SAP BusinessObjects Access Control’s Risk Analysis and Remediation (RAR) capability generates the rule library for segregation of duties and performs the access risk analysis for the user. SAP BusinessObjects Process Control manages the controls for each business process. Integrating the two applications allows you to control both of these functions from SAP BusinessObjects Process Control.
Key Concept
SAP BusinessObjects Process Control formulates the strategies for automated control monitoring of segregation of duties exceptions. Integrating it with SAP BusinessObjects Access Control involves the Web service of the service-oriented architecture (SOA) in the SAP NetWeaver layer. The Web service is shipped along with SAP BusinessObjects Access Control.
Consider a business process of order-to-cash (OTC) users having violations in segregation of duties (SoD) rules in SAP BusinessObjects Access Control 5.3. There is no control mechanism to monitor these users or user groups for this business process with the automated rule features. You can use the ability to initiate the control rule monitoring from SAP BusinessObjects Process Control without building the SoD rules in two applications. You then can leverage the SoD rule library of SAP BusinessObjects Access Control 5.3 and monitor the SoD violations in SAP BusinessObjects Process Control 2.5.
By introducing SAP BusinessObjects Access Control in the OTC process for the user’s risk analysis, you can monitor controls, the mitigation plan, and SoD exceptions from the SAP BusinessObjects Process Control 2.5 dashboard. This integrated approach reduces costs and provides better visibility of the end-to-end internal controls in your organization.
In my previous article, “Create a Centralized Control Management System by Integrating Access and Process Controls,” I introduced this situation using different versions of the technology. In doing so, I highlighted more about the integration aspects and introduced some example terms, so you should read it first. My previous article applies specifically to the SAP BusinessObjects Access Control 4.0 and SAP BusinessObjects Process Control 2.5 versions.
Before I get into the specifics of setting up the integration in your system, I’ll go through how service-oriented architecture and Web services factor into the integration of your SAP BusinessObjects solutions for GRC and your SAP NetWeaver layer.
SOA and Web Service
SAP BusinessObjects Process Control 2.5 uses ABAP technology while SAP BusinessObjects Access Control 5.3 is in a Java stack of the SAP NetWeaver platform. Because the two components use different technology, you need an SOA interface such as Web service capability. SOA methodology generates all the necessary network connectivity of the SAP NetWeaver layer and the SAP BusinessObjects solutions for GRC.
Two built-in Web services (VirsaCCRiskAnalysis and VirsaCCUser) make the data flow and establish connectivity between these two applications (Figure 1). VirsaCCRiskAnalysis triggers the risk analysis in RAR and VirsaCCUser performs user name resolution. The Simple Object Access Protocol (SOAP), Web service runtime, and test features can help you determine that these components are activated properly prior to setup.

Figure 1
Flow diagram of SAP BusinessObjects Access Control 5.3 and SAP BusinessObjects Process Control 2.5 integration
These data flows are bi-directional and act as a medium for rule validation for SAP BusinessObjects Access Control and SAP BusinessObjects Process Control. Interestingly, SAP BusinessObjects Process Control rules allow a certain amount of selection criteria and SAP BusinessObjects Access Control rules process the SoD rules for the type of analysis (e.g., user analysis or user group analysis) requested.
Note
SAP BusinessObjects Access Control was formerly known as SAP GRC Access Control, and before that the Virsa suite of GRC capabilities, including Compliance Calibrator and FireFighter, among others. SAP BusinessObjects Process Control was formerly known as SAP GRC Process Control.
Roles in SAP BusinessObjects Process Control 2.5
In SAP BusinessObjects Process Control 2.5, you need to perform configuration, prepare setup of the rules, and schedule the trigger of the control monitoring. Primarily, you configure in the IMG, including creating connectors and registering the Remote Function Call (RFC) ID in Web services. Figure 2 represents the entire data flow between SAP BusinessObjects Access Control and SAP BusinessObjects Process Control starting with control rule assignment. In this scenario, it is assumed that the configuration of both SAP BusinessObjects Access Control 5.3 and SAP BusinessObjects Process Control 2.5 is maintained.

Figure 2
Process flow in SAP BusinessObjects Access Control 5.3 and SAP BusinessObjects Process Control 2.5
Configuration Check in SAP BusinessObjects Process Control 2.5
Go to the ABAP system where SAP BusinessObjects Process Control 2.5 is installed and follow menu path SPRO > GRC Process Control > Assessment and Test > Automated Test and Monitoring. Using selections under the Automated Test and Monitoring node, you can create the RFC connectors, register the connectors, and fulfill other necessary requirements for this integration.
Step 1. Create the RFC connection. Use transaction SM59 or use the menu path shown above. You need to create two connectors for two Web services, such as USER_ANALYSIS (Figure 3) and RISK_ANLYSIS (Figure 4). Enter G as the Connection Type, which represents the HTTP connection to the external server. The target host is the SAP BusinessObjects Access Control host name where the RAR component is installed. You need to provide the path prefix, which you can get from SAP NetWeaver’s Web service URL, and the service number.

Figure 3
RFC destination for SAP BusinessObjects Access Control 5.3 created in SAP BusinessObjects Process Control 2.5

Figure 4
Another RFC destination for SAP BusinessObjects Access Control 5.3 created in SAP BusinessObjects Process Control 2.5
Step 2. Create the ports. After creating the RFC IDs, use transaction LPCONFIG in the SAP BusinessObjects Process Control 2.5 ABAP system and create the port for each proxy class, which controls access from the Internet to an intranet (Figures 5 and 6). The proxy class is provided in SAP BusinessObjects Process Control 2.5. Enter CO_GRPCCCVIRSA_CCRISK_ANALYSIS in the Proxy Class field and RISK_ANLYSIS in the Logical Port and Description fields for the risk analysis port during the logical port creation process. Then enter what’s shown in Figure 6 for the next port.

Figure 5
Logical port creation for the RISK_ANLYSIS destination

Figure 6
Logical port creation for the USER_ANALYSIS destination
Follow menu path SPRO > GRC Process Control > Assessment and Test > Automated Testing and Monitoring > Register Connectors (Figure 7). Register the two RFC IDs that you’ve been working with (e.g., RISK_ANLYSIS and USER_ANALYSIS). In Figure 7, you can see the system type is CC.

Figure 7
Register connectors in SAP BusinessObjects Process Control 2.5
Step 3. Register the connectors for the Web service in SAP BusinessObjects Process Control 2.5. Follow menu path SPRO > GRC Process Control > Assessment and Test > Automated Testing and Monitoring > Compliance Calibrator Integration > Register Connectors for Web Services (Figure 8). Establish the connection from SAP BusinessObjects Process Control 2.5 to the SAP BusinessObjects Access Control 5.3 Web service. Create the necessary entries RISKANALYSIS and VIOLATEDUSER.

Figure 8
Register connectors for Web services
Once the configuration is done, you can maintain the rule criteria, rule script, and rule for the SoD controls to be executed from SAP BusinessObjects Process Control 2.5. Let’s start with creating a script.
Note
In SAP BusinessObjects Access Control 5.3, you can test configuration controls such as the test of the Web services or a test run for the user analysis from the RAR informer > User Analysis menu path.
Log on to SAP NetWeaver Business Client and SAP BusinessObjects Process Control 2.5 and follow menu path Evaluation Setup > Rule Script > Create (Figure 9). Create a script named AC 5.3 RAR - SOD SCRIPT with the Segregation of Duties script type and Compliance Calibrator (now called RAR) system type. The target connector is RISK_ANLYSIS, as seen in Figure 4.

Figure 9
Script for SAP BusinessObjects Access Control 5.3 integration
Rule criteria are variables used by the script. Rule criteria represent the filter, testing, or deficiency parameters associated with a script when a rule is run. Automated test rules can include any of the script types shown in the screen in Figure 10. In this example for integrating with SAP BusinessObjects Access Control 5.3, use script type SOD.

Figure 10
Define script types
You need to define script criteria for this kind of scenario. Click the Script Criteria tab in Figure 9 to bring up the screen shown in Figure 11. These values are predefined parameters available in SAP BusinessObjects Process Control 2.5. You cannot create new rule criteria. Rather, you use this script or rule criteria assignment based on what is available. For this scenario, add the highlighted values in Figure 11.

Figure 11
Assign rule criteria
For more information on how to add the rule criteria, refer to Figure 12. Click the Add button to view all the default selections. You need to highlight the one that is required for this scenario. If you make a mistake, you can remove certain rule criteria from the script by clicking the Remove button.

Figure 12
Add rule criteria
Once you have completed the steps of the script building process, you can create the rule. Rules control and determine the exception data that is extracted from SAP ERP Central Component (ECC) when a control is tested or monitored. A rule is a combination of a script and rule parameters (or group of rule criteria).
You create a rule to prepare control objectives. To create a rule in SAP BusinessObjects Process Control 2.5, go to Evaluation Setup > Rule > Create (Figure 13). Enter the script created earlier in Figure 9 (e.g., AC 5.3 RAR - SOD SCRIPT). The area that is grayed out is automatically imported from the script. You need to make sure that the rule has been released so you can save it. Choose Compliance Calibrator as the System Type.

Figure 13
Create a rule for SoD control
Defining rule parameters is an important task in the rule building process. Figure 14 shows the list of rule criteria, which are the ones selected during script creation in the earlier step.
- CC_OBJECT_MAPTYPE: This parameter helps interface with RAR for user, user group, and organizational level analysis.
- CC_OBJECT_MAPVALUE: You can access user, user group, and organization rule values from RAR. You can enter multiple users in the selection criteria provided that the users or user ranges exist in RAR.
- CC_REPORT_TYPE: In RAR, there are two report types available: Action Level (which reports on transaction codes only) and Permission Level (which reports on more granular values of authorization objects). You can control these variables from SAP BusinessObjects Process Control 2.5 if a user wishes to produce the exception report either for action level or permission level.
- CC_RISK_ID: Risk ID is defined in RAR’s rule library. The risk ID is a four-character field and is used in the integration. Users can choose a range of risk IDs to produce the exception results.
- CC_SYSTEM_ID: The system ID is defined in RAR’s Configuration tab in the connector section. In SAP BusinessObjects Process Control 2.5, it will be used as the exact name defined in SAP BusinessObjects Access Control 5.3 for establishing a connection between the two applications.

Figure 14
Rule parameters required for SAP BusinessObjects Access Control 5.3 integration
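To make the effect of these rule parameters concrete, here is an added Python example (not code from this article or from SAP) that models an action-level SoD check scoped by the five parameters. It assumes a simplified model in which a risk pairs two conflicting functions, each a set of transaction codes; the rule contents, user names, connector name, and the "USER" and "ACTION" encodings are constructed for illustration.

```python
# Simplified action-level SoD check; every value below is constructed sample data.
RULE_LIBRARY = {  # risk ID -> two conflicting functions (sets of tcodes)
    "P003": ({"FB60", "MIRO"}, {"F-53", "F110"}),
    "S001": ({"VA01", "VA02"}, {"F-28", "FB05"}),
    "S002": ({"XD01", "XD02"}, {"VA01", "VA02"}),
}
USER_ACTIONS = {  # user -> transaction codes granted through roles
    "OTC_CLERK1": {"VA01", "VA02", "F-28"},
    "OTC_CLERK2": {"VA01", "VA03"},
    "AP_CLERK1": {"FB60", "F110", "XD01"},
}
RAR_CONNECTOR = "ECC_CONNECTOR"  # hypothetical system ID defined in RAR

def validate_params(params):
    """Return the problems that would make the rule fail or match nothing."""
    problems = []
    if params["CC_OBJECT_MAPTYPE"] != "USER":  # assumed encoding
        problems.append("this sketch models user analysis only")
    if params["CC_REPORT_TYPE"] != "ACTION":  # assumed encoding
        problems.append("this sketch models action-level reports only")
    if params["CC_SYSTEM_ID"] != RAR_CONNECTOR:
        problems.append("system ID must match the RAR connector name exactly")
    for risk_id in params["CC_RISK_ID"]:
        if len(risk_id) != 4:
            problems.append(f"risk ID {risk_id!r} is not four characters")
    for user in params["CC_OBJECT_MAPVALUE"]:
        if user not in USER_ACTIONS:
            problems.append(f"user {user!r} does not exist in RAR")
    return problems

def run_sod_rule(params):
    """Return sorted (user, risk ID) exceptions for the selected scope."""
    if problems := validate_params(params):
        raise ValueError("; ".join(problems))
    low, high = params["CC_RISK_ID"]  # inclusive risk ID range
    exceptions = []
    for user in params["CC_OBJECT_MAPVALUE"]:
        held = USER_ACTIONS[user]
        for risk_id, (func_a, func_b) in RULE_LIBRARY.items():
            # Violation: at least one action from EACH conflicting function.
            if low <= risk_id <= high and held & func_a and held & func_b:
                exceptions.append((user, risk_id))
    return sorted(exceptions)

PARAMS = {"CC_OBJECT_MAPTYPE": "USER", "CC_REPORT_TYPE": "ACTION",
          "CC_SYSTEM_ID": "ECC_CONNECTOR", "CC_RISK_ID": ("P003", "P003"),
          "CC_OBJECT_MAPVALUE": ["OTC_CLERK1", "OTC_CLERK2", "AP_CLERK1"]}
if __name__ == "__main__":
    print(run_sod_rule(PARAMS))
```

Widening CC_RISK_ID to a range changes which users appear in the exception report, which is why the range and the user selection should be reviewed together when a control is scoped.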
After you save the rule, it is stored in SAP BusinessObjects Process Control 2.5. You then need to create a central control for this integration. Follow menu path Compliance Structure > Central Process Hierarchy > GRC Experts Community, select the subprocess, and create a new control for this integration objective (Figure 15). Create a control to effectively monitor the SoD exception for risk ID P003 defined in SAP BusinessObjects Access Control 5.3. Define the mode of operation frequency such as Monthly or Weekly. You can also set Control Relevance check boxes such as Monitoring and Risk Assessment.

Figure 15
SoD control for SAP BusinessObjects Access Control 5.3
Once the control is created, you need to assign the control to the rule created earlier. You can find more details in Figure 16 and in my previous article.

Figure 16
Assign a control rule for AC RAR – SOD Control
You can create the scheduler jobs periodically to generate the reports. The remaining process is similar to the process I described in my previous article about SAP BusinessObjects Access Control 4.0. Once the job is scheduled for this control, you can view the result output from the Job Monitor menu path in SAP BusinessObjects Process Control 2.5. Use menu path Evaluation Setup > Job Monitor > Search to see the information about the job and the detailed job log for the reports to be reviewed for the RAR SoD control (Figure 17).

Figure 17
Details report output of SoD control in SAP BusinessObjects Process Control 2.5
Role in SAP BusinessObjects Access Control 5.3
You need to check some configuration in SAP BusinessObjects Access Control 5.3 to complete the integration approach. Log on to RAR and follow menu path Configuration > Risk Analysis > Additional Options > Enable Offline Analysis. Prior to scheduling a background job for the SoD control from SAP BusinessObjects Process Control, you need to ensure that the default value is set to Yes. Log on to RAR and follow the menu path Configuration > Background Job and schedule a job for the management reports. Make sure that the management report is scheduled and completed prior to executing the control in the SAP BusinessObjects Process Control 2.5 system. To make sure that the Web services are running without error, go to the Web service navigator in the initial screen of SAP NetWeaver and test the two Web services mentioned earlier.
Test Steps to Remember Prior to Executing This Integration
It’s always good to test a few things before carrying out integration. In this case, test the following:
- Execute the Management Report in RAR in SAP BusinessObjects Access Control 5.3
- Check for the configuration of the offline risk analysis
- Check the Web services for risk analysis and user violations
- Create the RFC destinations for risk analysis and user violations
- Create logical ports for risk analysis and user violations
- Register connectors and Web services for risk analysis integration
Raj Behera
Raj Behera is a manager for the Regional Implementation Group (RIG) at SAP GRC. Prior to joining SAP, Raj worked at Virsa Systems as a key developer for the Access Control application. Since moving to the RIG team, he has helped in hundreds of implementations in the SAP BusinessObjects applications such as SAP BusinessObjects Access Control and SAP BusinessObjects Process Control. Raj has 12 years of experience in SAP consulting in the development and technology areas. He has a master’s degree in engineering management from San Jose State University.
You may contact the author at raj.behera@sap.com.