See how to integrate SAP BusinessObjects Access Control and SAP BusinessObjects Process Control. You can optimize reporting practices, consolidate segregation of duties issues, and troubleshoot any potential problems using these two applications.
Key Concept
Centralized control management enables the automation of your internal control and access control methodology. Together, SAP BusinessObjects Access Control and SAP BusinessObjects Process Control automate the monitoring of segregation of duties exceptions and noncompliance events (e.g., role status or operation work), giving you better visibility of key business processes. Automated rule monitoring integrates with SAP BusinessObjects Access Control for effective monitoring and access management in a single solution.
Consider a scenario in which your organization uses SAP BusinessObjects Access Control and SAP BusinessObjects Process Control, with control owners monitoring the automated control setup in SAP BusinessObjects Process Control. This control can be of any type, such as master data control for vendor master system changes or validation of the authorization for new contractors who have joined the organization. As all employees are assigned certain roles in SAP ERP Central Component (SAP ECC) to perform their jobs, it is challenging to automate such controls in SAP BusinessObjects Process Control.
You need to seek the help of SAP BusinessObjects Access Control for generating segregation of duties (SoD) violations. Once you are satisfied with the authorization assignment for the new contractors, you need to review the report periodically. Control owners need to manage the reporting of the test effectiveness in both applications. You need to manually perform the test by survey assessment or manual test control and again review the SoD report in SAP BusinessObjects Process Control.
After integrating the two applications, you can automatically view the information you need in one dashboard from one application. By adopting this approach, you can manage the SoD report as well as authorization limitation for contractors and many other areas such as control mechanisms for the use of firefighter or custom role check status. This integrated approach reduces costs and provides better visibility of the end-to-end internal controls in your organization.
Note
Superuser Privilege Management (SPM) was formerly referred to as Virsa FireFighter, so “FireFighter” still appears in some of the screenprints and in some functionalities, such as the Firefighter log report.
Technical Requirements
You need to have both SAP BusinessObjects Process Control and SAP BusinessObjects Access Control running. You do not need to have these applications running in one landscape or one server. Regardless of the landscape, you can integrate the applications with each other. If you are maintaining three-tier architectures for SAP BusinessObjects Access Control and SAP BusinessObjects Process Control, you can define your landscape for other cross-component functionality such as Real Time Agent (RTA) deployment within the SAP ERP or non-ERP landscape. RTA is a package installed in the SAP ECC system with automated rules for SAP BusinessObjects Process Control. This integration does not interfere with the landscape design of each application. The only technical requirement for this approach is to have proper network connectivity for these systems and the ability to communicate via service-oriented architecture (SOA) or Remote Function Call (RFC).
There are some version differences as well. Although SAP BusinessObjects Process Control 2.5 is ABAP stack based and SAP BusinessObjects Access Control 5.x is Java stack based, the integration is based on pre-delivered Web service functionality for SAP BusinessObjects Access Control 5.3. For SAP BusinessObjects Access Control 4.0, the integration is based on the ABAP platform and RFC methods.
SAP BusinessObjects Access Control contains four components: Risk Analysis and Remediation (RAR), Enterprise Role Management (ERM), Compliant User Provisioning (CUP), and SPM. You can integrate SAP BusinessObjects Process Control with each of these components using this procedure. In this example, I’m just using ERM, RAR, and SPM.
Integration between SAP BusinessObjects Access Control 4.0 and SAP BusinessObjects Process Control 2.5
Figure 1 shows how SAP BusinessObjects Process Control 2.5 sends the rules and script information to SAP BusinessObjects Access Control 4.0. Both are built in ABAP SAP NetWeaver technology, so the communication happens via RFC. You need to define these configurations prior to the operation phase of the integrated approach.

Figure 1
Flow diagram between SAP BusinessObjects Access Control 4.0 and SAP BusinessObjects Process Control 2.5
Integration Prerequisites
Prior to the integration in this example, the auditor or business process owner monitors the report and takes necessary steps to remediate the issues. He or she needs to review the report in each application. No control is available to generate an issue for any exception produced in SPM. After you integrate the scenario, you can view the entire log from SAP BusinessObjects Process Control and thereby diagnose the problem if any exception occurs.
You can make this happen by following the steps I’ll show you. This is one example, but you can build the rules and controls based on your business requirements and technical limitations.
Log on to SAP NetWeaver Business Client and to SAP BusinessObjects Process Control and define the three important categories — script type, system type, and script categories — in the rule building process in SAP BusinessObjects Process Control 2.5 (Figure 2). The default values are already available in SAP BusinessObjects Process Control 2.5. You can use these parameters to build the control rule assignment, which establishes the relationship between the control and the rule in SAP BusinessObjects Process Control.

Figure 2
Define script types
Script type is a very important factor in defining the rule script because it is an identifier to establish relationships with a program or query. For SAP BusinessObjects Access Control 4.0, define the script type as SAP because it is ABAP based. For SAP BusinessObjects Access Control 5.3, define the script type as SOD because it is Java based. The installation guide describes a pre-delivered Web service called VirsaCCRiskAnalysisService that you can use for the integration of SAP BusinessObjects Access Control 5.3 to SAP BusinessObjects Process Control 2.5.
Note
A rule script is a key link between SAP BusinessObjects Process Control and the SAP ERP system. SAP ERP has the business-related information (e.g., sales order and invoices) and SAP BusinessObjects Process Control monitors that information based on the mechanism provided in the script.
SAP BusinessObjects Process Control can monitor the control across SAP and non-SAP systems. Selecting a system type provides the entire system details and enables the SAP BusinessObjects Process Control to integrate multiple systems. For SAP BusinessObjects Access Control 4.0, define the system type as SAP and for SAP BusinessObjects Access Control 5.3, define the system type as CC (Figure 3).

Figure 3
Define system types
To differentiate between all the script categories, choose Configuration Control or Master Data Control (Figure 4). This is the initial configuration required to build SAP BusinessObjects Process Control to work for SAP BusinessObjects Access Control. For example, if you want to check a configuration control such as how many times the exchange rate type is changed in the TCURV table, choose Configuration Control. In the material master, if the unit of measure has changed during the year, choose Master Data Control.

Figure 4
Define script categories
Now let’s move on to building the rules and scripts in SAP BusinessObjects Process Control 2.5.
Step 1. Create Scripts
Log on to SAP NetWeaver Business Client and to SAP BusinessObjects Process Control 2.5 and follow menu path Evaluation Setup > Rule Script > Create (Figure 5). Choose the SAP standard script type because SAP BusinessObjects Access Control 4.0 is ABAP based. For the Target Connector, select the one in which the SAP BusinessObjects Access Control 4.0 system is running. The program name is the one with which you are going to integrate, which you can find in SPM. You can get the program name by logging into SAP ERP (in this example, J1E_100) and running transaction /n/VIRSA/VFAT. Go to the utility toolbox and run the log report, and then go to System > Status to find the program name. You’ll see this program name in the SPM and SAP BusinessObjects Process Control integration methodology.

Figure 5
Create a script for SPM
You can build the script for RAR to construct a rule for a user authorization count of more than 150, for example (Figure 6). You can create a script for RAR where you need to enter the program name (e.g., /VIRSA/ZVRAT_U01). J1E is the target connector for SAP BusinessObjects Access Control 4.0.

Figure 6
Create a script for RAR
Figure 7 shows a script used for ERM and to build a rule for a Z* role status check. Enter the program name /VIRSA/ZVRMT_U01. This program is available in ERM and provides the role status in ERM.

Figure 7
Create a script for ERM
To get a program name, you need to log on to the system where SAP BusinessObjects Access Control 4.0 is installed and go to transaction /VIRSA/ZVRAT. For example, to get the program name for user count authorization, run /n/VIRSA/ZVRAT. Click the toolbox icon and follow menu path Virsa Tool Box > Virsa Utilities and Reports > User Administration Utilities and Reports > Count authorization for Users. In that report, go to System > Status > Repository data > Program (Screen).
Step 2. Create Rules
Rules control and determine the exception data that is extracted from SAP ERP when a control is tested or monitored. A rule is a combination of a script and rule parameters (or group of rule criteria).
You create a rule to prepare control objectives. To create a rule for SPM, go to Evaluation Setup > Rule > Create (Figure 8). Enter the script created earlier in step 1 (e.g., PC_SUP_FIREFIGHTER). The area that is grayed out is automatically imported from the script. You need to make sure that the rule has been released so you can save the rule. You do not need a rule parameter for an SAP standard rule set; it is only required in delivered rule scripts.

Figure 8
Create a rule for SPM
Then create a rule for RAR (Figure 9). In this example, you want the user authorization count not to exceed 150. The rule generates a review-required report in SAP BusinessObjects Process Control 2.5. You can provide the validity period and select the script you created earlier for this application. You need to release it by setting the Rule Status to Released.

Figure 9
Create a rule for RAR
Then create a rule for ERM (Figure 10). In this example, I will show you how to review the role status of ERM in SAP BusinessObjects Process Control 2.5. You can provide the validity period and select the script you created earlier for this application. You need to release it before you can save the rule.

Figure 10
Create a rule for ERM
Step 3. Create a Process or Use an Existing One
A process refers to a set of activities relating to a specific function in an organization’s operations. These activities, if appropriately carried out, produce the desired output or process result. It encompasses the flow of material and information between the process steps, and the required business decisions that determine how to accomplish a process step.
You can create a central process or use an existing process that is relevant to the control integration you are planning. You need to map this to the business requirement and process owner approval. To do this, go to Compliance Structure > Central Process Hierarchy > Create > Process (Figure 11).

Figure 11
Create a process in SAP BusinessObjects Process Control 2.5
Step 4. Create a Subprocess or Use an Existing One
A process can contain subsets of the activities, known as subprocesses. An example of a process is the order-to-cash activity. This process starts with sales order creation and ends with receipt of cash from customers for goods delivered or services rendered. A subprocess for this can be the sales order processing, which pertains to the receipt, processing, and execution of a sales order.
You can create a central subprocess or use any existing subprocess that is relevant to the control integration you are planning. You need to map this to the business requirement and subprocess owner approval. To create it, go to Compliance Structure > Central Process Hierarchy > Create > Subprocess (Figure 12).

Figure 12
Create a subprocess in SAP BusinessObjects Process Control 2.5
Step 5. Create Controls in SAP BusinessObjects Process Control 2.5
A process also includes relevant controls to ensure that the process and corresponding subprocesses are performed according to the company’s requirements and policies. These controls are activities designed to address control objectives and mitigate risks in the company’s internal control environment.
You need to create a control by going to Compliance Structure > Central Process Hierarchy > Create > Control (Figure 13). Place the cursor where the control needs to be assigned to the subprocess. This control is designed to address control objectives and mitigate risks in the company’s internal control environment. In Figure 13, you add a description for the Firefighter log report. Similarly for integrating with RAR and ERM, you need to create a control for each application. Figure 14 shows one for RAR and Figure 15 shows one for ERM.

Figure 13
Create a control for SPM (specifically, a Firefighter log report)

Figure 14
Create a control for RAR

Figure 15
Create a control for ERM
The control objective for RAR is to monitor the user count authorization number so it does not exceed 150 authorization counts for all users available in the system. I define the operation frequency as Monthly and the control automation as automatic by selecting 0AUT.
In Figure 15, I define the role status check for all the roles managed in ERM. As with the RAR control, I define the operation frequency as Monthly and the control automation as automatic by selecting 0AUT. You can select the control relevance for this automated monitoring control based on your business requirement.
Step 6. Assign the Subprocess to an Organizational Unit
Organizations within the Compliance Structure work center allow you to define organization structures relevant to your compliance initiatives. The organization structure you set up affects your analysis and reporting requirements, including sign-off by organizations.
Within your organizational hierarchy, you can assign subprocesses to one or more organizations. In doing so, you are also associating the related parent processes and subordinate controls to these organizations. Depending on your method of assignment, you may allow the subprocesses and controls to be edited locally by the organization, if needed, or to only reference the central process hierarchy.
By associating the relevant parent process with the control, you can monitor the evaluation results for the entire organization in SAP BusinessObjects Process Control for the three controls for RAR, ERM, and SPM. To assign the control and subprocess to the organizational unit, in SAP BusinessObjects Process Control 2.5 follow menu path Compliance Structure > Organizations > Open > Subprocesses > Assign Subprocess (Figure 16). You need to place the cursor in the organization to which you are going to assign these new controls you created for SPM.

Figure 16
Assign the control and subprocess to the organizational unit
Step 7. Assign Control Rules
You can assign rules to controls for automated testing and monitoring. These rules can be either automated or semi-automated. Go to the path Evaluation Setup > Control rule assignment (Figure 17). First you search for the organization and then you assign rules to a selected control.
Finally, you need to maintain the frequency and monitoring or compliance category based on the need. In the Assigned Rules and Frequencies section, click the control and then the Maintain Frequencies button. You can maintain the rule for compliance, to test effectiveness of controls for reporting to your internal or external auditors, or to monitor the continuous operating effectiveness of the control. You can assign rules that may have different testing frequencies to a control. Then you can define the frequency as weekly, monthly, or annually.

Figure 17
Assign the control rule for RAR, SPM, and ERM
Step 8. Create a Schedule
Scheduling refers to the process of creating a recurring event (job) at a specified frequency to perform automated tests and monitoring of controls. To check whether the controls are followed properly in your organization, set up frequencies during which the controls with the rules are tested and monitored for any deficiency.
You can create a scheduled job in the scheduler for this newly created control in SAP BusinessObjects Process Control 2.5. Follow menu path Evaluation Setup > Monitoring Scheduler (Figure 18). Here you can search for the control recently created for SPM.

Figure 18
Create the scheduler
Variants play a significant role in getting the right amount of data as well as filtering for any performance bottleneck (Figure 19). In the screen shown in Figure 18, scroll to the right of the Selected Controls panel and select the last line that shows the Firefighter log report. View the open input field called Variant Name. Here you can select variants for the control execution scheduler to restrict the result output based on your requirements. For example, if 10 Firefighter IDs exist in SPM and you are responsible for monitoring only one of them (e.g., FFID01), you can use a variant to select just that ID for this control. You can also view the job status from the scheduler screen, which you see after you create the schedule (Figure 20).

Figure 19
Select variants

Figure 20
Monitoring scheduler
Note
Whenever you search for a variant name for the SPM control, you can enter one variant out of the selection of variants available, as mentioned in Figure 19. You can choose the variant for scheduling the job.
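A pre-flight consistency check for the object chain built in steps 1 through 8 (an added example, not SAP's or the author's code): it models scripts, rules, controls and schedules as plain Python records and reports what would keep an automated control from running. The record layout, the rule names, ORG_1, the "Draft" status, two of the script names and the SPM program placeholder are assumptions; the type pairs, the RAR and ERM program names, J1E and 0AUT come from the article.

```python
from dataclasses import dataclass

# Script type and system type per Access Control release, as the article states them.
EXPECTED_TYPES = {"4.0": ("SAP", "SAP"), "5.3": ("SOD", "CC")}
FREQUENCIES = {"weekly", "monthly", "annually"}

@dataclass
class Script:
    script_type: str
    system_type: str
    connector: str
    program: str = ""
@dataclass
class Rule:
    script: str
    status: str
@dataclass
class Control:
    automation: str          # "0AUT" = automatic (step 5)
    rule: str = ""
    frequency: str = ""
    org_unit: str = ""
    scheduled: bool = False

def validate(controls, rules, scripts, connectors):
    """Return sorted (control, finding) pairs; an empty list means the chain is complete."""
    findings = []
    for name, ctl in controls.items():
        if ctl.automation != "0AUT":
            continue  # only automated controls depend on rules and schedules
        if not ctl.org_unit:
            findings.append((name, "subprocess/control not assigned to an organization (step 6)"))
        if ctl.frequency not in FREQUENCIES:
            findings.append((name, "no valid frequency maintained (step 7)"))
        if not ctl.scheduled:
            findings.append((name, "no monitoring scheduler job (step 8)"))
        rule = rules.get(ctl.rule)
        if rule is None:
            findings.append((name, "no rule assigned (step 7)"))
            continue
        if rule.status != "Released":
            findings.append((name, f"rule {ctl.rule} is {rule.status!r}, not Released (step 2)"))
        script = scripts.get(rule.script)
        release = connectors.get(script.connector) if script else None
        if release not in EXPECTED_TYPES:
            findings.append((name, f"rule {ctl.rule}: script or target connector undefined (step 1)"))
            continue
        if (script.script_type, script.system_type) != EXPECTED_TYPES[release]:
            findings.append((name, f"script {rule.script} types do not match Access Control {release}"))
        if script.script_type == "SAP" and not script.program:
            findings.append((name, f"script {rule.script} has no ABAP program name (step 1)"))
    return sorted(findings)

# Constructed sample: rule names, ORG_1, "Draft" and the RAR/ERM script names are hypothetical.
CONNECTORS = {"J1E": "4.0"}
SCRIPTS = {
    "PC_SUP_FIREFIGHTER": Script("SAP", "SAP", "J1E", "<SPM_PROGRAM_NAME>"),  # placeholder
    "PC_RAR_USER_COUNT": Script("SAP", "SAP", "J1E", "/VIRSA/ZVRAT_U01"),
    "PC_ERM_ROLE_STATUS": Script("SOD", "CC", "J1E", "/VIRSA/ZVRMT_U01"),  # 5.3 types on 4.0
}
RULES = {
    "R_SPM": Rule("PC_SUP_FIREFIGHTER", "Released"),
    "R_RAR": Rule("PC_RAR_USER_COUNT", "Draft"),  # never released
    "R_ERM": Rule("PC_ERM_ROLE_STATUS", "Released"),
}
CONTROLS = {
    "Firefighter log report": Control("0AUT", "R_SPM", "monthly", "ORG_1", True),
    "AC RAR - USER COUNT": Control("0AUT", "R_RAR", "monthly", "ORG_1", True),
    "AC ERM - ROLE STATUS": Control("0AUT", "R_ERM", "monthly", "", False),
}
```

Calling validate(CONTROLS, RULES, SCRIPTS, CONNECTORS) on the sample returns four findings: the unreleased RAR rule, and for the ERM control the missing organization assignment, the missing scheduler job and the mismatched script and system types.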
Step 9. Review the Reports
After you complete the job, you can view the job status in Figure 20. Follow menu path Evaluation Setup > Job Monitor > Search to see the information about the job and the attachment for the reports to be reviewed for SPM. In Figure 21, you can view the job log of the Firefighter log report control.

Figure 21
Job log view in SAP BusinessObjects Process Control 2.5
Click Firefighter Log Report in the screen in Figure 21 to view the output of the report in SAP BusinessObjects Process Control 2.5 (Figure 22). Similarly you can navigate to the jobs created for RAR and ERM control in SAP BusinessObjects Process Control 2.5.

Figure 22
Report output
Click AC RAR – USER COUNT in Figure 20 to produce the screen in Figure 23. This shows the control for the job name for RAR, JOB GRC EXPERT 02. You can view the job log status as well as the user authorization count report. It shows the detailed information of the job, such as the variant name as USER_C1 and the target connector used for this automated control in which SAP BusinessObjects Access Control 4.0 is operational. You can also view the time frame when the job is scheduled and executed.

Figure 23
Job detail view of the RAR control
Click AC RAR – User Auth Count in the screen in Figure 23 to bring up the screen shown in Figure 24. This shows the report output of user count for more than 150 authorizations in SAP List Viewer format. This report is rendered in SAP BusinessObjects Process Control 2.5, showing the effectiveness of having a common integrated approach for one framework for reviewing and monitoring the control and evaluation results.

Figure 24
Report output for RAR
Figure 25 shows the job name for RAR is JOB GRC EXPERTS 03. You can view the job log status as well as the role status in the ERM report. It shows detailed information, including that AC ERM – ROLE STATUS links to ERM and the subprocess for this control is GRC Experts – Role Management. You can also view the time frame when the job is scheduled and executed.

Figure 25
Job detail view of the RAR control
Click the link AC ERM – Custom Role Status in the screen in Figure 25 to get the report output as shown in Figure 26. This report is rendered in SAP BusinessObjects Process Control 2.5 in the same way as it could be generated in SAP BusinessObjects Access Control 4.0.

Figure 26
Report output for ERM
To troubleshoot any errors in the executions of the job, you can go to transaction SM37 and search for the job created in SAP BusinessObjects Process Control 2.5 (Figure 27). The job name is the same as what you entered in the scheduler screen in SAP BusinessObjects Process Control 2.5. You can retrieve more information about the log file — whether it is a success or failure or further information about the job status. Click the Job log button to view the detail screen of the job with each step’s information (Figure 28).

Figure 27
Job details in transaction SM37

Figure 28
Job log overview in transaction SM37
You can view each step and make a judgment on how the application is triggered and what activity is carried out during the process. For example, the job is finished at the last step, which means that ABAP Scheduler can successfully complete the job in SAP BusinessObjects Access Control 4.0. If you experience any problem in SAP BusinessObjects Process Control 2.5, then you need to review the job status in SAP BusinessObjects Process Control 2.5 for further analysis.
This job log provides information not only on the job execution but also on whether the test results have been shared with SAP BusinessObjects Process Control 2.5. You can view the results sent successfully to SAP BusinessObjects Process Control in the job log (Figure 29).

Figure 29
Job log overview for test results from transaction SM37 to SAP BusinessObjects Process Control 2.5
Raj Behera
Raj Behera is a manager for the Regional Implementation Group (RIG) at SAP GRC. Prior to joining SAP, Raj worked at Virsa Systems as a key developer for the Access Control application. Since moving to the RIG team, he has helped in hundreds of implementations in the SAP BusinessObjects applications such as SAP BusinessObjects Access Control and SAP BusinessObjects Process Control. Raj has 12 years of experience in SAP consulting in the development and technology areas. He has a master’s degree in engineering management from San Jose State University.
You may contact the author at raj.behera@sap.com.