GRC 5.3 Create Password Self Service

GRC 5.3 - Create Password Self Service with Challenge Response with the following steps:

1. GRC > CUP > Configuration > Self Service >
   
2. Authentication Source : Challenge Response
3. Select Service to Disable Verification: None 
4. Scroll down > Create > Now add your questions > Save
   
5. Repeat step 4 for other questions
6. Change >
   Number of questions End User has to register : 2
   Number of unsuccesful attempts after which user is locked: 3
   The above value is up to your to define
7. To make PSS link visible at main AE page > CUP > Configuration > Request form Customization
8. Check password self service > Change > Visible : Yes > Save
9. 
   
10. Its visible now
    
11. CUP  > Configuration > Connectors  > Look for existing connectors > Change PSS to Enable 
12. If you failed to perform step 10, you will not see the child system when requesting for password reset
    
13. CUP  > Configuration > Workflow > CUA SYSTEM > Create / Change to ensure you identify child - parent relationship of your CUA systems.
    

SCUM SETTINGS - LOGON DATA TAB

SCUM SETTINGS - LOGON DATA TAB has the following settings as below:

Global	You can only maintain the data in the central system. The data is then automatically distributed to the child systems. These fields do not accept input in the child systems, but can only be displayed. All other fields that are not set to “global” accept input both in the central and in the child systems and are differentiated only by a different distribution after you have saved.
Proposal	You maintain a default value in the central system that is automatically distributed to the child systems when a user is created. After the distribution, the data is only maintained locally, and is not distributed again, if you change it in the central or child system.
RetVal	You can maintain data both centrally and locally. After every local change to the data, the change is redistributed to the central system and distributed from there to the other child systems.
Local	You can only maintain the data in the child system. Changes are not distributed to other systems.
Everywhere	You can maintain data both centrally and locally. However, only changes made in the central system are distributed to other systems, local changes in the child systems are not distributed.

SAP SECURITY EXPORTING USER EMAIL

To extract user's email, you may search from table USR21 and ADR6

1. SE16 > USR21 and enter user ID
2. Copy the PERNR (personal number) 
3. SE16 > ADR6 and paste the PERNR
4. You will get a list of email addres

Alternatively, you may replace Table ADR6 with  PA0105 but this table only exist in HR system.

GRC does not process report real time. It has to be schedule as a job for RAR reporting to work.

1. Schedule USER, ROLE, PROFILE SYNCHRONIZATION. This job is used for Batch Risk Analysis job later for reporting
   
2. GRC > CONFIGURATION > SCHEDULE JOB > Check only the 3 below > Then click schedule button at the bottom
   
   
3. Give a Job name > You may specify any options you like > Click Schedule. In our case, it will run weekly starting from 6th Oct 2011
   
   
4. Now schedule a new job > Select the 4 check box below > Click Schedule at the bottom
   
   
5. Same as before, just specify a job name and any option you like. Now click schedule again.
   
   
6. To check if the job you schedule is ready or running, just click "SEARCH"
   
7. Then enter the search criteria and result will show as below:

SAP SECURITY : GRC maintaining Workflow CUA system

CUA system must also be maintain in front end GRC - not just back end  ABAP CUA system.

1. Login to GRC system
2. Go Configuration > CUA System
   
3. Create (system is your child while CUA system is the parent)
   
   
   Save
   
   
   
   
   

SAP AUTHORIZATION - GRC Creating new connector

Connector in GRC like ABAP RFC. Connector is used to connect front end GRC to the backend ABAP system.

1. Open GRC CUP > Configuration > Connectors > Create Connectors
   
2. Fill in the details
   
3. Now you may test the connection
   
4. If successful, you will see below
   

System Log for GRC

It could be found here:

OS LEVEL:
usr\sap\SID\JC00\j2ee\cluster\server0\apps\sap.com\grc~aeear\servlet_jsp\AE\root\logsAE

Or GRC > Configuration > Monitoring > System Log
logsAE/logger.log