I decided to create this blog post to gather the issues caused by not having the GRC text object created in SE75.



First of all, a brief explanation about the transaction:


SE75 – Long text (SAPScript texts)


"Long Texts (also referred to as SAPscript texts or text objects) are the containers for long texts in SAP systems; they are usually attached to business objects so that users can enter free comments.

Long Texts were initially created for the SAPscript tool because old database systems had text columns limited to around 255 characters. The "new" database systems do not have this restriction any more, but Long Texts remain."


Source: http://wiki.scn.sap.com/wiki/x/1YRMB



The GRC object in SE75




Main issues:


If the GRC text object ID is not in the SE75 list, the following issues may occur in the system. The notes listed below are in chronological order:


1895324 - Role Import ends with an error "LONG_TEX failed"

2156904 - Access Request Creation Error

2151993 - Description and Control Objectives Blank After Access Risk Save

1983201 - Error while saving comment in Notes section of ad hoc issue

1982125 - Reason code and Activity description is missing in reports

1801435 - 'Error Inserting Records' error on request submission

1847877 - Risk ID detail Description not getting saved

1800347 - Short Dump on FF Login

1890058 - "Saving note failed" error comes while saving Mitigation Control

1793111 - Error 'Creating TEXT/LONG TEXT failed'

1843287 - Submitting a request there is an error while inserting request reason

1791799 - GRC 10.0 - Error while inserting the request reason



All the notes above present the same solution.



Object GRC must be created in SE75.



KBA 2156904 shows the manual steps on how to do it.



You can also use the following SAP note to run a script that updates the text tables directly in the database:


2058516 - Creating entries in TTXOB,TTXOT,TTXID and TTXID Table

Below are the steps to create a first HR Triggers BRF+ rule, in the simplest and most basic way.


Creating the objects






The order in which you create the objects may vary according to your preference.



1- Data object of type Table, called HR_TRIGGER_TABLE, with binding to GRAC_T_HR_TRIGGER_BRFP

2- Data object of type Table, called ACTION_ID, with binding to GRAC_T_HR_ACTION_ID_BRFP

3- Function, assigning the context in Signature

4- Decision Table

5- Rule2

6- Loop

7- Rule1

8- Ruleset

9- Assign the Ruleset to the Function





My suggestion is to create the objects in the above order, but only ACTIVATE them at the end, once all objects are created.


This way you avoid activation errors.








Assign the context in the function signature, as follows:




Data Objects


1- Data object of type Table, called HR_TRIGGER_TABLE, with binding to GRAC_T_HR_TRIGGER_BRFP

2- Data object of type Table, called ACTION_ID, with binding to GRAC_T_HR_ACTION_ID_BRFP


Once you create them, the corresponding Structure and Elements appear automatically.




Decision Table





Rule_2 object


To add operation (1): in Edit mode, go to Add->Process Expression->Decision Table and select the decision table object.



To add operation (2): in Edit mode, go to Add->Assign Value to Context->Table type for Action ID.



Click Change, select "Select Context Parameter" and choose "Action ID" (text type).


Then click Change again and set it to "Insert". Once complete, it should look as below:






LOOP object

In Edit mode, go to Options->Add Rule->Select an Existing Rule.

And select Rule_2 object.







Rule_1 object

In Edit mode, go to Add->Process Expression and select the LOOP_1 object.







Ruleset_1 object

In Edit mode, go to Options->Add Rule->Select an Existing Rule.

And select Rule_1 object.



Save it.















Assign the ruleset in the function:


HR Triggers business logic getting too complex?











Why not make use of the entire world of ABAP to code the business logic for HR Triggers?




Business Rule Framework plus (BRFplus) provides a comprehensive application programming interface (API) and user interface (UI) for defining and processing business rules. However, the tool can be complex for users who have limited knowledge of and experience with it.




BRFplus applications can become very complex, and it may come to a point where the business logic for some HR Trigger scenarios is better off being implemented as a pure ABAP procedure instead. Of course, for those who are BRFplus developers this blog does not make sense, but I would like to address here those users with very limited knowledge of the tool.



A BRFplus application that calls an ABAP procedure is all you need



Follow the three videos below to create a BRFplus application from scratch which in turn calls an ABAP procedure, where you can use your ABAP skills to create any logic you desire. As long as your business logic for HR Triggers can be coded in ABAP, you should be okay!




BRFPlus - Part 1 - Create Function Module

This video demonstrates how to create the Function Module to be used in the BRFPlus rule with a Procedure Call, for Access Control HR Triggers functionality.


BRFPlus - Part 2 - Create BRF Application

This video demonstrates how to create and configure the BRFplus application with a Procedure Call, to be used in HR Triggers.


BRFPlus - Part 3 - Map the BRFPlus Function ID in SPRO

This video demonstrates how to map the newly created BRFplus rule in the SPRO configuration.




More info on the wikis:




Debugging HR Trigger - PA40 changes to infotypes


Debugging HR Trigger - Simulation


As companies grow and expand globally, there is an increasing number of enterprise application users, and with this growth an ever-increasing risk of security breaches and violations. As enterprises become more susceptible to security risks and violations from internal users, businesses are moving towards implementing more preventative measures rather than staying in reactive mode.


SAP GRC enables organizations to establish effective internal controls, along with processes to make sure these controls remain consistent, updated and cost-effective to manage. Administrators can now use a single SAP GRC framework to monitor and enforce business, compliance and security policies across the enterprise. SAP has enhanced the GRC offering to include the SAP Dynamic Authorization Management by NextLabs to ensure that companies can quickly adapt to changing policies and streamline enforcement and administration of those policies.



GRC customers can now integrate more fine-grained contextual information about the user. This information can include location, project, cross-departmental access, territory, and real-time segregation of duties attributes. The tight integration provides real-time risk enforcement to prevent misappropriation of information before it happens. Customers can monitor and track all activity.





Segregation of duties violation example:

  • Charles can maintain a vendor master and post a vendor invoice payment.


  • Charles can maintain his own vendors and transfer money to the vendors at any time without external authorization. This poses a huge financial risk for the business.






With SAP Dynamic Authorization Management implementation:

Case #2.1 - There are no mitigating controls in place in GRC rule set for SOD Violation:

  • When Charles performs the action of paying the vendor he created, he is blocked.


Case #2.2 - There are mitigating controls in place in GRC rule set for SOD Violation:

  • When Charles performs the action of paying the vendor he created, Charles has the option to move forward by signing an NDA (SAP DAM self-attestation feature).


In all the use cases discussed above, the activity performed by Charles is recorded and reported back to SAP DAM Analytical Dashboard.


Anand Kotti
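The two cases above, modelled as an added example that is not part of the original post: a small enforcement routine that completes the SoD conflict pair from the authorizations a user already holds, blocks when no mitigating control is assigned (case 2.1), requires self-attestation when one is (case 2.2), and records every decision for the dashboard. The rule set, the control assignments and the authorizations held by "charles" are constructed for the demonstration.

```python
"""Segregation-of-duties enforcement modelled on the vendor-master /
vendor-payment example above (added example, not part of the original post).

Constructed data: the rule set, the mitigating-control assignments and the
authorizations held by "charles" are made up for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed SoD rule set: each access risk is a pair of conflicting actions.
RULE_SET: Dict[str, FrozenSet[str]] = {
    "P001": frozenset({"MAINTAIN_VENDOR_MASTER", "POST_VENDOR_PAYMENT"}),
    "P002": frozenset({"CREATE_PURCHASE_ORDER", "APPROVE_PURCHASE_ORDER"}),
}

# What "charles" already holds / has done when he attempts the payment.
CHARLES_ACTIONS: Set[str] = {"MAINTAIN_VENDOR_MASTER"}


@dataclass
class Decision:
    user: str
    action: str
    risk_id: Optional[str]   # None when no SoD conflict was found
    outcome: str             # "ALLOW", "BLOCK" or "ATTEST_REQUIRED"


@dataclass
class DamEnforcer:
    rule_set: Dict[str, FrozenSet[str]]
    controls: Dict[str, Set[str]]            # risk id -> users with a mitigating control
    audit_log: List[Decision] = field(default_factory=list)

    def conflicting_risks(self, held: Set[str], requested: str) -> List[str]:
        """Risk IDs whose conflict pair is completed by `requested`, given
        the actions the user already holds."""
        return sorted(risk_id for risk_id, pair in self.rule_set.items()
                      if requested in pair and (pair - {requested}) <= held)

    def evaluate(self, user: str, held: Set[str], requested: str,
                 attested: bool = False) -> Decision:
        """Real-time check: block an unmitigated violation, let a mitigated
        one proceed only after self-attestation, and record every decision."""
        risks = self.conflicting_risks(held, requested)
        if not risks:
            decision = Decision(user, requested, None, "ALLOW")
        else:
            risk_id = risks[0]
            mitigated = user in self.controls.get(risk_id, set())
            if not mitigated:
                outcome = "BLOCK"                 # case 2.1
            elif attested:
                outcome = "ALLOW"                 # case 2.2, after attestation
            else:
                outcome = "ATTEST_REQUIRED"       # case 2.2, first attempt
            decision = Decision(user, requested, risk_id, outcome)
        self.audit_log.append(decision)           # reported to the dashboard
        return decision


def case_2_1() -> Decision:
    """No mitigating control in the rule set: Charles is blocked."""
    enforcer = DamEnforcer(RULE_SET, controls={})
    return enforcer.evaluate("charles", CHARLES_ACTIONS, "POST_VENDOR_PAYMENT")


def case_2_2() -> List[Decision]:
    """Mitigating control assigned: the first attempt stops at attestation,
    the attested retry proceeds, and both attempts are in the log."""
    enforcer = DamEnforcer(RULE_SET, controls={"P001": {"charles"}})
    enforcer.evaluate("charles", CHARLES_ACTIONS, "POST_VENDOR_PAYMENT")
    enforcer.evaluate("charles", CHARLES_ACTIONS, "POST_VENDOR_PAYMENT", attested=True)
    return enforcer.audit_log


if __name__ == "__main__":
    print(case_2_1())
    for d in case_2_2():
        print(d)
```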

Business Scenario

In one of the GRC projects I have worked on, the client's requirement was to send the User Access Review workflow to the User for review at the first stage and then to the Manager for review. Since there is no standard User agent provided by SAP, we developed a custom user agent by making use of BRF+ functionality.


BRF+ Agent Design


As per the User Access Review process, first the UAR request generation job is scheduled, which generates the requests; then the UAR Workflow update job is scheduled, which pushes all UAR requests into the workflow, after which they go to the corresponding workflow path and stages.


Since a "User Agent" is requested by the client, the "User" also becomes one of the GRC approvers, and hence the "User" should exist in the target system and in the GRC system as well.


Once the requests are generated by the "UAR Request Generation" job, they are stored in GRC table GRACREVITEM (Review Request Related Items).


In our UAR User Agent design we used a DBLOOKUP expression on table GRACREVITEM to return the UserID for a given UAR Request ID.


NOTE: This agent design works for UAR workflows having MANAGER as REVIEWER.


BRF+ Agent Configuration

You have to generate the BRF+ rule via transaction SPRO in the GRC system. Follow the steps below in your GRC system.

Run transaction SPRO and go to IMG => Governance, Risk and Compliance => Access Control => Workflow for Access Control => Define Workflow related MSMP rules.


Alternatively, execute transaction GRFNMW_DEV_RULES directly.

  • Fill generation criteria (Process ID, Rule type, etc.)
  • Specify Generation options
  • Generate rule shell (Execute button)


Click Execute or press F8. A success message is shown with the name and ID of the generated BRFplus rule. You can run transaction BRF+ and check the newly created BRF+ application there.



Function Signature Update

In the BRF+ function, change the mode to "Event Mode" and activate the function as shown below.

  • Since the function mode has been changed to "Event Mode", the result data object has changed automatically, so it has to be reset manually.
  • In the "Signature" tab of the BRF+ function, change the result data object to GRFN_MW_T_AGENT_ID.


Create Ruleset in BRF+ Application

Create a Ruleset in your BRF+ application by clicking the "Create Ruleset" button under the "ASSIGNED RULESETS" tab of the function. A ruleset is a combination of business rules that can only be assigned to a function in the BRFplus framework.

Create Rule within Ruleset - Create Expression of Type “Loop”

  1. Click the "Insert Rule" button to create a new rule.
  2. From within the rule, click "Add" -> "Process Expression" -> "Create" to create a new expression.
  3. Create an expression of type "Loop" and provide a suitable name and description.
  4. The loop is created as shown below. Maintain Processing Mode and Loop Mode as shown below.


Create Rules within Loop Expression

First Rule

a. The Request ID field used in this agent rule is delivered with a prefix, in the form "ACCREQ/REQ_ID". Before the DBLOOKUP, the prefix has to be removed so that only "REQ_ID" is passed to the DBLOOKUP. To achieve this, I used a "FORMULA" expression with the SUBSTRING function.


b. Once the Request ID is trimmed, it is used in a DBLOOKUP expression on table GRACREVITEM to get the UserID. The second step is therefore to create the DBLOOKUP for table GRACREVITEM.



c. Each LineItem in BRF+ needs to be assigned to the context parameter ITEMNUM, as we did not initialize the LineItem key.


Second Rule

The second rule is used to assign a value to the context, as shown below. This rule is included in your loop to insert the values into the Agent ID table after processing each LineItem.


Finally Loop expression will have all required rules as shown below.



Once the rules above are created, activate your expressions REMOVE STRING, DBLOOKUP, LOOP and FUNCTION. Then check by simulating your function: add Line Item rows, enter any Request ID from table GRACREVITEM and verify that your agent returns the correct results.


After verification, this BRF+ agent can be used in the MSMP UAR workflow, and your UAR requests can be routed to users for approval/notification.

Looking forward to all your feedback.


Thanks for reading.


Best Regards,

Madhu Babu Sai

Sandeep Poojary

Being GRC Expert

Posted by Sandeep Poojary Apr 22, 2015

Hello Friends--

For the past many years I have been conducting GRC interviews, and there are some important aspects I would like to share with all those who are willing to pursue a career in GRC:

There are two aspects to look into:

From the functional point of view:

1 - Firstly, understand why an organisation needs SAP GRC, and what the benefits are of implementing the complete kit.
2 - Understand the various compliance structures around the globe and how they are mapped to the organisation's internal processes.
3 - Design a standard roadmap for various sectors of the industry and align it to the organisational need.

From the technical point of view:

1 - Those who are from an SAP Security background and understand SAP authorizations: believe me, GRC will be a smooth ride. You just need to understand the different functionalities in SAP GRC and know when and how to use them. Technically it's a cakewalk.

2 - Those with support experience of SAP GRC: in your job, the work is restricted to certain tabs of GRC, but with the help of social media you can explore a lot of learning. Utilise your time in understanding the various functionalities, learn the subject well and, when you get an opportunity, learn on the demo servers. Implementation is not the only means of gaining expertise in GRC; it is one's commitment and learning skills which will help in understanding the concepts.

3 - Those who want to learn SAP GRC: please go through the GRC training material and seek help on social media; I am sure our fellow colleagues will come forward and help with training.

Whenever you prepare for an interview, make sure you know the subject well. Even without experience, what the recruiters will look for is how good you are with the concepts and how well you can explain those functionalities. It clicks!

And yes, I am waiting for all those who are willing to be a GRC expert to work along.

All the Best--


Sandeep Poojary


In GRC Access Control, as part of workflow approvals and reviews, Managers, Role Owners, FF ID Owners and Controllers, Function/Risk/Mitigation Approvers, Monitors, Users, Requestors etc. receive various email notifications. Based on the client's requirements, these email notifications are enhanced and maintained. This blog discusses the various customizing options available for GRC notifications, as well as the notification variables and their limitations and scope.

For beginners, the document below gives details on how to customize email notification templates in GRC:

AC 10.0 - How to Customize Notification Templates for AC Workflow

Email Notification Templates - HTML Tags

1. HREF (for email IDs and URLs)

Business Scenario:

Notification variables that get converted to URLs in the notification emails produce very long URLs containing the Path ID, Stage ID etc. When such a URL is not wrapped in an HREF using HTML tags, in most cases the emails get routed to the JUNK folder of the mailbox because of the various special characters in the URL. Hence it is suggested to use the HREF tag and present these GRC URLs as links, which avoids the JUNK folder issue and also avoids end users directly seeing all the technical details of the URL. Below are some of the variables that get converted to URLs in notification emails:

LINK_APPROVE_REJECT - Link to Approve/Reject by Email

LINK_GET_APPROVERS - Link to get Approvers

LINK_GET_REQ_STATUS - Link to get Request Status

Example: how the above variables look in notification emails with and without HTML tags



b. Click <A HREF="%LINK_APPROVE_REJECT%">here</A> to approve/reject the request



2. Including the GRC Help-desk email address


Business Scenario:

When end users receive email notifications for GRC-related requests, we have observed that most of the time users have queries about the emails or about their GRC requests and want to contact the GRC Admin/Help-desk for clarification. To make it easy for end users to contact the HELP-DESK, we can include the email address in notification emails.

Example: how to include an email link in notifications

Please contact GRC Admin at <A href="mailto:Test@test.com"> GRC Helpdesk </A>



The reason for sharing details about the bold, underline and italic tags is that the traditional HTML tags <B>, <U> and <I> do not work in notification templates.

Example: <strong> <span style="text-decoration: underline;"> Quick Reference for approvers: </span> </strong>



<span style="font-style: italic;"> Select the approval status as "REJECT" beside the role that you wish to reject. </span>



How to insert Company Logo in Email Notification Templates

First you need to store the logo you want to use in email notifications in the GRC MIME repository.

Go to transaction SE80 and click on MIME REPOSITORY. Import the logo you want to use into the MIME objects repository as shown below:





Once the above activities are completed, the next step is to use the LOGO in Email notification Templates.


Note: the URL for the logo is not transportable and needs to be changed individually in each system when the notification template is transported.


Use the image source tag as shown below:


<img src="http://my_server.my_domain/sap/public/bc/ur/MyLogo.png">


Example: <img src="http://myserver_mydomain/sap/public/bc/ur/MyLogo.png">
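Several of the template fragments above (the HREF-wrapped %LINK_...% variables, the mailto link, the <strong>/<span> styling that replaces <B>/<U>/<I>, and the MIME-repository logo URL) can be checked mechanically before a template is transported. The linter below is an added example, not part of the original post or of GRC itself; the rule names, the constructed GOOD_TEMPLATE/BAD_TEMPLATE bodies and the assumption that logo URLs live under /sap/public/bc/ur/ (taken from the example above) are mine.

```python
"""Static checks for GRC notification template bodies (added example).

Assumptions (not from GRC itself): templates are plain HTML fragments with
%VARIABLE% placeholders, link variables are named LINK_*, and logos are
served from the MIME repository path /sap/public/bc/ur/ as in the post.
"""
import re
from dataclasses import dataclass
from typing import List

MIME_PATH = "/sap/public/bc/ur/"   # assumed logo location (from the post's example)

LINK_VARIABLE = re.compile(r"%(LINK_[A-Z_]+)%")
# An <a> whose href is exactly one link variable; quotes are optional and
# whitespace around '=' is tolerated, matching the form used in the post.
HREF_VARIABLE = re.compile(
    r"""<a\b[^>]*\bhref\s*=\s*["']?\s*%(LINK_[A-Z_]+)%\s*["']?[^>]*>""", re.I)
LEGACY_TAG = re.compile(r"</?\s*([BUI])\s*>", re.I)   # <B>, <U>, <I> are not rendered
IMG_SRC = re.compile(r"""<img\b[^>]*\bsrc\s*=\s*["']([^"']*)["']""", re.I)
TRACKED_TAG = re.compile(r"<(/?)\s*(a|strong|span)\b[^>]*>", re.I)


@dataclass
class Finding:
    rule: str
    detail: str


def lint_template(body: str) -> List[Finding]:
    findings: List[Finding] = []

    # 1. Link variables must be wrapped in an anchor: a raw expanded URL
    #    carries path/stage IDs, trips spam filters and exposes internals.
    stripped = HREF_VARIABLE.sub("", body)
    for var in sorted(set(LINK_VARIABLE.findall(stripped))):
        findings.append(Finding(
            "LINK_NOT_HREF",
            f'%{var}% is rendered as a raw URL; wrap it as <a href="%{var}%">...</a>'))

    # 2. Legacy formatting tags silently do nothing in notification templates.
    for m in LEGACY_TAG.finditer(body):
        findings.append(Finding(
            "LEGACY_TAG",
            f"<{m.group(1).upper()}> is not rendered; use <strong> or <span style=...>"))

    # 3. Logo must come from the MIME repository; the host part still has to
    #    be adjusted per system because the URL is not transportable.
    for m in IMG_SRC.finditer(body):
        if MIME_PATH not in m.group(1):
            findings.append(Finding(
                "IMG_NOT_MIME", f"image source {m.group(1)} is not under {MIME_PATH}"))

    # 4. Unclosed <a>/<strong>/<span> leaks formatting into the rest of the mail.
    stack: List[str] = []
    for m in TRACKED_TAG.finditer(body):
        name = m.group(2).lower()
        if m.group(1) != "/":
            stack.append(name)
        elif stack and stack[-1] == name:
            stack.pop()
        else:
            findings.append(Finding("TAG_MISMATCH", f"unexpected </{name}>"))
    findings.extend(Finding("TAG_UNCLOSED", f"<{name}> is never closed") for name in stack)
    return findings


# Constructed sample bodies (not real customer templates).
GOOD_TEMPLATE = """\
Click <A HREF = %LINK_APPROVE_REJECT% > here </A> to approve/reject the request.
Please contact GRC Admin at <A href="mailto:Test@test.com"> GRC Helpdesk </A>
<strong> <span style="text-decoration: underline;"> Quick Reference for approvers: </span> </strong>
<img src = "http://my_server.my_domain/sap/public/bc/ur/MyLogo.png">
"""

BAD_TEMPLATE = """\
Click %LINK_APPROVE_REJECT% to approve/reject the request.
<B>Quick Reference for approvers:</B>
<span style="font-style: italic;">Select the approval status as "REJECT" beside the role.
<img src="http://my_server.my_domain/images/MyLogo.png">
"""

if __name__ == "__main__":
    for f in lint_template(BAD_TEMPLATE):
        print(f"{f.rule:14} {f.detail}")
```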



How to create a new Message Class for Notification Templates

How do you create a new message class for any workflow in GRC?


A very common customer requirement is to have specific email notifications at each stage individually. Such scenarios may require the creation of custom message classes to be used at the various stages of the workflow; you can follow the process below to create new message classes.


Example: for the EAM Log Review workflow there are no FORWARD and RETURN message classes available.


Execute transaction SM30.


Open table GRFNVNOTIFYMSG, click the Maintain button, then click "NEW ENTRIES", maintain the entries as below and click SAVE.



Execute transaction SM30.


Open table GRFNVNOTIFYMSGC, click the Maintain button, then click "NEW ENTRIES", maintain the entries as below and click SAVE.



Once the above activities are completed, the newly created message class can be added to the Notification Templates section of your MSMP Variables & Templates step, as shown below.



Notification Variables in GRC

Each workflow process comes with a number of notification variables that are available to all notification templates that belong to it. They are displayed at the bottom of the screen in step 4, "Variables & Templates", in the customizing activity Maintain MSMP Workflows.

A few queries arise regarding notification variable customization, especially %PROVISIONING% and %PROVISIONING_WITHOUT_PASSWORD%.

For ARQ provisioning there are two variables which are sent along with the END OF REQUEST notification (with role and password details): PROVISIONING and PROVISIONING_WITHOUT_PASSWORD.


These variables are standard variables which are calculated at run time. If you are not happy with the formatting, please raise a CSS message and let an SAP developer fix it for you; there is no customizing available for it.


Another option is to have your own custom variable created, but again that requires development.


2012041 - Is it possible to suppress the role details in the variable %PROVISIONING%

1854408 - Potential information disclosure relating to user password

How to create custom notification variables in GRC

In the MSMP configuration, select the Process ID, go to Step 4, Variables & Templates, and add a Z variable.


Now, in the backend GRC system, go to transaction SE37, enter the function module GRAC_NOTIF_VAR_RULE_AR, copy it to a custom Z function module and add the logic for the Z variable in that function module.


Once done, activate the function module.


Open the MSMP configuration and go to Step 2, Maintain Rules. Add the newly created Z function module as a Notification Variables Rule. Also maintain this Z function module in the Notification Rule under Global Rules in Step 2.


Save and Activate the MSMP workflow configuration.


Now you can use the custom Z variable in the document objects.

How to modify URL shown in GRC notification variables to enable SSO

First set up Single Sign-On (SSO) between the Enterprise Portal and the GRC system.

Once done, create a Portal iView in Content Administration -> Portal Content Management using the standard GRC Access Control iView template.

In the template, the Application Name, Configuration Name, System, Location etc. fields are maintained; once the template is maintained, PERMISSIONS need to be maintained for the iView.

Once the above steps for creating the portal iView are completed, modify the URL used in the notification variables by creating a custom Notification Variable function module that replaces the URL with the Portal iView; you can work with an ABAPer and the Portal team to get the details.

Once all the above steps are done, approvers can access all approval links in email notifications via SSO without entering a user ID and password.

Note: deactivate passwords for all users in the GRC system, including approvers' user IDs.

Looking forward to all your input on improving this blog with additional details.



Thanks for reading.



Best Regards,

Madhu Babu Sai



As a foreword I would like to use a popular Rolling Stones song, adapted to the topic of the article.

When I'm customizin' my GRC

And that support comes in the message

It's tellin' me more and more

About some useless information

Supposed to fire my imagination

I can't get no, oh no, no, no

Hey hey hey, that's what I say


Here on SCN and in SAP promo materials everybody can read about the powerful tool BRF+ and the very flexible workflow of the new GRC. I will not argue with those promises, but I would like to share my experience. We are now reimplementing GRC; we are just trying to make the same settings in GRC 10 that we have in GRC 5.3. During the reimplementation we have faced unresolved issues, and I hope that this article will "fire your imagination".

The first issue

Really, we don't have so many issues, but they have stalled our project. The first thing is the CUA setting. I don't know for what purpose SAP made "Maintain CUA Settings" in SPRO. In fact, it doesn't work. Why have I decided so?

I have a CUA with 3 systems (SSDCLNT001 - CUA central system, SSDCLNT200 - CUA managed system, GRDCLNT200 - CUA managed system), configured in what I call Mix mode. Mix means that we use many parameters (such as name, user type, format...) set as global, and the others (such as roles, profiles, user parameters...) set as local.

We were surprised when we learned that this configuration is not supported by the new GRC.

Quote from the message:

Hi Artem,

I had discussions with our architect and other technical experts on this. Currently it is not possible to consider the mixed settings and hence would request you to maintain them as globally in the SCUM settings in order to resolve your issue.

Of course, during the correspondence we tried to use "Maintain CUA Settings", but I was advised not to use it at all, whether with global or local settings. Here is the question for the experts: what is the purpose of this setting?! Moreover, if I set the CUA central system and CUA managed system here and do not activate "CUA Global System", I get the dump: OBJECTS_OBJREF_NOT_ASSIGNED_NO CX_SY_REF_IS_INITIAL CL_WDR_INTERNAL_WINDOW========CP

The second issue

BRF+ is a really great thing, and MSMP too! But... it is not flexible for a logically standard scenario. When we started to implement the new GRC I saw that systems go as independent items in the request and should be approved like roles. So systems are no longer just an attribute of the request (as they were in 5.3); they have owners. However, it is not possible to customize a simple workflow:

1st stage - Manager selects systems and roles.

2nd stage – Systems should be approved/rejected by the owners.

3rd stage – Roles should be approved/rejected by the owners, and the roles assigned to the rejected systems should be rejected automatically.

Doesn’t it seem logically simple?

In fact, it is not possible to realize this scenario using the standard tools. You may say: use ABAP. But then what do we need the 'flexible' BRF+ and MSMP for?

I should thank Madhu Babu for his helpful blog http://scn.sap.com/community/grc/blog/2014/03/24/grc-request-with-both-system-and-role-line-items

He does great work, and I see that he is one of the most active contributors on SCN! Unfortunately, the above configuration doesn't resolve the issue. Imagine that you are a role owner and you get a request with, say, 20 roles. You analyse them, write some comments; in short, you spend your time processing the roles. In parallel, some system owner decides that the user of the request must not have access to the system and rejects the system assignment. As a result, the user will not get access to the system or to the roles (on which you and the other owners have wasted your time!).

I should also thank Marina Volynets, because she tried to help me and found out that the issue cannot be resolved with the standard tools.

We need an idea to resolve the split procedure.

The third issue

BRF+ in its decision table must have approvers for each item in the request, otherwise we get "No agent found" at the workflow level. There is no option in MSMP to send all line items without approvers to the next stage. Previously (in 5.3), all orphaned roles went to the next stage. Yes, it might be a breach in the security area, but why doesn't 10.x have an option (a check box, for example) to pass orphaned items forward?


From my point of view, we get a new GRC that is neither better nor worse than the previous one. They are the same, with slight differences.

I hope that my article will raise a wave of indignation and that experts will provide their view on the issues. Maybe someone will point out that I'm wrong, or point me to the idea place... If you have issues to add to the article, you are welcome!


Best regards,


Hi Team


During a GRC Access Control implementation, most of the concerns of the business are about the access risks present in the landscape and how they can be addressed from the GRC AC perspective. I have tried to cover all aspects of the implementation of the ARQ workflow. The business had some requirements which I guess many of our colleagues will have during an Access Request workflow implementation.



1) Risk analysis should happen automatically on access request submission.

2) The Role Owner should approve all assignments of roles to the user, and in case of SOD violations the request should route to the SOD Owner stage.

3) The SOD Owner should address all the SOD access risks, mitigate them and finally approve the request. The request should not be approved without mitigating the SOD risks; they need a HARD STOP on approval.

4) For access removal there should not be any approval, but the request needs to be validated by the Security Admin before its implementation.



For requirement 1, we need to enable the parameter below in SPRO in the GRC system.

SPRO->Governance Risk and Compliance->Access Control->Maintain Configuration Parameters


Risk Analysis - Access request: parameter 1071 = YES (Enable risk analysis on form submission)
Risk Analysis: parameter 1023 = 2 (Permission level) (Default report type for risk analysis)

For requirement 2, the workflow (Account Creation/Modification) needs to be created in MSMP with stage approval at the GRAC_ROLEOWNER stage, with the routing rule enabled for rule ID GRAC_MSMP_DETOUR_SODVIOL, and thereafter the route mapping must be maintained.


For requirement 3, we need to enable the parameter below in SPRO in the GRC system.

SPRO->Governance Risk and Compliance->Access Control->Maintain Configuration Parameters


Risk Analysis - Access request: parameter 1073 = YES (Enable SoD violations detour on risks from existing roles)

Now maintain the SOD routing in MSMP.


For requirement 4:

Create a Delete Request path in MSMP with a stage for the Security Admin (agent ID: GRAC_Security), so that when a user or his/her manager raises a delete request it gets validated by the security admin, who then submits the access request after validation.


The Delete request will lock the user in the backend (the system can be chosen by the requestor) and can also set the validity dates. For role removal, the requestor needs to select all the roles by clicking on existing assignments and choose the Remove action for the roles.


The actions to be maintained for Delete Request-

1) Change and Lock user

2) Remove


Issues: 1) The SOD Owner was able to mitigate the SOD access risks and approve the request, but the SOD Owner was also able to approve the request without mitigating the risk. The HARD BLOCK was not working.


Go to the path below:

In transaction SPRO follow the path "Governance, Risk and Compliance" > "Access Control" > "Maintain AC Applications and BRFplus Function Mapping" and click the execute button.

The Request Mitigation Policy application ID is deleted from this screen to enable the hard stop on approval of the access request form in the SOD Owner stage when SOD access risks exist.


Issue 2: The access request is in editable mode for the approver, i.e. the approver has the option to deselect the risk analysis at Permission level and approve the request. This may dilute requirement 1.


The Web Dynpro application GRAC_OIF_REQUEST_APPROVAL needs to be customized to set the risk analysis to read-only mode for the approver.

In SE80, open the Web Dynpro application in test-admin mode, copy the link that opens and add the HIGHLIGHTED string to it. The REQ ID can be fetched from table GRACREQ.


After opening the above link, the request opens in customize mode. Go to the Risk Violations tab, right-click on Permission level, go to the settings configuration, set the tabs to read-only mode and save.


I hope the document will help everyone here.

Appreciate your feedback.


Best Regards


It may be difficult to believe that 2015 is flying by so quickly, but planning is already underway for SAP TechEd 2015 in Las Vegas.


The design team for the ASUG education sessions this year is Tammy Powlas, ASUG volunteer Kristen Dennis, and myself, along with our SAP point of contact Peter McNulty. Tammy posted a very informative blog in the Business Intelligence space to entice BI people to start thinking about presenting: Plan Now for Call for ASUG Speakers for SAP TechEd Las Vegas. I am not going to repeat everything she already said so well, but I do want to encourage you to review her post and to consider presenting.


You might be thinking, I don't see a GRC track at TechEd, and if you are thinking that, you are right: there is not a track solely dedicated to GRC. However, the Security, Secure Development, and Configuration track covers SAP security products as well as standard features, capabilities and recommendations. In this track we welcome and encourage customers to present on SAP Access Control, SAP Identity Management, SAP Threat Detection, SAP Single Sign-On, security redesign projects, secure development and configuration; really, just about anything related to the security function in your SAP landscape. Lessons learned from implementations and upgrades, tips and tricks: believe me when I say that ASUG's Design Team wants to offer more than just SAP HANA all the time. Certainly, if you have an SAP HANA security success story, we welcome it too, but think bigger. We have a lot of education slots to fill, and the feedback we have received is that customer presentations are highly desired. So put on your thinking cap now and get ready for the call to open on April 20.


Here is the expected timeline (source: SAP):

[Figure: TechEd timeline]

ASUG members who are not customers are also welcome to submit an abstract; just keep in mind that customer presentations are preferred. If you are a consultant who had a successful security or GRC project, perhaps you can persuade one of the customers on the team to present and tell your mutual success story. I hope to see many abstracts submitted on security, IdM, GRC, and other related topics.

From my experience, in many companies country risk is treated separately from the risks registered in their Enterprise Risk Management (ERM) framework and reported independently to the Board, most often by using political risk maps.


To me, this is an error as country risk has a direct impact on operational risks and this impact should be materialized so that the correct mitigation strategy can be decided and applied.


First, let me define what I mean by country risk. To me, it is the potential negative events arising from political, economic and societal uncertainty in a given country.

Many equate country risk to political risk but as you can see in my definition, I believe that political risk is only a component of country risk - albeit an important constituent - it does not cover its complete scope.


This concept is very mature within investment companies as it is usually one of the criteria applied when deciding whether to invest in one country or another but I think it applies more widely.


All companies face a country risk, some with a higher level than others but all companies operate at least in one country. So, even if this country is rather “stable” today, this risk should still be recorded, assessed and monitored as situations can evolve sometimes more rapidly than expected.


Direct links with your ERM framework


Consider the following situations:


  • Do you have operations? If yes, then regulatory changes decided by a government can affect you directly and subject you to new regulatory obligations;
  • Do you have production facilities? If yes, in extreme cases, you may be facing unilaterally decided nationalizations;
  • Do you have sales activities? If yes, then these can be significantly impacted by the national economic climate, especially if you are in a B2C business;
  • Do you have employees? If yes, then these can be at risk if there is a sudden outburst of unrest. On a less drastic scale, a change in labour laws can also directly influence your HR organization and even decrease your profitability;
  • Do you invest in innovation? If yes, you may have to agree to technological or knowledge transfer to be able to supply the local market with your products, increasing your competitive risk.


In another post (The Critical Role of Marketing Executives in the Risk Management Process) I had discussed the fact that reputational risk is a direct result from other risks. Well, I believe that country risk is at the opposite side of the spectrum and can be a trigger for many operational risks.


As such, even in low risk profile countries, assessing and regularly reviewing the risk level is part of a sound risk management practice.


How to assess country risk?


There isn't one commonly agreed measure for assessing this risk category, but I would like to suggest a simple method:


  • Likelihood of occurrence: here would be assessed the combined probability of potential evolution of the political, economic and societal conditions. Some countries have a stable political environment either because it appropriately represents the opinion of the population or because the government secures its re-elections by different means. Nevertheless, this does not mean that societal conditions can’t evolve rapidly, as precisely illustrated during the Arab Spring. Taking into account these three criteria will therefore result in a more truthful probability of occurrence;
  • Impact: here would be documented the potential direct impact of a country risk for your company and its different activities carried out in the country: manufacturing, sales, R&D, etc.;
  • Speed of Onset: here would be assessed the velocity with which the risk can occur. For instance, in countries where political representation effectively embodies public opinion, a change in the political landscape can take rather long compared to personalized regimes, where a change in leader can bring a system down rapidly. This is likely to be the most difficult criterion to assess, but publicly available geopolitical analyses can be a good starting point.


Then what?


Here is why I believe political risk maps can't be used as-is by companies as country risks: not all companies will be affected in the same way by changing events. Integrating this risk category in your ERM framework means that you can not only assess a macro-impact at company level, but also document the influence of this country risk on your objectives and on other risks in the ERM framework: potential effects on your supply chain, manufacturing activities, sales process, etc.


From there, appropriate mitigation strategies for these operational risks can be defined and implemented.


The intent of this post is certainly not to say that all countries are at risk, far from it, but that internal and external influences can lead to a rapid change in the rules of the game for your organization and its activities and that this should be monitored so as to avoid being taken off guard.


What about you, do you monitor country risk?

There are frequent questions about why the "Custom Field" option is disabled when the Details have not been saved while creating a role via the BRM application.


  • The Details (first phase) are mandatory because the Role ID is required before the BADI IF_GRFN_API_CUSTOMFIELD_BADI can be triggered; only then can the BADI act on the fields defined as Custom Fields.


  • Consequently, the post-exit method POPULATE_ROLE_ATT in ZFILL_ROLERELAT_CUSTFIELDS is not called during the first phase of creating a role in the BRM application, because the Role ID it depends on only exists from the second phase onwards.


  • The functionality flows in two phases: in the first phase the basic attributes of the role (e.g. the role name) are defined; in the second phase the enhanced attributes, such as owners and approvers, are defined, and it is then that the BADI for Custom Fields is called.

Hi GRC Community


Do you get frustrated by functionality that is lacking? Do you see something in the solution and consider it an incident, but are then told it's by design? Are you creative and love to continually improve this product? Are you stuck in a situation where you have to minimise custom developments for the GRC system? Are you nodding your head in agreement? Are you the type of person who strives for continual improvement? Is that a Yes?


Then it is time to take a journey to the SAP Ideas Place for the GRC products. This is your opportunity to have your voice heard and get the support of the community. It is a direct connection to the SAP GRC Product Owners, a great opportunity that can be hard to come by.



Here’s the Ideas Places for GRC component:

SAP Access Control: Home

SAP Process Control: Home

SAP Risk Management: Home



Create Your Idea

  • You will need to register your account if you have not done so already
  • Search first to make sure there is no duplicate idea
  • Make sure you create it under the appropriate category
  • Take your time to provide as much information as possible
    • Did the idea come about from a SCN thread?
    • Did you get requested to raise it in response to being told it’s not an Incident in Marketplace?
    • Do you have screen shots or uploads to better explain your example
  • Let your network know about your idea and get their support



Vote and Comment

But hey, if you're not an Ideas person you can still join in. If anything, you are integral to an idea being considered. Vote in support. Vote in disagreement (sometimes the ideas have flaws). Just vote! Add your feedback in comments.


SAP GRC team will only review ideas that have at least 10 votes.



GRC Product Team Listens and Reviews

They regularly review the Ideas Space, and their next review is February 20 2014, less than 10 days away. They will only review suggestions with more than 10 votes; ideas cost money to develop, and they will not consider ideas without customer support.


GRC Product team will add comments, request further feedback or review the idea in conjunction with their road map. You might find your idea accepted and scheduled for delivery (what an achievement) or you might find the idea is dismissed if it doesn’t fit the product road map. But hey, if it's dismissed at least you'll know why.



Get involved

So dear community, we have an opportunity to provide improvement suggestions to improve GRC. It may not help you today but with a strong voice and support of the community, your idea could be there to help you next time.


There are a lot of ideas created in the past two years that are still valid. They have fewer than 10 votes and aren't being considered due to lack of support. Someone may have proposed a solution to your current challenge, but their voice is not loud enough to be heard. Time to shine some light on those ideas and get behind them.



And remember to check back regularly for new ideas!


Vote on! The count down is on!





I am striking up a discussion away from the technical aspects of GRC. The reason being, it is interesting to know how all the technical build-up and maintenance actually helps organizations. I have a very basic and limited understanding in this area, which I have put across here, and would really like to get more information to understand the overall picture.


From the purpose of SAP GRC, it is clear that it caters to regulatory compliance based on certain legal acts and laws, which are specific to industries and geographies. We usually implement SAP GRC Access Control mainly with separation / segregation of duties in mind, which in turn helps comply with certain regulatory laws; for example, the major one we hear of, the SOX (Sarbanes-Oxley) Act.


Now, the SOX Act consists of over 50 legal sections, most of which are not specifically IT related. SAP GRC Access Control's separation of duties caters to the SOX Act's Section 404, which deals with internal controls: it requires the management of an organization to have sufficient internal controls to assess risks and prevent fraud. Similarly, the approval logs and audit logs that are part of SAP GRC cater to the SOX Act's Section 802, which deals with altering documents: it requires that no document is altered in the due course of business in an organization.


Having worked specifically on the Access Control part of SAP GRC, I usually only get to look at the separation of duties policies. I know that Process Control caters to specific regulatory compliance much more than Access Control does, that being its purpose.


     So, please share your experiences, regarding how you have used SAP GRC Access Control or Process Control to cater to which regulatory compliance and how.




The dotcom boom of the late '90s also saw some major corporate scandals such as WorldCom, Enron and Adelphia. Some national headlines in US media ("Data theft at nuclear plant went unnoticed for six months", June 10, 2006, New York Times; "XYZ Manufacturer violates EU pollution laws", July 06, 2006, CIO Tech Informer; "US imposes record $100 Million penalty for export control violations", March 27, 2007, Washington Post; etc.) accentuate the changed milieu. This necessitated a major emphasis on data security and vigorous audits (financial and system audits), and the Sarbanes-Oxley Act (commonly called SOX) came into existence. (The sections of the bill cover the responsibilities of a public corporation's board of directors, add criminal penalties for certain misconduct, and require the Securities and Exchange Commission to create regulations defining how public corporations are to comply with the law.) There was a growing need for more transparent corporate governance, a well-designed whistle-blower policy framework and a detailed audit log (of who did what, and when).


IT firms took cognisance of these challenges and turned them into an opportunity to come up with security solutions seamlessly integrated with organizations' ERP software. ERP players like SAP acted swiftly and integrated security solutions into SAP under a growing niche product suite called GRC (Governance, Risk & Compliance). SAP's GRC 10.1 suite handles this through three sub-modules: Access Control, Process Control and Risk Management.


  • Access Control – This involves managing user roles: who will (and who can) do what in the systems. The principle of Segregation of Duties (SoD) needs to be considered while providing access. A simple example of SoD is never to give the same user access to both creating new vendors and issuing/printing cheques. Giving a user too little access hinders work, whereas giving too much access attracts risk, so due care needs to be taken while designing access control. It also involves superuser management and emergency access management.
  • Process Control – This involves checks and balances built into the business processes to avoid or minimize fraudulent activities. Three different types of controls need to be designed: preventive controls, detective controls and corrective controls. Another way to look at building a healthy internal control environment is to follow these five steps: 1. Documentation 2. Testing 3. Remediation 4. Analysis 5. Optimization. (The details of each will be covered in a separate article.)
  • Risk Management – This helps reduce the risk of failing to comply with regulations on financial reporting, trade, factory acts and environmental protection. At a very high level, Risk Management involves identifying the risks, analysing them, identifying risk owners and coordinating responses.
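The SoD principle in the Access Control bullet is easiest to see as a small risk analysis, so here is an added example (not SAP's code or ruleset, and not part of the original post) that works the way an access risk analysis does: business functions are defined by the transactions that enable them, an access risk is a pair of functions one person must not hold, and a violation is found wherever a single role, or the union of a user's roles, enables both sides of a pair. All function, risk, role, user and mitigating-control names below are constructed for the illustration; the vendor-maintenance versus payment conflict is the one the text describes, and the purchase-order versus goods-receipt pair is a second, equally common one added for contrast.

```python
"""Toy segregation-of-duties (SoD) analysis over constructed sample data."""

# --- Constructed sample data (illustrative only; not a real GRC ruleset) ---

# Business functions, each enabled by a set of transaction codes (actions).
FUNCTIONS = {
    "VENDOR_MAINT": {"XK01", "XK02", "FK01"},   # create/change vendor master
    "PAYMENT": {"F110", "FCH5"},               # payment run, cheque printing
    "PO_CREATE": {"ME21N"},                    # create purchase order
    "GOODS_RECEIPT": {"MIGO"},                 # post goods receipt
}

# Access risks: two functions that must never be held by the same person.
RISKS = {
    "P001": ("VENDOR_MAINT", "PAYMENT"),       # create a vendor and pay it
    "P002": ("PO_CREATE", "GOODS_RECEIPT"),    # order goods and receive them
}

# Roles and the transactions they grant.
ROLES = {
    "Z_AP_CLERK": {"XK01", "FK01"},
    "Z_AP_PAYMENTS": {"F110"},
    "Z_BUYER": {"ME21N"},
    "Z_WAREHOUSE": {"MIGO"},
    "Z_AP_ALL": {"XK01", "F110"},              # badly designed: conflict inside one role
}

# User-to-role assignments.
USERS = {
    "alice": ["Z_AP_CLERK", "Z_AP_PAYMENTS"],  # conflict arises across two roles
    "bob": ["Z_BUYER"],                        # clean
    "carol": ["Z_BUYER", "Z_WAREHOUSE"],       # P002, but mitigated below
}

# Mitigating controls accepted for a (user, risk) pair, e.g. an inventory reconciliation.
MITIGATIONS = {("carol", "P002"): "MC_INV_RECON"}


def functions_enabled(actions, functions=FUNCTIONS):
    """Return the business functions that a set of transaction codes enables."""
    return {name for name, tcodes in functions.items() if tcodes & actions}


def risks_in(actions, functions=FUNCTIONS, risks=RISKS):
    """Sorted risk IDs for which *both* conflicting functions are enabled by `actions`."""
    enabled = functions_enabled(actions, functions)
    return sorted(rid for rid, (f1, f2) in risks.items() if f1 in enabled and f2 in enabled)


def role_violations(roles=ROLES):
    """Risks that exist inside a single role; these should be caught at role design time."""
    return {role: risks_in(tcodes) for role, tcodes in roles.items() if risks_in(tcodes)}


def user_violations(users=USERS, roles=ROLES, mitigations=MITIGATIONS):
    """Risks each user holds through the union of their roles, with the roles that cause them."""
    report = {}
    for user, assigned in users.items():
        actions = set().union(*(roles[r] for r in assigned))
        for rid in risks_in(actions):
            f1, f2 = RISKS[rid]
            # Name the assigned roles contributing each side of the conflict.
            culprits = [r for r in assigned
                        if {f1, f2} & functions_enabled(roles[r])]
            report.setdefault(user, []).append({
                "risk": rid,
                "roles": sorted(set(culprits)),
                "mitigated_by": mitigations.get((user, rid)),
            })
    return report


def unmitigated(report):
    """(user, risk) pairs that have no accepted mitigating control: the ones to remediate."""
    return sorted((user, v["risk"]) for user, vs in report.items()
                  for v in vs if v["mitigated_by"] is None)


if __name__ == "__main__":
    print("Role-level conflicts:", role_violations())
    rep = user_violations()
    for user, vs in rep.items():
        for v in vs:
            print(f"{user}: {v['risk']} via {v['roles']} mitigated_by={v['mitigated_by']}")
    print("Needs remediation:", unmitigated(rep))
```

Two things the output makes visible that the bullet only states: a conflict can be built into a single role (Z_AP_ALL), which is why roles are checked before they are ever assigned, and a conflict can arise only from the combination of individually clean roles (alice), which is why user-level analysis is needed as well. Carol's violation is reported but marked as mitigated, matching the usual practice of accepting a documented compensating control rather than removing access.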


Considering the growing need of ERP-agnostic solutions, many IT consulting companies (like Infor Approva, Greenlight Corp etc) came up with GRC solutions which complement the ERP software (like SAP, Oracle, Microsoft Dynamics) or seamlessly integrate with it. 


If we talk of India, the Indian corporate world was shaken by Satyam scam, Reebok India & a recent case in India’s top IT firm. In India, Clause 49 came into existence from 31st Dec 2005, for the improvement of corporate governance of all listed companies. (Which entails - It would be necessary for Chief Executives and Chief Financial Officers to establish and maintain internal controls and implement remediation and risk mitigation towards deficiencies in internal controls, among others)


In short, the question ‘Do-I-need-to-implement-GRC’ is no more relevant. Instead it should be, “What are we going to implement under GRC and when?”

