Operations Guide

SAP Access Control™ 10.1 / Process Control™ 10.1 / Risk

Management™ 10.1

Target Audience
ÖO ªJ Technical Consultants
ÖO ªJ System Administrators
ÖO ªJ Solution Consultants
ÖO ªJ Business Process Owner
ÖO ªJ Support Specialist

PUBLIC
ÖOí‘–ß•Rµ⁄@ÞY˙´¯y(<—¨ê&3b® ÷ÝH‡—×fiÓV¬hÚOTZ×qœ˛Å_˘ëŠ“´xÓ\Ê-Âq.íûf
Document History

CAUTION

Before you start the implementation, make sure you have the latest version of this document.
You can find the latest version at the following location: http://help.sap.com/grc.

Version Date Description

1.00 2013-06-04 Initial release
1.10 2013-07-25 Clarified Scheduled Periodic Tasks section and created separate table for Access
Control Synchronization Tasks with updated frequencies.

2/40 PUBLIC 2013-07-25

Table of Contents

Chapter 1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

1.1 Global Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2 Important SAP Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Chapter 2 Technical System Landscape . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.1 Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Chapter 3 Monitoring of the Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.1 CCMS Monitor Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.2 Alert Monitoring with CCMS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.2.1 Component Specific Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.3 Detailed Monitoring and Tools for Problem and Performance
Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.3.1 Trace and Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.3.2 Operating System Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3.3 Workload Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.3.4 Other Important Problem Analysis and Monitoring Tools . . . . . . . . . . . . . . . 20
3.3.5 Interface Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.4 Important Application Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 4 Managing the Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

4.1 Starting and Stopping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.2 Backup and Restore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.3 System Copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
4.4 Periodic Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.4.1 Scheduled Periodic Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.5 Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.6 User Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.7 Printing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

2013-07-25 PUBLIC 3/40

Chapter 5 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Chapter 6 Software Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

6.1 Transport and Change Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
6.2 Development Requests and Development Release Management . . . . . . . . . . . 30
6.3 Quality Management and Test Management . . . . . . . . . . . . . . . . . . . . . . . . . . 30
6.4 Support Packages and Patch Implementation . . . . . . . . . . . . . . . . . . . . . . . . . 30

Chapter 7 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Chapter 8 Configuring Remote Connection to SAP Support . . . . . . . . . . . . . . . . . . 33

8.1 Read Only Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Chapter 9 Appendix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
9.1 Categories of System Components for Backup and Restore . . . . . . . . . . . . . . . 35
9.2 Related Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

4/40 PUBLIC 2013-07-25

1 Getting Started

1 Getting Started

The Operations Guide provides administration information for Access Control, Process Control, and
Risk Management.
SAP Access Control is an enterprise software application that enables organizations to control access
and prevent fraud across the enterprise, while minimizing the time and cost of compliance. The
application streamlines compliance processes, including access risk analysis and remediation, business
role management, access request management, emergency access maintenance, and periodic
compliance certifications. It delivers visibility of the current risk situation with real-time data.
SAP Process Control is an enterprise software solution for compliance and policy management. The
compliance management capabilities enable organizations to manage and monitor its internal control
environment. This provides the ability to remediate any identified issues, and then certify and report
on the state of the corresponding compliance activities. The policy management capabilities support
the management of the overall policy lifecycle, including the distribution and attestation of policies by
target groups. These combined capabilities help reduce the cost of compliance and improve
management transparency and confidence in compliance management processes.
SAP Risk Management enables organizations to balance business opportunities with financial, legal,
and operational risks to minimize the market penalties from high-impact events. The application allows
customers to identify these risks and monitor them on a continuous basis. Stakeholders and owners
are provided with such tools as analytic dashboards for visibility in mitigating risks in their areas of
responsibility.

About this Guide

This guide provides a starting point for managing your SAP applications and maintaining and running
them. It contains information for tasks and lists the tools to implement them. This guide also provides
references to the documentation required for these tasks.
NOTE

The guide refers to the SAP NetWeaver Operations Guide as most production operation tasks are
done at the server level. The application tasks are in the Monitoring and Management sections.
CAUTION

This guide does not replace the daily operations handbook that we recommend customers create
for their production operations.
Target Groups

The guide is written for the following audiences:

2013-07-25 PUBLIC 5/40

 1 Getting Started
1.1 Global Definitions

N£M>÷â Technical Consultants

N£M>÷â System Administrators
N£M>÷â Solution Consultants
N£M>÷â Business Process Owner
N£M>÷â Support Specialist

1.1 Global Definitions

SAP Application:
An SAP software solution that serves a specific business area like ERP, CRM, PLM, SRM, SCM.
Business Scenario:
From a microeconomic perspective, a business scenario is a cycle that consists of several different
interconnected logical processes in time. A business scenario includes several company departments
and business partners. From a technical point of view, a business scenario needs at least one SAP
application (SAP ERP, SAP SCM, or others) for each cycle and possibly other third-party systems. A
business scenario is a unit that can be implemented separately and reflects the customer’s prospective
course of business.
Component:
The smallest individual unit considered within the Solution Development Lifecycle. Components are
separately produced, delivered, installed, and maintained.

1.2 Important SAP Notes

For a list of important SAP Notes for the applications, see the following:
N£M>÷â For Access Control, see the SAP Access Control 10.1 Master Guide at http://help.sap.com/grc-ac .
N£M>÷â For Process Control, see the SAP Process Control 10.1 Master Guide at http://help.sap.com/pc .
N£M>÷â For Risk Management, see the SAP Risk Management 10.1 Master Guide at http://help.sap.com/rm .

6/40 PUBLIC 2013-07-25

2 Technical System Landscape
2.1 Related Documentation

2 Technical System Landscape

For information about the technical system landscape and the software component matrix, see the
application master guides.
⁄�u‹˘î SAP Access Control 10.1 Master Guide at http://help.sap.com/grc-ac .
⁄�u‹˘î SAP Process Control 10.1 Master Guide at http://help.sap.com/pc
⁄�u‹˘î SAP Risk Management 10.1 Master Guide at http://help.sap.com/rm .
Scroll down to the Installation information to find a link to the Master Guide.

2.1 Related Documentation

For more information about the technical system landscape, see the guides in the following table.
Topic Guide/Tool Link on SAP Service Marketplace
Application and industry specific components such Master Guide http://service.sap.com/instguides
as SAP Financials and SAP Retail
Technology Components such as SAP NetWeaver
Application Server
Technical Configuration
Sizing Quick Sizer Tool http://service.sap.com/sizing

Installation Installation Guide http://service.sap.com/instguides

Security Security Guide http://service.sap.com/security

2013-07-25 PUBLIC 7/40

This page is left blank for documents
that are printed on both sides.
3 Monitoring of the Application
3.1 CCMS Monitor Templates

3 Monitoring of the Application

The information in this section applies to Access Control, Process Control, and Risk Management.
Within the management of SAP Technology, monitoring is an essential task. The Computing Center
Management System (CCMS) is a set of integrated tools for monitoring and administration of SAP
system landscapes. The transaction code is RZ20.

RECOMMENDATION

For more information about the underlying technology, see the Technical Operations for SAP
NetWeaver at http://help.sap.com/netweaver SAP NetWeaver Platform System Administration
and Maintenance Information

3.1 CCMS Monitor Templates

This section lists the CCMS monitor sets you can use to monitor the application components. The
CCMS Monitor Templates include the following:
?qQB*ú Background processing
?qQB*ú Performance overview
?qQB*ú Syslog
The SAP Web Service Monitor Template is Web Service Monitor.

2013-07-25 PUBLIC 9/40

3 Monitoring of the Application
3.2 Alert Monitoring with CCMS

�ƒNû"[Tç~È‚?�€ìûT�ì—˚CCMS Monitor Template and Web Service Monitor

3.2 Alert Monitoring with CCMS

Proactive, automated monitoring is the basis for ensuring reliable operations for your SAP system
environment. SAP provides you with the infrastructure needed to set up your alert monitoring to
recognize situations for Access Control, Process Control and Risk Management as quickly as possible.

RECOMMENDATION

To enable the auto-alert mechanism of CCMS, see SAP Note 617547.

3.2.1 Component Specific Monitoring

You monitor the following data in the SAP Standard CCMS tool for Access Control, Process Control
and Risk Management:
�ƒN˛™ Background job
�ƒN˛™ Performance Overview
�ƒN˛™ DB access time
�ƒN˛™ System log
�ƒN˛™ System errors
�ƒN˛™ Web Services Call

Background Jobs

You monitor the background job status for jobs that are aborted, canceled, or have been running for
a long time.

10/40 PUBLIC 2013-07-25

3 Monitoring of the Application
3.2 Alert Monitoring with CCMS

EXAMPLE

This is an example of background jobs with the status of Long Running Jobs and Aborted Jobs:

‚
§[wÜG ¡‚®¾¡�ÈÉx„˛ŽBackground Jobs with status of Long Running Jobs and Aborted Jobs

EXAMPLE

The following graphic illustrates that BFC_001 through BFC_005 jobs have the status of Canceled:

‚
§[wÜG ¡‚®¾¡�ÈÈx„˛ŽJob Overview

2013-07-25 PUBLIC 11/40

3 Monitoring of the Application
3.2 Alert Monitoring with CCMS

You can check the details of canceled jobs by selecting a job and clicking Step. The following graphic is
an example of the details for a selected job.
NOTE

The Program name/command for the applications start with GRAC, GRPC, or GRFN. They should be alerted.

⁄V›yľ˙Óí[ÆC£I7/f¹'µDetails of a Job

Performance Overview

In the Performance Overview CCMS Monitor Templates, look for processes with a high Response Time.
NOTE

⁄V›�áw Access Control processes begin with GRAC.

⁄V›�áw Process Control processes begin with GRPC.
⁄V›�áw Risk Management processes begin with GRFN.
EXAMPLE

The following figure illustrates that the GR4 system has a response time of 1448 milliseconds.

⁄V›yľ˙Óí[ÆC£I7/f¹'µSystem Response Time

12/40 PUBLIC 2013-07-25

3 Monitoring of the Application
3.2 Alert Monitoring with CCMS

EXAMPLE

The following graphic illustrates an example of Process Control process (GRPCRTA_PC):

?'6ÖƒY|Êæ|¢½Míc|/ÓÓŸ¸ŁWorkload in System

System Logs

Monitor system logs for any errors.

EXAMPLE

The following graphic illustrates that the R3Syslog displays a runtime error.

?'6ÖƒY|Êæ|¢½Míc|/ÒÓŸ¸ŁRuntime error

2013-07-25 PUBLIC 13/40

3 Monitoring of the Application
3.2 Alert Monitoring with CCMS

You can review the System Log (Syslog): Local Analysis for errors.
NOTE

âEÝÊ Access Control transaction codes start with GRAC.

âEÝÊ Process Control transaction codes start with GRPC.
âEÝÊ Risk Management transaction codes start with GRFN.
EXAMPLE

The following graphic illustrates local analysis of Process Control transaction codes:

âE;6¿2âWPÒ-?m™ÙãIW£Local Analysis

Access the complete list of Access Control transaction codes with transaction code SE93. Search
for GRAC*. Some of the most used codes include:
Access Control Transaction Codes
Transaction Code Description
NWBC Access the majority of the Access Control capabilities and reports (role:
SAP_GRC_NWBC)
GRAC_ALERT_GENERATE Alert generation
GRAC_BATCH_RA Risk Analysis in Batch Mode
GRAC_EAM Emergency Access Management (EAM) Launchpad Logon
GRAC_SPM_CLEANUP Cleanup EAM (SPM) Application Data
GRACRABATCH_MONITOR Batch Risk Analysis Monitor

System Errors

You review the CCMS Monitor Templates (System Errors) for error messages.

14/40 PUBLIC 2013-07-25

3 Monitoring of the Application
3.2 Alert Monitoring with CCMS

EXAMPLE

The following graphic illustrates system errors such as Aborted Batch Jobs and Update Errors:

›»Ã©›B¦iÆê˚hVÉ2®ÉSystem Errors

Web Services

You monitor the SAP Web Service Monitor Templates for errors.

EXAMPLE

The following graphic illustrates the following monitors:

›»ÃO¬Á Task Watcher
›»ÃO¬Á Supervisor Destination
›»ÃO¬Á Web Services Reliable Messaging (WSRM) Event Handler
›»ÃO¬Á Web Services (WS) Namespace for Inbound Destinations
›»ÃO¬Á WS Service Destinations

2013-07-25 PUBLIC 15/40

3 Monitoring of the Application
3.3 Detailed Monitoring and Tools for Problem and Performance Analysis

¸?¢ó ¦Ý£ˆ=
œPû]0‚Ž¢ç,¦Monitors

3.3 Detailed Monitoring and Tools for Problem and

Performance Analysis
Process Control, Risk Management and Access Control are based on SAP NetWeaver Web Application
Server 7.40.

RECOMMENDATION

For information about technical problem analysis (such as database, operating system, or
workload analysis) see the Technical Operations Manual for SAP NetWeaver at http://help.sap.com/
netweaver SAP NetWeaver Platform System Administration and Maintenance Information

3.3.1 Trace and Log Files

The information in this section applies to Access Control, Process Control and Risk Management. Trace
files and log files are essential for analyzing problems. You can use SAP NetWeaver transactions, such
as ST22 and SM2, to monitor trace and log files.

NOTE

The archiving object for Access Control is GRAC_REQ.

16/40 PUBLIC 2013-07-25

3 Monitoring of the Application
3.3 Detailed Monitoring and Tools for Problem and Performance Analysis

RECOMMENDATION

For more information, see the Technical Operations Manual for SAP NetWeaver at http://
help.sap.com/netweaver SAP NetWeaver Platform System Administration and Maintenance
Information

Additionally, the GRC applications use the SAP NetWeaver application log to store application error
warning and success messages issued in critical processes. For example, the delivery interface between
ERP and Process Control, or in UI transactions stores the messages in the SAP NetWeaver application
log. For UI transactions, the application log must be explicitly saved by the user.

RECOMMENDATION

For more information about application logs, see http://help.sap.com/netweaver SAP

NetWeaver 7.4 Application Help Function-oriented View (select language) Solution Life Cycle Management
Application Log (BC-SRV-BAL) .

Application Logs – The application logs can be monitored with transaction SLG1.
ñE‚í�€ The Access Control log object is GRAC.
ñE‚í�€ The Process Control log object is GRPC.
ñE‚í�€ The Risk Management log object is GRRM.
ñE‚í�€ The shared components log object is GRFN.
The following tables list the log subobjects:
Access Control Log Subobjects
Log Object Log Subobjects Description
GRAC AUTH Authorization check
GRAC BATCH Batch risk analysis
GRAC HRTRIGGER HR trigger
GRAC SOD_RISK_ANALYSIS Segregation of Duties (SOD) Risk
Analysis
GRAC SPM Emergency Access Management log
GRAC UAR User Access Review (UAR)

Process Control Log Subogjects

Log Object Log Subobjects Description
GRPC API GRPC Entity API Calls
GRPC AS_REORG GRPC AS REORG Log
GRPC ATTACHMENTS_CLONING Copy Documents During Carryforward
GRPC ATTACHMENTS_DOWNLOAD Documents download log
GRPC ATTACHMENTS_SERVICES Documents Log for Backend Services
GRPC AUTHORIZE Logging of Authorization Checks
GRPC CASE_INT Case Management Integration
GRPC EVENT Event-based Control Monitoring

2013-07-25 PUBLIC 17/40

3 Monitoring of the Application
3.3 Detailed Monitoring and Tools for Problem and Performance Analysis

Log Object Log Subobjects Description

GRPC NWBC Netweaver Business Client Integration
GRPC PLANNER Planner
GRPC REPLACEMENT Succession
GRPC SCHEDULER Scheduler log
GRPC SIGNOFF Sign off
GRPC SOD_CHECK Check of Function Separator

Risk Management Log Subobjects

Log Object Log Subobjects Description
GRRM AGGR_RUN Aggregation Run
GRRM ANLS_AUTOMATION Analysis Automation
GRRM CLEANUP Cleanup report to delete
transaction data
GRRM CONTEXT Context Values
GRRM KRI KRI runtime
GRRM MIGRATION Migration
GRRM RESPONSE_NOTIF Response Due Date Notification
GRRM RESP_AUTOMATION Response Automation
GRRM SURVEY Survey

GRC Foundation (shared) Lob Subobjects

Log Object Log Subobjects Description
GRFN AC_PROV Access Control Provisioning Engine
GRFN AC_REP Access Control Repository
GRFN API GRC API logging
GRFN ASYNC_UPDATE Asynchronous Update Infrastructure
GRFN AUTH GRC authorization
GRFN CASE_INT Continuous monitoring case integration
GRFN FDS Continuous monitoring flexible data store
GRFN HRMAINT Access to HR ORG maintenance
GRFN IO_EXPORT IO Export
GRFN IO_IMPORT IO Import
GRFN IO_META IO Metadata
GRFN JOB AMF Job Step Execution
GRFN JOB_DESIGN AMF Job Step Design Time
GRFN MDCHECK Master Data Consistency Check
GRFN MIGRATION GRC migration
GRFN MSMP_WF_CN Multi-Stage Multi-Path (MSMP) Workflow – Configuration
GRFN MSMP_WF_NT Multi-Stage Multi-Path (MSMP) Workflow – Notification
GRFN MSMP_WF_RT Multi-Stage Multi-Path (MSMP) Workflow – Runtime
GRFN OWP Offline Workflow Process

18/40 PUBLIC 2013-07-25

3 Monitoring of the Application
3.3 Detailed Monitoring and Tools for Problem and Performance Analysis

Log Object Log Subobjects Description

GRFN POLICY Policy Management
GRFN REPLACEMENT GRC replacement
GRFN REP_ENGINE Reporting engine
GRFN RISK_AGGR Risk Aggregation
GRFN RM_BANKING Operational Risk Management for Banking Industry
GRFN SURVEY Survey planning

Job Logs – You can view job logs using transaction SM37.
Workflow Item Logs – You can view the workflow item logs using transaction SWI1.

RECOMMENDATION

For more information, see the SAP Library at http://help.sap.com and search for SAP Workflow
Administration.

Scheduler Logs – Process Control only. To view the scheduler logs, log on to the portal, select a
regulation workset and click Rule Setup Scheduling
For a description of the tasks containing data growth, see the Periodic Task [page 24] section in this guide.

3.3.2 Operating System Monitors

Process Control, Risk Management and Access Control use the standard tools for this function available
in the SAP NetWeaver Application Server 7.40 and do not require a component-specific tool.

RECOMMENDATION

For information, see the Technical Operations Manual for SAP NetWeaver at http://help.sap.com/
netweaver SAP NetWeaver Platform System Administration and Maintenance Information

3.3.3 Workload Monitors

Process Control, Risk Management and Access Control use the standard tools for this function available
in the SAP NetWeaver Application Server 7.40 and do not require a component-specific tool.

RECOMMENDATION

For more information, see the Technical Operations Manual for SAP NetWeaver in the SAP Library under
SAP NetWeaver.

Components to Monitor
Component Monitor Relevant Application Description
Datamart GRFN_DATAMART_UP Process Control This is the reporting
LOAD_BTC Risk Management component.

2013-07-25 PUBLIC 19/40

3 Monitoring of the Application
3.4 Important Application Objects

Component Monitor Relevant Application Description

Scheduler GRPC_SCHEDULER Process Control This sends jobs from the
Process Control job query
to the SAP standard job
query (SM36). It retrieves
objects from the HR info
type, such as control and
organization Information.
KRI Runtime GRRM_KRI_RUNTIME Risk Management Periodic runtime of KRIs.

3.3.4 Other Important Problem Analysis and Monitoring Tools

Process Control, Risk Management, and Access Control use the standard tools for this function available
in the SAP NetWeaver Application Server 7.40 and do not require a component-specific tool.

RECOMMENDATION

For information, see the Technical Operations Manual for SAP NetWeaver at http://help.sap.com/
netweaver SAP NetWeaver Platform System Administration and Maintenance Information

3.3.5 Interface Monitors

Interface monitors analyze problems with interfaces such as RFC, IDoc, and HTTP. Process Control,
Risk Management and Access Control use the standard tools available in the SAP NetWeaver
Application Server 7.40 and do not require a component-specific tool.

RECOMMENDATION

For information, see the Technical Operations Manual for SAP NetWeaver at http://help.sap.com/
netweaver SAP NetWeaver Platform System Administration and Maintenance Information

3.4 Important Application Objects

We recommend you monitor the following Process Control, Risk Management and Access Control
objects:
Objects to Monitor
Object Tools Description
Process Overview Transaction SM50 The monitor tracks the amount of time critical
processes such as dialog (DIA), update (UPD), or
background (BGD) have been running. Processes
that have been running too long are shown in red
in the runtime column.

20/40 PUBLIC 2013-07-25

3 Monitoring of the Application
3.4 Important Application Objects

Object Tools Description

Ensure there are enough background work
processes on the GRC system. You can use operation
mode to switch work processes.
Background Process Transaction SM37 Select the jobs by job name, user name, status, and
time period to display a status overview of scheduled
jobs. Look for any canceled jobs.
Process Control and Transaction GRFN_LOG_ENABLE Enable logging for the following subobjects if you
Risk Management need to track errors in API or authorization check
Application Logs areas:
rãs) API — GRC API Logging
rãs) AUTH — GRC Authorization
For troubleshooting, enable logging for
REP_ENGINE — Reporting Engine.
For more information about objects and subobjects,
see Trace and Log Files.
Application Logs Transaction SLG1 Enable the GRPC application logs for potential risk
areas, such as API access and authorization. Using
transaction SPRO, select Governance, Risk and
Compliance Process Control Administration
Programs
For more information, see Trace and Log Files.
CCMS Transaction RZ20 Monitor the following:
rãs) SAP buffer configuration
rãs) Database workload
rãs) Operating system workload
rãs) System logs for errors
rãs) System errors for application dumps
rãs) Workload analysis for any performance issues
For more information, see the Technical Operations
Manual for SAP NetWeaver at help.sap.com/
netweaver.

Shared Objects Memory Transaction SHMM Transaction SHMM provides an overview of the area
instances in the shared objects memory of the
current application server.
Workflow event queue SWEQADM Use the event queue to delay the starting of receivers
reacting to a triggering event. This spreads the
system load over a longer time period to combat the
threat of system overload. The system administrator
sets the event queue.
SICF Transaction SICF Use this transaction to activate Internet services,
Web services, and Web Dynpro.
SIGS Transaction SIGS Use this transaction to view the status of IGS services
and the required parameters.

2013-07-25 PUBLIC 21/40

This page is left blank for documents
that are printed on both sides.
4 Managing the Application
4.1 Starting and Stopping

4 Managing the Application

The information in this section applies to Process Control, Risk Management and Access Control. SAP
provides you with an infrastructure to help your technical support consultants and system
administrators manage all SAP components and complete tasks related to administration and
operation. The underlying technology of Process Control, Risk Management and Access Control are
based on SAP NetWeaver.

4.1 Starting and Stopping

Procedure
Process Control, Risk Management, and Access Control are provided as add-on components for SAP
NetWeaver. You start and stop them with SAP NetWeaver Web Application Server.

RECOMMENDATION

For more information about STARTSAP/STOPSAP and SAPMMC, see the Technical Operations Manual for
SAP NetWeaver at http://help.sap.com/netweaver SAP NetWeaver Platform System
Administration and Maintenance Information

4.2 Backup and Restore

You need to back up your system landscape regularly to ensure that you can restore and recover it in
case of failure. All application data for the applications reside in the underlying database. No special
backup and recovery methods apply for this component.
The applications rely on the SAP NetWeaver ABAP standard capabilities for the technical operations.
The configuration data is stored in the Implementation Guide (IMG) database tables. These settings
are established during the Customizing activities during implementation (transaction SPRO).

NOTE

If you use a document management system (DMS) that stores data outside of the underlying
database, refer to the backup and restore recommendations for that DMS.

4.3 System Copy

For a system copy of Process Control, Risk Management or Access, the standard procedures of SAP
NetWeaver apply.

2013-07-25 PUBLIC 23/40

4 Managing the Application
4.4 Periodic Tasks

RECOMMENDATION

For more information, see the Technical Operations Manual for SAP NetWeaver in the SAP Library.
Heterogeneous system copies are performed on request and on a project basis. For more
information, see http://service.sap.com/osdbmigration.

NOTE

A client copy from one system into another system with a different operating system or database
is not an alternative to a complete heterogeneous migration. For example, client copies do not
ensure that all repository changes are taken over into the new system. Therefore, if you want to
change your database or application server platform, a heterogeneous system copy is the only
procedure that ensures full data replication.

4.4 Periodic Tasks

The information in this section applies to Process Control, Risk Management and Access Control. In
addition to the standard jobs mentioned in the Technical Operations Manual for SAP NetWeaver, Process
Control, Risk Management and Access Control specific jobs must be scheduled in your system. Run
all jobs, unless otherwise specified, at times of minimal system activity (so as not to affect performance
or otherwise disrupt your daily operations). All jobs can be restarted. There are no dependencies
between the jobs.

4.4.1 Scheduled Periodic Tasks

This information applies to Access Control, Process Control and Risk Management (unless noted).
This information describes the tasks required to keep the application running smoothly. You can
configure the tasks to automatically run. It is important that you monitor the execution of these tasks
on a regular basis. The tasks are scheduled using transaction SM36, except for the Background Job for Missed
Deadlines, which uses transaction SWU3.
Scheduled Periodic Tasks
Program Name/Task Recommended Frequency Description
Schedule Background Job for Every 3 minutes Specify a time interval at which the
Missed Deadlines background job is called regularly. With
each execution, the background job
checks whether new deadlines have been
missed since the last time it ran.
Schedule Job for Sending E-Mail Every 3 minutes This program checks whether there are
new work items for Process Control and
Risk Management, and determines the e-
mail addresses of the work item recipients.
GRFN_AM_JOBSTEP_MONITOR Hourly The monitoring program to update job /
job step status.

24/40 PUBLIC 2013-07-25

4 Managing the Application
4.4 Periodic Tasks

Program Name/Task Recommended Frequency Description

/GRCPI/GRIA_AM_CHANGELOG (in Daily This program captures the GRC PC
plug-in system. Process Control change log.
only)
Transfer Work Items to Daily The program transfers work items from
Replacement users that are no longer working in
Process Control and Risk Management to
the replacement users entered in the
system for these users.
Maintain DataMart Daily Schedule the report
GRFN_DATAMART_MAINTAIN. This can be
used for maintaining and uploading the
data to DataMart.
Execute KRI Queries and Evaluate Daily Schedule the report GRRM_KRI_RUNTIME.
Business Rules You schedule this job to query the KRI
(Risk Management only) values from the source systems, such as
SAP NetWeaver Business Warehouse or
SAP ERP, and the business rules are
evaluated to attain risk alerts.
Carryforward after Sign-Off After event Schedule the program close
(Process Control only) (GRPC_CLOSING_BACKGROUND). Once sign-
off has been performed for an
organization, the program copies any
open cases to the new timeframe, and
clears the workflows.
Document Copy after Sign-Off After event Schedule a job so that, after tasks have
(Process Control only) been carried forward into a new
timeframe, the documents for those tasks
are also copied into the new timeframe.
This applies to documents that were
created for issues or remediation plans
during assessment and tests.

Access Control Synchronization Tasks

The following tasks are accomplished through the Customizing activities (transaction SPRO) found at
SAP Reference IMG Governance, Risk, and Compliance Access Control Synchronization Jobs . Also, refer to
the documentation next to each activity for detailed directions.

NOTE

The frequencies are recommendations, but adjust these according to your business need. For
example, when you are first implementing the product, you might want to run these tasks more
often.

Access Control Synchronization Tasks

Customizing Task Name Recommended Frequency Transaction
Authorization Synch Weekly GRAC_AUTH_SYNC

2013-07-25 PUBLIC 25/40

4 Managing the Application
4.5 Load Balancing

Customizing Task Name Recommended Frequency Transaction

Repository Object Synch Daily GRAC_REP_OBJ_SYNC
(includes Profile, Role and User
Synchronization)
Action Usage Synch Daily GRAC_ACT_USAGE_SYNC

Role Usage Synch Daily GRAC_ROLE_USAGE_SYNC

Firefighter Log Synch Daily GRAC_SPM_LOG_SYNC

Firefighter Workflow Synch Daily GRAC_SPM_WF_SYNC

Fetch IDM Schema as needed GRAC_IDM_SCHEMA_SYNC

EAM Master Data Synch as needed GRAC_SPM_SYNC

4.5 Load Balancing

Process Control, Risk Management and Access Control use SAP NetWeaver for load balancing.

RECOMMENDATION

For more information, see the Technical Operations Manual for SAP NetWeaver at http://
help.sap.com/netweaver SAP NetWeaver Platform System Administration and Maintenance
Information

4.6 User Management

Process Control, Risk Management and Access Control use SAP NetWeaver for user management.

RECOMMENDATION

For more information, see the documentation on the SAP Help Portal at help.sap.com/
netweaver.

` ͧœ For specific user management and authorization functions, see the application security guides
at http://help.sap.com/grc.

4.7 Printing
Process Control, Risk Management, and Access Control use SAP NetWeaver for printing.

RECOMMENDATION

For more information, see the Technical Operations Manual for SAP NetWeaver at http://
help.sap.com/netweaver SAP NetWeaver Platform System Administration and Maintenance
Information

26/40 PUBLIC 2013-07-25

5 High Availability

5 High Availability

Process Control, Risk Management, and Access Control use SAP NetWeaver for high availability.

Integration
RECOMMENDATION

For more information, see the documentation at http://www.sdn.sap.com/irj/sdn/ha.

2013-07-25 PUBLIC 27/40

This page is left blank for documents
that are printed on both sides.
6 Software Change Management
6.1 Transport and Change Management

6 Software Change Management

Software Change Management standardizes and automates software distribution, maintenance, and
testing procedures for software landscapes and multiple software development platforms. These
functions support your project teams, development teams, and application support teams.
Software Change Management establishes solution-wide change management that allows for specific
maintenance procedures, global rollouts (including localizations), and open integration with third-
party products.
This section provides additional information about the most important software components.
The following topics are covered:
—Ö7Ê Transport and Change Management:
Enables and secures the distribution of software changes from the development environment to
the quality assurance and production environment.
—Ö7Ê Development Request and Development Release Management:
Enables customer-specific maintenance procedures and open integration with third-party
products.
—Ö7Ê Template Management:
Enables and secures the rollout of global templates, including localizations.
—Ö7Ê Quality Management and Test Management:
Reduce the time, cost, and risk associated with software changes.
—Ö7Ê Support Packages and SAP Notes Implementation:
Provide standardized software distribution and maintenance procedures.
—Ö7Ê Release and Upgrade Management:
Reduces the time, cost, and risk associated with upgrades.

6.1 Transport and Change Management

For transport and change management issues, the procedures of SAP NetWeaver apply.

RECOMMENDATION

For more information, see the Technical Operations Manual for SAP NetWeaver at http://help.sap.com/
netweaver SAP NetWeaver Platform System Administration and Maintenance Information

2013-07-25 PUBLIC 29/40

6 Software Change Management
6.2 Development Requests and Development Release Management

6.2 Development Requests and Development Release

Management
The standard procedures of SAP NetWeaver apply. For more information, see the Technical Operations
Manual for SAP NetWeaver in the SAP Library.

6.3 Quality Management and Test Management

You can use the SAP NetWeaver Development Infrastructure to learn about the various possibilities to
test your software changes.

6.4 Support Packages and Patch Implementation

We recommend you implement Support Package Stacks (SP-STACKS), which are sets of Support
Packages and patches for the respective product version that must be used in the given combination.
Read the corresponding Release and Information Notes (RIN) before you apply any Support Packages
or Patches of the selected SP-Stack.
The RIN and support packages for Process Control, Risk Management, and Access Control are available
in the SAP Service Marketplace at http://service.sap.com/patches.

RECOMMENDATION

For information about the tools required for implementing patches, see the Technical Operations
Manual for SAP NetWeaver at http://help.sap.com/netweaver SAP NetWeaver Platform System
Administration and Maintenance Information

30/40 PUBLIC 2013-07-25

7 Troubleshooting

7 Troubleshooting

Access Control, Process Control, and Risk Management are provided as add-on components for SAP
NetWeaver and use the same troubleshooting tools for the SAP NetWeaver Application server.

RECOMMENDATION

For more information about troubleshooting the SAP NetWeaver Application server, see the
Technical Operations Manual for SAP NetWeaver.

Use the following components when reporting issues:

«Ú3Ï´ GRC-SAC for Access Control
«Ú3Ï´ GRC-SPC for Process Control
«Ú3Ï´ GRC-RM for Risk Management

Process

Troubleshooting Process Control Scheduler

The following troubleshooting procedure applies to the Process Control scheduler function only.
Symptom
The Monitor Scheduler does not display Completed.
Procedure
1. Determine if the cause is in Process Control or the ERP server.
1. In the Monitor Scheduler, select the line item and click Show Log. The details screen appears.
2. Select the job and click Job Status. This shows the job log for process control. If the Job Detail
button is disabled, the cause is in Process Control. If the Job Detail button is enabled, the cause
is in the ERP application.
2. Do the following to troubleshoot issues in Process Control:
1. In transaction SM37, enter the job name, user, and date, and click Log to display the Job Status.
2. If there is an ABAP dump, click the line item or go to transaction ST22 to view more information
to address the issue.
3. Do the following to troubleshoot issues in the ERP server:
1. In transaction SM37, enter the job name and date, and click Log to display the Job Detail.
2. If there is an ABAP dump, click the line item or go to transaction ST22 to view more information
to address the issue.
The information for troubleshooting Process Control is maintained in SAP Notes. For troubleshooting
information, see SAP Note 1302302 Troubleshooting Guides for PC.

2013-07-25 PUBLIC 31/40

This page is left blank for documents
that are printed on both sides.
8 Configuring Remote Connection to SAP Support
8.1 Read Only Role

8 Configuring Remote Connection to

SAP Support

SAP offers access to remote support and remote services. You have to set up a remote network
connection to SAP.

RECOMMENDATION

For more information, see SAP Service Marketplace at http://service.sap.com/

remoteconnection.

8.1 Read Only Role

For remote support from SAP, a support user must have read-only access to the support tools. Since
these applications are built upon the NetWeaver ABAP stack, a support user can use the SAP standard
CSS remote support tool which is accessible through the SAPGUI or web browser.

Integration
The read-only roles are as follows:
�n™Ù�“ SAP_GRAC_DISPLAY_ALL for Access Control
�n™Ù�“ SAP_GRC_FN_DISPLAY for Process Control and Risk Management

2013-07-25 PUBLIC 33/40

This page is left blank for documents
that are printed on both sides.
9 Appendix
9.1 Categories of System Components for Backup and Restore

9 Appendix

9.1 Categories of System Components for Backup and

Restore
Categories of
System Suggested Methods for Backup and
Components Category Properties Restore Examples
I Only software, no No backup, new installation in case of BDOC modeler
configuration, or a recovery
application data Initial software backup after
installation and upgrade
Backup of log files
II Only software and Backup after changes have been SAP Gateway
configuration applied
information, no No backup, new installation, and Communication Station
application data configuration in case of a recovery
Backup of log files SAP Business Connector,
SAP IPC (2.0C)
III Only replicated Data SAP IMS/Search
application data, No data backup needed Engine
replication time is
Backup of software, configuration, SAP IPC (2.0B)
sufficiently small for a
log files
recovery
IV Only replicated Data SAP IMS/Search
application data, Application specific file system Engine
backup recommended backup or
because replication
Multiple instances Web server
time is too long, data
not managed by a Backup of software, configuration, SAP IPC (2.0B)
DBMS log files
V Only replicated Data SAP IPC (2.0B)
application data, Database and log backup or Catalog Server
backup recommended
Multiple instances Web server
because replication
time is too long, data Backup of software, configuration, SAP IPC (2.0B)
managed by a DBMS log files

Categories of
Systems Category
Components Properties Suggested Methods for Backup and Restore Examples
VI Original Data Web Server
application Application specific file system backup
data, Backup of software, configuration and log files

2013-07-25 PUBLIC 35/40

9 Appendix
9.1 Categories of System Components for Backup and Restore

Categories of
Systems Category
Components Properties Suggested Methods for Backup and Restore Examples
standalone
system, data
not managed
by a DBMS
VII Original Data none available
application Database and log backup
data, Backup of software, configuration and log files
standalone
system, data
managed by a
DBMS, not
based on SAP
NetWeaver
Application
Server
VIII Original Data Standalone SAP
application Database and log backup, application log backup SAP ERP
data, (such as job logs in file system) none available
standalone Backup of software, configuration and log files
system, based
on SAP
NetWeaver
Application
Server
IX Original Data none available
application Application specific file system backup, data
data, data consistency with other systems must be considered
exchange with Backup of software, configuration, log files
other systems,
data not
managed by a
DBMS
X Original Data SAP Live Cache
application Database and log backup, data consistency with other SAP Mobile
data, data systems must be considered Workbench
exchange with Backup of software, configuration, log files
other systems,
data managed
by a DBMS, not
based on SAP
NetWeaver
Application
Server
XI Original Data SAP ERP
application Database and log backup, application log backup SAP CRM
data, data (such as job logs in the system), data consistency with SAP APO
exchange with other systems must be considered

36/40 PUBLIC 2013-07-25

9 Appendix
9.2 Related Information

Categories of
Systems Category
Components Properties Suggested Methods for Backup and Restore Examples
other systems, Backup of software, configuration, log files SAP NetWeaver
based on SAP Business Warehouse
NetWeaver
Application
Server

9.2 Related Information

The following table contains links to information relating to the Solution Operation Guide.
Content Quick Link to the SAP Service Marketplace (http://service.sap.com)
Master Guide, Installation Guide and /instguides
Upgrade Guide /ibc

Related SAP Notes /notes

Released Platforms /platforms

Network Security /securityguide

/network

Technical Infrastructure /ti

SAP Solution Manager /solutionmanager

2013-07-25 PUBLIC 37/40

 SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

© Copyright 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission
of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software
vendors.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission
of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software
vendors. National product specifications may vary.
These materials are provided by SAP AG and its affiliated companies (“SAP Group”) for informational purposes only, without
representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP Group products and services are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP AG in Germany and other countries.
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark
information and notices.

Disclaimer
Please see http://www.sap.com/corporate-en/legal/copyright/index.epx for disclaimer information and notices.

Documentation in the SAP Service Marketplace

You can find this document at the following address: http://help.sap.com/grc

38/40 PUBLIC 2013-07-25

 SAP AG
Dietmar-Hopp-Allee 16
69190 Walldorf
Germany
T +49/18 05/34 34 34
F +49/18 05/34 34 20
www.sap.com

© Copyright 2013 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained
herein may be changed without prior notice.