Introduction:

HANA databases often serve as repositories for organization's critical financial data, making them subject to stringent regulatory requirements such as SOX. Leveraging SAP GRC Process Control Continuous Controls Monitoring (CCM) module provides an effective solution to record and monitor database activities in real-time. This article comprehensively covers the steps to setup an automated control in GRC PC for HANA database. I am taking the below real time use case and creating an automated ITGC control in PC to monitor HANA Database and report the exceptions.

Use case:

The HANA Database administrators often make configuration changes in HANA DB such as parameters related to memory allocation, disk storage, network settings, security configuration, etc.  Such changes are generally allowed to be happened using SYSTEM account. In this case, there's a need to have a control to review who actually used the SYSTEM account and made the changes to meet the SOX compliance objectives. GRC PC can be leveraged to automate the control monitoring and reporting by following below steps.

I am using the standard view "SYS.M_INIFILE_CONTENT_HISTORY" that stores the database global parameters (refer below screenshot). The field USER_NAME shows the actual database user id who made the change and APPLICATION_USER_NAME is the one who used the DB user (USER_NAME) to make the change and APPLICATION_NAME shows the application where the change is initiated from like HDBStudio, HANa Cockpit or from OS level etc.

Let's say only the SYSTEM user is allowed to make configuration changes. The control requirement is to review the logs at the end of each month and report any changes made by the users other than SYSTEM.

Let's define a control in PC and automate monitoring. To achieve it, perform below steps.

1. Create a calculation view in HANA database to list the configuration changes and send it to process control.
2. Establish a connection between PC and HANA Database and assign the connector to Integration scenario "AM"
3. Create a Data source in PC
4. Create a Business Rule in PC
5. Create an automated Control in PC and assign the owner (agent)
6. Assign business rule to the control.
7. Schedule an automated monitoring job

Pre-requisites:

• GRC system - At least on 10.1 (Please refer to SAP Product Availability Matrix for more information)
• GRC Plugin to be installed on HANA Database - Delivery Unit Deployment (Ref: 2589878 - Installing or upgrading HANA GRC Plug-in - SAP for Me)

• Create a calculation view in HANA database:

GRC process control can read only the calculation view result returned from the Hana data base. So, you need to create a calculation view in Hana database by including the columns from the view to be returned. (Best practice is to minimize the amount of data to be passed to PC by applying conditions and calculations at HANA database side rather than passing large chunk of data to PC and apply the filters and calculations there).

Limitations:

1. PC supports only "SQL Script" type calculation view.
2. PC supports only four datatypes - DATE, INTEGER, NVARCHAR and DECIMAL. If any fields of other datatype, their type to be converted to one of the supported data type.
3. Calculation view must have at least a measure field.

Here's a sample script for calculation view.

 Note: Customers who have Enterprise HANA is in place (do not allow development on HANA tenant databases) can achieve this by creating virtual tables. (I am going to cover this with another use case very soon)

• Establish a connection between PC and HANA Database:
• Create HANA Database connector in GRC system using the transaction code DBCO
• Create a connector using SM59 (type: "L")
• Define Connector and Connector group in GRC and assign the connector to connector group.
• Maintain Connection settings - assign the Hana DB connector to the integration scenario (AM - automated monitoring")

The remaining steps are common for all automated controls. I am going to cover those steps in a separate blog.

Hope you enjoyed reading this blog. In case of any queries, let me know in comment or get in touch with me at LinkedIn or email.