Consider a scenario in which your organization uses SAP BusinessObjects Access Control and SAP BusinessObjects Process Control, with control owners monitoring the automated control setup in SAP BusinessObjects Process Control. This control can be of any type, such as master data control for vendor master system changes or validation of the authorization for new contractors who have joined in the organization. As all employees are assigned certain roles in SAP ERP Central Component (SAP ECC) to perform their jobs, it is challenging to automate such controls in SAP BusinessObjects Process Control.

You need to seek the help of SAP BusinessObjects Access Control for generating segregation of duties (SoD) violations. Once you are satisfied with the authorization assignment for the new contractors, you need to review the report periodically. Control owners need to manage the reporting of the test effectiveness in both the applications. You need to manually perform the test by survey assessment or manual test control and again review the SoD report in SAP BusinessObjects Process Control.

After integrating the two applications, you can automatically view the information you need in one dashboard from one application. By adopting this approach, you can manage the SoD report as well as authorization limitation for contractors and many other areas such as control mechanisms for the use of firefighter or custom role check status. This integrated approach reduces costs and provides better visibility of the end-to-end internal controls in your organization.

Technical Requirements

You need to have both SAP BusinessObjects Process Control and SAP BusinessObjects Access Control running. You do not need to have these applications running in one landscape or one server. Regardless of the landscape, you can integrate the applications with each other. If you are maintaining three-tier architectures for SAP BusinessObjects Access Control and SAP BusinessObjects Process Control, you can define your landscape for other cross-component functionality such as Real Time Agent (RTA) deployment within the SAP ERP or non-ERP landscape. RTA is a package installed in the SAP ECC system with automated rules for SAP BusinessObjects Process Control. This integration does not interfere with the landscape design of each application. The only technical requirement for this approach is to have proper network connectivity for these systems and the ability to communicate via service-oriented architecture (SOA) or Remote Function Call (RFC).

There are some version differences as well. Although SAP BusinessObjects Process Control 2.5 is ABAP stack based and SAP BusinessObjects Access Control 5.x is Java stack based, the integration is based on pre-delivered Web service functionality for SAP BusinessObjects Access Control 5.3. For SAP BusinessObjects Access Control 4.0, the integration is based on the ABAP platform and RFC methods.

SAP BusinessObjects Access Control contains four components: Risk Analysis and Remediation (RAR), Enterprise Role Management (ERM), Compliant User Provisioning (CUP), and SPM. You can integrate SAP BusinessObjects Process Control with each of these components using this procedure. In this example, I’m just using ERM, RAR, and SPM.

Integration between SAP BusinessObjects Access Control 4.0 and SAP BusinessObjects Process Control 2.5

Figure 1 shows how SAP BusinessObjects Process Control 2.5 sends the rules and script information to SAP BusinessObjects Access Control 4.0. Both are built in ABAP SAP NetWeaver technology, so the communication happens via RFC. You need to define these configurations prior to the operation phase of the integrated approach.

Figure 1

Flow diagram between SAP BusinessObjects Access Control 4.0 and SAP BusinessObjects Process Control 2.5

Integration Prerequisites

Prior to the integration in this example, the auditor or business process owner monitors the report and takes necessary steps to remediate the issues. He or she needs to review the report in each application. No control is available to generate an issue for any exception produced in SPM. After you integrate the scenario, you can view the entire log from SAP BusinessObjects Process Control and thereby diagnose the problem if any exception occurs.

You can make this happen by following the steps I’ll show you. This is one example, but you can build the rules and controls based on your business requirements and technical limitations.

Log on to SAP NetWeaver Business Client and to SAP BusinessObjects Process Control and define the three important categories — script type, system type, and script categories — in the rule building process in SAP BusinessObjects Process Control 2.5 (Figure 2). The default values are already available in SAP BusinessObjects Process Control 2.5. You can use these parameters to build the control rule assignment, which establishes the relationship between the control and the rule in SAP BusinessObjects Process Control.

Figure 2

Define script types

Script type is a very important factor in defining the rule script because it is an identifier to establish relationships with a program or query. For SAP BusinessObjects Access Control 4.0, define the script type as SAP because it is ABAP based. For SAP BusinessObjects Access Control 5.3, define the script type as SOD because it is Java based. There is a pre-delivered Web service called VirsaCCRiskAnalysisService in the installation guide that you can use for the integration of SAP BusinessObjects Access Control 5.3 to SAP BusinessObjects Process Control 2.5.

SAP BusinessObjects Process Control can monitor the control across SAP and non-SAP systems. Selecting a system type provides the entire system details and enables the SAP BusinessObjects Process Control to integrate multiple systems. For SAP BusinessObjects Access Control 4.0, define the system type as SAP and for SAP BusinessObjects Access Control 5.3, define the system type as CC (Figure 3).

Figure 3

Define system types

To differentiate between all the script categories, choose Configuration Control or Master Data Control (Figure 4). This is the initial configuration required to build SAP BusinessObjects Process Control to work for SAP BusinessObjects Access Control. For example, if you want to check a configuration control such as how many times the exchange rate type is changed in the TCURV table, choose Configuration Control. In the material master, if the unit of measure has changed during the year, choose Master Data Control.

Figure 4

Define script categories

Now let’s move on to building the rulse and scripts in SAP BusinessObjects Process Control 2.5.

Step 1. Create Scripts

Log onto SAP NetWeaver Business Client and to SAP BusinessObjects Process Control 2.5 and follow menu path Evaluation Setup > Rule Script > Create (Figure 5). Choose the SAP standard script type because SAP BusinessObjects Access Control 4.0 is ABAP based. For the Target Connector, select the one in which the SAP BusinessObjects 4.0 system is running. The program name is the one with which you are going to integrate, which you can find in SPM. You can get the program name by logging into SAP ERP (in this example, J1E_100) and running transaction /n/VIRSA/VFAT. Go to the utility toolbox and run the log report, and then go to System > Status to find the program name. You’ll see this program name in the SPM and SAP BusinessObjects Process Control integration methodology.

Figure 5

Create a script for SPM

You can build the script for RAR to construct a rule for a user authorization count of more than 150, for example (Figure 6). You can create a script for RAR where you need to enter the program name (e.g., /VIRSA/ZVRAT_U01). J1E is the target connector for SAP BusinessObjects Access Control 4.0.

Figure 6

Create a script for RAR

Figure 7 shows a script used for ERM and to build a rule for a Z* role status check. Enter the program name /VIRSA/ZVRMT_U01. This program is available in ERM and provides the role status in ERM.

Figure 7

Create a script for ERM

To get a program name, you need to log on to the system where SAP BusinessObjects Access Control 4.0 is installed and go to transaction /VIRSA/ZVRAT. For example, to get the program name for user count authorization, run /n/VIRSA/ZVRAT. Click the toolbox icon and follow menu path Virsa Tool Box > Virsa Utilities and Reports > User Administration Utilities and Reports > Count authorization for Users. In that report, go to System > Status > Repository data > Program (Screen).

Step 2. Create Rules

Rules control and determine the exception data that is extracted from SAP ERP when a control is tested or monitored. A rule is a combination of a script and rule parameters (or group of rule criteria).

You create a rule to prepare control objectives. To create a rule in SPM, go to Evaluation set up > Rule > Create (Figure 8). Enter the script created earlier in step 1 (e.g., PC_SUP_FIREFIGHTER). The area that is grayed out is automatically imported from the script. You need to make sure that the rule has been released so you can save the rule. You do not need a rule parameter for an SAP standard rule set — it is only required in delivered rule scripts.

Figure 8

Create a rule for SPM

Then create a rule for RAR (Figure 9). In this example, you want the user authorization count not to exceed 150. The rule generates a review-required report in SAP BusinessObjects Process Control 2.5. You can provide the validity period and select the script you created earlier for this application. You need to release it by setting the Rule Status to Released.

Figure 9

Create a rule for RAR

Then create a rule for ERM (Figure 10). In this example, I will show you how to review the role status of ERM in SAP BusinessObjects Process Control 2.5. You can provide the validity period and select the script you created earlier for this application. You need to release it before you can save the rule.

Figure 10

Create a rule for ERM

Step 3. Create a Process or Use an Existing One

A process refers to a set of activities relating to a specific function in an organization’s operations. These activities, if appropriately carried out, produce the desired output or process result. It encompasses the flow of material and information between the process steps, and the required business decisions that determine how to accomplish a process step.

You can create a central process or use an existing process that is relevant for the control of integration you are planning to use. You need to map this with the business requirement and process owner approval. To do this, go to Compliance Structure > Central Process Hierarchy > Create > Process (Figure 11).

Figure 11

Create a process in SAP BusinessObjects Process Control 2.5

Step 4. Create a Subprocess or Use an Existing One

A process can contain subsets of the activities, known as subprocesses. An example of a process is the order-to-cash activity. This process starts with sales order creation and ends with receipt of cash from customers for goods delivered or services rendered. A subprocess for this can be the sales order processing, which pertains to the receipt, processing, and execution of a sales order.

You can create a central subprocess or use any existing subprocess that is relevant for the control of integration you are planning to use. You need to map this with the business requirement and subprocess owner approval. To create it, go to Compliance Structure > Central Process Hierarchy > Create > Subprocess (Figure 12).

Figure 12

Create a subprocess in SAP BusinessObjects Process Control 2.5

Step 5. Create Controls in SAP BusinessObjects Process Control 2.5

A process also includes relevant controls to ensure that the process and corresponding subprocesses are performed according to the company’s requirements and policies. These controls are activities designed to address control objectives and mitigate risks in the company’s internal control environment.

You need to create a control by going to Compliance Structure > Central Process Hierarchy > Create > Control (Figure 13). Place the cursor where the control needs to be assigned to the subprocess. This control is designed to address control objectives and mitigate risks in the company’s internal control environment. In Figure 13, you add a description for the Firefighter log report. Similarly for integrating with RAR and ERM, you need to create a control for each application. Figure 14 shows one for RAR and Figure 15 shows one for ERM.

Figure 13

Create a control for SPM (specifically, a Firefighter log report)

Figure 14

Create a control for RAR

Figure 15

Create a control for ERM

The control objective for RAR is to monitor the user count authorization number so it does not exceed 150 authorization counts for all users available in the system. I define the operation frequency as Monthly and the control automation as automatic by selecting 0AUT.

In Figure 15, I define the role status check for all the roles managed in ERM. Similarly, I define for the frequency of operation to be Monthly and the control automation mode as automatic for this control by selecting 0AUT. You can select the control relevance for this automated monitoring control based on your business requirement.

Step 6. Assign the Subprocess to an Organizational Unit

Organizations within the Compliance Structure work center allow you to define organization structures relevant to your compliance initiatives. The organization structure you set up affects your analysis and reporting requirements, including sign-off by organizations.

Within your organizational hierarchy, you can assign subprocesses to one or more organizations. In doing so, you are also associating the related parent processes and subordinate controls to these organizations. Depending on your method of assignment, you may allow the subprocesses and controls to be edited locally by the organization, if needed, or to only reference the central process hierarchy.

To associate the relevant parent process with the control, you can monitor the evaluation results for the entire organization in SAP BusinessObjects Process Control for the three controls for RAR, ERM, and SPM. To assign the control and subprocess to the organizational unit, in SAP BusinessObjects Process Control 2.5 follow menu path Compliance Structure > Organizations > Open > Subprocesses > Assign Subprocess (Figure 16). You need to place the cursor in the organization to which you are going to assign these new controls you created for SPM.

Figure 16

Assign the control and subprocess to the organizational unit

Step 7. Assign Control Rules

You can assign rules to controls for automated testing and monitoring. These rules can be either automated or semi-automated. Go to the path Evaluation Setup > Control rule assignment (Figure 17). First you search for the organization and then you assign rules to a selected control.

Finally, you need to maintain the frequency and monitoring or compliance category based on the need. In the Assigned Rules and Frequencies section, click the control and then the Maintain Frequencies button. You can maintain the rule for compliance, to test effectiveness of controls for reporting to your internal or external auditors, or to monitor the continuous operating effectiveness of the control. You can assign rules that may have different testing frequencies to a control. Then you can define the frequency as weekly, monthly, or annually.

Figure 17

Assign the control rule for RAR, SPM, and ERM

Step 8. Create a Schedule

Scheduling refers to the process of creating a recurring event (job) at a specified frequency to perform automated tests and monitoring of controls. To check whether the controls are followed properly in your organization, set up frequencies during which the controls with the rules are tested and monitored for any deficiency.

You can create a schedule job in the scheduler for this newly created control in SAP BusinessObjects Process Control 2.5. Follow menu path Evaluation Setup > Monitoring Scheduler (Figure 18). Here you can search for the control recently created for SPM.

Figure 18

Create the scheduler

Variants play a significant role in getting the right amount of data as well as filtering for any performance bottleneck (Figure 19). In the screen shown in Figure 18, scroll to the right of the Selected Controls panel and select the last line that shows the Firefighter log report. View the open input field called Variant Name. Here you can select variants for the control execution scheduler to restrict the result output based on your requirements. For example, you have 10 Firefighter IDs that exist in SPM, and you are responsible for monitoring only one Firefighter ID (e.g., FFID01) so you can use the variant to select for this control. You can also view the job status from the scheduler screen, which you see after you create the schedule (Figure 20).

Figure 19

Select variants

Figure 20

Monitoring scheduler

Step 9. Review the Reports

After you complete the job, you can view the job status in Figure 20. Follow menu path Evaluation Set up > Job Monitor > Search to see the information about the job and the attachment for the reports to be reviewed for SPM. In Figure 21, you can view the job log of the Firefighter log report control.

Figure 21

Job log view in SAP BusinessObjects Process Control 2.5

Click Firefighter Log Report in the screen in Figure 21 to view the output of the report in SAP BusinessObjects Process Control 2.5 (Figure 22). Similarly you can navigate to the jobs created for RAR and ERM control in SAP BusinessObjects Process Control 2.5.

Figure 22

Report output

Click AC RAR – USER COUNT in Figure 20 to produce the screen in Figure 23. This shows the control for the job name for RAR, JOB GRC EXPERT 02. You can view the job log status as well as the user authorization count report. It shows the detailed information of the job, such as the variant name as USER_C1 and the target connector used for this automated control in which SAP BusinessObjects Access Control 4.0 is operational. You can also view the time frame when the job is scheduled and executed.

Figure 23

Job detail view of the RAR control

Click AC RAR – User Auth Count in the screen in Figure 23 to bring up the screen shown in Figure 24. This shows the report output of user count for more than 150 authorizations in SAP List Viewer format. This report is rendered in SAP BusinessObjects Process Control 2.5, showing the effectiveness of having a common integrated approach for one framework for reviewing and monitoring the control and evaluation results.

Figure 24

Report output for RAR

Figure 25 shows the job name for RAR is JOB GRC EXPERTS 03. You can view the job log status as well as the role status in the ERM report. It shows detailed information, including that AC ERM – ROLE STATUS links to ERM and the subprocess for this control is GRC Experts – Role Management. You can also view the time frame when the job is scheduled and executed.

Figure 25

Job detail view of the RAR control

Click the link AC ERM – Custom Role Status in the screen in Figure 25 to get the report output as shown in Figure 26. This report is rendered in SAP BusinessObjects Process Control 2.5 in the same way as it could be generated in SAP BusinessObjects Access Control 4.0.

Figure 26

Report output for ERM

To troubleshoot any errors in the executions of the job, you can go to transaction SM37 and search for the job created in SAP BusinessObjects Process Control 2.5 (Figure 27). The job name is the same as what you entered in the scheduler screen in SAP BusinessObjects Process Control 2.5. You can retrieve more information about the log file — whether it is a success or failure or further information about the job status. Click the Job log button to view the detail screen of the job with each step’s information (Figure 28).

Figure 27

Job details in transaction SM37

Figure 28

Job log overview in transaction SM37

You can view each step and make a judgment on how the application is triggered and what activity is carried out during the process. For example, the job is finished at the last step, which means that ABAP Scheduler can successfully complete the job in SAP BusinessObjects Access Control 4.0. If you experience any problem in SAP BusinessObjects Process Control 2.5, then you need to review the job status in SAP Business Objects Process Control 2.5 for further analysis and review of the job status.

This job log also created more information on not only the job execution but also the information on whether the test results have been shared with SAP BusinessObjects Process Control 2.5. You can view the results sent successfully to SAP BusinessObjects Process Control in the job log (Figure 29).

Figure 29

Job log overview for test results from transaction SM37 to SAP BusinessObjects Process Control 2.5