GRC
HR
SCM
CRM
BI
Expand +


Article

 

How to Simplify the Data Sources and Business Rules Logistics Process in SAP Process Control 10.1

by Kehinde Eseyin, Security Architect

April 7, 2014

The data sources and business rules logistics process works on the mechanism of exporting a set of files in the source system and importing them into the destination system. Learn how to use standard tools to drive the logistics process of the data sources and business rules components of the continuous control monitoring engine.

 

Continuous controls monitoring is a functionality that is at the core of SAP Process Control. The capability relies largely on defined data sources and business rules to drive controls monitoring. Therefore, data sources and business rules are sets of important master data.

SAP Process Control supports the building of compliance, error, or fraud detection rules using a Web interface. This capability has been enhanced over time to make the maintenance of these objects easy. A lot of work goes into setting up these master data elements (data sources and business rules) and as such, SAP has designed them to be reusable so that you define them once and then use them several times across your system landscape.

In defining a business rule, you need to define a number of attributes such as basic information, data for analysis, filter criteria, deficiency criteria, conditions and calculations, and technical settings aside from associating it to a predefined data source. In SAP Process Control 10.1, effort has been put into allowing the data sources and business rules definition to be propagated from one GRC system to another system. This capability avoids the need to redefine separate data sources and business rules in every specific system environment. You just need to download the data sources and business rules from one system environment and upload the same in another system environment. This saves maintenance and project time and enforces data consistency across different system landscapes where applicable.

SAP Process Control 10.1 provides a wizard-driven functionality that facilitates the movement of data sources and business rules across different system landscapes irrespective of connector association and status in the source system. You export a zip XML file in a source system and then import the file into another system. The XML-based format of the exported content is a reflection of the metadata discovery of process control, which allows you to search back-end SAP system tables while providing a user-defined view of data.

Also, you can use the import tool to import SAP-delivered rule templates contained in a zip file. The import tool allows you to simulate the import process, thereby ensuring that data inconsistency issues do not occur after data import.

The import tool supports the selective maintenance of the status and connector association of business rules at line item level and also globally during the import process. This provides flexibility in real-time business rules maintenance. The import and export tools are browser based (Web Dynpro driven) and can also be accessed via the IMG, as you see later in this article.

The phases of the export process are:

  • Select business rules: Select the business rules you want to export to another system.
  • Set exporting options: Define what to consider as part of the export process – for example, search terms and connectors assignment.
  • Review and confirm: Validate the value definition, settings, and options of the export process.

The phases of the import process are:

  • Select entries: In this phase you define the business rules you want to import into the target system.
  • Set default values: This phase allows you to define and maintain default values such as validity period, connector assignment, and business rule status.
  • Set importing options: In this phase you define what to consider as part of the import process – for example, connectors assignment.
  • Review and confirm: In this phase you validate the value, settings, and options of the import process.

The data source establishes the relationship between the technical aspect and business aspect of the continuous control monitoring framework. Continuous control monitoring supports different data sources such as queries, database tables, or reports, which results in broader automated business rules functionality. The system is designed to support reusable data sources in which data sources are defined once and can be used for multiple analyses. This can lower implementation, administrative, and maintenance costs. Reusable data sources allow for the quick adoption of continuous control monitoring because of the fast and efficient data definition for complex business requirements and analysis.

The relationship between data sources and business rules is that data sources need to be attached to a business rule. When exporting data sources and business rules, it is also possible to export associated search terms and connectors. Search terms are used to define what you can use to search for a particular query. Search terms are defined by following menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Common Component Settings > Maintain Search Terms for Business Rule and Data Source. Usually, a data source is associated with one main connector. The main connector is typically the client in which metadata is retrieved.

I discuss the process of exporting and importing data sources and business rules under the following headings:

  • System preparation activities
  • Exporting data sources and business rules
  • Importing data sources and business rules
  • Confirmation of the imported data sources and business rules in the target system

(Note: Source system is the system containing the data sources and business rules to be moved to another system (target system) – for example, SAP system SID - GRC client 100. Target system refers to the system that is the recipient of the exported file – that is, the system in which you perform the import process (typically another GRC system or the same system but a different client). An example is SAP system SID – GAC client 100 or SAP system SID - GRC client 200.)

The steps involved in creating data sources or business rules and the configuration and operation of continuous control monitoring are beyond the scope of this article. I assume that the reader has expertise in the workings of continuous control monitoring functionality and that the post-installation activities have been done successfully and correctly.

System Preparation Activities

To take advantage of this functionality aimed at easing the movement of data sources and business rules across the landscape, it is important to ensure that your environment satisfies the following prerequisites:

  1. SAP Process Control 10.1 must be installed. You can check the installed system components via transaction code SAINT (Add-on Installation Tool) or SPAM (Support Package Manager). The GRC foundation component and release version to look for is GRCFND_A V1100.
  2. Post-installation activities must have been done and the system properly configured for continuous control monitoring capability. The connectors need to be assigned to the integration scenario: AM – Automated Monitoring. As it relates to this article, if you do not perform this activity, you are not able to select the target system when performing the import of the data source and business rules even if you have set up the connector definition and connector settings. Broadly, you will not be able to use the continuous control monitoring capability at all. The assignment of the connector to the integration scenario is done by following menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connection Settings.
  3. The GRFN_AM_RUNTIME application object must exist in the BRF+ workbench engine and the application identifier must be consistent across the beneficiary systems.

You can check for the existence of GRFN_AM_RUNTIME application accessing transaction code BRF+ or by following menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Access Control > Workflow for Access Control > Define Business Rules Framework (Figure 1).


Figure 1
The initial screen of BRFplus workbench

Click the Search button to go to Figure 2.


Figure 2
The initial screen for the search of BRFplus GRFN_AM_RUNTIME application

Enter values for these criteria fields in Figure 3:

  • Application Name: GRFN_AM_RUNTIME
  • Object Type: Application


Figure 3
Search criteria defintion for GRFN_AM_RUNTIME application

Click the Search button. Figure 4 displays confirming the availability and active status (green) of the BRFplus application GRFN_AM_RUNTIME.


Figure 4
GRFN_AM_RUNTIME application with active status

Click the GRFN_AM_RUNTIME folder to go to Figure 5.


Figure 5
Details of the application GRFN_AM_RUNTIME

Expand the General pane by clicking the icon circled in Figure 5.  In the expanded screen (Figure 6) if the application exists, confirm that the following values are correct for the GRFN_AM_RUNTIME application attributes:

  • Name: GRFN_AM_RUNTIME
  • ID: 80E0ED08B0561DEF92B59B6E451DCE60

Follow SAP Note 1588564 (Re-create BRF+ Application Name & ID) for more information on the GRFN_AM_RUNTIME application ID.


Figure 6
GRFN_AM_RUNTIME application name and ID

If the application does not exist in the destination system, you get the error message shown in Figure 7 when you attempt to import data sources and business rules XML file. It is best to confirm this first before initiating the import of the file to avoid the unnecessary error message.


Figure 7
Error for non-existence of GRFN_AM_RUNTIME application

In this circumstance, you need to create the application in the target system. SAP Note 1519164 (Create BRF+ application name & ID for Continuous Monitoring) explains how to create and activate the GRFN_AM_RUNTIME application via program GRFN_AM_FDT_XML_IMPORT, which you access via transaction SE38. The program takes an SML file as input. The XML file is attached to the SAP Note 1519164 and needs to be unzipped.

  1. The file to be imported into the target system must have been generated using the export tool in the source system. Also, the SAP-delivered rule content template can be used as a source file during the import process.
  2. Internet Communication Framework (ICF) Services have been activated. The interface for the export and import utilities for data sources and business rules are based on Web Dynpro applications, so the corresponding ICF service needs to be activated. The corresponding SICF services for the export and import utility are detailed below respectively:
  • /sap/bc/webdynpro/sap/grfn_gaf_export_ccm?WDCONFIGURATIONID=GRFN_GAF_EXPORT_CCM_AC
  • /sap/bc/webdynpro/sap/grfn_gaf_import_ccm?WDCONFIGURATIONID=GRFN_GAF_IMPORT_CCM

The error in Figure 8 displays when the corresponding SICF services are not activated and you attempt to call the corresponding tool.


Figure 8
Inactive SICF service error message

To activate SICF services, follow this procedure. Enter transaction code SICF to go to Figure 9.


Figure 9
The initial screen for the activation of SICF services

Enter a filter value to search for the service. For example, *GRFN_GAF_IMPORT_CCM* as shown in Figure 10.


Figure 10
Definition of search criteria for SICF services

Click the execute icon and Figure 11 shows the filter result.


Figure 11
Filtered SICF service result

Right-click the name of the service and select Activate Service from the options in the menu (Figure 12).


Figure 12
Activate the SICF service

In the pop-up screen (Figure 13) click the Yes button.


Figure 13
Confirmation for the activatoin of an SICF service

The next screen displays the activated SICF service (Figure 14).


Figure 14
The activated SICF service

Exporting Data Sources and Business Rules

To initiate the logistics process for data sources and business rules, you first need to export the objects (i.e., the data sources and business rules). To export data sources and business rules, access menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Common Component Settings > Continuous Monitoring > Export Data Sources and Business Rules. 

Figure 15 displays.


Figure 15
The initial screen for the expert of data sources and business rules

The export utility allows you to export business rules with associated data sources or just the data sources. For the purpose of this exercise, I am adopting the option Export Business Rules with relevant Data Sources. Then click the Continue button to go to Figure 16.


Figure 16
The initial screen for business rules selection

Enter an applicable search term in the Name field so that you can search for password-related business rules or data sources: for example, *password* as shown in Figure 17. Click the Search button to go to Figure 18, which displays the filtered records.


Figure 17
Business rules selection screen with search term defined


Figure 18
Output of the business rules search using a defined filter value

Highlight the business rules items you want to export, as shown in Figure 19. Click the Next button to go to Figure 20.


Figure 19
Highlighted business rules

You can choose to include (or exclude) search terms and connectors. For my example, I adopt the default options to exclude the search terms and connectors assignment as shown in Figure 20. Click the Next button to advance to the next screen (Figure 21).


Figure 20
Export options definition

Click the Export Business Rules button.


Figure 21
Review and confirmation screen for data sources and business rules export

The next screen (Figure 22) displays the following message about the status of the export activity: Business Rules have been exported successfully. You are prompted to save the exported .zip file. The prompt display may vary depending on the browser type and settings. Click the Save button and choose Save as. 


Figure 22
Download location prompt

In the next screen (Figure 23) click the Save button.


Figure 23
Location definition to save downloaded zip file

The next screen (Figure 24) shows the status confirmation.


Figure 24
Successful download of the exported zip file

Importing Data Sources and Business Rules

The next activity after exporting the file is to import the file into the target system. To import the exported data sources and business rules into the target system, follow menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Common Component Settings > Continuous Monitoring > Import Data Sources and Business Rules (Figure 25).


Figure 25
Define an upload file

You have to move the downloaded file to a directory accessible in the destination system. Click the Browse button and choose the zip file you exported in the previous section (Figure 26). Click the Continue button.


Figure 26
Directory definition for the exported file

In the next screen click the Next button (Figure 27).


Figure 27
Select business rules phase

The next screen displays an error message because you did not highlight any business rule line item (Figure 28).


Figure 28
Error displayed because an entry was not selected

Highlight specific business rule line items as shown in Figure 29. Click the Next button.


Figure 29
Highlighted business rules line items

The next screen (Figure 30) displays the default values for business rules status and main connectors. 


Figure 30
Set default values phase

Maintain the Business Rule Status and Main Connector columns as shown in Figure 31. Business rules can assume different statuses, namely, Active, Inactive, In review, and New.


Figure 31
Maintenance of business rules status and connector assignment

Now highlight the business rules line items you want to process again as shown in Figure 32.


Figure 32
Highlighted business rules line items

To import the business rules successfully, you need to validate the connector status. Click the Validate Selected Connector Status button. The Connector Status Icon column must have a green check mark (Figure 33). Click the Next button.Note

If you do not click the Validate Selected Connector Status button, the system generates the following message: The status of main connector should be validated. This message would appear near the top of the screen, shown in Figure 33.


Figure 33
Validated connected status for business rules

In the next screen, indicate whether you want to import search terms or not (Figure 34). For my example, I leave the default option at No because I did not even import the search term.  Click the Next button.

(Note: If the business rule already exists in the target system, the validity dates are not changed.)


Figure 34
Importing options definition

It is good practice to always simulate the import process. This allows you to evaluate any possible issues with the import activity and resolve them accordingly. Click the Simulate Importing button (Figure 35).


Figure 35
The Review and Confirm phase

The next screen (Figure 36) displays a status message confirming the number of data sources and business rules that were processed and those that failed (with error).


Figure 36
Simulation of the import process

Because there are no errors with the import simulation run, click the Import Business Rule button to process the import operation. Figure 37 shows the status message of the import process.


Figure 37
Status message for the import of data sources and business rules

Confirmation of the Imported Data Sources and Business Rules in the Target System

You can confirm the import of the data source in the target system by following menu path NWBC > Rule Setup > Continuous Monitoring > Data Sources (Figure 38).


Figure 38
Imported data source in the target system

You can confirm the import of the business rule in the target system by following menu path NWBC > Rule Setup > Continuous Monitoring > Business Rules (Figure 39).


Figure 39
Imported business rules in the target system

An email has been sent to:





 

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.



COMMENTS

Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!


SAPinsider
FAQ