Gain insight into important configuration activities that are imperative for harnessing the capabilities and offerings of SAP Fraud Management and SAP Audit Management.
Key Concept
SAP Assurance and Compliance software is the latest addition to the SAP GRC product suite. It seeks to address fraud and audit challenges in the business environment. The product helps organizations to better manage their audit cycle and provides uncanny insight into fraud detection, prevention, and investigation. This product, solely based on the SAP HANA database, can perform in-depth analysis of large amounts of business data and leads to increased flexibility of reporting.
The essence of this article is to highlight technical configurations and elements that are specific to SAP Assurance and Compliance software to have a system ready for productive functional use of the product. I discuss the following important technical activities that need to be performed after the successful installation of the add-on software component SAP Fraud Management 1.1 (SAPFRA 110, which runs on SAP NetWeaver ABAP 7.4) for SAP Assurance and Compliance software:
- Maintenance of PFCG (Profile Generator) ABAP roles and profile generation
- Maintenance of profile parameters
- Maintenance of settings for SAP HANA content activation
- Configuration of SAP HANA database connection
- Configuration of task lists
- Maintenance of time data parameters
- Setup of SAP NetWeaver Gateway
- Configuration of Open Data Protocol (ODP) technical services
SAP Assurance and Compliance software is made up of two applications: SAP Fraud Management and SAP Audit Management. These systems are based on the SAP HANA database and sit on SAP NetWeaver ABAP 7.4.
Note
This article is best suited for technical professionals involved with the installation, operation, and maintenance of SAP Assurance and Compliance software (SAP Fraud Management and/or SAP Audit Management). I do not cover the setup of SAP Visual Business 2.0, enterprise services, and activation of Business Intelligence (BI) content in this article. I also do not cover data replication. For more information on data replication, refer to SAP Help:
https://help.sap.com/hana_platform.
Maintain PFCG ABAP Roles and Profile Generation
The use of the system is driven by the assignment of appropriate PFCG ABAP roles to users. SAP Fraud Management and SAP Audit Management coexist in the same software component. However, the application to which a user has access is controlled by the assigned authorization (via PFCG roles). Depending on what activity a user needs to perform in the system, you assign either an SAP Fraud Management-specific role, an SAP Audit Management-specific role, or SAP Basis or technical roles. The system comes with pre-delivered standard roles. Ideally, standard roles should be copied into the customer namespace. These roles need to be generated to make them productive. Several roles need to be generated after they are copied into the customer namespace.
The following roles are specific to the technical configuration of the system:
- SAP_BC_DB_ADMIN (database administrator)
- SAP_BC_SIW_DEV (service implementation workbench: service implementation developer)
- SAP_BC_CTS_ADMIN (administration/support role for the change and transport system)
- SAP_BC_CUS_ADMIN (customizing project administrator)
- SAP_BC_DWB_ABAPDEVELOPER (ABAP developer)
- SAP_BC_STC_USER (role for a technical configuration user)
- SAP_BC_WEBSERVICE_ADMIN_TEC (standard role for technical administration of Web services)
- SAP_ESH_CR_ADMIN (enterprise search embedded: administration and monitoring)
The following roles are relevant to SAP Fraud Management:
- SAP_FRA_SYSTEM_ADMIN (system administrator)
- SAP_FRA_CHIEF_RISK_OFFICER (chief risk officer)
- SAP_FRA_BUSINESS_ANALYST (business analyst)
- SAP_FRA_FRAUD_INVESTIGATOR (fraud investigator)
- SAP_FRA_FRAUD_MANAGER (fraud manager)
- SAP_FRA_FRAUD_DISPATCHER
The following roles are relevant to SAP Audit Management:
- SAP_GRCAUD_SYSTEM_ADMIN (system administrator)
- SAP_GRCAUD_CAE (chief audit executive)
- SAP_GRCAUD_AUDIT_MANAGER (audit manager)
- SAP_GRCAUD_AUDITOR (auditor)
The authorization objects assigned and maintained for these roles must be reviewed thoroughly to ensure that they satisfy the corresponding business and security requirements of the organization. The associated profiles of roles must be generated in order to be able to use them productively.
For the purpose of this article, I show you how to generate the corresponding profiles of the standard roles. Follow the procedure below to mass generate technical and functional roles.
Enter transaction code SUPC in the command line. In the Roles screen that displays, select the All Roles radio button as shown in Figure 1.
Figure 1
Select the roles to output
Click the empty Role field and press F4. In the screen that appears, enter selection criteria (for example, *SAP_FRA*, *SAP_GRCAUD*) as shown in Figure 2. I have used * as a wildcard search condition. After you enter your selection criteria, click the execute icon or the enter icon (the green check mark).
Figure 2
Define selection criteria for roles
In the next screen, click the execute icon (Figure 3).
Figure 3
Filtering defined for role selection for profile generation
In the screen that appears, click the select all icon circled in Figure 4.
Figure 4
Output of the filtered roles for profile generation
Highlight all the roles as shown in Figure 5. Click the generate icon.
Figure 5
Highlighted roles for mass profile generation
In the dialog box that opens, click the Online button (Figure 6).
Figure 6
Options for profile generation dialog box
Note
In this example you click the Online button because you are generating profiles for a manageable number of roles. If the number of roles were large, then clicking the In the Backg (In the background) button might be a better choice depending on the capacity of your server.
Figure 7 displays the status of the generation activity.
Figure 7
Status of profile generation activity
Maintain Profile Parameters
Profile parameters are a collection of settings that drive the behavior of the system at system startup or while the instance is running. Following the successful installation of the SAP NetWeaver ABAP system, you need to import profiles from all active application servers via transaction code RZ10. This post-installation activity allows you to save an SAP profile to the database and edit it to suit your business need.
As part of the setup activities of the system, you need to maintain a number of profile parameters to influence the behavior of the system and satisfy specific technical requirements. As it relates to the SAP Assurance and Compliance software system, you need to maintain a number of profile parameters to be able to use the software productively. Some of the major profile parameters include a fully qualified domain name (FQDN), secured HTTP, Secure Sockets Layer (SSL) protocol, and exclusion of file extensions from HTTP compression.
FQDN: One of the prerequisites for a functional SAP Fraud Management and SAP Audit Management system is defining a fully qualified domain name. As a precondition to using HTML 5 and Web Dynpro ABAP screens, the URL entered in the browser must contain the fully qualified domain name of the host. Note that IP addresses and underscores (_) are not supported in the FQDN. The following profile parameters are relevant for the maintenance of the FQDN:
- SAPLOCALHOSTFULL:
- icm/host_name_full:
The attributes that are needed in maintaining these parameters are the host name and the domain. SAP recommends that you define values for either of the following profile parameters – SAPLOCALHOSTFULL or icm/host_name_full. The system considers the entry against the profile parameter SAPLOCALHOSTFULL if set before it considers the value defined against the profile parameter icm/host_name_full.
Secured HTTP: SAP Assurance and Compliance software supports HTTPS (secured HTTP) only. Plain HTTP calls are not supported for SAP Fraud Management and SAP Audit Management. To enforce a secure HTTP connection, you must set up the browser to only send logon tickets for HTTPS connections by setting the profile parameter login/ticket_only_by_https to 1. Other related profile parameters are:
- icm/HTTP/redirect_xx
- icm/server_port_xx
SSL protocol: The SSL protocol is used to secure HTTP connections in an application server ABAP environment. SAP Note 1527879 provides detailed information on setting up an SSL secured HTTP connection.
Exclusion of file extensions from HTTP compression: GZIP compression in the Internet communication framework requires some files to be compressed (and some not compressed) based on the values maintained in the negative compression list. Specifically in SAP Fraud Management, .css files need to be compressed, whereas .jpg and .jpeg must not be compressed. The definition of the file format that is not compressed is defined using the profile parameter ict/exclude_compression (file extensions that are excluded from HTTP compression).
Profile parameters can be reviewed for correctness via program RSPARAM (which can be accessed via transaction code SE38). The parameters themselves are maintained via transaction code RZ10. In the following instructions, I show you how to maintain the associated profile parameter for secured HTTP configuration (as an example). You can follow the same procedure for other profile parameter maintenance activities.
Enter transaction code RZ10 in the command line. In the screen that displays, select the instance profile you intend to maintain as shown in Figure 8.
Figure 8
Select the profile parameter for maintenance
Select the Extended maintenance radio button (Figure 9). Click the Change button.
Figure 9
Select a profile editing option
In the next screen, click the create Parameter button (Figure 10).
Figure 10
The initial screen for the maintenance of profile parameters
Enter a value in the Parameter name field of the next screen (Figure 11). Press Enter to populate the unsubstituted and substituted standard values fields.
Figure 11
Define a parameter name
The next screen displays the unsubstituted and substituted standard values (Figure 12).
Figure 12
Population of unsubstituted and substituted standard values
Enter a value in the Parameter val. field as shown in Figure 13.
Figure 13
Define a profile parameter value
Click the Copy button. A status message displays in the next screen (Figure 14). Click the back icon.
Figure 14
Status of profile parameter change activity
The profile parameter that you defined appears in the next screen (Figure 15). Click the back icon.
Figure 15
Maintained profile parameter
In the dialog box that appears, click the Yes button (Figure 16).
Figure 16
Dialog box for profile change confirmation
A status message appears in the next screen (Figure 17). Click the save icon.
Figure 17
Status message for profile parameter change
In the dialog box that appears in the next screen, click the Yes button to activate the profile (Figure 18).
Figure 18
Activation of profile confirmation dialog box
In the next dialog box, click the enter icon (Figure 19).
Figure 19
Information dialog box for successful saving and activation of new profile version
A dialog box appears confirming the need to restart the application server (Figure 20). Click the enter icon.
Figure 20
Dialog box confirming the need to restart the application server
The updated profile parameter appears in the next screen (Figure 21).
Figure 21
Updated profile parameter in the new profile version
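A check for the profile parameter requirements described in this section (FQDN, logon tickets over HTTPS only, an HTTPS port, and the compression exclusion list), as an added example that is not part of the original article or of SAP's own tooling. It assumes the instance profile is available as `name = value` text; the sample profile, its host name and ports, the comma-separated format of ict/exclude_compression, and the rule that a plain HTTP port needs a redirect to HTTPS are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample instance profile; host name and ports are made up.
SAMPLE_PROFILE = """\
icm/host_name_full = frd_host.example.com
login/ticket_only_by_https = 0
icm/server_port_0 = PROT=HTTP,PORT=8000,TIMEOUT=60
icm/server_port_1 = PROT=HTTPS,PORT=44300,TIMEOUT=60
ict/exclude_compression = *.jpg,*.css
"""

def parse_profile(text):
    """Return {parameter: value} from 'name = value' lines, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def options(value):
    """Split 'PROT=HTTPS,PORT=44300' into {'PROT': 'HTTPS', 'PORT': '44300'}."""
    pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
    return {k.strip().upper(): v.strip().upper() for k, v in pairs}

def fqdn_problem(value):
    """Return why value is not a usable FQDN, or None when it is acceptable."""
    if "_" in value:
        return "contains an underscore"
    try:
        ipaddress.ip_address(value)
        return "is an IP address"
    except ValueError:
        pass
    return None if "." in value.strip(".") else "has no domain part"

def audit_profile(params):
    """Return a list of (parameter, finding) tuples; an empty list means pass."""
    findings = []
    # SAPLOCALHOSTFULL, if set, is considered before icm/host_name_full.
    name = next((n for n in ("SAPLOCALHOSTFULL", "icm/host_name_full")
                 if params.get(n)), None)
    if name is None:
        findings.append(("SAPLOCALHOSTFULL", "no FQDN parameter is set"))
    elif fqdn_problem(params[name]):
        findings.append((name, "FQDN " + fqdn_problem(params[name])))

    if params.get("login/ticket_only_by_https") != "1":
        findings.append(("login/ticket_only_by_https", "must be 1"))

    ports = {n: options(v) for n, v in params.items()
             if re.fullmatch(r"icm/server_port_\d+", n)}
    redirects = [options(v) for n, v in params.items()
                 if re.fullmatch(r"icm/HTTP/redirect_\d+", n)]
    if not any(o.get("PROT") == "HTTPS" for o in ports.values()):
        findings.append(("icm/server_port_xx", "no HTTPS port defined"))
    # Assumption: a plain HTTP port is acceptable only with a redirect to HTTPS.
    to_https = any(o.get("PROT") == "HTTPS" for o in redirects)
    for n, o in sorted(ports.items()):
        if o.get("PROT") == "HTTP" and not to_https:
            findings.append((n, "plain HTTP port without redirect to HTTPS"))

    # Assumption: the value is a comma-separated list such as '*.jpg,*.jpeg'.
    key = "ict/exclude_compression"
    raw = params.get(key, "")
    excluded = {e.strip().lstrip("*.").lower() for e in raw.split(",") if e.strip()}
    if "css" in excluded:
        findings.append((key, ".css must be compressed"))
    for ext in sorted({"jpg", "jpeg"} - excluded):
        findings.append((key, "." + ext + " must be excluded"))
    return findings

if __name__ == "__main__":
    for parameter, finding in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print(parameter + ": " + finding)
```
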
Maintenance of the Settings for SAP HANA Content Activation
It is important to get the system ready for successful activation of the SAP HANA content. The activation of SAP HANA content generates SAP Fraud Management- and SAP Audit Management-specific data sets in the SAP HANA database system. To ensure that the activation of SAP HANA content is successful, you need to define specific settings against certain configuration nodes in the SAP HANA database via the SAP HANA studio.
Log on to SAP HANA studio (Figure 22). Click the open perspective icon.
Figure 22
The initial screen of SAP HANA studio
In the next screen, select SAP HANA Modeler from the list of open perspective options (Figure 23). Click the OK button.
Figure 23
Select the SAP HANA Modeler option
In the next screen (Figure 24) double-click the system SID node (e.g., FRD).
Figure 24
The initial screen of the SAP HANA Modeler
The next screen displays an overview of the SAP HANA Modeler system. Click the Configuration tab (Figure 25).
Figure 25
Overview of the system
The screen now displays a list of nodes (Figure 26).
Figure 26
The configuration tab of the system
Expand the daemon.ini node as shown in Figure 27.
Figure 27
The Daemon.ini node
Expand the scriptserver subnode as shown in Figure 28.
Figure 28
The scriptserver subnode
Double-click the instances subnode. The initial screen for maintenance of the instances subnode appears (Figure 29). Enter 1 in the New Value field under the System section and click the Save button.
Figure 29
Maintain the instances subnode
The next screen displays the instances subnode with the new value of 1 (Figure 30).
Figure 30
Successful maintenance of the instances subnode
Expand the node repository as shown in Figure 31. Double-click the sqlscript_mode subnode.
Figure 31
Repository configuration subnode
Enter READWRITE in the New Value field (Figure 32). Click the Save button.
Figure 32
Define a new value for the sqlscript_mode configuration subnode
The next screen displays the READWRITE value maintained against sqlscript_mode configuration subnode (Figure 33).
Figure 33
READWRITE value maintained against sqlscript_mode configuration subnode
Configuration of the SAP HANA Database Connection
To maintain the SAP HANA database connection attributes in the SAP ABAP system, use transaction code DBCO. The user defined in the database connection settings should be the SYSTEM user. This is because it is important that appropriate authorization is granted to _SYS_REPO and SAP<SID> users as a prerequisite for performing the configuration of the task list activity successfully.
To maintain the SAP HANA database connection properties, enter transaction code DBCO in the command line. In the screen that appears, click the change icon (Figure 34) to change the screen to edit mode (Figure 35).
Figure 34
The initial screen for the maintenance of the HANA database connection
Figure 35
Edit mode of the database connection maintenance interface
Click the New Entries button. In the screen that displays, enter the appropriate values for the database connection as shown in Figure 36. DBMS and User Name fields must be HDB and SYSTEM, respectively. Click the save icon.
Figure 36
Maintained connection settings
A status message appears in the next screen confirming that the data was saved (Figure 37).
Figure 37
Status of SAP HANA database connection maintenance activity
Configuration of Task Lists
Task lists are a collection of customization activities whose execution can be automated as part of the post installation activities. Examples of these customization activities include the definition of technical configuration parameters, activation of services, activation of SAP HANA content, and creation of text indices.
The technical task list FRA_INITIAL_SETUP must be executed successfully to use the system productively for SAP Fraud Management and SAP Audit Management. Task lists FRA_SUITE_CORE_SETUP_PART_1 and FRA_SUITE_CORE_SETUP_PART_1 need to be executed to take advantage of the integration of SAP Fraud Management with internal audit and usage of anti-corruption content available on SCN at https://wiki.scn.sap.com/wiki/display/GRC/SAP+Fraud+Management
Also, task lists FRA_CM_SETUP and FRA_CM_SETUP_TEXT_INDEX are provided to handle the integration requirement of SAP Fraud Management with SAP Claims Management.
To configure the task list, enter transaction code STC01 in the command line. In the screen that appears, enter the name of the task list you intend to activate in the task list field. In my example, it is FRA_INITIAL_SETUP (Figure 38). Click the execute icon beside With Variant.
Figure 38
Task list name definition
In the next screen click the pencil icon under the Param column (Figure 39).
Figure 39
Maintenance of task list
In the next screen, select Installation in the Installation Mode section, then select the Activate Services option under Services for User Interface, and select Notes implemented under Required Notes from Release Information Note as shown in Figure 40. In the DB Connection Name field that displays when you choose the installation option, enter the DB connection defined earlier. Click the save icon.
Figure 40
Maintenance of task list run variant attributes
The next screen displays a status message confirming the saving of the variant (Figure 41).
Figure 41
Save the definition of the variant for the task list run
Click the back icon. The next screen displays with further status information (Figure 42).
Figure 42
Status confirmation of variant maintenance of the task list run
Click the check icon. The next screen displays with the status of the check operation (Figure 43).
Figure 43
Confirmation of successful check of task list
Click the job icon. The next screen shows the execution of the different tasks running in background (Figure 44).
Figure 44
Status update of the task list run background job
After the job is completed, the next screen shows the successful status of the job run (Figure 45).
Figure 45
Status of the task list run
You can monitor the logs of the activation of the task list via transaction code STC02. In the screen that appears, click the Execute icon (Figure 46).
Figure 46
The initial screen of the task list run monitor
The next screen displays the status of the activation (Figure 47).
Figure 47
Log of task list run
Generation of Time Data Parameters
The generation of time data is an important activity in the configuration of SAP Fraud Management and SAP Audit Management. This is because the user interfaces are heavily reliant on time data, and therefore, it is important to properly maintain these interfaces.
To maintain time data in the SAP HANA system for SAP Fraud Management and SAP Audit Management use cases, log on to SAP HANA Studio and access the Quick Launch section in the SAP HANA studio. Click Generate Time Data (Figure 48).
Figure 48
SAP HANA Studio Quick Launch
In the box that appears, leave the default for Calendar Type as Gregorian. Enter the following values as shown in Figure 49:
- From Year: 1950
- To Year: 1999
- Granularity: Day
- First day of the week: Monday
Figure 49
Time data generation attributes definition
Note
The time data values are the specific values that must be used for the configuration of the system. Read SAP Note 1063178 for more information on the dependency of the setting for the first day of the week between your SAP HANA database and the AS ABAP system.
After you click the Generate button, the next screen displays a job log showing the status of the time data generation run (Figure 50).
Figure 50
Job log for time data generation run
Repeat the above activities for the time period: 2000-2049. To confirm that the time data was generated, follow menu path (in SAP HANA Studio) FRD (SYSTEM) > Catalog > _SYS_BI > Tables > M_TIME_DIMENSION. Right-click the highlighted table as shown in Figure 51.
Figure 51
Open content option of table M_TIME_DIMENSION
Choose the Open Content option. The next screen displays the generated data for every day for the period defined when generating data (Figure 52).
Figure 52
Content of table M_TIME_DIMENSION
Setup of SAP NetWeaver Gateway
SAP NetWeaver Gateway provides an application programming interface that is based on the open data protocol (OD protocol). SAP NetWeaver Gateway uses OData for SAP applications, which contains SAP-centric metadata that helps developers to consume SAP business data that can be retrieved from the SAP Data Dictionary. The SAP NetWeaver Gateway needs to be properly configured to use SAP Fraud Management and SAP Audit Management capabilities.
The configuration of the SAP NetWeaver Gateway involves a number of activities:
- Create an RFC destination
- Maintain the RFC destination as the system alias
- Activate SAP NetWeaver Gateway
Create an RFC Destination
The first activity to perform in configuring SAP NetWeaver Gateway connectivity in an SAP ABAP system is to create a remote function call (RFC) destination that points to itself. Create an RFC destination via transaction SM59. Note that the name of the RFC destination should follow the convention <SID>CLNT<Client Number> (for example, FRDCLNT001). The defined RFC destination is consequently used as the system alias in the following activity.
Maintain the RFC Destination as the System Alias
After you define the RFC destination, you need to define the RFC destination as the system alias. To do this, follow menu path SPRO > SAP Reference IMG > SAP NetWeaver > Gateway > OData Channel > Configuration > Connection Settings > SAP NetWeaver Gateway to SAP System > Manage SAP System Aliases.
Enter the name of the RFC destination defined in the preceding section in the RFC Destination field and select the For Local App check box as shown in Figure 53. Click the save icon.
Figure 53
Maintenance of RFC Destination against the system alias
The next screen displays a status message (Figure 54).
Figure 54
Status message for the maintenance of SAP system aliases
Activate the SAP NetWeaver Gateway
Figure 55
Confirmation dialog box for the activation of SAP NetWeaver Gateway
The next screen displays the status of the SAP NetWeaver Gateway (Figure 56).
Figure 56
Active status of SAP NetWeaver Gateway
Configuration of Open Data Protocol (ODP) Services
SAP Fraud Management and SAP Audit Management depend on OData requests to get data from the satellite systems via the SAP NetWeaver Gateway. Therefore, you need to configure and activate the OData services to facilitate the successful collection of these data sets. The activation of OData services involves the following activities:
- Create a development package
- Register SAP Fraud Management and SAP Audit Management technical services with the SAP NetWeaver Gateway
Create a Development Package
Packages are objects that are designed to help modularize, encapsulate, and decouple development units in the SAP system. Changes to technical services need to be stored in a package. To create a development package in the system, enter transaction code SE21 (Package Builder) in the command line. In the screen that appears, enter a name for the package in the Package field as shown in Figure 57. Click the Create button.
Figure 57
Define a package name
The next screen appears with a dialog box to define the attributes of the package. Specify the attributes for the development package as shown in Figure 58. Click the enter icon.
Figure 58
Define attributes for the development package
The next screen displays (you normally are prompted for a transport request). This screen confirms the creation of the development package (Figure 59).
Figure 59
The Basic Data section confirming the successful creation of the development package
Register SAP Fraud Management and SAP Audit Management Technical Services with the SAP NetWeaver Gateway
The registration of SAP Fraud Management and SAP Audit Management with the SAP NetWeaver Gateway involves the assignment of a system alias (maintained previously) to the appropriate external technical services. To assign a system alias to external technical services, follow menu path SPRO > SAP Reference IMG > SAP NetWeaver > Gateway > OData Channel Administration > General Settings > Activate and Maintain Services. Alternatively, you can access the transaction code /IWFND/MAINT_SERVICE. In the screen that appears, click the Add Service button (Figure 60).
Figure 60
The initial screen of services maintenance and activation
Enter a value in the System Alias field as shown in Figure 61 and press Enter.
Figure 61
Define a system alias name
In the next screen, click a service, such as FRA_ALERT_SRV (Figure 62).
Figure 62
List of services to be associated with LOCAL system alias
In the next screen, enter a value for the Technical Model Name. In my example, I retained the default (ZFRA_ALERT_MDL). Specify a package name (created previously) in the Package field in the Creation Information section as shown in Figure 63. Ensure that the check box Set current client as default client in ICF Node is selected. Click the enter icon.
Figure 63
Maintenance of the attributes of a technical service
The next screen displays a status message (Figure 64). Note that you will be prompted for a transport request. Click the enter icon to exit this screen.
Figure 64
Maintenance of the attributes of a technical service
You need to repeat the activities above for the following technical services:
- FRA_ALERT_SRV
- FRA_BASIC_SETTINGS_SRV
- FRA_CALIBRATION_SRV
- FRA_HOME_SEARCH_SRV
- FRA_HOME_KPI_SRV
- FRA_NWBC_USER_INFO_SRV
- FRA_ODATA_RT_KPI_TICKER_SRV
- FRA_PERSONAL_SETTINGS_SRV
- FRA_SHELL_NAV_TREE_SRV
- FRA_SNA_SRV
- FRA_STW_SERVICE_SRV
- FRA_THING_INSPECTOR_SRV
- FRA_UI5_APPL_HELP_SRV
- FRA_EQ_ALERT_ACCURACY_SRV
- FRA_EQ_ALERT_COUNTRY_SRV
- FRA_EQ_ALERT_LOSS_SRV
- FRA_EQ_ALERT_LOSS_Y2_SRV
- FRA_EQ_EX_KPI_SRV
- FRA_EQ_KPI_CLOSED_SRV
- FRA_EXECUTIVE_INSIGHT_SRV
- FRA_USER_PHOTO_SRV
- /UI2/PAGE_BUILDER_CONF
- /UI2/PAGE_BUILDER_CUST
- /UI2/PAGE_BUILDER_PERS
- FRA_PUR_COI_SRV (only if internal audit is actively used)
Note
Consult the SAP Security guide for SAP Compliance and Assurance software in the SAP Service Marketplace (https://websmp107.sap-ag.de/~sapidb/011000358700000803612013E) for more information on how to generate gateway and OData roles that are necessary for users to leverage the aforementioned registered services.
A user name and password are required to view this link.
Kehinde Eseyin
Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.
You may contact the author at
eseyinok@gmail.com.