What is the difference between execution and simulation in GRC RAR
While creating a single role, what happens on the functional side when you enter the template role in the derived role tab? (A) Where will the password be stored, (B) from where can you re-collect the password, and (C) how will you communicate the password to all users at a time? What is Virsa?
Once you enter the screen, what will it perform? Before GRC came into the picture, there were other tools running in the market to do analysis. Virsa FireFighter for SAP enables super-users to perform emergency activities outside the parameters of their normal role, but to do so within a controlled, fully auditable environment. Coming to SU24, here we can maintain the assignment of authorization objects by entering a particular t-code, check the relation between the t-code and the concerned authorization objects, and make changes according to business needs.
It means maintaining authorizations and their fields and field values. While creating a single role, what happens on the functional side when you enter the template role in the derived role tab?
What are dialog users, batch users and communication users? What is the use of a communication user? A dialog user is used by an individual for all kinds of logon. A batch user is used for background processing and communication within the system. A communication user is used for external RFC calls.
Across the systems we can connect.
Can we add one composite role into another composite role, for urgent or normal user requests? We cannot add a composite role into another composite role, but we can add multiple derived roles into one composite role. In transport, what type of request will we use?
Why don't we use a workbench request in transport? Most of the time we transport workbench and customizing requests. Settings, configurations, etc. done by BASIS, Security and Functional consultants are treated as customizing; programs, packages, etc. created by ABAPers and transported are treated as workbench. When we add an authorization object to a template role, what happens in the derived role at the same time?
How do you check a profile parameter? How do you find whether any transport has ended with an error, and where can we check? How do you extract a list of users who have not logged in for 3 months? And for 90-day user locking, which table will we use? Max profiles are
A template role is nothing but a default role provided by SAP. This template role might be a single, composite or derived role. Template roles do not have generated profiles or authorizations, are not assigned to users, and do not have org levels maintained.
A derived role is nothing but a single role that is derived from a master role; it can restrict org levels and can be assigned to users.
SOX is an ad hoc standard for financial transparency, trust, and corporate accountability. It is mandatory for all publicly owned companies. There are two main sections and
GxP is a general term for Good Anything Practice quality guidelines and regulations.
These guidelines are used in many fields, including the pharmaceutical and food industries. The purpose of the GxP quality guidelines is to ensure a product is safe and meets its intended use. GxP guides quality manufacture in regulated industries including food, drugs, medical devices and cosmetics.
The most central aspects of GxP are: Traceability: the ability to reconstruct the development history of a drug or medical device. Accountability: the ability to resolve who has contributed what to the development and when. The goal of GRC is to help a company efficiently put policies and controls in place to address all its compliance obligations while at the same time gathering information that helps proactively run the business.
It has 4 sections to audit the system:
1. Compliance Calibrator
2. Role Expert
3. Firefighter
4. Access Enforcer
It has been a part of NetWeaver and is an add-on now.
CUA - Central User Administration. The advantage of CUA is that it saves time: users are created in one single system and distributed to the respective systems where the user ID is requested. It helps avoid logging in to each individual system.
What is the procedure for deleting a role?
You can't delete the role in the production system. First you have to delete the role from the development system, after creating a transport request. Transport the request to the testing and production systems. Once the request has been transported successfully, the role is deleted from there as well. If we delete a role, can we transport it, and if yes, how? Yes: add that role to a transport request first and then delete it from the dev system. After deletion, transport it to the QA and prod systems. When creating a role, what should we write there, and what does your company follow?
Description of role defines, the role related activity in short. What are various user types? Expired or initial passwords are checked. Users have. Multiple logon is checked. The passwords are not subject to the password change requirement, that is, they cannot be initial or expired.
Only an administrator user can change the password. Multiple logon is permitted. Only a user administrator can change the password. Usage: Anonymous system access for example, public Web services Reference user 'L' Authorization enhancement No logon possible. Reference users are used for authorization assignment to other users. Usage: Internet users with identical authorizations Can you tell me some of the password related parameters? What is the use of CUA?
1. Using CUA, you can reset the password globally, meaning that in a single shot you can reset the password for all child systems, or reset it for an individual system through CUA.
2. No password reset tag in individual systems.
3. Using CUA, you can unlock and lock the users.
4. Using CUA, you can assign the roles to a particular system.
5. Using CUA, you can add systems to a particular user.
What are the types of requests?
And which do we create for transport? Generally there are two types of transport request. I want to reset the passwords of users. How do you do it? Mass password resetting is the easiest task. Log in to the LSMW t-code. Create a project, which is very easy. Record a batch input session. And run it. It hardly takes 2 mins. What is FireFighter? When do we use FireFighter? The user type is kept as "service user". Ex: In your project you are a security administrator who does not have direct access to SU01, but you need the access urgently.
While logging in you will be prompted to give a business reason for access. What is the main difference between a role and a profile? Assigning a role to the user does not mean that the user has access to execute those functions. This is ruled by profiles.
Profiles are required to give the necessary authorization to users through the respective roles. What kind of work do SoX and SoD do? It impacts all US companies, whether they operate in the US or in other countries. Some people think this act is significant after the fall of big companies such as Enron.
SoD refers to Segregation of Duties. Basically, one person cannot have access to the whole process. The task needs to be segregated so that there is a check and balance. What is the use of a detour path?
Report Download.
Check that daily backups are executed without errors - DB12 Backup logs: overview.
SAP standard background jobs are running successfully. Review for cancelled and critical jobs.
Extents monitoring - DB02 Database monitoring - check for max-extents reached.
Check work processes started from SM51 - SM50 Process overview - all work processes with a running or waiting status.
Check system log - SM21 System log - set date and time to before the last log review. Check for errors, warning, security, message-bends, and database events.
Look for any failed updates - SM13 update records.
Check for old locks - SM12 lock entry list.
Check for spool problems - SP01 spool request screen - check for spools that have been in request for over an hour.
Archive backup - brarchive -f force -cds -c - insert the archive backup tape.
Review NT system logs for problems - NT system log: look for errors or failures - NT security log: failed logons to SAP servers - NT application log: look for errors or failures.
Tell me about your SAP career. Elaborate on your complete SAP experience, and yes, be truthful with them. Tell me about your daily monitoring jobs and the ones you worked on most. As a part of my daily job as an SAP Security consultant, I have to take care of ticket monitoring and assigning tickets within the team.
I have to take care of critical incidents and emphasize them on high priority for their faster resolution. I have to troubleshoot different authorization issues that come across in daily work with the users. Which version of SAP are you working on? Is it a java stack or ABAP stack? You have to check this with your systems. Tell me about derived role? Derived roles. To restrict the user access based on organizational level values.
The more negotiable the asset, the greater the need for proper segregation of duties, especially when dealing with cash, negotiable checks, and inventories. Implementation Considerations In certain business areas SoDs are highly important, such as in the cash handling area, because cash is a highly liquid asset. This means it is easy to take money and spend it without leaving a trail of where it went.
Any department that accepts funds, has access to accounting records, or has control over any type of asset should be concerned with SoDs. In those cases, management may need to take a more active role in segregation of duties, either by checking the work done by others, or by using other mitigating controls to minimize risks.
The screen opens showing the 6 steps to design roles across your enterprise. Each step has a link that takes you to a related screen in the Configuration tab. The activities in Role Designer are administrator-level tasks, and they are not addressed in the application help documentation. You can use this default methodology to select role attributes that were defined during configuration. Alternatively, you can define your own custom methodology in the configuration according to your organization's role management process requirements.
Features
The Create Role screen displays the phases, or methodology process, of role creation, and indicates each role phase by a colored arrow at the top of the page.

Phase: Function
Definition: Use this phase to define and set general attributes for the role.
Define Authorization: Use this phase to define authorization data for the role by adding Transactions, Functions, and Authorization Objects to the role, along with maintaining the Org. You display the Organizational Level fields in the role to maintain the Org.
Derive Roles: Use this phase to create derived roles for different organizational levels based on authorizations data set for the master role.
Risk Analysis: Use this phase to perform preventative risk analysis for the role. Integration with the Risk Analysis and Remediation capability is required for this phase.
Approval: Use this phase for role approval process with workflow. Integration with Compliant User Provisioning is required for this phase.
Role Generation: Use this phase to generate master and derived roles so that they show up in the connected backend systems.
Testing: Use this phase to document role test results and to store test result files.

When you select Roles Create, the Create Role screen appears with the default role methodology phases.
After you select new role attributes and save the role, the system determines the appropriate methodology, either the default methodology or alternate methodology, based on the condition groups set in configuration.
Then, the appropriate methodology appears as a highlighted arrow at the top of the page. You complete a set of predefined tasks before you can move to the next phase. The arrow turns yellow when you work within a phase. The arrow turns green when you complete a phase. Note Whenever you want to bypass a phase, you can simply enter the phase and choose Save Back to Role Definition Activities This section describes how to complete the fields involved in role creation.
System Landscape Select from the dropdown menu a system landscape where you want to define the role. The Enterprise Role Management administrator sets up the system landscape to group systems such as ERP dev, qa, and prd.
Within the landscape, the system administrator sets up the default system for role risk analysis and for the default generation of roles. Role Types You can use two role types for this capability: Single roles and Composite roles. You can create two additional role types during the Derive Role phase: Master roles and Derived roles. A single role contains a set of authorization data.
For example, the role for an Accounts Payable clerk that contains multiple single roles, such as Invoice Processing, General Ledger Display, to perform a job function.
Business Process You select the Business Process from the dropdown menu to create or modify the role attribute. The Enterprise Role Management administrator configures business processes. Subprocess You select the Subprocess from the dropdown menu to create or modify the role attribute. Business Process is a configurable role attribute in configuration.
The Enterprise Role Management administrator configures the Subprocesses. A role designer uses this attribute to filter a group of roles across multiple system landscapes, business processes, and subprocesses.
If you are the role designer and you need to plan or enhance roles, contact your System Administrator to create a unique Project or Release name to group all roles together. Role Status You can add a role status to each role to indicate whether the role is in the development or the production status.
When Roles have the role status set to Production, this indicates that the roles are ready for provisioning. In Compliant User Provisioning, you can use an integrated feature to import roles from Enterprise Role Management for provisioning.
Role Name This feature creates a default role name based on the naming convention set up by the Enterprise Role Management administrator.
You can override these defaults to conform to the role naming conventions in your organization. Description The description is a free flow text to describe the role. Profile Name There is a default profile name based on the naming convention set up by the Enterprise Role Management administrator.
The profile naming convention is configurable to be suggested or enforced. You can customize this profile name to make it unique. When not enforced, you can override the profile name during role creation. Profile Description This description is a free flow text to describe the role. This field is automatically populated to match the description. Note Refer to the Access Control Configuration documentation to configure your role creation topics. Some Role Creation functionality within the various phases is present only if it has been configured by your administrator.
The role creation methodology designed into the Enterprise Role Management ERM capability is a part of this compliance and control system. And, when linked to the Risk Analysis and Remediation RAR capability, the application also enforces the Segregation-of-Duties analysis during role design to prevent risks from entering application systems.
The Create Role function works in phases that are seen to progress across the screen and are related to an array of tabs at the bottom of the screen. The tabs that you see depend on the phase. This section describes the features that support and enable the methodology. Features The Role Creation methodology tabs are as follows: Detailed Description Use this text field to describe the role.
Functional Area You use the Functional Area to add a new attribute to the role. You can use these attributes to select multiple functional areas, such as departments or locations. You can use this tab to create a custom attribute to reflect a number of states, such as role status or critical role.
This tab displays all available organization levels for the role based on the authorization data added to the role. Risk Violations After risk analysis has been performed in the Risk Analysis phase, then Risk Violations provides a breakdown of conflicting transactions, critical transactions, conflicting objects, and critical objects.
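The breakdown of conflicting and critical transactions described above, and the preventative check made before a role changes, sketched as an added example (not SAP's code or delivered rule set). The function, risk and role definitions are constructed for illustration, the analysis stops at the transaction level, and it also rejects a composite role nested in another composite.

```python
from itertools import product

# Constructed rule set. A "function" groups transactions that perform one
# business activity; a "risk" names two functions that one person should not
# hold together (segregation of duties).
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02", "FK01"},
    "INVOICE_ENTRY": {"FB60", "MIRO"},
    "PAYMENT_RUN": {"F110"},
}
RISKS = {
    "R001": ("VENDOR_MAINT", "INVOICE_ENTRY"),
    "R002": ("INVOICE_ENTRY", "PAYMENT_RUN"),
}
CRITICAL_TCODES = {"SU01", "SE16"}

# Constructed role catalogue (hypothetical role names).
SINGLE_ROLES = {
    "Z_AP_INVOICE_PROCESSING": {"FB60", "MIRO", "FB03"},
    "Z_GL_DISPLAY": {"FB03", "FS10N"},
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_USER_ADMIN": {"SU01"},
}
COMPOSITE_ROLES = {
    "Z_AP_CLERK": ["Z_AP_INVOICE_PROCESSING", "Z_GL_DISPLAY"],
    "Z_AP_LEAD": ["Z_AP_INVOICE_PROCESSING", "Z_AP_PAYMENTS", "Z_USER_ADMIN"],
}


def resolve_tcodes(role, extra_members=()):
    """Map each transaction a role grants to the single roles that grant it."""
    if role in SINGLE_ROLES:
        members = [role]
    elif role in COMPOSITE_ROLES:
        members = list(COMPOSITE_ROLES[role])
    else:
        raise KeyError(f"unknown role: {role}")
    members += list(extra_members)

    granted = {}
    for member in members:
        # A composite role may only contain single roles.
        if member in COMPOSITE_ROLES:
            raise ValueError(f"{member} is a composite role and cannot be nested")
        for tcode in SINGLE_ROLES[member]:
            granted.setdefault(tcode, set()).add(member)
    return granted


def analyze_role(role, extra_members=()):
    """Return the risk breakdown for a role, optionally with proposed additions."""
    granted = resolve_tcodes(role, extra_members)
    held = set(granted)
    conflicts = []
    for risk_id, (func_a, func_b) in sorted(RISKS.items()):
        side_a = sorted(FUNCTIONS[func_a] & held)
        side_b = sorted(FUNCTIONS[func_b] & held)
        # A risk exists only when both sides are present in the same role.
        for tcode_a, tcode_b in product(side_a, side_b):
            conflicts.append((risk_id, tcode_a, tcode_b))
    return {
        "risks": sorted({c[0] for c in conflicts}),
        "conflicting_transactions": conflicts,
        "critical_transactions": sorted(CRITICAL_TCODES & held),
        # Which single role contributes each conflicting transaction.
        "sources": {t: sorted(granted[t]) for c in conflicts for t in c[1:]},
    }


def new_risks_if_added(composite, single_role):
    """Preventative check: risks that adding single_role would introduce."""
    before = set(analyze_role(composite)["risks"])
    after = set(analyze_role(composite, [single_role])["risks"])
    return sorted(after - before)


if __name__ == "__main__":
    for name in sorted(COMPOSITE_ROLES):
        print(name, analyze_role(name))
    print(new_risks_if_added("Z_AP_CLERK", "Z_AP_VENDOR_MAINT"))
```
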
Creating a Role Procedure To create a role: 1. In the navigation bar of the Role Management tab, choose Roles Create.
The Create Roles screen appears. In the System Landscape dropdown list, select the appropriate system landscape. A system landscape is a collection of systems. In the Role Type dropdown list, select either a Single or Composite role type. In the Business Process dropdown list, select the appropriate business process for the role.
In the Subprocess dropdown list, select the subprocess associated with the business process that you defined. In the Role Name field, enter the name of the role. We recommend that you name the role name with a predetermined naming convention based on your company's policy. The system automatically populates the role name with this naming convention.
The values that you enter in the system landscape and role type fields trigger the populated role name. In the Description field, enter a short description of the role. In the Profile Name field, enter the profile name of the role.
A profile is SAP-specific and is associated with a role. You can also connect a profile to the naming convention set up by the Enterprise Role Management Administrator during configuration. You can have multiple profiles in a role. In the Profile Description field, enter a short description of the profile.
In the Critical Level dropdown list, select the appropriate critical level for your request. Under the Detailed Description tab, enter a detailed description of the role. Most users add a complete role description, including the business implication of the role and the tasks involved for the role. However, you can add any pertinent role information since this field permits an unlimited number of characters. Choose the Functional Area tab. Select the Add icon to add a functional area.
A functional area is a classification of processes for a department and used as an additional attribute to classify roles. Choose the Approvers tab to view a list of approvers and alternate approvers assigned to this role. Note The Approver Provisioning can be defined for provisioning in the Compliant User Provisioning capability as the role approver in the context of provisioning.
And, you can import the role information to CUP for provisioning purposes. The list is a default list of approvers, assigned when Enterprise Role Management matches role attributes with approval criteria.
You can assign new approvers during the role change process. Note The default list is present only if configured. Choose the Custom Attributes tab. Select the Add icon to add custom attributes. Custom attributes are custom fields that you can configure to define an attribute for the role. Choose Save. When you save a role, the following options are available: o Change History o Authorization Data o Change or assign approvers o Change or assign function areas.
Define Authorization You use this phase to define authorization data for the role by adding Transactions, Functions, and Authorization Objects to a role, along with maintaining the Org. Note To maintain the Org. Values, you need to first display the Organizational Level fields in the role. Features To view the Authorization Data screen, choose the Authorization Data pushbutton, located along the bottom of the Define Authorization phase screen.
You may change the authorization data; or, you can choose Save and move on to the next phase. The Change History and the Save pushbuttons are also located at the bottom of the Define Authorization phase. The Change History button is a read-only record of all modifications made to this role. The table includes the date and the time that each phase was modified. Note Whenever you want to bypass a phase, you can simply enter the phase and choose Save Back to Role Definition The following table describes the authorization tabs: Note Ticket Number and comments: only if you have configured a pop-up box for entering a ticket number, when you Save authorizations you are then prompted to enter a ticket number and comments.
These comments then appear in the history for this role.

Functions: transactions and authorizations. These functions populate the remaining tabs. Prerequisite: The Allow Adding Functions to the Authorization Settings on the Miscellaneous Configuration screen must be set to Yes.
Transactions: You can add or delete the transactions in this tab. Use the add and subtract icons to add and remove transactions. You can search for a transaction by transaction name or description. Prerequisite: NA.
Objects by Class: You can configure objects in the Objects by Class tab by field and value, or authorization level. You can add objects to a role, but you can only delete an authorization within the object.
Objects by Transaction: Objects in the Objects By Transaction tab are view-only. You can expand each transaction to view its hierarchical structure and associated values, but you cannot make changes to the transactions. Prerequisite: NA.
Adding Functions Procedure Use this section to add functions on the Functions Authorization tab in the Define Authorization role phase. Choose the Add icon. The Search Functions screen opens. Enter a function ID or description to search for a function. If you do not know the full function ID, you can use a partial ID with the wildcard character and then select an ID from the list.
Select the functions from the list and choose Select. To continue to add functions, choose Continue. To update the Authorization Data screen, select Continue again.
Adding Transactions Procedure To add transactions: 1. Choose the Transactions tab. Here, all the transactions that are associated with any functions previously added to the role appear.
Select the Add icon at the bottom of the Transactions list. The Search Transactions screen opens. To search for a transaction enter the Transaction Code or Description in the corresponding field.
Choose Search. If you do not know the full Transaction Code, you can use a partial code with the wildcard character and then select the transaction you want from the list. Select the transactions that you want to add. Choose Select. Selected transactions remain under the Selected Transactions tab on the Search Transactions screen until you choose Continue.
You can use this feature to add transactions without leaving the Search Transactions screen. Choose Continue. The Authorization Data screen now displays the newly added transactions. If you do not want to associate a transaction with the role, select the checkbox next to the transaction.
Choose Delete.
Adding Objects by Class
You can configure objects in the Objects by Class tab at the field and value level, or authorization level.
Back to Role Definition: Reverts to the previous phase of the role creation.
Org. Levels: Displays the organizational level fields in the role.
Add Object: Opens a search screen where you can search for one or more objects.
This feature enables both functional and technical teams to work together in role management.
Functionality and Icons
Choose the Objects by Class tab and then expand each class.
Yellow Stoplight icon: The yellow light indicates that there is at least one empty field in the authorization.
Red Stoplight icon: The red light indicates that there is no value in the Org. Level field, or that the existing value is not representative of an appropriate value.
Copy icon: Copy the authorization. When you copy an authorization, the system copies all fields and values that belong to that authorization. The two values have different authorization ID numbers.
Add icon: Add an authorization value. To add a value to the authorization, click this icon. Add the new value in the field that appears.
Delete icon: Delete an authorization value. To delete a specific value, select the checkbox next to the value. Choose the Delete icon.
Shiny Lightbulb icon: Authorization is enabled. Select this icon to disable the authorization.
Dead Lightbulb icon: Authorization is disabled. When an authorization is disabled, the role ignores the value. Choose this icon to enable the authorization.
Information icon: Select this icon to add, view, or change information about the authorization.
Standard: The authorization contains default values. The transaction code automatically pulls in the values.
Maintained: The authorization contains user-modified values.
Manually: The authorization contains values manually added by the user.
Objects by Transaction
Objects under the Objects by Transaction tab are view only.
You can expand each transaction to view its hierarchical structure and associated values, but you cannot make any changes. Derive Roles Use Derive Roles to derive additional roles with different organizational levels and values based on the authorization data added to a master role.
Note For more details on creating organization value maps, see the Access Control Configuration documentation. This derived role was previously created with a master role. Note Whenever you want to bypass a phase, you can simply enter the phase and choose Save Back to Role Definition Activities To view the following activities, choose the Derive Role tab. The Role Derivation screen opens. Creating a Derived Role 1. Select the Derive Role tab. To change or delete any existing role, select the role.
Choose Change or Delete. To create a new derived role, choose Create. Enter the primary organization level and value or values, the role name, and the role description.
To change this default profile name, enter a new name. If you do not enter a value for Profile, the system generates a name when it generates the derived role. To derive the role without using an organization map, choose Continue. To derive the role with an organization map, select an organization value map. The screen displays organization value map, or maps that match the primary organization value you specified for the new derived role: oIf the system finds an existing organization map that matches the primary organization value you specify for the new derived role, it displays all organizational levels and values for that map in the Process Org.
Level Field screen. Level Fields screen appears; however, you must set the organization levels and values on this screen. The system returns to the Role Derivation screen. You can now create new derived roles. Or, choose the Back to Role Definition pushbutton to proceed to the next phase in the role creation process. Risk Analysis You can use this feature to identify roles that contain risks. Note Whenever you want to bypass a phase, you can simply enter the phase and choose Save Back to Role Definition Activities Use the following steps to perform a risk analysis: 1.
Select the Risk Analysis tab. The System default is Production. It displays risks in the lower portion of the screen. Approval Process When you create roles, you send each role through a role approval process. The approver, or an alternate approver, assigned to the role can approve or reject the role. The approval process allows documented collaboration among different stakeholders involved in the role management process.
It provides control checking and evaluation during role design. You must configure a role approver in each capability. Process The role approval process is as follows: 1.
To assign approvers or modify existing approvers, see Assigning Approvers. To initiate the approval process when the role has the correct approvers, submit it for review. To create a new request to notify the approvers that the role is ready for review, when you initiate the approval process Enterprise Role Management sends the role approval information to Compliant User Provisioning.
Note Once the role has been submitted for review, you cannot make changes to the role in Enterprise Role Management until you receive a response from the approver. The approver logs in to Compliant User Provisioning and approves or rejects the role. When the Approval button is selected, you are then prompted for a requestor comment.
You use this text box to enter instructions to the role approver. You receive the following message: Role is submitted for approval; Compliant User Provisioning request number xxxxx. Assigning Approvers Procedure To assign an approver to a role: 1.
Locate the role for which you want to change approvers. Follow the steps in Searching Roles. To change approver information, select the role, then choose Change.
The Change Role screen appears. To view the Approver and Alternate Approver, select the Approvers tab. Select the Add icon at the bottom of the approver list. An empty field appears in both the Approver and Alternate Approver columns. Select the Search icon beside the empty field in the Approver column. The Approver Search screen appears. A list of approvers appears.
Choose the radio button beside the User ID of the person you want to assign as approver and then choose Select. The Approver Search window closes and the Approver field in the Approver tab populates with the new approvers.
Repeat Step 4 through Step 7 to add an alternate approver. To make changes to the authorization data for the derived role, you must modify the master role and regenerate the master role with the modification.
Changes to roles are not available for use until after the role is generated in the SAP backend system during role maintenance. You can generate a single role or you can mass generate several roles at once.
You can also generate a role or roles in the default system or in multiple systems. You can select system roles and derived roles to generate.
The master role is always generated with the derived roles. A background job is scheduled automatically and the Job ID is shown during the time when you are trying to generate the roles under Mass Maintenance. For more information about setting a default system, see the Access Control Configuration documentation. You can save time by generating the same role or similar roles in similar systems in one landscape, such as all Accounting systems.
You can also make the user name and password that you use for role creation and maintenance available across all systems in the landscape, so you can access Role Generation to generate roles. Note Whenever you want to bypass a phase, you can simply enter the phase and choose Save Back to Role Definition Generating a Role Procedure If you have completed all the steps necessary for creating a role, the role should now be in the generation phase.
To generate a role: 1. Choose Generate at the bottom of the Create Role screen. The role is generated in the default connector configured for the role generation action in the associated system landscape. For more information about connectors and system landscapes, see the Access Control Configuration documentation.
Note A role is not available in the SAP back-end system until it is generated. Generating Multiple Roles Procedure To generate multiple roles: 1. The Mass Maintenance—Generate screen opens. Enter or select the criteria upon which you want to base your search. Choose List Roles.