture Example


The information architecture (IA) determines the presentation of user interface elements:

• Menu structure
• Tabs
• Navigation alternatives

The IA presents the application or solution to its users and defines much of the initial user experience.

Harmonization Goals of the Information Architecture
Goals of information architecture harmonization include:

• Providing a consistent user experience across GRC
• Optimizing for users of multiple GRC applications by minimizing redundancy and streamlining navigation
• Enhancing the user experience while providing users the tools needed to do their job

Figure 63: Information Architecture Harmonization

The goal of information architecture harmonization for GRC solutions is to provide an easier and more consistent user experience for users who may interact with multiple GRC products.


Major Changes to the Information Architecture

Figure 64: Prior Information Architecture: PC 3.0, RM 3.0, and AC 5.3

In these screen samples from prior versions, navigation is separate for each component. This required that users with cross-product responsibilities navigate each application separately, and even log in multiple times if Access Control, Process Control, and Risk Management were used. This also resulted in multiple inboxes, multiple document searches, and so on.

The GRC 10.0 Information Architecture:

• Provides direct navigation to Access Control, Process Control and Risk Management components.
• Eliminates redundant menu items.
• Varies based upon user authorization.
• Allows configuration changes for the SAP NetWeaver Portal component or SAP NetWeaver Business Client software.


Figure 65: GRC 10.0 Information Architecture in SAP NetWeaver Portal Component

This is an excerpt of the updated information architecture as seen in the SAP NetWeaver Portal component by a user with authorization crossing multiple underlying components. As an example of streamlining, note that there is a single shared work inbox (no longer multiple inboxes) for AC, PC and RM. The user navigates the work centers (tabs) based upon the tasks they need to perform or the data they need to access, not the product they wish to use. This better supports the concept of GRC convergence and facilitates appropriate sharing of data and functions.


Figure 66: GRC 10.0 Information Architecture in the SAP NetWeaver Business Client

This is a similar look at the information architecture, this time as seen in the SAP NetWeaver Business Client software.


Exercise 1: Connect to the System and View IMG Structure

Exercise Objectives
After completing this exercise, you will be able to:
• Connect to the training environment
• Log on to the GRC 10.0 system ABAP client, NWBC and SAP GUI
• Identify high-level nodes for IMG Customizing

Business Example
You must connect to the training environment before you can log on to the GRC 10.0 system for this course. You will use the ABAP client and the NetWeaver Business Client (or SAP GUI) to perform various tasks.

From the ABAP client view, you will access the IMG, where customizing activities are performed, and view its high-level structure.

Task 1: Connect to the Training Environment
1. Open a browser window and enter http://mywts.sap.com in the address bar.

2. Choose EMEA, then choose Training under CORP.

3. Enter the logon and password provided by your instructor.

Task 2: Connect to the Remote Desktop
1. Click Start → Run. Enter mstsc.exe in the Run dialog box, then click OK.

2. Enter the system name provided by your instructor, then click Connect.

3. Enter Train-XX as your user name, where XX is your Participant ID. Enter password initial.

4. Click OK in the Language Dialog box.


Task 3: Log On to the GRC 10.0 ABAP Client
1. Click Start → SAP Logon.

Note: If you do not see the Start button in the lower left corner, you may need to maximize the Remote Desktop window.

2. Choose ZMC, then click Log On.

3. Enter User ID XX_Custom, where XX is your Participant ID. Enter password initial, then click the system OK icon or press Enter.

4. Note the user menu items displayed for your User ID.

Task 4: Access the IMG for Customizing Activities
1. Enter Transaction SPRO in the transaction field, then click the system OK icon.

2. Click SAP Reference IMG.

3. Expand the Governance, Risk, and Compliance node.

4. View the nodes listed here. This is where you perform customizing activities and maintain configuration settings for the GRC solution. Note that there are nodes for shared configuration settings as well as for solution component-specific configuration settings.

Task 5: Log on to the NetWeaver Business Client
1. Enter NWBC (/nnwbc) in the transaction entry field, then click the system OK icon.

2. On the Launch NetWeaver Business Client screen, choose /nwbc.

3. Click through the various work centers and note the work sets under each one.

Task 6: Log On via the SAP GUI
1. Log out of the NWBC, then re-execute /nnwbc from the ABAP client.

2. On the Launch NetWeaver Business Client screen, copy the address of the page, ending with the forward slash after nwbc. What you copy should be similar to this: http://wdfbmt2299.wdf.sap.corp:51080/nwbc/

3. From the Remote Desktop Start menu, choose Start → Programs → SAP NWBC→ Version 3.0 → NetWeaver Business Client.

4. Click the New icon for a new connection.


5. Enter the following information:

Note: For the URL, paste the one you copied.

Data: Data Value
Name: ZMC
URL: http://wdf-bmt2299.wdf.sap.corp:51080/nwbc/
Type: ABAP
Client: 800
Language: EN

6. Click OK when finished.

7. You can now use this SAP GUI to log on to NWBC.

Note: You can still log on to NWBC by using Steps 1 - 5 of this exercise.

Result
You should now be able to access and log on to the training environment, remote desktop, ABAP client, IMG, and SAP GUI.


Solution 1: Connect to the System and View IMG Structure

Task 1: Connect to the Training Environment
1. Open a browser window and enter http://mywts.sap.com in the address bar.
2. Choose EMEA, then choose Training under CORP.
3. Enter the logon and password provided by your instructor.

Task 2: Connect to the Remote Desktop
1. Click Start → Run. Enter mstsc.exe in the Run dialog box, then click OK.
2. Enter the system name provided by your instructor, then click Connect.
3. Enter Train-XX as your user name, where XX is your Participant ID. Enter password initial.
4. Click OK in the Language Dialog box.

Task 3: Log On to the GRC 10.0 ABAP Client
1. Click Start → SAP Logon.

Note: If you do not see the Start button in the lower left corner, you may need to maximize the Remote Desktop window.

2. Choose ZMC, then click Log On.
3. Enter User ID XX_Custom, where XX is your Participant ID. Enter password initial, then click the system OK icon or press Enter.
4. Note the user menu items displayed for your User ID.

Task 4: Access the IMG for Customizing Activities
1. Enter Transaction SPRO in the transaction field, then click the system OK icon.
2. Click SAP Reference IMG.
3. Expand the Governance, Risk, and Compliance node.
4. View the nodes listed here. This is where you perform customizing activities and maintain configuration settings for the GRC solution. Note that there are nodes for shared configuration settings as well as for solution component-specific configuration settings.

Task 5: Log on to the NetWeaver Business Client
1. Enter NWBC (/nnwbc) in the transaction entry field, then click the system OK icon.
2. On the Launch NetWeaver Business Client screen, choose /nwbc.
3. Click through the various work centers and note the work sets under each one.

Task 6: Log On via the SAP GUI
1. Log out of the NWBC, then re-execute /nnwbc from the ABAP client.
2. On the Launch NetWeaver Business Client screen, copy the address of the page, ending with the forward slash after nwbc. What you copy should be similar to this: http://wdfbmt2299.wdf.sap.corp:51080/nwbc/
3. From the Remote Desktop Start menu, choose Start → Programs → SAP NWBC → Version 3.0 → NetWeaver Business Client.
4. Click the New icon for a new connection.
5. Enter the following information:

Note: For the URL, paste the one you copied.

Data: Data Value
Name: ZMC
URL: http://wdf-bmt2299.wdf.sap.corp:51080/nwbc/
Type: ABAP
Client: 800
Language: EN

6. Click OK when finished.
7. You can now use this SAP GUI to log on to NWBC.

Note: You can still log on to NWBC by using Steps 1 - 5 of this exercise.

Result
You should now be able to access and log on to the training environment, remote desktop, ABAP client, IMG, and SAP GUI.


Lesson Summary

You should now be able to:
• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture


Lesson: Security and Authorizations

Lesson Overview
This lesson presents high-level authorization engine changes for GRC 10.0 and explains what types of authorizations are used for different components. It also identifies key roles and how they are used, as well as what controls the user interface from an authorization perspective.

Lesson Objectives
After completing this lesson, you will be able to:

• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface

Business Example
A company segregates its access risk management based upon a specific attribute of a user (User Group, Company, Connector ID) and wishes to limit the items that a reviewer can view. SAP BusinessObjects GRC 10.0 contains permission (authorization object) level security to help limit the data that a user can access, whether this is in a view-only or maintenance mode. This also drives what the user will have access to in regard to Work Centers (both in general and what can be accessed within a Work Center) and Reports.


Authorization Overview

Figure 67: Authorization Changes for GRC 10.0

Figure 68: GRC 10.0 Access and IMG Configuration

Figure 69: Process Control or Risk Management Access


Figure 70: GRC Solutions and Access Control

Figure 71: Authorization Types by Component


Figure 72: Key Roles

Authorizations and the User Interface

Figure 73: What Can You See?


The above shows the My Home work center as displayed in the SAP NetWeaver Portal component. The look would be similar, but not identical, in the SAP NetWeaver Business Client (NWBC) software.

1. Work centers are defined in PCD roles for the Portal and in PFCG roles for NWBC. The work centers are fixed in each base role. SAP delivers these roles, but they can be modified by the customer.

2. The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver LaunchPad application. You may see this in the IMG configuration.

3. The service map is then generated dynamically based upon user authorization. That is, if the user does not have authorization to see given application folders or applications, they will be hidden from view (not grayed out).

Figure 74: Reminder About How What you See is Determined

As a reminder, what the end user sees is determined by a combination of factors, as shown above.

• The product licensing determines access to components
• The UI framework configuration controls what fields are displayed to each underlying component
• Roles/authorizations determine more granular access, all the way down to individual business entities (such as Control XYZ in Organization ABC) in the case of Process Control and Risk Management.


Exercise 2: View Role Assignments

Exercise Objectives
After completing this exercise, you will be able to:
• Locate and review role assignments for business subprocesses via GRC Role Assignment
• Locate and review role assignments for business subprocesses via Organizations

Business Example
To access specific Process Control or Risk Management data or transactions, you must ensure that entity-level authorizations are assigned within the application. This will permit actions on specific entities, such as organizations, processes, subprocesses, controls, and risks.

Task 1: Review Role Assignments in the Access Management Work Center
Review role assignments for business subprocesses via GRC Role Assignment in the Access Management work center.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

2. Execute Transaction NWBC (/nnwbc).

3. Choose /nwbc.

4. Choose Business Processes located under GRC Role Assignments in the Access Management work center.

5. Enter a time frame of Year 2011, then click Apply.

6. Choose the Subprocess role level.

7. Accept the default value of Yes for Show Cross-Regulation Roles.

8. Add a filter for Organizations. Choose 00-GRC General Accounting.

9. Choose Next to continue to the Assign Roles section.

10. Review the roles assigned to the subprocesses, which are listed under the Object header. On this screen, you will see role assignments for Access Control, Process Control, and Risk Management. A white space in the role column means that no role is assigned.


11. Roles have been assigned, so do not save your changes. Click Cancel to exit.

Task 2: Review Role Assignments in the Master Data Work Center
Review role assignments for business subprocesses via Organizations in the Master Data work center.

1. Navigate to the Master Data work center.

2. Choose Organizations under the Organizations work set.

3. Choose any organization from the list, then click Open. Note that the triangle next to the organization means that there are sub-organizations and the dot next to the organization means that it is the lowest level. Use today's date.

4. Choose the Subprocess tab, then click Assign Subprocess.

5. Choose one or more subprocess(es) from the list, then click Next.

6. Without making any changes, click Next on both the Shared Services Used and Shared Services Offered steps.

7. Change the Allow Local Changes value to Yes, then click Next.

8. Without making any changes, click Finish on the Select Controls step.

9. Choose the first subprocess from the list, then click Open. You should see the Subprocess details.

10. Click the Roles tab. Choose a role from the list, then click Assign.

11. Select the XX_CUSTOM user from the list, where XX is your Participant ID, then click OK.

12. You should now see XX_CUSTOM listed under the Name column next to the subprocess you chose.

13. Normally you would Save your changes, but for the purposes of this exercise, choose Cancel. Do not Save your changes.


Solution 2: View Role Assignments

Task 1: Review Role Assignments in the Access Management Work Center
Review role assignments for business subprocesses via GRC Role Assignment in the Access Management work center.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.
2. Execute Transaction NWBC (/nnwbc).
3. Choose /nwbc.
4. Choose Business Processes located under GRC Role Assignments in the Access Management work center.
   a) Choose Access Management → GRC Role Assignments → Business Processes
5. Enter a time frame of Year 2011, then click Apply.
6. Choose the Subprocess role level.
7. Accept the default value of Yes for Show Cross-Regulation Roles.
8. Add a filter for Organizations. Choose 00-GRC General Accounting.
   a) Choose Add next to Organizations.
   b) Choose the organization 00-GRC General Accounting, then click the Right arrow to move this organization to the Selected list.
   c) Click OK.
9. Choose Next to continue to the Assign Roles section.
10. Review the roles assigned to the subprocesses, which are listed under the Object header. On this screen, you will see role assignments for Access Control, Process Control, and Risk Management. A white space in the role column means that no role is assigned.
11. Roles have been assigned, so do not save your changes. Click Cancel to exit.

Task 2: Review Role Assignments in the Master Data Work Center
Review role assignments for business subprocesses via Organizations in the Master Data work center.

1. Navigate to the Master Data work center.
2. Choose Organizations under the Organizations work set.
3. Choose any organization from the list, then click Open. Note that the triangle next to the organization means that there are sub-organizations and the dot next to the organization means that it is the lowest level. Use today's date.
4. Choose the Subprocess tab, then click Assign Subprocess.
5. Choose one or more subprocess(es) from the list, then click Next.
6. Without making any changes, click Next on both the Shared Services Used and Shared Services Offered steps.
7. Change the Allow Local Changes value to Yes, then click Next.
8. Without making any changes, click Finish on the Select Controls step.
9. Choose the first subprocess from the list, then click Open. You should see the Subprocess details.
10. Click the Roles tab. Choose a role from the list, then click Assign.
11. Select the XX_CUSTOM user from the list, where XX is your Participant ID, then click OK.
12. You should now see XX_CUSTOM listed under the Name column next to the subprocess you chose.
13. Normally you would Save your changes, but for the purposes of this exercise, choose Cancel. Do not Save your changes.


Lesson Summary

You should now be able to:
• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface


Unit Summary
You should now be able to:
• Explain what the information architecture is and why it is important
• Explain the harmonization goals of the information architecture
• Describe major changes to the GRC 10.0 information architecture
• Identify required PFCG roles
• Ensure requirements are met to access GRC 10.0 solutions
• Describe how authorizations affect what is seen in the user interface


Test Your Knowledge

1. The __________ determines the presentation of user interface elements.
Fill in the blanks to complete the sentence.

2. A key feature of the GRC 10.0 information architecture is:
Choose the correct answer(s).
□ A Separate work inboxes for each solution component
□ B A single shared work inbox for all solution components
□ C A single shared work inbox for Process Control and Risk Management
□ D A single shared work inbox for Process Control and Access Control

3. Users navigate the work centers based upon the tasks they need to perform or the data they need to access, not the product they wish to use.
Determine whether this statement is true or false.
□ True
□ False

4. While authorization concepts are similar to prior releases, changes in GRC 10.0 solutions required enhancements to the __________ engine.
Fill in the blanks to complete the sentence.

5. To access GRC 10.0 solutions, you must have at least the following: 1. Portal authorization or NWBC authorization; 2. Applicable PFCG base roles; and 3. PFCG role(s) relative to specific components (AC, PC, RM).
Determine whether this statement is true or false.
□ True
□ False

6. If you use Access Control 10.0 with other GRC solution components, you can leverage this functionality to:
Choose the correct answer(s).
□ A Create GRC users
□ B Assign and manage PFCG roles used with GRC
□ C Perform SoD analysis for PFCG role authorizations
□ D Perform SoD analysis for entity-level authorization


7. The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver LaunchPad application.
Determine whether this statement is true or false.
□ True
□ False

8. Which of the following determine what users see in the GRC 10.0 user interface?
Choose the correct answer(s).
□ A Product Licensing
□ B User Interface Framework Configuration
□ C Roles and Authorizations
□ D Work Centers


Answers

1. The information architecture determines the presentation of user interface elements.

Answer: information architecture

The correct answer is information architecture.

2. A key feature of the GRC 10.0 information architecture is:

Answer: B

A key feature of the GRC 10.0 information architecture is a single shared work inbox for all solution components.

3. Users navigate the work centers based upon the tasks they need to perform or the data they need to access, not the product they wish to use.

Answer: True

The statement is true.

4. While authorization concepts are similar to prior releases, changes in GRC 10.0 solutions required enhancements to the authorization engine.

Answer: authorization

The answer is authorization.

5. To access GRC 10.0 solutions, you must have at least the following: 1. Portal authorization or NWBC authorization; 2. Applicable PFCG base roles; and 3. PFCG role(s) relative to specific components (AC, PC, RM).

Answer: True

The statement is true.

6. If you use Access Control 10.0 with other GRC solution components, you can leverage this functionality to:

Answer: A, B, C

SoD risk analysis cannot be performed for entity-level authorization.


7. The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver LaunchPad application.

Answer: True

The statement is true.

8. Which of the following determine what users see in the GRC 10.0 user interface?

Answer: A, B, C

Product licensing, the user interface framework configuration, and roles and authorizations determine what users see in the GRC 10.0 user interface.


Unit 3: The GRC 10.0 User Interface

Unit Overview
This unit presents an overview of work centers, including their purpose and use. Harmonized navigation concepts are discussed, as well as how authorizations affect what users can view and access. Hands-on activities include navigating the work centers and assigning a delegate.

Unit Objectives
After completing this unit, you will be able to:

• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal
• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management

Unit Contents
Lesson: Work Centers ... 100
Exercise 3: Navigate the Work Centers and Assign a Delegate ... 113
Lesson: Harmonized Navigation in the GRC 10.0 Portal ... 121
Exercise 4: Harmonized Navigation ... 125


Lesson: Work Centers

Lesson Overview
This lesson introduces work centers and their purpose.

Lesson Objectives
After completing this lesson, you will be able to:

• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal

Business Example
A user in SAP BusinessObjects GRC 10.0 is responsible for managing several different areas of the solution. Utilizing the Work Center concept, the user can navigate easily to the specific area that is desired and have similar actions available on the screen. This helps the user find the specific task more efficiently and also makes managing the security between different types of users easier.

Work Centers Overview
Work centers provide a central access point for GRC 10.0. They can be organized based on what the customer has been licensed to operate. Delivered work centers are shown below.

Figure 75: Work Centers in GRC 10.0


The default delivered system contains the work centers displayed above. However, your system administrator can customize the work centers to support your organization's preferred structures. Depending on the products that you have licensed, different components of the GRC solution are displayed (Access Control, Process Control, or Risk Management).

My Home Work Center
The My Home work center allows you to:

• View, access, and perform workflow tasks assigned to you, including viewing completed reports that you scheduled.
• Perform document searches across all documents (including document content) for which you have authorization.
• Assign delegates to perform your tasks or activities.
• View and process your user data.

The service maps and applications under each work center are controlled by your access. If you are a delegate and choose to work as that person, you will inherit their authorization.

Figure 76: My Home Work Center in the Portal

My Home provides a central location to view and act on your assigned tasks and accessible objects: organizations, processes, subprocesses, and controls. Depending on the products you have licensed, the My Home work center contains these sections:


Work Inbox - The Work Inbox lists the tasks you need to process for GRC applications.

Ad Hoc Tasks - From the My Home work center, the Ad Hoc Tasks section enables you to process risk proposals, incidents and issues, depending on the applications to which you have access.

My Objects - In the My Objects section of the My Home work center, you can maintain the GRC objects to which you have access.

Document Search - Document Search enables you to search for documents across GRC solutions, including business entities and compliance initiatives. The search includes documents and hyperlinks, which you can add as attachments. This can only be used if you have activated TREX.

My Delegation - You can delegate the access rights and tasks of one user, the delegator, to another user, the delegate, for a specific time period or indefinitely. This relates to PC and RM applications.

Delegator: From the My Home work center, click My Delegation. Assign one or more delegates for the desired period.

Delegate: From My Home, click Change Delegation. Choose to work on behalf of yourself or on behalf of another person.

Figure 77: My Delegation for Process Control and Risk Management

The delegation described above applies to Process Control and Risk Management only. It does not apply to Access Control, which has its own delegation function.

Delegation neither removes access from the delegator nor forwards the delegator's tasks. Instead, it allows the delegate to work with the same access and tasks as if he or she were the delegator. The delegator and the delegate can both be logged on at the same time, as long as they do not work on the same objects or activities concurrently.
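The delegation semantics just described (time-bounded, inherited rather than forwarded, both parties able to work concurrently) are easy to get wrong in an access-control design, so the following Python models them explicitly. It is an added example, not SAP GRC code: the user IDs, authorizations and tasks are constructed, and the rule that a delegate working on behalf of someone acts with the delegator's authorizations only (their own set aside for that session) is this model's assumption. Every delegated action is logged with both the real user and the identity acted for, which is what an audit trail of delegated work must preserve regardless of product.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data: hypothetical users, authorizations and tasks (not SAP-delivered).
AUTHORIZATIONS = {
    "ICMAN":  {"PC_CONTROL_ASSESS", "PC_ISSUE_REMEDIATE", "PC_REPORTS"},
    "PRCOWN": {"PC_PROCESS_DISPLAY", "PC_REPORTS"},
}
TASKS = {
    "ICMAN":  ["Assess control C-100", "Close issue I-42"],
    "PRCOWN": ["Confirm subprocess SP-7"],
}


@dataclass(frozen=True)
class Delegation:
    delegator: str
    delegate: str
    start: date
    end: Optional[date]   # None means indefinite


# ICMAN delegates to PRCOWN for June 2024 only (constructed record).
DELEGATIONS = [Delegation("ICMAN", "PRCOWN", date(2024, 6, 1), date(2024, 6, 30))]
AS_OF = date(2024, 6, 10)          # a day inside the delegation window
AFTER_WINDOW = date(2024, 7, 1)    # a day after the window has closed


def active_delegation(delegate: str, delegator: str, today: date) -> Optional[Delegation]:
    """Return the delegation that lets `delegate` act for `delegator` on `today`, if any."""
    for d in DELEGATIONS:
        if (d.delegate == delegate and d.delegator == delegator
                and d.start <= today and (d.end is None or today <= d.end)):
            return d
    return None


def can_act_for(delegate: str, delegator: str, today: date) -> bool:
    return active_delegation(delegate, delegator, today) is not None


def effective_view(user: str, on_behalf_of: Optional[str], today: date) -> dict:
    """What the UI should expose to `user`.

    Working as themselves, users see their own authorizations and tasks. Working on
    behalf of a delegator, they see the delegator's authorizations and tasks instead
    (model assumption). The delegator's TASKS entry is never modified: nothing is
    forwarded, so the delegator keeps seeing the same tasks in parallel.
    """
    if on_behalf_of is None or on_behalf_of == user:
        return {"actor": user, "acting_as": user,
                "authorizations": set(AUTHORIZATIONS[user]), "tasks": list(TASKS[user])}
    if active_delegation(user, on_behalf_of, today) is None:
        raise PermissionError(f"{user} has no valid delegation from {on_behalf_of} on {today}")
    return {"actor": user, "acting_as": on_behalf_of,
            "authorizations": set(AUTHORIZATIONS[on_behalf_of]),
            "tasks": list(TASKS[on_behalf_of])}


def perform(log: list, user: str, on_behalf_of: Optional[str], action: str, today: date) -> dict:
    """Authorize one action against the effective view and append an audit entry that
    names both the real user (actor) and the identity acted for (acting_as)."""
    view = effective_view(user, on_behalf_of, today)
    if action not in view["authorizations"]:
        raise PermissionError(f"{view['acting_as']} is not authorized for {action}")
    entry = {"date": today.isoformat(), "actor": view["actor"],
             "acting_as": view["acting_as"], "action": action}
    log.append(entry)
    return entry


if __name__ == "__main__":
    audit = []
    # Delegate works on behalf of the delegator; delegator keeps working as usual.
    print(perform(audit, "PRCOWN", "ICMAN", "PC_CONTROL_ASSESS", AS_OF))
    print(perform(audit, "ICMAN", None, "PC_ISSUE_REMEDIATE", AS_OF))
    print(can_act_for("PRCOWN", "ICMAN", AFTER_WINDOW))
```

The two checks worth carrying into any real implementation are the ones the model enforces: the delegation window is validated on every action, not only when the delegate switches Work on Behalf of, and the audit entry carries the actor separately from the identity acted for, so that a reviewer can later distinguish what ICMAN did from what PRCOWN did in ICMAN's name.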


GRC100 Lesson: Work Centers

Master Data Work Center

Depending on the GRC products you have licensed, the Master Data work center contains the following sections:

• Organizations
• Regulations and Policies
• Objectives
• Activities and Processes
• Mitigating Controls
• Risks and Responses
• Accounts
• Consistency Checks
• Reports

The service map and applications under each work center are controlled by your access.

Figure 78: Master Data Work Center in the Portal

The Organizations section of the Master Data work center enables you to define and work with the organizations of your company.

Regulations and Policies gives you visibility into your compliance framework and access to end-to-end policy management.


Objectives define statements of desired results or purposes. Business objectives relate to strategies and risks, while control objectives are assigned to relevant subprocesses.

The Activities and Processes section is where you maintain your company's activities, business processes, subprocesses, and controls.

The Risks and Responses section of the Master Data work center enables you to maintain your organization's risk, opportunity, and response catalogs.

Use the Accounts section to create account groups that are relevant to your compliance initiatives.

Consistency checks are a set of reports that help ensure data validity. These are especially useful during initial implementation and after significant changes. Currently these are available for the Risk Management product only.

The Reports section includes links to master data reports.

Rule Setup Work Center

Depending on the GRC products you have licensed, the Rule Setup work center provides links to the following areas:

• Access Rule Maintenance
• Critical Access Rules
• Exception Access Rules
• Generated Rules
• Continuous Monitoring
• Scheduling
• Legacy Automated Monitoring
• Reports

The service map and applications under each work center are controlled by your access.

104 © 2011 SAP AG. All rights reserved. 2011

GRC100 Lesson: Work Centers

Figure 79: Rule Setup Work Center in the Portal

The Access Rule Maintenance section includes the ability to maintain rule sets, access risks and functions.

The Critical Access Rules section allows you to identify individual roles and profiles that pose an access risk to your company. If your system uses profiles, you may have defined profiles that pose an access risk. Make sure that you designate these profiles as critical profiles.

The Exception Access Rules section allows you to eliminate false positives based on organizational-level restrictions. This functionality was created to aid exception-based reporting for organizational rules and supplemental rules.

The Generated Rules section shows generated rules and related details, including the access risks and functions from which each rule was generated.

The Continuous Monitoring section (not displayed above due to space) gives you access to data sources, business rules, assignment of business rules and Key Risk Indicators (KRIs).

The Scheduling section enables you to maintain schedules for continuous control monitoring and track job progress in the areas of monitoring and automated testing.

The Legacy Automated Monitoring section allows you to continue to use automated rules created in Process Control 3.0.

The Reports section of this work center includes reports specifically related to continuous control monitoring setup and execution.


Setup Work Center for Access Control

The Setup work center is available in Access Control and provides links to the following areas:

• Access Rule Maintenance
• Exception Access Rules
• Critical Access Rules
• Generated Rules
• Organizations
• Mitigating Controls
• Superuser Assignment
• Superuser Maintenance
• Access Owners

Figure 80: Setup Work Center in NWBC

The Access Rule Maintenance section allows you to manage access rule sets, functions, and the access risks used to identify access violations.

Under Exception Access Rules, you can manage rules that supplement access rules.

The Critical Access Rules section allows you to define additional rules that identify access to critical roles and profiles.


The Generated Rules section allows you to find and view generated access rules.

Under Organizations, you can maintain the company's organization structure for compliance and risk management with related assignments.

The Mitigating Controls section allows you to manage controls to mitigate segregation of duty, critical action, and critical permission access violations.

Superuser Assignment is where you assign owners to firefighter IDs and assign firefighter IDs to users.

Superuser Maintenance is where you maintain firefighter, controller, and reason code assignments.

Under Access Owners, you manage owner privileges for access management capabilities.

Assessments Work Center

Depending on the GRC products you have licensed, the Assessments work center contains the following sections:

• Surveys
• Manual Test Plans
• Risk Assessments
• Incident Management
• Scenario Management
• Assessment Planning
• Reports


Figure 81: Assessments Work Center in the Portal

The Surveys section of the Assessments work center provides setup of survey components. Within GRC, surveys are used to obtain information on the existence and evaluation of risks (Risk Management) or the adequacy of controls (Process Control). Surveys are used to carry out assessments of objects such as risks, activities, controls and policies.

The Manual Test Plans section allows you to create manual test plans, which consist of test steps performed to determine whether a control is operating effectively.

The Risk Assessments section enables you to create activities to be evaluated for risks and opportunities, such as projects or business processes.

The Incident Management section provides documentation of risks that have occurred, that is, incidents.

In Scenario Management, you can define and simulate scenarios for Risk Management.

In the Assessment Planning section you plan and release workflow tasks for the various evaluations and other assessments.

The Reports section of the Assessments work center provides a variety of reports related to assessment results.


Access Management Work Center

Depending on the GRC products you have licensed, the Access Management work center has the following sections:

• GRC Role Assignments
• Access Risk Analysis
• Mitigated Access
• Access Requests Administration
• Role Management
• Role Mining
• Role Mass Maintenance
• Superuser Assignment
• Superuser Maintenance
• Access Request Creation
• Compliance Certification Reviews
• Alerts
• Scheduling

Figure 82: Access Management Work Center in the Portal


In the Access Risk Analysis section, you evaluate your systems for access risks across user, role, HR object and organization levels. An access risk is two or more actions or permissions that, when available to a single user or single role, profile, organizational level, or HR object, create the possibility of error or irregularity.

Mitigated Access allows you to identify access risks, assess the level of those risks, and assign mitigating controls to users, roles, and profiles to mitigate the access rule violations.
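The access risk definition above (a combination of actions that is harmless in isolation but creates an error or fraud opportunity when one identity holds all of them) is what a rule engine evaluates, and Mitigated Access is a filter layered on its output rather than a change to the rules. The Python below is an added example that models both, not SAP GRC's rule engine: the function, risk, rule set and control IDs are constructed, the rule that a function counts as enabled when the user holds any one of its actions is a simplification of the real action-and-permission logic, and a mitigating control is honoured only while its validity period is still open, so an expired control does not silently suppress a finding. It also includes a rule set comparison of the kind offered under Access Rule Maintenance, reporting which rule set each risk belongs to.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Function:
    id: str
    actions: frozenset      # actions (e.g. transaction codes) that realise the function


@dataclass(frozen=True)
class AccessRisk:
    id: str
    rule_set: str
    functions: tuple        # function IDs that conflict when held together
    level: str


# Constructed catalog with hypothetical IDs; not SAP-delivered rule content.
FUNCTIONS = {
    "AP01": Function("AP01", frozenset({"FK01", "FK02"})),   # maintain vendor master
    "AP02": Function("AP02", frozenset({"F110"})),           # run payment program
    "PR01": Function("PR01", frozenset({"ME21N"})),          # create purchase order
    "BS01": Function("BS01", frozenset({"SU01"})),           # user administration
}
RISKS = [
    AccessRisk("P001", "GLOBAL", ("AP01", "AP02"), "High"),      # SoD: vendor master + payment
    AccessRisk("P002", "GLOBAL", ("PR01", "AP02"), "Medium"),    # SoD: purchase order + payment
    AccessRisk("B001", "BASIS",  ("BS01",), "Critical"),         # critical action: one function
    AccessRisk("P001", "CUSTOM", ("AP01", "AP02"), "High"),      # same risk copied to a custom rule set
]
# {(user, risk_id): (mitigating control ID, valid-to date)}; constructed assignments.
MITIGATIONS = {
    ("JDOE", "P001"): ("C-AP-001", date(2030, 12, 31)),
    ("JDOE", "P002"): ("C-AP-002", date(2020, 1, 1)),   # expired: must not hide the finding
}
AS_OF = date(2024, 6, 1)


def enabled_functions(user_actions: frozenset) -> set:
    """A function is enabled when the user holds at least one of its actions
    (simplification: real engines also evaluate permission values per action)."""
    return {fid for fid, f in FUNCTIONS.items() if f.actions & user_actions}


def analyze_user(user: str, user_actions: frozenset, rule_set: str) -> list:
    """User-level analysis: every risk of `rule_set` whose functions are all enabled."""
    enabled = enabled_functions(user_actions)
    findings = []
    for risk in RISKS:
        if risk.rule_set == rule_set and all(f in enabled for f in risk.functions):
            kind = "SoD" if len(risk.functions) > 1 else "Critical action"
            findings.append({"user": user, "risk": risk.id, "rule_set": rule_set,
                             "kind": kind, "level": risk.level, "status": "Open"})
    return findings


def apply_mitigations(findings: list, today: date) -> list:
    """Mark findings covered by a mitigating control that is still valid on `today`.
    The finding stays in the report: mitigation documents an accepted risk, it does
    not make the conflict disappear."""
    result = []
    for f in findings:
        control = MITIGATIONS.get((f["user"], f["risk"]))
        if control is not None and today <= control[1]:
            f = dict(f, status="Mitigated", control=control[0])
        result.append(f)
    return result


def compare_rule_sets(a: str, b: str) -> dict:
    """Which risk IDs exist only in rule set a, only in rule set b, or in both."""
    ids_a = {r.id for r in RISKS if r.rule_set == a}
    ids_b = {r.id for r in RISKS if r.rule_set == b}
    return {"only_a": sorted(ids_a - ids_b), "only_b": sorted(ids_b - ids_a),
            "both": sorted(ids_a & ids_b)}


if __name__ == "__main__":
    # JDOE holds vendor maintenance, payment run and purchase order creation (constructed).
    jdoe = frozenset({"FK01", "F110", "ME21N"})
    for row in apply_mitigations(analyze_user("JDOE", jdoe, "GLOBAL"), AS_OF):
        print(row)
    print(compare_rule_sets("GLOBAL", "CUSTOM"))
```

Two details in the model carry over to any review of real analysis output: a mitigated violation is still a violation and should remain visible in reports rather than be dropped, and the validity period of each mitigating control must be checked against the analysis date, because a control that lapsed last year mitigates nothing today.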

Access Request Administration manages access assignments, accounts, and reviewprocesses.

Role Management allows you to manage roles from multiple systems in a singleunified repository.

Role Mining groups features that allow you to target roles of interest, analyze them, and take action.

Role Mass Maintenance lets you import and change authorizations and attributes for multiple roles.

Superuser Assignment allows you to assign firefighter IDs to owners and assign firefighters and controllers to firefighter IDs.

In the Superuser Maintenance section, you can perform activities such as researching and maintaining firefighters and controllers, and assigning reason codes by system.

Access Request Creation provides creation of access assignments and accounts.

Compliance Certification Reviews supports review of users' access, risk violations and role assignments.

Alerts are generated by the application for execution of critical or conflicting actions.

The Scheduling section, the same one that is offered in the Rule Setup work center, enables you to maintain schedules for continuous control monitoring and automated testing, and to track related job progress.

Reports and Analytics Work Center

Depending on the GRC products you have licensed, the Reports and Analytics work center has the following sections:

• Management
• Compliance
• Risks and Opportunities
• Access Management
• Incidents and Losses
• Print Reports
• BI Analytics

Figure 83: Reports and Analytics Work Center in the Portal

These are the delivered reports. When you execute reports, you only see objects you are authorized to view.


Exercise 3: Navigate the Work Centers and Assign a Delegate

Exercise Objectives

After completing this exercise, you will be able to:
• Identify work sets and key tasks in various work centers
• Assign a delegate

Business Example

Work centers contain work sets that include links to functions across the GRC solution. Your view and available choices depend on your user authorizations.

You are the Internal Control Manager working in Process Control and must assign another user to fill in for you while you are on vacation. You identify the Cross Regulation Process Owner as your delegate.

Task 1: Explore the Access Control Setup Work Center

Explore the Setup work center, which is unique to Access Control.

1. Log on as XX_CUSTOM, where XX is your Participant ID.

2. Go to the Setup work center and explore the work sets. Click some of the links under each one and explore the various screens.

3. Choose Rule Set under the Access Rule Maintenance work set. Note the Rule Set IDs and descriptions.

4. Choose Rule Set Comparison, then enter two rule sets to compare.

5. Choose which components to compare, then click Run in Foreground.

6. On the Analysis Results screen, you can see which rule set each Access Risk belongs to in the Rule Set ID column.

7. Close the current window and the Rule Set Comparison window to return to the Setup work center.


Task 2: View the Organization Hierarchy

Access the Organization Hierarchy from two separate work centers.

1. Still in the Setup work center, choose Organizations under the Organizations work set.

2. Find the organization XX_GRC GLB INTL, where XX is your Participant ID. Expand the organization hierarchy nodes to view the levels of the hierarchy. Remember that this Setup work center is specific to Access Control.

3. Close the Organization Hierarchy window and navigate to the Master Data work center.

4. Choose Organizations under the Organizations work set.

5. Note that you are viewing the same Organization Hierarchy information from this Master Data work center as you saw in the Setup work center.

Task 3: Explore the Reports and Analytics Work Center

Navigate to the Reports and Analytics work center and view the work sets contained therein.

1. Go to the Reports and Analytics work center. Note the work sets in this work center and the links under each one.

2. Note that the report links you see in this work center are for Access Control, Risk Management, and Process Control, and that access is grouped in this one place for any of these components.

3. Explore the remaining work centers and choose some of the links under the various work sets to examine what can be done in each one.

Task 4: Assign a Delegate

Log in as the Internal Control Manager and assign a delegate to process tasks in your absence.

1. Exit the application and log in as the Internal Control Manager, XX_G_ICMAN, where XX is your Participant ID.

2. Review the various work centers to see the activities that are available to ICMAN.

3. Choose the My Home work center, then find the My Delegation work set.

4. Click My Delegation to open the Assign Own Delegate window.


5. Click Create.

6. Click the search icon in the User field to choose a user who will act as your delegate.

7. Choose XX_G_PRCOWN from the list, where XX is your Participant ID, then click OK.

8. Enter today’s date for the Start Date.

9. Enter any future date for the End Date.

10. Click Save. You should now see XX_G_PRCOWN listed on the Assign Own Delegate screen.

Task 5: Change Settings to Work as the Assigned Delegate

You are the delegate named by the Internal Control Manager and must now log on and change your settings to work on behalf of this person.

1. Exit the system, then log in as XX_G_PRCOWN, where XX is your Participant ID.

2. View the work centers and activities that are available to XX_G_PRCOWN.

3. Choose Change Delegation, located at the top right of the My Home work center next to your user welcome message.

4. Ensure that any other sessions are closed, and verify this by checking the All Sessions Closed check box.

5. Change the Work on Behalf of setting to XX_G_ICMAN, and then click Save.

6. You should now see a message displayed at the top of the My Home work center indicating that you are working on behalf of XX_G_ICMAN. Note that you now have access to all the activities and screens assigned to the ICMAN role.


Solution 3: Navigate the Work Centers and Assign a Delegate

Task 1: Explore the Access Control Setup Work Center

Explore the Setup work center, which is unique to Access Control.

1. Log on as XX_CUSTOM, where XX is your Participant ID.

2. Go to the Setup work center and explore the work sets. Click some of the links under each one and explore the various screens.

3. Choose Rule Set under the Access Rule Maintenance work set. Note the Rule Set IDs and descriptions.

4. Choose Rule Set Comparison, then enter two rule sets to compare.

5. Choose which components to compare, then click Run in Foreground.

6. On the Analysis Results screen, you can see which rule set each Access Risk belongs to in the Rule Set ID column.

7. Close the current window and the Rule Set Comparison window to return to the Setup work center.

Task 2: View the Organization Hierarchy

Access the Organization Hierarchy from two separate work centers.

1. Still in the Setup work center, choose Organizations under the Organizations work set.

a) Choose Setup → Organizations work set → Organizations

2. Find the organization XX_GRC GLB INTL, where XX is your Participant ID. Expand the organization hierarchy nodes to view the levels of the hierarchy. Remember that this Setup work center is specific to Access Control.

3. Close the Organization Hierarchy window and navigate to the Master Data work center.

4. Choose Organizations under the Organizations work set.

a) Choose Master Data work center → Organizations work set → Organizations

5. Note that you are viewing the same Organization Hierarchy information from this Master Data work center as you saw in the Setup work center.

Task 3: Explore the Reports and Analytics Work Center

Navigate to the Reports and Analytics work center and view the work sets contained therein.

1. Go to the Reports and Analytics work center. Note the work sets in this work center and the links under each one.

2. Note that the report links you see in this work center are for Access Control, Risk Management, and Process Control, and that access is grouped in this one place for any of these components.

3. Explore the remaining work centers and choose some of the links under the various work sets to examine what can be done in each one.


Task 4: Assign a Delegate

Log in as the Internal Control Manager and assign a delegate to process tasks in your absence.

1. Exit the application and log in as the Internal Control Manager, XX_G_ICMAN, where XX is your Participant ID.

a) Log off the NWBC or SAP GUI, whichever you are using.

b) Use the system Exit icon to log off the ZMC system.

c) At the SAP Logon window, choose ZMC and click Log On.

d) Enter XX_G_ICMAN as the user ID and initial as the password.

e) Click the system OK icon or press Enter.

2. Review the various work centers to see the activities that are available to ICMAN.

3. Choose the My Home work center, then find the My Delegation work set.

a) Choose My Home → My Delegation work set

4. Click My Delegation to open the Assign Own Delegate window.

5. Click Create.

6. Click the search icon in the User field to choose a user who will act as your delegate.

7. Choose XX_G_PRCOWN from the list, where XX is your Participant ID, then click OK.

8. Enter today's date for the Start Date.

9. Enter any future date for the End Date.

10. Click Save. You should now see XX_G_PRCOWN listed on the Assign Own Delegate screen.

Task 5: Change Settings to Work as the Assigned Delegate

You are the delegate named by the Internal Control Manager and must now log on and change your settings to work on behalf of this person.

1. Exit the system, then log in as XX_G_PRCOWN, where XX is your Participant ID.

a) Log off the NWBC or SAP GUI, whichever you are using.

b) Use the system Exit icon to log off the ZMC system.

c) At the SAP Logon window, choose ZMC and click Log On.

d) Enter XX_G_PRCOWN as the user ID and initial as the password.

e) Click the system OK icon or press Enter.

2. View the work centers and activities that are available to XX_G_PRCOWN.

3. Choose Change Delegation, located at the top right of the My Home work center next to your user welcome message.

a) Choose My Home → Change Delegation

4. Ensure that any other sessions are closed, and verify this by checking the All Sessions Closed check box.

5. Change the Work on Behalf of setting to XX_G_ICMAN, and then click Save.

6. You should now see a message displayed at the top of the My Home work center indicating that you are working on behalf of XX_G_ICMAN. Note that you now have access to all the activities and screens assigned to the ICMAN role.


Lesson Summary

You should now be able to:
• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal


Lesson: Harmonized Navigation in the GRC 10.0 Portal

Lesson Overview

In this lesson you will see examples of how authorization affects what users see.

Lesson Objectives

After completing this lesson, you will be able to:

• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management

Business Example

In the Rule Setup work center, a Control Owner for Process Control would see things like Data Sources, Business Rules, and Business Rule Assignment for Continuous Monitoring, while a Risk Manager would be more interested in viewing KRI templates and KRI Implementation information in the Continuous Monitoring section.

In this example, an Access Control user won't see the Continuous Monitoring section at all, but would see sections like Access Rule Maintenance and Critical Access Rules.


How Authorizations Affect What Users See

Examples of What Users See in Access Control, Process Control, and Risk Management

Figure 84: Rule Setup as Viewed by a Control Owner in Process Control

A Control Owner can see Process Control specific tasks, but not Access Control and Risk Management tasks.

Note: The open space on the lower left is caused by use of SAP NetWeaver Floorplan Manager, which does not allow service map contents to flow seamlessly from one side to the other. Depending upon the user authorization and layout of application groups within the service map, these white spaces may appear; they do not indicate a problem.


Figure 85: Rule Setup as Viewed by a Risk Manager in Risk Management

A Risk Manager can only see Risk Management Tasks and Reports.

Figure 86: Rule Setup as Viewed by an Access Control User

This Access Control user will only see those objects included in the assigned role.


Exercise 4: Harmonized Navigation

Exercise Objectives

After completing this exercise, you will be able to:
• Examine various user views based on different authorizations
• Experience how harmonized navigation improves accessibility
• Personalize the Work Inbox

Business Example

Users who only need to see certain aspects of each application will see only those components when logging onto the system. Users with broader authorizations will have access to more work centers and work sets, with additional choices under each one.

Users can personalize the view of the Work Inbox to meet their business needs.

Task 1: View Access Control-Specific Objects

Log on as an Access Control user with limited authorizations and view Access Control-specific work centers and work sets.

1. Log on to the ABAP client (ZMC) as ACDISPLAYXX, where XX is your Participant ID, using password initial.

2. Access the NWBC or SAP GUI.

3. Note the work centers across the top of the screen. Which work center is unique to Access Control?

4. Note the work sets and links displayed under each work center and that they are specific to Access Control functions.

Remember that there is shared master data. For example, the organizations you see here are the same ones you can see from the Process Control-specific and Risk Management-specific user interfaces.

Task 2: View Process Control-Specific Objects

Log on as a Process Control user with limited authorizations and view Process Control-specific work centers and work sets.

1. Exit the GRC 10.0 system and log on to the ABAP client as XX_S_CTLTST, where XX is your Participant ID. Use the password initial.


2. Launch the NWBC.

3. Note the work centers. Which ones were not seen in the Access Control-specific user interface?

4. Note the work sets and links displayed under each work center and that they are specific to Process Control functions.

5. Why is the Access Management work center empty?

Task 3: View Risk Management-Specific Objects

Log on as a Risk Management user with limited authorizations and view Risk Management-specific work centers and work sets.

1. Exit the GRC 10.0 system and log on to the ABAP client as XX_RISKMAN, where XX is your Participant ID. Use the password initial.

2. Launch the NWBC.

3. Note the work centers, work sets, and functions.

4. Navigate to the Assessments work center, then note that Risk Assessments is the work set. What type of assessments would be done in Process Control that are not listed here?

Task 4: Explore a Harmonized View

Log on as a user with broader authorizations to explore a harmonized view of work centers and work sets.

1. Exit the GRC 10.0 system, then log on as XX_CUSTOM, where XX is your Participant ID. Remember that you changed your password in an earlier exercise when you first logged onto the system.

2. Launch NWBC.

3. Explore the work centers, work sets, and functions. You can now see work centers across GRC, including Access Control, Process Control, Risk Management, and Global Trade Services.

4. Choose the Assessments work center, then click Planner under the Assessment Planning work set.

5. In the list of plans, you can see that some are for Risk Management assessments and some are for Process Control assessments.

6. Navigate to the My Home work center, then choose My Profile under the My Profile work set.


7. Note the role assignments for your user. The Request Access button allows you to request access for you or another user and to run a simulation so that you can see any access risks potentially resulting from the change.

Task 5: Personalize your Work Inbox

In this task, you will personalize your work inbox. You will create a query, a new query category, and personalize inbox settings.

1. You should already be logged on as XX_CUSTOM.

2. Choose the My Home work center, then click the Work Inbox link.

3. Click Personalize at the top right of the window.

4. Choose Add Category to add a category for your Active Queries. Enter a description for this category: XX Category, where XX is your Participant ID, then choose OK.

5. In the Personalization window, add a query to your Active Queries under your new category.

6. Click Apply to save changes.

7. Define a new query, using the Define New Query link at the top right of the screen.

8. Choose an Object Type.

9. Choose an existing query as a template.

10. Click Next.

11. Set Status equal to Ready.

12. Enter 01.01.2010 to 01.01.2011 for the Created On and Created To dates.

13. Click Next.

14. Enter XX Query for the Description, where XX is your Participant ID.

15. Activate Query should be checked.

16. Choose the category you created for your Work Inbox: XX Category.

17. Click Finish.

18. Return to the Work Inbox, and then choose Personalize. You should see your new query, XX Query, listed under your new category.

19. Click Cancel to return to the Work Inbox.


20. Choose Settings, located above the elevator box.

21. Select some settings from the Hidden Columns list to add to the Displayed Columns list. Change the sequence if you'd like and choose the number of columns that will be fixed to the left of the display. Click OK when finished.

22. You should now see your chosen columns and indicated display order in the Work Inbox view.


Solution 4: Harmonized Navigation

Task 1: View Access Control-Specific Objects

Log on as an Access Control user with limited authorizations and view Access Control-specific work centers and work sets.

1. Log on to the ABAP client (ZMC) as ACDISPLAYXX, where XX is your Participant ID, using password initial.

a) Exit NWBC by logging off, then exit the ABAP client using the system Exit icon. Use the SAP Logon window to log on to ZMC as the new user.

2. Access the NWBC or SAP GUI.

a) From the ABAP client, enter /nnwbc, then click the system OK icon or press Enter.

3. Note the work centers across the top of the screen. Which work center is unique to Access Control?

a) The Setup work center.

4. Note the work sets and links displayed under each work center and that they are specific to Access Control functions.

Remember that there is shared master data. For example, the organizations you see here are the same ones you can see from the Process Control-specific and Risk Management-specific user interfaces.

Task 2: View Process Control-Specific Objects

Log on as a Process Control user with limited authorizations and view Process Control-specific work centers and work sets.

1. Exit the GRC 10.0 system and log on to the ABAP client as XX_S_CTLTST, where XX is your Participant ID. Use the password initial.

2. Launch the NWBC.

a) /nnwbc


3. Note the work centers. Which ones were not seen in the Access Control-specific user interface?

a) Master Data, Rule Setup, Assessments

4. Note the work sets and links displayed under each work center and that they are specific to Process Control functions.

5. Why is the Access Management work center empty?

a) Access Management is an Access Control function and your current user authorizations only allow you to view Process Control-specific functions.

Task 3: View Risk Management-Specific Objects

Log on as a Risk Management user with limited authorizations and view Risk Management-specific work centers and work sets.

1. Exit the GRC 10.0 system and log on to the ABAP client as XX_RISKMAN, where XX is your Participant ID. Use the password initial.

2. Launch the NWBC.

a) /nnwbc

3. Note the work centers, work sets, and functions.

4. Navigate to the Assessments work center, then note that Risk Assessments is the work set. What type of assessments would be done in Process Control that are not listed here?

a) Control Risk Assessments

Task 4: Explore a Harmonized View

Log on as a user with broader authorizations to explore a harmonized view of work centers and work sets.

1. Exit the GRC 10.0 system, then log on as XX_CUSTOM, where XX is your Participant ID. Remember that you changed your password in an earlier exercise when you first logged onto the system.


2. Launch NWBC.

a) /nnwbc

3. Explore the work centers, work sets, and functions. You can now see work centers across GRC, including Access Control, Process Control, Risk Management, and Global Trade Services.

4. Choose the Assessments work center, then click Planner under the Assessment Planning work set.

a) Choose Assessments → Assessment Planning → Planner

5. In the list of plans, you can see that some are for Risk Management assessments and some are for Process Control assessments.

6. Navigate to the My Home work center, then choose My Profile under the My Profile work set.

a) Choose My Home → My Profile work set → My Profile

7. Note the role assignments for your user. The Request Access button allows you to request access for you or another user and to run a simulation so that you can see any access risks potentially resulting from the change.

Task 5: Personalize your Work Inbox

In this task, you will personalize your work inbox. You will create a query, a new query category, and personalize inbox settings.

1. You should already be logged on as XX_CUSTOM.

2. Choose the My Home work center, then click the Work Inbox link.

a) Choose My Home → Work Inbox

3. Click Personalize at the top right of the window.

a) Personalize is a link on the screen.

Continued on next page

2011 © 2011 SAP AG. All rights reserved. 131

Unit 3: The GRC 10.0 User Interface GRC100

4. Choose Add Category to add a category for your Active Queries. Enter adescription for this category: XX Category, where XX is your Participant ID,then choose OK.

a)

5. In the Personalization window, add a query to your Active Queries under yournew category.

a)

6. Click Apply to save changes.

a)

7. Define a new query, using the Define New Query link at the top right of thescreen.

a)

8. Choose an Object Type.

a)

9. Choose an existing query as a template.

a)

10. Click Next.

a)

11. Set Status equal to Ready.

a)

12. Enter 01.01.2010 to 01.01.2011 for the Created On and Created To dates.

a)

13. Click Next.

a)

14. Enter XX Query for the Description, where XX is your Participant ID.

a)

15. Activate Query should be checked.

a)

Continued on next page

132 © 2011 SAP AG. All rights reserved. 2011

GRC100 Lesson: Harmonized Navigation in the GRC 10.0 Portal

16. Choose the category you created for your Work Inbox: XX Custom.

a)

17. Click Finish.

a)

18. Return to the Work Inbox, and then choose Personalize. You should see yournew query, XX Query, listed under your new category.

a)

19. Click Cancel to return to the Work Inbox.

a)

20. Choose Settings, located above the elevator box.

a)

21. Select some settings from the Hidden Columns list to add to the DisplayedColumns list. Change the sequence if you’d like and choose the number ofcolumns that will be fixed to the left of the display. Click OK when finished.

a)

22. You should now see your chosen columns and indicated display order in theWork Inbox view.

a)

Lesson Summary

You should now be able to:
• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management

Unit Summary
You should now be able to:
• Identify and access key components of the GRC 10.0 User Interface
• Describe the purpose of each work center
• Describe how to control work center display for NWBC vs Portal
• Describe how authorizations affect what users see
• Describe examples of what users see in Access Control, Process Control, and Risk Management

Test Your Knowledge

1. Work centers:
Choose the correct answer(s).
□ A Provide a central access point for GRC 10.0
□ B Are independent of customer licensing
□ C Can be customized by a system administrator
□ D Do not contain shared tasks across solution components

2. The My Home work center is used as an entry point for any other work centers.
Determine whether this statement is true or false.
□ True
□ False

3. The My Home work center allows you to:
Choose the correct answer(s).
□ A View, access, and perform workflow tasks, whether assigned to you or not
□ B View completed reports scheduled by anyone
□ C Perform document searches across all documents, including document content
□ D Assign delegates to perform your tasks or activities

4. Assigning a delegate from the My Home work center does not apply to Access Control, which has its own delegation function.
Determine whether this statement is true or false.
□ True
□ False

5. Which of the following work centers is only used in Access Control?
Choose the correct answer(s).
□ A Rule Setup
□ B Master Data
□ C Assessments
□ D Setup

6. In the Rule Setup work center, a Control Owner for Process Control would be interested in seeing things like Data Sources, Business Rule Assignments for Continuous Monitoring, and KRI templates.
Determine whether this statement is true or false.
□ True
□ False

7. An Access Control user won't see the Continuous Monitoring section of the Rule Setup work center, but would see sections like Access Rule Maintenance and Critical Access Rules.
Determine whether this statement is true or false.
□ True
□ False

8. Users will only see those objects included in the assigned role.
Determine whether this statement is true or false.
□ True
□ False

Answers

1. Work centers:

Answer: A, C

Work centers provide a central access point for GRC 10.0 and can be customizedby a system administrator.

2. The My Home work center is used as an entry point for any other work centers.

Answer: False

The statement is false.

3. The My Home work center allows you to:

Answer: C, D

C and D are correct. The My Home work center also allows you to view, access,and perform workflow tasks that are assigned to you and view completed reportsthat were scheduled by you.

4. Assigning a delegate from the My Home work center does not apply to AccessControl, which has its own delegation function.

Answer: True

The statement is true.

5. Which of the following work centers is only used in Access Control?

Answer: D

The Setup work center is unique to Access Control.

6. In the Rule Setup work center, a Control Owner for Process Control would beinterested in seeing things like Data Sources, Business Rule Assignments forContinuous Monitoring, and KRI templates.

Answer: False

The statement is false. A Risk Manager would be more interested in seeingKRI templates.


7. An Access Control user won't see the Continuous Monitoring section of the RuleSetup work center, but would see sections like Access Rule Maintenance andCritical Access Rules.

Answer: True

The statement is true.

8. Users will only see those objects included in the assigned role.

Answer: True

The statement is true.


Unit 4: Common Functions and Data

Unit Overview
This unit discusses sharing master data and common functions across GRC solutions, the User Interface Configuration Framework, local field changes, and setting field status for applications or regulations. Master data related implementation considerations for organizations are also presented.

Unit Objectives
After completing this unit, you will be able to:

• Describe how common functions are shared across GRC solutions
• Explain which master data can be shared relative to common functions
• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations
• Discuss shared master data examples
• Discuss master data related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options

Unit Contents
Lesson: Common Functions and Data Overview ... 144
Lesson: User Interface Configuration Framework ... 151
Lesson: Shared Master Data ... 159
Exercise 5: View Shared Master Data Examples ... 167

Lesson: Common Functions and Data Overview

Lesson Overview
This lesson presents how GRC solutions share common functions and what master data can be shared across solutions relative to these functions.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe how common functions are shared across GRC solutions
• Explain which master data can be shared relative to common functions

Business Example
Your organization wants to use the GRC 10.0 solution to manage risk and compliance across the enterprise. Management would like to reduce working in silos by sharing common data elements, while building good governance, risk and compliance practices into core business processes.

Specific business needs include:

• Sharing of organization, process and control structures for compliance, risk and access management
• Supporting end-to-end processes that leverage these shared structures to better manage risk, lower compliance cost, and increase operational efficiencies
• Promoting proactive management of risks through effective decision support, timely risk responses, and alignment of multiple stakeholder groups

Sharing Common Functions Across GRC Solutions

Figure 87: Overview of Common Functions

Figure 88: Policy Management Overview

Policy Management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0.

The end-to-end process begins with creating and approving policies, which often involves attaching or linking the policy documents. You indicate the scope of each policy by assigning it to organizations, processes or activities, and people. You may also associate controls or ERM risks with the policy. Thereafter, you distribute the policy to those affected by it and, if desired, you may require formal acceptance or acknowledgment. In addition, you may require that survey assessments or quizzes be completed to indicate understanding of the policy. Information on acceptance, assessments or quizzes can be reported to demonstrate the level of compliance. Because policies may be widely distributed throughout an organization, an SAP logon is not required to receive the policy or to acknowledge it.

Figure 89: Ad Hoc Issues Overview

Ad hoc issues management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0.

This feature is designed to enable identification, remediation and tracking of issues not associated with scheduled compliance evaluations. Examples of ad hoc issues include external audit findings, issues discovered by inspections, and problems reported by individuals outside formal compliance processes. If a reported issue is not fully complete, it is routed via workflow to an issue administrator, who reviews, completes and assigns the issue. Thereafter, the issue is handled like an evaluation-based issue reported in PC: it may be remediated and then closed. You may associate issues with a variety of business entities such as organizations, risks, regulations, and controls. You may also assign a source to the issue; the available sources are configurable in the IMG.

Figure 90: Content Lifecycle Management Overview

The Content Lifecycle Management (CLM) function allows external content tobe packaged and imported to the CLM repository. This external content could becompany data imported for the first time into the GRC solution during implementation,or it could be content developed by third parties.

Once imported to CLM, you can review the content, decide what to deploy, and resolveany content conflicts (if the content has been previously deployed). Deploy the contentyou select, then manage it as needed in GRC (currently RM and PC components). Asneeded, you may checkpoint and export the content managed in GRC and import itagain to the CLM repository. This is done so that it can be edited on a mass basis orused to compare your current content with updated external content you receive.


Shared Master Data Overview

Figure 91: Key Master Data Pre-GRC 10.0

In prior versions, sharing of master data was limited by different technical platforms.

Figure 92: Shared Master Data in GRC 10.0


In the GRC 10.0 solutions shown above, technical platforms unite on SAP NetWeaver(ABAP), enabling increased harmonization of key master data. Organization, processand control structures can now be shared across components, which supports a moreintegrated approach to governance, risk and compliance. Note that control extensionsare used to expand the control entity so it can be used for different purposes (forexample, as a control that mitigates access violations).

Figure 93: Integrated GRC Example

This example shows an integrated approach to detecting and preventing fraud related to the procure-to-pay process. In short, the company has identified a significant risk of fraud. While several types of risk responses are possible, the company has taken a hybrid approach: it reduces the risk through an updated security policy and controls the risk.

The controls include use of Access Control 10.0 to prevent most segregation of dutiesconflicts. Where SoD violations are identified, one or more mitigating controls areput in place or linked to controls already existing in Process Control. In addition, anautomated control in Process Control monitors the status of access risks in AccessControl to verify that access management is in place and operating effectively. Asin prior versions, controls in Process Control can be assessed or tested to ensureappropriate design and effectiveness.

Policies—in this example, a security policy—are managed in the common PolicyManagement component. As mentioned previously, Policy Management includes theability to gather acknowledgments or even quizzes from those affected by the policyto determine policy effectiveness.

Lesson Summary

You should now be able to:
• Describe how common functions are shared across GRC solutions
• Explain which master data can be shared relative to common functions

Lesson: User Interface Configuration Framework

Lesson Overview
This lesson presents how the User Interface Configuration Framework (UICF) enables you to maintain master data fields without programming.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations

Business Example
SAP delivers default behavior for GRC solution master data fields, but your organization has determined that some field behavior should be changed to better map to your existing processes and data. It is important that this not involve custom programming, as company policy severely limits SAP customization to facilitate later upgrades.

Note: Your team has proposed these changes:

Field                 Components   Regulation-Specific?   Field Status
Control Significance  PC           Yes - Financial        Required
                                   Yes - FCPA             Hidden
                                   Yes - Operational      Optional
Control Nature        All          No                     Hidden
Control Purpose       All          No                     Required

Each of these changes can be performed without programming using the UI Configuration Framework described in this section.

For the Control Significance field, you determine that it should be required forvarious regulations related to financial compliance, that it is not relevant at all for theForeign Corrupt Practices Act, and that it might be useful for operational complianceinitiatives. You do this via the regulation-specific configuration by first designating thefield as being specific to regulations, then by configuring the field status by regulation.

Your company does not consider the Control Nature field useful, so you want todisable it for all components. You determine that by default it is already hidden forAC, but that it is optional for both PC and RM. You configure the field status byapplication component to make the field status hidden also for PC and RM.

For the Control Purpose field (typically used to indicate whether a control is detectiveor preventive), you want to ensure that this field is required regardless of whichcomponent creates or maintains the control. You determine that by default this isrequired for PC, optional for RM, and hidden for AC. You configure the field status byapplication component to make the field status required for all components.

These changes involve configuration in the IMG and automatically update the userinterface. Therefore, this should be done and tested carefully in a non-productionsystem. It is best to severely limit changes after the system is in production.

User Interface Configuration Framework Overview

Figure 94: What the UICF Enables

Figure 95: Configuration Steps for User Interface Status at the Field Level

Figure 96: IMG Path for Configuration of UICF

The User Interface Configuration Framework settings are all maintained under the Maintain Field-Based Configuration node in the IMG.

Regulation-Specific Values

Figure 97: Regulation-Specific Configuration

Only those fields that exist in control table GRFNFLDRGSP (the fields that also appear in the F4 help list) can be regulation-specific fields. Keep in mind that regulation-specific fields relate to Process Control only.

Local Field Changes

Figure 98: Allow Local Change Configuration

Only those fields that exist in control table GRFNFLDLCHG (the fields that also appear in the F4 help list) can be set to allow local changes. Local Changes Allowed fields relate to PC only because they depend on the method of assigning subprocesses to organizations. That is, if during assignment of a subprocess to an organization the subprocess is set to not allow local changes (similar to assigning with reference in prior versions of PC), the settings here do not apply to that subprocess for that organization, nor to subordinate controls within that subprocess.

Setting Field Status for Applications or Regulations

Figure 99: Field Status Configuration by Application Component

Users can only maintain the UI status for those fields that exist in control tableGRFNFLD (also appears in the F4 help list for Field ID). The default UI field status isOptional.

The predefined Field UI Status Configuration by Application is maintained in the tableGRFNAPPFLD. It is recommended that you do not make changes directly to theGRFNAPPFLD table, but instead use this IMG activity.


Figure 100: Field Status Configuration by Regulation

Users can only maintain the UI status for those fields that exist in control tableGRFNFLDRGSP (also appear in the F4 help list for Field ID), which is configured byperforming the Regulation-Specific Configuration discussed earlier.

Once one or more regulation-specific fields have been maintained, they can be furtherconfigured here to set the field status by regulation, if desired. The default UI fieldstatus is Optional.

The predefined Field UI Status Configuration by Regulation is maintained in Controltable GRFNREGFLD. Currently the table GRFNREGFLD is empty, as SAP does notdeliver pre-configured UI status for different regulations.
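To make the resolution order concrete, here is an added example (not SAP code, and not taken from this handbook) that models the UICF control tables named in this lesson as in-memory dictionaries, filled with the proposed changes from the business example at the start of the lesson. Table and status names follow the lesson; the field IDs (CONTROL_SIGNIFICANCE and so on), the regulation keys, the entry in GRFNFLDLCHG, and the precedence rule (a regulation-specific status, which applies to PC only, takes priority over the status by application component, which in turn replaces the delivered default of Optional) are assumptions made for the example, not a description of the delivered ABAP logic. The validate_config function is the kind of consistency check worth running over such customizing before it is transported, since the lesson notes that these settings change the user interface directly.

```python
"""Model of UI Configuration Framework (UICF) field-status resolution.

Added example, not SAP code. The control tables named in the lesson
(GRFNFLD, GRFNAPPFLD, GRFNFLDRGSP, GRFNREGFLD, GRFNFLDLCHG) are modelled as
dictionaries and sets. Field IDs, regulation keys and the precedence order
are assumptions made for the example.
"""

OPTIONAL, REQUIRED, HIDDEN = "Optional", "Required", "Hidden"
VALID_STATUS = {OPTIONAL, REQUIRED, HIDDEN}
COMPONENTS = {"AC", "PC", "RM"}

# GRFNFLD: fields whose UI status may be maintained at all (constructed IDs).
GRFNFLD = {"CONTROL_SIGNIFICANCE", "CONTROL_NATURE", "CONTROL_PURPOSE"}

# GRFNAPPFLD: field status by application component, as it would look after
# applying the team's proposed changes. "was ..." gives the delivered
# default described in the lesson.
GRFNAPPFLD = {
    ("CONTROL_NATURE", "AC"): HIDDEN,     # delivered default
    ("CONTROL_NATURE", "PC"): HIDDEN,     # was Optional
    ("CONTROL_NATURE", "RM"): HIDDEN,     # was Optional
    ("CONTROL_PURPOSE", "AC"): REQUIRED,  # was Hidden
    ("CONTROL_PURPOSE", "PC"): REQUIRED,  # delivered default
    ("CONTROL_PURPOSE", "RM"): REQUIRED,  # was Optional
}

# GRFNFLDRGSP: fields flagged as regulation-specific (relevant to PC only).
GRFNFLDRGSP = {"CONTROL_SIGNIFICANCE"}

# GRFNREGFLD: field status by regulation. SAP delivers this table empty;
# the regulation keys here are constructed for the example.
GRFNREGFLD = {
    ("CONTROL_SIGNIFICANCE", "FINANCIAL"): REQUIRED,
    ("CONTROL_SIGNIFICANCE", "FCPA"): HIDDEN,
    ("CONTROL_SIGNIFICANCE", "OPERATIONAL"): OPTIONAL,
}

# GRFNFLDLCHG: fields that may be changed locally (PC only); constructed.
GRFNFLDLCHG = {"CONTROL_PURPOSE"}


def field_status(field, component, regulation=None):
    """Resolve the UI status of a field for one component.

    Assumed precedence:
      1. a field outside GRFNFLD cannot be configured (ValueError)
      2. for PC, a regulation-specific status from GRFNREGFLD wins, but only
         if the field is flagged in GRFNFLDRGSP and a status is maintained
      3. otherwise the status by component from GRFNAPPFLD
      4. otherwise the delivered default, Optional
    """
    if field not in GRFNFLD:
        raise ValueError(f"{field} is not in GRFNFLD and cannot be configured")
    if component not in COMPONENTS:
        raise ValueError(f"unknown application component {component}")
    if regulation is not None:
        if component != "PC":
            raise ValueError("regulation-specific field status relates to PC only")
        if field in GRFNFLDRGSP:
            status = GRFNREGFLD.get((field, regulation))
            if status is not None:
                return status
    return GRFNAPPFLD.get((field, component), OPTIONAL)


def local_change_allowed(field, component, subprocess_allows_local_changes):
    """Whether a field may be changed locally on a subprocess assigned to an
    organization. The setting relates to PC only and is ignored when the
    subprocess was assigned with local changes disallowed."""
    if component != "PC" or not subprocess_allows_local_changes:
        return False
    return field in GRFNFLDLCHG


def validate_config():
    """Return a list of customizing problems (empty means consistent):
    unknown fields or components, bad status values, and regulation entries
    for fields that were never flagged as regulation-specific."""
    problems = []
    for (field, comp), status in GRFNAPPFLD.items():
        if field not in GRFNFLD:
            problems.append(f"GRFNAPPFLD: {field} not in GRFNFLD")
        if comp not in COMPONENTS:
            problems.append(f"GRFNAPPFLD: unknown component {comp}")
        if status not in VALID_STATUS:
            problems.append(f"GRFNAPPFLD: bad status {status} for {field}/{comp}")
    for (field, reg), status in GRFNREGFLD.items():
        if field not in GRFNFLDRGSP:
            problems.append(f"GRFNREGFLD: {field} ({reg}) is not regulation-specific")
        if status not in VALID_STATUS:
            problems.append(f"GRFNREGFLD: bad status {status} for {field}/{reg}")
    for field in GRFNFLDRGSP | GRFNFLDLCHG:
        if field not in GRFNFLD:
            problems.append(f"{field} is flagged but not in GRFNFLD")
    return problems


if __name__ == "__main__":
    for args in [("CONTROL_SIGNIFICANCE", "PC", "FINANCIAL"),
                 ("CONTROL_SIGNIFICANCE", "PC", None),
                 ("CONTROL_PURPOSE", "AC", None)]:
        print(args, "->", field_status(*args))
    print("customizing problems:", validate_config())
```

Running the script prints Required, Optional and Required for the three lookups: the FINANCIAL regulation entry wins for Control Significance in PC, the same field without a regulation falls back to the delivered Optional, and Control Purpose in AC shows the Required status set by component. Adding a GRFNREGFLD entry for a field that is not in GRFNFLDRGSP is reported by validate_config rather than silently ignored at lookup time.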

Lesson Summary

You should now be able to:
• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations

Lesson: Shared Master Data

Lesson Overview
This lesson presents how unified master data for organizations and controls is displayed in each GRC solution component, and implementation considerations related to shared master data.

Lesson Objectives
After completing this lesson, you will be able to:

• Discuss shared master data examples
• Discuss master data related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options

Business Example
SAP BusinessObjects GRC 10.0 is an integrated solution, with Risk Management, Process Control and Access Control contained in a single SAP component. These solutions work together to produce a more harmonized and complete picture of the GRC environment. Several configuration items and attributes are shared between two or more of the components. These shared items can now be set up once and consumed by any of the installed components as needed, rather than maintaining the same information in multiple places. This reduces the configuration and maintenance effort, removes the need to synchronize master data (whether manually or by system) between the components, and therefore reduces both the time involved and the possibility of the data being out of sync across the GRC solution.

Shared Master Data Examples

Figure 101: Master Data for Organizations Before GRC 10.0

Similar master data was created for each module, which could involve:

• Redundant maintenance
• Manual synchronization of data
• Increased risk of missing, inconsistent or incorrect master data

Figure 102: GRC 10.0: Unified Master Data for Organizations

GRC 10.0 allows creation of shared master data for organizations.

Figure 103: Master Data for Controls Before GRC 10.0

Control master data for the prior Access Control and Process Control products was created separately in each product.

Figure 104: GRC 10.0: Unified Master Data for Controls

In GRC 10.0, the control data can be shared and only those fields relevant for thespecific view are displayed. Continuous control monitoring and automated testingfunctionality in Process Control can be used for controls used to mitigate accessrisks in Access Control.

Master Data Related Implementation Considerations for Organizations

Figure 105: Implementation Considerations for Organizations

Examples of Different Views of the Same Master Data Entity for Different Users

Figure 106: Organization Hierarchy Views


The available views can be used by different components in different ways. A singleview can act as either the default view, or it can be the available view for none, one,or multiple components. Furthermore, each component can have one default viewand multiple available views. A view that is available to a component but is not thedefault view for the component is only used for hierarchical organization displayand reporting purposes.

Figure 107: Sample Organization Hierarchies

The above examples show the following:

1. The first hierarchy shows what a typical Compliance user might see
2. The second hierarchy shows what a Risk Management user might see
3. The third example shows what an Access Control user might see
4. The fourth example shows the Standard Hierarchy, which is defined as an available view for Access Control

Figure 108: Advanced Date Options

Advanced Date Options are available for Process Control and Risk Management andcan be personalized by user. Access Control sees hierarchies as of the current date.

Compliance users often work in arrears, hence the need for a Period with Year option. Risk managers more often work as of today's date, hence the need for the Date and Today options.
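The rules on organization views and date options in this section can be checked mechanically. The following added example (not SAP code and not part of this handbook) models the Maintain Organization Views configuration that Exercise 5 inspects, validates the one-default-view-per-component rule, lists the views a component may use for hierarchy display and reporting, and resolves the as-of date for each component under the advanced date options. The view names (modelled on the four sample hierarchies above), the shape of the configuration dictionary, and the treatment of a period as a calendar month are assumptions made for the example.

```python
"""Model of organization hierarchy views and advanced date options.

Added example, not SAP code. Encodes the rules stated in the lesson: each
component has exactly one default view and any number of available views;
a view may serve none, one or several components; PC and RM users may
personalize the as-of date while AC always uses the current date. View
names and the monthly period interpretation are constructed assumptions.
"""
from datetime import date, timedelta

COMPONENTS = ("AC", "PC", "RM")

# Constructed configuration in the shape of the IMG activity
# "Maintain Organization Views": view -> {component: "default" | "available"}.
ORG_VIEWS = {
    "COMPLIANCE": {"PC": "default"},
    "RISK": {"RM": "default"},
    "ACCESS": {"AC": "default"},
    "STANDARD": {"AC": "available", "PC": "available", "RM": "available"},
}


def validate_org_views(views=ORG_VIEWS):
    """Return a list of configuration problems (empty list = consistent)."""
    problems = []
    defaults = {c: [] for c in COMPONENTS}
    for view, usage in views.items():
        for comp, role in usage.items():
            if comp not in COMPONENTS:
                problems.append(f"{view}: unknown component {comp}")
            elif role == "default":
                defaults[comp].append(view)
            elif role != "available":
                problems.append(f"{view}/{comp}: role must be default or available")
    for comp, names in defaults.items():
        if len(names) != 1:
            problems.append(f"{comp}: expected exactly one default view, found {names}")
    return problems


def default_view(component, views=ORG_VIEWS):
    """The view a component uses to maintain and display its hierarchy."""
    for view, usage in views.items():
        if usage.get(component) == "default":
            return view
    raise LookupError(f"no default view configured for {component}")


def reporting_views(component, views=ORG_VIEWS):
    """Views the component may use for hierarchical display and reporting:
    its default view plus every view marked available for it."""
    return sorted(v for v, u in views.items() if component in u)


def as_of_date(component, option="Today", value=None, today=None):
    """Resolve the date at which a user sees the organization hierarchy.

    AC ignores personalization and uses the current date. For PC and RM:
      Today            -> current date
      Date             -> the explicit datetime.date passed in value
      Period with Year -> last day of (period, year); periods are treated as
                          calendar months here, an assumption of the example
    """
    today = today or date.today()
    if component == "AC" or option == "Today":
        return today
    if option == "Date":
        if not isinstance(value, date):
            raise ValueError("Date option needs a datetime.date value")
        return value
    if option == "Period with Year":
        period, year = value
        if not 1 <= period <= 12:
            raise ValueError("period must be 1..12 under the monthly assumption")
        first_of_next = date(year + (period == 12), period % 12 + 1, 1)
        return first_of_next - timedelta(days=1)
    raise ValueError(f"unknown date option {option}")
```

With the constructed configuration, validate_org_views returns an empty list; adding a second view marked default for PC is reported, which is the mistake most likely to cause a component to display the wrong hierarchy. as_of_date shows the practical consequence of the last paragraph: a compliance user asking for period 12 of 2010 is positioned at 31.12.2010, while an Access Control user passing the same personalization is still positioned at today.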


Exercise 5: View Shared Master Data Examples

Exercise Objectives
After completing this exercise, you will be able to:
• View shared components for organizations in the IMG
• Review the locally managed controls setting in the IMG
• View roles shared between business role management and access request management

Business Example
One key benefit of harmonization is that objects, such as roles and organizations, are created or loaded once and then used by more than one component of the GRC solution. Another benefit is that you can configure shared settings once and they will apply throughout the solution, for example, the ability to allow controls to be managed locally.

Task 1: View Shared Components for Organizations
In this task, you will access the IMG to view shared components for organizations.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

2. Enter SPRO, then choose the system OK icon or press Enter.

3. Click SAP Reference IMG

4. Expand Governance, Risk, and Compliance

5. Expand Shared Master Data Settings

6. Choose Maintain Organization Views

7. Select Maintain Organization Views Configurations, then click Choose.

8. View the Application Components listed for the Organization Views. Do not make any changes to this information.

9. Close this popup window when finished, using the system Cancel icon.

Task 2: Allow Locally Managed Controls
In this task, you will review where to maintain the ability to allow locally managed controls.

1. From Display IMG, choose Shared Master Data Settings.

2. Click the Execute icon next to Maintain Ability to Add Locally-Defined Controls.

3. Note that the Customizing Item ADD_LOCAL_DEFINED_CN is set to Active.

Task 3: View Shared Roles
View roles shared between business role management and access request management.

1. Choose the Access Management work center.

2. Scroll down to the Role Management work set, and then choose Role Search.

3. Enter Z_GRC_PR* in the Role Name field, then click Search.

4. From the search results, choose Z_GRC_PR_APM_VENDOR_MASTER to view role details.

5. On the Define Role tab, click More Details.

6. Choose the Owners/Approvers tab. On this tab you can see that this role is used for both access request management and business role management.

Solution 5: View Shared Master Data Examples

Task 1: View Shared Components for Organizations
In this task, you will access the IMG to view shared components for organizations.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

2. Enter SPRO, then choose the system OK icon or press Enter.

   a) You should be in the ABAP client and not NWBC.

3. Click SAP Reference IMG

   a) SAP Reference IMG is located at the top left of the screen, just under the transaction entry field.

4. Expand Governance, Risk, and Compliance

5. Expand Shared Master Data Settings

   a) This is a sub-node under Governance, Risk, and Compliance.

6. Choose Maintain Organization Views

7. Select Maintain Organization Views Configurations, then click Choose.

8. View the Application Components listed for the Organization Views. Do not make any changes to this information.

9. Close this popup window when finished, using the system Cancel icon.

Task 2: Allow Locally Managed Controls
In this task, you will review where to maintain the ability to allow locally managed controls.

1. From Display IMG, choose Shared Master Data Settings.

2. Click the Execute icon next to Maintain Ability to Add Locally-Defined Controls.

3. Note that the Customizing Item ADD_LOCAL_DEFINED_CN is set to Active.

Task 3: View Shared Roles
View roles shared between business role management and access request management.

1. Choose the Access Management work center.

   a) Launch NWBC to view work centers. Enter /nnwbc, then click the system OK icon or press Enter.

2. Scroll down to the Role Management work set, and then choose Role Search.

3. Enter Z_GRC_PR* in the Role Name field, then click Search.

4. From the search results, choose Z_GRC_PR_APM_VENDOR_MASTER to view role details.

5. On the Define Role tab, click More Details.

6. Choose the Owners/Approvers tab. On this tab you can see that this role is used for both access request management and business role management.

Lesson Summary

You should now be able to:
• Discuss shared master data examples
• Discuss master data related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options

Unit Summary
You should now be able to:
• Describe how common functions are shared across GRC solutions
• Explain which master data can be shared relative to common functions
• Describe key features of the User Interface Configuration Framework
• Specify whether or not a field has regulation-specific values
• Specify whether or not a field can be changed locally
• Set the field status for individual application components or for individual regulations
• Discuss shared master data examples
• Discuss master data related implementation considerations for organizations
• Describe various organization hierarchy views and advanced date options

Test Your Knowledge

1. Ad hoc issues are issues not associated with compliance evaluations, yet areassociated with a variety of business entities, such as organizations, risk,regulations, and controls..Determine whether this statement is true or false.□ True□ False

2. Policy Management is a common function available to those companieslicensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjectsRisk Management 10.0.Determine whether this statement is true or false.□ True□ False

3. Ad hoc issues management is a common function available to those companieslicensing:Choose the correct answer(s).□ A Access Control□ B Risk Management□ C Process Control□ D Access Control and Process Control□ E Process Control and Risk Management□ F Risk Management and Access Control

4. Thefunction

allows external content to be packaged and imported to therepository.

Fill in the blanks to complete the sentence.

5. Organization structures, process structures, and control structures can be sharedacross components in the GRC 10.0 solution.Determine whether this statement is true or false.□ True□ False

2011 © 2011 SAP AG. All rights reserved. 173

Test Your Knowledge GRC100

6. Where SoD violations are identified, one or more mitigating controls are put in place or linked to controls already existing in Process Control.
Determine whether this statement is true or false.
□ True
□ False

7. An automated control in the ________ solution monitors the status of access risks in the ________ solution to verify that access management is in place and operating effectively.
Fill in the blanks to complete the sentence.

8. The User Interface Configuration Framework enables using a single user interface launch point for maintaining shared master data across:
Choose the correct answer(s).
□ A Applications only
□ B Regulations only
□ C Applications and regulations
□ D None of the above

9. The User Interface Configuration framework enables using common and centralized master data, while supporting entity attributes that can be specific to regulations.
Determine whether this statement is true or false.
□ True
□ False

10. The User Interface Configuration Framework requires programming in order to configure which fields are relevant to each solution component (AC, PC, RM).
Determine whether this statement is true or false.
□ True
□ False

11. Only those fields that exist in the control table GRFNFLDRGSP can be regulation-specific fields.
Determine whether this statement is true or false.
□ True
□ False


12. Regulation-specific fields relate to Access Control only.
Determine whether this statement is true or false.
□ True
□ False

13. Local Changes Allowed fields relate to Process Control only because these are dependent upon the method of assigning subprocesses to organizations.
Determine whether this statement is true or false.
□ True
□ False

14. Setting field status for applications or regulations is maintained in ________.

Fill in the blanks to complete the sentence.

15. Shared master data involves:
Choose the correct answer(s).
□ A Manual synchronization of data
□ B Decreased risk of inconsistent master data
□ C Redundant maintenance
□ D Required sharing of organizations

16. Prior to GRC 10.0, master data for Access Control and Process Control were created once and shared by both solution components.
Determine whether this statement is true or false.
□ True
□ False

17. In GRC 10.0 control data can be shared by Access Control and Process Control, and only those fields relevant for the specific view are displayed.
Determine whether this statement is true or false.
□ True
□ False


18. Master data-related implementation considerations for organizations include:
Choose the correct answer(s).
□ A To what extent will companies share harmonized structures
□ B To what extent does the company work in separate silos
□ C Who is responsible for maintaining organization hierarchies
□ D How does a company plan to evolve in the future

19. Organization hierarchy views are initially set up in the IMG.
Determine whether this statement is true or false.
□ True
□ False

20. Each solution component can have one default view and multiple available views, which are used only for hierarchical organization display and reporting purposes.
Determine whether this statement is true or false.
□ True
□ False


Answers

1. Ad hoc issues are issues not associated with compliance evaluations, yet are associated with a variety of business entities, such as organizations, risk, regulations, and controls.

Answer: True

The statement is true.

2. Policy Management is a common function available to those companies licensing SAP BusinessObjects Process Control 10.0 or SAP BusinessObjects Risk Management 10.0.

Answer: True

The statement is true.

3. Ad hoc issues management is a common function available to those companies licensing:

Answer: B, C, E

B, C, and E are correct. Ad hoc issues management is a common function available to those companies licensing Process Control, Risk Management, or both.

4. The Content Lifecycle Management (CLM) function allows external content to be packaged and imported to the CLM repository.

Answer: Content Lifecycle Management (CLM), CLM

The Content Lifecycle Management (CLM) function allows external content to be packaged and imported to the CLM repository.

5. Organization structures, process structures, and control structures can be shared across components in the GRC 10.0 solution.

Answer: True

The statement is true.


6. Where SoD violations are identified, one or more mitigating controls are put in place or linked to controls already existing in Process Control.

Answer: True

The statement is true.

7. An automated control in the Process Control solution monitors the status of access risks in the Access Control solution to verify that access management is in place and operating effectively.

Answer: Process Control, Access Control

An automated control in the Process Control solution monitors the status of access risks in the Access Control solution to verify that access management is in place and operating effectively.

8. The User Interface Configuration Framework enables using a single user interface launch point for maintaining shared master data across:

Answer: C

C is correct: Applications and regulations

9. The User Interface Configuration framework enables using common and centralized master data, while supporting entity attributes that can be specific to regulations.

Answer: True

The statement is true.

10. The User Interface Configuration Framework requires programming in order to configure which fields are relevant to each solution component (AC, PC, RM).

Answer: False

The UCIF allows you to configure without programming which fields are relevant to each solution component.


11. Only those fields that exist in the control table GRFNFLDRGSP can be regulation-specific fields.

Answer: True

The statement is true.

12. Regulation-specific fields relate to Access Control only.

Answer: False

Regulation-specific fields relate to Process Control only.

13. Local Changes Allowed fields relate to Process Control only because these are dependent upon the method of assigning subprocesses to organizations.

Answer: True

The statement is true.

14. Setting field status for applications or regulations is maintained in the IMG.

Answer: the IMG

Setting field status for applications or regulations is maintained in the IMG.

15. Shared master data involves:

Answer: B

Shared master data involves decreased risk of inconsistent master data. Sharing of organizations is optional, but not required.

16. Prior to GRC 10.0, master data for Access Control and Process Control were created once and shared by both solution components.

Answer: False

The statement is false. Prior to GRC 10.0, master data for Access Control and Process Control were created separately in each product.


17. In GRC 10.0 control data can be shared by Access Control and Process Control, and only those fields relevant for the specific view are displayed.

Answer: True

The statement is true.

18. Master data-related implementation considerations for organizations include:

Answer: A, B, C, D

All choices are correct.

19. Organization hierarchy views are initially set up in the IMG.

Answer: True

The statement is true.

20. Each solution component can have one default view and multiple available views, which are used only for hierarchical organization display and reporting purposes.

Answer: True

The statement is true.


Unit 5: Implementation and Configuration

Unit Overview
This unit presents IMG organization for GRC 10.0 and how to navigate the IMG by solution and common settings. Basic and common customizing tasks are highlighted, as well as configuring application-specific IMG nodes. Functional implementation is introduced, including project teams, prerequisite tasks, and an overview of the implementation process.

Unit Objectives
After completing this unit, you will be able to:

• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation
• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process

Unit Contents
Lesson: Streamlined Configuration ............................ 184
Exercise 6: Review the IMG Structure ..................... 189
Lesson: Functional Implementation ........................... 197
Exercise 7: Review System Configuration .................. 205


Lesson: Streamlined Configuration

Lesson Overview
This lesson describes the IMG (Implementation Guide) organization for GRC 10.0, including shared configuration and product-specific configuration.

Lesson Objectives
After completing this lesson, you will be able to:

• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation

Business Example
In prior releases, configuration of Process Control and Risk Management were separate IMG activities with some overlap. Prior Access Control releases did not provide configuration using the IMG. To streamline configuration, the GRC 10.0 solutions’ IMG identifies activities which are shared among multiple products.

IMG Organization for GRC 10.0

Figure 109: GRC Implementation Guide (IMG)


On the left is an example of collapsed activities in the IMG for Process Control and Risk Management 3.0. In this IMG structure, if you implemented both products, you would have to do some similar activities twice, that is, once for each product.

On the right side is an example of partially collapsed activities for GRC 10.0 solutions. Activities that relate to more than one product are configured in one place.

Because some functions are now shared with multiple applications in GRC, the new IMG structure provides a clear picture about common customizing activities and application-specific ones. For detailed usage and customizing steps, please refer to the IMG documentation and Installation Guide.

Figure 110: Customizing IMG Structure for GRC 10.0

Basic and Common Customizing Tasks
To access the IMG, first log into the ABAP client for GRC 10.0, then execute transaction SPRO. Click SAP Reference IMG to view the IMG nodes and customizing activities. From here, you can configure:

• General settings as needed for Access Control, Process Control, or Risk Management
• Shared master data settings
• Reporting
• Common component settings for those components in use


Figure 111: Basic and Common Customizing for Access Control, Process Control, and Risk Management

Prerequisites Before Beginning the Functional Implementation

1. Complete technical setup
2. Activate applicable BC sets based upon customer requirements
3. Obtain the authorization roles necessary for access to the IMG

Note: Only activate the timeframe-related BC sets if the customer is on a calendar year because January to December is delivered in the BC set.

Some IMG activities are only needed if you would like to change the delivered structure or behavior of the system. Look at the help icon to the left of each task for in-depth instructions in the IMG.

Configuring Product-Specific IMG Nodes
After basic and common customizing, configure the product-specific IMG nodes for licensed products to be implemented. If some products are licensed but not yet to be implemented, there is no need to configure them.


Figure 112: Product-Specific Customizing for Access Control, Process Control, and Risk Management

IMG Customizing Documentation
Documentation for IMG customizing is contained within the IMG itself. IMG customizing is performed by users assigned the following roles:

• SAP_GRAC_SETUP for AC
• SAP_GRC_SPC_CUSTOMIZING for PC
• SAP_GRC_RM_CUSTOMIZING for RM


Exercise 6: Review the IMG Structure

Exercise Objectives
After completing this exercise, you will be able to:
• Locate IMG nodes for general and report settings
• Locate IMG nodes for common component settings
• Locate IMG nodes for Access Control, Process Control, and Risk Management

Business Example
Before you begin configuration, it is important to familiarize yourself with the sections of the IMG that pertain to general and shared settings across the GRC solution, as well as component-specific sections that pertain to each application component.

Task 1: View General Settings
View general settings in the IMG.

1. Log on to the ABAP client (ZMC) as user XX_CUSTOM, where XX is your Participant ID.

2. Enter SPRO in the transaction field, then click the system OK icon or press Enter.

3. Click SAP Reference IMG.

4. Expand Governance, Risk, and Compliance.

5. Expand the General Settings node.

6. Explore the various settings and sub-nodes.

7. Click the Execute icon next to Maintain Entity Role Assignment.

8. What are the roles associated with the RISK Entity?

Task 2: View Report Settings
View common report settings in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Expand the Reporting node to explore the various settings and sub-nodes.

3. Click the Execute icon next to Maintain Report Configuration.


4. Click the Checked icon when you receive the cross-client message.

5. Review the report configuration settings in this area.

6. What are the two report types displayed on the first screen?

Task 3: View Common Component Settings
View settings common to all GRC solution components in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Expand the Common Component Settings node.

3. Expand the nodes in this section and explore the various settings.

4. Click the Execute icon next to Maintain Policy Types and Distribution Methods.

5. What are the Policy Type Descriptions listed here?

Task 4: View Access Control Settings
View Access Control-specific settings in the IMG.

1. Locate and expand the Access Control node to explore the various settings and sub-nodes.

2. Click the Execute icon next to Maintain Access Risk Levels.

3. What risk levels are listed here?

Task 5: View Process Control Settings
View Process Control-specific settings in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Locate and expand the Process Control node to explore the various settings and sub-nodes.

3. Expand the Reporting sub-node. Note that you viewed general Reporting settings earlier and that this Reporting section is specific to Process Control.

4. Click the Execute icon next to Activate BAdI for Weighting of a Report Line During Aggregation.

5. What is the Return Weight for every line?


Task 6: View Risk Management Settings
View Risk Management-specific settings in the IMG.

1. Click the Cancel icon to exit the BAdI Weighting window.

2. Click the system Back icon to return to the Display IMG screen.

3. Locate and expand the Risk Management node to explore the various settings and sub-nodes.

4. Expand the Incident Loss Database node.

5. Click the Execute icon next to Maintain Risk and Opportunity Priority IDs.

6. What are the priority descriptions listed here?


Solution 6: Review the IMG Structure
Task 1: View General Settings
View general settings in the IMG.

1. Log on to the ABAP client (ZMC) as user XX_CUSTOM, where XX is your Participant ID.

a) Your password is the one you chose when you first logged onto the system with this user ID.

2. Enter SPRO in the transaction field, then click the system OK icon or press Enter.

a) Perform this task in the ABAP client, not in the NWBC.

3. Click SAP Reference IMG.

4. Expand Governance, Risk, and Compliance.

5. Expand the General Settings node.

6. Explore the various settings and sub-nodes.

7. Click the Execute icon next to Maintain Entity Role Assignment.

8. What are the roles associated with the RISK Entity?

a) SAP_GRC_RM_API_RISK_OWNER and SAP_GRC_RM_API_RISK_EXPERT

Task 2: View Report Settings
View common report settings in the IMG.

1. Click the system Back icon to return to the Display IMG screen.


2. Expand the Reporting node to explore the various settings and sub-nodes.

3. Click the Execute icon next to Maintain Report Configuration.

4. Click the Checked icon when you receive the cross-client message.

5. Review the report configuration settings in this area.

6. What are the two report types displayed on the first screen?

a) End-User and System

Task 3: View Common Component Settings
View settings common to all GRC solution components in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Expand the Common Component Settings node.

3. Expand the nodes in this section and explore the various settings.

4. Click the Execute icon next to Maintain Policy Types and Distribution Methods.

5. What are the Policy Type Descriptions listed here?

a) Policy, Procedure, Work Instruction, Standard, SOP

Task 4: View Access Control Settings
View Access Control-specific settings in the IMG.

1. Locate and expand the Access Control node to explore the various settings and sub-nodes.


2. Click the Execute icon next to Maintain Access Risk Levels.

3. What risk levels are listed here?

a) Medium, High, Low, Critical

Task 5: View Process Control Settings
View Process Control-specific settings in the IMG.

1. Click the system Back icon to return to the Display IMG screen.

2. Locate and expand the Process Control node to explore the various settings and sub-nodes.

3. Expand the Reporting sub-node. Note that you viewed general Reporting settings earlier and that this Reporting section is specific to Process Control.

4. Click the Execute icon next to Activate BAdI for Weighting of a Report Line During Aggregation.

5. What is the Return Weight for every line?

a) The return weight = 1

Task 6: View Risk Management Settings
View Risk Management-specific settings in the IMG.

1. Click the Cancel icon to exit the BAdI Weighting window.

2. Click the system Back icon to return to the Display IMG screen.

3. Locate and expand the Risk Management node to explore the various settings and sub-nodes.


4. Expand the Incident Loss Database node.

5. Click the Execute icon next to Maintain Risk and Opportunity Priority IDs.

6. What are the priority descriptions listed here?

a) Least Important, Important, Very Important


Lesson Summary

You should now be able to:
• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation


Lesson: Functional Implementation

Lesson Overview
This lesson presents an overview of the functional implementation process, including potential project team members and their roles, prerequisite tasks, and implementation tasks performed during each phase of the project.

Lesson Objectives
After completing this lesson, you will be able to:

• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process

Business Example
A company is embarking on an SAP BusinessObjects GRC 10.0 implementation. During the Project Preparation and Blueprinting phase, the project manager will need to identify the necessary members of the project team, including those who may be the stakeholders, as well as understand the necessary prerequisites needed to be completed prior to engaging the functional team. During this time as well, the Project Manager will need to create a Project Timeline of tasks that will need to be completed depending upon the solution or solutions being implemented (or in some cases to be implemented in the future).

Project Teams
You will most likely work on a team to complete a functional implementation. Project teams vary, depending on which applications are in use.


Figure 113: GRC Project Teams

Solution or Application Consultants are experts in specific solution or application areas and focus on implementation. Tasks include analyzing business process requirements and then transferring those into the software, as well as performing configuration tasks. These consultants advise a customer about the generic functionality and the options for customizing in order to suit the specific customer requirements.

Technology Consultants perform tasks such as evaluating landscape choices, analyzing hardware and software requirements, and evaluating sizing requirements. These consultants install software, activate and set up required tools, and activate Business Configuration (BC) sets, in addition to other technical tasks. In general, they prepare the system to be ready for the functional implementation.

Security Consultants may perform similar tasks as a Solution or Application consultant, and have some overlapping areas with a Technology Consultant, for example, evaluating sizing requirements.

IT Administrators perform tasks such as setting up automated mail service, copying and modifying user roles, setting up users and assigning roles, performing functional and integration tests, and monitoring the go-live process. IT Administrators may also monitor ongoing system performance and provide support for workflow administration.

Project Managers in a software implementation are responsible for managing a project team and the successful "going live" of a solution within time and budget. Among other duties, they plan project phases, monitor the project progress, handle change requests, and lead communication with the client, as well as between the project and steering committee.

Business Users are a subset of users that typically reference non-transactional activities. They use the software to collect and analyze data that help them support making business decisions. These users are focused on creating new strategies and making decisions based on information from a variety of sources. Examples of business users include Internal and External Auditors, Risk Managers, and Compliance Managers.


Power Users are a subset of End Users who perform additional tasks beyond an End User's profile in a specific application area, for example, assigning user profiles. They often serve as first support and fulfill a training role for other end users.

Executives are responsible for business transformation and SAP selection and deployment. They have a very broad responsibility, but require expert assistance in specific areas, for example, they may be in charge of IT landscape strategy and the implementation of business requirements. They may also monitor the degree of user acceptance and system optimization after implementation.

A Works Council typically reviews generic user tasks against tasks that the Works Council represents. Popular in Europe, a Works Council has the task of promoting the interests both of the enterprise and of its workforce and serves to reduce workplace conflict by improving and systematizing communication channels. They give representatives of workers in large multinational companies a direct line of communication to top management and make sure that workers in different countries are all told the same thing at the same time about transnational policies and plans.

Prerequisite Tasks

Figure 114: Prerequisite Tasks


Prerequisites before beginning the functional implementation include:

1. Technical setup should be complete before you begin these steps. Technical setup is typically performed by the Technology Consultant and IT Administrator. Example tasks include specifying system architecture, such as identifying front end and reporting components, defining transport mechanisms and the integration framework, validating different steps during installation, including validating proper ABAP installation.

2. Activate applicable Business Configuration (BC) sets based upon customer requirements. While in the IMG, click on Existing BC Sets to see the BC sets appear in a column to the right of the tasks. Only activate the timeframe-related BC sets if the customer is on a calendar year, as January to December is delivered in the BC set.

3. You must have the necessary authorization roles that allow access to the IMG:

• SAP_GRAC_SETUP for Access Control configuration
• SAP_GRC_SPC_CUSTOMIZING for Process Control configuration
• SAP_GRC_RM_CUSTOMIZING for Risk Management configuration

Implementation Process

Figure 115: Implementation Process Overview

Once the implementation is complete, you will conduct daily, regular business. While doing this, you will enjoy the benefits of preventive governance, risk, and compliance management.


Figure 116: Design the Solution

Listed here are general tasks for the Design phase of implementation; they may differ depending on regions and business needs. For example, Security consultants typically ensure and discuss regional data security requirements and act as a NB Works Council liaison. When gathering parameters regarding processes, Security consultants may also define a responsibility matrix during this phase.


Figure 117: Install or Upgrade and Migrate

Note: During this implementation phase, it is important to ensure that the Pre-10.0 production system data is preserved for auditing purposes, including old log files.

Figure 118: Configure Access Control


Figure 119: Implement

Figure 120: Optimize and Enhance


Exercise 7: Review System Configuration

Exercise Objectives
After completing this exercise, you will be able to:
• Review configuration settings in the IMG
• Review existing BC sets in the IMG

Business Example
Before beginning the functional implementation, it is important to verify technical settings and activated BC sets.

Task 1: View General Configuration Settings and Activated BC Sets
View general configuration settings and the associated activated BC sets in the IMG.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

2. Enter SPRO in the Transaction Entry field and click the system OK icon or press Enter.

3. Click SAP Reference IMG.

Caution: Do not make configuration changes. Review current settings only.

4. Click Existing BC Sets at the top of the screen.

5. Expand nodes to view configuration that is maintained in each section, as well as the activated BC sets. Begin with expanding Governance, Risk, and Compliance → General Settings.

View Maintain Customer Specific Menus, Key Attributes, Authorizations, Workflow, Shared Master Data Settings, and Reporting.


Task 2: View Component-Specific Settings and Activated BC Sets
View component-specific configuration settings and associated activated BC sets in the IMG.

1. Expand the Access Control node, then note the configuration settings and activated BC sets for this section.

2. Expand the Process Control node, then note the configuration settings and activated BC sets for this section.

3. Expand the Risk Management node, then note the configuration settings and activated BC sets for this section.


Solution 7: Review System Configuration
Task 1: View General Configuration Settings and Activated BC Sets
View general configuration settings and the associated activated BC sets in the IMG.

1. Log on to the ABAP client (ZMC) as XX_CUSTOM, where XX is your Participant ID.

a) You changed your password upon initial system logon.

2. Enter SPRO in the Transaction Entry field and click the system OK icon or press Enter.

a) You are working in the ABAP Client and not in the NWBC.

3. Click SAP Reference IMG.

Caution: Do not make configuration changes. Review current settings only.

4. Click Existing BC Sets at the top of the screen.

a) Existing BC Sets is located just under Display IMG.

5. Expand nodes to view configuration that is maintained in each section, as well as the activated BC sets. Begin with expanding Governance, Risk, and Compliance → General Settings.

View Maintain Customer Specific Menus, Key Attributes, Authorizations, Workflow, Shared Master Data Settings, and Reporting.

Task 2: View Component-Specific Settings and Activated BC Sets
View component-specific configuration settings and associated activated BC sets in the IMG.

1. Expand the Access Control node, then note the configuration settings and activated BC sets for this section.


2. Expand the Process Control node, then note the configuration settings and activated BC sets for this section.

3. Expand the Risk Management node, then note the configuration settings and activated BC sets for this section.


Lesson Summary

You should now be able to:
• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process


Unit Summary
You should now be able to:
• Describe the IMG organization for GRC 10.0
• Identify basic and common customizing tasks for Access Control, Process Control, and Risk Management
• Access IMG customizing documentation
• Identify members of typical project teams
• Perform prerequisite tasks
• Describe key, high-level steps in the GRC 10.0 implementation process



Test Your Knowledge

1. To access the IMG, first log onto the ABAP client for GRC 10.0, then execute transaction SPRO.
Determine whether this statement is true or false.
□ True
□ False

2. From the IMG, you can configure:
Choose the correct answer(s).
□ A General settings for Access Control, Process Control, or Risk Management
□ B Shared master data settings
□ C Reporting
□ D Common component settings for those solution components in use

3. Before beginning the functional implementation, you must activate BC sets, based upon customer requirements.
Determine whether this statement is true or false.
□ True
□ False

4. Documentation for IMG Customizing is contained within the IMG itself.
Determine whether this statement is true or false.
□ True
□ False

5. IMG customizing is performed by users assigned the following roles:
Choose the correct answer(s).
□ A SAP_GRAC_SETUP
□ B SAP_GRC_SAC_CUSTOMIZING
□ C SAP_GRC_RM_CUSTOMIZING
□ D SAP_GRC_SPC_CUSTOMIZING
□ E SAP_GRPC_SETUP
□ F SAP_GRC_PC_CUSTOMIZING



6. Business Users, such as Internal and External Auditors, are a subset of users that typically:
Choose the correct answer(s).
□ A Reference non-transactional activities
□ B Use the software to collect and analyze data to support business decisions
□ C Serve as first support for end users
□ D Fulfill a training role for other end users

7. Which of the following are not part of the project team?
Choose the correct answer(s).
□ A Executives
□ B Works Council
□ C All end users
□ D Power users

8. Technical setup should be complete before beginning the functional implementation.
Determine whether this statement is true or false.
□ True
□ False

9. A POC, prototype, or integration plan is typically developed during which phase?
Choose the correct answer(s).
□ A Implement
□ B Configure
□ C Optimize/Enhance
□ D Design

10. During the Install/Upgrade & Migrate phase, you do not have to preserve pre-10.0 production system data or old log files.
Determine whether this statement is true or false.
□ True
□ False



Answers

1. To access the IMG, first log onto the ABAP client for GRC 10.0, then execute transaction SPRO.

Answer: True

The statement is true.

2. From the IMG, you can configure:

Answer: A, B, C, D

All choices are correct.

3. Before beginning the functional implementation, you must activate BC sets, based upon customer requirements.

Answer: True

The statement is true.

4. Documentation for IMG Customizing is contained within the IMG itself.

Answer: True

The statement is true.

5. IMG customizing is performed by users assigned the following roles:

Answer: A, C, D

The correct answers are A, C, and D: SAP_GRAC_SETUP for Access Control, SAP_GRC_RM_CUSTOMIZING for Risk Management, and SAP_GRC_SPC_CUSTOMIZING for Process Control.

6. Business Users, such as Internal and External Auditors, are a subset of users that typically:

Answer: A, B

A and B are correct: Business Users reference non-transactional activities and use the software to collect and analyze data to support business decisions.



7. Which of the following are not part of the project team?

Answer: C

All end users are not included in the project team.

8. Technical setup should be complete before beginning the functional implementation.

Answer: True

The statement is true.

9. A POC, prototype, or integration plan is typically developed during which phase?

Answer: D

The correct answer is the Design phase.

10. During the Install/Upgrade & Migrate phase, you do not have to preserve pre-10.0 production system data or old log files.

Answer: False

The statement is false; during this phase, it is important to ensure that the pre-10.0 production system data, including old log files, is preserved for auditing purposes.


Unit 6: Reporting

Unit Overview
This unit presents an overview of the harmonized reporting framework, as well as navigating and customizing reports, and Crystal report integration.

Unit Objectives
After completing this unit, you will be able to:
• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts

Unit Contents
Lesson: Harmonized Reporting Framework ... 218
Exercise 8: Run Reports and View Dashboards ... 227


Lesson: Harmonized Reporting Framework

Lesson Overview
This lesson presents an overview of the reporting framework in GRC 10.0 and how to configure reports without programming.

Lesson Objectives
After completing this lesson, you will be able to:
• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts

Business Example
A company wants to provide the reporting tools needed to supply the information required from a governance, risk, and compliance perspective. SAP BusinessObjects GRC 10.0 offers the flexibility to deliver reports in different formats (on screen, Excel, Crystal Reports, dashboards) and with specific attributes. The flexibility of the Reporting Framework makes it easy to create report variants that can be saved and reused at a later date or in continuing operations.


Harmonized Reporting Framework Overview

Figure 121: GRC 10.0 Harmonized Reporting Framework Key Capabilities

IMG Report Configuration

Figure 122: IMG Report Configuration


Access Control uses the reporting infrastructure to define reports and their attributes, but does not use the Reporting Datamart.

To configure report settings in the IMG, execute transaction SPRO → SAP Reference IMG → Governance, Risk, and Compliance → Reporting. Additional report settings for Process Control can be found at SPRO → SAP Reference IMG → Governance, Risk, and Compliance → Process Control → Reporting.

Report Navigation

Figure 123: Report Navigation - Work Center Example

Each work center contains the reports relevant to its business function. For example, the Master Data work center shown above lists reports directly related to master data structures from the point of view of a Process Control user. If you were to go to the Assessments work center, you would instead see reports relevant to assessments and other evaluations. The reports actually available in each work center vary based upon the user's authorizations, so two users opening the same work center may see different report lists.


Figure 124: Report Navigation: Reports and Analytics Work Center

The delivered Reports and Analytics work center is set up with an area for frequently used management, compliance, and access management reports. However, this can also be adapted by the customer: if desired, the reports shown here can be configured to include reports that also appear in the other work centers.

Reporting Framework for Customizing Reports
To configure a new report without programming, you do not need to create the report from scratch. First copy an existing report, then make changes to the copy.


Figure 125: Create a New Report: Maintain View Cluster VC_GRFNREPCUST

The view cluster maintenance transaction may be added to the IMG to make it easier to configure reports. As shown above, this is done by maintaining the view cluster VC_GRFNREPCUST.

Figure 126: Create a New Report: Copy Source Report


Figure 127: Create a New Report: Maintain Columns and Filters

Maintaining Columns allows you to determine the order of the columns in the report. Other options may be available depending upon the product to which the report relates. For example, for a Process Control report, you may be able to define the behavior of columns related to regulations.

Maintaining Filters allows you to determine the selection screen filters and their related behavior.

Figure 128: Setting Default Columns - Process Control and Risk Management Only


Default columns for a report can be defined in VC_GRFNREPCOLUMNSC. This is similar to the procedure shown on the prior screens. However, the output determines what is shown on the personalization screens for Process Control and Risk Management, as shown above. The initial population of the selected fields is taken from the default columns in VC_GRFNREPCOLUMNSC, and you can then further personalize the columns by moving fields between the Selected and Available lists.

Crystal Integration
GRC 10.0 reports are delivered with three layout options, which provide significant flexibility without programming.

Figure 129: Layout Options for Delivered Reports

Figure 130: Crystal Integration Comparison of Options


There is no single dominant or best-practice reporting option here. Choose which report option(s) you will support based on business requirements. As shown above, the ALV grid and the output of the ALV grid to the generic Crystal template are the same, except for the ability to collapse and expand hierarchies.

Figure 131: Examples of Report Display Options

The above figure shows a hierarchical report displayed using the three options. Each option takes the same data and presents it with the benefits and constraints of its technology and format.


Exercise 8: Run Reports and View Dashboards

Exercise Objectives
After completing this exercise, you will be able to:
• View Risk Management dashboards
• View Compliance dashboards for Process Control
• View Access Management dashboards for Access Control
• Save a report variant

Business Example
You want to review information about your company's risks, compliance status, and access risks. With the Harmonized Reporting Framework, you can view reports and dashboards for all of these areas from one work center, Reports and Analytics.

Task 1: View Risk Management Dashboards
View Management dashboards for Risk Management.

1. Launch the NetWeaver Business Client or log into the SAP GUI.

2. Choose the Reports and Analytics work center.

3. Under the Management work set, you will find dashboards for Risk Management. Choose Heatmap.

4. Choose a currency, then click OK.

5. Explore the Risk Heatmap. Do you recall the configuration settings you viewed in the IMG for this display, for example, the colors associated with risk levels? Those display settings are applied here.

6. Close the Heatmap when finished.

Task 2: View Compliance Dashboards for Process Control
View Compliance dashboards for Process Control from the Reports and Analytics work center.

1. Choose the Overall Compliance Status dashboard under the Compliance work set.


2. Enter Year for the Period and 2010 for the Year, then click Refresh.

3. View the Compliance Metrics displayed. Click the links to view details, beginning with % of Ineffective Controls.

4. Choose different display and sort settings. Switch between the Number and Percentage views.

Task 3: View Access Management Dashboards
View Access Management dashboards for Access Control in the Reports and Analytics work center.

1. Under the Access Management work set, choose User Risk Violation.

2. Use the drop-down arrows to view the analysis criteria options available.

3. Enter the following information on the Risk Analysis: User Level screen:

   Field             Data Value
   System            ZMGCLNT800
   User              GRCRA2
   User Group        (Leave blank)
   Custom Group      (Leave blank)
   Risk Level        High
   Rule Set          Global
   User Type         Dialog
   Remaining fields  Accept default values

4. Save this variant as XX_Variant, where XX is your Participant ID.

5. Click Save.

6. Choose the Saved Variants drop-down arrow. Your newly saved variant should be listed here.

7. Click Run in Foreground, then view analysis results.
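The user-level risk analysis run in Task 3 takes a rule set, checks which users hold every function that a risk declares as conflicting, and restricts the result to the selection-screen criteria (here rule set Global, risk level High, user type Dialog, one user). The Python model below is an added illustration for this handbook; it is not SAP code and not the algorithm Access Control actually executes. The rule IDs, the function-to-action mapping, the three users and their actions are all constructed for the example, and the reading of the Risk Level filter as "this level and above" is an assumption of the model.

```python
"""Toy model of a user-level SoD risk analysis (added illustration, not SAP code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

# Risk levels in ascending order of severity (assumption for this model).
RISK_LEVELS = ["Low", "Medium", "High", "Critical"]

# Constructed rule set: a risk fires when one user holds every function in it.
# Risk IDs and descriptions are invented; this is not SAP's delivered Global rule set.
RULE_SETS: Dict[str, Dict[str, dict]] = {
    "Global": {
        "P001": {"level": "High", "functions": {"PR01", "AP01"},
                 "description": "Maintain vendor master data and run payments"},
        "P002": {"level": "Medium", "functions": {"PR01", "PR02"},
                 "description": "Maintain vendor master data and create purchase orders"},
    }
}

# Constructed function-to-action mapping (actions modelled as transaction codes).
FUNCTIONS: Dict[str, Set[str]] = {
    "PR01": {"XK01", "XK02"},   # maintain vendor master
    "AP01": {"F110"},           # automatic payment run
    "PR02": {"ME21N"},          # create purchase order
    "HR01": {"PA30"},           # maintain HR master data
}

# Constructed users with the actions their roles grant.
USERS: List[dict] = [
    {"user": "GRCRA2",  "type": "Dialog", "actions": {"XK01", "F110", "ME21N"}},
    {"user": "BATCH01", "type": "System", "actions": {"XK02", "F110"}},
    {"user": "ANALYST", "type": "Dialog", "actions": {"ME21N", "PA30"}},
]


@dataclass(frozen=True)
class Variant:
    """Selection-screen values that can be saved and rerun later."""
    name: str
    rule_set: str = "Global"
    risk_level: Optional[str] = None   # None = all levels
    user_type: Optional[str] = None    # None = all user types
    user: Optional[str] = None         # None = all users


@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    level: str
    actions: FrozenSet[str]   # the user's actions that realise the conflicting functions


SAVED_VARIANTS: Dict[str, Variant] = {}


def save_variant(variant: Variant) -> None:
    """Store a variant under its name so it can be rerun without re-entering criteria."""
    SAVED_VARIANTS[variant.name] = variant


def functions_held(actions: Set[str], functions: Dict[str, Set[str]]) -> Set[str]:
    """A user holds a function if they can execute at least one of its actions."""
    return {f for f, acts in functions.items() if acts & actions}


def analyze(variant: Variant, users: List[dict] = USERS,
            rule_sets: Dict[str, Dict[str, dict]] = RULE_SETS,
            functions: Dict[str, Set[str]] = FUNCTIONS) -> List[Violation]:
    """Return the risks each selected user violates, at or above the selected risk level."""
    rules = rule_sets[variant.rule_set]
    min_rank = RISK_LEVELS.index(variant.risk_level) if variant.risk_level else 0
    violations: List[Violation] = []
    for u in users:
        if variant.user and u["user"] != variant.user:
            continue
        if variant.user_type and u["type"] != variant.user_type:
            continue
        held = functions_held(u["actions"], functions)
        for risk_id, rule in rules.items():
            if RISK_LEVELS.index(rule["level"]) < min_rank:
                continue
            if rule["functions"] <= held:   # every conflicting function is held
                matched = frozenset(a for f in rule["functions"]
                                    for a in functions[f] & u["actions"])
                violations.append(Violation(u["user"], risk_id, rule["level"], matched))
    return violations


if __name__ == "__main__":
    # Same selection as the exercise: user GRCRA2, risk level High, rule set Global, user type Dialog.
    save_variant(Variant("XX_Variant", risk_level="High", user_type="Dialog", user="GRCRA2"))
    for v in analyze(SAVED_VARIANTS["XX_Variant"]):
        print(f"{v.user}: {v.risk_id} ({v.level}) via {sorted(v.actions)}")
```

Running the saved variant reports only GRCRA2 against P001, because the Medium-level P002 is below the High filter and BATCH01 (a System user) is excluded by the Dialog filter even though it holds the same conflicting functions. Widening the variant to all levels and user types surfaces those hidden hits, which is why the filter values saved with a variant matter as much as the rule set it runs against.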


Solution 8: Run Reports and View Dashboards
Task 1: View Risk Management Dashboards
View Management dashboards for Risk Management.

1. Launch the NetWeaver Business Client or log into the SAP GUI.

a) From the ABAP client, enter /nnwbc, then choose /nwbc in the NWBC launchpad window.

2. Choose the Reports and Analytics work center.


3. Under the Management work set, you will find dashboards for Risk Management. Choose Heatmap.

a) Choose Reports and Analytics → Management → Heatmap

4. Choose a currency, then click OK.


5. Explore the Risk Heatmap. Do you recall the configuration settings you viewed in the IMG for this display, for example, the colors associated with risk levels? Those display settings are applied here.


6. Close the Heatmap when finished.


Task 2: View Compliance Dashboards for Process Control
View Compliance dashboards for Process Control from the Reports and Analytics work center.

1. Choose the Overall Compliance Status dashboard under the Compliance work set.

a) Choose Reports and Analytics → Compliance work set → Overall Compliance Status


2. Enter Year for the Period and 2010 for the Year, then click Refresh.

a) Period: Year; Year: 2010

3. View the Compliance Metrics displayed. Click the links to view details, beginning with % of Ineffective Controls.


4. Choose different display and sort settings. Switch between the Number and Percentage views.


Task 3: View Access Management Dashboards
View Access Management dashboards for Access Control in the Reports and Analytics work center.

1. Under the Access Management work set, choose User Risk Violation.

a) Choose Reports and Analytics → Access Management → User Risk Violation

2. Use the drop-down arrows to view the analysis criteria options available.


3. Enter the following information on the Risk Analysis: User Level screen:

   Field             Data Value
   System            ZMGCLNT800
   User              GRCRA2
   User Group        (Leave blank)
   Custom Group      (Leave blank)
   Risk Level        High
   Rule Set          Global
   User Type         Dialog
   Remaining fields  Accept default values


4. Save this variant as XX_Variant, where XX is your Participant ID.


5. Click Save.


6. Choose the Saved Variants drop-down arrow. Your newly saved variant should be listed here.


7. Click Run in Foreground, then view analysis results.


Lesson Summary

You should now be able to:
• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts


Unit Summary
You should now be able to:
• Describe key capabilities of the GRC 10.0 Harmonized Reporting Framework
• Navigate reports
• Create a report without programming
• Describe Crystal integration options and report layouts


Test Your Knowledge

1. Users can see all reports presented in the information architecture, regardless of their user authorization.
Determine whether this statement is true or false.
□ True
□ False

2. Which of the following reports might you find in the Master Data work center?
Choose the correct answer(s).
□ A Reports related to compliance structure
□ B Reports related to user authorization analysis
□ C Reports related to audit analysis
□ D Reports related to access rule detail

3. Which transaction is executed in order to maintain view cluster VC_GRFNREPCUST?

4. Reports can be displayed in Crystal while leveraging built-in ABAP List Viewer (ALV) functionality.
Determine whether this statement is true or false.
□ True
□ False


Answers

1. Users can see all reports presented in the information architecture, regardless of their user authorization.

Answer: False

Reports are presented in the information architecture based upon user authorization; a user who lacks the authorization for a report does not see it listed.

2. Which of the following reports might you find in the Master Data work center?

Answer: A, C

Reports related to compliance structure and audit analysis can be found in the Master Data work center. Reports related to user authorization analysis and access rules share a target user function and can be found in the Reports and Analytics work center under Access Management.

3. Which transaction is executed in order to maintain view cluster VC_GRFNREPCUST?

Answer: SM34

4. Reports can be displayed in Crystal while leveraging built-in ABAP List Viewer (ALV) functionality.

Answer: True

The statement is true.


Course Summary
You should now be able to:
• Introduce SAP BusinessObjects Governance, Risk, and Compliance (GRC) 10.0
• Identify key governance, risk, and compliance processes supported in the GRC 10.0 solution
• Describe key features and business benefits of the integrated solution
• Identify applications that integrate with the GRC 10.0 solution
• Describe the purpose and location of key user interface components
• Discuss harmonized navigation and how authorizations affect what users see
• Describe how common functions and relative master data are shared across GRC solutions
• Describe the IMG organization for GRC 10.0
• Describe a general implementation process and key steps
• Configure report presentation, structure, and content


Feedback
SAP AG has made every effort in the preparation of this course to ensure the accuracy and completeness of the materials. If you have any corrections or suggestions for improvement, please record them in the appropriate place in the course evaluation.
