Hello everyone.
Welcome to next session of SAP GRC Access Control Training.
In this particular session we are going to discuss about shared SAP GRC configuration.
Mainly in this section we will be discussing about configuring the integration framework.
Meaning we will see how you can configure the SAP GRC system to integrate with an external ERP or
any
SML SAP system.
Here what we can see is the IMG structure.
IMG means the SPRO structure.
You may know SPRO is the transaction code to do the configuration in our SAP system.
This is the IMG structure of SAP GRC in SAP GRC tool.
The IMG is organized in such a way that it is very easy to understand.
If you see the first section, which is basically for general common customizing these customizing are
applicable for all three modules.
Access control, process control and risk management.
Basically this is shared configuration.
Here we have a general setting which is applicable to all modules.
And we have shared master data setting reporting common component setting.
So we have four different settings here.
Then we have access control customizing which is specific to access control.
Only.
Then we have process control customizing which specific to process control.
Then we have risk management.
Customizing which is for risk management module.
This is the way the IMG configuration, that is the SPRO configuration, is organized
in our SAP GRC system.
We will see more detail of each and every configuration when we are configuring the system.
The first configuration we should be doing in any SAP GRC system is to activate SAP GRC applications.
Basically, we can activate what module or what application this specific SAP GRC is used, for example
access control, process control and risk management.
These are all the three modules which we can activate in your SAP GRC application.
Please remember each of these module is subject to the license which you have obtained.
Okay.
So in our scenario we will be activating all of this.
Actually I already activated just because in our previous session we have used the NWBC.
Without the activation it is not possible to show you the NWBC how it works.
As you know, this is a fresh system, so I have to activate this.
We have already done this, so keep in mind you have to activate the application based on the
licensing
which you have obtained from SAP.
Because each of these modules has different type of licensing from SAP.
Okay.
The access control basically, you know, the licensing is provided for all users in your landscape
and the process control and risk management.
You need it for limited users.
You don't need it for all users because risk management, if you see it, will be used in very minimal
people.
And the process control also will be used maybe more than risk management because most of the IT
governance
also will be included in process control.
The risk management is specific to the risk management team.
Let's say if you have a risk management department then only they will be using it and some IT
governance
in the higher level to see the dashboard and so on.
So you have to enable the application which is licensed for, okay.
You have to be a little careful there.
So the configuration in SAP GRC, the first configuration what you will be doing is the activation of
the client.
And also remember uh in the NWBC if you activate only access control, then you will be able to see
only
the access control specific functionality in NWBC.
If you enable process and risk management then you will have more functionality in NWBC.
Since I wanted to show you what is the whole NWBC, then I have activated all.
Okay, in your scenario, if you already have a GRC system which have activated only access control,
then you will be able to see only the functions, which is for access control.
Okay, that keep in mind.
So it's not really complicated.
You can activate all uh, let's say for development system, I don't think it should be a problem,
but in the productive environment this will be a problem because you may have a licensing implication.
In general, you please enable what is required in all the landscape.
Then it will be consistent because all this configuration is again transportable.
Right.
So you will enable only the specific one within your development system.
Then you will create a customizing TR and it will transport it.
So let us go to the system and see how we can enable the application.
So before we get into the system, let us have a quick overview about the system which we are using,
because this is very important to understand what kind of system which we are using.
As I said, this is fresh SAP system.
We have a system GRP with a client 350.
And this is IP address 192.168.1.13.
This is the IP address of the system and the host name is PRDGRC. The instance number is 44.
And the connecting system we have another system which is EH8.
This EC EH8 system, it's an IDES system.
So we have a client standard client of IDES system it's 800.
And this is also hosted in the same host.
So the box is same but a different SAP system.
Now don't get confused.
It's a different SAP system because you can see the instance number is three nine okay.
So this two different system hosted in the same box okay.
The system is delivered with the user admin.
This is the user which was created uh, by the time of installing the system to check whether
everything
is working fine or not.
Now for our GRC purpose, we will create one user name GRAC_ALL with the password like
this.
And uh we will use this user for all our customizing.
Okay, so it is recommended not to use any standard SAP users like SAP* or DDIC.
So SAP* and DDIC is the user normally you get when you are installing any SAP system.
Basically this will be used by the basis admin.
They will create a user for you and create one user which is a generic user for your configuration or
it's not necessary, it should be a generic user.
You can also use different user.
Your own user.
It's not a problem for our training purpose.
I use this user for all our configuration so that you know, we will be creating so many users on the
way so we can identify which user is used for what.
Okay, so let's login to both of these systems and create a user.
GRAC_ALL.
Normally I use this as a standard password.
And so that you know we remember which user we are using.
We are in the GRP system.
The host name is PRDGRC.
I will log in with the user admin.
Okay, I logged in the admin user.
This was the user which we used when we are demoing the NWBC.
So let us go to SU01.
I will create a user GRAC_ALL.
Let us create a.
GRC configuration user.
So I will put a initial password in it.
welcome1234.
Then we need to assign the roles.
Okay.
The roles which we required.
Basically, we have multiple roles in GRAC.
We will come to the role details in the coming sessions.
So for time being I will assign all the GRAC roles to this user.
I will search with SAP_GRAC*.
All the GRC access controls.
Start with SAP_GRAC.
Then the role name.
So I will search all.
So let me select all of this.
We will go to detail in the later stages.
Like when we go to the specific sessions.
Then we will discuss about the roles.
And we will also create users accordingly.
So for time being I will assign everything.
Then we will simply save this.
Okay, let me go back.
Let me log in to the system using the GRAC user.
GRAC_ALL and put the initial password in it.
welcome1234.
What was created before?
Then I say welcome.
One.
Two.
Three.
Okay, so this is the user which we will be using.
So in the same time let us also create a user in the second system that is the EHP8 system.
That is EH8 so that we have consistency over the users.
Here also we will log in.
If you can see here this is a client 800.
The GRC system which we logged in is 350.
And you can also see this is a ECC 6.0 system with EHP8.
Let me log in with admin user.
I will create.
One user.
You have to see a C.
Configuration user here.
I will say
I'll use the same password.
Then here, what I will do, I'll simply assign SAP_ALL and SAP_NEW.
Okay, as you know, this is not the best practice.
Uh, yeah.
We discussed about this topic quite a lot in our, uh, security training.
So?
So simply, I assign SAP_ALL and SAP_NEW.
So we created the user.
Let me log in to the system using this user and put our password.
Here.
AC_ALL.
Then put the password.
Welcome 123.
So this will be the standard password I will be using.
As you know that's not a best practice again, so you should have a proper password policy.
For this is also working fine.
Okay.
Let's go back to the GRC system.
So this is our GRP system.
The client is 350.
You can see here in the corner client is 350.
GRP system client is 350.
Let's go to SPRO.
This is a transaction code for customizing.
Then you go to SAP Reference IMG.
Here you can see all the configuration detail.
Then we go to governance risk and compliance.
You can see all the sub configurations inside the GRC.
Then we go to general setting.
Here you can see activate application in client.
Probably you know already you can see the first one.
This is basically the IMG documentation.
If you select this then it will give you the detail of the specific IMG activity.
We will be going through many of the IMG activities.
Please remember that it is not necessary that you will remember the steps of each IMG activity.
We need to understand this specific task can be done in GRC or not.
That is our job.
Finding out the menu where to configure is not really a big problem, so it is not necessary.
You need to remember the steps of each and every configuration.
Okay.
So we have this course.
And you can also take notes.
And you can go back to your notes when you are doing the actual configuration.
So execute this.
Activate application client.
Simply select this IMG activity.
Then you can see here I have already activated all the three components.
Basically what we will do is we will simply say new and select the component and say activate and
save.
Once you save, it will ask you to create the TR, then you can transport it to quality and production
accordingly.
In our case, I already activated, as I said, and apart from this there is no configuration done.
This is a fresh system, so we need to do all the configuration during the course and during the
course.
When we are doing configuration, we may find issues and we will also fix the issues if anything
comes
out.
I hope there is no major issues in the systems.
And this is a test system.
It's a demo system which have a temporary license.
Okay.
Let's go back to our presentation.
So the next topic is creating connections.
Creating RFC connections between SAP Client Server and External data source.
Basically, you maintain all the connection details or the RFC parameters in the RFC connections.
We will be using the RFC type 3 ABAP connection. There are many other connection types.
We will also see that in the system.
Uh, the RFC type 3 is ABAP connection that is directly connecting to an ABAP SAP system.
And here RFC name should be the same name as logical system.
Okay.
This is quite important.
We need to make sure the RFC names which we are using is the same name as your logical system.
Now you may ask what is logical system?
If you remember in our security training we have used logical system for ALE transfer.
Similarly, in GRC also we should use the logical name.
Now you may ask why we cannot use another names.
It is also possible.
Yeah, technically it is possible.
However, SAP recommends that to use the logical name because it will be easy for your ALE processing
and so on.
Okay, that's a recommendation.
Let's go to our system and create an RFC destination for that first.
Let us see how to set up this logical system.
Now we are in our GRP system.
First what we need to do is we need to create the logical system for this.
We need to go to the transaction code SALE.
I will go to SALE.
Then you go to basic setting.
Then you go to logical system.
Define logical system.
Okay this is a cross client customizing.
So I created this client that is a GRC CLIENT 350.
Okay.
And let's see.
So once you create this, then it will ask you to create a TR.
Let's see.
Create a new TR here a c.
Configuration TR.
Okay.
Okay.
Once you created the logical system then you go to the SCC4.
SCC4 is the transaction code to maintain the client.
You can see here we have multiple clients.
So this is the client which you will be using 350.
And we need to assign the logical system here.
Logical system which we have created in SALE.
And it's available here.
This is the system name which you will be using logical system name.
I will also copy this.
Okay, so we need to assign the logical system to the client.
System name GRP.
We will use the same name for the RFC as well.
Then we go to the IDES system, that is the satellite system.
This is our satellite system.
We have logged in to EHP8 client 800 and we logged in with the user GRAC_ALL.
Here also, let's have a look how the logical system setup is done here.
Because this is an IDES system.
You know there are a lot of changes will be done by uh SAP.
So we are not sure how the logical systems are working here.
Here it says EHP8, but the logical system name it says is ZD0 okay.
So the IDES systems are mostly you know it's like that.
But if it's a fresh system you will not find anything and this will be blank okay.
In general, let's say you do not create a, uh, logical system or you did not create a client and
assigned it.
Okay.
So let's go back.
Let's create a logical system with the proper name. SALE.
Go to basic setting.
Go to logical system.
Define logical system.
So here you find quite a lot because, as I said, this is an IDES system. You will always find a lot of
information in the IDES
systems because it's pre-configured, right.
So let me create a logical system EHP8 CLIENT 800 EHP8 client 800 okay.
This is our logical system.
Let's see your AC configuration.
Here
Okay.
Then we go and assign the logical system name in the client.
SCC4.
Let's go to our client which we will be using.
And I will assign the logical system which we have created.
EHP8 client 800.
This is the one which we have created.
Let's assign this.
Okay.
And now we have created the logical system name.
Basically assign the logical system name.
This is generally done by basis.
Or you can also do this.
Most of the time this client maintenance is done by basis.
So I just included this in the course so that you are aware of what is the technical configuration are
done in the GRC system.
Let me also keep a record of the logical system.
EH8.
The logical system name is this one.
Okay.
Now we need to create a RFC connection between these two systems EHP eight and GRP.
Okay.
For that we need to have communication user between these two systems okay.
And you may be already aware of the SAP RFCs from our prerequisites course of NetWeaver
Fundamentals.
So we will not go too much detail in how the communication works and in detail, we simply create a
RFC
between these two users.
So for that first what we need is RFC user.
We need a communication user.
So for that let's say we will have user name RFC_GRCAC.
And we will use the password as.
Okay.
So we will create users in both the system.
The user type is.
Communication user okay.
Let's go to both the.
Systems.
So now we are in the EHP8 system client 800.
let's go to SU01.
Let's create.
RFC user for GRC.
Here.
User type should be communication.
Then I will put the password which we have selected welcome 123.
Then let me assign the roles.
Instead I will assign the profile itself.
We will not go into the security details now.
SAP ALL and SAP new.
Okay this is one user.
Similarly let's create a user in the GRC system.
So we are in the GRP system SU01.
Let's create a user.
RFC_GRCAC.
Create.
GRC.
AC.
Communication.
User.
I would say communication data.
Let me put the password.
Okay.
Here the role which we need.
GRC.
SAP_GRCAC*.
We need this one.
GRC admin for AC.
So this have all the authorization which is required for this.
Basically this particular role.
GRCAC all it's a super admin access.
This is the one which we have assigned to our own user.
This have all the authorization which is required for your GRC system.
Okay.
It's kind of a SAP_ALL for GRC.
So we assign this role.
Now let us save this user.
So now we created communication user in both the systems from the GRC system as well as the
NetWeaver
ECC system.
So it is not necessary NetWeaver ECC system.
You can also have S4 Hana.
Generally most of the customer may be using S4 Hana system, but the procedure is almost same.
You know S4 Hana also use NetWeaver your platform.
You can use the same method to create an S4 Hana, so don't confuse with that.
Since we have restriction to host S4 Hana in our test environment.
Because you need a very big system, we are using the ECC system for our training purpose.
Now let us create the RFC connection.
To create the RFC connection we go to transaction code SM59.
Here you can see the RFC connections.
These are all the default connections which were created during the installation of your SAP system.
So we will be using the ABAP connection type 3, okay. Here, let us say if you want to display, you can
select the RFC connection and say display, change and create.
So let's create the connection.
So the connection first what we are going to create is to connect your satellite system.
That is the EH8 system.
So for that we will create RFC destination.
Same like the logical system okay.
The logical system is EH8CLNT 800, okay.
The connection type is ABAP.
You can see different connection type okay.
ABAP is the one which will be used for SAP to SAP.
Then you can also see HTTP connection to connect to your portal systems and so on.
This is R two.
This is not used anymore.
So older systems and you have TCP IP connections and so on.
Okay.
Here we are using only ABAP connection.
We need to provide a description.
Let's say GRP to EH8.
So this connection is GRP to EH8.
Here we need to provide the host name and the instance number.
So in our case the host name is same.
As I said.
Don't get confused.
Both of the systems are hosted in the same host name.
So same box but a different instance number.
So the host name is, uh, PRDGRC.
That is our host name.
And you can see this already took the full name.
This is called FQDN fully qualified name for your SAP system.
And it also picked up the IP address.
And then the instance number for this uh EH8 system is 3939.
Then you go to log on security.
Here we need to provide the.
Log on details.
The client is 800 user which we have created is RFC_GRC is okay.
And let me provide the password.
Okay.
Now I will save this.
Once you saved you go to utility and see connection test.
This will show only the connection test.
So make sure that authorization is working.
Go to utility test.
Authorization test.
So this confirms that RFC connection is working from the GRP to the EH8 system.
Okay.
Now we need to create a connection back.
Okay.
We did a small mistake here.
We did instead of C there is a spelling mistake D.
So let me correct that.
Okay I corrected the name correction means we cannot change the names.
Basically, we need to delete and recreate the RFCs.
I have done that.
Okay.
We can also have a test again.
Okay.
So let's go to EH8 system.
Now we are in EH8 system.
Let's go to the transaction SM59.
Here if you see you will find a lot of RFC connection because this is an older system.
Let's go to create.
And the RFC name is
GRPCLNT350.
That is our logical system name GRPCLNT350.
The connection type is three.
Let me provide a description.
This is from EH8 to GR.
Now let me provide the host name.
PRDGRC.
Okay.
It picked up the fully qualified name as well as the IP address.
The instance number for the system is 44.
Then go to log on.
Security.
Here the client is 350 and the user id is RFC_GRCAC.
And let me put the password.
Welcome 123.
And save.
Okay this is GRPCLNT350.
Go to utilities test connection test. Connection test is okay.
Go to utilities test.
Authorization test.
Authorization test also okay.
So that means we have successfully created the RFC connection between these two systems.
So let's go back.
So let's go back to our presentation.
The next step of our configuration is maintain connection and connection type.
Here.
First we need to maintain the connection type definition what kind of connection it is.
So in our case it's an SAP system connection.
In general there are default connection type which is delivered by SAP.
If it is required to create a new connection type we can also create.
But in general we have almost everything here.
Now you can also see SAP and S4 Hana and so on okay.
And then we will define the connection.
What is the connection?
It is.
Then we will see what is subsequent connector.
Then we will define the connector group.
Then we need to assign the connector group to group type.
Then we will assign the connector to connector group.
We will see that in the system.
Then it will be clear to you.
So we are in our GRP system.
Let us go to SPRO.
What we will do.
We will add the transaction in our favorites.
SPRO.
Will also enable.
Okay.
So SPRO.
Then we go to SAP Reference IMG.
Then you go to Governance, Risk and Compliance. Then here we need to go to common component
setting.
Okay.
Then you go to Integration framework.
As we said we are configuring the integration framework for SAP GRC which is applicable for access
process
as well as risk management.
Okay.
Maintain connectors and connection type.
Select this.
Here we can see connection type definition.
These are all the connection type which is delivered by SAP.
That means this configuration already present okay.
So we don't need to create it again.
If you want to create a new connection type then we can say new entry.
Then you can create.
It's kind of a container.
It does not have any other implication.
Basically when you go to the next type then you know what is the link between these different
components.
Here we have SAP so we will be using SAP.
You select this then you go to define connector.
Okay.
Here we need to create a entry here for the connector which we have created.
We created the RFC connection to different system.
Here we say new entry the target connector.
Okay.
The target connector is EH8CLNT 800.
Select this.
Then you will be able to see the EH8CLNT 800.
This is the one which we have created.
Select this.
Then we need to select the connection type.
The connection type is SAP.
Okay.
Select this and you can see different connection type.
Our connection is SAP and the source connection.
From where we are going to connect.
Okay.
This is quite important also.
The source connection is GRPCLNT350.
GRPCLNT350.
This is the source connector okay.
Then the logical port.
Okay.
The logical port is EH8CLNT 800.
This was the logical port of this particular EH8 system.
Okay.
Now you have understood the difference between the logical port and the target connection.
The logical port is the logical port which we have created in the SALE. Okay, then here, maximum
number
of background job.
Okay, so whenever you are transferring any data from one system or this system to another system,
how many background jobs it can run, let's say how many background work process it can occupy.
So we say three because in that system we have three different, uh, background work process.
In general, in our training system, we are not going to have that much load.
So it's not going to occupy all three of this.
So simply put it three.
If you want to increase it, you can also increase it.
But most of the cases the three is more than enough.
Then we need to go to uh subsequent connector.
In subsequent connector, we won't define anything.
Let's go here.
Select this
Select this and go to subsequent connector.
You can create a subsequent connector.
Okay.
That means you can have one more system, subsequent system connected to this system.
Okay.
That is possible.
We don't create any subsequent connector here because we have only one system.
Okay.
This is the connector.
Then you go to define connector group.
Okay.
In define connector group we need to create a connector group.
Okay.
Let's create a new connector group.
I will name it as SAP.
R3.
LG let's say 3_LG.
That is a logical group.
Okay LG then the connector group text.
That is, it's an SAP R3 system.
It's a.
Free text or three system.
Then we need to define what type of connector it is.
It is an SAP system.
Again we will define here as SAP system.
Okay.
Then we will select this and go to Assign connector group to group type.
Select this okay.
And let's create an entry.
Here we need to select.
This is a logical group.
Okay.
It's a logical group.
And we also have different group.
This is for automated monitoring framework.
Then cross system group.
Let's say if you have cross system uh SOD applications.
Let's say you wanted to run for cross system.
Then you can select this as cross system group.
So in our case it's a simple system.
So we will say logical group.
Then you go to assign connector to connector group.
Go here create new entry.
The target connector is not displaying here.
Let me save this.
Okay I will create a TR GRAC.
Configuration.
Configuration TR.
Okay.
Now the data is saved.
Now if you select it here now you can see the target connector.
That means basically we configured here the target connector.
So if this needs to be available here then we need to save the data here.
That's the reason we did not get in the beginning stage.
So I saved it.
That means saved it in the TR.
Then this is available.
Then we need to select the connector type.
Okay.
Connector type is SAP.
Okay.
There is no selection button here but you can type in manually.
Okay.
Then save the changes.
Okay.
Now the changes are saved in the TR.
This is how we can maintain the connectors and connection type.
Let's go back to our presentation.
The next configuration which we are going to see is integration scenario.
In integration scenario we are going to map the central connector which we have created to different
applications.
Integration scenario.
For access control we have authorization, role management provisioning and superuser management
okay.
This is a next configuration which is to maintain connection setting.
Let us go to the system and see how to maintain it.
We are in our GRP system.
Let's go to SPRO and go to SAP Reference IMG, Governance, Risk and Compliance.
Here we go to Common Component and go to Integration Framework.
And next one is maintain connection setting.
Select this here it will ask you to select the integration scenario.
If you select here these are all the integration scenario which we are going to configure authorization
provisioning role management and superuser privilege management.
So first select authorization.
So here is the scenario definition.
This is authorization management.
Select the scenario.
Then you go to scenario connection link.
This is already configured.
We don't need to do anything here.
Then you go to scenario connector link.
Here we need to define the target connector okay.
Let's say new entry.
Target connector.
This is our connector EH8CLNT 800.
Then say enter.
And the connection type is retrieved automatically from our previous configuration.
Okay then save the changes.
We will use the existing TR for our configuration to be saved.
Okay, then go back again.
Select again.
Then the next one is provisioning.
Select.
Select.
Provisioning.
These are all the links.
Go to the connector link.
Create new entry.
The target connector.
Save.
Please remember it is not necessary which should be one connector.
You can create multiple connector if you want to connect multiple system.
All the configuration which we are doing you can create multiple connectors.
Okay this is our training system.
We have only one system for this training. That's the reason we are connecting only one system.
If you have multiple system, then you can create multiple connectors in all these configuration.
Okay.
Let me save it.
Provisioning is done.
Go back.
Maintain again.
Then go to role management.
Select the role management.
Go to connector link.
Create new entry.
Select the connector.
Just press enter.
Then save.
Okay.
Let me go back again.
The last one is superuser privilege management.
Select Supm. Move to connector link.
New entry.
Select the connector.
Press enter and save.
Save it in the same TR.
It is not necessary.
You need to save everything in the same TR.
You can also group it.
Actually, that will be the best way because your configuration may be quite big if you save everything
in the same TR.
Depending on you how you want to do it, you can also save it in the same TR.
Technically it should not make any problems okay.
That configuration also done.
So we have done all the different integration scenario configuration.
Okay.
Let's go back to our presentation.
With this we are coming to end of this particular session.
Thank you very much for listening.
I will see you in the next session.
Bye