SAP Access Control 12.0 Configuration Parameters


Applies to: SAP Access Control 12.0 and above

Summary: This guide contains information about the parameters used when configuring SAP Access Control.

Created: January 2019
Version 1.3
2019 SAP AG

Document History

Document Version | Description
1.00 | Initial release
1.10 | Data privacy edits
1.20 | Added parameter 1128
1.30 | Added parameter 2063 (SP03); added parameter 4022 (SP03); added parameter 4025 (SP03)

Maintaining Configuration Settings in SAP Access Control 12

Typographic Conventions

Type Style | Description
Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
Example text | File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.

Icons (icon images are not reproduced in this transcription) | Description
Icon | Caution
Icon | Note or Important
Icon | Example
Icon | Recommendation or Tip
Icon | Cross-references to other documentation

Table of Contents

1. Maintain Configuration Settings ... 1
1.1 Change Log ... 3
1.2 Mitigation ... 8
1.3 Risk Analysis ... 13
1.4 Risk Analysis - Spool ... 28
1.5 Workflow ... 30
1.6 Emergency Access Management ... 43
1.7 UAR Review ... 55
1.8 Performance ... 59
1.9 Risk Analysis - Access Request ... 64
1.10 Role Management ... 67
1.11 Risk Analysis – Risk Terminator ... 89
1.12 Access Request Role Selection ... 92
1.13 Access Request Default Roles ... 106
1.14 Access Request Role Mapping ... 112
1.15 SOD Review ... 114
1.16 LDAP ... 117
1.17 Assignment Expiry ... 118
1.18 Access Request Training Verification ... 119
1.19 Authorizations ... 122
1.20 Access Request Business Role ... 123
1.21 Management Dashboard Reports ... 126
1.22 Access Request Validations ... 128
1.23 Simplified Access Request ... 137
1.24 Access Control – General Settings ... 141
1.25 Access Controls – ILM Configuration ... 143
1.26 SAP Cloud Identity Access Governance Integration ... 144
2. Index by Numerical Value ... 145
3. Copyright ... 148

1. Maintain Configuration Settings

Access Control configuration parameters allow you to customize the SAP Access Control application.

You access parameters in Customizing (transaction SPRO). The menu path from the SAP Easy Access screen is Tools -> Customizing -> IMG -> Execute Project -> SAP Reference IMG -> Governance, Risks, and Compliance -> Access Control -> Maintain Configuration Settings.

To maintain the configuration settings:

1. Choose the New Entries pushbutton and select a parameter group from the dropdown list.
2. In the Parameter ID column, select a parameter ID.
3. Select a Parameter Value from the dropdown list, or, if appropriate, enter a value in the Parameter Value field.
4. Optionally, in the Priority field, enter a number for the priority of the parameter. This is a user-defined field.
5. Choose Save.

January 2019 Page 1 of 153

Parameter Groups

Configuration parameters are organized into Parameter Groups as shown in the table below. Each group corresponds to an area of functionality within SAP Access Control.

Group Number | Group Description
01 | Change Log
02 | Mitigation
03 | Risk Analysis
04 | Risk Analysis - Spool
05 | Workflow
06 | Emergency Access Management
07 | UAR Review
08 | Performance
09 | Risk Analysis - Access Request
10 | Role Management
11 | Risk Analysis – Risk Terminator
12 | Access Request Role Selection
13 | Access Request Default Roles
14 | Access Request Role Mapping
15 | SOD Review
16 | LDAP
17 | Assignment Expiry
18 | Access Request Training Verification
19 | Authorizations
20 | Access Request Business Role
21 | Management Dashboard Reports
22 | Access Request Validations
23 | Simplified Access Request
24 | Access Control – General Settings
25 | Access Controls – ILM (Information Lifecycle Management) Configuration
26 | SAP Cloud Identity Access Governance Integration

1.1 Change Log

The Change Log parameters control how transaction history is logged and displayed in SAP Access Control.

Overview of Change Log Parameters

Parameter ID | Description | Default Value
1001 | Enable Function Change Log | YES
1002 | Enable Risk Change Log | YES
1003 | Enable Organization Rule Log | YES
1004 | Enable Supplementary Rule Log | YES
1005 | Enable Critical Role Log | YES
1006 | Enable Critical Profile Log | YES
1007 | Enable Rule Set Change Log | YES
1008 | Enable Role Change Log | YES
5001 | SLG1 Logs for HR Trigger | HIGH

Details of Change Log Parameters

Param ID: 1001
Description: Enable Function Change Log
Default: YES

Set to YES to display the Change History tab on the Function screen.

Param ID: 1002
Description: Enable Risk Change Log
Default: YES

Set to YES to display the Change History tab on the Access Risk screen.

Param ID: 1003
Description: Enable Organization Rule Log
Default: YES

Set to YES to display the Change History tab on the Organization Rules screen.

Param ID: 1004
Description: Enable Supplementary Rule Log
Default: Yes

Set to YES to display the Change History tab on the Supplementary Rules screen.

Param ID: 1005
Description: Enable Critical Role Log
Default: Yes

Set to YES to display the Change History tab on the Critical Role screen.

Param ID: 1006
Description: Enable Critical Profile Log
Default: Yes

Set to YES to display the Change History tab on the Critical Profile screen.

Param ID: 1007
Description: Enable Rule Set Change Log
Default: Yes

Set to YES to display the Change History tab on the Rule Sets screen.

Param ID: 1008
Description: Enable Role Change Log
Default: YES

Set to YES to display the Change History link on the Additional Details tab of the Role Maintenance screen.

Param ID: 5001
Description: SLG1 Log Level for HR Triggers
Default: HIGH

The available values are High and Medium. When this parameter is set to High, all the HR Trigger logs are captured under SLG1, whether or not the info types from the HR System satisfy the BRF rules. When this parameter is set to Medium, the system only captures those logs that occur after the BRF rules are satisfied.

The screenshot below shows the detailed SLG1 logs that are captured when the parameter is set to High.

[Screenshot omitted]

1.2 Mitigation

The Mitigation parameters control how risk mitigation works in SAP Access Control.

Overview of Mitigation Parameters

Parameter ID | Description | Default Value
1011 | Default expiration time for mitigating control assignments (in days) | 365
1012 | Consider Rule ID also for mitigation assignment | NO
1013 | Consider System for mitigation assignment | NO
1014 | Enable separate authorization check for mitigation from access request | NO
1015 | Get data for Invalid Mitigation Report from Management Summary table | NO
1016 | Specify number of days to exclude from Invalid Mitigation Cleanup | 0 (zero)

Details of Mitigation Parameters

Param ID: 1011
Description: Default expiration time for mitigating control assignments (in days)
Default: 365

The default number of days for which you can mitigate any object (selection on the service map). You can overwrite this number in the Valid To field.

Param ID: 1012
Description: Consider Rule ID also for mitigation assignment
Default: NO

By default, the application includes all rules when it mitigates the access risk.

Setting the value to YES allows you to specify the specific Rule ID to be included when mitigating the risk.

Param ID: 1013
Description: Consider System for mitigation assignment
Default: NO

Setting the value to YES allows you to apply mitigating controls to risks originating from specific systems.

Param ID: 1014
Description: Enable separate authorization check for mitigation from access request
Default: NO

This parameter controls how authorization checks are done during the access request risk mitigation process.

Previously, when risk mitigation was done during request approval, the mitigation was saved directly to the user mitigation tables. If the request was later rejected or cancelled, the mitigation remained in the user mitigation table even though it was then invalid.

By using this parameter, you tell the application to save the mitigation in intermediate tables until the request is fully approved. At that point, the mitigation is transferred to the user mitigation table.

This parameter works in conjunction with an activity (88) that is added to authorization object GRAC_MITC.

Setting the value to YES enables activity 88, and mitigations are saved to an intermediate table until the request is fully approved.

Setting the value to NO saves the mitigations directly to the user mitigation tables, and activity 88 is not checked.

For more information, see SAP Note 1996151.

Param ID: 1015
Description: Get data for Invalid Mitigation Report from Management Summary table
Default: NO

SAP Access Control allows you to run analysis reports for Invalid Mitigating Controls with the option to use Offline Data. The report gets the offline data from the detailed violations table from the last batch risk analysis. The data is very granular (low level) and may take time and more system resources to get.

This parameter allows you to get the Offline Data from the Management Summary table. As the data is already at a summary level, it takes less time and fewer resources to produce the report.

Set the value to No to get the data from the detailed violations table.
Set the value to Yes to get the data from the Management Summary table.

Param ID: 1016
Description: Specify number of days to exclude from Invalid Mitigation Cleanup
Default: 0

As an AC Administrator, you can use Invalid Mitigation Cleanup to remove mitigation assignments that are no longer valid because the risks no longer exist. For example, the role assignments have been removed or the roles have changed.

Additionally, there may be a scenario where you assign mitigation controls in Role Simulation or User Simulation, which results in invalid mitigation assignments because the roles or the updates do not yet exist in the back-end. The mitigation assignments will show as invalid until the user assignments and role changes have propagated to the back-end system.

If you use Invalid Mitigation Cleanup, it will remove all invalid mitigation assignments, including those in Simulation. To keep your work from being deleted, you can use this parameter to exclude from the cleanup the assignments that have been maintained within the selected number of days. For example, enter 10 to exclude invalid mitigation assignments maintained in the last 10 days.

The calculated date is based on the date of last maintenance of the mitigating control assignments to users and roles. Whether the maintenance is done via a request, manually, or by upload, the calculation is the same.

Note: If you use the upload feature, all items uploaded will have a last maintained date of the upload date even if there is no change.

1.3 Risk Analysis

The Risk Analysis parameters control how risk analysis works in SAP Access Control.

Overview of Risk Analysis Parameters

Parameter ID | Description | Default Value
1021 | Consider Org Rules for other applications | NO
1022 | Allow object IDs for this connector to be case sensitive | empty
1023 | Default report type for risk analysis | 2
1024 | Default risk level for risk analysis | 3
1025 | Default rule set for risk analysis | empty
1026 | Default user type for risk analysis | A
1027 | Enable Offline Risk Analysis | NO
1028 | Include Expired Users | NO
1029 | Include Locked Users | NO
1030 | Include Mitigated Risks | NO
1031 | Ignore Critical Roles and Profiles | YES
1032 | Include Reference user when doing user analysis | YES
1033 | Include Role/Profile Mitigation in User Risk Analysis | YES
1034 | Max number of objects in a package for parallel processing | 100
1035 | Send e-mail notification to the monitor of the updated mitigated object | YES
1036 | Show all objects in Risk Analysis | NO
1037 | Use SoD Supplementary Table for Analysis | YES
1038 | Consider FF Assignments in Risk Analysis | NO
1046 | Extended objects enabled connector | empty
1048 | Business View for Risk Analysis is Enabled | NO (Technical View)
1050 | Default Report View for Risk Analysis | Remediation View

Details of Risk Analysis Parameters

Param ID: 1021
Description: Consider Org Rules for other applications
Default: NO

Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and Role Maintenance screens.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

Param ID: 1022
Description: Allow object IDs for this connector to be case sensitive
Default: empty

On the Risk Analysis screen, you specify the system and the analysis criteria such as User, Risk Level, and so on. This parameter allows you to specify for which systems the information entered is case sensitive.

In the example below, z cup USR001 is case sensitive for system NCACLNT001.

[Screenshot omitted]

Note: To enter more than one system or connector, enter additional instances of the parameter.

Param ID: 1023
Description: Default report type for risk analysis
Default: 2

The Risk Analysis screen allows you to select several report type options for the risk analysis, such as Access Risk Analysis, Action Level, and Permission Level.

This parameter allows you to choose one or more report types that are selected by default. It works as follows:

- If you do not define a value for parameter 1023 in the IMG, the report type defaults to 2, Permission Level.
- If you define one or more values for parameter 1023 in the IMG, the report type defaults to those values.

Note: In the IMG value cell, press F4 to display the available types, such as Permission Level, and so on. The screenshot below shows the report being run with a default value of 2, Permission Level.

[Screenshot omitted]

Note: This setting does not affect the Risk Analysis Type fields on the Batch Risk Analysis screens; you must set these separately.

Param ID: 1024
Description: Default risk level for risk analysis
Default: 2

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

This parameter allows you to choose the Risk Level that is selected by default.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1025
Description: Default rule set for risk analysis
Default: empty

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

This parameter allows you to choose the Rule Set that is selected by default.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1026
Description: Default user type for risk analysis
Default: A

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

This parameter allows you to choose the User Type that is selected by default.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1027
Description: Enable Offline Risk Analysis
Default: NO

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

The parameter value is set to NO to exclude Offline Data in risk analysis by default. On the Risk Analysis screen, the Offline Data checkbox is empty by default.

Note: If parameter 2023 is set to YES, then this parameter must also be set to Yes.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1028
Description: Include Expired Users
Default: NO

Set to YES to include expired users from plug-in systems for risk analysis.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

SAP Note 2178532 – Risk analysis not considering locked and expired users.

Param ID: 1029
Description: Include Locked Users
Default: NO

Set to YES to include locked users from plug-in systems for risk analysis.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

SAP Note 2178532 – Risk analysis not considering locked and expired users.

Param ID: 1030
Description: Include Mitigated Risks
Default: NO

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

Set the parameter value to YES to include Mitigated Risks in the risk analysis by default. The application displays the SoD violations, the mitigated risks, and the mitigating control assigned to each. On the Risk Analysis screen, the Include Mitigated Risks checkbox is automatically selected.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1031
Description: Ignore Critical Roles and Profiles
Default: YES

Set the value to YES to exclude critical roles and profiles from risk analysis.

Note: In Batch Risk Analysis, if this parameter is set to YES, the roles and profiles that are in the Critical Roles and Profiles tables are added to the entries specified in the IMG activity Maintain Exclude Objects for Batch Risk Analysis.

Param ID: 1032
Description: Include Reference user when doing user analysis
Default: YES

Set the value to YES to include referenced users when performing SoD risk analysis for users. This is also valid for Batch Risk Analysis.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

Param ID: 1033
Description: Include Role/Profile Mitigation in User Risk Analysis
Default: YES

Set the value to YES to include mitigating controls assigned to roles and profiles when performing user risk analysis. This setting affects both ad hoc user-level analysis and data calculated during batch risk analysis.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

SAP Note 1732781 - Risks appear for the Roles/Users whose Mitigation has already been done.

Background

If Role 1 is mitigated for Risk A, then all users assigned to Role 1 are mitigated for Risk A.

If User Jones is mitigated for Risk A, the user-level mitigation supersedes any role or profile level mitigation.

Practical use: if businesses do not mitigate risks at the user level, they can use role or profile mitigation as a blanket mitigation technique.

Illustration

- Role 1 and Role 2 both contain Risk A.
- Role 1 is mitigated for Risk A.
- User Jones is assigned both Roles 1 and 2 and is not mitigated at the user level.
- User Smith is assigned both Roles 1 and 2 and is mitigated at the user level.
- User Williams is assigned only Role 2 and is not mitigated at the user level.

With this scenario, how does the system respond?

If the setting for Parameter 1033 is YES, SAP Access Control does this:
- User Jones is mitigated for Risk A due to the mitigation applied to Role 1 (role level mitigation).
- User Smith is mitigated for Risk A due to the mitigation applied at the user level (user level mitigation).
- User Williams is not mitigated for Risk A.

If the setting for Parameter 1033 is NO, SAP Access Control does this:
- User Jones is not mitigated for Risk A.
- User Smith is mitigated for Risk A due to the mitigation applied at the user level.
- User Williams is not mitigated for Risk A.
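The precedence rules above (user-level mitigation always wins; role-level mitigation counts only when parameter 1033 is YES) expressed as a small evaluator. This is an added example, not SAP code; the Jones/Smith/Williams scenario is the document's illustration, and the mitigating control IDs are placeholders.

```python
from dataclasses import dataclass


@dataclass
class Scenario:
    """Constructed input shaped like the document's illustration for parameter 1033."""
    risks_by_role: dict       # role -> set of risk IDs the role carries
    role_mitigations: dict    # (role, risk) -> mitigating control ID
    user_mitigations: dict    # (user, risk) -> mitigating control ID
    user_roles: dict          # user -> set of roles assigned to the user


def mitigation_for(scn, user, risk, include_role_mitigation):
    """Return the control that mitigates `risk` for `user`, or None if unmitigated.
    A user-level mitigation always supersedes role or profile mitigation; a
    role-level mitigation counts only when parameter 1033 is YES."""
    if (user, risk) in scn.user_mitigations:
        return scn.user_mitigations[(user, risk)]
    if not include_role_mitigation:
        return None
    for role in sorted(scn.user_roles.get(user, ())):
        carries_risk = risk in scn.risks_by_role.get(role, ())
        if carries_risk and (role, risk) in scn.role_mitigations:
            return scn.role_mitigations[(role, risk)]
    return None


def user_risk_report(scn, param_1033):
    """User-level risk analysis: {user: {risk: control ID or None}}."""
    include = str(param_1033).upper() == "YES"
    report = {}
    for user, roles in scn.user_roles.items():
        risks = set()
        for role in roles:
            risks |= set(scn.risks_by_role.get(role, ()))
        report[user] = {risk: mitigation_for(scn, user, risk, include)
                        for risk in sorted(risks)}
    return report


# The document's illustration; control IDs MC_ROLE1 / MC_SMITH are constructed placeholders.
SCENARIO = Scenario(
    risks_by_role={"Role 1": {"Risk A"}, "Role 2": {"Risk A"}},
    role_mitigations={("Role 1", "Risk A"): "MC_ROLE1"},
    user_mitigations={("Smith", "Risk A"): "MC_SMITH"},
    user_roles={
        "Jones": {"Role 1", "Role 2"},
        "Smith": {"Role 1", "Role 2"},
        "Williams": {"Role 2"},
    },
)

if __name__ == "__main__":
    for setting in ("YES", "NO"):
        print(f"Parameter 1033 = {setting}")
        for user, risks in user_risk_report(SCENARIO, setting).items():
            for risk, control in risks.items():
                state = f"mitigated by {control}" if control else "NOT mitigated"
                print(f"  {user}: {risk} {state}")
```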

Param ID: 1034
Description: Maximum number of objects in a package for parallel processing
Default: 100

The application uses this parameter in conjunction with the Number of Tasks specified in the Customizing activity (IMG) Distribute Jobs for Parallel Processing to determine the distribution of objects that are processed per job.

For example, if there are 10,000 users to analyze and this value is 100, then 100 packages are created, each having 100 users. Each package is submitted to a separate background process, which is available to the application via the application group.

If instead we specify that three background processes are available to GRAC SOD, the 100 packages are submitted one by one to these processes: three packages initially, and then one by one to each process as it completes its package.

Note: The RZ10 parameter rdisp/wp_no_btc overrides this configuration. Therefore, if the RZ10 parameter is set to 2, the application ignores the parameter in this setting and uses the value 2 instead.
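The packaging and dispatch described for parameter 1034, worked through for the document's 10,000-user case. This is an added example, not SAP code: it assumes equal package durations and models the rdisp/wp_no_btc note as a cap on the usable number of background processes (the `plan_batch` and `schedule` helpers are hypothetical).

```python
from math import ceil


def build_packages(object_ids, objects_per_package):
    """Split the objects into packages of at most `objects_per_package` (parameter 1034)."""
    if objects_per_package < 1:
        raise ValueError("parameter 1034 must be a positive integer")
    return [object_ids[i:i + objects_per_package]
            for i in range(0, len(object_ids), objects_per_package)]


def effective_processes(tasks_configured, rdisp_wp_no_btc):
    """Background processes the run can use: the IMG 'Number of Tasks' is
    bounded by the RZ10 profile parameter rdisp/wp_no_btc (assumed reading of
    the document's override note)."""
    return max(1, min(tasks_configured, rdisp_wp_no_btc))


def schedule(packages, processes):
    """Simulate 'submit one package per process, then one by one as each
    finishes'. With equal package durations this is round-robin over the
    process slots; returns {process_index: [package indices]} and the number
    of dispatch rounds needed to drain the queue."""
    assignment = {p: [] for p in range(processes)}
    for idx in range(len(packages)):
        assignment[idx % processes].append(idx)
    rounds = ceil(len(packages) / processes) if packages else 0
    return assignment, rounds


def plan_batch(object_count, param_1034, tasks_configured, rdisp_wp_no_btc):
    """Return (package_count, processes_used, rounds) for one batch run."""
    objects = [f"USER{n:05d}" for n in range(object_count)]  # constructed IDs
    packages = build_packages(objects, param_1034)
    procs = effective_processes(tasks_configured, rdisp_wp_no_btc)
    _, rounds = schedule(packages, procs)
    return len(packages), procs, rounds


if __name__ == "__main__":
    # Document's walkthrough: 10,000 users, 100 per package, 3 background processes.
    print(plan_batch(10_000, 100, 3, 10))   # -> (100, 3, 34)
    # rdisp/wp_no_btc = 2 overrides the three configured tasks.
    print(plan_batch(10_000, 100, 3, 2))    # -> (100, 2, 50)
```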

Param ID: 1035
Description: Send e-mail notification to the monitor of the updated mitigated object
Default: YES

Set the value to YES to send e-mail notifications to the owner of the mitigating control when the mitigated object, such as the user or role, is updated.

Param ID: 1036
Description: Show all objects in Risk Analysis
Default: NO

Set the value to YES to select the Show All Objects checkbox on the Risk Analysis screen by default.

The objects that do not have violations are displayed with the Action: No Violations.

Note: This setting applies to SoD Batch Risk Analysis.

Param ID: 1037
Description: Use SoD Supplementary Table for Analysis
Default: YES

Set the value to YES to use supplementary rules for SoD risk analysis.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

Param ID: 1038
Description: Consider FF Assignments in Risk Analysis
Default: NO

You can use this parameter to select whether to include Firefighter (FF) assignments in risk analysis.

- Select YES to include FF assignments for risk analysis. On the Access Management -> Access Risk Analysis screens, the application displays the Include FFIDs checkbox.
- Select NO to exclude FF assignments from risk analysis. On the Access Management -> Access Risk Analysis screens, the application does not display the Include FFIDs checkbox.

Note: For Access Requests, the application does not allow users to choose whether to include FFIDs for risk analysis. As shown in the graphic below, the Include FFIDs checkbox is not part of the Risk Violation tab on the Access Request screen. If you set the parameter value to YES, the application includes FFIDs in the risk analysis, but it does not display the checkbox on the screen.

[Screenshot omitted]

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1046
Description: Extended objects enabled connector
Default: empty

Extended objects are objects from non-SAP systems. This parameter allows you to specify the connectors for non-SAP systems.

The connectors can have object lengths greater than SAP objects. For example, the SAP User ID length is 12, but the extended object length may be 50.

Note: You can set multiple connectors by adding multiple instances of the parameter.

Param ID: 1048
Description: Business View for Risk Analysis is Enabled
Default: NO (Technical View)

The available values are Yes and No.

If the parameter is set to Yes, the system displays the Business View format on the Risk Violations tab during creation or approval of a request, as shown in the screenshot.

[Screenshot omitted]

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1050
Description: Default Report View for Risk Analysis
Default: Remediation View

There are three types of views for Risk Analysis reports (technical, business and remediation). To change the global default to something other than the Technical View, you can do that through this parameter. This parameter affects the dashboard drill-down for Risk Analysis.

You can change the default view on a case-by-case basis for the ad hoc reports through the User Interface (as shown below).

[Screenshot omitted]

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

1.4 Risk Analysis - Spool

The Risk Analysis - Spool parameters control variables having to do with how Risk Analysis reports are run.

Overview of Risk Analysis – Spool Parameters

Parameter ID | Description | Default Value
1051 | Max number of objects in a file or database record | 200000
1052 | Spool File Location | empty
1053 | Spool Type | D
1054 | Max number of violations supported in Organization Rule Analysis | 500000

Details of Risk Analysis – Spool Parameters

Param ID: 1051
Description: Max number of objects in a file or database record
Default: 200000

You can use this parameter to specify the maximum number of analytics data objects the application stores.

If parameter 1053 is set to F, the value is the maximum number of objects stored in the file.

If parameter 1053 is set to D, the value is the maximum number of objects stored in the REPCONTENT column of the GRACSODREPDATA table.

Note: You can use the GRAC_DELETE_REPORT_SPOOL program to clean up the analytics data from the file system or table.

Prerequisite: You have configured parameters 1052 and 1053.

Param ID: 1052
Description: Spool File Location
Default: empty

You can specify the file location where the application stores the analytics data, such as \\<ip address>\public\SoD\.

Note: This parameter is only valid if parameter 1053 is set to F.

Prerequisite: You have configured parameter 1053.

Param ID: 1053
Description: Spool Type
Default: D

You can use this parameter to set whether the application uses the file system or the database table to store the analytics data for access control, such as ad hoc SoD violations.

Set the value to F to store the data on the file system. (Set the file location in parameter 1052.)

Set the value to D to store the data in the GRACSODREPDATA table.

Note: You see the intermediate results while risk analysis is running. This gives you an opportunity to see if the desired records are created and choose to stop or cancel the job. If you change the location type (such

Param ID: 1054
