When we execute the log report in EAM, we would like to see the report based on which we can take a decision.

But sometimes we see errors when we execute the log report in EAM. This document lists some of the common issues along with their solutions.

Error No: 1

When we execute the consolidated log report under the Reports and Analytics tab, we can see only the transaction information and not the descriptions of those transactions.


  • The transaction description is not available in the consolidated report because of a performance issue.
  • In 10.0 there are multiple systems, and the logs come from multiple systems of different Basis releases.
  • To show the transaction description, RFC calls have to be made for each system.
  • Fetching the transaction description for each system was found to degrade the performance of the log report; hence, as per the design, the transaction description is not supported in EAM reports.
  • This can be found in SAP Note 2010385.


Error No: 2

Transactional logs are not giving any data



  • This error occurs due to a missing authorization.


1. Assign the authorization S_TOOLS_EX to your RFC user in the target connector.

2. Along with the authorization issue, this SAP Note will help you: 1775432


Error No: 3

When the Consolidated Log Report is executed, the following error is displayed.



  • This kind of error occurs if the service is deactivated. To solve this error:
  • Go to transaction SICF > Default host > SAP > BC > webdynpro > SAP > GRAC_UIBB_SPM_Tcode_REPORTS to check the service status.
  • Right-click on it and activate it. Now you will be able to open the "Transaction and session details" page without any error.


Error No: 4

Consolidated Log report is giving the error showing the following error:




  • This kind of error occurs when, due to a large volume of data or some other reason, the extended memory is used up and the TSV_TNEW_PAGE_ALLOC_FAILED exception is raised.

  • To resolve the problem, the memory parameters must be configured correctly. Refer to SAP Notes 146289 and 425207 to check the parameters to be maintained. This memory issue is caused by too much data being selected, so if changing the parameters does not solve the problem, reduce the data selection by creating variants for the log display.

Error No: 5

Reason code and Activity description is missing in reports




  • This error is due to a missing text entry in transaction SE75 for object 'GRC'.
  • To resolve this issue, refer to SAP Note 1982125.


Error No: 6

Audit Log Report is not displaying any data




  • The following reasons could be the cause:
    1. The Firefighter log sync job has not been run.
    2. There are no records in the plug-in system for the transactions SM20, SM21 and SM49.



Everyone is free to correct the mistakes in this and add more issues of this type to the document.



Deepak M

This is a minor tip for checking an access parameter in SPRO.


In the “AC Configuration Settings” screen in SPRO, as you can see, it is not possible to use CTRL + F (this was really annoying me).





But if you click the Print button (CTRL + P), the screen reorganizes and you can use CTRL + F.




I know it's a little tip, but every colleague I showed it to liked it.





Rafael Guimbala

To exclude objects from Batch Risk Analysis (Dashboards), choose the option "Maintain excluded objects" under:


Batch Risk Analysis >> Access Risk Analysis >> Access Control >> Governance, Risk and Compliance >> SPRO


There are these options:




To exclude one role (example role: Z_TEST):





If you want to exclude a range, there are two ways:




Please notice the use of " * "; the second line will not exclude any objects:






Dear all,


Find below information on dumps and errors in Process Control; these issues are mainly caused by missing configuration or missing authorization.

Hope it's helpful.


1. Case Management


     SPRO->Governance, Risk and Compliance->Process Control->Cases->Check Customizing for Case Management


     Types of errors:

  1. Throws a dump “ASSERTION_FAILED CL_GRFN_API_IDENT=============CP” when opening controls in an organization under master data.
  2. We cannot open any Ad-Hoc Issues from the My Home work center.
  3. Throws an error with “GRFN_ENTITY_API:102” when scheduling an automated monitoring job.


     Solution: The entries should be green for Case Management; if not, transport them:

     SPRO->SAP NetWeaver->Application Server->Basis Services->Case Management->Set Status Administration->Create Status Profile and

     SPRO->SAP NetWeaver->Application Server->Basis Services->Case Management->Define Case Types


     Check Note 1526732 - Transfer client-specific Customizing


2. Configure Email Inbound Process


     SPRO->Governance, Risk and Compliance->Process Control->Offline Work Process->Configure Email Inbound Process


     Type of error: Job GRFN_OWP_SUB_JOB_SENDER for Offline Working Process throws an error

                    “Assertion failed” dump in class CL_GRFN_OWP_Deliver


     Solution: SPRO->Governance, Risk and Compliance->Process Control->Offline Work Process->Configure Email Inbound Process

     Insert a row with Communication Type as Internet mail.

     Enter a valid email address in the recipient address column.

     Enter the document class as "*".

     Enter the Exit name "CL_GRFN_OWP_DELIVER".

     Enter the call sequence. Save the settings.


     Note: Assign an email ID to all users who will be receiving notifications.


     Check Notes 1866809, 455140

3. Maintain Entity Role Assignment


          SPRO->Governance, Risk and Compliance->General Settings->Authorizations->Maintain Entity Role Assignment


          Type of error: While submitting Ad Hoc issues, throws dump “The ASSERT condition was violated”


          Solution: SPRO->Governance, Risk and Compliance->General Settings->Authorizations->Maintain Entity Role Assignment

                    Click "New Entries"

                    Select the Entity "G_AI"

                    Select the Role "SAP_GRC_FN_ADISSUE_PROCESS"

                    Select check box "Unique"




          SPRO->Governance, Risk and Compliance->Process Control->Scoping


          Type of error: 1. Throws dump “CL_GRFN_API_TIMEFRAME=========CP” while creating an account group in master data

                         2. Throws dump “CL_GRFN_API_TIMEFRAME=========CP” while running the MDUG (Master Data Upload Generator) in order to upload a template


          Solution: SPRO->Governance, Risk and Compliance->Process Control->Scoping->Maintain Scoping Materiality Analysis Frequency


5. Missing authorization


     Type of error: Throws dump “CL_GRFN_API_IDENT=============CP” for the master data change reviewer in the work inbox


     Solution: The approver should have DISPLAY authorization for the entities CONTROL and XCONTROL


6. In Programs


     Type of error: Execution of program GRFN_CHECK_CDF ends with dump “ASSERTION_FAILED”


     Solution: Transaction code SM30;

     Enter T7771 as the Table/View and click on Maintain;

     Select the custom infotype used in the CDFs;

     Click on Time Constraint in the left side panel;

     Make sure that the Time Constraint field has the value 2 or 3. Value 1 cannot be used in GRC;

     If necessary, change the value of Time Constraint and save.


     Type of error: Program GRPC_MASS_PROCESS_ASSIGNMENT throws a dump


     Solution: While executing the program GRPC_MASS_PROCESS_ASSIGNMENT, make sure that the organization unit used here is not locked.



Hello GRC Mates,

When Roles are imported into BRM, the message that we like to read on the monitor is: All Roles are imported successfully.

But sometimes we see errors when the roles are imported into BRM. This document lists some of the common issues along with their solutions.

Error No: 1

While uploading roles through the NWBC via Role Import in Role Mass Maintenance, you receive the following error:




You need to increase the Max Length for Single (SIN) and Derived (DRD) roles at the following path: SPRO -> IMG -> Governance, Risk and Compliance -> Access Control -> Role Management -> Maintain Role Type Settings -> Specify Maximum Length for Role Type.

Set the Max Length to the desired value and then try to import the roles.


Error No: 2

While Importing roles through the NWBC via Role Import, if you receive the following error:


LONG_TEX failed.png


  • This error occurs due to a missing Text ID for SAPscript object 'GRC' in transaction SE75.
  • To solve this kind of issue:
    1. Go to transaction SE75.
    2. Select "Text objects and IDs".
    3. Click on the Display button.
    4. Select 'GRC' as Object and then click on 'Text IDs'.
    5. There should be an entry for 'Text ID' as 'LTXT' with description as 'LONG TEXT'.


Error No: 3

While Importing Composite roles through the NWBC via Role Import, if you receive the following error:



  • In order to import Composite Roles into BRM, you need to ensure that their child roles (Single Roles) exist in the system.
  • First import all the child roles and then re-import the Composite Role into the system, which will remove the error message and upload the Composite Role successfully.


Error No: 4

While Importing roles through the NWBC via Role Import, if you receive the following error:




  • Ensure that the Single master roles exist in the system.
  • Try importing the single master roles first
  • Also ensure the parent/child role relation is entered within the import sheet correctly.


Error No: 5

While Importing roles through the NWBC via Role Import, if you receive the following error:




  • This error is due to uploading roles with a t-code that does not exist in the dictionary.
  • Remove the t-code from the role before the import; otherwise validation will not allow the import.


Error No: 6

  • While uploading roles through the NWBC via Role Import in Role Mass Maintenance, if you receive the following error:







Everyone is free to correct the mistakes in this and add more issues of this type to the document.



Deepak M

Access control decisions for business are no longer about permission to allow and deny. When roles were introduced way back in the 90s, there was nothing like the Internet of Things and the whole range of technology advancements we see in today's world. In the 90s businesses operated in silos; there was minimal collaboration. Now in 2015, in a globalized world, if you are still sticking to the role-based model, it is about time you might want to rethink.


An access control decision is made based on multiple factors.


How can you apply the above contextual information to make access control decisions, JUST by using Role Based model?

This is a typical question that I pose to most of our prospective customers. The answer I often hear back from them is: #1 Customization, #2 More Roles …. More … More & More Roles





With the new SAP GRC product offering, SAP Dynamic Authorization Management (SAP DAM), customers now have an option to choose from: Customization, More Roles… More Roles, or SAP DAM.


SAP DAM access control model is a Hybrid of RBAC+ABAC.

  • RBAC stands for Role based access control model
  • ABAC stands for Attribute based access control model


In an RBAC model, the PRIMARY roles defined allow or deny users at transaction code level. In an ABAC model, we take the subject, environment, resource and action performed as attributes to make access control decisions at Org level.


A combination of RBAC+ABAC becomes a very powerful access control tool for security administrators. The reason is that the business can now make fine-grained, dynamic, attribute-based access control decisions without any customization or adding more and more roles. This is how the hybrid model works:



With the SAP DAM offering, SAP GRC gave a new dimension to streamline how we traditionally have been making access control decisions.


Anand Kotti

GRC Access Control

2094723 - Consolidated Note for SAP Access Control 10.0 Master Notes

2096196 - Consolidated Note for SAP Access Control 10.1 Master Notes

2150899 - Consolidated Note for Access Control Org Rules - 10.1, 10.0 and Plugin Issues

2113778 - Consolidated Note for EAM workflow in GRC Access Control 10.1

2157603 - Consolidated Note for all BUSINESS ROLE related issues in GRC 10.1

2150961 - Consolidated Note for Access Control - Dashboard 10.1 & 10.0 Issues

2150954 - Consolidated Note for Access Control - Mitigation Control 10.1 Fixes

2163107 - Consolidated Note for UAR Review: Master Note 10.1

2105778 - Consolidated Note for UAR Review: Master Note

1967403 - EAM: Key note for Firefighter Log and Review Workflow issues

2150850 - Key note for Access Risk Analysis, Batch Risk Analysis Access Risks, Function & WorkFlow issues


GRC Process Control

2126446 - Consolidated Note for Process Control 10.0 Manual Test Plan

2126494 - Consolidated SAP Note for Process Control 10.1 Manual Test Plan

2105791 - Consolidated Note for Process Control 10.1 Master Data

2104086 - Consolidated Note for Process Control 10.0 Master Data

2179893 - Consolidated Note for Process Control 10.0 Assessments

2126644 - Consolidated Note for Process Control 10.0 Automated Control

2170668 - Consolidated Account Balances Screen - Text cannot be entered in the 'Reason' field

2169236 - Consolidated Note for SAP Process Control 10.1 Performance

2210244 - Consolidated Note for Process Control 10.0 - OWP (Offline Work Process)

2210770 - Consolidated Note for Process Control 10.0 MDUG

2213122 - Consolidated Note for Process Control 10.1 MDUG

2210317 - Consolidated SAP note for Process Control Disclosure Survey Assessment

2210727 - Consolidated Note for Process Control 10.0 Sign off

2218949 - Consolidated Note for Process Control 10.1 Sign off


Risk Management

2118405 - Consolidated Note for SAP Risk Management 10.1 Master Notes

2118403 - Consolidated Note for SAP Risk Management 10.0 Master Notes


GRC Generic

2133498 - New Functionalities added in GRC 10.1 and their code corrections: Consolidated Note

2185282 - Consolidated Note: TSV_TNEW_PAGE_ALLOC_FAILED

Hello folks,


You may have the requirement in your company, that you only want to create new hires/terminations from HR Triggers for users that belong to a certain Company Code (BUKRS).


How can you do that?


My suggestion is to create a Procedure Call that executes a function module to get the user BUKRS. Then you add BUKRS to the condition columns of your Decision Table, and it is done!


Okay, you will ask me... why not use a DBLookup instead of a Procedure Call? The answer is that the BUKRS field is stored in the HR system table PA0001. If I was wanting to retrieve a field value from any table sitting in the GRC Foundation system itself, I could have used a DBLookup - no problem. But the table I need to access is on another system, the HR system. Therefore, by using a Function Module tied to a BRF+ Procedure Call expression, I can make use of the SAP standard Function Module RFC_READ_TABLE to complete this task.


Below are the steps suggested to achieve it.




Code for the Function Module:

NOTE: this code is a sample, and IS NOT standard application code. It is merely a suggestion on how to create the Z Function Module in order to get Company Code (BUKRS) for the PERNR user triggered by HR Triggers.


NOTE2: I made this sample in the most basic form, you will need to add treatment for Exceptions, etc.


IMPORT parameter:



EXPORT parameter:




My FM is called "Z_HR_TRIGGER_GET_BUKRS", and you may call it whatever you like.


Also you may use it for any other HR info type information that you would want to add to your Decision Table. In this scenario, the data I want is BUKRS, but you may want to use WERKS, Personnel Area, etc. As long as the data is stored in a HR Table related to the employee PERNR number, you can map it following this blog.


The suggested code is:



*"*"Local Interface:

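" IT_HR_DATA is the IMPORT parameter and ET_BUKRS the EXPORT parameter.
" The table parameters of RFC_READ_TABLE use the standard line types
" RFC_DB_OPT (OPTIONS), RFC_DB_FLD (FIELDS) and TAB512 (DATA).
DATA:   lv_pernr      TYPE string,
        lv_connector  TYPE rfcdest,
        lv_table      TYPE dd02l-tabname.

DATA:   lv_data       TYPE string,
        lv_date       TYPE string,
        lv_options    TYPE rfc_db_opt,
        lv_fields     TYPE rfc_db_fld,
        lt_options    TYPE STANDARD TABLE OF rfc_db_opt,
        lt_fields     TYPE STANDARD TABLE OF rfc_db_fld,
        lt_data       TYPE STANDARD TABLE OF tab512,
        ls_hr_data    LIKE LINE OF it_hr_data.

FIELD-SYMBOLS <fs_hr_data> LIKE LINE OF it_hr_data.
FIELD-SYMBOLS <fs_lt_data> LIKE LINE OF lt_data.

CLEAR lv_connector.
CLEAR lv_pernr.

" The PERNR row of the trigger data carries the connector and the employee number.
LOOP AT it_hr_data INTO ls_hr_data WHERE field_name = 'PERNR'.
  lv_connector = ls_hr_data-connector.
  lv_pernr     = ls_hr_data-new_field_value.
ENDLOOP.

IF lv_connector IS NOT INITIAL AND lv_pernr IS NOT INITIAL.

  CLEAR lt_data.
  CLEAR lv_options.
  CLEAR lt_options.
  CLEAR lt_fields.

  " Only the BUKRS column is requested.
  lv_fields-fieldname = 'BUKRS'.
  APPEND lv_fields TO lt_fields.

  " Selection: rows of this PERNR that are still valid today.
  " lv_pernr goes into the selection text as received, so it must contain digits only.
  " The date literal is placed in single quotes, without blanks inside the quotes.
  CONCATENATE '''' sy-datum '''' INTO lv_date.
  CONCATENATE 'PERNR EQ' lv_pernr 'AND ENDDA GE' lv_date INTO lv_options-text SEPARATED BY space.
  APPEND lv_options TO lt_options.
  WRITE: lv_options-text.

  lv_table = 'PA0001'.

  " The parameter and exception names below are those of the standard RFC_READ_TABLE
  " interface; ROWCOUNT is the assumed name of the parameter that is set to 1.
  CALL FUNCTION 'RFC_READ_TABLE'
      DESTINATION lv_connector
    EXPORTING
      query_table          = lv_table
      rowcount             = 1
    TABLES
      options              = lt_options
      fields               = lt_fields
      data                 = lt_data
    EXCEPTIONS
      table_not_available  = 1
      table_without_data   = 2
      option_not_valid     = 3
      field_not_valid      = 4
      not_authorized       = 5
      data_buffer_exceeded = 6
      OTHERS               = 7.

  CASE sy-subrc.
    WHEN 0.
      " fine, do nothing
    WHEN 1.
      "lv_msgno = '082'.
    WHEN 2.
      "lv_msgno = '083'.
    WHEN 3.
      "lv_msgno = '084'.
    WHEN 4.
      "lv_msgno = '085'.
    WHEN 5.
      "lv_msgno = '086'.
    WHEN 6.
      "lv_msgno = '087'.
  ENDCASE.

  "Only one line must be in lt_data, only one Active BUKRS per PERNR is expected in PA0001.
  IF lines( lt_data ) = 1.
    READ TABLE lt_data ASSIGNING <fs_lt_data> INDEX 1.
    lv_data = <fs_lt_data>-wa.
    MOVE lv_data TO et_bukrs.
    WRITE: lv_data.
  ELSE.
    CLEAR lv_data.
    "WRITE: 'Error'.
  ENDIF.

ENDIF.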
















Assuming your BRFPlus HR Triggers rule is created according to blog:



Creating your first HR Triggers BRFPlus - BASIC



we will make the below modifications:



1) Create two Data Elements. Type: TEXT, Length: 4








2) Add the newly created Element "DT_BUKRS" to the Function context:






3) Create an Expression of type "Procedure Call", I am calling it "GET_BUKRS".



In my sample, I have created a Function Module in the GRC Foundation system, called Z_HR_TRIGGER_GET_BUKRS.



Below I mapped the FM parameters for Import and Export.







4) Create an Expression of type "Formula". I called it "FORMULA".



Assign "Result Data Object" to Element "DT_BUKRS".



To add the GET_BUKRS to the formula, right-click anywhere in the formula area (white box), choose "Insert Expression" and select the existing "GET_BUKRS".






5) Now go to Rule 1 (if you have named them differently, go to the Rule that has the LOOP).



Add below expression and make it the first expression (1).






6) Open Decision Table, and add DT_BUKRS to the "Condition Columns"














Let's simulate the scenario.



1) In my test HR system called GH7CLNT600, I have PERNR 3, with BUKRS "US01".



Note that there are two rows for the PERNR 3, the Function Module must take the valid entry, and ignore the expired entries.





2) My decision table has below conditions, for New Hire (0105 0001):





3) Simulating the FUNCTION:



Click Start Simulation.







I have entered two lines in my simulation.

The first line is to match the New Hire condition.



The second entry  always comes within HR Trigger data from HR system, which is the PERNR number.



If PERNR is not coming, it will fail. In real scenario, it will always come along with the changed info types.






What must happen: in Rule 1, the BUKRS will be collected for PERNR 3, and my New Hire condition will be met only if all columns are matched, including DT_BUKRS.












Other HR Trigger documents and on WIKIS



Debugging HR Trigger - PA40 changes to infotypes


Debugging HR Trigger - Simulation

When a connector/system has to be deleted from GRC, the sync jobs will not remove this connector's data from the tables, but the report GRAC_DELETE_ACCESS_RULES does the job if you select the last check box, as you can see in the image:





You will delete the data of the selected connector from the following GRC tables. *Notice that all these tables have a connector field; if this field is equal to the connector that was chosen, the data will be erased.*



  1. gracactionsyst 
  2. gracactpermsys 
  3. gracactusage 
  4. gracauthpmsyst
  5. gracclasssyst 
  6. gracfldsys 
  7. gracfldsyst 
  8. gracfldvalsys       
  9. gracmgmtactusage 
  10. gracobjectauth 
  11. gracpdprofiles
  12. gracpermclssys 
  13. gracpermfldsys 
  14. gracpermfldval 
  15. gracprofile 
  16. gracprofilet 
  17. gracrlconn
  18. gracroleorg 
  19. gracroleusage 
  20. gractaskexecstmp 
  21. gracuser 
  22. gracuserconn 
  23. gracusermap 
  24. gracuserorg 
  25. gracuserprofile   
  26. gracuserrole      
  27. gracusrpdprofile 

When choosing the background option in Risk Analysis, some users face a dump. It is related to duplicate parameters; one example is a risk analysis with two roles or two kinds of risk.


This is how the error appears in the front end:


500 Sap Internal Server Error

ERROR: Open SQL  array insert produces duplicate records in the database. (Termination: RABAX_STATE)



And this is the error in ST22






The error line is >>>>insert gracbrange from table mt_range_table.



For more information on solving this issue, see SAP Note 2183633 - Background Batch Risk Analysis raising

I decided to create this blog to gather the issues of not having the GRC object created in SE75.



First of all, a brief explanation about the transaction:


SE75 – Long text (SAPScript texts)


"Long Texts (also referred as SapScript texts or text objects) are the containers for containing long texts in SAP systems, and they are usually attached to business objects, that users can enter free comments.

Long Texts were initially created for SapScript tool because old database systems had text columns limited around 255 characters. The "new" database systems do not have this restriction any more, but Long Texts remain."


Source: http://wiki.scn.sap.com/wiki/x/1YRMB



The GRC object in SE75




Main issues:


If the GRC text object ID is not in the SE75 list, the following issues may occur in the system. The notes listed below are in chronological order:


1895324               Role Import ends with an error "LONG_TEX failed"

2156904               Access Request Creation Error

2151993               Description and Control Objectives Blank After Access Risk Save

1983201               Error while saving comment in Notes section of ad hoc issue

1982125               Reason code and Activity description is missing in reports

1801435               'Error Inserting Records' error on request submission

1847877               Risk ID detail Description not getting saved

1800347               Short Dump on FF Login

1890058               "Saving note failed" error comes while saving Mitigation Control

1793111               Error 'Creating TEXT/LONG TEXT failed"

1843287               Submitting a request there is an error while inserting request reason

1791799               GRC 10.0 - Error while inserting the request reason



All the notes above present the same solution.



Object GRC must be created in SE75.



KBA 2156904 shows the manual steps on how to do it.



You can also use the following SAP Note to run a script that updates the text tables directly in the database:


2058516 - Creating entries in TTXOB,TTXOT,TTXID and TTXID Table

Below are the steps to create the first HR Triggers BRF+ Rule, the simplest and basic way to create it.


Creating the objects






  The order in which you create the objects may vary according to your preference.



1- Data object of type Table, called HR_TRIGGER_TABLE, with binding to GRAC_T_HR_TRIGGER_BRFP

2- Data object of type Table, called ACTION_ID, with binding to GRAC_T_HR_ACTION_ID_BRFP

3- Function, assigning the context in Signature

4- Decision Table

5- Rule2

6- Loop

7- Rule1

8- Ruleset

9- Assign the Ruleset to the Function





  My suggestion is to create the objects in the above order, but only ACTIVATE them at the end, once all objects are created.


  This way you avoid activation errors.








Assign the context in the function signature, as follows:




Data Objects


1- Data object of type Table, called HR_TRIGGER_TABLE, with binding to GRAC_T_HR_TRIGGER_BRFP

2- Data object of type Table, called ACTION_ID, with binding to GRAC_T_HR_ACTION_ID_BRFP


Once you create them, the corresponding Structure and Elements will appear automatically.




Decision Table





Rule_2 object


To add operation (1): in Edit mode, go to Add->Process Expression->Decision Table and select the decision table object.



To add operation (2): in Edit mode, go to Add->Assign Value to Context->Table type for Action ID.



Click on Change, and select "Select Context Parameter", choose "Action ID" (text type).


In addition, click on Change, and set it to "Insert", once you complete, it should look like below:






LOOP object

In Edit mode, go to Options>Add Rule->Select an Existing Rule.

And select Rule_2 object.







Rule_1 object

In Edit mode, go to Add->Process Expression->and select LOOP_1 object.







Ruleset_1 object

In Edit mode, go to Options>Add Rule->Select an Existing Rule.

And select Rule_1 object.



Save it.















Assign the ruleset in the function:


HR Triggers business logic getting too complex?











Why not make use of the entire world of ABAP to code the business logic for HR Triggers?




Business Rule Framework plus (BRFplus) provides a comprehensive application programming interface (API) and user interface (UI) for defining and processing business rules. However the tool can be complex to users that have limited knowledge and experience working with it.




BRFPlus applications can become very complex, and it may come to a point where the business logic for some HR Trigger scenarios is better off being created in a pure ABAP procedure instead. Of course, for those who are BRFPlus developers, this blog does not make sense, but I would like to address here those users with very limited knowledge of the tool.



BRFPlus Application that calls an ABAP procedure, is all you need



Follow the three videos below, to create a BRFPlus application from scratch, which in turn calls an ABAP procedure where you can use your ABAP skills to create any logic you desire. As long as your business logic for HR Triggers can be coded using ABAP, you should be okay!




BRFPlus - Part 1 - Create Function Module

This video demonstrates how to create the Function Module to be used in the BRFPlus rule with a Procedure Call, for Access Control HR Triggers functionality.


BRFPlus - Part 2 - Create BRF Application

This video demonstrates how to create and configure the BRFPlus Application with Procedure Call, to be used in HR Triggers.


BRFPlus - Part 3 - Map the BRFPlus Function ID in SPRO

This video demonstrates how to map the newly created BRFPlus rule into SPRO configuration.




More info on WIKIS:




Debugging HR Trigger - PA40 changes to infotypes


Debugging HR Trigger - Simulation


As companies grow and expand globally, there is an increasing number of enterprise application users, and with this growth, an ever increasing risk of security breaches and violations. As enterprises are becoming more susceptible to security risks and violations from internal users, businesses are moving towards implementing more preventative measures rather than staying in reactive mode.


SAP GRC enables organizations to establish effective internal controls, along with processes to make sure these controls remain consistent, updated and cost-effective to manage. Administrators can now use a single SAP GRC framework to monitor and enforce business, compliance and security policies across the enterprise. SAP has enhanced the GRC offering to include the SAP Dynamic Authorization Management by NextLabs to ensure that companies can quickly adapt to changing policies and streamline enforcement and administration of those policies.



GRC customers can now integrate more fine-grained contextual information about the user. This information can include location, project, cross-departmental access, territory, and real-time segregation of duties attributes. The tight integration provides real-time risk enforcement to prevent misappropriation of information before it happens. Customers can monitor and track all activity.





Segregation of duties violation example:

  • Charles can maintain a vendor master and post a vendor invoice payment.


  • Charles can maintain his own vendors and transfer money to the vendors at any time without external authorization. It poses a huge financial risk for the business.






With SAP Dynamic Authorization Management implementation:

Case #2.1 - There are no mitigating controls in place in GRC rule set for SOD Violation:

  • When Charles performs the action of paying the vendor he created, he is blocked.


Case #2.2 - There are mitigating controls in place in GRC rule set for SOD Violation:

  • When Charles performs the action of paying the vendor he created, Charles has an option to move forward by signing an NDA (SAP DAM self-attestation feature).


In all the use cases discussed above, the activity performed by Charles is recorded and reported back to SAP DAM Analytical Dashboard.


Anand Kotti
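The hybrid RBAC+ABAC model and the Charles scenario (Cases #2.1 and #2.2) from the two SAP DAM posts above, as an added Python sketch: a role check at transaction-code level followed by attribute rules, with every decision recorded. This is not SAP DAM code or its policy language and is not from the original posts; all class, role, user and vendor names are constructed, and XK01/XK02/F-53 stand in for vendor maintenance and vendor payment.

```python
"""Hybrid RBAC + ABAC decision modelled on the Charles example (added illustration).

Not SAP DAM code or its policy language: all class, field and rule names are
hypothetical, and the roles, users and vendors are constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Effect(Enum):
    DENY = "deny"
    ALLOW = "allow"
    ATTEST_FIRST = "allow after self-attestation"


# RBAC layer: role -> transaction codes it grants (constructed sample roles).
ROLE_TCODES = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},  # create / change vendor master
    "Z_AP_PAYMENTS": {"F-53"},              # post outgoing vendor payment
}
PAYMENT_TCODES = {"F-53"}


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset
    company_codes: frozenset  # org-level attribute of the user


@dataclass(frozen=True)
class Vendor:  # the resource
    vendor_id: str
    company_code: str
    maintained_by: str  # user who created or last changed the master record


@dataclass(frozen=True)
class Environment:
    mitigation_in_place: bool  # a mitigating control exists for this SoD risk
    attested: bool = False     # the user has completed self-attestation


AUDIT_LOG = []  # every decision is recorded, whether allowed or blocked


def rbac_allows(subject, tcode):
    """Coarse gate at transaction-code level."""
    return any(tcode in ROLE_TCODES.get(role, ()) for role in subject.roles)


def decide(subject, tcode, vendor, env):
    """Evaluate RBAC first, then the attribute rules; log and return the effect."""
    if not rbac_allows(subject, tcode):
        effect, reason = Effect.DENY, "no assigned role grants this transaction"
    elif vendor.company_code not in subject.company_codes:
        effect, reason = Effect.DENY, "vendor is outside the user's company codes"
    elif tcode in PAYMENT_TCODES and vendor.maintained_by == subject.user_id:
        # SoD conflict: the same person maintained the vendor and is paying it.
        if not env.mitigation_in_place:
            effect, reason = Effect.DENY, "SoD conflict without mitigating control"
        elif not env.attested:
            effect, reason = Effect.ATTEST_FIRST, "SoD conflict, attestation pending"
        else:
            effect, reason = Effect.ALLOW, "SoD conflict, mitigated and attested"
    else:
        effect, reason = Effect.ALLOW, "role and attributes match"
    AUDIT_LOG.append((subject.user_id, tcode, vendor.vendor_id, effect.value, reason))
    return effect


# Constructed sample data for the scenario.
CHARLES = Subject("CHARLES", frozenset({"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENTS"}),
                  frozenset({"US01"}))
OWN_VENDOR = Vendor("V-1001", "US01", maintained_by="CHARLES")
OTHER_VENDOR = Vendor("V-2002", "US01", maintained_by="DANA")
FOREIGN_VENDOR = Vendor("V-3003", "DE01", maintained_by="DANA")


def run_cases():
    """Return the effect for each case, in order."""
    return {
        "2.1 own vendor, no mitigation": decide(CHARLES, "F-53", OWN_VENDOR, Environment(False)),
        "2.2 own vendor, mitigation": decide(CHARLES, "F-53", OWN_VENDOR, Environment(True)),
        "2.2 after attestation": decide(CHARLES, "F-53", OWN_VENDOR, Environment(True, True)),
        "other user's vendor": decide(CHARLES, "F-53", OTHER_VENDOR, Environment(False)),
        "other company code": decide(CHARLES, "F-53", FOREIGN_VENDOR, Environment(False)),
        "maintain own vendor": decide(CHARLES, "XK02", OWN_VENDOR, Environment(False)),
    }


if __name__ == "__main__":
    for case, effect in run_cases().items():
        print(f"{case:32} -> {effect.value}")
    print(f"{len(AUDIT_LOG)} decisions recorded")
```

The role check alone passes every one of Charles's requests; the blocked and attestation-gated outcomes come only from the attribute rules.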

Business Scenario

In one of the GRC projects I have worked on, the client's requirement was to send the User Access Review workflow to the user for review at the first stage and then to the manager for review. Since there is no standard User agent provided by SAP, we developed a custom user agent by making use of BRF+ functionality.


BRF+ Agent Design


As per the User Access Review process, first the UAR request generation job is scheduled, which generates the requests, and then the UAR Workflow update job is scheduled, which pushes all UAR requests into the workflow; they then go to the corresponding workflow path and stages.


Since a "User Agent" is requested by the client, the "User" now also becomes one of the GRC approvers, and hence the "User" should exist in the target system and in the GRC system as well.


Once the requests are generated by the "UAR Request Generation" job, they are stored in the GRC table "GRACREVITEM - Review Request Related Items".


In our UAR User Agent design we used the DBLOOKUP functionality on the table GRACREVITEM to get the UserID as the result, based on the UAR Request ID.


NOTE: This Agent design works for UAR workflows having MANAGER as REVIEWER


BRF+ Agent Configuration

You have to generate the BRF Rule via Transaction SPRO in GRC system. Follow the below steps in your GRC system.

Run transaction SPRO and go to IMG => Governance, Risk and Compliance => Access Control => Workflow for Access Control => Define Workflow related MSMP rules.


Directly execute Tcode GRFNMW_DEV_RULES

  • Fill generation criteria (Process ID, Rule type, etc.)
  • Specify Generation options
  • Generate rule shell (Execute button)


Click Execute or Press F8. This now generates a successful message for BRFPlus Rule with name and ID. You can run BRF+ Tcode and can check the newly created BRF+ application there.



Functions Signature Update

In BRF+ function, change the mode to “Event Mode” and activate the function as shown below.

  • Since Function mode has been changed to “Event mode,” the result data object has changed automatically, so it has to be reset manually
  • In “Signature” tab of BRF Function, change the result data object to GRFN_MW_T_AGENT_ID


Create Ruleset in BRF+ Application

Create Ruleset in your BRF+ application by clicking on “Create Ruleset” button under “ASSIGNED RULESETS” tab of function. Ruleset is a combination of business rules that can only be assigned to a function in the BRFPlus framework.

Create Rule within Ruleset - Create Expression of Type “Loop”

  1. Click on “Insert Rule” button to create new rule
  2. From within rule, click on “Add” -> “Process Expression” -> “Create” to create a new expression
  3. Create expression of type “Loop” and provide suitable name and description.
  4. Loop gets created as shown below. Processing Mode and Loop Mode maintain as mentioned below.


Create Rules within Loop Expression

First Rule

a. The Request ID field used in this agent rule is sent with a prefix, as "ACCREQ/REQ_ID". Before doing the DBLOOKUP, the prefix has to be removed and only "REQ_ID" should be sent to the DBLOOKUP. To achieve this, I used a "FORMULA" expression with the SUBSTRING function.


b. Once the Request ID field is trimmed, it is used in the DBLOOKUP, which gets the UserID. The second rule is to create the DBLOOKUP for the table GRACREVITEM.



c. Each LineItem in BRF+ needs to be assigned to the context parameter ITEMNUM, as we didn't initialize the LineItem key.


Second Rule

The second rule is used to assign a value to the context as shown below. This rule will be included in your loop for inserting the values into the Agent ID table after processing each LineItem.


Finally, the Loop expression will have all the required rules as shown below.



Once the above rules are created, activate your expressions REMOVE STRING, DBLOOKUP, LOOP and FUNCTION, and then check by simulating your function: add Line Item rows, enter any Request_ID from table GRACREVITEM and check whether your agent returns the correct results.


After verification, this BRF+ agent can be used in the MSMP UAR workflow and your UAR requests can be routed to users for approval/notifications.

Looking forward to all your feedback.


Thanks for reading.


Best Regards,

Madhu Babu Sai

