Channel: Governance, Risk and Compliance (SAP GRC)

#askSAP Session: Cybersecurity Risk and Governance: Are You Prepared?


This post originally appeared on the Analytics blog and has been republished with permission.

http://blog-sap.com/analytics/2016/05/25/cybersecurity-risk-and-governance-are-you-prepared/

 

It's the stuff of corporate nightmares and can keep executives up at night: the threat of cyber breaches and attacks that can put a company's data and reputation at risk or even make business processes come to a sudden, screeching halt. And there are no simple or easy answers. The cybersecurity landscape is volatile. Companies know they need to protect against cyber breaches and manage the risk of information theft, data modification, and the resulting disruption of business processes. It's critical that they understand how to prevent cyber attacks and handle mounting threats.

 

One key question is, "Do they have the right infrastructure and methods in place to effectively mitigate this ever-shifting risk?"

 

With 85% of the world's business systems running on SAP technology, SAP has focused increasing efforts on this issue. The company is holding an upcoming #askSAP session on how to improve approaches to cybersecurity risk and governance in our current era of increasing digitization. During this community call, which is interactive, SAP will give an overview of how companies should rethink their security strategy as they embrace the digital economy - so they can protect business applications and improve risk and governance programs.

 

Leading the discussions of this board-level topic will be SAP executives Michael Golz (CIO, Americas at SAP) and Kevin McCollom (Group Vice President, SAP Solutions for Governance, Risk and Compliance). Moderated by access and cyber governance expert Erin Hughes (Greenlight Technologies), the session will cover:

  1) The state of cybersecurity threats and evolving security perspectives
  2) A preview of SAP's security strategy
  3) SAP's perspective on cyber risk and governance, and business application security
  4) An overview of solutions

 

Because it's a community call, attendees will have the opportunity to ask questions through live chat or Twitter using the #askSAP hashtag.

 

Don't miss this key opportunity to learn more about cybersecurity risk and governance!

 

Details:

#askSAP GRC Innovations Community Call: Cybersecurity Risk and Governance

Wednesday June 15, 2016 8AM PST / 11AM EST / 5 PM CET (90 minutes)

 

REGISTER NOW

 

https://event.on24.com/eventRegistration/EventLobbyServlet?target=reg20.jsp&partnerref=blog&eventid=1182841&sessionid=1&key=3770761FD0EDCBFF3A11368CBC0CF81D&regTag=&sourcepage=register


How to Perform a Disclosure Survey


I am creating this blog to provide the steps of the Disclosure Survey creation process.

 

 

 

Prerequisites:

 

Check the prerequisites to enable the functionality in the wiki page below:

 

Disclosure Survey Prerequisites - Governance, Risk and Compliance - SCN Wiki

 

 

Process:

 

Creating the Survey


  • Category must be Disclosure Survey



 

 

 

Planning Disclosure Survey

 

Within the planner screen, choose 'Perform X Disclosure Survey', where X is the object type (Organization, Subprocess or Control).


Three different Disclosure Survey plan activities are available:

 

  • Perform Control DS
  • Perform Organization DS
  • Perform Subprocess DS

 

In the plan details screen, there are two Survey options:

 

  • Survey
  • Object Survey

 

If the processor wants just one or the other, the fields can be left blank.



Review after choosing the plan combinations



 

Activate the plan

 

The Disclosure Survey may involve an object survey, a disclosure survey, or both.

 

In the example above, I scheduled the survey for both.

 

 

 

Work inbox:

 

 

The Business Event responsible for delivering the work item to the disclosure survey performer is:

 

  • 0PC_PERF_DISCSVY

 

 

In the work inbox, I clicked on the task and opened the Organization Evaluation:

 


 

Disclosure – Object

 

Once you select the row, the following menu appears:





Reminder: A single work item is triggered for each object owner




If the questions disappear when writing long comments, implement the following SAP note:


2307585 - Disclosure survey questions disappear when user enters very long comments

 

 

After filling out both, send the Survey for review.

 

 

Review Survey

 

Important info:

 

Is it possible to Remove the Review stage?

 

Currently, there is no option to switch off the review phase of the disclosure surveys.

 

 

Check history Button


 

You can also button:

 

It opens the Disclosure Survey Details Report

 

If the report presents an error, here are the notes released in 2016. Choose one according to your symptom:

 

2298408 - Object survey details are not showing up in Disclosure Survey Details Report

2224640 - Disclosure Survey Details does not filter children orgunits.

2300883 - Disclosure Survey Details report does no filter relevant timeframe plans

2263030 - Question Explain text is missing in Disclosure Survey Details Report

2277328 - Delete Disclosure Survey for any recipient causing report eror

2240413 - Disclosure Survey details reports not showing Survey Scores for survey question

 

 

Disclosure Survey status:

 

2278915 - Error in Disclosure Survey Status report "There is no data matching the entered

 

If the Survey was not triggered for some organizations, the following corrections can fix it:

 

2199671 - Issues in disclosure survey due to missing survey instances.

 

 

After pressing the Finish button, the workflow is completed.

 

 

Offline Disclosure Survey (object level)

 


 

The offline form shows a separate evaluation for each object.

 

When submitted, the form updates SAP Process Control the same way as the online mode.

 

 

If the processor is responsible for 10 controls, they will receive a single e-mail with an attached form containing an evaluation section for each of the ten controls.

 

Respond to Disclosure Survey (Offline)

 


Continuous Control Monitoring-GRCV10.0 Process Controls#Part1


Dear all,

 

This blog gives an overview of Continuous Control Monitoring (CCM) in GRC Process Control.

The blog is intentionally split into two parts for better understanding.

Continuous Control Monitoring functionality is used to monitor controls. CCM goes by different names, though the concept is the same:

 

  • Automated Rules Framework (ARF)
  • Automated Controls Framework (ACF)
  • Automated Monitoring Framework (AMF)
  • Continuous Control Monitoring (CCM)
  • Continuous Monitoring Framework (CMF)

 

CCM refers to the integration of compliance management software with SAP ERP systems for the purpose of setting up test and monitoring scenarios.

A data source defines which data is read from which system using the GRC Integration Framework and which type of analysis this data is subjected to.

GRC 10.0 provides 9 types of data sources.

GRC 10.1 provides 10 types of data sources (a HANA-based data source was added).

 

Steps to follow:

 

 

This blog is based on Sub scenario: SAP QUERY for data source

 

Refer to the link below for the sub scenario Configurable.

 

Business Rule Functionality - Governance, Risk and Compliance - SCN Wiki

 

Create data source from RULE SETUP work center

 

 

 

Click on Create

 

 

Select sub scenario as SAP Query in Object field

 

Select the Main connector from F4

 

 

Now select the Query from Query Lookup

 

 

 

 

Click on Connector tab, it will give you target connector.

 

Now SAVE the data source

 

Now open the created data source from catalog and change status to IN REVIEW and SAVE.

 

Now again open the data source from catalog and change status to ACTIVE and SAVE

 

 

Only ACTIVE data sources can be used in Business rules

 

Business rules are the selection criteria for the data to be analyzed and contain analysis rules and logic for applying and issuing the criteria. The analysis rules form the core of the CMF and they are used to determine whether as the result of a test, for example, an issue is to be generated with a specific status.

 

Business rules are created from RULE SETUP work center

 

 

 

Click on Create

 

Select the created data source from Search box

 

Click Continue

 

Depending on the requirement, you can select or deselect the filters in Step@2 Filter Criteria.

 

Deficiency Criteria

This works like a condition: if data matches the defined criteria, it is considered a defect.

 

Select Customer number from deficiency fields (Select/un select deficiency)

 

 

Step@4 Conditions and Calculations (#Not Used#)

 

It is related to BRF+ and is used in cases where field values are not retrieved from the defined data sources.

 

Step@5 Output format

Step@6 Technical Settings

 

Step@7 Ad-hoc Query

 

Select the data collection and click on Start to show the output as defined in deficiency criteria

 

Step@8 Attachments and Links

 

The Save button is enabled only once you reach Step@8.

  Click the save button

  Click on Change this business rule and change the status from IN REVIEW to ACTIVE.


Now assign the created business rule to control

       

Please refer to Part 2: Continuous Control Monitoring-GRCV10.0 Process Controls#Part2



Regards

Baithi

Continuous Control Monitoring-GRCV10.0 Process Controls#Part2


In continuation of Continuous Control Monitoring-GRCV10.0 Process Controls#Part1

 

 

Now assign the created business rule to control

 

Please note that business rules can be assigned to local controls only.

Click on Business rule assignment

Provide the valid-from date of the business rule in the Date field and click on APPLY

Now select the required controls (Make sure controls are already created) from F4

  Click on SEARCH

Click on Modify to enable ADD button to add the business rule

 

 

 

Select the business rule and click OK

Now select the business rule and select the frequencies from Maintain Frequencies

 

 

Click on SAVE to complete the business rule assignment to control.

 

Now schedule the job: Automated Monitoring

 

 

Click on Automated Monitoring

 

Click on create Job

 

 

 

Select the regulation

 

Two BC Sets along with sample data are delivered by SAP: one is used for regulation SOX and the other is used for FDA.

Now select the control

 

If you do not find the control details, check the points below:

  • The regulation you indicated in the previous Share Regulation step is applied as the default search criterion in this step.
  • Only auto or semi-auto controls are searchable; manual controls cannot be used in the scheduler.
  • For an Automated Monitoring job, only controls whose trigger value is Date are searchable; for an Incoming Event Handling job, only controls whose trigger value is Event are searchable.
  • Proper business rules must be assigned to the control under the specific regulation you indicated in the previous Share Regulation step, with a reasonable period, and the proper frequency and Monitoring/Compliance flag must also be maintained if applicable. Pay particular attention to the Business Rule Assignment valid period, which can be seen by clicking the Professional View button in the Business Rule Assignment component. The Test Period you indicated in the previous Header step must be completely covered by the corresponding Business Rule Assignment valid period; no gap is allowed.
  • For an Automated Monitoring job, except for the SoD Integration and Process Integration sub scenarios, you must have proper authorization for the connectors defined in the business rule.
  • For an Automated Monitoring job with the Configurable or Programmed sub scenario, if the control's corresponding organization has OLSP maintained, only the connectors maintained in this OLSP are searchable.
  • If the target connector is indicated in the previous Header step, only this target connector is searchable.

 

 

Click SAVE to complete the continuous monitoring scheduler.

 

The new job will be updated in Continuous Monitoring Scheduler catalog


 

Job Monitor

 

We can use Job Monitor to get an overview of the continuous monitoring jobs.

 

 

 

Hope this blog helps anyone who is looking for CCM.

 

Regards

Baithi

Just because users “can”, doesn't mean they “do” [Webcast with Greenlight]



Risk for organisations is growing. With more devices to protect, more people who require access to data, and more partners to integrate with, the paradigm of access control is larger than ever. The Verizon Data Breach Investigations Report (DBIR) highlighted 9 of the top attack patterns ranging from Insider & Privilege Misuse, Physical Theft & Loss, Web App attacks through to payment card skimmers. These are just a few of the top attack patterns, but nonetheless they highlight the importance of reducing risk.

For all of us familiar with SAP Governance, Risk, and Compliance (GRC), we’re well aware of SAP Access Control (AC). SAP Access Control is typically the first solution customers implement when they begin their GRC journey. AC is the solution our customers turn to when forced by internal and external auditors to perform Access Risk Analysis to get clean (i.e. identify and mitigate segregation of duties risks). SAP Access Control is also well known for its Emergency Access Management (i.e. firefighter) functionality. Rather than giving employees SAP_ALL (i.e. the “keys to the kingdom”), organizations can give users emergency access IDs so that the emergency access activities are tracked and can be properly audited. Other functionalities provided by Access Control include Access Request Management (i.e. providing users a central formalized process to request authorizations) and Business Role Management (i.e. putting roles in business terms).

 

While we know Access Risk Analysis and the mitigation of segregation of duties risk are critical activities for organizations, we also know that the mitigation of the access risks often requires manual activities that often take plenty of time. Most of us don’t work in organizations where we can have one person do one thing and another person do another. We may have headcount and process constraints and unfortunately most of our manual controls are manual. If I can create a vendor and pay a vendor, someone (i.e. perhaps my manager) may need to review a report to see whether I’ve actually done these activities. The ability to do an activity doesn’t mean that the activity actually occurs. What if a manager has been reviewing multiple reports showing him that while an access risk has been identified, nothing has actually occurred? How much time is that manager spending on the manual review(s)? Is a business process change required?

 

With the power of SAP Access Violation Management (AVM) by Greenlight, organizations now have the ability to analyze the underlying transactions associated with their access risk so that they can automatically mitigate as needed. SAP Access Control leverages a rule set to uncover and provide visibility into users and roles with the capability to perform high risk transactions. SAP Access Violation Management leverages Access Control and analytics rule sets to provide visibility into actual usage and violations executed against high risk transactions in conflict with policy.
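
The difference between "can" and "do" described above, as an added example that is not part of the original post and is not SAP or Greenlight code. The rule, the user authorizations and the usage log are all constructed sample data; the three status labels are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed rule: one access risk made of two conflicting functions, each a
# set of transaction codes. Illustrative only, not SAP's delivered rule set.
RISK_RULES = {
    "Create vendor + pay vendor": ({"XK01", "FK01"}, {"F-53"}),
}

# Constructed authorization extract: user -> transactions the user CAN run.
USER_ACCESS = {
    "ALICE": {"XK01", "F-53", "ME21N"},
    "BOB": {"FK01", "F-53"},
    "CAROL": {"F-53"},
    "DAVE": {"XK01", "F-53"},
}


@dataclass(frozen=True)
class Execution:
    """One constructed usage-log record: what a user actually DID."""
    user: str
    tcode: str
    vendor: str
    date: str


USAGE_LOG = [
    Execution("ALICE", "XK01", "V100", "2016-05-02"),
    Execution("ALICE", "F-53", "V100", "2016-05-03"),
    Execution("BOB", "FK01", "V200", "2016-05-04"),
    Execution("BOB", "F-53", "V300", "2016-05-09"),
    Execution("CAROL", "F-53", "V100", "2016-05-10"),
]


def potential_risks(access, rules):
    """Access-level view: users whose authorizations cover both functions."""
    hits = defaultdict(list)
    for risk, (func_a, func_b) in rules.items():
        for user, tcodes in access.items():
            if tcodes & func_a and tcodes & func_b:
                hits[risk].append(user)
    return {risk: sorted(users) for risk, users in hits.items()}


def classify_usage(log, rules, flagged):
    """Usage-level view for the users flagged by potential_risks().

    Returns {(risk, user): (status, vendors)} where status is
      "violation"           both functions executed on the same vendor
      "both functions used" both executed, but never on the same vendor
      "not exercised"       at most one side of the conflict was executed
    """
    result = {}
    for risk, (func_a, func_b) in rules.items():
        for user in flagged.get(risk, []):
            mine = [e for e in log if e.user == user]
            a_vendors = {e.vendor for e in mine if e.tcode in func_a}
            b_vendors = {e.vendor for e in mine if e.tcode in func_b}
            common = sorted(a_vendors & b_vendors)
            if common:
                status = "violation"
            elif a_vendors and b_vendors:
                status = "both functions used"
            else:
                status = "not exercised"
            result[(risk, user)] = (status, common)
    return result


if __name__ == "__main__":
    flagged = potential_risks(USER_ACCESS, RISK_RULES)
    for (risk, user), (status, vendors) in classify_usage(
            USAGE_LOG, RISK_RULES, flagged).items():
        print(f"{risk:28} {user:6} {status:20} {', '.join(vendors)}")
```

Three users carry the access risk, but only one of them created and paid the same vendor; that row is the one a reviewer has to look at.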

 

One more powerful function of Access Violation Management is the ability to connect to home grown applications, .net tools, and other cloud based solutions (e.g. Ariba), and even SAP Business Planning and Consolidation (BPC).  I’m sure there are applications in your landscape with data that you wish you could consume.  I’m sure you think SAP GRC solutions are only for SAP environments.  I’m here to tell you that, while this is a common misconception, it’s simply not the case.  SAP GRC solutions can be applied to more than SAP environments.

 

To learn more about how you can leverage your SAP Access Control investment with SAP Access Violation Management especially in the context of Ariba and BPC, please join us for a webinar on May 25.

 

Register now for Extending SAP Access Control with SAP Access Violation Management by Greenlight, 25th May 2016, 1PM – 1.45PM AEST.

GRC Mitigation Policy


Introduction

Request Mitigation Policy is basically a set of rules which can be used to control the GRC request approval behaviour when there are risk violations in the request based on “Risk Type”, “Risk Level” of the violations reported in the access request. Additional request parameters can also be included while customizing the Mitigation Policy Rules.


SAP delivers a predefined BRF+ Application and BRF+ rule mapping that decides the Risk Mitigation policy for GRC. You can either delete this mapping or change the BRF mapping as per your requirement to enforce the approver to mitigate the risk in a request.


Requirement

Customers usually have a requirement to mitigate only specific types of risks after running risk analysis at stage level. We have a requirement where our customer wants SoD risks (High, Medium and Low) to be mitigated, while Critical Action (High, Medium and Low) and Critical Permission risks (High, Medium and Low) are not required to be mitigated.


Solution

The MSMP Workflow Stage Task Setting Configuration Parameter is tied to a BRF+ Configuration


The configuration is available through the below mentioned path.
SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping and check the mapping for application "Request Mitigation Policy".


Under the Application Mapping, there is the Application ID: 'Request Mitigation Policy'. The BRF Function for this App ID is maintained by default. The BRF+ rule is created to identify which risk requires mitigation and which risk does not require. If there is no BRF+ Rule created for Mitigation Policy, then please remove the entry from IMG.


If the “Request Mitigation Policy” entry is deleted from Maintain AC Applications and BRFPlus Function Mapping then GRC will not allow approvers to approve the request until all risks are mitigated.


Hence we have customized Request Mitigation Policy rule according to our requirement. Following are the steps:

 

Configuration Setting 1

Stage Level setting “Approve Despite Risk” is set to “No”


Configuration Setting 2

Parameter 1072 - Mitigation of critical risk required before approving the request is set as “NO”. Even if it is set to "YES", the mitigation policy will override these settings based on the mitigation policy rules configured in BRF+.


Configuration Setting 3

SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping and check the mapping for application "Request Mitigation Policy".


Request Mitigation Policy is maintained and associated with MSMP Process ID “SAP_GRAC_ACCESS_REQUEST”


 

Open BRF+ in “Expert Mode” and if you are not in Expert mode use “Personalize” button to open in Expert Mode as shown below:


 

 

BRF+ Mitigation Policy application provided by SAP is “GRAC_BRFP_MIT_POLICY”.


 

Open the Function of the Mitigation Policy BRF+ application and create a top expression as “Decision Table”. This decision table is the place where you define your Mitigation Policy rules.


 

 

Verify your Decision Table entries, Save and Activate the Decision Table.

 

 

Save and activate Function and Application and once completed use Function Simulation to verify the results.


 

 

After this, we created a GRC request with SoD and Critical Action risk violations. The approver was prompted to mitigate only the SoD risks, and after mitigating the SoD risks the request can be approved without mitigating the Critical Action risk violations.


 

Request has SoD risk violations which are not mitigated as shown below:


 

Request has Critical Action risk violations which are unmitigated as shown below:

 

 

When approver tried to approve the request GRC stopped the approval with the error message as shown below:

 

 

Approver Mitigated the SoD risk violations in the request.


 

After mitigating the SoD risk violations approver is able to approve the request without mitigating Critical Action risk violations

 

 

Critical Action risk violations are not mitigated and approver can approve the request

 

Mitigation Policy can be customized as per your requirements by creating different rules in the Mitigation Policy BRF+ application.
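
The policy configured above, modelled as an added example; this is not the post's BRF+ content and not SAP code. The row layout, the sample risk IDs, first-match evaluation and the fail-closed default for uncovered rows are assumptions. It checks a decision table for gaps and contradictions, then replays the request tested in the post, with Approve Despite Risk set to No.

```python
from dataclasses import dataclass
from itertools import product

RISK_TYPES = ("SoD", "Critical Action", "Critical Permission")
RISK_LEVELS = ("High", "Medium", "Low")

# Hypothetical decision-table rows (risk type, risk level, mitigation required),
# encoding the requirement in the post: SoD yes, critical action/permission no.
POLICY_ROWS = [(rtype, lvl, rtype == "SoD")
               for rtype, lvl in product(RISK_TYPES, RISK_LEVELS)]


@dataclass
class Violation:
    risk_id: str            # constructed sample IDs, not real rule-set risk IDs
    risk_type: str
    risk_level: str
    mitigated: bool = False


def validate_policy(rows):
    """Return (uncovered, conflicting) type/level pairs of a decision table."""
    outcomes = {}
    for rtype, lvl, required in rows:
        outcomes.setdefault((rtype, lvl), set()).add(required)
    uncovered = [pair for pair in product(RISK_TYPES, RISK_LEVELS)
                 if pair not in outcomes]
    conflicting = sorted(pair for pair, seen in outcomes.items() if len(seen) > 1)
    return uncovered, conflicting


def mitigation_required(violation, rows):
    """rows=None models the deleted mapping entry: every risk needs mitigation."""
    if rows is None:
        return True
    for rtype, lvl, required in rows:        # assumption: first matching row wins
        if (rtype, lvl) == (violation.risk_type, violation.risk_level):
            return required
    return True   # assumption: a risk the table does not cover fails closed


def blocking_risks(violations, rows):
    """Risk IDs that still stop the approver from approving the request."""
    return [v.risk_id for v in violations
            if not v.mitigated and mitigation_required(v, rows)]


def sample_request():
    """Constructed request like the one tested in the post."""
    return [Violation("S001", "SoD", "High"),
            Violation("C001", "Critical Action", "Medium")]


if __name__ == "__main__":
    print("table check:", validate_policy(POLICY_ROWS))
    request = sample_request()
    print("before mitigation:", blocking_risks(request, POLICY_ROWS))
    request[0].mitigated = True              # approver mitigates the SoD risk
    print("after mitigation: ", blocking_risks(request, POLICY_ROWS))
    print("mapping deleted:  ", blocking_risks(request, None))
```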

 

References


2212543 - How to enforce mitigation of only a specific type of Risk ID

1614290 - Risk Analysis Mandatory for Access Request

 

Thanks for reading.

 

Looking forward to your valuable inputs in updating/improving the blog with all relevant details

 

Best Regards,

Madhu Babu Sai

Watch out... for these common scenarios!


SAP GRC Access Control is the top application on the market in its category and has great features. But like any other application, it brings its share of issues with every new support package upgrade or new release.

When planning an upgrade or applying a corrective note, it is always good to be aware of common issues you may encounter along the way. Watch out for these issues so you can be well prepared to identify and address them before short deadlines, upcoming go-live dates and production-down situations drive you crazy. You will be glad you did!

 

As I have been supporting GRC Access Control over the last 5 years, several issues seem to surface over and over. With this blog article, I will try to collect these case scenarios, as well as suggest some workarounds. If this sounds like the beginnings of a Wiki, you would be right. At present, there is not enough material for one, so I will use this blog for the time being. I do expect to post new case scenarios as soon as I am aware of them, so if you wish to bookmark it for future reference, please do so.

 

Read on for a list of common issues that surface for many customers after upgrading or applying corrective notes.

 

To help with your navigation, below is an index of the topics:

 

 

 

08-Aug-2016: Manager information not populating in GRACUSER from LDAP

 

If you are experiencing this issue, please make sure the following notes are applied to your system:

Note 2301753, Note 2325452 and Note 2297757.

 

_____________________________________________________________________________________________________________________

04-Aug-2016: EAM log sync does not show error if one of the connectors is down, no logs are collecting

 

Customers that upgraded 10.1 to SP12 should apply the correction delivered in SP13, which throws an error message when one of the plugin connectors is down and logs are not being collected for this connector. Otherwise you do not get any errors, the log collection is zero, and you will only find out when you realize logs are missing for this connector.

Note is 2301784.

 

_____________________________________________________________________________________________________________________


28-Jul-2016: "Error in RFC; 'Syntax error in program /GRCPI/SAPLGRIA_USR'" and table SRT_WHITE_LIST

 

After upgrading to Support Package 12 (GRC release 10.1 and NW 7.40), a dump is observed in ST22 when:

 

1) Running user sync:

Short Text: "Error in RFC; 'Syntax error in program /GRCPI/SAPLGRIA_USR'"

Error message: "SRT_WHITE_LIST is not defined in the ABAP Dictionary as a table, pro"

 

2) Creating a new access request. In addition to the ST22 errors above, the following error is also shown in the Web Dynpro message area of the screen:

"Error in RFC; '00024rabax during sap for connector <plugin_connector>'"


The syntax error occurs in program /GRCPI/SAPLGRIA_USR because there is a reference to table SRT_WHITE_LIST that does not exist in the system.

Please follow the solution proposed by KBA 2102825.

 

_____________________________________________________________________________________________________________________

 

26-Jul-2016: Search Request link dumps with "500 Internal server error" after upgrade

 

After customers upgraded to GRC 10.1 SP11, the Search Request link stopped working. This is because of an undeclared variable in Web Dynpro GRAC_UIBB_REQUEST_SEARCH: the variable FIORI_DONT_SHOW_IN_FILTERBAR of method process event. Note 2184361 fixes this issue.

_____________________________________________________________________________________________________________________

 

19-Jul-2016: ERM reports - some authorization changes to System drop down list

 

I have been seeing this issue quite often lately, and I want to write something about it.

 

For ERM reports, many customers report that after upgrading 10.0 release to SP22 or higher, the system drop down in the ERM reports is empty.

It seems the object GRAC_SYS with ACTVT 16 is no longer being checked, and GRAC_SYST with ACTVT 16 is the new object checked.

 

Customers that upgraded to the 10.1 release also experience the same issue. In the 10.1 release, this changed slightly and a new authorization object is needed: GRAC_SYSTM with field GRACSYSID and value <connector> is checked, along with GRAC_SYSTM with field GRACSYSACT with value E1.

 

***Object GRAC_SYSTM is only available for 10.1 release, and comes in role SAP_GRAC_REPORTS.

 

 

The 10.1 security guide also mentions this object:

https://websmp202.sap-ag.de/~sapidb/011000358700000596352013E/ACPCRM_Security_Guide_SP11.PDF

 

For technical consultants, debugging can be performed to validate the logic:

 

10.0:

class CL_GRAC_FEEDER_ERM_REPORTS

methods SEL_SCREEN_ACT_USAGE, GET_CONNECTORS

 

10.1:

class CL_GRAC_FEEDER_ERM_REPORTS

methods SEL_SCREEN_ACT_USAGE, GET_CONNECTORS, FILTER_CCI_CONNECTORLIST_DD

 

 

The SAP KBA 2195080 will be amended with this information, soon.

_____________________________________________________________________________________________________________________

 

19-Jul-2016: HR Trigger termination issues

 

I just created a new KBA with a compilation of MUST APPLY notes if you are having issues with HR trigger termination (dates, etc).

KBA is 2344832.

______________________________________________________________________________________________________________________

 

18-Jul-2016: Upgrading to NW75 - System->Status, Data Component has misleading GRC information

 

According to note 2156130, GRC 10.0 is compatible with NW75. However, customers that upgraded to NW75 having GRC 10.0 are experiencing issues such as the System->Status->Data Component (Installed software component version) showing misleading GRC versioning information such as showing GRCFND_A V1100 without support package level information, when the GRC 10.0 current installation was untouched (only NW was upgraded). The SPAM tcode is showing correctly the current release and SP level, it was not impacted by the NW upgrade.

 

As of today the NW75 is only compatible with GRC 10.1 release.

 

 

_______________________________________________________________________________________________________________________

 

 

18-Jul-2016: Upgrading to NW75 - Any link in Access Risk Analysis generates dump

 

 

Any of the links for risk analysis in NWBC (Access Management) is generating dump (ASSERT condition was violated) and the page shows 500 SAP Internal Server Error. A collection of notes must be applied: note 2331111 and KBA 2299562 (which has a list of notes to be applied).

 

This issue affects screens that include search elements, such as any link Access Request creation. The correction is over class CL_FPM_GUIBB_SEARCH_DATA_MGR, dump is "ASSERT io_config_context_root_node IS BOUND" and

 

As of today the NW75 is only compatible with GRC 10.1 release.

 

_______________________________________________________________________________________________________________________

 

18-Jul-2016: After upgrading GRC 10.1 to SP13, dump in Access Risk Analysis links

 

After upgrading GRC 10.1 release to SP 13, customers are getting following error when starting the Access Risk Analysis links: 500 Internal SAP Server Error. Also a dump is produced:

 

Dump error: Subnode COMPONENTCONTROLLER.1.SEARCH.SEARCH does not exist (termination: RABAX_STATE). It looks like the io_config_context_root_node parameter in the lo_config_api_creation call is supposed to be the COMPONENTCONTROLLER node, not the SEARCH node. Changes are in class CL_FPM_GUIBB_SEARCH_CONFIG.

 

A collection of notes must be applied: note 2331111 and KBA 2299562 (which has a list of notes to be applied).

 

________________________________________________________________________________________________________________________

 

18-Jul-2016: Repository sync job taking all available space for log files, all of a sudden

 

Repository sync started to fail for both incremental and full modes, no changes done recently. This is explained in note 1743367. When syncing users, every user expired/locked/deleted in the back-end connector will have its violations deleted from tables GRACUSERPRMVL / GRACUSERACTVL / GRACUSERCRPVL (based on parameters 1028 and 1029).

 

This mass deletion (in case mass users got deleted/expired/locked) may cause the dumps, although it has been running okay for most of the cases. If this is happening in your environment, make sure to execute the Z program attached to the mentioned note 1743367 in order to delete the violations for these users.

 

You may think: okay, every time my sync job fails, I will run this Z report. However, it was not meant to be used regularly as part of the synchronization jobs. The best advice is to follow the recommendation in note 1580877 (with special attention to section C.1). Also, if you decrease the value for the batch user size (1121), the application will commit more frequently.

 

________________________________________________________________________________________________________________________

 

18-Jul-2016: Batch risk analysis is suddenly running for 10+ hours

 

This issue has been very common lately. It happens that there was an issue with the last execution date not getting updated correctly for Role analysis if the batch risk analysis was scheduled for technical and business roles. The note 2138558 addresses this issue.

 

________________________________________________________________________________________________________________________

 

18-Jul-2016: Integrating GRC to LDAP with multiple domains

 

I have seen so many questions regarding this matter, that I compiled some Q&A and created this KBA 2344229.

 

________________________________________________________________________________________________________________________

 

18-Jul-2016: Portal sync errors - correction to provide detailed logs

 

We have now a note 2267646 which introduces some more detailed logs into the portal sync. The note corrections are not meant to resolve any specific issue, but we will be able to know more details of the errors coming from portal server, which will help in troubleshooting the issue.

 

This note is very useful, so apply it when you can. Even for portal syncs issues where there are no dumps or errors and simply the sync is not bringing any users, this note should help.

 

________________________________________________________________________________________________________________________

 

18-Jul-2016: "Error when trying to complete/forward work item 0000004567"

 

This error is tricky to troubleshoot, as it is generic and many possible root causes could be discussed here. To have more details on what happened to the workflow, I recommend to take a trace using tcode SWF_TRC, where you should be able to see more meaningful messages. There is a note with more information on how to start this trace: note 2344265.

 

________________________________________________________________________________________________________________________

Prepare for the new EU General Data Protection Regulation and co-innovate with SAP GRC


 

 

 

 

 

The final text of the General EU Data Protection Reform has been published. It brings a number of compliance obligations that improve the privacy rights of individuals, for instance the right to object and the right to data portability. It also requires data breaches to be notified within 72 hours. A comprehensive guide is available here. The reform requires organizations to perform Data Protection Impact Assessments (DPIAs) as part of their overall risk management practices:

 

 

“In order to enhance compliance with this Regulation in cases where the processing operations are likely to result in a high risk for the rights and freedoms of individuals, the controller should be responsible for the carrying out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of this risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data is in compliance with this Regulation. Where a data protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.”

 

As an example, consider evaluating data retention risks. Maintaining data for longer than necessary and failing to apply the data minimization principle can have serious consequences for individuals in the case of a data breach. Organizations can identify risks with the help of surveys, as discussed in this panel for instance. The graphic below shows a simplified overview of the necessary steps for conducting DPIAs:

 

 

dpiasteps.png

 

This is only one of the aspects of the new regulation. The new rules will become applicable on May 25, 2018. Fines for non-compliance are up to 4% of annual global turnover.

 

 

 

The GRC Product Management team and Product Security Research are running a Customer Engagement Initiative, which consists of a co-innovation project to help our customers adapt and improve their privacy management programs with SAP GRC. There is still room for participation. Candidates do not necessarily need to be GRC customers at present. Contact Anderson SANTANA DE OLIVEIRA for more information.


One more time about GRC flexibility


Dear colleagues,

I hope that some of you who read this blog can influence the process of improving GRC ARQ functionality by voting for the idea.

Let me describe my vain attempts to outflank the poor functionality of multiple-user requests. Maybe some of you can suggest an obvious way to resolve the described problem.

I started my investigation after getting a task to customize block/unlock processes. The processes should forward requests to a certain approver based on the user's region. So, if a request contains a user from Dagobah, the request will be forwarded to Yoda; if a request contains a user from Kashyyyk, it goes to Chewbacca. Simple logic that surely must be possible in GRC, and it is... but only for a single-user request. If we create a multiple request with users from both Dagobah and Kashyyyk, then the whole request will be approved or rejected by the first approver (I assume it would be Yoda, because he is a Jedi).

Firstly, I tried to customize a BRF rule for a stage with approvers. I created a rule that works perfectly in simulation mode, but it didn't work in a real workflow. SAP support found a bug in BRF (Note 2317257), but the summary for my incident was "it's not available to take a decision for a single user in multiple request". A possible solution, in my opinion, might be adding an approval level "users" to the MSMP stage properties, as we have for "system" and "role".

Secondly, I decided to divide users into different paths by their company. Again, a few days spent creating a rule were wasted, with a similar result. In simulation mode the rule works fine, but in real work mode I get the error message:

Rule SAP_GRAC_ACCESS_REQUEST/B/578E2CB300E8E3AFE1000000C0A80947: Returned result for not requested Line-Item ''

I assume that again it happens because a multiple or even single-user request contains line items (system and/or role) that cannot be forwarded to another stage, while my rule is based on user attributes, which are not line items. So the system can segregate line items only, but not other valuable entities of requests.

I hope that someone can advise me of a possible solution in the comments, or at least vote for the mentioned idea.

In the end, I decided to share my function for searching approvers. I hope that someone can use the logic, or a part of it, in their own system. Please find it below.


Special thanks to Christian Lechner who helped me with my issue during investigations.


Regards,

Artem

GRC 10 SP23


Be aware, it's just an example that needs to be customized according to your needs (for example, add request type in the logic).

If we test the function with the following REQ_ID we get the correct results: a request with one user (#39 and BRK company) goes to a single path, and a request with multiple users (#100) goes to different paths according to the company addresses.

Single-user request

Multiple-user request

Simulation for single:

Simulation for multiple:

Warning! SP23 for 10.0 (maybe SP12 for 10.1)


Hello colleagues,

I would like to share my experience of the SP23 update. If you are thinking about updating to this SP level, please think twice. Here are the reasons why.

I assume that SP23 for GRC 10.0 and SP12 for GRC 10.1 are equal, so my descriptions of the problems we faced in SP23 might exist in SP12.

The first issue we faced was spam messages for Mit.Control assignment. The same problem is here.

The interesting thing is that we don't have active MC assignment process and we didn't have such a problem before update.

No 1062 entry.

To stop spamming we activated profile parameter 1035 (set it to NO) as Alessandro recommended.

 

The next issue we experience is password notification for New Account request type.

Before SP update

After SP update

 

The last problem is discussed here.

Our problem is exactly the same and we created the message for SAP. The last advice (that didn't help) from support was to apply note 2288396.

 

I hope that we will not face other problems after the update, but I would recommend that you wait for at least SP24 (SP13 for GRC 10.1).


Regards,

Artem

It's easier to say 'I can't' rather than do it


Bad news everyone, HR PD-profiles will not work in a CUA landscape for GRC version 10.0 and later.

If you still use GRC 5.3 and PD-profiles are being assigned in your CUA-managed system, you might be wondering about this situation. I was wondering too when, after long negotiations, I got this news.

In short, the dialogue went like this:

- PD-profiles are not being assigned in HR system.

- Do you use CUA?

- Yes

- Take it out of CUA

- Why? Our landscape is based on CUA

- Dude, GRC doesn't support PD-profiles for systems in CUA

- The previous version supported this functionality! Show me the document with this statement!

- (oh, nerd !) here it is. Special for you http://service.sap.com/sap/support/notes/2348602

https://cdn.meme.am/instances/65711904.jpg

 

So, instead of developing this functionality, the support team has released a note saying that this will not work any more.

The best solution I ever got!

 

I don't know why this is impossible to make. The system could at least put the entry in the table directly, like it did in the previous version.

I've been really keen on GRC AC solutions since I started to work with them, but this way of 'problem solving' is inappropriate for SAP (imho).

The newer version shouldn't lose its functionality; on the contrary, it should have a wider spectrum of functionality.

 

I would appreciate hearing from someone with great competence in this area why useful and working functionality was kicked out in new versions.

 

Regards,

Artem

Risk Management Virtual Round Table - Risk, Responses and Integrations with Process Control


Take advantage of this opportunity to discuss the topic "Risk, Responses and Integrations with Process Control" with SAP Experts in a virtual round table. Bring your questions and doubts, and also feel free to share your experiences with other GRC users during the session.

This session will cover details about configuring Risk and Responses and also using PC along with RM.

 

Some important points:

Only S-users can participate in this session (please provide your S-user in the registration).

Session limited to 20 seats.

Concerning questions: they should not involve investigation of complex scenarios or deep analysis.

After the registration you will receive an invitation with SAP Connect link to join the session.

 

When: Thursday, August 25, 2016 from 5:00 PM to 6:00 PM (BRT)

 

Link for registration:

https://www.eventbrite.com.br/e/sap-risk-management-risk-responses-and-integrations-with-pc-tickets-27133049682

 

Please leave a comment below in case you have any question about this session or if you would like to suggest topics for other sessions.

GRC PC SD: Pre Delivered Configurable Rule List- Table and Field Information

Rule ID | Description | Table | View | Fields | Transaction / IMG path
SDBILL_04C3_01_A | Tracks changes to billing document configuration | TVFK, TVFKT | V_TVFK | KOPGR, NUMKI, NUMKE, INCPO, KUNN0, UEVOR, UMFNG, RFBFK, TRVOG, TXN08, VBTYP, ERNAM, PARGK, PARGP, KALSMC, FKARTS, TXTGR, KAPPL, KALSM, KSCHL, STAFO, KVSLV, KALVG, TXTGR_P, STATI, KALSMBP, BORVF, FKART_RL, RELEP, TXTLF, HITYP_PR, FKART_AB, GRBED_S, ORDNR_FI_S, XBLNR_FI_S, FKTYP, XNEGP, BLART, XFILKD, XVALGS, KALSMCA, KALSMCB, KALSMCC, KALSMCD | VOFA
SDBILL_04C3_02_A | Tracks the number of changes to billing document configuration | TVFK | N/A | FKART | VOFA
SDBILL_04C4_01_A | Tracks changes to Rebate-relevant settings in a billing document | TVFK | V_TVFK | BORVF, KUNN0 | VOFA
SDBILL_04C4_02_A | Tracks number of changes to Rebate-relevant settings in a billing document | TVFK | V_TVFK | BORVF, KUNN0 | VOFA
SDBILL_04C4_03_A | Monitor Rebate-relevant settings in a billing document | TVFK | V_TVFK | BORVF, KUNN0 | VOFA
SDCMM_01C1_01_A | Tracks the changes for simple credit design at sales order document type level | TVAK, TVAKT | V_TVAK_KRE | KLIMP, CMGRA | OVAK
SDCMM_01C1_02_A | Tracks the number of changes for simple credit design at sales order document type level | TVAK, TVAKT | V_TVAK_KRE | KLIMP, CMGRA | OVAK
SDCMM_01C1_03_A | Monitors simple credit design settings at sales order document type level | TVAK, TVAKT | V_TVAK_KRE | KLIMP, CMGRA | OVAK
SDCMM_01C2_01_A | Tracks the changes for simple credit design setting at delivery document type level | TVLK | V_TVAP_KRE | CMGRL, CMGRW | IMG -> Sales and Distribution -> Basic Functions -> Credit Management/Risk Management -> Credit Management -> Assign Sales Document and Delivery Document. On the coming screen select – Credit limit check for delivery types
SDCMM_01C2_02_A | Tracks the number of changes for simple credit design at delivery document type level | TVLK | V_TVAP_KRE | CMGRL, CMGRW | IMG -> Sales and Distribution -> Basic Functions -> Credit Management/Risk Management -> Credit Management -> Assign Sales Document and Delivery Document. On the coming screen select – Credit limit check for delivery types
SDCMM_01C2_03_A | Monitors simple credit design settings at delivery document type level | TVLK | V_TVAP_KRE | CMGRL, CMGRW | IMG -> Sales and Distribution -> Basic Functions -> Credit Management/Risk Management -> Credit Management -> Assign Sales Document and Delivery Document. On the coming screen select – Credit limit check for delivery types
SDCMM_01C3_01_A | Tracks the changes for simple credit design at Sales Item Category level | TVPT, VAPT, TVAP | V_TVAP_KRE | CMGRL, CMGRW | IMG -> Sales and Distribution -> Basic Functions -> Credit Management/Risk Management -> Credit Management/Risk Management Settings -> Determine Active Receivables Per Item Category
SDCMM_01C3_01_A | Monitors the settings for simple credit design at Sales Item Category level | TVPT, VAPT, TVAP | V_TVAP_KRE | CMGRL, CMGRW | IMG -> Sales and Distribution -> Basic Functions -> Credit Management/Risk Management -> Credit Management/Risk Management Settings -> Determine Active Receivables Per Item Category
SDCMM_05C1_01_A | Monitors seasonal factor settings in automated credit control design | T691F, T691D, T014, T014T, T691E, T691G | V_T691F | SEAAF, SEAAFPM | OVA8
SDCMM_05C1_02_A | Tracks changes in seasonal factor setting in automated credit control design | T691F, T691D, T014, T014T, T691E, T691G | V_T691F | SEAAF, SEAAFPM | OVA8
SDCMM_05C1_03_A | Tracks changes in validity of a seasonal factor in automated credit control design | T691F, T691D, T014, T014T, T691E, T691G | V_T691F | SEAAF, SEAAFPM | OVA8
SDCMM_05C2_01_A | Monitors % deviation factor in automated credit control design | T691F, T691D, T014, T014T, T691E, T691G | V_T691F | CRPRC, TAGEF | OVA8
SDCMM_05C3_01_A | Monitors settings of dynamic check fields for automatic credit control | T691F, T691D, T014, T014T, T691E, T691G | V_T691F | CMPAB, WSREA, WLSET | OVA8
SDCMM_05C4_01_A | Tracks at a high level the number of changes to automatic credit control settings | T691F | N/A | CRMGR | OVA8
SDCMM_11T1_01_A | Credit exposure per credit control area | T691F, RF02L | N/A | OBLIG | IMG -> Enterprise Structure -> Definition -> Financial Accounting -> Define Credit Control Area.

Back to School: Important options you need to know about Application in BRFPlus


Introduction to Application



An Application object serves as a container that holds all the BRFPlus objects that are built to solve a particular business task.


To create a new application, go to Appl_WB.png. The screen below will pop up:


Appl_Create.png


Properties of Application


While creating the Application, the following details need to be defined:


1. General Data and

2. Application


In General Data, NAME, SHORT TEXT and TEXT have to be defined.


general.png


The Field NAME is Language Dependent unlike the fields TEXT and SHORT TEXT.


Once the General Data is defined, application data needs to be defined.


Application.png


Storage types in Application


While creating an application, we need to define the storage type. There are three storage types. They are:


1. Master Data

2. Customizing and

3. System



Storage_type.png



A new object created in a BRFPlus Application inherits its storage type from the application in which it is created.


Storage types Customizing and Master Data are client dependent whereas System is Client Independent.


Storage type Customizing and System are transportable whereas Master Data is Local.



If the flag Create Local Application is selected, the application and its objects are restricted to local system usage only and their objects cannot be transported to other systems.


Create_Local.png


Development Package


The Development Package acts as a container that holds objects that logically belong together.


When the storage type Master Data is selected, the flag Create Local Application is greyed out and can't be selected, since Master Data is not transportable.


Master_Data.png

 

BRFplus offers a local application TMP. The purpose of TMP is to create objects for temporary use cases only.


Software Component


The software component describes a set of development objects that can only be delivered in a single unit. You should assign all the sub-packages of the main package to this software component.




Once the Application is created, we will get a screen like this. In this screen, the following Application Properties can be defined. They are:

1.       General and

2.       Details


gen_det.png



Application Properties - Detail


In Detail, the following tabs provide various properties for the Application.


Appl_Tab_Detail.png



Properties Tab - An Introduction


The properties tab contains the following fields.


Properties_Tab.png



Apart from Development package and Software component, Application component and Application exit class fields are also available.


Application Component is not BRF+ specific, but is useful for categorizing when building a package or raising an OSS message to SAP.


Application Exit Class will be used to implement additional functionality with methods of an ABAP Class.



Default Settings Tab - An Introduction


Default_Settings.png


Application Log Objects provide a way to use a standard logging facility for all of your custom ABAP programs. The facility consists of several transaction codes, tables, and function modules. By using this SAP functionality, it is possible to have a standard way to store error messages, which makes error handling much simpler and increases the maintainability of code.


Important transaction codes related to Application Log Objects are:

 

  • SLG0 - Create a new Log Object and Sub object
  • SLG1 - Display Application Log
  • SLG2 - Delete the Application Log

 

Application Log Sub-Objects help in further classifying the Application Log Object.


The flag Persist_Log.png controls whether the log data is permanently stored in the database or not. If not, log data is only kept in memory during run time and is lost after the session.



Default Enforcement defines how strictly the objects within the application have to follow the application-wide default setting concerning the application log.



Default_Enforcement.png


Versioning of Assigned Objects allows you to track the changes that have been done to a BRFplus object over time. It is based on the timestamp that the system assigns to objects when they are saved and activated.


The following options are available in Versioning Mode:


Versioning.png


You can define whether newly created objects are put under version control or not by default. This default setting is done on application level and affects all objects that are created in the scope of that application.



Default_Language.png


Default Language Settings allow you to define whether texts and documents depend on language, on version, on both language and version, or on neither.



Contained Objects Tab - An Introduction

Contained_Objects_Tab.png


Contained Objects will display the list of Objects that are available in the application.


The field Type is a drop-down that lists the following object types in that specific application.


Contained_Objects_Type.png



Miscellaneous Tab - An Introduction

Misc..png

In Miscellaneous, there is only one field Restart Rulesets Enabled with Flag Option.


This is used in case of Deferred Ruleset Processing.


We can define exit conditions for a ruleset to stop processing at a defined point in the process if a condition is fulfilled. In some cases, processing might stop partway through because data is not available. If the option Restart Rulesets Enabled is selected, the process then starts from the place where it stopped rather than from the beginning.



Hope this helps to give some clarity on the options in Application for BRFPlus. Additions and subtractions to this blog are most welcome.


Regards,

Deepak M

Escalation only on workdays in the MSMP workflow


I really like the concept of enhancements, as it gives the flexibility to change the behavior of the application from the standard to a custom requirement. There is a step by step WIKI about creating simple enhancements, which is helpful to get started: Enhancement Framework - Class Enhancements - Pre-exit, Post-exit and Overwrite-exit methods - Concept and Simple Scenari…

 

In SAP GRC Access Control 10.x releases, weekend days and public holidays are also counted per standard when the escalation time is set according to the MSMP stage level settings. However, it can be a requirement to restrict the escalation to working days only, and this can easily be achieved by creating an enhancement. To determine the workdays, the best approach is to use the factory calendar in the SAP system; see Creating Factory/Holiday Calendar. First decide whether to use an existing factory calendar or to create a new one in transaction SCAL.

scal.png

To enable escalation only on workdays, the class CL_GRFN_MSMP_WF_TEMPLATE_BASE has to be enhanced by applying an overwrite-exit method to the method GET_ESCALATION_SETTINGS. This method calls the function module END_TIME_DETERMINE, which has the optional parameter FACTORY_CALENDAR. Copy the standard code into the overwrite-exit method and add the Factory Calendar ID chosen in transaction SCAL. The escalation date and time are now calculated considering working days only, as maintained in the factory calendar.

enhancement.png

METHOD iow_z_workday_escalation~get_escalation_settings.
*"------------------------------------------------------------------------*
*" Declaration of Overwrite-method, do not insert any comments here please!
*"
*"methods GET_ESCALATION_SETTINGS
*"  importing
*"    !IS_MSMP_EXEC_CONTEXT type GRFN_MW_S_EXECUTION_CONTEXT
*"    !IS_STAGE type GRFNMWCNSTGV
*"  returning
*"    value(ES_ESCALATION_SETTINGS) type GRFNMW_S_TEMPLATE_ESCALATION
*"  raising
*"    CX_GRFN_MSMP_CONFIGURATION_ERR
*"    CX_GRFN_MSMP_NO_APPROVER
*"    CX_GRFN_MSMP .
*"------------------------------------------------------------------------*
  DATA: ls_escalation_settings TYPE grfnmw_s_template_escalation,
        l_escalation_user      TYPE grfn_mw_wf_appr_usr.

  DATA ls_global_settings TYPE grfnmwcnglbset.

  DATA: end_date   LIKE sy-datum,
        end_time   LIKE sy-uzeit,
        start_date LIKE sy-datum,
        start_time LIKE sy-uzeit.

  DATA: lv_timestamp TYPE timestampl.

  ls_global_settings = cl_grfn_msmp_configuration=>get_global_settings( is_msmp_exec_context-process_id ).

* only calculate a deadline when the stage has an escalation type
  IF is_stage-escalation_type <> grfnw_msmp_c_escalation_type-no_escalation.

    IF ( ls_global_settings-escalation_enble EQ abap_true ).
      ls_escalation_settings-requested_esclation_date = ls_global_settings-escalation_date.
    ENDIF.

    ls_escalation_settings-escalation_type = is_stage-escalation_type.

    GET TIME STAMP FIELD lv_timestamp.

* convert to date and time
    CONVERT TIME STAMP lv_timestamp TIME ZONE sy-zonlo INTO DATE start_date TIME start_time.

* calculate time
    CALL FUNCTION 'END_TIME_DETERMINE'
      EXPORTING
        duration                   = is_stage-escalation_time
        unit                       = grfnw_msmp_c_duration_units-minutes
        factory_calendar           = 'EU' "Factory Calendar ID from SCAL transaction
      IMPORTING
        end_date                   = end_date
        end_time                   = end_time
      CHANGING
        start_date                 = start_date
        start_time                 = start_time
      EXCEPTIONS
        factory_calendar_not_found = 1
        date_out_of_calendar_range = 2
        date_not_valid             = 3
        unit_conversion_error      = 4
        si_unit_missing            = 5
        parameters_no_valid        = 6
        error_message              = 7
        OTHERS                     = 7.

* any calendar or conversion error is reported as a configuration error
    IF sy-subrc = 0.
      ls_escalation_settings-latest_end_date = end_date.
      ls_escalation_settings-latest_end_time = end_time.
    ELSE.
      RAISE EXCEPTION TYPE cx_grfn_msmp_configuration_err.
    ENDIF.

  ENDIF.

  es_escalation_settings = ls_escalation_settings.
ENDMETHOD.

In MSMP stage level settings I have maintained 2 days / 48 hours as escalation time to test the enhancement.

msmp.png

The request was submitted on Friday. Per standard it would escalate on Sunday. With the described enhancement active, the request escalated and moved to the next stage on Tuesday, as recorded in the audit log.

audit_log.png

I think anyone who sets escalation in the workflow customizing will also like this enhancement.

 

Best Regards,

Zoltan Galik
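
The Friday-to-Tuesday result described in the post above can be reproduced with a small calendar model, which also shows what a public holiday does to the deadline. This is an added Python example, not SAP code or the author's code; it assumes Monday to Friday working days, that each working day contributes a full 24 hours (consistent with the test result in the post), and a constructed holiday and request times.

```python
from datetime import date, datetime, time, timedelta

WORKING_WEEKDAYS = {0, 1, 2, 3, 4}       # assumption: Monday (0) to Friday (4)
SAMPLE_HOLIDAYS = {date(2016, 8, 15)}    # constructed public holiday, a Monday


def is_workday(day, holidays=frozenset()):
    """True if `day` is a working day in the modelled factory calendar."""
    return day.weekday() in WORKING_WEEKDAYS and day not in holidays


def escalation_deadline(start, minutes, holidays=frozenset(), workdays_only=True):
    """Return the datetime at which a stage escalates.

    workdays_only=False models the standard behaviour (plain calendar time).
    workdays_only=True models the enhancement: only time that falls on
    working days is consumed from the escalation time.
    """
    if minutes < 0:
        raise ValueError("escalation time must not be negative")
    if not workdays_only:
        return start + timedelta(minutes=minutes)

    current = start
    remaining = timedelta(minutes=minutes)
    while True:
        next_midnight = datetime.combine(current.date() + timedelta(days=1), time.min)
        if not is_workday(current.date(), holidays):
            # Non-working day: the clock does not run, jump to the next day.
            current = next_midnight
            continue
        available = next_midnight - current
        if remaining <= available:
            return current + remaining
        remaining -= available
        current = next_midnight


def compare(start, minutes, holidays=frozenset()):
    """Both deadlines for one request, plus the extra time approvers get."""
    standard = escalation_deadline(start, minutes, holidays, workdays_only=False)
    workday = escalation_deadline(start, minutes, holidays, workdays_only=True)
    return {"standard": standard, "workdays_only": workday,
            "extra_wait": workday - standard}


if __name__ == "__main__":
    submitted = datetime(2016, 8, 5, 10, 0)   # constructed: a Friday, 10:00
    for label, value in compare(submitted, 48 * 60).items():
        print(f"{label:14} {value}")
```

When reviewing escalation settings, the `extra_wait` value is the additional time a request can stay pending with the original approver once non-working days stop counting.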


Workflow to Case mapping


Hi,

Many times I get a query about how to find the workflow corresponding to a case GUID in GRC Process Control, especially when cloning takes place.

There are 2 ways:

1> Follow the steps below:

      a) Go to the table 'SWW_WI2OBJ'

      b) Enter the case guid you have at hand, in the field 'INSTID' and execute

  

  1.png

      c) Here you can pick the TOP_WI_ID and work.

2.png

 

2> You can also use the transaction grpc_as_reorg. But this may at times not give the results when the workflow is in error or cancelled state.

  a) Enter the Case guid on Technical Case Key and execute.

3.PNG

  b) Double-click on the result and get the workflow ID.

4.png

Regards,

Smita.

How to Make SAP GRC a Better Product


Dear colleagues,

A few weeks ago I posted a blog where I criticised the SAP GRC support team for their way of 'problem solving' and 'maximum attention' to the clients.

I still believe that the idea place doesn't work, but we should do our best to make it work. That's why I'm writing this blog. Unfortunately, I don't see any other way to focus your attention on GRC functionality and start to influence the product.

I kindly ask you to give your voice to some of my ideas for improving GRC functionality. Each voice will be valuable to me, especially the voice of Collen Hebbert, who promised to vote up my ideas. It would be great if you looked at other ideas that describe your needs. If you see how to work around the issues described in the ideas, please vote down and leave your comment.

I know that many of you rarely or never check the idea place, so I offer to promote your ideas in the comments of this blog. Let's agree to place your ideas in the comments of the blog until the end of the year (31st of December, 2016), in order to prevent the blog from overflowing. If this practice is successful, we will open a new blog session for promoting your ideas.

 

Here is the list of my ideas:

https://ideas.sap.com/SAPAccessControl/D26527

https://ideas.sap.com/D35079

https://ideas.sap.com/D36000

https://ideas.sap.com/D35999

https://ideas.sap.com/D35998

https://ideas.sap.com/D35997

 

Let's force the government SAP to hear us!

http://cs11201.vk.me/v11201051/5db/SxbfQN6__1o.jpg

 

Faithfully yours,

Artem
