Thursday, 26 July 2018

SAP GRC ACCESS CONTROL CUSTOM INITIATOR RULE

When raising an access request in SAP GRC, system line items do not have approvers, so adding a system (RFC connector) to a request will likely result in an error.
Some of the likely errors encountered are:
  • No Approver found
  • No agent found, cancelling path ....... (in stage no: XXXX)
One possible solution for this scenario is to build logic in a custom initiator rule that sends system line items to a path with no stage in the process ID (SAP_GRAC_ACCESS_REQUEST).

Step 1: Log on to the GRC system and execute transaction code (SPRO) from the command field




Step 2: Click on SAP reference IMG (it takes you to the implementation screen)

Step 3: Go to Governance Risk & Compliance --> Access Control --> Workflow for Access Control --> Define Workflow Related MSMP Rules



Step 4: Enter the information as specified in the image below, then click the Execute button



Step 5: A log is generated; ensure every entry has a green status
   

Step 6: Execute transaction code BRF+
       Right-click on the application (Access Request Appro) --> Create --> Expression --> Decision Table




Step 7: Create the decision table: click Create and Navigate to Object (specify a Name, Short Text and Text)

Step 8: Specify the following columns in the decision table:

Build your table to reflect what is shown in the image below, then click the OK button

The decision table is created:


Step 9: Click the Add Row button and fill in the details as seen in the picture below



The condition statement above means:
Request Type is between 001 and 006 and Role Type is initial.
If all of the conditions are true, the row matches and returns its result value, which sends the access request line item to the path System_path.

"Is initial" refers to the situation where the role type is blank (a connector line item has no role type).
"Is not initial" refers to the situation where the role type has a value (Single, Composite, Derived, etc.).
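To make the routing logic concrete, here is a small Python model of the decision table described above. It is an added example, not code from the original post and not SAP or BRF+ code; the path name System_path comes from the post, while Role_path and Default_path are assumed names for illustration.

```python
# Added example: a Python model of the BRF+ initiator decision table described
# in the post. Each row is (request-type range, role-type condition, result path).
# A system (connector) line item has a blank role type, so "initial" matches it
# and it is routed to System_path, which has no stage and therefore needs no approver.
from dataclasses import dataclass
from typing import Optional

@dataclass
class LineItem:
    item_id: str
    request_type: str         # zero-padded BRF+ request type code, e.g. "001"
    role_type: Optional[str]  # None or "" for a system (connector) line item

def is_initial(value: Optional[str]) -> bool:
    """BRF+ 'is initial' check: the field is unset or blank."""
    return value is None or value == ""

# Decision table rows, evaluated top-down like a BRF+ decision table.
# "Role_path" is an assumed name for the path that carries role line items.
DECISION_TABLE = [
    (("001", "006"), "initial", "System_path"),
    (("001", "006"), "not initial", "Role_path"),
]

def evaluate(item: LineItem, table=DECISION_TABLE, default="Default_path") -> str:
    """Return the result path of the first matching row, or the assumed default."""
    for (lo, hi), role_cond, result in table:
        # Zero-padded three-digit codes compare correctly as strings.
        in_range = lo <= item.request_type <= hi
        blank = is_initial(item.role_type)
        role_ok = blank if role_cond == "initial" else not blank
        if in_range and role_ok:
            return result
    return default

def route_request(items):
    """Map every line item of one access request to its MSMP path."""
    return {i.item_id: evaluate(i) for i in items}

# Constructed sample request: one connector line item and two role line items.
SAMPLE_ITEMS = [
    LineItem("1", "001", ""),          # system line item -> System_path
    LineItem("2", "001", "Single"),    # single role      -> Role_path
    LineItem("3", "007", "Composite"), # outside 001-006  -> Default_path
]

if __name__ == "__main__":
    for item_id, path in route_request(SAMPLE_ITEMS).items():
        print(item_id, "->", path)
```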

Save and activate the decision table.

Step 10: Click on Function in the left-hand pane and go into Edit mode to assign the Top expression.




NOTE:

1. The Top Expression value should be the decision table that was created.
2. Make a note of the ID from the General tab. This is required to create the new initiator rule in the MSMP workflow.
Now launch MSMP (GRFNMW_CONFIGURE_WD).
Select the Process ID, go to Maintain Rules (step 2 of 7) and add the newly created BRF+ rule.





Go to step 5 of 7 and create all the required paths with the respective stages for each path. For the system path, ensure it has no stage.




Assign the rule result values to the custom paths as shown below:


Go to step 7 of 7, save, simulate and activate.

Now, whenever you add a system line item to an access request in SAP GRC, that line item goes to the system path, which has no stage, and auto-provisioning is performed.
For more information, you could visit this link.

Thursday, 6 October 2016

SECURING YOUR NETWORK: THE BEST APPROACH


A network is a group of two or more computers linked together that are capable of sharing resources.
Authentication is the process of verifying the authenticity of an individual before granting access to a particular resource. Authentication supports access control, which in turn helps in achieving security.
Network authentication is a means of verifying the identity of someone over the network before they are given access to resources that reside on the network. There are various ways in which we could carry out authentication over a network.
The router is one device that is used for authentication over the network. The router serves as the door that restricts or allows access to a network. Before one can successfully connect to the network there is always a need to provide a name and a password. Security here depends on the strength of the password and the encryption type.
There are basically three types of wireless encryption, namely:
1.      WEP (Wired Equivalent Privacy)
2.      WPA (Wi-Fi Protected Access)
3.      WPA2 (Wi-Fi Protected Access II)
There are two ways to achieve security (authentication) on a network.
In the diagram above, a user only needs to authenticate once to access both the applications and the internet.
In this scenario, after authentication over the network has been achieved, you could add an extra security feature for internet access: a domain name server where a username and a password are required to gain access. In such a scenario you can monitor which users have access to the internet, determine the amount of data a user is consuming, and limit a user's data usage to a set level.
When logging into an SAP system you could restrict access by requesting login details.
Biometric authentication is a way of identifying a person through the evaluation of one or more of their biological traits. This includes the use of fingerprint scanners, iris scanners, facial scanners, swipe cards, voice controls, etc.
SAP biometric authentication software (BIOLOCK) is produced by Realtime. Biolock identifies indisputably who is logging in, helps in controlling the areas of an SAP system that can be accessed, and makes impersonation difficult.

Biometrics as a form of authentication can be implemented either over the network or on your SAP system.

Monday, 8 August 2016

WHY AND FOR WHAT DO WE REQUIRE AUTHORIZATION


We require authorizations in order to achieve the following:
·         To protect sensitive business data
·         To ensure the smooth running of the business process
·         To determine the cost-benefit relation
When developing a security concept we seek out what is to be protected (ASSETS), against what (THREATS) and how we achieve maximum protection (MEASURES).

FACTORS TO CONSIDER WHEN PROTECTING AN SAP SYSTEM
·         Security must be implemented at all levels, because most of the time an attack comes from the weakest point within the system.
·         A complex authorization setup is just one aspect of a security concept.

SYSTEM ACCESS CONTROL AND ROLE BASED ACCESS CONTROL
System access control deals with users identifying themselves to the system using a valid user ID and a password; access control deals with authority checks for programs and transactions.
Access control is a security technique used to regulate who or what can view or use resources in a computing environment. In order to work in an SAP system, users require a valid user ID, and a user master record must be created for each system user. Authorizations are assigned to a user via profiles, in the form of roles that are entered into the user master record.

DEFINITION OF TERMS
i.   Role: a group of activities performed within a business scenario
ii.  Profile: a container for authorizations
iii. Business Scenario: a group of activities performed by employees in their various roles


NOTE: A role contains one or more activities of a business scenario; a single role can be involved in different business scenarios.
Roles are created with the tcode PFCG; the four core elements of a role are:
·         TRANSACTION
·         MENU
·         AUTHORIZATION
·         USER ASSIGNMENT
To view the report on SAP roles, use RSUSR070 and enter SAP* to display all the roles supplied by SAP.




SECURITY & AUTHORIZATIONS IN SAP

What is authorization?

AUTHORIZATION
Authorization is the process or system of giving someone the privilege, access or permission to do or have something.

Authorization in information technology is the process of specifying access rights to a system, data or information. It is the process that confirms what a user is allowed to perform on a system.


SAP AUTHORIZATION CONCEPT
Security in SAP is achieved through the authorization concept. The authorization concept is based on the logical relationship between a user ID and the range of system authorizations with which it can be associated, i.e. the relationship between a user and the set of activities that he/she can perform in the system.
The authorization concept helps in establishing maximum security while giving end users sufficient privileges (access) to fulfil their job duties. Authorizations are used to control access at the application level.

Note: The authorization concept seeks to achieve the following:

              a. Maximum Security
              b. Sufficient Privileges (ACCESS)
              c. User Maintenance