Maintaining Configuration Settings In Access Control


Maintaining Configuration Settings in SAP Access Control

Applies to: SAP Access Control 10.1 SP23 and earlier

Summary: This guide contains information about the parameters used when configuring SAP Access Control.

Created: January 2019
Version 2.8
© 2019 SAP AG

Maintaining Configuration Settings in Access Control 10.1

Document History

Version 1.00: Initial release
Version 1.10: Modified parameters 1048, 1049, 1050
Version 1.20: Modified parameter 2013
Version 1.30: Added parameter 5031
Version 1.40: Added parameters 1124, 5026, 5027, 5028, 5032
Version 1.4.1: Added parameters 1014, 1047, 1125, 1073, 2008, 3027, 4016, 4017, 4019, 5022, 5023
Version 1.5.0: Removed parameter 1000; added parameters 1015, 1054, 1302, 2048, 2060, 2061, 2401, 3028, 4018, 5033; updated parameter 1071
Version 1.6.0: Modified parameter 1050; added parameters 1126, 1127, 2020, 4020
Version 1.7.0: Modified parameters 1027, 1038, 1048, 1062, 1063, 1064, 1080, 1081, 1082, 1083, 1084, 1085, 1086, 1087, 1088, 1101, 1102, 1103, 1104, 1105, 1106, 1107, 1108, 1109, 1110, 1111, 1112, 1302, 2009, 2011, 2023, 2038, 2040, 2047, 2048, 2050, 3005, 3019, 4000, 4001, 4002, 4003, 4004, 4005, 4006, 4007, 4008, 4009, 4010, 4012, 5026, 5027, 5028, 5033
Version 1.8.0: Added parameters 1115, 3029, 3040; modified parameter 4020
Version 1.9.0 (SP11, November 2015): Removed parameter 1031; added parameter 1016; added additional information explaining parameter 2047 (no change in the parameter itself)
Version 1.9.1 (December 2015): Reinstated parameter 1031
Version 1.9.2 (January 2016): Added additional information for parameter 1016
Version 2.0 (SP 13, April 2016): Added parameters 2402, 4021; changed default value from NO to empty for parameters 5027 and 5028
Version 2.1 (SP 14, July 2016): Updated content for parameter 1033; updated Batch Risk Analysis and ad hoc data information for parameters 1021, 1023, 1024, 1025, 1026 (also changed default value from empty to 50)
Version 2.2 (SP 15, October 2016): Added parameters 1075, 2062, 6001; modified parameter 4021
Version 2.3 (SP 15, November 2016): Modified information for parameter 6001; removed parameters 1075, 2062
Version 2.4 (SP 16, January 2017): Added parameters 2062, 1075; updated description for parameter 3028
Version 2.5 (SP 17, April 2017): Updated default value for parameters 4003, 4004, 4005, 4006; added parameters 3041, 3042
Version 2.6 (SP18, July 2017): Updated SAP Note information for parameters 1028 and 1029; updated parameter 3042
Version 2.7 (SP18, May 2018): Updated for data privacy
Version 2.8: Added parameter 2063 (SP21); added parameter 4022 (SP21); added parameter 4025 (SP23)

Typographic Conventions

Type Style        Description
Example Text      Words or characters quoted from the screen. These include field names, screen titles, pushbutton labels, menu names, menu paths, and menu options.
Example text      Emphasized words or phrases in body text, graphic titles, and table titles.
Example text      File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text      User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text>    Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT      Keys on the keyboard, for example, F2 or ENTER.

Icons

Icon   Description
       Caution
       Note or Important
       Example
       Recommendation or Tip
       Cross-references to other documentation

Table of Contents

1.    Maintain Configuration Settings ........................... 1
1.1   Change Log ................................................ 2
1.2   Mitigation ................................................ 8
1.3   Risk Analysis ............................................. 13
1.4   Risk Analysis - Spool ..................................... 31
1.5   Workflow .................................................. 33
1.6   Emergency Access Management ............................... 46
1.7   UAR Review ................................................ 58
1.8   Performance ............................................... 62
1.9   Risk Analysis - Access Request ............................ 68
1.10  Role Management ........................................... 71
1.11  Risk Analysis – Risk Terminator ........................... 95
1.12  Access Request Role Selection ............................. 98
1.13  Access Request Default Roles .............................. 113
1.14  Access Request Role Mapping ............................... 119
1.15  SOD Review ................................................ 122
1.16  LDAP ...................................................... 125
1.17  Assignment Expiry ......................................... 126
1.18  Access Request Training Verification ...................... 127
1.19  Authorizations ............................................ 130
1.20  Access Request Business Role .............................. 131
1.21  Management Dashboard Reports .............................. 134
1.22  Access Request Validations ................................ 136
1.23  Simplified Access Request ................................. 145
1.24  Access Control – General Settings ......................... 150
1.25  Access Controls – ILM Configuration ....................... 152
2.    Index by Numerical Value .................................. 153
3.    Copyright ................................................. 156

1. Maintain Configuration Settings

Access Control configuration settings allow you to customize the SAP Access Control application. You access the settings, or parameters, in Customizing (transaction SPRO). The menu path from the SAP Easy Access screen is Tools > Customizing > IMG > Execute Project > SAP Reference IMG > Governance, Risks, and Compliance > Access Control > Maintain Configuration Settings.

To maintain the configuration settings:

1. Choose the New Entries pushbutton and select a parameter group from the dropdown list.
2. In the Parameter ID column, select a parameter ID.
3. Select a Parameter Value from the dropdown list, or, if appropriate, enter a value in the Parameter Value field.
4. Optionally, in the Priority field, enter a number for the priority of the parameter. This is a user-defined field.
5. Choose Save.

January 2019, Page 1 of 165

Parameter Groups

Configuration parameters are organized into Parameter Groups as shown in the table below. Each group corresponds to an area of functionality within SAP Access Control.

Group Number   Group Description
01             Change Log
02             Mitigation
03             Risk Analysis
04             Risk Analysis - Spool
05             Workflow
06             Emergency Access Management
07             UAR Review
08             Performance
09             Risk Analysis - Access Request
10             Role Management
11             Risk Analysis – Risk Terminator
12             Access Request Role Selection
13             Access Request Default Roles
14             Access Request Role Mapping
15             SOD Review
16             LDAP
17             Assignment Expiry
18             Access Request Training Verification
19             Authorizations
20             Access Request Business Role
21             Management Dashboard Reports
22             Access Request Validations
23             Simplified Access Request
24             Access Control – General Settings
25             Access Controls – ILM (Information Lifecycle Management) Configuration

1.1 Change Log

The Change Log parameters control how transaction history is logged and displayed in SAP Access Control.

Overview of Change Log Parameters

Parameter ID   Description                        Default Value
1001           Enable Function Change Log         YES
1002           Enable Risk Change Log             YES
1003           Enable Organization Rule Log       YES
1004           Enable Supplementary Rule Log      YES
1005           Enable Critical Role Log           YES
1006           Enable Critical Profile Log        YES
1007           Enable Rule Set Change Log         YES
1008           Enable Role Change Log             YES
5001           SLG1 Logs for HR Trigger           HIGH

Details of Change Log Parameters

Param ID: 1001
Description: Enable Function Change Log
Default: YES

Set to YES to display the Change History tab on the Function screen.

Param ID: 1002
Description: Enable Risk Change Log
Default: YES

Set to YES to display the Change History tab on the Access Risk screen.

Param ID: 1003
Description: Enable Organization Rule Log
Default: YES

Set to YES to display the Change History tab on the Organization Rules screen.

Param ID: 1004
Description: Enable Supplementary Rule Log
Default: YES

Set to YES to display the Change History tab on the Supplementary Rules screen.

Param ID: 1005
Description: Enable Critical Role Log
Default: YES

Set to YES to display the Change History tab on the Critical Role screen.

Param ID: 1006
Description: Enable Critical Profile Log
Default: YES

Set to YES to display the Change History tab on the Critical Profile screen.

Param ID: 1007
Description: Enable Rule Set Change Log
Default: YES

Set to YES to display the Change History tab on the Rule Sets screen.

Param ID: 1008
Description: Enable Role Change Log
Default: YES

Set to YES to display the Change History link on the Additional Details tab of the Role Maintenance screen.

Param ID: 5001
Description: SLG1 Log Level for HR Triggers
Default: HIGH

The available values are High and Medium. When this parameter is set to High, all the HR Trigger logs are captured under SLG1 whether or not the info types from the HR System satisfy BRF rules. When this parameter is set to Medium, the system only captures those logs that occur after the BRF rules are satisfied.

The screen shot below shows the detailed SLG1 logs that are captured when the parameter is set to High.

1.2 Mitigation

The Mitigation parameters control how risk mitigation works in SAP Access Control.

Overview of Mitigation Parameters

Parameter ID   Description                                                               Default Value
1011           Default expiration time for mitigating control assignments (in days)      365
1012           Consider Rule ID also for mitigation assignment                           NO
1013           Consider System for mitigation assignment                                 NO
1014           Enable separate authorization check for mitigation from access request    NO
1015           Get data for Invalid Mitigation Report from Management Summary table      NO
1016           Specify number of days to exclude from Invalid Mitigation Cleanup         0 (zero)

Details of Mitigation Parameters

Param ID: 1011
Description: Default expiration time for mitigating control assignments (in days)
Default: 365

The default number of days for which you can mitigate any object (selection on service map). You can overwrite this quantity in the Valid To field.

Param ID: 1012
Description: Consider Rule ID also for mitigation assignment
Default: NO

By default, the application includes all rules when it mitigates the access risk.

Setting the value to YES allows you to specify the specific Rule ID to be included when mitigating the risk.

Param ID: 1013
Description: Consider System for mitigation assignment
Default: NO

Setting the value to YES allows you to apply mitigating controls to risks originating from specific systems.

Param ID: 1014
Description: Enable separate authorization check for mitigation from access request
Default: NO

This parameter controls how authorization checks are done during the access request risk mitigation process.

Previously, when risk mitigation was done during request approval, the mitigation was saved directly to the user mitigation tables. If the request was later rejected or cancelled, the mitigation remained in the user mitigation table even though it was then invalid.

By using this parameter, you tell the application to save the mitigation in intermediate tables until the request is fully approved. At that point, the mitigation is transferred to the user mitigation table.

This parameter works in conjunction with an activity (88) that is added to authorization object GRAC_MITC.

Setting the value to YES enables activity 88, and mitigations are saved to an intermediate table until the request is fully approved.

Setting the value to NO saves the mitigations directly to the user mitigation tables, and activity 88 is not checked.

For more information, see SAP Note 1996151.

Param ID: 1015
Description: Get data for Invalid Mitigation Report from Management Summary table
Default: NO

SAP Access Control allows you to run analysis reports for Invalid Mitigating Controls with the option to use Offline Data. The report gets the offline data from the detailed violations table from the last batch risk analysis. The data is very granular (low level) and may take more time and more system resources to get.

This parameter allows you to get the Offline Data from the Management Summary table. As the data is already at a summary level, it takes less time and fewer resources to produce the report.

Set the value to NO to get the data from the detailed violations table.
Set the value to YES to get the data from the Management Summary table.

Param ID: 1016
Description: Specify number of days to exclude from Invalid Mitigation Cleanup
Default: 0

As an AC Administrator, you can use Invalid Mitigation Cleanup to remove mitigation assignments that are no longer valid because the risks no longer exist. For example, the role assignments have been removed or the roles have changed.

Additionally, there may be a scenario where you assign mitigation controls in Role Simulation or User Simulation, which results in invalid mitigation assignments because the roles or the updates do not yet exist in the back-end. The mitigation assignments will show as invalid until the user assignments and role changes have propagated to the back-end system.

If you use Invalid Mitigation Cleanup, it will remove all invalid mitigation assignments, including those in Simulation. To keep your work from being deleted, you can use this parameter to exclude from the cleanup the assignments that have been maintained within the selected number of days. For example, enter 10 to exclude invalid mitigation assignments maintained in the last 10 days.

The calculated date is based on the date of last maintenance of the mitigating control assignments to users and roles. Whether the maintenance is done via a request, manually, or by upload, the calculation is the same.

Note: If you use the upload feature, all items uploaded will have a last maintained date equal to the upload date even if there is no change.
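The following Python model of the parameter 1016 cleanup rule is an added example and is not SAP code; it assumes a simplified assignment record (ID, whether the risk still exists, last maintained date) and treats "maintained in the last N days" as strictly fewer than N days ago, which is a boundary assumption to verify against your own system. It also models the upload note: uploading refreshes the last maintained date of every item, so a stale assignment looks freshly maintained afterwards.

```python
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class MitigationAssignment:
    """One mitigating-control assignment to a user or role (constructed sample)."""
    assignment_id: str
    risk_still_exists: bool   # False: the risk is gone, so the assignment is invalid
    last_maintained: date     # last maintenance date, by request, manually, or upload


def is_protected(assignment: MitigationAssignment, exclude_days: int, today: date) -> bool:
    """True when the assignment was maintained within the last `exclude_days` days.

    Assumption: "in the last N days" means strictly fewer than N days ago, so with
    the default of 0 nothing is protected. Verify the boundary day on your system.
    """
    days_since = (today - assignment.last_maintained).days
    return days_since < exclude_days


def select_for_cleanup(assignments, exclude_days: int, today: date) -> list:
    """Return the IDs that Invalid Mitigation Cleanup would remove.

    Removed = invalid (risk no longer exists) AND not protected by parameter 1016.
    Valid assignments are never touched, whatever their maintenance date.
    """
    return [
        a.assignment_id
        for a in assignments
        if not a.risk_still_exists and not is_protected(a, exclude_days, today)
    ]


def record_upload(assignments, upload_date: date) -> list:
    """Model the documented upload behaviour: every uploaded item gets the upload
    date as its last maintained date, even when nothing about it changed."""
    return [replace(a, last_maintained=upload_date) for a in assignments]


# Constructed sample data; "today" is fixed so the example is reproducible offline.
TODAY = date(2019, 1, 15)
SAMPLE = [
    # created in User Simulation 3 days ago; the roles are not yet in the back end
    MitigationAssignment("SIM-JONES-RISK_A", risk_still_exists=False,
                         last_maintained=date(2019, 1, 12)),
    # genuinely stale: the role was removed 45 days ago
    MitigationAssignment("OLD-SMITH-RISK_B", risk_still_exists=False,
                         last_maintained=date(2018, 12, 1)),
    # still valid and old; must never be cleaned up
    MitigationAssignment("VALID-ROLE1-RISK_A", risk_still_exists=True,
                         last_maintained=date(2018, 6, 1)),
]


def cleanup_demo() -> dict:
    """Run the cleanup selection under the default (0) and a 10-day exclusion."""
    return {
        "exclude_0_days": select_for_cleanup(SAMPLE, 0, TODAY),
        "exclude_10_days": select_for_cleanup(SAMPLE, 10, TODAY),
        # after an upload on TODAY even the stale assignment looks freshly maintained
        "exclude_10_days_after_upload": select_for_cleanup(
            record_upload(SAMPLE, TODAY), 10, TODAY),
    }


if __name__ == "__main__":
    for name, removed in cleanup_demo().items():
        print(f"{name}: removes {removed}")
```

With the default of 0 both invalid assignments are removed, including the simulation work; with 10 only the 45-day-old one goes. The third case shows why the upload note matters: an upload on the cleanup day protects everything for the next 10 days, so schedule uploads and cleanups with that in mind.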

1.3 Risk Analysis

The Risk Analysis parameters control how risk analysis works in SAP Access Control.

Overview of Risk Analysis Parameters

Parameter ID   Description                                                               Default Value
1021           Consider Org Rules for other applications                                 NO
1022           Allow object IDs for this connector to be case sensitive                  (empty)
1023           Default report type for risk analysis                                     2
1024           Default risk level for risk analysis                                      3
1025           Default rule set for risk analysis                                        (empty)
1026           Default user type for risk analysis                                       A
1027           Enable Offline Risk Analysis                                              NO
1028           Include Expired Users                                                     NO
1029           Include Locked Users                                                      NO
1030           Include Mitigated Risks                                                   NO
1031           Ignore Critical Roles and Profiles                                        YES
1032           Include Reference user when doing user analysis                           YES
1033           Include Role/Profile Mitigation in User Risk Analysis                     YES
1034           Max number of objects in a package for parallel processing                100
1035           Send e-mail notification to the monitor of the updated mitigated object   YES
1036           Show all objects in Risk Analysis                                         NO
1037           Use SoD Supplementary Table for Analysis                                  YES
1038           Consider FF Assignments in Risk Analysis                                  NO
1046           Extended objects enabled connector                                        (empty)
1048           Business View for Risk Analysis is Enabled                                NO (Technical View)
1050           Default Report View for Risk Analysis                                     Remediation View

Details of Risk Analysis Parameters

Param ID: 1021
Description: Consider Org Rules for other applications
Default: NO

Setting the value to YES automatically selects the Consider Org Rule checkbox on the Risk Violations tab of the Access Request and Role Maintenance screens.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

Param ID: 1022
Description: Allow object IDs for this connector to be case sensitive
Default: (empty)

On the Risk Analysis screen, you specify the system and the analysis criteria such as User, Risk Level, and so on. This parameter allows you to specify for which systems the information entered is case sensitive.

In the example below, z cup USR001 is case sensitive for system NCACLNT001.

Note: To enter more than one system or connector, enter additional instances of the parameter.

Param ID: 1023
Description: Default report type for risk analysis
Default: 2

The Risk Analysis screen allows you to select several report type options for the risk analysis, such as Access Risk Analysis, Action Level, and Permission Level.

This parameter allows you to choose one or more report types that are selected by default. It works as follows:

- If you do not define a value for parameter 1023 in the IMG, the report type defaults to 2, Permission Level.
- If you define one or more values for parameter 1023 in the IMG, the report type defaults to those values.

Note: In the IMG value cell, press F4 to display the available types, such as Permission Level, and so on. The screenshot below shows the report being run with a default value of 2, Permission Level.

Note: This setting does not affect the Risk Analysis Type fields on the Batch Risk Analysis screens; you must set these separately.

Param ID: 1024
Description: Default risk level for risk analysis
Default: 2

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

This parameter allows you to choose the Risk Level that is selected by default.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1025
Description: Default rule set for risk analysis
Default: (empty)

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

This parameter allows you to choose the Rule Set that is selected by default.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1026
Description: Default user type for risk analysis
Default: A

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

This parameter allows you to choose the User Type that is selected by default.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1027
Description: Enable Offline Risk Analysis
Default: NO

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

The parameter value is set to NO to exclude Offline Data in risk analysis by default. On the Risk Analysis screen, the Offline Data checkbox is empty by default.

Note: If parameter 2023 is set to YES, then this parameter must also be set to YES.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1028
Description: Include Expired Users
Default: NO

Set to YES to include expired users from plug-in systems for risk analysis.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

SAP Note: 2178532 – Risk analysis not considering locked and expired users.

Param ID: 1029
Description: Include Locked Users
Default: NO

Set to YES to include locked users from plug-in systems for risk analysis.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

SAP Note: 2178532 – Risk analysis not considering locked and expired users.

Param ID: 1030
Description: Include Mitigated Risks
Default: NO

The Risk Analysis screen allows you to select several options for the risk analysis, such as analysis criteria, report options, and additional criteria.

Set the parameter value to YES to include Mitigated Risks in the risk analysis by default. The application displays the SoD violations, the mitigated risks, and the mitigating control assigned to each. On the Risk Analysis screen, the Include Mitigated Risks checkbox is automatically selected.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.

Param ID: 1031
Description: Ignore Critical Roles and Profiles
Default: YES

Set the value to YES to exclude critical roles and profiles from risk analysis.

Note: In Batch Risk Analysis, if this parameter is set to YES, the roles and profiles that are in the Critical Roles and Profiles tables are added to the entries specified in the IMG activity Maintain Exclude Objects for Batch Risk Analysis.


Param ID: 1032
Description: Include Reference user when doing user analysis
Default: YES

Set the value to YES to include referenced users when performing SoD risk analysis for users. This is also valid for Batch Risk Analysis.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

Param ID: 1033
Description: Include Role/Profile Mitigation in User Risk Analysis
Default: YES

Set the value to YES to include mitigating controls assigned to roles and profiles when performing user risk analysis. This setting affects both ad hoc user-level analysis and data calculated during batch risk analysis.

Background

If Role 1 is mitigated for Risk A, then all users assigned to Role 1 are mitigated for Risk A.

If User Jones is mitigated for Risk A, the user-level mitigation supersedes any role or profile level mitigation.

Practical use: if businesses do not mitigate risks at the user level, they can use role or profile mitigation as a blanket mitigation technique.

Illustration

- Role 1 and Role 2 both contain Risk A.
- Role 1 is mitigated for Risk A.
- User Jones is assigned both Roles 1 and 2 and is not mitigated at the user level.
- User Smith is assigned both Roles 1 and 2 and is mitigated at the user level.
- User Williams is assigned only Role 2 and is not mitigated at the user level.

With this scenario, how does the system respond?

If the setting for Parameter 1033 is YES, SAP Access Control does this:
- User Jones is mitigated for Risk A due to the mitigation applied to Role 1 (role level mitigation).
- User Smith is mitigated for Risk A due to the mitigation applied at the user level (user level mitigation).
- User Williams is not mitigated for Risk A.

If the setting for Parameter 1033 is NO, SAP Access Control does this:
- User Jones is not mitigated for Risk A.
- User Smith is mitigated for Risk A due to the mitigation applied at the user level.
- User Williams is not mitigated for Risk A.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

SAP Note: 1732781 - Risks appear for the Roles/Users whose Mitigation has already done
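The precedence rules in the illustration above, reproduced as an added Python example (not SAP code, and not how the application itself is implemented): the role, user and mitigation data are constructed to match the Jones/Smith/Williams scenario, and `risk_status` applies the two rules the text states, user-level mitigation always wins, and role-level mitigation counts only when parameter 1033 is YES. Per the illustration, one mitigated role carrying the risk is enough even when another assigned role carries the same risk unmitigated; that is the document's outcome, not an assumption of mine.

```python
from typing import Dict, Set

# Constructed data reproducing the document's illustration for parameter 1033.
ROLE_RISKS: Dict[str, Set[str]] = {"ROLE1": {"RISK_A"}, "ROLE2": {"RISK_A"}}
ROLE_MITIGATIONS: Dict[str, Set[str]] = {"ROLE1": {"RISK_A"}}   # Role 1 mitigated for Risk A
USER_ROLES: Dict[str, Set[str]] = {
    "JONES": {"ROLE1", "ROLE2"},
    "SMITH": {"ROLE1", "ROLE2"},
    "WILLIAMS": {"ROLE2"},
}
USER_MITIGATIONS: Dict[str, Set[str]] = {"SMITH": {"RISK_A"}}   # Smith mitigated at user level


def risk_status(user: str, risk: str, param_1033: str,
                user_roles=USER_ROLES, role_risks=ROLE_RISKS,
                role_mitigations=ROLE_MITIGATIONS,
                user_mitigations=USER_MITIGATIONS) -> str:
    """Return 'NO_VIOLATION', 'MITIGATED' or 'VIOLATION' for one user and one risk.

    Precedence as the document describes it:
      1. a user-level mitigation always wins;
      2. with parameter 1033 = YES, a mitigation on any assigned role that carries
         the risk also counts (so Jones is mitigated although Role 2 also carries
         Risk A and is not mitigated);
      3. with parameter 1033 = NO, role/profile mitigations are ignored.
    """
    roles = user_roles.get(user, set())
    roles_with_risk = {r for r in roles if risk in role_risks.get(r, set())}
    if not roles_with_risk:
        return "NO_VIOLATION"            # the user does not have the risk at all
    if risk in user_mitigations.get(user, set()):
        return "MITIGATED"               # rule 1: user-level mitigation supersedes
    if param_1033.upper() == "YES" and any(
            risk in role_mitigations.get(r, set()) for r in roles_with_risk):
        return "MITIGATED"               # rule 2: role-level mitigation counted
    return "VIOLATION"                   # rule 3 or no mitigation anywhere


def run_illustration(param_1033: str) -> Dict[str, str]:
    """Evaluate Risk A for every user in the scenario under one parameter setting."""
    return {u: risk_status(u, "RISK_A", param_1033) for u in sorted(USER_ROLES)}


if __name__ == "__main__":
    for setting in ("YES", "NO"):
        print(f"parameter 1033 = {setting}: {run_illustration(setting)}")
```

Running it reproduces the document's table: with YES, Jones and Smith are mitigated and Williams is not; with NO, only Smith (user-level) remains mitigated. The practical consequence for a reviewer is that switching 1033 from YES to NO can surface role-mitigated users as new violations in the next batch run without any change to the roles or rule set.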

Param ID: 1034
Description: Maximum number of objects in a package for parallel processing
Default: 100

The application uses this parameter in conjunction with the Number of Tasks specified in the Customizing activity (IMG) Distribute Jobs for Parallel Processing to determine the distribution of objects that are processed per job.

For example, if there are 10,000 users to analyze and this value is 100, then 100 packages are created, each having 100 users. Each package is submitted to a separate background process, which is available to the application via the application group.

If instead we specify that three background processes are available to GRAC SOD, the 100 packages are submitted one by one to these processes: three packages initially, and then one at a time to each process as it completes its package.

Note: The RZ10 parameter rdisp/wp_no_btc overrides this configuration. Therefore, if the RZ10 parameter is set to 2, the application ignores the parameter in this setting and uses the value 2 instead.
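The packaging arithmetic above, as an added Python model that is not SAP code: `build_packages` splits the objects into packages of at most the parameter 1034 size, `effective_parallel_tasks` applies the rdisp/wp_no_btc note (assumed here to act as a ceiling on the configured Number of Tasks), and `dispatch` simulates handing packages one by one to whichever background process frees up first. Package runtimes are constructed (equal by default), so the dispatch reduces to round-robin; the user IDs are constructed as well.

```python
import heapq
from typing import Callable, Dict, List, Sequence


def build_packages(object_ids: Sequence[str], max_per_package: int) -> List[List[str]]:
    """Split the objects to analyse into packages of at most max_per_package (parameter 1034)."""
    if max_per_package < 1:
        raise ValueError("parameter 1034 must be at least 1")
    return [list(object_ids[i:i + max_per_package])
            for i in range(0, len(object_ids), max_per_package)]


def effective_parallel_tasks(number_of_tasks: int, rdisp_wp_no_btc: int) -> int:
    """Background processes actually used for the run.

    Assumption modelling the note on rdisp/wp_no_btc: the profile parameter is a
    ceiling, so when it is lower than the configured Number of Tasks it wins.
    """
    return max(1, min(number_of_tasks, rdisp_wp_no_btc))


def dispatch(packages: List[List[str]], tasks: int,
             runtime_of: Callable[[List[str]], int] = lambda pkg: 1) -> Dict[int, List[int]]:
    """Submit packages one by one to the process that frees up first.

    runtime_of returns a constructed duration per package; with equal durations
    this is plain round-robin. Returns the package indices handled by each process.
    """
    free_at = [(0, p) for p in range(tasks)]      # (time the process is free, process no.)
    heapq.heapify(free_at)
    plan: Dict[int, List[int]] = {p: [] for p in range(tasks)}
    for idx, pkg in enumerate(packages):
        t, p = heapq.heappop(free_at)
        plan[p].append(idx)
        heapq.heappush(free_at, (t + runtime_of(pkg), p))
    return plan


def packaging_demo(num_users: int = 10_000, param_1034: int = 100,
                   number_of_tasks: int = 3, rdisp_wp_no_btc: int = 3) -> dict:
    """Reproduce the document's 10,000-user example and report the distribution."""
    users = [f"USER{n:05d}" for n in range(num_users)]   # constructed user IDs
    packages = build_packages(users, param_1034)
    tasks = effective_parallel_tasks(number_of_tasks, rdisp_wp_no_btc)
    plan = dispatch(packages, tasks)
    return {
        "packages": len(packages),
        "last_package_size": len(packages[-1]),
        "tasks_used": tasks,
        "packages_per_process": [len(plan[p]) for p in range(tasks)],
    }


if __name__ == "__main__":
    print(packaging_demo())
    print(packaging_demo(num_users=10_050, rdisp_wp_no_btc=2))
```

The default call gives 100 packages of 100 users spread 34/33/33 over three processes, as the text describes. The second call shows the two things a sizing review should check: a remainder package (10,050 users leaves a 51st package of 50 users) and the rdisp/wp_no_btc ceiling, which silently drops the run from three processes to two.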

Param ID: 1035
Description: Send e-mail notification to the monitor of the updated mitigated object
Default: YES

Set the value to YES to send e-mail notifications to the owner of the mitigating control when the mitigated object, such as the user or role, is updated.

Param ID: 1036
Description: Show all objects in Risk Analysis
Default: NO

Set the value to YES to select the Show All Objects checkbox on the Risk Analysis screen by default.

The objects that do not have violations are displayed with the Action: No Violations.

Note: This setting applies to SoD Batch Risk Analysis.

Param ID: 1037
Description: Use SoD Supplementary Table for Analysis
Default: YES

Set the value to YES to use supplementary rules for SoD risk analysis.

Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

Param ID: 1038
Description: Consider FF Assignments in Risk Analysis
Default: NO

You can use this parameter to select whether or not to include Firefighter (FF) assignments in risk analysis.

- Select YES to include FF assignments in risk analysis. On the Access Management > Access Risk Analysis screens, the application displays the Include FFIDs checkbox.
- Select NO to exclude FF assignments from risk analysis. On the Access Management > Access Risk Analysis screens, the application does not display the Include FFIDs checkbox.

(cont.)

Param ID: 1038 (continued)

Note: For Access Requests, the application does not allow users to choose whether to include FFIDs for risk analysis. As shown in the graphic below, the Include FFIDs checkbox is not part of the Risk Violation tab on the Access Request screen. If you set the parameter value to YES, the application includes FFIDs in the risk analysis, but it does not display the checkbox on the screen.

Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc data screens.


Param ID: 1046
Description: Extended objects enabled connector
Default: (empty)

Extended objects are objects from non-SAP systems. This parameter allows you to specify the connectors for non-SAP systems.

The connectors can have object lengths greater than SAP objects. For example, the SAP User ID length is 12, but the extended object length may be 50.

Note: You can set multiple connectors by adding multiple instances of the parameter.

Param ID: 1048
Description: Business View for Risk Analysis is Enabled
Default: NO (Technical View)

The available
