
Hands-On Lab: How to Set Up and Configure SAP Process Control
(Based on SAP Process Control 10.1)

Jessica Scott and Mel Hensey

Deloitte

jessicascott@deloitte.com

mhensey@deloitte.com

SECTION 1 - Lab Contents

• Section 1: Lab Introduction
   o Lab Overview
   o Lab Schedule
   o Lab User Access Information
• Section 2: SAP Process Control Master Data Creation
• Section 3: SAP Process Control Automated Rule Configuration

SECTION 1 - Lab Overview

• The GRC system for this lab is running locally on the laptops and not on a server across the network.
• We have 40-50 GRC systems running here, one per laptop.
   o This was done to guarantee performance and complete independence from others working on the same system.
• The system is strictly yours and not shared.
• The laptop is running VM Workstation 10.
• The GRC system is running on SUSE Linux 11.3 Server and uses a MAXDB database.
• The GRC system is based on SAP NetWeaver 7.40 SP13.
• The GRC system is running GRCFND_A 10.1, SP11.
• The GRC plug-in is installed and is version 10.1, SP11.
• The SAP GUI is installed and is version 7.40 SP2.

SECTION 1 - Lab Schedule

Thursday, March 17th, 2016

Section 1 – Lab Overview          10 Minutes (3:00 – 3:10)
Lab – Section 2 Overview          10 Minutes (3:10 – 3:20)
Lab – Section 2 Hands On Lab      70 Minutes (3:20 – 4:30)
Short Break                       10 Minutes (4:30 – 4:40)
Lab – Section 3 Overview          10 Minutes (4:40 – 4:50)
Lab – Section 3 Hands On Lab      70 Minutes (4:50 – 6:00)

SECTION 1 - Lab User Access Information

• SAP System SID is “GRD”

• Client number is 600 (if default is 200, must specify 600 when logging in)

• Server host is “USSLTCSNL1271”

• Instance number is 00

• Start the SAP GUI

• Launch the GRD LAB system GUI

• Log in to client 600 as grctrain1 or grctrain2 with password of “grc2016lab”

• Launch Transaction “NWBC” for the GRC Web Interface

SECTION 2 – SAP Process Control Master Data Creation

[Figure: Section 2 lab flow. Boxes: Log in to the System; Access NetWeaver Business Client (NWBC); Review Regulation Hierarchy; Review Process Structure; Create Subprocess; Map Regulation to Subprocess; Create Control; Map Regulation and Regulation Requirement to Control; Review Organization Hierarchy; Create an Organization; Map Subprocess and underlying Controls to Organization; Review Master Data Level Security Roles (Control Owner / Control Tester)]

Section 2, Step 1 – Startup and Login

Note: The lab system should have the VMware Workstation Lab System “USSLTCSNL1271” loaded and running for you already. If you get an error when accessing the system using the SAP GUI in the next step, contact the instructor.

1) Start SAP GUI and connect to GRD LAB System.

2) SAP Login screen. Log in to the GRD system.

3) Log in to client 600 with user grctrain1 (or grctrain2 for some parts of the lab) and password “grc2016lab”.

Section 2, Step 2 – Navigate to NWBC / GRC Front End (NAVIGATION ONLY, NO CHANGES)

1) To navigate to the GRC Front End, enter transaction NWBC in the transaction window to the right of the green check. (NWBC = NetWeaver Business Client)

TIP: If you are not currently at the main menu but inside another screen or transaction, enter /nNWBC to run the NWBC transaction.

The NWBC screen should appear in a new browser window (pop up). The screen defaults to the “My
Home” tab.

This completes the navigation to the NWBC screen.

Section 2, Step 3 – Review Regulation Hierarchy (REVIEW ONLY, NO CHANGES)

PURPOSE: To understand navigation and key characteristics of the Regulation Hierarchy.

FROM PRIOR STEP: The NWBC screen should be open.

1) Select the “Master Data” tab at the top of the NWBC screen.

The Master Data tab and underlying sub-menus are displayed.

Note the sub-menu headings that correspond to the three key Master Data hierarchies:

• Organizations
• Regulations and Policies
• Activities and Processes

2) Select the “Regulations” task within the “Regulations and Policies” sub-menu.

The Regulation Hierarchy screen is displayed.

KEY FEATURE: Note the summary of key data fields (right-hand pane) for the item highlighted in
the hierarchy (left-hand pane).

3) Select “Actions” > “Expand All” to display all nodes in the hierarchy.

All of the Regulation Hierarchy nodes are displayed.

BUILDING BLOCKS: Note that there are three types of nodes displayed for Regulations: Regulation Group, Regulation, and Regulation Requirement.

Regulation Group is the highest level node type in the hierarchy; it may be subordinate to another Regulation Group. In this way, it is possible for a regulation hierarchy to be constructed that is more than three levels deep.

A Regulation is always subordinate to a Regulation Group; it may NOT be subordinate to another Regulation. Multiple Regulations may be present under a single Regulation Group.

A Regulation Requirement is always subordinate to a Regulation; it may NOT be subordinate directly to a Regulation Group or to another Regulation Requirement. Multiple Regulation Requirements may be present under a single Regulation.

4) Select the “Sarbanes-Oxley (SOX)” Regulation to highlight it and then select “Open”.

The Regulation details pane is displayed.

HEADS UP: Note that there is a dropdown to select a specific pre-configured value (in this case
“SOX”) that must be associated to the Regulation when it is initially created.

A configured value (Regulation Configuration) may only be associated with a single Regulation, and each
Regulation in the hierarchy requires its own unique configured value.

SAP delivers two regulations (SOX and FDA) which may be activated via configuration and used to model
configuration for additional regulations. Additional Regulations may be configured as required to meet
specific compliance needs (e.g., NERC/FERC). For the purpose of this lab exercise the SAP delivered
regulations (SOX and FDA) have been activated. Please retain SOX for the current exercise.

NOTE: Configuration of Regulation values is not in scope for this workshop.

5) Exit the Regulation screen by selecting the “X” in the top right corner.

The Regulation Hierarchy screen remains open.

6) Exit the Regulation Hierarchy screen by selecting the “X” in the top right corner.

This completes the review of the Regulation Hierarchy.

Section 2, Step 4 – Review Process Structure; Set Date

PURPOSE: To understand navigation and key characteristics of the Process Structure [hierarchy].

FROM PRIOR STEP: The Master Data tab and underlying sub-menus remain open.

1) Select the “Business Processes” task within the “Activities and Processes” sub-menu.

The Process Structure screen is displayed.

KEY FEATURE: Note the summary of key data fields (right-hand pane) for the item highlighted in
the hierarchy (left-hand pane).

KEY FEATURE: The “Date” field that is present on the hierarchy screen for each type of master data
may be changed using the dropdown and selecting “Apply”. Note that this drives two functions:
(1) display of the hierarchy that is effective at a particular point in time, and (2) setting the date
that will default into the “Valid From” date when creating or changing master data.

TIP: Always confirm that the “Date” is set as expected prior to creating or updating master data.
The “Advanced” function may be used to set the date so it will stay the same whenever any master
data screen is accessed during the session.

2) Using the “Advanced” function, select “Fixed Date” and use the date dropdown to set the date to
15.01.2015 (January 15, 2015), then select “OK” to complete.

3) Confirm that the “Date” field now displays “15.01.2015”.

4) Select “Actions” > “Expand All” to display all nodes in the structure.

All of the structure nodes are now displayed (see system screenshot below).

BUILDING BLOCKS: Note that there are three types of nodes displayed in the Process Structure: Process, Subprocess, and Control.

Process is the highest level node type in the structure; it may be subordinate to another Process. In this way, it is possible for a process structure to be constructed that is more than three levels deep.

A Subprocess is always subordinate to a Process; it may NOT be subordinate to another Subprocess. Multiple Subprocesses may be present under a single Process.

A Control is always subordinate to a Subprocess; it may NOT be subordinate directly to a Process or to another Control. Multiple Controls may be present under a single Subprocess (and typically are).

5) Select the “1 - Accounting” Process to highlight it and then select “Open” to review it.

The Process details pane is displayed.

BUILDING BLOCKS: Asterisked fields require input before a new Process may be saved.

- “Name”: Restricted to 40 characters
- “Description”: To further describe the Process if necessary beyond the 40 character limitation of the “Name”

BEST PRACTICE: It is recommended that the “Name” provided for each master data element be
unique, although the system does not require it. Identical names can be confusing when master
data is presented in list displays and reports.

6) After your review, exit the Process screen by selecting the “X” in the top right corner.

Section 2, Step 5 – Create a new Subprocess; Map a Regulation to the Subprocess

PURPOSE: To add a new Subprocess node within the Process Structure and subsequently map relevant Regulations from the Regulation Hierarchy.

FROM PRIOR STEP: The Process Structure screen is displayed, or otherwise navigate via the “Master Data” tab, “Business Processes” task.

1) Confirm that the “Date” is set to “15.01.2015” (January 15, 2015) or other date provided by the workshop leader.

2) Select Process “6 – Sales Management” to highlight it and then select “Create”, and then select
“Subprocess” from the drop-down.

The “Central Subprocess” new entry screen is displayed, “General” tab.

KEY FEATURE: Note that the “Valid From” date defaults to the value of “Date” from the prior
screen, and the “Valid To” date defaults to the value “31.12.9999” (December 31, 9999), or
indefinite.

KEY FEATURE: Note that there is a system-generated unique “ID” for every master data object
created within GRC.

3) Enter the following text into the “Name” field: “6.1 - Customer Master Data”. This field is restricted
to 40 characters.

BEST PRACTICE: It is recommended that the “Name” provided for each master data element be
unique, although the system does not require it. Identical names can be confusing when master
data is presented in list displays and reports.

4) Enter the following text into the “Description” field: “6.1 - Customer Master Data - Process -
description”.

5) Select the “Regulations” tab.

BUILDING BLOCKS:

Subprocesses are mapped to one or more Regulations so that underlying Controls may be subsequently mapped to the Regulation and underlying Regulation Requirements.

Subprocesses may be mapped to multiple Regulations; Regulations may be mapped to multiple Subprocesses.

The “Regulations” tab is displayed.

6) Select “Add”, select “Sarbanes-Oxley (SOX)” from the list of Regulations, and select “OK”. NOTE: If
“SOX” appears in the list twice, select the first instance.

The “Regulations” tab now lists the selected Regulation.

7) Select “Save”.

The display returns to the Process Structure screen with the message that “Data has been saved”.

This completes the creation of the “6.1 - Customer Master Data” Subprocess and the linking of the
“Sarbanes-Oxley (SOX)” Regulation.

Section 2, Step 6 – Create a new Control; Map a Regulation and Regulation Requirement to the Control

PURPOSE: To add a new Control within the Process Structure and subsequently map relevant Regulations and Regulation Requirements from the Regulation Hierarchy.

FROM PRIOR STEP: The Process Structure screen is displayed, or otherwise navigate via the “Master Data” tab, “Business Processes” task.

1) Confirm that the “Date” is set to “15.01.2015” (January 15, 2015) or other date provided by the workshop leader.

2) Select Subprocess “6.2 - Customer Credit Management” to highlight it.

3) Select “Create”, and then select “Control” from the drop-down.

The “Central Control” new entry screen is displayed, “General” tab.

KEY FEATURE: Note that the “Valid From” date defaults to the value of “Date” from the prior
screen, and the “Valid To” date defaults to the value “31.12.9999” (December 31, 9999), or
indefinite.

4) Enter the following text into the “Name” field: “CR-621 – Credit Limit Sales Order Block”. This field
is restricted to 40 characters.

5) Enter the following text into the “Description” field: “SAP is configured with automatic credit
checking to block production orders / planned orders when they exceed credit limits in SAP.”

6) For the remaining fields, select the indicated values from the dropdown lists.

BUILDING BLOCKS: Most of these fields are “information only”, that is, they document characteristics of the Control for documentation purposes, but do not drive or control action within the GRC tool. Asterisked fields require input before a new Control may be saved.

7) Select the “Regulations” tab.

BUILDING BLOCKS: Controls are mapped to one or more Regulations and underlying Regulation
Requirements in order to support compliance tasks.

Regulations and underlying Regulation Requirements may be mapped to multiple Controls.

The “Regulations” tab is displayed.

8) Select “Add”.

9) Select “Sarbanes-Oxley (SOX)” from the list of Regulations.

10) Select “OK”.

KEY FEATURE: Multiple Regulations may be selected (test Control once, satisfy many
Regulations concept).

HEADS UP: Note that the Regulation must be mapped to the Control’s parent Subprocess
before it can be linked to the Control.

The “Regulations” tab now lists the selected Regulation.

KEY FEATURE: Note that, by selecting “Maintain Regulation-Specific Attributes” = “Yes”, it is possible to change characteristics of the Control as it applies to the specific Regulation. No changes are required to complete this exercise.

11) Select the “Requirement” tab.

The “Regulation Requirement” tab is displayed.

12) Select “Add”, then select “SOX Section 404” from the list of Regulation Requirements, then select
“OK”.

KEY FEATURE: Multiple Regulation Requirements may be selected.

The “Requirement” tab now lists the selected Regulation Requirement.

13) Select “Save”.

The display returns to the Process Structure screen with the message that “Data has been saved”.

The Process Structure screen remains open.

14) Exit the screen by selecting the “X” in the top right corner.

This completes the creation of the “CR-621 – Credit Limit Sales Order Block” Control and the linking of
the “Sarbanes-Oxley (SOX)” Regulation and underlying “SOX Section 404” Regulation Requirement.

Section 2, Step 7 – Review Organization Hierarchy (REVIEW ONLY, NO CHANGES)

PURPOSE: To understand navigation and key characteristics of the Organization Hierarchy.

FROM PRIOR STEP: The Master Data tab and underlying sub-menus remain open.

1) Select the “Organizations” task within the “Organizations” sub-menu.

The Organizations screen is displayed.

2) Confirm that the “Date” field displays “15.01.2015” (January 15, 2015).

3) Select “Actions” > “Expand All” to display all nodes in the hierarchy.

All of the Organization Hierarchy nodes are now displayed (see system screen print below).

BUILDING BLOCKS: Note that, unlike the Regulation Hierarchy and Process Structure, there are only two different types of Organization nodes:

A single ROOT node is the highest level node type in the structure; all other nodes are directly or indirectly subordinate to the root node.

The root node and one child node must be created via configuration; all other nodes are created in the front end. In this structure, “ABC Corporation” is the root node and “Accounting” is the child node that was created during configuration of the root node.

Multiple nodes may be present under any single node. The hierarchy may be many levels deep.

4) Select the “Information Technology” node to highlight it and then select “Open”.

The Organization details screen is displayed.

BUILDING BLOCKS:

- “Name”: Restricted to 40 characters
- “Description”: To further describe the Organization if necessary beyond the 40 character limitation of the “Name”
- Asterisked fields require input before a new Organization may be saved.

BEST PRACTICE: It is recommended that the “Name” provided for each Master Data element
be unique, although the system does not require it. Identical names can be confusing when
master data is presented in list displays and reports.

5) After completing the review, exit the Organization details pane by selecting the “X” in the top right
corner.

Section 2, Step 8 – Create an Organization; Map a Subprocess and Underlying Controls

PURPOSE: To add a new Organization node within the Organization Hierarchy and subsequently map a relevant Subprocess and underlying Controls from the Process Structure. GRC requires Controls to be associated with an Organization before compliance activities can be performed.

FROM PRIOR STEP: The Organizations screen is displayed, or otherwise navigate via the “Master Data” tab, “Organizations” task.

1) Confirm that the “Date” is set to “15.01.2015” (January 15, 2015) or other date provided by the workshop leader.

2) Select Organization node “Americas” to highlight it.

3) Select “Add”.

The “Create Organization” new entry screen is displayed, “General” tab.

KEY FEATURE: Note that the “Valid From” date defaults to the value of “Date” from the prior
screen, and the “Valid To” date defaults to the value “31.12.9999” (December 31, 9999), or
indefinite.

KEY FEATURE: Note that there is a system-generated unique “ID” for every master data object
created within GRC.

4) Enter the following text into the “Name” field: “Sales & Marketing (Americas)”. This field is
restricted to 40 characters.

BEST PRACTICE: It is recommended that the “Name” provided for each master data element
be unique, although the system does not require it. Identical names can be confusing when
master data is presented in list displays and reports.

5) Enter the following text into the “Description” field: “Sales & Marketing (Americas) - Organization -
description”.

For purposes of this exercise, it is not necessary to change the defaulted values for the remaining
fields.

6) Select the “Subprocess” tab.

BUILDING BLOCKS: Organizations at any level may be mapped to one or more Subprocesses
and underlying Controls in order to support compliance tasks.

Subprocesses and underlying Controls may be mapped to multiple Organization nodes.

The “Subprocess Assignment” screen is displayed.

7) Select “Assign Subprocess”.

8) Select “6.2 - Customer Credit Management” from the list of Subprocesses.

9) Select “Next”.

The “Subprocess Assignment” screen now lists the selected Subprocess.

10) Accept the default response “No” for “Allow Local Changes” and select “Next”.

KEY FEATURE: Central Control (Allow Local Changes = “No”) vs. Local Control (Allow Local Changes = “Yes”)

Central Control – exists within the Process Structure
• Maintained in the Process Structure
• Control attributes are maintained centrally and pushed out to all organizational assignments
• Can utilize shared services
• All controls within a subprocess are mapped to each linked organization
• Cannot be used as mitigating controls

Local Control – an instance of a control mapped from the Process Structure to an Organization
• Maintained in the Process Structure or Organizational Hierarchy (based upon configuration)
• Attributes are maintained specifically for each organization (based upon configuration)
• Cannot utilize shared services
• Any or all controls within a subprocess may be mapped independently to each linked organization
• Can be used as mitigating controls (in conjunction with the GRC Access Control module)

The “Subprocess Assignment” screen now lists the Control(s) associated with the selected subprocess,
as well as any risks that have been linked to the controls (risks are not in scope for this workshop).

11) Select “Submit”.

The screen displays “The assignments are made . . .”

12) Select “Finish”.

The added subprocess now displays as being linked on the “Subprocess” tab. The underlying control(s)
may also be listed by selecting the expansion icon (triangle).

13) Select “Save”.

The display returns to the “Organizations” screen with the message “Organization created
successfully”.

The Organizations screen remains open.

14) Exit the screen by selecting the “X” in the top right corner.

This completes the creation of the “Sales & Marketing (Americas)” Organization and the linking of the
“6.2 - Customer Credit Management” Subprocess.

Section 2, Step 9 – Review Front End Assignment (REVIEW ONLY, NO CHANGES)

PURPOSE: Review the front-end role assignments that identify workflow task owners for the Control that will be set up in Section 3 for automated monitoring. User IDs assigned as Control Owners receive issues in their work inboxes as a result of control deficiencies identified during automated control monitoring.

FROM PRIOR STEP: The Master Data tab and underlying sub-menus remain open.

1) Select the “Access Management” tab.

2) Select the “Business Processes” task within the “GRC Role Assignments” sub-menu.

The “Assign Process, Subprocess and Control Roles” screen appears.

3) Enable the “Control” checkbox in the “Select Role Levels to be assigned” section.

4) Select “No” under the “Show Cross-Regulation Roles?” section.

5) Select “Add” Regulations.

The “Select Regulations to Filter” pop-up appears.

6) Select the first instance of the “Sarbanes-Oxley (SOX)” Regulation listed in the “Available” pane and
select the arrow icon to move it to the “Selected” pane.

The “Sarbanes-Oxley (SOX)” Regulation is moved to the “Selected” pane.

7) Select “OK”.

8) Add a filter to narrow down the items presented on the subsequent screen by selecting “Add” under
“Filters: Process”, moving the “2 - Information Technology” Process to the “Selected” pane, and
selecting “OK”.

9) Once selections and filters have been completed, select “Next”.

The “Assignments” screen is displayed.

10) Note that the User named “GRC GRCTRAIN1” has been assigned as the Control Owner for Control
“IT-232 – Monitor Client Setting Changes” as linked to the “Information Technology” Organization,
and that the User named “GRC GRCTRAIN2” has been assigned as the Control Tester.

BUILDING BLOCKS: Each column on the assignment screen represents a role that has been
configured to receive specific workflow tasks. Specific Users are entered at the intersection of a
role with a specific entity, in this case, a Control.

The Control Tester is the default role to perform regulation-specific control testing (in this
case, SOX). Users with such roles will receive the task to perform or confirm the results of
a control test in their work inbox.

The Control Owner is the default role to receive issues that result from regulation-specific control monitoring.

This completes the Review of Front End Assignments for the Control “IT-232 – Monitor Client Setting
Changes”.

This completes SECTION 2 – SAP Process Control Master Data Creation.

SECTION 3 – SAP Process Control Automated Monitoring

[Figure: Section 3 lab flow. Boxes: Create Data Source; Create Business Rule; Assign Business Rule to Control; Schedule Automated Monitoring Job; Receive Exception Task in Work Inbox; Review Monitoring Exception Details; Take Required Action; Close Issue]

Section 3, Step 1 – Create Data Source

The automated monitoring process starts with the creation of a Data Source. To monitor any system in your IT landscape, GRC PC first has to be able to extract data from it. The data could be anything: configurations, master data, transactions, usage logs, or any structured information which the monitored system can provide on demand. Data Sources store the information about the actual sources of data in the remote systems which will be invoked when an automated monitoring rule runs.

For the purpose of this exercise, we are building a Data Source to pull information from table T000 in system GRDCLNT600, which contains information about “client maintenance settings”.

1) Navigation Path: Rule Setup >> Continuous Monitoring >> Data Sources.

2) If the date field is not visible, select “Show Quick Criteria Maintenance”; confirm that the date is set
to 14.01.2015 (January 14, 2015) or use the date dropdown to select it; then select “Apply”.

3) Click on “Create”.

4) Enter details in the “General” tab:
   a. Data Source – Enter name for the Data Source – “Client Maintenance Settings v2”
   b. Description – Enter description – e.g., “Data Source for table T000 to monitor client maintenance settings”
   c. Valid From – By default Today’s Date if the date has not been reset to “14.01.2015” as shown in task 2 for this exercise
   d. Valid To – By default 31.12.9999 – retain for this exercise
   e. Status – Select “In Review” from drop-down
   f. Navigate to “Object Field” tab

5) Enter the following details in “Object Field” tab:
a. Sub-Scenario – Select “Configurable” from drop-down for purpose of this exercise.

KEY FEATURE: Note that SAP delivers multiple sub-scenarios for selection at this step. These sub-scenarios are the different types of Data Source options available in PC. Details for each of the available sub-scenarios are as follows:

   i. ABAP Report – use to leverage suitable ABAP reports already available
   ii. SOD Integration – use to invoke access control risk analysis in the context of PC controls
   iii. BW Query – use to invoke queries against SAP BW
   iv. Configurable – use to monitor values or change logs for tables in remote systems
   v. Event – use value check
   vi. External Partner – use to define simple deficiency conditions for monitor expections or values
   vii. Process Integration – use to define simple deficiency conditions for monitor expections or values
   viii. Programmed – use to invoke programs available
   ix. SAP Query – query to invoke data from single or multiple tables based on query built in the backend

b. Connection Type – Auto populates to “SAP System”.

6) Select “Main Connector” – GRDCLNT600.

BUILDING BLOCKS: Note that, multiple connectors can be defined for selection at this step.
Typically ECC connectors are defined to monitor changes/values in the ECC systems. For the
purpose of this exercise, we have pre-set a connector to the same GRC system.

7) Click on “Main Table Lookup”.

8) Enter Table Name “T000” and click “Apply” in the pop-up window.

9) Select table “T000” entry and click “OK”.

10) Scroll Down on the main screen and click “Select Additional Table Fields”.

11) Select all the fields using the Right Double Arrow button. Click “OK”.

NOTE: Specific fields can be selected using the Single Right Arrow button but typically all the
fields are selected at this point to allow flexibility in building multiple Business Rules (if required)
with the same Data Source. PC allows re-use of a Data Source for multiple Business Rules.

12) Validate that fields are pulled to the main screen window and click on the “Adhoc Query” tab.

13) Select “Target Connector” from the drop-down – GRDCLNT600 – and click the “Execute Query” button to validate that data is pulled from the selected T000 source table for monitoring.

14) Click on “Connector” tab and validate your defined connector is displayed.

15) Click “Save” on the top.

16) Validate that the Data Source created is successfully SAVED.

17) Select the Data Source and click “Open”.

18) Select the “Status” drop-down and change value to “Active”. Click “Save”.

19) Saved Data Source is successfully ACTIVATED.

Section 3, Step 2 – Create Business Rule

The next step in the process of setting up automated monitoring is the creation of a Business Rule. Business Rules filter the data stream coming from Data Sources, and apply user-configured conditions and calculations against that data to determine if there is a problem which requires attention. In PC this is called a deficiency. The nature of the Business Rule depends strongly on the Data Source type, which is why the process of creating a Business Rule begins with Data Source selection.
For the purpose of this exercise, we are creating a Business Rule to monitor values for specific fields in table T000 – client maintenance settings. Details of the fields and values being monitored in this Business Rule are:

a. “Protection reg. client program and comparison tools” – There are 3 values that can be maintained for this field:
   i. Blank – Protection level 0: No Restriction
   ii. X – Protection level 1: No overwriting
   iii. L – No overwriting, no external availability
   Typically, the field is set to “L”, i.e., the client is not available externally and does not allow overwriting. In the Business Rule for this exercise, we will monitor if the value is not set to “L”.

b. “Changes and transports for client-specific objects” – There are 4 values that can be maintained for this field:
   i. Blank - No automatic recording of changes for transport
   ii. 1 - Changes are recorded in transport request
   iii. 2 - Customizing in this client cannot be changed
   iv. 3 - Customizing: Can be changed as req., but cannot be transp.
   Typically, the field is set to “2”, i.e., the changes and transports for this client cannot be changed. In the Business Rule for this exercise, we will monitor if the value is not set to “2”.

c. “Client Control: CATT und eCATT Authorization” – There are 5 values that can be maintained for this field:
   i. Blank - eCATT and CATT Not Allowed
   ii. X - eCATT and CATT Allowed
   iii. T - eCATT and CATT Only Allowed for 'Trusted RFC'
   iv. E - eCATT Allowed, but FUN/ABAP and CATT not Allowed
   v. F - eCATT allowed, but FUN/ABAP and CATT only for 'Trusted RFC'
   This field determines if you can run test cases, test scripts and test configurations in this client. Running such cases or scripts causes extensive database changes, which is typically not allowed. In this Business Rule, we will monitor if the value is set to “X”, i.e., running test scripts/cases/configuration is allowed in this client.
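
The three value checks described above, written out as an added example (it is not part of the original lab and is not SAP code), evaluated for the lab client 600. The technical T000 column names MANDT, CCCOPYLOCK, CCCORACTIV and CCIMAILDIS are assumptions, since the lab names the fields only by their descriptions, and the sample rows are constructed.

```python
from dataclasses import dataclass

# Assumed technical names for the T000 columns; the lab text gives only the
# field descriptions, so confirm them against the Data Source field list.
CLIENT = "MANDT"
COPY_PROTECTION = "CCCOPYLOCK"   # "Protection reg. client program and comparison tools"
CHANGE_RECORDING = "CCCORACTIV"  # "Changes and transports for client-specific objects"
CATT_AUTH = "CCIMAILDIS"         # "Client Control: CATT und eCATT Authorization"

# Value meanings as listed in the lab text; "" stands for a blank field.
MEANINGS = {
    COPY_PROTECTION: {
        "": "Protection level 0: No Restriction",
        "X": "Protection level 1: No overwriting",
        "L": "No overwriting, no external availability",
    },
    CHANGE_RECORDING: {
        "": "No automatic recording of changes for transport",
        "1": "Changes are recorded in transport request",
        "2": "Customizing in this client cannot be changed",
        "3": "Customizing: Can be changed as req., but cannot be transp.",
    },
    CATT_AUTH: {
        "": "eCATT and CATT Not Allowed",
        "X": "eCATT and CATT Allowed",
        "T": "eCATT and CATT Only Allowed for 'Trusted RFC'",
        "E": "eCATT Allowed, but FUN/ABAP and CATT not Allowed",
        "F": "eCATT allowed, but FUN/ABAP and CATT only for 'Trusted RFC'",
    },
}


@dataclass(frozen=True)
class ValueCheck:
    field: str
    operator: str   # "NE": deficient unless value == reference; "EQ": deficient if equal
    reference: str

    def __post_init__(self):
        if self.operator not in ("EQ", "NE"):
            raise ValueError(f"unsupported operator {self.operator!r}")

    def is_deficient(self, value):
        equal = value == self.reference
        return equal if self.operator == "EQ" else not equal


# The three deficiency criteria of the lab's Business Rule.
RULES = (
    ValueCheck(COPY_PROTECTION, "NE", "L"),
    ValueCheck(CHANGE_RECORDING, "NE", "2"),
    ValueCheck(CATT_AUTH, "EQ", "X"),
)


def normalize(value):
    """Blank CHAR fields can arrive as None, '' or spaces depending on the extractor."""
    return (value or "").strip()


def evaluate(rows, client="600", rules=RULES):
    """Return one finding per deficient field for the filtered client."""
    findings = []
    for row in rows:
        if normalize(row.get(CLIENT)) != client:
            continue  # filter criterion: only the selected client is monitored
        for rule in rules:
            if rule.field not in row:
                # A field missing from the extract must not pass as compliant.
                raise ValueError(f"{rule.field} not in extracted row for client {client}")
            value = normalize(row[rule.field])
            if rule.is_deficient(value):
                meaning = MEANINGS[rule.field].get(value, "value not listed in the lab text")
                findings.append({"client": client, "field": rule.field,
                                 "value": value, "meaning": meaning})
    return findings


# Constructed sample rows, not data from a real system.
SAMPLE_ROWS = [
    {"MANDT": "600", "CCCOPYLOCK": " ", "CCCORACTIV": "1", "CCIMAILDIS": "X"},
    {"MANDT": "200", "CCCOPYLOCK": "L", "CCCORACTIV": "2", "CCIMAILDIS": ""},
    {"MANDT": "000", "CCCOPYLOCK": "X", "CCCORACTIV": "2", "CCIMAILDIS": "T"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ROWS):
        print(finding)
```

A blank protection field is reported as deficient here, which a “Blank Check” alone would also catch, but only the value check flags “X” as weaker than the expected “L”.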

1) Navigation Path: Rule Setup >> Continuous Monitoring >> Business Rules

2) If the date field is not visible, select “Show Quick Criteria Maintenance”; confirm that the date is set
to 14.01.2015 (January 14, 2015) or use the date dropdown to select it; then select “Apply”.

3) Click on “Create”.

4) Select “Search”.

5) Click on “Search” in the pop-up window.

6) Select the Data Source “Client Maintenance Settings” and click “OK”.

7) Click on “Continue” to start Business Rule creation for the Data Source.

8) On tab 1 “Basic Information”, enter the following details:
   a. Name – Short name for the Business Rule – “Monitor Client Maintenance Settings v2”
   b. Description – Business Rule description – “Monitor field values for client maintenance settings”
   c. Select Category – Value Check
   d. Status – select “In-Review” from drop-down
   e. Valid From – By default today’s date if the date has not been reset to “14.01.2015” as shown in task 2 for this exercise
   f. Valid To – By default 31.12.9999 – retain for this exercise
   g. Click on “Next”

9) On tab 2 “Data for Analysis”, select all fields for analysis using arrows (Double Right Arrow will
select all fields):

10) Once fields are selected, click on “Next”.

11) On tab 3 “Filter Criteria”, select “Select/Unselect Filters”, then check the box for “Client” and
click “OK”.

12) Scroll down and Click “Add” to add specific filters to “Client” to monitor deficiencies for the
defined field filtered for a specific client. Add the following details:
a. Sign – Range Limit Included
b. Option – Equals
c. Low – Select dropdown, select Client “600”

13) Click on “Next” to go to tab 4 “Deficiency Criteria”. Click on “Select/Unselect Deficiency” to add
fields to be monitored for deficiencies from table T000 that could generate an exception
whenever the table is monitored. Select the field names displayed in below screen print, i.e.,
“Protection req . . . “, “Changes and transports . . . “, and “Client Control . . . “, then select
“OK”.

BUILDING BLOCKS: Note that, for “Field Analysis Type” – values that may be selected are
“Blank Check” (exception generated if the field is blank in the table T000) or “Value Check”
– (exception generated whenever the field value is changed to something other than
specified). For purposes of this exercise, you will be selecting “Value Check” for all three
monitored fields in the next task.

Using the dropdowns in the “Field Analysis Type” column, select “Value Check” for each of the
three selected fields.

BUILDING BLOCKS: Note that, a deficiency is a condition which requires human attention.
This section of the Business Rule lets you define such conditions. There are two main ways
to do this: you can treat everything pulled back by the Data Source as requiring human
review, or pick a specific field and define a logical condition against it (for example,
document amount exceeding a set limit). A variation on the latter would be to define a
calculated field deficiency, which represents an arithmetic/logical operation on any of the
available fields. Calculated fields are explained fully in the next section.

For all such deficiency criteria, you can choose a “value check” or a “blank check”. A blank
check restricts you to monitoring whether a field should be populated with any value or
should be blank. A value check assumes the field has a value, and allows you to define a
wide range of conditions using the usual logical operators such as equal to, less than,
between, and so on. You can define three conditions, corresponding to three levels of
deficiency: low, medium and high. The “Deficiency Description” column allows you to
optionally define what to call each deficiency level.

REVIEW: Details of fields and values being monitored in this Business Rule are:

a. “Protection reg. client program and comparison tools” – There are 3 values that can be
maintained for this field:
i. Blank – Protection level 0: No Restriction
ii. X – Protection level 1: No overwriting
iii. L – No overwriting, no external availability
Typically, the field is set to “L”, i.e., the client is not available externally and does not allow
overwriting. In the Business Rule for this exercise, we will monitor if the value is not set to
“L”.

b. “Changes and transports for client-specific objects” – There are 4 values that can be
maintained for this field:
i. Blank - No automatic recording of changes for transport
ii. 1 - Changes are recorded in transport request
iii. 2 - Customizing in this client cannot be changed
iv. 3 - Customizing: Can be changed as req., but cannot be transp.
Typically, the field is set to “2”, i.e., the changes and transports for this client cannot be
changed. In the Business Rule for this exercise, we will monitor if the value is not set to “2”.
c. “Client Control: CATT und eCATT Authorization” – There are 5 values that can be maintained
for this field:
i. Blank - eCATT and CATT Not Allowed
ii. X - eCATT and CATT Allowed
iii. T - eCATT and CATT Only Allowed for 'Trusted RFC'
iv. E - eCATT Allowed, but FUN/ABAP and CATT not Allowed
v. F - eCATT allowed, but FUN/ABAP and CATT only for 'Trusted RFC'
This field determines if you can run test cases, test scripts and test configurations in this
client. Running such cases or scripts causes extensive database changes, which is typically
not allowed. In this Business Rule, we will monitor if the value is set to “X”, i.e., running test
scripts/cases/configuration is allowed in this client.

14) Scroll down and add deficiency types and values.

Highlight each field description row in turn and select the following deficiency values:

“Protection reg . . .” – Deficiency Type = “High”, Sign = “Range limit included”, Option = “Not
equal to”, Low = “L”
“Changes and . . .” – Deficiency Type = “High”, Sign = “Range limit included”, Option = “Not
equal to”, Low = “2”
“Client Control . . .” – Deficiency Type = “High”, Sign = “Range limit included”, Option =
“Equals”, Low = “X”

15) Click “Next” to go to tab 5 “Conditions and Calculations” to add any specific condition to
monitor – OPTIONAL.

BUILDING BLOCKS: Note that, this tab is used to define the calculations necessary to compute the
value of a “calculated field” deficiency. PC uses the standard NetWeaver rule engine, to allow
users to define calculations. You can configure very powerful processing using this rule engine,
and the goal was to make it easy to configure relatively simple rules (calculate an average of
two fields, say, or compare two dates), and yet provide a path to configure more complex rules
if needed.

For purposes of this exercise, you will not be defining any conditions or calculations.

16) Click “Next” to go to tab 6 “Output Format” to select the output fields and sequence of columns
in the exception notification. “Output Format” section is common to all Business Rule/Data
Source types, and arranges the output of any detected deficiencies in the left-to-right column
order specified. You can also hide unwanted columns here.

Output fields are defined for each Deficiency. Select each Deficiency from the drop-down and
click on “Select/Unselect Output Fields” button. A pop-up window opens up for selection of
output fields. For the purpose of this exercise, please select the following output fields for each
of the Deficiency and click “OK”:

- Client, Client Name, Date of Last Change, Last Changed By

17) Click on “Next” to go to tab 7 “Technical Settings”.

BUILDING BLOCKS: Note that, these primarily affect the execution and performance of
monitoring. Most Data Sources (although not all) will allow users to cap the maximum
amount of data they will process, as a performance management feature. Since
performance can be difficult to predict and manage—too much depends on the size of
tables, network issues, etc.—we strongly advise all customers to test the performance of
any monitoring rules before putting them into production. Note that most monitoring rules
can be run in synchronous or asynchronous mode. The impact of the two is stated below:

Synchronous – This is a one-way communication. The execution will make an RFC call to the
selected connector to perform its task and wait for the RFC call to return, then it will continue
on the PC server side. In most Sub Scenarios, the RFC only collects data on the remote side;
applying the Business Rule is carried out on the PC side.

Asynchronous – This is a two-way communication. The execution will make an RFC call to
submit a background job on the selected connector to perform its task and then execution
on the PC side is done. Once the background job step on the destination side is done, it will
make an RFC call back to the PC side to update the job step.

For example, by default, Sub Scenario Configurable is sync; SAP query and BI query BRs have
to be sync and Programmed can only be async. Async uses two-way communication which
could have some performance overhead; but if the data volume is too high, you may
consider async since the RFC could drop if the network goes down or there is a lot of traffic
on the network.

Validate settings. Click on edit button (pencil icon) to make any changes. For the purpose of this
exercise, please change the “Max. No. of Records to Analyze” to “10000”.

18) Click on “Next” to go to tab “Ad-hoc Query” to validate data is pulled by the Data Source from
the required source system and that the Business Rule criteria is used to:
(1) collect data (select “Data Collection” and select “start” to view results).
(2) identify deficiencies (select “Apply Rule”, select “Deficiency” on which to filter, and
select “start” to view results); this query setting may be used to view results for each of
the three deficiencies in this exercise.

19) Click on “Save” and validate the Business Rule was successfully SAVED.

20) Select the saved Business Rule and click “Open”.

21) Change status to “Active” and click “Save”.

22) Once the Business Rule is set to “Active” status then the rule can be assigned to a control and
an automated monitoring job can be scheduled. No further changes are allowed to the rule. To
make any edits, the status has to be changed from “Active” to “In-Review” for fields to become
editable for update.
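
The rule built in steps 11 to 18 reduces to a filter on Client plus three value checks. The Python example below is added here as an illustration and is not SAP or lab code: it evaluates the same criteria over constructed rows, and the field keys `protection`, `changes_and_transports` and `catt_ecatt` are hypothetical labels, not T000 column names.

```python
from dataclasses import dataclass

# Operators offered in the lab's "Option" dropdown for this rule
OPS = {"Equals": lambda v, low: v == low,
       "Not equal to": lambda v, low: v != low}

@dataclass(frozen=True)
class Criterion:
    field: str                          # hypothetical field key
    option: str = "Equals"
    low: str = ""
    analysis: str = "Value Check"       # or "Blank Check"
    level: str = "High"
    sign: str = "Range limit included"

    def matches(self, row):
        if self.sign != "Range limit included":
            raise ValueError("only the Sign used in the lab is modelled")
        value = row.get(self.field, "")
        if self.analysis == "Blank Check":
            return value.strip() == ""  # exception when the field is blank
        return OPS[self.option](value, self.low)

# Tab 3 "Filter Criteria": Client Equals 600
FILTERS = [Criterion("Client", "Equals", "600")]

# Tab 4 "Deficiency Criteria": the three High value checks from step 14
DEFICIENCIES = [
    Criterion("protection", "Not equal to", "L"),
    Criterion("changes_and_transports", "Not equal to", "2"),
    Criterion("catt_ecatt", "Equals", "X"),
]

# Tab 6 "Output Format"
OUTPUT_FIELDS = ["Client", "Client Name", "Date of Last Change", "Last Changed By"]

# Constructed rows standing in for client settings (not real T000 data)
SAMPLE_ROWS = [
    {"Client": "600", "Client Name": "Lab client (constructed)",
     "protection": "L", "changes_and_transports": "1", "catt_ecatt": "X",
     "Date of Last Change": "2015-01-14", "Last Changed By": "USER_A"},
    {"Client": "200", "Client Name": "Other client (constructed)",
     "protection": "", "changes_and_transports": "", "catt_ecatt": "X",
     "Date of Last Change": "2015-01-10", "Last Changed By": "USER_B"},
]

def collect(rows, filters=FILTERS):
    """'Data Collection': keep only rows that pass every filter."""
    return [r for r in rows if all(f.matches(r) for f in filters)]

def apply_rule(rows, filters=FILTERS, deficiencies=DEFICIENCIES):
    """'Apply Rule': one exception per collected row per matching deficiency."""
    exceptions = []
    for row in collect(rows, filters):
        for d in deficiencies:
            if d.matches(row):
                exc = {"Deficiency": d.field, "Level": d.level,
                       "Value": row.get(d.field, "")}
                exc.update({k: row.get(k, "") for k in OUTPUT_FIELDS})
                exceptions.append(exc)
    return exceptions

if __name__ == "__main__":
    for e in apply_rule(SAMPLE_ROWS):
        print(e)
```

The constructed client 200 row is deficient on all three fields but never surfaces, because the Client filter scopes the rule to client 600; any other client that matters needs its own filter value or rule.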

Section 3, Step 3 – Assign Business Rule to Control

The next step in the Automated Monitoring process is assignment of defined Business Rules to the
controls. This allows the automated monitoring jobs to be scheduled for the assigned control. This is a
mandatory step before automated monitoring jobs can be scheduled.

1) Navigation Path: Rule Setup >> Continuous Monitoring >> Business Rule Assignment

The “Business Rule Assignment” link brings up the following page.

2) Select today’s date and Click “Apply”.

BUILDING BLOCKS: Note that, the search widget at the top of this page lets you narrow the
search for local Controls to which the Business Rule may be assigned — that is, Controls
assigned to a particular Organization node, Process, Subprocess or even a specific Control. The
next step is to select a specific local Control in the middle part of the screen, by clicking on its
row. You then modify the Business Rules assigned to the Control by choosing the “Modify”
pushbutton, and then choosing the “Add” pushbutton in the bottom portion of the screen. A
screen then displays that allows you to search through Business Rules in the “Active” state, which
you can then assign to the local Control. You can also modify existing assignments and maintain
frequencies of monitoring or compliance checks.

Once this assignment step is complete, you will be able to schedule the monitoring rule in the
Automated Monitoring scheduler.

3) Click “Search” to search for Controls (filtering is not required). Select Control “IT-232-Monitor Client
Setting Changes”.

4) Scroll down and click on “Modify”.

5) Click on “Add”.

6) Click “Search” in the pop-up window, select the Business Rule created in the previous step, and click
“OK”.

7) Select the new Business Rule and click on “Maintain Frequencies”. This allows the user to define
the frequencies that express the usage limitation for a monitoring rule. This is typically done to
avoid scheduling monitoring rules that scan high volume data tables and might impact system
performance or to ensure the same rule is not scheduled more than the frequency defined for the
assigned control.

For the purpose of this exercise, please select “Any Frequency” for both the “Monitoring” and
“Compliance” checkboxes to provide the flexibility to schedule the job as many times as required.

8) In the pop-up window select “Any Frequency” and click “OK”.

9) Click on “Save” and validate assignment of Business Rule to Control and that frequencies have been
maintained.

Section 3, Step 4 – Schedule Automated Monitoring Job

The next step in the process of setting up automated monitoring is to schedule the automated
monitoring job.

SAP Process Control automated monitoring capabilities enable customers to define their expectations
of how controls should be configured, and how transactions should occur. Correct configuration
settings ensure that business process steps controlled by those settings will always comply with the
enterprise’s intentions; broader transaction monitoring can then be used to cover those situations
where configuration-based controls are not enough, or to look for fraud at the margins.

The monitoring methods available to PC customers fall into one of two broad classes: query-driven or
event-driven. PC initiates query-driven monitoring, typically via the scheduler. This is why some
practitioners also call it schedule-driven monitoring.

1) Navigation Path: Rule Setup >> Scheduling >> Automated Monitoring.

2) Click on “Create Job”

3) Click on “Continue”.

4) The top of the screen shows that scheduling is a 4-step process, and the wizard guides you through
it. The most important thing to note about the scheduler is that you can run jobs as frequently as
hourly, and as infrequently as annually. Enter the following details on tab 1 “Header” and click
“Next”:
a. Job Name: Name for the job (e.g., MONITOR CLIENT MAINT- 1)
b. Execution Type: Immediate
c. Frequency: Daily
d. Test Period From: Today’s Date
e. Test Period To: Today’s/Tomorrow’s Date
f. Target Connector: GRDCLNT600

5) Select Regulation: “Sarbanes-Oxley (SOX)” in tab 2 “Share Regulation”, select radio button “Do not
share”, and click “Next”.

6) Click on “Search” on tab 3 “Select Controls”.

7) Select the control and click on Single Arrow Down button to move the selected control to the
lower half of the screen. If there are multiple controls and all the controls need to be selected then
click on Double Arrow Down button. Single and Double Arrow Up buttons can be used to deselect
the controls.

Click “Next”.

8) Select and validate the Business Rule(s) on tab 4 “Control Details”. Click “Save”.

The screen displays “Your schedule has been saved successfully”; when this screen is closed the
“Active Queries” screen remains open.

9) Validate that the job is successfully scheduled (an entry for the newly scheduled job appears on
the “Active Queries” screen). Monitor for the “Status” to be displayed as “Completed”. Click on
“Refresh” on the lower right of the screen in case the job status is not updated.

Section 3, Step 5 – Receive Exception Task in Work Inbox

The next step is to log in to your work inbox to review the automated monitoring exception
notification.

REVIEW: All users previously assigned as a Control Owner for the control being monitored will
receive the issue in their work inbox.

1) Navigation Path: My Home >> Work Inbox

2) Validate that exception task “Remediate Exception: Automated Monitoring” is received in the work
inbox. The “Created On” date should match today’s date for the exception that was just generated
in the previous Step 4.

Section 3, Step 6 – Review Monitoring Exception Details

The purpose of this step is to review the details of the issue received in the Work Inbox.

1) Open the automated monitoring task received in the Work Inbox by selecting the link in the
“Subject” column.

2) Review issue details and click on the “Evaluation” tab to review the exception details

3) Click on “Fail” to open the exception details

4) Select the drop-down on the top of the next screen to review the exception details for each of the
fields selected for deficiency monitoring at the time of Business Rule set up. The lower half of the
screen displays the results in the output format defined at the time of rule definition. Other links
such as “Administrative Info”, “Business Rule Info”, etc., can be clicked to see additional details such as
when the job was scheduled, what conditions are defined in the Business Rule, etc.

5) Select another parameter to validate exceptions. Close the window once validated.

Section 3, Step 7 – Take Required Action (REVIEW ONLY, NO CHANGES)

1) Once exception details have been reviewed, navigate back to the “Issues” tab to take action on the
issue. For the purpose of this exercise, please proceed to the next step (Step 8) after you have
reviewed the possible actions in this step.

NOTE: For your reference, the following actions (a, b, c, d, e) are available:

a. Assign Remediation Plan: Click on this to select a remediator and assign a remediation plan

b. Close Without Plan: Close the issue without assigning a remediation plan

c. Reassign the issue: Click on this to select a user to reassign the issue received

d. Exception: Status of each of the exception items

e. Void: Close out the issue as it is not valid

Section 3, Step 8 – Close Issue

In this step, you will select the action to close the issue without a plan.

1) Click on “Close Without Plan” in the “Issues” tab.

2) Enter comments in the pop-up box and click “OK”.

3) Validate comments entered are updated in the “Comments” field. Click “Submit”.

4) Validate that the action was submitted successfully. Close the Window.

5) Refresh the Work Inbox and validate that the task is no longer displayed.

This completes SECTION 3 – Automated Monitoring.

END OF LAB – Good Job and Congratulations for Completing.

Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2016 Wellesley Information Services. All rights reserved.
