SAP AG Dietmar-Hopp-Allee 16 69190 Walldorf Germany T +49/18 05/34 34 34 F +49/18 05/34 34 20 www.sap.com
Copyright 2008 SAP AG, All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors. Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation.
MaxDB is a trademark of MySQL AB, Sweden. SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
Disclaimer
Some components of this product are based on Java. Any code change in these components may cause unpredictable and severe malfunctions and is therefore expressly prohibited, as is any decompilation of these components. Any Java Source Code delivered with this product is only to be used by SAP's Support Services and may not be modified or altered in any way.
Documentation in the SAP Service Marketplace
You can find this documentation at the following Internet address: service.sap.com/instguides
Typographic Conventions
Type Style: Represents
Example Text: Words or characters that appear on the screen. These include field names, screen titles, pushbuttons as well as menu names, paths and options. Cross-references to other documentation.
Example text: Emphasized words or phrases in body text, titles of graphics and tables.
EXAMPLE TEXT: Names of elements in the system. These include report names, program names, transaction codes, table names, and individual key words of a programming language, when surrounded by body text, for example, SELECT and INCLUDE.
Example text: Screen output. This includes file and directory names and their paths, messages, names of variables and parameters, source code as well as names of installation, upgrade and database tools.
Example text: Exact user entry. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>: Variable user entry. Pointed brackets indicate that you replace these words and characters with appropriate entries.
EXAMPLE TEXT: Keys on the keyboard, for example, function keys (such as F2) or the ENTER key.
Icons
Icon meanings: Caution, Example, Note, Recommendation, Syntax
Document History
The Master Guide is regularly updated in SAP Service Marketplace at service.sap.com/instguides. Make sure you have the latest version of the Master Guide by checking SAP Service Marketplace immediately before starting the installation. The following table provides an overview of the most important changes that were made in the latest versions.
Master Guide Version: 1.00, January 28, 2008
Important Changes: First release of GRC Access Control 5.3 application including the following functionality: Compliant User Provisioning, Enterprise Role Management, Risk Analysis and Remediation, and Superuser Privilege Management. Added support packages for 530_46C, 530_620, 530_640, and 530_700 to Important SAP Notes section 1.3.
February 2008
1 Getting Started
SAP GRC Access Control is an enterprise application that provides end-to-end automation for documenting, detecting, remediating, mitigating, and preventing access and authorization risk enterprise wide, resulting in proper segregation of duties, lower costs, reduced risk, and better business performance.
The Access Control application includes the following capabilities:
Risk Analysis and Remediation, which supports real-time compliance to detect, remove, and prevent access and authorization risk by preventing security and control violations before they occur.
Compliant User Provisioning, which automates provisioning, tests for SoD risks, and streamlines approvals to the appropriate business approvers to unburden IT staff and provide a complete history of user access.
Enterprise Role Management, which standardizes and centralizes role creation and maintenance.
Superuser Privilege Management, which enables users to perform emergency activities outside their roles as a privileged user in a controlled and auditable environment.
SAP GRC solutions help companies comply with the Sarbanes-Oxley Act and other regulatory mandates by enabling organizations to rapidly identify and remove authorization risks from IT systems. Access Control allows preventive controls to be embedded into business processes to identify and prevent future SoD violations from being introduced without proper approval and mitigation.
You can find the most current information about the technical implementation of SAP GRC Access Control, and the latest installation and configuration guides on SAP Service Marketplace at service.sap.com/instguides. We strongly recommend that you use the documents available here. The guides are regularly updated.
Released platforms and technology-related topics such as maintenance strategies and language support
Network security
High Availability
Performance
Information about Support Package Stacks, latest software versions and patch level requirements
Information about Unicode technology: service.sap.com/unicode@sap
1138109
VIRSAHR
2 SAP GRC Access Control Overview 1.4 GRC Access Control Documentation
[Figure: system landscape diagram. Labels: RFC, RTA, Reporting Analytics, SAP BW, Non-SAP App, JDBC, Presentation Server, UD Connector, Technology Layer (UME, SLD, IGS)]
2.2 Technical System Landscape
Risk Analysis and Remediation supports real-time compliance to detect, remove, and prevent access and authorization risk by preventing security and control violations before they occur. The technical system landscape for Risk Analysis and Remediation is shown below.
[Figure: Risk Analysis and Remediation Landscape. Labels: BEx, BI Web App Designer, Executive Analytics, Alert Monitor, Analysis Engine, Controls Manager, Data Unification, Web Dynpro, Rule Engine, Workflow Engine (AE), Dashboards, Rule Loader, Rule Cache, Remediation Workflow Context, Transaction Log (File), Alert Data, Text Data (Transaction name, etc.), BI, Virsa Adapter, Adapter Framework, SAP, Oracle, Legacy, External systems]
Superuser Privilege Management enables users to perform emergency activities outside their roles as a privileged user in a controlled and auditable environment. The technical system landscape for Superuser Privilege Management is shown below.
[Figure: Superuser Privilege Management Landscape. Labels: SD FFId, MM FFId, FI FFId, SD FF Role, MM FF Role, CC Analysis Engine, Risk Analysis, Analysis Adapter, WebDynpro Reports, ABAP Reports]
Compliant User Provisioning automates provisioning, tests for SoD issues, and streamlines approvals to the appropriate business approvers to unburden IT staff and provide a complete history of user access. The technical landscape for Compliant User Provisioning is shown below.
[Figure: Compliant User Provisioning Landscape. Labels: Framework Components, Presentation Layer (JSP), Navigation Framework (UI), HTTP requests, Action Classes, BAPI Framework, Integration, SAP JCO Adapters, Business Object Classes, Data Access Object Layer, SAP R/3, RE, CC, RTA, AE DB]
Enterprise Role Management standardizes and centralizes role creation. The technical landscape for Enterprise Role Management is shown below.
[Figure: Enterprise Role Management. Labels: Action Classes, BAPI Framework, Integration, SAP JCO Adapters, Business Object Classes, Data Access Object Layer, SAP R/3, AE, RTA, CC]
2.3.1 Purpose
To install SAP GRC Access Control software, use the steps described below. This table contains all available software components. However, to implement a specific scenario, you only need a subset of available software components. For information about software compatibility requirements, see section 2.1 Software Component Matrix. For the latest component version and patch level requirements, see the Important SAP Notes section.
2.3.2 Process
SAP GRC Access Control supports all operating and database software systems supported by SAP NetWeaver. For more details, refer to the product availability matrix on SAP Service Marketplace at service.sap.com.
Implementation Sequence
Step 1 (Required): Install NetWeaver 7.0 Application Server (AS) SP12, (ECC 6.0, NW04S or 2004S). Reference: See service.sap.com/instructions
Step 2: Install Risk Analysis and Remediation. VIRCC00_0.SCA
Step 3: Install Compliant User Provisioning. VIRAE00_.0SCA
Step 4: Install Enterprise Role Manager. VIRRE00_0.SCA
Step 5: Install Superuser Privilege Management. VIRFF00_0.SCA
Step 6: Install Access Control Real Time Agent 5.3. One RTA connection is required. VIRSANH
Reference: Installation Guide SAP GRC Access Control
Optional: Install 2nd Access Control Real Time Agent. VIRSAHR; VIRSANH and SAP_HR are required to deploy 2nd AC RTA.
Optional: Install Enterprise Portal Integration. VIREPRTA00_0.SCA
Optional: Install Launch Pad
3 Solution-Wide Topics
Shared services provided by SAP NetWeaver are required to run Solution Manager and System Landscape Directory. Refer to the current SAP NetWeaver Master Guide for more information about these topics.
[Figure: documentation types. Labels: Implementation, Operation, Upgrade; SAPterm, SAP Library, Master Guide, Component Installation Guide, Security Guide, Configuration Documentation, Implementation Guide (IMG), Solution Management Guide, Release Notes]
SAPterm
SAPterm is SAP's terminology database. It contains SAP-specific vocabulary in over 30 languages, as well as many definitions and glossary entries in English and German.
Target group: Relevant for all target groups
Current version: Located in the SAP Help Portal at help.sap.com → Additional Information → Glossary (direct access) or Terminology (available as terminology CD), and in the SAP system in transaction STERM
SAP Library
The SAP Library is a collection of function- and process-oriented documentation for SAP components. The SAP Library also contains the Business Scenario Descriptions.
Target group: Consultants, System Administrators, Project teams for implementations or upgrades
Current version: Located in the SAP Help Portal at help.sap.com; also located in the SAP Service Marketplace at service.sap.com/ibc (only the Business Scenario Descriptions)
Security Guide
The Security Guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for the SAP NetWeaver technologies like SAP Web Application Server (SAP Web AS). This document contains general guidelines and suggestions about system security. Other technologies and individual applications have a Security Guide of their own.
Target group: Technology consultants, Solution consultants, and Project teams for implementations or upgrades
Current version: Located in the SAP Service Marketplace at service.sap.com/securityguide
Master Guide
The Master Guide is the starting point for implementing an SAP solution. It lists the required SAP components and third-party applications that are required for each Business Scenario. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also offers references to other documents, such as Component Installation Guides and SAP Notes.
Target group: Technology consultants, System Administrators, and Project teams for implementations or upgrades
Current version: Located in the SAP Service Marketplace at service.sap.com/securityguide
Release Notes
Release notes are documents that contain short descriptions of new features or changes in an SAP component since the previous release. Release notes about ABAP developments enable the SAP system to generate delta and upgrade IMGs.
Target group: Consultants and project teams for upgrades.
Current version: Located in SAP Service Marketplace at service.sap.com/releasenotes and in the SAP menu of the SAP system under Help → Release information.