SAP GRC 10 Installation Guide

Installation GuideSAP Access Control 10.0, Process Control 10.0, and Risk Management 10.0Target Audience System Administrators Technical Consultants

PUBLICDocument version: 1.45 2012-06-18

SAP AGDietmar-Hopp-Allee 16

69190 WalldorfGermany

T +49/18 05/34 34 34F +49/18 05/34 34 20

www.sap.com

Copyright 2012 SAP AG. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.Microsoft, Windows, Excel, Outlook, PowerPoint, Silverlight, and Visual Studio are registered trademarks of Microsoft Corporation.IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, z10, z/VM, z/OS, OS/390, zEnterprise, PowerVM, Power Architecture, Power Systems, POWER7, POWER6+, POWER6, POWER, PowerHA, pureScale, PowerPC, BladeCenter, System Storage, Storwize, XIV, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, AIX, Intelligent Miner, WebSphere, Tivoli, Informix, and Smarter Planet are trademarks or registered trademarks of IBM Corporation.Linux is the registered trademark of Linus Torvalds in the United States and other countries.Adobe, the Adobe logo, Acrobat, PostScript, and Reader are trademarks or registered trademarks of Adobe Systems Incorporated in the United States and other countries.Oracle and Java are registered trademarks of Oracle and its affiliates.UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems Inc.HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.Apple, App Store, iBooks, iPad, iPhone, iPhoto, iPod, iTunes, Multi-Touch, Objective-C, Retina, Safari, Siri, and Xcode are trademarks or registered trademarks of Apple Inc.IOS is a registered trademark of Cisco Systems Inc.RIM, BlackBerry, BBM, BlackBerry Curve, BlackBerry Bold, BlackBerry Pearl, BlackBerry Torch, BlackBerry Storm, BlackBerry Storm2, BlackBerry PlayBook, and BlackBerry App World are trademarks or registered trademarks of Research in Motion Limited.Google App Engine, Google Apps, Google Checkout, Google Data API, Google Maps, Google Mobile Ads, Google Mobile Updater, Google Mobile, Google Store, Google Sync, Google Updater, Google Voice, Google Mail, Gmail, YouTube, Dalvik and Android are trademarks or registered trademarks of Google Inc.INTERMEC is a registered trademark of Intermec Technologies Corporation.Wi-Fi is a registered trademark of Wi-Fi Alliance.Bluetooth is a registered trademark of Bluetooth SIG Inc.Motorola is a registered trademark of Motorola Trademark Holdings LLC.Computop is a registered trademark of Computop Wirtschaftsinformatik GmbH.SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

2/56 PUBLIC 2012-06-18

Crossgate, m@gic EDDY, B2B 360, and B2B 360 Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies (SAP Group) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Disclaimer

Documentation in the SAP Service MarketplaceYou can find this document at the following address: https://service.sap.com/instguides

2012-06-18 PUBLIC 3/56

Typographic Conventions

Example Description Angle brackets indicate that you replace these words or characters with appropriate

entries to make entries in the system, for example, Enter your .ExampleExample

Arrows separating the parts of a navigation path, for example, menu options

Example Emphasized words or expressionsExample Words or characters that you enter in the system exactly as they appear in the

documentationhttp://www.sap.com Textual cross-references to an internet address/example Quicklinks added to the internet address of a homepage to enable quick access to specific

content on the Web123456 Hyperlink to an SAP Note, for example, SAP Note 123456Example Words or characters quoted from the screen. These include field labels, screen titles,

pushbutton labels, menu names, and menu options. Cross-references to other documentation or published works

Example Output on the screen following a user action, for example, messages Source code or syntax quoted directly from a program File and directory names and their paths, names of variables and parameters, and

names of installation, upgrade, and database toolsEXAMPLE Technical names of system objects. These include report names, program names,

transaction codes, database table names, and key concepts of a programming language when they are surrounded by body text, for example, SELECT and INCLUDE

EXAMPLE Keys on the keyboard

4/56 PUBLIC 2012-06-18

Document History

CAUTIONBefore you start the implementation, make sure you have the latest version of this document. You can find the latest version at the following location: https://service.sap.com/instguides.

The following table provides an overview of the most important document changes.Version Date Description1.00 2010-12-13 New content SAP AC 10.0, PC 10.0, RM 10.0 (initial release).1.10 2011-01-31 Added SAP BusinessObjects Access Control 10.0 only scenario.1.20 2011-03-28 Updated general prerequisites and AC 10.0 and PC 10.0 plug-in prerequisites.1.30 2011-04-18 Added a statement to clarify that Content Lifecycle Management (CLM) is currently

only available for SAP BusinessObjects Process Control 10.0 and SAP BusinessObjects Risk Management 10.0.

1.35 2011-05-03 Updated Adobe Document Services prerequisite.1.40 2012-03-19 Moved BC Set information from Risk Management BC Sets table to Shared BC Sets

(Process Control & Risk Management) table. Added GRC Internal Audit Management role for Portal Package Configuration. Added note that Adobe Document Services license is required for printing. Added note that GRC 10.0 uses new interfaces for GRC BI Content integration.

1.45 2012-06-18 Formerly known as SAP BusinessObjects Access Control, now known as SAP Access Control

2012-06-18 PUBLIC 5/56

Table of Contents

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91.1 About this Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91.2 SAP Notes for the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101.3 Related Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121.4 Important GRC BI Content Integration Information . . . . . . . . . . . . . . . . . . . 131.5 Important Upgrade Information for Risk Management . . . . . . . . . . . . . . . . . . 13

Chapter 2 Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 3 Preparing for the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.1 Preparing to Install AC/PC/RM 10.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173.2 Downloading AC/PC/RM 10.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193.3 Running JAVA Service Program Manager (JSPM) . . . . . . . . . . . . . . . . . . . . . . 193.4 Preparing to Install AC/PC/RM 10.0 Portal Core Components . . . . . . . . . . . . . 203.5 Preparing to Install Plug-Ins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 4 Installing the Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Chapter 5 Installing the Components in Enterprise Portal . . . . . . . . . . . . . . . . . . . . 25

Chapter 6 Installing TREX (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Chapter 7 PostInstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297.1 Client Copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297.2 Activating the Applications in Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297.3 Checking SAP ICF Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307.4 Maintaining System Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307.5 Maintaining Plug-in Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Chapter 8 Activating Business Configuration (BC) Sets . . . . . . . . . . . . . . . . . . . . . . . 338.1 Activating AC/PC/RM 10.0 BC Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338.2 Access Control BC Sets Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

6/56 PUBLIC 2012-06-18

8.3 Process Control BC Sets Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358.4 Shared BC Sets (Process Control & Risk Management) . . . . . . . . . . . . . . . . . . 378.5 Risk Management BC Sets Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Chapter 9 Portal Package Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419.1 Creating a System Connection in Enterprise Portal . . . . . . . . . . . . . . . . . . . . . 419.2 Creating the Initial User in the ABAP System . . . . . . . . . . . . . . . . . . . . . . . . . . 429.3 Creating the Initial User in the Enterprise Portal . . . . . . . . . . . . . . . . . . . . . . . 44

Chapter 10 Content Lifecycle Management (CLM) Installation . . . . . . . . . . . . . . . . . 4710.1 New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4710.2 SAP Notes for CLM Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4710.3 Planning for CLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4810.4 Preparing to Install CLM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4910.5 Installing CLM Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4910.6 CLM Post-Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

2012-06-18 PUBLIC 7/56

This page is left blank for documents that are printed on both sides.

1 Introduction

SAP Access Control 10.0, Process Control 10.0, and Risk Management 10.0 are part of the SAP solutions for Governance, Risk, and Compliance (GRC).For more information about GRC, go to http://www.sap.com/grc.

SAP Access Control 10.0SAP Access Control is an enterprise software application which enables organizations to control access and prevent fraud across the enterprise, while minimizing the time and cost of compliance. The application streamlines compliance processes, including access risk analysis and remediation, business role management, access request management, emergency access management, and periodic compliance certifications. Access Control delivers immediate visibility of the current risk situation with real-time data.

SAP Process Control 10.0SAP Process Control is an enterprise software solution for internal controls management. It enables organizations to document their control environment, test and assess controls, track issues to remediation, and certify and report on the state and quality of internal controls. Using a combination of data forms, automated workflows, certification, and interactive reports, this solution enables members of internal control, audit, and business process teams to effectively manage compliance activities.

SAP Risk Management 10.0SAP Risk Management is an enterprise software solution that enables organizations to balance business opportunities with financial, legal, and operational risks to minimize the market penalties from high-impact events. The application allows customers to collaboratively identify these risks and monitor them on a continuous basis. Stakeholders and owners are provided with such tools as analytic dashboards for greater visibility in mitigating risks in their areas of responsibility.

1.1 About this DocumentThis guide describes how to install SAP Access Control 10.0, SAP Process Control 10.0, and SAP Risk Management 10.0 (hereafter referred to as AC/PC/RM 10.0).

1 Introduction1.1 About this Document

2012-06-18 PUBLIC 9/56

1.2 SAP Notes for the InstallationYou must read the following SAP Notes before you start the installation. These SAP Notes contain the most recent information on the installation, as well as corrections to the installation documentation.Make sure that you have the latest version of each SAP Note, which you can find on SAP Service Marketplace at https://service.sap.com/notes.The following table outlines the SAP Notes that you need to read before installing the software in either an Access Control 10.0 only environment or an AC/PC/RM 10.0 environment:SAP Note Number Title Description1353044 Installation Guide:

Crystal Report AdapterInformation about installing a front-end component to integrate Crystal Reports with the Advanced List View (ALV)

1366785 Crystal Reports ALV Integration Functional Restrictions

This note describes the functional and non-functional restrictions of the integration of Crystal Reports into ABAP List Viewer (ALV)

1382730 Crystal Reports ALV Integration Troubleshooting

The following note helps you to analyse problems you might encounter with the integration of Crystal Reports into Advanced List Viewer ALV.

1490996 Inst/Upgrade GRCFND_A V1000 on NW7.02 Enhancement Pack

Information about installing SAP AC/PC/RM 10.0

1497971 Installing GRCPINW V1000_620 on ERP Enterprise 47x

Supplemental information for installing SAP Process Control 10.0 and Access Control 10.0 plug-ins (formerly called Real Time Agents) on ERP Enterprise 47x

1497972 Installing GRCPIERP V1000_620 on ERP Enterprise 47x

Supplemental information for installing SAP Process Control 10.0 and Access Control 10.0 plug-ins on ERP Enterprise 47x

1498033 Upgrade to SAP ERP Enterprise 470x200 with GRCPIERP V1000_620

Supplemental information relevant for the upgrade to SAP ERP Enterprise 470x200

1498034 Upgrade to SAP ERP Enterprise 470x200 with GRCPIERP V1000_620

Supplemental information relevant for the upgrade to SAP ERP Enterprise 470x200

1500168 Installing GRCPINW V1000_46C on ERP 4.6C

Supplemental information for installing SAP Access Control 10.0 Non-HR plug-ins on SAP ERP 4.6C

1500169 Installing GRCPIERP V1000_46C on ERP 4.6C

Supplemental information for installing SAP Access Control 10.0 Non-HR plug-ins on SAP ERP 4.6C

1500689 Installing GRCPIERP V1000_46C on ERP 4.6C

Supplemental information for installing SAP Process Control 10.0 and Access Control 10.0 plug-ins on SAP ERP 4.6C

1500690 Installing GRCPIERP V1000_700 on NW 7.0/SAP ECC 600 or ECC 604

Supplemental information for installing SAP Process Control 10.0 and Access Control 10.0 plug-ins on SAP ERP 2005 (ECC 6.0)

1 Introduction1.2 SAP Notes for the Installation

10/56 PUBLIC 2012-06-18

SAP Note Number Title Description1500691 Upgrade to SAP ECC 600

with GRCPIERP V1000_700

Supplemental information relevant for the upgrade to SAP ECC 600

1500692 Upgrade to SAP ECC 600 with GRCPIERP V1000_700




1501880 Installing GRCPIERP V1000_640 on NW04/SAP ECC 500

Supplemental information for installing SAP Process Control 10.0 and Access Control 10.0 plug-ins on SAP ERP 2004 (ECC 5.0)



1501882 Installing GRCPINW V1000_640 on NW04/SAP ECC 500

Supplemental information for installing SAP Access Control 10.0 Non-HR plug-ins on SAP ERP 2004 (ECC 5.0)

1503749 Installing GRCPINW V1000_710 on NW 7.10

Supplemental information for installing SAP Access Control 10.0 Non-HR plug-ins on NW710



1504132 Release Strategy for ABAP add-on GRCPCINW

For installation or upgrade the ABAP Add-on components GRCPINW

1504243 Release Strategy for ABAP add-on GRCPIERP

For installation or upgrade the ABAP Add-on component GRCPIERP.

1509636 Additional information for GRC2010 installation

This note provides information about installing the software component GRC_POR 1000

1510002 Installing SAP GRC Portal 10.0

Information about installing the GRC_POR 1000 software component.

1514346 BRF+ Various Bug Fixes in EHP2 (SP04SP06)

Insure that when a rule uses the table workarea from a loop to update another table, the context name generation returns the correct name during code generation.

The following table outlines the additional SAP Notes that you need to read before installing the software in an AC/PC/RM 10.0 environment:SAP Note Number Title Description1470670 User-defined Fields for

RMThe Note describes how to customize user-defined fields in Risk Management.

1 Introduction1.2 SAP Notes for the Installation

2012-06-18 PUBLIC 11/56

SAP Note Number Title Description1505255 Transfer client-specific

Customizing for PC/RM

Transfer the client-specific Customizing from the delivery client for SAP Process Control 10.0 and/or Risk Management 10.0.

1509639 Preparation for Installing GRC-RM 2010

For installation of Risk Management 10.0 or upgrade of production system from Risk Management 3.0 to Risk Management 10.0

CAUTIONReview this SAP Note before attempting installation.

1519164 Create BRF+ application name & ID for Continuous Monitoring

The BRFplus application name must be unique to import BRFplus contents from source system to target system. The same BRFplus application name and application id must be present in all environments first.

1522608 Transfer client-specific Customizing

Information for copying PC-relevant client-specific Customizing (upgrade from 3.0 to 10.0).

1526732 Transfer client-specific Customizing

Information for copying PC-relevant client-specific Customizing (new installation of 10.0).

1.3 Related InformationMore information is available on SAP Service Marketplace, as listed in the following tables.DocumentationDescription Internet Address TitleThe security guide describes the settings for a medium security level and offers suggestions for raising security levels. A collective security guide is available for SAP NetWeaver.

http://help.sap.com/grc SAP AC/PC/RM 10.0 Security Guide

The master guide is the starting point for implementing an SAP solution. It provides scenario-specific descriptions of preparation, execution, and follow-up of an implementation. It also provides references to other documents, such as installation guides, the technical infrastructure guide and SAP Notes.

http://help.sap.com/grc SAP Access Control Master GuideSAP Process Control Master GuideSAP Risk Management Master Guide

The operations guide is the starting point for operating a system that runs on SAP NetWeaver. This guide refers users to the tools and documentation that are needed to carry out various tasks, such as monitoring, backup/ restore,

http://help.sap.com/grc SAP AC/PC/RM 10.0 Operations Guide

1 Introduction1.3 Related Information

12/56 PUBLIC 2012-06-18

Description Internet Address Titlemaster data maintenance, transports, and tests.The SAP Library (users guide) is a collection of documentation for SAP software covering functions and processes.

http://help.sap.com/grcIt is also available as a documentation DVD.

SAP Access Control 10.0 Application HelpSAP Process Control 10.0 Application HelpSAP Risk Management 10.0 Application Help

The installation guide describes the technical implementation of an installable unit, taking into account the combinations of operating systems and databases. It does not describe any business-related configuration.

http://help.sap.com/grc SAP NetWeaver Installation Guide

Details about the add-on installation tool

Search for Add-On Installation Tool under SAP NetWeaver 7.0 EHP 2 on the SAP Help Portal athttp://help.sap.com/nw

Add-On Installation Tool

General Quick LinksDescription Internet AddressSAP Help Portal http://help.sap.comSAP Notes https://service.sap.com/notesReleased platforms and operating systems https://service.sap.com/platformsSystem sizing https://service.sap.com/sizingSecurity https://service.sap.com/security

1.4 Important GRC BI Content Integration InformationDue to a conversion to the ABAP stack, the 10.0 release of SAP solutions for governance, risk, and compliance (GRC) does not support the following Access Control 5.3 interfaces for GRC BI Content integration: SAP Access Control 5.3 BW Data Source, based on Universal Data Connect (UD Connect) SAP Access Control 5.3 data martGRC 10.0 instead uses interfaces based on the SAP R/3 BW Data Source Enhancement.

1.5 Important Upgrade Information for Risk ManagementCAUTIONYou must read SAP Note 1490996 before attempting to upgrade.

1 Introduction1.4 Important GRC BI Content Integration Information

2012-06-18 PUBLIC 13/56

ProcedureUpgrading from SAP Risk Management 3.0 to SAP BusinessObjects Risk Management 10.0 is a same-box upgrade process. The following steps are typical for this kind of upgrade:1. Close all open workflow instances and all open survey instances.2. Perform a system backup.3. If it is used, delete all Datamart data.4. Upgrade from SAP NetWeaver 7.01 to NW 7.02.5. Upgrade from SAP Portal 7.01 to SAP Portal 7.02 (if you use portal, alternatively you can use NWBC

3.0).6. Install RM10.0 (GRCFND_A V1000).7. Perform system backup.8. Survey instances and Heat map color ranges are automatically converted by XPRA; verify the data

conversion.9. Upload the new BC sets for new features and new roles (optional for Risk Management 10.0 new

features).10. Perform configuration for optional RM 10.0 new features.11. If it is used, refill Datamart.

1 Introduction1.5 Important Upgrade Information for Risk Management

14/56 PUBLIC 2012-06-18

2 Planning

Before you start the installation, you should plan the following preliminary steps:

Procedure1. Determine the software components and supporting systems needed to run Access Control 10.0

or AC/PC/RM 10.0 by consulting the corresponding master guides at: http://help.sap.com/grc.For Access Control 10.0, consult the SAP Access Control 10.0 Master Guide. For AC/PC/RM 10.0, consult the SAP Access Control 10.0 Master Guide, SAP Process Control 10.0 Master Guide, and SAP Risk Management Master Guide 10.0

2. Decide what you want to install.When installing AC/PC/RM 10.0, the following components are available:Mandatory NetWeaver ABAPOptional (recommended) NetWeaver Java, if you need to use Adobe Document Services

NOTETo enable printing from SAP software, you are also required to download the Adobe Document Services license.

Portal TREX, if you want to use document search (Process Control and Risk Management only). Plug-ins on your ERP system (Access Control and Process Control only).

3. Download and check the relevant SAP Notes. For more information, see section 1.3 above.CAUTIONMake sure that you review the information in SAP Note 1509636 before you start any installation procedures.

4. Take all applicable security measures. For more information, see the SAP AC/PC/RM 10.0 Security Guide at http://help.sap.com/grc.

2 Planning

2012-06-18 PUBLIC 15/56

3 Preparing for the Installation

3.1 Preparing to Install AC/PC/RM 10.0CAUTIONAC/PC/RM 10.0 should not be installed with SAP Business Suite or with any SAP Business Suite components such as ERP, SCM, CRM, and SRM.

PrerequisitesYou use SAP Solution Manager to download the AC/PC/RM 10.0 applications and patches. SAP Solution Manager must be available in the system landscape; however, it does not need to be on the same system as the AC/PC/RM 10.0 applications.For more information about SAP Solution Manager, see https://service.sap.com/solutionmanager.In an Access Control 10.0 only environment, the following components of SAP NetWeaver 7.0 EHP2 SP06 are required:Component DetailsSPAM (Support Package Manager) 40 or higher

Not applicable

SAP NetWeaver Application Server ABAP Components

SAP_ABA 7.02 (SP06) SAP_BASIS 7.02 (SP06) PI_BASIS 7.02 (SP06) SAP_BW 7.02 (SP06)

(Optional) SAP NetWeaver Application Server Java Components

Portal 7.02

SAP Solution Manager 7.00 SP19 or higher

Not applicable

(Optional) SAP NetWeaver Application Server Java for Adobe Document Services

SAP NetWeaver Java is required to use Adobe Document Services. It must be available in the system landscape, but does not need to be installed on the same system as the AC/PC/RM 10.0 applications.You need to create and respectively activate the following JCo destinations: WD_ALV_METADATA_DEST WD_ALV_MODELDATA_DESTIt is essential to create Adobe Credentials; see SAP Note 736902, Adobe Credentials.

3 Preparing for the Installation3.1 Preparing to Install AC/PC/RM 10.0

2012-06-18 PUBLIC 17/56

Component DetailsFor more details about troubleshooting, see SAP Note 944221, Troubleshooting if problems occur in forms processing.For more information, see https://www.sdn.sap.com/irj/sdn/adobe under Installation & Configuration.

We recommend that you install BI Java usage type (part of the SAP NetWeaver Java stack) to enable printing of PDFs from Process Control reports and Risk Management reports.

BI Java usage type must be installed on the same system as the Adobe Document Services.For more information, see SAP Note 918236, WD ABAP ALV - create print version.

In an AC/PC/RM 10.0 environment, the following components of SAP NetWeaver 7.0 EHP2 SP06 are required:Component DetailsSPAM (Support Package Manager) 40 or higher

Not applicable

SAP NetWeaver Application Server ABAP Components

SAP_ABA 7.02 (SP06) SAP_BASIS 7.02 (SP06) PI_BASIS 7.02 (SP06) SAP_BW 7.02 (SP06)

SAP NetWeaver Application Server Java Components

Adobe Document Services 7.02 Portal 7.02 SAP_IGS Version 7000.0.15.1 or higher

Standalone Engine

TREX 7.10 (revision 27 or higher)

SAP Solution Manager 7.00 SP19 or higher

Not applicable

SAP NetWeaver Application Server Java for Adobe Document Services

SAP NetWeaver Java is required to use Adobe Document Services. It must be available in the system landscape, but does not need to be installed on the same system as the AC/PC/RM 10.0 applications.You need to create and respectively activate the following JCo destinations: WD_ALV_METADATA_DEST WD_ALV_MODELDATA_DESTIt is essential to create Adobe Credentials; see SAP Note 736902, Adobe Credentials.For more details about troubleshooting, see SAP Note 944221, Troubleshooting if problems occur in forms processing.

3 Preparing for the Installation3.1 Preparing to Install AC/PC/RM 10.0

18/56 PUBLIC 2012-06-18

Component DetailsFor more information, see https://www.sdn.sap.com/irj/sdn/adobe under Installation & Configuration.

We recommend that you install BI Java usage type (part of the SAP NetWeaver Java stack) to enable printing of PDFs from Process Control reports and Risk Management reports.

BI Java usage type must be installed on the same system as the Adobe Document Services.For more information, see SAP Note 918236, WD ABAP ALV - create print version.

NOTEIf you make use of Process Control 10.0 Policy Survey PDFs, be sure to upgrade to version 9.3.4 of Adobe Reader.

3.2 Downloading AC/PC/RM 10.0NOTEFollow the steps in SAP Note 1490996 to download the files for Access Control, which use the component GRCFND_A V1000.

Procedure1. Go to the SAP Software Distribution Center on SAP Service Marketplace at http://

service.sap.com/swdc.2. Choose Software Downloads Installation and Upgrades A - Z Index G SAP GRC Access Control SAP

GRC ACCESS CONTROL SAP Access Control 10.0 Installation .3. Select the SAP Access Control / SAP Process Control / SAP Risk Mgmt 10.0 download object, and choose

Add to Download Basket.

3.3 Running JAVA Service Program Manager (JSPM)Use JSPM to install the SAP Access Control 10.0 Migration on top of your SAP AC 5.3 system. This section describes how to install the JAVA GRC 10.0 Migration on a Access Control 5.3 system.

NOTE

JSPM must be run as sidadm user. In versions prior to 5.3, SAP Access Control used the Software Deployment Manager (SDM) to install and uninstall the software components. As of version 5.3, SAP Access Control uses JSPM to install (deploy in JSPM terms), but still uses SDM to uninstall.

3 Preparing for the Installation3.2 Downloading AC/PC/RM 10.0

2012-06-18 PUBLIC 19/56

PrerequisitesYou have downloaded the most recent SAP Access Control 10.0 Support Package and placed it in the JSPM Inbox in the directory /usr/sap/trans/EPS/in/.To download the SAP Access Control 10.0 Support Package, go to SAP Software Distribution Center on SAP Service Marketplace at http://service.sap.com/swdc Software Downloads Installation and Upgrades A - Z Index G SAP GRC Access Control SAP GRC ACCESS CONTROL SAP Access Control 10.0 Installation .

ProcedureLaunch the JSPM, which is found in the directory /usr/sap/SID/CD/j2ee/JSPM/go.bat.JSPM scans the directory that contains the installation files (/usr/sap/trans/EPS/in/).Using the JSPM Installer, follow these steps:1. Select Package Type and then New Software components. Use the radio button to specify the system

role and whether or not the system is under NWDI. Click Next.2. Specify Queue. Select the software components that you want to install (for SAP Access Control,

select GRCACMIGxx_0.sca, where xx represents the Support Package number). Click Next3. Check Queue to monitor the installation.

ResultThe SAP Access Control 10.0 Migration is installed on top of your SAP AC 5.3 system.

3.4 Preparing to Install AC/PC/RM 10.0 Portal Core Components

Prerequisites SAP NetWeaver 7.0 EHP2 SP06 or higher SAP NetWeaver Application Server JAVA 7.02 SP06

NOTEThe software component BP ERP05 COMMON PARTS version 1.51 is required to be deployed in Enterprise Portal if you use the portal as front-end.

ProcedureFor download information, see SAP Note 1490996.

3.5 Preparing to Install Plug-InsPlug-ins (formerly called Real Time Agents) facilitate the automated testing process and bring in data required by SAP Access Control and SAP Process Control.

3 Preparing for the Installation3.4 Preparing to Install AC/PC/RM 10.0 Portal Core Components

20/56 PUBLIC 2012-06-18

NOTE Plug-ins are not used in Risk Management. This section applies only to SAP Access Control

and SAP Process Control. If you already have the Process Control 3.0 RTAs, follow the instructions in the SAP Process

Control 10.0 Upgrade Guide, located at: http://help.sap.com/grc.

PrerequisitesUse the tables in this section to identify the appropriate SAP Note describing how to install the SAP GRC 10.0 plug-in on the corresponding platform.For GRCPINW (AC 10.0 and PC 10.0)SAP Note Number Platform1500168 SAP Basis 46C NW1497971 SAP Basis 620 NW1501882 SAP Basis 640 NW1500689 SAP Basis 700 NW1503749 SAP Basis 710 NW

For GRCPIERP (AC 10.0 and PC 10.0)SAP Note Number Platform1500169 SAP Basis 46C ERP1497972 SAP Basis 620 ERP1501879 SAP Basis 640 ERP1500690 SAP Basis 700 ERP

ProcedureDownloading the Plug-ins for Access ControlIntegration of AC with ERP uses the following plug-ins: GRCPINW plug-in for AC for non-HR Functions (formerly AC 5.3 VIRSANH RTA) GRCPIERP plug-in for AC and PC HR Functions (formerly AC 5.3 VIRSAHR RTA)Downloading the Plug-ins for Process ControlIntegration of PC with ERP uses the following plug-ins: GRCPINW plug-in for Continuous Monitoring (required to use the ABAP Report, Configurable and

Programmed Sub-Scenarios) GRCPIERP plug-in for HR functions (formerly PC 3.0 GRPCRTA)Download the GRCPINW and GRCPIERP files, based on the SAP release, from the SAP Service Marketplace at https://service.sap.com.

3 Preparing for the Installation3.5 Preparing to Install Plug-Ins

2012-06-18 PUBLIC 21/56

4 Installing the Components

PrerequisitesNOTEAccess Control, Process Control, and Risk Management have specific system requirements, and cannot run successfully unless these requirements are met. See the earlier sections for the system prerequisites.

ProcedureThe SAP AC/PC/RM applications require the add-on component GRCFND_A. SAP Note 1490996 explains the procedure for installing this add-on component.

4 Installing the Components

2012-06-18 PUBLIC 23/56

5 Installing the Components in Enterprise Portal

PrerequisitesAC/PC/RM 10.0 requires the add-on portal business package GRC_POR and the software component BP ERP05 COMMON PARTS version 1.51.You must upload the content objects to the portal so that you can use the business package after you have downloaded it.

NOTEFor Access Control 10.0 only environments, installing the components in Enterprise Portal is optional. You do, however, need to install the NetWeaver Portal Plug-in GRCPIEP in Access Control 10.0 only environments to enable risk analysis and provisioning using the portal.

ProcedureDownloading from SWDC1. To download the AC/PC/RM 10.0 portal business packages from the SAP Software Distribution

Center (SWDC), go to http://service.sap.com/swdc Software Downloads Support Packages and Patches Browse our Download Catalog SAP Solutions for Governance, Risk, and Compliance .

2. Choose your application (SAP Access Control, SAP Process Control, or SAP Risk Management). For example, for Access Control choose SAP GRC Access Control SAP GRC ACCESS CONTROL

SAP ACCESS CONTROL 10.0 Entry by Component GRC Java Components SAP GRC PORTAL 10.0OS independent .

3. Choose the SAP GRC PORTAL 10.0 download object and choose Add to Download Basket.

Downloading NetWeaver Portal Plug-in GRCPIEP1. To download NetWeaver Portal Plug-in GRCPIEP from the SAP Software Distribution Center

(SWDC), go to http://service.sap.com/swdc Software Downloads Support Packages and PatchesBrowse our Download Catalog SAP Solutions for Governance, Risk, and Compliance .

2. Choose SAP GRC Access Control SAP GRC ACCESS CONTROL SAP ACCESS CONTROL 10.0Entry by Component Portal Plug-in SAP GRC AC PORTAL PLUGIN 10.0 OS independent .

3. Choose the SAP GRC AC PORTAL PLUGIN 10.0 download object and choose Add to Download Basket.


2012-06-18 PUBLIC 25/56

Deploying Packages in NW 7.02Using JSPM (recommended)The Java Support Package Manager (JSPM) ensures that you download the latest version of the relevant SAP software.For information about using the JAVA Support Package Manager (JSPM) to deploy software packages in NetWeaver 7.02, go to the SAP NetWeaver Library in SAP Help Portal at http://help.sap.com, click on theSearch Documentation link in the upper right-hand corner of the screen, and enter the search term JSPM.On the right-hand side of the hit list, you will see a list called Narrow by Info-Class. Click on the Component info-class, and then in the resulting hit list, click on the entry for Java Support Package Manager to go to the top-level entry for JSPM documentation.

Using SDMIf you must reinstall a prior version of SAP software because of a system crash, you will need to use the Software Deployment Manager (SDM).For information about the Software Deployment Manager (SDM) to deploy software packages in NetWeaver 7.02, go to the SAP NetWeaver Library in SAP Help Portal at http://help.sap.com, click on the Search Documentation link in the upper right-hand corner of the screen, and enter the search term Core Development Tasks.On the right-hand side of the hit list, you will see a list called Narrow by Info-Class. Click on the Component info-class. In the resulting hit list, click on the first entry Core Development Tasks, and then follow

Deployment: Putting It All Together Software Deployment Manager SDM Remote GUI Client SDM Repository Management .


26/56 PUBLIC 2012-06-18

6 Installing TREX (Optional)

You can install the standalone version of TREX if you want to use Enterprise Search for document search in Process Control 10.0 and Risk Management 10.0.

NOTETREX is not an option in Access Control 10.0 only environments.

ProcedureYou install TREX 7.10, revision 27 or higher. See the NetWeaver Enterprise Search Installation Guide on the SAP Service Marketplace at https://service.sap.com/instguides SAP NetWeaver SAP NetWeaver Enterprise Search Installation Guide for SP3For more information, see the following SAP Notes:SAP Note Number Title1249465 How to install TREX for Embedded Search1164532 Limitations1266024 Sizing TREX for Embedded Search1269011 Additional TREX instance for Embedded Search

6 Installing TREX (Optional)

2012-06-18 PUBLIC 27/56

7 PostInstallation

After downloading and installing the files described in the previous sections, to configure the product, follow the post-installation sections in the order they are presented.

7.1 Client CopyProcedure

NOTEClient copy is not required in Access Control 10.0 only environments.

For more information, see SAP Note 1505255 .

7.2 Activating the Applications in ClientsAfter the installation is complete, the AC/PC/RM 10.0 applications are in place. Now you must activate them in each client.

ProcedureComplete the following steps to activate:1. Open the SAP Reference IMG in Tools Customizing IMG Project Administration (transaction

SPRO) .2. Display the SAP Reference IMG.3. Open SAP Access Control, Process Control, or Risk Management.4. Execute Activate Applications in Client.To activate an application component:1. Choose the New Entries pushbutton.2. Select an application component from the dropdown list. Choose GRC-AC, GRC-PC or GRC-

RM (choose GRC-AC for Access Control 10.0 only environments).3. In the Active column, you must specify if the application component is to be activated or not. If

you are using more than one component, you must set the indicator for each one.

NOTEThis Customizing activity is the same in all the Risk Management, Process Control, and Access Control nodes. If you are using all three components, they can be activated from the corresponding Customizing activity of any of the three applications.

7 PostInstallation7.1 Client Copy

2012-06-18 PUBLIC 29/56

7.3 Checking SAP ICF ServicesSpecific Internet Communication Framework (ICF), SAP services, and AC/PC/RM services need to be activated. They are inactive by default after installation or upgrade.

NOTECheck that all the relevant services are active.

For more information about activating these services, see SAP Note 1088717, Active services for Web Dynpro ABAP in transaction SICF.

Procedure1. Activate each of the following ICF service nodes:

/sap/public/bc /sap/public/bc/icons /sap/public/bc/icons_rtl /sap/public/bc/its /sap/public/bc/pictograms /sap/public/bc/ur /sap/public/bc/webdynpro /sap/public/bc/webdynpro/mimes /sap/public/bc/webdynpro/adobeChallenge /sap/public/bc/webdynpro/ssr /sap/public/bc/webicons /sap/public/myssocntl

NOTEYou can also activate all ICF services within: /sap/public /sap/bc /sap/grc for Access Control 10.0 only environments

2. Activate GRAC, GRPC, and GRRM services.Activate all services under /sap/bc/webdynpro/sap.

7.4 Maintaining System DataComplete the Add-On Product Version in your system data application so that customer support can see which SAP solution for GRC applications have been implemented in your environment.For more information, see SAP Note 1313108, System Data Maintenance for GRC Process Control.

7 PostInstallation7.3 Checking SAP ICF Services

30/56 PUBLIC 2012-06-18

Procedure1. Locate the System Data application in the Support Portal in SAP Service Marketplace under Data.2. Use one of the search functions provided to select an installed SAP system.3. On the System tab, scroll down to the Add-On Product Version section.4. Insert a line.5. Select the SAP Access Control 10.0 support package, SAP Process Control 10.0 application support

package, and/or the SAP Risk Management 10.0 application support package from the list.6. Save your changes.7. Repeat this procedure for all SAP systems.

Activating Crystal ReportsTo use the Crystal Reports function in GRC10, activate the flag Allow Crystal Reports in Customizing under SAP NetWeaver Application Server SAP List Viewer (ALV) Maintain Web Dynpro ABAP-Specific Settings .

7.5 Maintaining Plug-in SettingsAfter the installation is complete, you need to maintain the plug-in settings, including the exits settings and the configuration settings.

Procedure1. Open the SAP Reference IMG in Tools Customizing IMG Project Administration (transaction

SPRO) .2. Display the SAP Reference IMG.3. Open Governance, Risk and Compliance (Plug-In) Access Control .4. Execute Maintain Plug-in Exits Settings.5. Execute Maintain Plug-in Configuration Settings.

7 PostInstallation7.5 Maintaining Plug-in Settings

2012-06-18 PUBLIC 31/56

8 Activating Business Configuration (BC) Sets

8.1 Activating AC/PC/RM 10.0 BC SetsBusiness Configuration (BC) sets are an official implementation toolset used to simplify the customization process. You need to activate some of the BC sets that are delivered with AC/PC/RM 10.0. (See the Access Control BC Sets table and the Process Control and Risk Management BC Sets table below.)

NOTEFor Access Control 10.0 only environments, you only need to activate the Access Control BC Sets.

You can activate a particular BC set only if that client is not a production client in the system. When you activate the BC set, all data in the BC set is transferred into the corresponding original tables. Any entries already in the original tables are overwritten in this process.

RECOMMENDATIONConsult with the functional configurators for your application before activating the BC sets.

See SAP Solution Manager for information about customizing activities at https://service.sap.com/solutionmanager. For SAP Access Control, Process Control and Risk Management 10.0, the appropriate SAP Solution Manager release for enhanced Solution Manager content is ST-ICO 150 SP27.For more information about the SAP NetWeaver Application Server, see http://help.sap.com/nw70

SAP NetWeaver Library SAP NetWeaver by Key Capability Solution Life Cycle Management by Key CapabilityCustomizing Business Configuration Sets (BC-SETS)

Procedure1. Choose Existing BC Sets from the toolbar in the Implementation Guide. This identifies all of the IMG

activities for which the BC set exists.2. Select one of these IMG activities and choose the button BC Sets for Activity.

The contents of the BC set are displayed in a new window.3. To activate this BC set, choose the pulldown menu Go to Activation Transaction .4. Select the icon for Activate BC Set (or use F7).

The Activation Options screen opens.5. Choose Continue.

A completion message appears: Activation successfully completed.

8 Activating Business Configuration (BC) Sets8.1 Activating AC/PC/RM 10.0 BC Sets

2012-06-18 PUBLIC 33/56

NOTEThe information that follows applies only when activating AC/PC/RM 10.0 Business Configuration sets. The following does not apply when activating BC sets in Access Control 10.0 only environments.

Alternatively, if a yellow informational message appears, choose Enter and then the completion message appears.

CAUTIONYou can safely ignore Basis functionality error messages that state:System table GRPCATTR* cannot be put in a BC Set.A message colored with a yellow background is only a warning. A message colored red is an error message.When activating the BC set tables that begin with GRPC-ATTR-*, errors may be listed in the progress column. There are five BC sets that need to be activated twice: GRPC-ATTR-CTRL_OBJ_CATEGORY GRPC-ATTR-CTRL_GROUP BC_SET_RISK_LEVEL_MATRIX GRFN-PNS-FDA GRFN-PNS-SOX1. You can ignore the following error messages during first-time activation:

GRPC-ATTR-CTRL_GROUP VC_GRPCATTR Table/View V_GRPCATTRVALUE2: higher-level entry for & missing

GRPC-ATTR-CTRL_GROUP VC_GRPCATTR Entry xxxx xxxx does not exist in GRPCATTRVALUE (check entry).

GRFN-PNS-FDA Entry FDA does not exist in GRPC_MCF_REGCONF (check entry).

GRFN-PNS-SOX Entry SOX does not exist in GRPC_MCF_REGCONF (check entry).

2. Second-time activation may produce warning messages that can safely be accepted if no error message occurs.

If you receive a Basis error message with a red background, you must contact your system administrator.

8.2 Access Control BC Sets TableYou need to activate the BC sets that are delivered with SAP Access Control 10.0. You can activate all of the BC sets by using transaction SCPR20.In the following table, BC sets are categorized by type. BC sets marked with an asterisk (*) indicate you can also activate them via Customizing.

8 Activating Business Configuration (BC) Sets8.2 Access Control BC Sets Table

34/56 PUBLIC 2012-06-18

RECOMMENDATIONConsult with the Access Control functional configurators before activating the BC sets for rules, such as, SOD Rules Set. Work with the functional configurators to determine which rule sets are relevant for your implementation.

BC Set BC Set NameSpecific to Access Risk AnalysisGRAC_RA_RULESET_COMMON SOD Rules SetGRAC_RA_RULESET_JDE JDE Rules SetGRAC_RA_RULESET_ORACLE ORACLE Rules SetGRAC_RA_RULESET_PSOFT PSOFT Rules SetGRAC_RA_RULESET_SAP_APO JDE Rules SetGRAC_RA_RULESET_SAP_BASIS SAP BASIS Rules SetGRAC_RA_RULESET_SAP_CRM SAP CRM Rules SetGRAC_RA_RULESET_SAP_ECCS SAP ECCS Rules SetGRAC_RA_RULESET_SAP_HR SAP HR Rules SetGRAC_RA_RULESET_SAP_NHR SAP R/3 less HR Basis Rules SetGRAC_RA_RULESET_SAP_R3 SAP R/3 AC Rules SetGRAC_RA_RULESET_SAP_SRM SAP SRM Rules SetSpecific to Access Request ManagementGRAC_ACCESS_REQUEST_REQ_TYPE* Request TypeGRAC_ACCESS_REQUEST_EUP* EUP (Note: Only the value EU ID 999 is valid for this

BC set.)GRAC_ACCESS_REQUEST_APPL_MAPPING* Mapping BRF Function IDs and AC ApplicationsGRAC_ACCESS_REQUEST_PRIORITY* Request PrioritySpecific to Business Role ManagementGRAC_ROLE_MGMT_SENTIVITY* SensitivityGRAC_ROLE_MGMT_METHODOLOGY* Methodology Process and StepsGRAC_ROLE_MGMT_ROLE_STATUS* Role StatusGRAC_ROLE_MGMT_PRE_REQ_TYPE* Prerequisite TypesSpecific to Superuser ManagementGRAC_SPM_CRITICALITY_LEVEL* Criticality LevelsSpecific to WorkflowGRC_MSMP_CONFIGURATION* MSMP Workflow Configuration Rules Set

8.3 Process Control BC Sets TableYou need to activate the following BC sets (categorized by type) that are delivered with SAP Process Control 10.0:BC Set NameProcess Control-specific generic BC sets

8 Activating Business Configuration (BC) Sets8.3 Process Control BC Sets Table

2012-06-18 PUBLIC 35/56

BC Set NameGRPC-AGENTSLOTC-GLOBAL Global Roles to Receive Tasks in WorkflowGRPC-ROLE-CROSS-REG Role Assignment for PC Cross Regulation RolesGRPC-SCOPE-MAT-ANA-FREQ Scoping Materiality Analysis FrequencyGRPC-SCOPE-IMPACT-LEVEL Impact LevelsBC_SET_PROBABILITY_LEVEL_ID Maintain Probability Level IDBC_SET_RISK_LEVEL_MATRIX Maintain Risk Level Matrix

NOTEBefore activating this BC set, first activate BC_SET_PROBABILITY_LEVEL_ID.

GRPC-SCOPE-CNTL-RISK-FACTOR Control Risk FactorGRPC-SCOPE-CNTL-RATE-RNG Control Rating RangeGRPC-SCOPE-LVL-EVID-VAL Level of Evidence ValueGRPC-SCOPE-LVL-EVID Level of EvidenceBCSET-GRRM-GRRMVRISKOPPLVL Maintain Risk and Opportunity LevelsGRPC-BP-ATTR-VALUE Business Process Attribute ValuesGRPC-ATTR-ASSERTION Financial AssertionsGRPC-ATTR-CATEGORY Control CategoryGRPC-ATTR-CTRL_FREQUENCY Frequency of Control OperationGRPC-ATTR-CTRL_GROUP Control Group and SubgroupGRPC-ATTR-CTRL_OBJ_CATEGORY Control Objective Category and Control TypeGRPC-ATTR-IELC-FREQ Indirect Entity-Level Control Operation FrequencyGRPC-ATTR-INDUSTRY IndustryGRPC-ATTR-NATURE Nature of ControlGRPC-ATTR-PURPOSE Control PurposeGRPC-ATTR-RELEVANCE Control RelevanceGRPC-ATTR-RISK_IMPACT Qualitative Risk ImpactGRPC-ATTR-SAMPLE_METHOD GRPC: Add New Sampling Method to BC SetGRPC-ATTR-SCHED_FREQUENCY Scheduling FrequencyGRPC-ATTR-SIGNIFICANCE Control SignificanceGRPC-ATTR-TEST_TECH Test TechniqueGRPC-ATTR-TRANSTYPE Transaction TypeProcess Control FDA-specific BC sets for FDA regulationsGRFN-PNS-FDA Plan Usage FDA

NOTEBefore activating this BC set, first activate GRPC-MCF-FDA.

GRPC-AGENTSLOTC-FDA FDA Roles to Receive Tasks in WorkflowGRPC-MCF-FDA Regulation/Policy FDAGRPC-ROLE-FDA Roles for Regulation/Policy FDA

8 Activating Business Configuration (BC) Sets8.3 Process Control BC Sets Table

36/56 PUBLIC 2012-06-18

BC Set NameNOTEBefore activating this BC set, first activate GRPC-MCF-FDA.

BC sets for SOX regulations:GRFN-PNS-SOX Plan Usage SOX

NOTEBefore activating this BC set, first activate GRPC-MCF-SOX.

GRPC-AGENTSLOTC-SOX SOX Roles to Receive Tasks in WorkflowGRPC-MCF-SOX Regulation/Policy SOXGRPC-ROLE-SOX Roles for Regulation/Policy SOX

NOTEBefore activating this BC set, first activate GRPC-MCF-SOX.

NOTEThe following BC sets must be activated twice: GRPC-ATTR-CTRL_OBJ_CATEGORY (Control Objective Category and Control Type) GRPC-ATTR-CTRL_GROUP (Control Group and Subgroup)

8.4 Shared BC Sets (Process Control & Risk Management)You need to activate the following BC sets that are delivered with SAP Process Control 10.0 and Risk Management 10.0:BC Set DescriptionGRFN-AHISS-CAPA-REG-CRS Enable CAPA by Regulation Type for Cross Regulation EntitiesGRFN-AHISS-OBJECT Enable Ad Hoc Issues by Object TypeGRFN-AHISS-SOURCE Maintain Ad Hoc Issue SourcesGRFN-AHISS-SOURCE-ENTITY Assign Ad Hoc Issue Sources to Entity TypesGRFN-ALLOW-CREATE-LOCAL-CTRL Maintain Possibility to Add Local Controls to Local SubprocessGRFN-POLICY-ACKN-OPTION Define acknowledgment optionGRFN-POLICY-APPROVAL Define Policy ApprovalsGRFN-POLICY-CATEGORY Maintain Policy CategoriesGRPC-AMF-MENUITEM-UPGRADE BC Set of AMF menu items for upgrade customers

(for upgrade customers only)

NOTEThis BC set must be activated twice.

GRFN-WORKFLOW-NOTIFICATION Maintain Workflow NotificationsGRPC-FREQUENCY Timeframe FrequenciesGRPC-TIMEFRAME TimeframesBC_SET_BENEFIT_CATEGORY Maintain Benefit Category

8 Activating Business Configuration (BC) Sets8.4 Shared BC Sets (Process Control & Risk Management)

2012-06-18 PUBLIC 37/56

BC Set DescriptionGRPC-RISK-DRIVER-CATEGORY Driver Category of Risk AttributesGRPC-RISK-IMPACT-CATEGORY Impact Category of Risk AttributesBCSET-GRRM-GRFNV_DEC_SETUP Define Probability and Maximum ScoreBCSET-GRRM-GRRMVRISKOPPLVL Maintain Risk and Opportunity LevelsBC-SET_RISK_PRIORITY_ID Maintain Risk Priority ID

NOTEIf you are using Internal Audit Management functionality, ensure that the following BC Sets are activated: BCSET-GRRM-GRFNV_DEC_SETUP BCSET-GRRM-GRRMVRISKOPLVL BC-SET_RISK_PRIORITY_IDThese BC sets are used by the audit risk rating function of Internal Audit Management when setting risk score, risk level and risk priority for an auditable entity.

8.5 Risk Management BC Sets TableYou need to activate the following BC sets that are delivered with SAP Risk Management 10.0:BC Set NameBC_SET_ANALYSIS_PROFILE Maintain Analysis ProfileBC-SET_ACTIVITY_TYPES Maintain Activity TypesBC_SET_BENEFIT_CATEGORY Maintain Benefit CategoryBC_SET_DEFINE_CATEGORIES_POWL Maintain Categories for POWLBC_SET_DEFINE_THREE_POINT_ANALYS Define Three Point AnalysisBC_SET_DRIVER_CATEGORY Maintain Driver CategoryBC_SET_IMPACT_CATEGORY Maintain Impact CategoryBC_SET_IMPACT_LEVEL Impact and Risk LevelsBC-SET_INFLUENCE_STRENGTH Define Influence StrengthBC_SET_MAINTAIN_DEFAULT_QUERY Maintain Default Query for POWLBC-SET_MAINTAIN_OPP_RESP_TYPES Maintain Opportunity Response TypesBC_SET_MAINTAIN_USER_RESP Maintain Users Responsible for EntityBC_SET_OBJECTIVE_CATEGORIES Maintain Objective CategoryBC_SET_PROBABILITY_LEVEL_ID Maintain Probability Level IDBC_SET_PROBABILITY_LEVEL_MATRIX Maintain Probability Level MatrixBC-SET_RESPONSE_EFFECTIVENESS Maintain Response EffectivenessBC-SET_RESPONSE_TYPE Maintain Response TypeBC_SET_RISK_APETITE Maintain Risk AppetiteBC_SET_RISK_LEVEL Impact and Risk LevelsBC_SET_RISK_LEVEL_MATRIX Maintain Risk Level Matrix

8 Activating Business Configuration (BC) Sets8.5 Risk Management BC Sets Table

38/56 PUBLIC 2012-06-18

BC Set NameBC_SET_RISK_PRIORITY_MATRIX Maintain Risk Priority MatrixBC_SET_ROLES BC Set for RolesBC_SET_SPEED_OF_ONSET Maintain Speed of OnsetBC-SET_LOSS_MATRIX_COLORS Incident Loss Color MatrixBC_SET_UNIT_MEASURE Maintain Units of MeasuresBC-SET_RISK_RESPONSE_TYPE Maintain Risk Response Type CombinationBCSET-GRRM-GRFNV_POLICYTYPE Maintain Response Relevance for Policy TypesBCSET-GRRM-GRRMVPOLICYRESP Link Policy Status and Response Completeness

8 Activating Business Configuration (BC) Sets8.5 Risk Management BC Sets Table

2012-06-18 PUBLIC 39/56

9 Portal Package Configuration

9.1 Creating a System Connection in Enterprise PortalYou need to create a system connection for Access Control 10.0, Process Control 10.0, or Risk Management 10.0.

ProcedureTo create systems in the portal to access the Web Dynpro applications in the Process Control ABAP system:1. Navigate the SAP Help Portal as follows: help.sap.com/nw70 scroll past SAP NetWeaver 7.0 including

Enhancement Package 1 Knowledge Center Support Package Stack 05, September 2009 scroll past DocupediaFunctional View SAP NetWeaver by Key Capability People Integration by Key Capability Portal Portal

Administration Guide System Administration .Specifically, the topic Workset: System Administration provides tools to configure, maintain, and support the portal, its services, and system landscape.

2. Use the above path until you reach Portal, then follow this path: Portal Administration Guide Super Administration Administration Roles Workset: System Administration .

For optimum display of the portal, you need to choose the relevant portal configuration required depending on the license purchased. Select portal configuration for AC10-only license users or for SAP solutions for governance, risk, and compliance (GRC) multiple application license users (AC10 + PC10 + RM10 or any combination of two applications).

NOTESAP provides a set of sample roles, which include recommended authorizations. You can create your own PFCG roles or copy the sample roles to your customer namespace, and then modify them as needed. For more information about the delivered roles for, see Security Guide for SAP Access Control 10.0 / Process Control 10.0 / Risk Management 10.0.

Portal Configuration for AC 10.0-only Licensed Users System Aliases:

The system alias must use SAP-GRC and SAP-GRC-AC. Portal Roles:

Assign the role GRC ACCESS CONTROL to the user. Assign the role ERP COMMON to everyone in the user group.

9 Portal Package Configuration9.1 Creating a System Connection in Enterprise Portal

2012-06-18 PUBLIC 41/56

Portal Configuration for SAP Solutions for GRC Licensed UsersSystem Aliases If Access Control 10.0 is activated:

The system alias must use SAP-GRC and SAP-GRC-AC. If Process Control 10.0 is activated: The system alias must use SAP-GRC and SAP-GRC-PC. If Risk Management 10.0 is activated: The system alias must use SAP-GRC and SAP-GRC-RM.Portal Roles Assign the role GRC SUITE to the user. Assign the role ERP COMMON to everyone in the user group. Assign the role GRC Internal Audit Management to the user if needed.

9.2 Creating the Initial User in the ABAP SystemSAP AC/PC/RM 10.0 uses various roles to interface with the SAP system.

NOTEThis section uses the delivered roles only as an example. As you complete the procedure, it is essential that you replace the sample roles with equivalent roles in your customer namespace.

ProcedureAccess Control 10.0To create an initial user in the ABAP system for SAP Access Control 10.0:1. Initially, all Access Control users need to be assigned to SAP_GRAC_FN_BASE to access AC 10.0

applications.2. Next, assign the SAP_GRAC_FN_ALL role to the user doing the customizing of the product.

This is the power user role. It gives the designated user the ability to see and do everything without being assigned to a specific Access Control role.This role is typically assigned to the user setting up the organization structures and assigning business roles to all the other users.The role does not contain the authorizations for Workflow Customizing, Case Management, or Web services activation. For these authorizations, use the role SAP_GRAC_SETUP.

CAUTIONAssign the SAP_GRAC_FN_ALL role with caution, since a user assigned to this role can make pervasive changes.For more information on the SAP_GRAC_FN_ALL role and its authorizations, see the SAP AC/PC/RM 10.0 Security Guide on the SAP Service Marketplace at: http://help.sap.com/grc.

3. Using transaction SU01, create a user.

9 Portal Package Configuration9.2 Creating the Initial User in the ABAP System

42/56 PUBLIC 2012-06-18

4. On the Address data tab, assign the communications type of e-mail and provide an e-mail address if this user needs to receive workflow notifications via e-mail.

5. On the Roles tab, assign the SAP_GRAC_FN_BASE, SAP_GRAC_FN_ALL, and SAP_GRAC_ALL roles to this user.

6. This user can now go to the IMG using transaction code SPRO and complete the configuration, including such steps as activating the Business Configuration (BC) sets and assigning roles to other users.

Process Control 10.0 and Risk Management 10.0To create an initial user in the ABAP system for SAP Process Control 10.0 and SAP Risk Management 10.0:1. Initially, all Process Control users and Risk Management users need to be assigned to

SAP_GRC_FN_BASE to access PC/RM 10.0 applications.2. Next, assign the SAP_GRC_FN_ALL role to the user doing the customizing of the product.

This is the power user role. It gives the designated user the ability to see and do everything without being assigned to a specific Process Control or Risk Management role.This role is typically assigned to the user setting up the organization structures and assigning business roles to all the other users. It contains all of the authorizations from the role SAP_GRC_FN_BUSINESS_USER, in addition to the following authorizations: Administrative functions in the Process Control Implementation Guide (IMG), and Risk

Management IMG. Structure setup in expert mode. Data upload for structure setup. Customizing table maintenance for PC/RM 10.0. Initiation of role assignment procedures.The role does not contain the authorizations for Workflow Customizing, Case Management, or Web services activation. For these authorizations, use the role SAP_GRC_SPC_SETUP.

CAUTIONAssign the SAP_GRC_FN_ALL role with caution, since a user assigned to this role can make pervasive changes.For more information on the SAP_GRC_FN_ALL role and its authorizations, see the SAP AC/PC/RM 10.0 Security Guide at: http://help.sap.com/grc.

3. Using transaction SU01, create a user.4. On the Address data tab, assign the communications type of e-mail and provide an e-mail address

if this user needs to receive workflow notifications via e-mail.5. On the Roles tab, assign the SAP_GRC_FN_BASE and SAP_GRC_FN_ALL roles to this user.

9 Portal Package Configuration9.2 Creating the Initial User in the ABAP System

2012-06-18 PUBLIC 43/56

6. This user can now go to the IMG using transaction code SPRO and complete the configuration, including such steps as activating the Business Configuration (BC) sets and assigning roles to other users.

9.3 Creating the Initial User in the Enterprise PortalThe Navigation tab and Work Centers for AC 10.0 and PC/RM 10.0 are defined in the portal roles, and these roles are maintained in the GRC portal package.After creating the portal user, the portal user administrator needs to assign the user to GRC 10.0 portal roles. This enables the user to see the GRC Navigation tab and Work Centers.

NOTEThis section uses the delivered roles only as an example. As you complete the procedure, it is essential that you replace the sample roles with equivalent roles in your customer namespace.

ProcedureAccess Control 10.01. Log on as portal user administrator and access the User Administration function.2. If the user has been created by the User Management Engine (UME) that is connected to the GRC

ABAP system, you do not need to create the user in the portal system.If not, create a new portal user and assign the system to the user in the User Mapping for System Access tab, along with a mapped user ID and password.

3. After creating the user, go to the Assigned Roles tab and assign the role GRC Suite (name: pcd:portal_content/com.sap.pct/com.sap.grc.grac/com.sap.grc.ac.roles/com.sap.grc.ac.Role_All) to the user who has the power user role SAP_GRAC_FN_ALL in the ABAP system, to enable viewing of all the Work Centers.

Process Control 10.0 and Risk Management 10.01. Log on as portal user administrator and access the User Administration function.2. If the user has been created by the User Management Engine (UME) that is connected to the GRC

ABAP system, you do not need to create the user in the portal system.If not, create a new portal user and assign the system to the user in the User Mapping for System Access tab, along with a mapped user ID and password.

3. After creating the user, go to the Assigned Roles tab and assign the role GRC Suite (name: pcd:portal_content/($installedpath$)/com.sap.grc.GRC_Suite/com.sap.grc.GRC_Suite_Role/com.sap.grc.GRC_Suite) to the user who has the power user role SAP_GRC_FN_ALL in the ABAP system, to enable viewing of all the Work Centers.

9 Portal Package Configuration9.3 Creating the Initial User in the Enterprise Portal

44/56 PUBLIC 2012-06-18

More InformationFor more information about visibility of Work Centers, see the SAP AC/PC/RM 10.0 Security Guide at http://help.sap.com/grc.Communication is based on the technologies delivered by SAP NetWeaver Portal. For more information, see the SAP NetWeaver Portal Security Guide at http://help.sap.com/nw.

9 Portal Package Configuration9.3 Creating the Initial User in the Enterprise Portal

2012-06-18 PUBLIC 45/56

10 Content Lifecycle Management (CLM) Installation

10.1 New FeaturesNOTEThis chapter applies only to SAP Process Control 10.0 and SAP Risk Management 10.0.

Content Lifecycle Management (CLM) aims to support the management of application content. This is achieved by providing users with a consistent way to package, version-control, inspect, and import vendor content into their systems. It focuses on the capability to deliver content from vendors landscapes to customers landscapes.It is not intended to provide a means to transport content within a single landscape; this is already facilitated by the ABAP transport system.

10.2 SAP Notes for CLM InstallationYou must read the following SAP Notes before you start the installation. These SAP Notes contain the most recent information on the installation, as well as corrections to the installation documentation.Make sure that you have the up-to-date version of each SAP Note, which you can find in the SAP Service Marketplace at http://service.sap.com/notes.SAP Note Number Title Description1511393 Release strategy for

the ABAP add-on POASBC

This note provides information about planning the installation and upgrade of ABAP add-on POASBC.

1511322 Installing POASBC 100_702 on NW 7.0 EHP2

You want to install an add-on or perform a delta upgrade to SAP NetWeaver 7.0 with Enhancement Package 2.

1536594 Support packages for POASBC 100_702

This note contains information about Add-on Support Packages for POASBC.

CAUTIONDo not import Support Package SP01 (SAPK-10001INPOASBC) and Support Package SP02 (SAPK-10002INPOASBC) together in a queue because a termination may occur during the import.

10 Content Lifecycle Management (CLM) Installation10.1 New Features

2012-06-18 PUBLIC 47/56

10.3 Planning for CLMPlanning for Content Lifecycle Management1. Determine the software component and supporting platform versions that are needed to run

Content Lifecycle Management.2. Identify the managed application system(s) for which content is to be managed using CLM; these

systems are used by CLM for communication during content extraction and content deployment.3. After identification of CLM and managed application systems; choose either integrated landscape

(in the same system where application is being installed) mode or standalone mode.4. Identify roles and their activities that are assigned to CLM users.5. If you intend to create or import content packages with attachments/supporting files apart from

application content, make sure that CLM is connected to a secured desktop. CLM uses local desktop for attachments/files upload and download within content packages. Make sure that CLM users have sufficient authorization to access local files.

Identifying Managed Application SystemsIt is not necessary to identify all managed application systems during CLM installation as you can add extra application systems at a later stage and configure them for communication to CLM. However, identifying the application systems at this stage can provide a good overview of the overall landscape in the context of CLM and can help you to decide on existing systems that can be used for CLM installation.The systems for which content is to be managed must be technically capable of integrating with Content Lifecycle Management (CLM). Apart from the current application (with which CLM is shipped), it is possible to integrate with further applications.

RECOMMENDATIONWe recommend integrating Content Lifecycle Management with the following: Consolidation system for deploying content before deploying that content to the actual

production system.

Choosing Landscape ModelYou need to decide whether the integrated or standalone mode of the Content Lifecycle Management (CLM) system is more appropriate for your scenario.Refer to technical system landscape section in the master guide for the application.

CAUTIONTo enable communication between connected SAP systems it might be necessary to set up trust relationships between systems. When planning the installation of Content Lifecycle Management on an already existing application system instance alongside an existing application, security and performance considerations must be taken into account.

Identifying Roles and Activities

10 Content Lifecycle Management (CLM) Installation10.3 Planning for CLM

48/56 PUBLIC 2012-06-18

Content Lifecycle Management only delivers sample technical roles containing authorizations for various managed applications and with supported features for each managed application. The delivered roles are only for reference for a particular managed application; for more restrictions, you need to plan what roles can exist with regard to CLM and what CLM activities can users with these roles perform. Documentation of the CLM-based authorization objects and delivered technical roles is included in the Security Guide.

RECOMMENDATIONWe recommend to have the same users for both CLM and the application. The CLM authorization object can be assigned to users specific to the application via Netweaver ABAP user and role management.Authorization checks for application-specific objects and roles are part of the application itself. Since CLM interacts with these applications for content extraction and deployment; unauthorized access to content can only be prevented if the same user is used in both CLM and the application.

Software ComponentSoftware Component PrerequisitesPOASBC version POA_SBC_100_702 SAP_ABA 7.02 SAP_BASIS 7.02

10.4 Preparing to Install CLMPreparing to Install Content Lifecycle ManagementFor more information about installing Content Lifecycle Management (CLM) as a standalone add-on, see SAP Service Marketplace at http://service.sap.com/securityguide SAP NetWeaver

SAP NetWeaver Security Guide Security Aspects for Lifecycle Management Security Issues in ABAP Software Maintenance Add-On Installation Tool (if CLM is being installed in standalone mode).See application-specific installation steps, which would include installation of CLM (if installation is being done together with application itself).If you are using Content Lifecycle Management in standalone mode, you can access the Customizing activities as follows:1. Run transaction SIMGH.2. Search for structure Content Lifecycle Management using F4 help.

You can add this structure as a favorite.3. Choose display mode.4. You can now maintain the Customizing activities.

10.5 Installing CLM ComponentsInstallation of Content Lifecycle Management

10 Content Lifecycle Management (CLM) Installation10.4 Preparing to Install CLM

2012-06-18 PUBLIC 49/56

1. Verify that CLM is not already installed.2. Install CLM in the landscape.Verifying Component is Not Already AvailableCheck the system status dialog to ensure that there is not already a component with a name starting POASBC installed.Installing the Component POASBC in Standalone Mode for Content Lifecycle ManagementUse the add-on installation tool to load the required package. The required package is available on the CD under [rel]/DATA/POA_SBC_[rel].SAR, where [rel] is the SAP_BASIS release version of the target system.For more information about installing Content Lifecycle Management (CLM) as a standalone add-on, see SAP Help Portal at http://help.sap.com SAP NetWeaver .

10.6 CLM Post-InstallationPost-Installation of Content Lifecycle Management1. Set up communication destinations.2. Determine naming policy and global configurations.3. Configure system registry.4. Configure technical settings.5. Optional: Set up user mapping.Setting Up Communication Destinations

NOTEThis step mainly applies to standalone CLM landscape model. In the landscape model where communication between the application and CLM happens locally, there is no need for communication destinations.

For each system that has to be managed via CLM there should be at least one RFC destination set up.

NOTEIf it cannot be guaranteed that the same users are used throughout the landscape, it is also the point when users in the managed system and in the system hosting CLM can be mapped to each other. This can be done by configuring authentication of the created RFC Destinations (Logon & Security).

For more information about setting up RFC destinations, see SAP Help Portal at http://help.sap.com SAP NetWeaver .

10 Content Lifecycle Management (CLM) Installation10.6 CLM Post-Installation

50/56 PUBLIC 2012-06-18

CAUTIONWhen configuring the RFC destination, make sure that you set up authentication (logon and security). Ensure that the user is not asked for RFC connection logon details, as CLM lacks the capability to prompt users for RFC connection logon details during runtime.

Make a note of the destinations created as these are needed later on during the configuration process.Determining Naming Policy and Global ConfigurationsTo ensure that a globally unique identification is available for content managed by CLM, namespaces have to be configured within CLM. When application content is managed in CLM system; it receives specific identification based on values configured in this step.UseThere are three levels of unique names within CLM: Vendor namespace

NOTEVendor namespace is only necessary for the business process Providing Content. It is not necessary for the business process Consuming Content.

Authoring domains Repository identificationYou define these values in Customizing for Content Lifecycle Management under Define Global Settings and Define Authoring Domains.For more information about the namespace concept within CLM, see SAP Library documentation under Content Lifecycle Management Content Group .Procedure1. Specify CLM repository ID and vendor namespace that is globally unique for this instance of CLM.

NOTETo ensure the uniqueness of the chosen namespace, SAP operates a service that issues unique namespaces for use in SAP Service Marketplace. Vendors are free to use their own namespace identifier that can distinguish their content from others in CLM.RECOMMENDATIONWe recommend using an existing registered vendor namespace with SAP.

2. Identify at least one authoring domain that is going to be used with this instance of CLM.These settings are unique per CLM instance per CLM ABAP system and client combination. Therefore, in a landscape where CLM is installed in one system, but is used in multiple ABAP clients, each ABAP client holds client-specific values.

EXAMPLEYou can have Netweaver ABAP server D1X:1. Development client 100 has values: Vendor Namespace = XXX, Repository ID = DEV100,

Authoring Domain = O&G_USA


2012-06-18 PUBLIC 51/56

2. Test client 200 has values: Vendor Namespace = XXX, Repository ID = QUA100, Authoring Domain = O&G_USA

You can define the applications that communicate with CLM in Customizing for Content Lifecycle Management under Define Applications.Configuring System RegistryThe CLM system registry is used for maintaining a list of the managed systems along with their connectivity information. CLM must have an entry in the system registry for all the systems that are to be managed by CLM.You can configure new managed systems in Customizing for Content Lifecycle Management under Maintain System Registry (transaction SPRO).For more information, see Maintain System Registry documentation.During maintenance of system registry, you are asked to specify an existing authoring domain and an existing RFC destination whose values were set in above steps.CLM predelivers application-specific API groups containing APIs that are RFC functions modules residing in application system. When you configure system registry, you associate RFC destination to API groups and finally you use the system registry at runtime in your business scenarios for content extraction and deployment.

NOTEAfter settings have been made in Customizing, the transaction /POA/CLM_API_TESTER should be run to test the configured systems, APIs, and function modules before running CLM for actual extraction and deployment. This tool is only intended for developers and it accepts the system registry ID. The returned results display the format, signature, and RFC checks against a particular application system.

You can also maintain the system registry in transaction SE54. Choose Edit View Cluster and enter /POA/VC_CLM_SYS_REG.Configuring Technical Settings for Content Lifecycle ManagementCLM has the following technical settings that can be maintained: Deployment polling count how many times to check the deployment Deployment polling interval (minutes) how often to check the deployment Maximum extract chunk size (KB) Refresh (seconds) how often to refresh the content in the main view Comparison threshold (hours) if a content group you are comparing is older than the defined

threshold, you receive a warning messageTo change these settings, see Customizing for Content Lifecycle Management under Maintain Technical Settings (transaction SPRO).For more information, see the Maintain Technical Settings documentation.Content Lifecycle Management (CLM) is delivered with the following SAP ABAP-based roles:


52/56 PUBLIC 2012-06-18

/POA/CLM_GRC_USER /POA/CLM_GRC__USERThere are three possible information architectures:SAP GUI InstallationIf SAP GUI is used as the information architecture, the following configuration steps must be followed to allow access to CLM:The CLM roles include the menu for the CLM Web Dynpro ABAP application and also an authorization profile for CLM-based authorization objects. For more information about authorizations, see the application security guide.As an administrator, you can assign users in the CLM roles or create your own roles as a copy of these and assign users to these roles.For example, after assignment of CLM roles to 'CLM_TEST' user in SAP backend, the CLM role is available in the user menu.NetWeaver Business Client InstallationIf NetWeaver Business Client is used as the information architecture, the following configuration steps must be followed to allow access to CLM:SAP solutions for governance, risk, and compliance (GRC) predeliver roles for NetWeaver Business Client for various applications and various functions such as: SAP_GRC_NWBC for overall GRC solutions work centers.

RECOMMENDATIONWe recommend that you include CLM in your existing GRC solutions role and provide the configuration in PFCG as needed. You can either include the menu from the delivered CLM role or create your own menu path in NetWeaver Business Client pointing to the CLM Web Dynpro ABAP application /POA/WD_CLM.

The CLM ABAP Web Dynpro application has the following configuration ID to run CLM for GRC solutions:/POA/WD_CLM_GRC - Configuration parameter for CLM in GRC solutions

EXAMPLEThe CLM Web Dynpro ABAP application is included as a new folder in a customer role, which is based on SAP_GRC_NWBC role in PFCG. As a result, the UI that is displayed to a user with this role includes work centers from an existing GRC solutions role plus a new work center for Content Lifecycle Management.

Portal-Based InstallationIf portal-based access is used as the information architecture, the following configuration steps must be followed to allow access to CLM:


2012-06-18 PUBLIC 53/56

Portal roles are used in GRC solutions to provide NetWeaver portal-based user access for various functions.For CLM, no existing portal role is supplied, but the following steps can be used to enable portal users to access CLM:1. In NetWeaver Portal, choose Content Administration Portal Content Management Portal Content .2. Copy an existing model workset, create a new workset, or enhance the old workset with the CLM

link.3. To add CLM as an application link:

1. Create a new iView based on Web Dynpro ABAP application.2. Provide WAS server details or an existing SAP system alias.3. Enter Web Dynpro ABAP application name as wd_clm and enter WDCONFIGURATIONID=%2fPOA

%2fWD_CLM_GRC in Application Parameters field.4. Assign the workset to existing or new portal roles as needed.

EXAMPLEYou can create a new portal role specifically for CLM, which is only visible to content administrators or you can assign the CLM work center to an existing role depending on your requirements.

5. Assign the portal role to relevant users and groups.6. Enable portal users to use back-end users, with the correct authorization to run CLM. Map the

portal users to back-end users with CLM roles assigned.


54/56 PUBLIC 2012-06-18

SAP AGDietmar-Hopp-Allee 1669190 WalldorfGermanyT +49/18 05/34 34 34F +49/18 05/34 34 20www.sap.com

Copyright 2012 SAP AG. All rights reserved.No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

SAP Access Control 10.0, Process Control 10.0, and Risk Management 10.0Table of Contents1 Introduction1.1 About this Document1.2 SAP Notes for the Installation1.3 Related Information1.4 Important GRC BI Content Integration Information1.5 Important Upgrade Information for Risk Management

2 Planning3 Preparing for the Installation3.1 Preparing to Install AC/PC/RM 10.03.2 Downloading AC/PC/RM 10.03.3 Running JAVA Service Program Manager (JSPM)3.4 Preparing to Install AC/PC/RM 10.0 Portal Core Components3.5 Preparing to Install Plug-Ins

4 Installing the Components5 Installing the Components in Enterprise Portal6 Installing TREX (Optional)7 PostInstallation7.1 Client Copy7.2 Activating the Applications in Clients7.3 Checking SAP ICF Services7.4 Maintaining System Data7.5 Maintaining Plug-in Settings

8 Activating Business Configuration (BC) Sets8.1 Activating AC/PC/RM 10.0 BC Sets8.2 Access Control BC Sets Table8.3 Process Control BC Sets Table8.4 Shared BC Sets (Process Control & Risk Management)8.5 Risk Management BC Sets Table

9 Portal Package Configuration9.1 Creating a System Connection in Enterprise Portal9.2 Creating the Initial User in the ABAP System9.3 Creating the Initial User in the Enterprise Portal

10 Content Lifecycle Management (CLM) Installation10.1 New Features10.2 SAP Notes for CLM Installation10.3 Planning for CLM10.4 Preparing to Install CLM10.5 Installing CLM Components10.6 CLM Post-Installation

Copyright and trademarks

Documents

SAP GRC 10 Installation Guide