Exercise Objectives
After completing this exercise, you will be able to:
• Use the launch pad to access the different functionalities within SAP BusinessObjects Access Control
• Navigate between the different tabs within all applications in SAP BusinessObjects Access Control
Business Example
To evaluate changes in the most recent version of SAP BusinessObjects Access Control compared to the older versions, you must log on and familiarize yourself with the launch pad and some elementary functionalities.
Task:
Log on to the application and familiarize yourself with the launch pad, access the four components and navigate to the different tabs in each one.
1. Launch the SAP BusinessObjects Access Control 5.3 launch pad, and log on to the system.
2. Review the launch pad links to the various components.
3. Review the Risk Analysis and Remediation component.
4. Review the Compliant User Provisioning component.
5. Review the Enterprise Role Management component.
6. Review the Superuser Privilege Management component.
Unit 1: Course Overview GRC300
Solution 1: SAP BusinessObjects Access Control - Overview
Task:
Log on to the application and familiarize yourself with the launch pad, access the four components and navigate to the different tabs in each one.
1. Launch the SAP BusinessObjects Access Control 5.3 launch pad, and log on to the system.
a) Enter the SAP BusinessObjects Access Control training system URL (provided by your instructor) into a browser window and choose Go.
b) Log on to the system with the user ID GRC300-xx (xx is your user number, and it is provided by your instructor) and password.
2. Review the launch pad links to the various components.
a) Notice that all the links are activated. If the user does not have access to a specific component, does it still show?
3. Review the Risk Analysis and Remediation component.
a) Choose Risk Analysis and Remediation. Click on each of the visible tabs: Informer, Rule Architect, Mitigation, Alert Monitor, CCADstatus, BJstatus, and Configuration.
4. Review the Compliant User Provisioning component.
a) Choose Compliant User Provisioning. Click on each of the visible tabs: My Work, Informer, and Configuration.
5. Review the Enterprise Role Management component.
a) Choose Enterprise Role Management. Click on each of the visible tabs: Role Management, Informer, and Configuration.
6. Review the Superuser Privilege Management component.
a) Choose Superuser Privilege Management. Click on each of the visible tabs: Reports and Configuration.
7. Exit the application.
GRC300 Lesson: SAP BusinessObjects Access Control Overview
Lesson Summary
You should now be able to:
• List the main components of SAP BusinessObjects Access Control and their integration points
• Describe the functionality of Risk Analysis and Remediation and Risk Terminator
• Describe the functionality of Superuser Privilege Management
• Describe the functionality of Enterprise Role Management
Lesson: SAP BusinessObjects Access Control Authorizations
Lesson Overview
This lesson explains the authorization concept of SAP BusinessObjects Access Control in the user management engine (UME).
Lesson Objectives
After completing this lesson, you will be able to:
• List the authorizations and roles used in the Java-based parts of SAP BusinessObjects Access Control
• Explain the UME role concept
• Access and use the UME administration tool
Business Example
You are asked to evaluate the Java-based authorization concept within SAP BusinessObjects Access Control to ensure the correct technical implementation of roles and responsibilities and to be prepared for future audits.
User Management Engine
The user management engine (UME) is where users are assigned roles for the different SAP BusinessObjects Access Control products. During the installation of the SAP BusinessObjects Access Control products, the roles.txt file is imported. This generates the necessary roles for Risk Analysis and Remediation, Compliant User Provisioning, and Enterprise Role Management.
GRC300 Lesson: SAP BusinessObjects Access Control Authorizations
Figure 19: User Management Engine Import Screen
After the roles text file is imported, you can choose the Identity Management button in the UME and begin creating users or assigning roles to users.
Caution: When creating users, you should verify with your Basis team if the user data source has been set to UME, ABAP, or LDAP. If the user source is not UME, you will not be able to create the users in the UME.
Once in the UME, you can search for roles or users in the system. The concept of roles in the UME is based on actions: a role in the UME is made up of the actions assigned to it. The following roles are delivered with SAP BusinessObjects Access Control:
• Compliant User Provisioning is comprised of three roles: AEAdmin, AESecurity, and AEApprover. All of these roles are made up of different actions.
  – Some of the actions delivered with Compliant User Provisioning include: ViewAccessEnforcer, AE.ModifyBackgroundJobsConfiguration, and AE.ModifyChangeLogConfiguration.
• Risk Analysis and Remediation is comprised of four roles: VIRSA_CC_Administrator, VIRSA_CC_Report, VIRSA_CC_Security_Admin, and VIRSA_CC_Business_Owner.
  – Some of the actions delivered with Risk Analysis and Remediation are com.virsa.cc.CreateRuleSet, com.virsa.cc.ChangeRuleSet, and com.virsa.cc.DeleteRuleSet.
• Enterprise Role Management is comprised of six roles: RE Admin, REBusinessuser, RERoleDesigner, RESecurity, RESuperuser, and REConfigurator.
  – Some of the actions delivered with Enterprise Role Management are ViewConfiguration, RE.ViewRoleExpert, and RE.ViewRoleLibrary.
• Superuser Privilege Management is made up of one SAP role: FF_Admin. This is the administrator role and should only be used by the administrator. You can create additional roles by assigning some of the following actions: ViewreportsTab, ViewReaffirms, and SODReport.
All of these roles are standard SAP-delivered roles. If you want to replicate or modify the roles, use a copy so the integrity of the SAP-delivered roles is maintained.
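An audit check for the two rules stated above (leave delivered roles unmodified and work on copies; reserve FF_Admin for the administrator), as an added example that is not part of the course material. The action sets per role, the post-import baseline snapshot, the Z_ role names, and the user IDs are constructed for illustration; the delivered roles hold more actions than the lesson lists, and how this data is exported from the UME is not covered here.

```python
"""Audit sketch: delivered-role integrity and FF_Admin holders (constructed data)."""

def audit_ume(baseline, current, assignments, administrators):
    """Return a sorted list of (finding, subject, detail) tuples."""
    findings = []
    # 1. Every delivered role must still match the snapshot taken after import.
    for role, actions in baseline.items():
        if role not in current:
            findings.append(("delivered-role-missing", role, ""))
            continue
        added = sorted(current[role] - actions)
        removed = sorted(actions - current[role])
        if added or removed:
            detail = f"added={added} removed={removed}"
            findings.append(("delivered-role-modified", role, detail))
    # 2. FF_Admin is reserved for the administrator.
    for user, roles in assignments.items():
        if "FF_Admin" in roles and user not in administrators:
            findings.append(("ff-admin-non-administrator", user, "FF_Admin"))
    return sorted(findings)

# Constructed sample data; real delivered roles hold more actions than shown.
BASELINE = {  # role -> actions, snapshot assumed taken right after import
    "VIRSA_CC_Administrator": {"com.virsa.cc.CreateRuleSet",
                               "com.virsa.cc.ChangeRuleSet",
                               "com.virsa.cc.DeleteRuleSet"},
    "FF_Admin": {"ViewreportsTab", "ViewReaffirms", "SODReport"},
}
CURRENT = {  # present state: one delivered role edited in place, two copies
    "VIRSA_CC_Administrator": {"com.virsa.cc.CreateRuleSet",
                               "com.virsa.cc.ChangeRuleSet"},
    "FF_Admin": {"ViewreportsTab", "ViewReaffirms", "SODReport"},
    "Z_CC_Admin_NoDelete": {"com.virsa.cc.CreateRuleSet",
                            "com.virsa.cc.ChangeRuleSet"},  # hypothetical copy
    "Z_FF_Reports": {"ViewreportsTab", "SODReport"},        # hypothetical copy
}
ASSIGNMENTS = {"ffadmin": {"FF_Admin"}, "GRC300-01": {"FF_Admin"},
               "GRC300-02": {"Z_FF_Reports"}}
ADMINISTRATORS = {"ffadmin"}  # who counts as the administrator is an assumption

if __name__ == "__main__":
    for finding in audit_ume(BASELINE, CURRENT, ASSIGNMENTS, ADMINISTRATORS):
        print(*finding, sep=" | ")
```

The copied roles (Z_CC_Admin_NoDelete, Z_FF_Reports) raise no finding, while the in-place edit of VIRSA_CC_Administrator and the FF_Admin assignment to GRC300-01 do.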