Hi All,


We are currently on GRC SP13. I can see a lot of community members are also working on the same SP. There are a lot of issues in GRC SP13. I am listing the issues with the relevant SAP notes here to make it easy for those who come across issues like mine.


There are still a lot of issues which we are working on, and I will update this blog regularly based on our issues and fixes.


Access Request (ARQ)

Password Self Service (PSS) - Issues

In Password Self Service (PSS), when the user clicks on “Register Security Questions”, they can add questions using either the Admin defined or the User defined option.


As shown below, “User Defined Questions” has a spelling mistake where “DEFINED” is spelled as “DEFINDED”. This can be fixed using SAP note:

1907848 - UAM: Incorrect text for User Defined Questions



1600374 - CUP: Admin and user questions option not configuration


EUP Issues

The SAP notes below are implemented for issues regarding EUP.


1897794 - UAM: Request for value not coming from EUP in model user

1842378 - Default roles are getting added though they don’t exist in BE

Role Mapping Issues

The SAP notes below are implemented for issues regarding role mapping.


1900076 - UAM: Role mapping not working based on parameter 2015

2014524 - Common mapped role deleted on removing one of parent


Provisioning Settings Issues

The SAP notes below are implemented for issues regarding provisioning settings.


1966404 - UAM: System level provisioning settings not considered correctly


Role and Function Approval Workflows

During Role and Function approvals, the SAP notes below are implemented to resolve the comments pop-up issue.


2044309 - During role and function approval, Comments popup is opening in case of approval and rejection without checking the configuration

1906672 - Removed Function appear in Risk Approval Request


Risk Approval Workflow - Issues

In risk approval workflows, the title was not shown in the header when opening the risk for approval, as shown below.


Fix the issue using SAP note 1921318 - Risk Approval Screen - Title is not coming in header

2049421 - Forward with Return for Risk Approval WF issue

Mitigation Control Maintenance Workflow - Issues

In mitigation control workflows, no message is shown to the approver if one approver forwards the request to another approver.


Fix the issue using SAP note 2050047 MIC Upon Forward no successful message


Business Roles - Issues

Before discussing business role issues, please go through the SAP note below on business roles, which explains all the pros and cons of business roles:


1981001 - Recommendations: Using business role provisioning in access request


Business roles are not supported in GRC with “RETAIN” provisioning action. But in SP13 users are able to submit access requests with business roles having “RETAIN” provisioning action.


To fix this please implement the SAP note 1982339 - UAM: End user is able to submit request for business role with retain provisioning action

When business roles have common technical roles, role de-provisioning does not happen correctly.


To fix this please implement the SAP note

1930923 - UAM: Business role removal is not working correctly in Access Request

1922082 - UAM: Rejected business roles are getting provisioned

1951749 - UAM: Business role not provisioned correctly in language other than English

Role Import - Issues

Role Import in GRC SP13 does not show all roles in the preview and also does not import all roles based on the role range.

To fix this issue please implement the SAP note 1897975 - Role import does not show roles in the preview

Firefighter Login - Issues

When an FF user logs in with the assigned FF ID, the system throws dumps.

To fix this issue please implement the SAP note 1800347 - Short Dump on FF Login

Risk Analysis - Access Request - Issues

1938722 - Risk analysis icon incorrect in access request

Default Roles - Access Request - Issues

2056035 - UAM: Role descrip not displayed for default Roles

1842378 - Default roles are getting added though they dont

2061875 - UAM: Role description for default roles not displa

Mitigation Control – Issues


Create Mitigation control and assign Risk and Approver/ Monitor to that control.

Click on Save/Submit button.

Error comes: "Saving Note Failed"


To fix this issue please implement SAP note 1890058 - "Saving note failed" error comes while saving Mitigation Control

Create Mitigation control and assign Risk and Approver/ Monitor to that control. The AC Reports are not displayed in the "Reports" tab of a mitigation control

The error message "Action is inconsistent with system" is displayed when you add a new AC report to a mitigation control and save/submit.


To fix this issue please implement SAP note 1902129 - Unable to save Mitigation control after adding AC Report

Mitigation control assignments which are already deleted are still showing up in GRC system.


To fix this issue please implement SAP note 1873361 - Performance issue with GRAC_REPOSITORY_OBJECT_SYNC


LDAP Issues

2025895 - UAM: Users not searched from HR/LDAP connectors if real-time search parameter 2050 is YES

1867742 - UAM: Manager information is missing in request submission


Access Request - MultiUser Request - Issues


1864399 and 1886411 - Incorrect Template - Multiuser Request

User Access Review (UAR) - Issues

UAR requests are being generated for expired or locked users even though these are excluded in the filter criteria. UAR requests also contain indirectly assigned roles, such as child roles of composite roles.


To fix this issue implement below SAP notes


GRC System

1970118 - UAM: Expired and locked Users and indirect role assignment are also display in UAR request

1988134 - UAM: Dump on executing UAR job for user group and indirect assignments displayed in UAR request

1917837 - UAM : Connector based brf + rule is not working

1997960 - Unable to generate request for UAR/SOD.

2103409 - UAR: UAR approved request shows in work inbox until refresh.

1988128 - UAM: Missing line items with forward and return in UAR



UAR requests still show up in the work inbox after approval until the refresh button is clicked.

2103409 - UAR: UAR approved request shows in work inbox until refresh.



User Defaults - Issues

2020712 - UAM: User group not provisioned after approval

Delegated Approver - Mail Issues

1589130 - GRC AC 10.0 - MSMP Notification Override BADi - En

1915928 - Delegated approver is not visible in instance status

1887512 - Incorrect approver list shown in instance status

Enterprise Portal Integration with GRC - Issues

1889792 - UAM: Portal sync results in time out/ Portal Object

Synchronization Jobs – Issues

We are facing an issue related to the roles assigned to users in the target system. When roles have been removed from users in the backend, they are still visible in the existing assignments overview in the GRC system (even after sync).


This results in a provisioning error when submitting a "retain role" request. The Plug-In system then gives an error message that the role is invalid (because it is no longer assigned to the user).


Once the roles are removed in the target system, they should not appear again under the existing assignments in GRC.


If this kind of issue is happening then the Synch jobs are not working fine and there is some issue with these.


To fix this issue implement below SAP notes


Target (Plug-In) System


1970532 - Audit log gives wrong information about role removal, the validity of the role is not getting changed in the backend systems


GRC System


1934813 - UAM: Incorrect audit log message for role assignment and provisioning error for multiuser request


Missing Notification Variables and Notifications Issues - GRC SP13

Notification variables like Request Reason, Comments, Approver First Name, Approver Last Name and Approver Full Name are missing.


To enable these variables please implement below SAP notes.


1971842 - Request reason notification variable is not available in Access Request workflow

1917639 - UAM: Adding Comments and approver name variables in Access Request approval mail




Symptom 1: Validity dates and user id are not shown in the submission notification for the system entry.

Symptom 2: In submission notification, some text available in English and not able to translate in any other language.

Symptom 3: Provisioning variable shows roles whose Allow Auto-provisioning value is No and which have not been provisioned to the user.

Symptom 4: Create an access request to assign roles to an existing user in CUA child system. The closing notification contains wrong message of user creation.

Symptom 5: Notification variable %submission% for EAM/FF access approval does not contain System level information and validity dates information like FF_XXX Superuser access added to the request for action assign.


To fix this issue implement below SAP notes


1907911 - UAM: Incorrect text in submission & provisioning variable


Email Notifications - Issues

SAP Note 2018395 - E-mail Notifications cannot use HTML

Unlock Account - Valid To Date Issue

2069094 - For Unlock Action type Valid To Date for user is coming from

Escalation Notifications - Role Owner Stage - Issues

2008881 - Approved request items are also escalated

2000779 - UAM: Escalation on roleowner stage not working

There are multiple issues related to this solution, and in fact SAP has released a knowledge article on the topic stating that it is not allowed, citing security reasons (SAP KBA 1622881 - Approve by E-mail and Reject by E-mail functionality), but there are certainly workarounds available.


The security issues, mainly, are:

• Validating the correct approver and delegate approvers

• Emails could be sent using the From option in mails, making it even more difficult to validate


However, I did try to implement the process and succeeded in doing so with a few (not recommended) workarounds.


My main motivation came from this link where a similar solution is suggested but for SAP Workflow:



The BASIS configurations remain the same as given in the above link. The steps are as follows:

1) Create Offline User in SAP (It could be a new user if the approver will forward the mail to approve or reject requests; in case of reply back it has to be WF-BATCH)

2) Configure the SAP-Connect node via SICF Transaction

3) Configure and activate the SMTP Service via SMICM transaction

4) Configure and set the Inbound E-Mail Exit Configuration


Even the next few steps remain the same, only the actual approval process has to be changed. In the 4th step, we need to provide a class name to process emails. In this example, I named the class as: Z_PROCESS_INBOUND_WORKFLOW. Add Interface to the class: IF_INBOUND_EXIT_BCS. You will see 2 methods added from the interface.


Add the code in the methods:


Here, we need to create an instance of the class to be used for further processing.
Sample Code below:

  DATA: lo_ref TYPE REF TO z_process_inbound_workflow.

* Check if the instance is initial
  IF lo_ref IS INITIAL.
    CREATE OBJECT lo_ref.
  ENDIF.

* Return the instance
  ro_ref = lo_ref.



This method will be called automatically to process the message when it is received by the SAP system.

Sample Code Below:

* Declare for Inbound E-Mail processing
  DATA: lo_document       TYPE REF TO if_document_bcs,
        l_mail_attr       TYPE bcss_dbpa,
        l_mail_content    TYPE bcss_dbpc,
        lv_reqno          TYPE grac_reqno,
        lv_approve_reject TYPE char1,
        lt_cont_text      TYPE soli_tab,
        ls_cont_text      TYPE soli,
        lo_reply          TYPE REF TO cl_send_request_bcs,
        sender            TYPE REF TO if_sender_bcs,
        sender_addr       TYPE string,
        lv_email          TYPE ad_smtpadr,
        send_request      TYPE REF TO cl_bcs,
        lo_approval       TYPE REF TO z_grac_approbation_by_email.

* Get a pointer to the reply email object
  TRY.
      lo_reply = io_sreq->reply( ).
    CATCH cx_send_req_bcs.
  ENDTRY.

* Check to make sure this is from an approved sender
  sender      = io_sreq->get_sender( ).
  sender_addr = sender->address_string( ).
  lv_email    = sender_addr.

* Only process the message if it came from within our mail system or domain.
* SPAMMERS beware, your e-mails will not be processed!
  IF sender_addr CS '@xxx.COM'.

* Get email subject
    TRY.
        lo_document = io_sreq->get_document( ).
        l_mail_attr = lo_document->get_body_part_attributes( '1' ).
* Get the request number from the desired position of the subject
        lv_reqno = l_mail_attr-subject+12(10).
      CATCH cx_document_bcs.
    ENDTRY.

* Get mail body; the first non-empty line decides approve or reject
    TRY.
        l_mail_content = lo_document->get_body_part_content( '1' ).
        lt_cont_text = l_mail_content-cont_text.
        DELETE lt_cont_text WHERE line IS INITIAL.
        READ TABLE lt_cont_text INTO ls_cont_text INDEX 1.
        IF sy-subrc EQ 0.
          TRANSLATE ls_cont_text-line TO UPPER CASE.
          IF ls_cont_text-line+0(7) = 'APPROVE'.
            lv_approve_reject = 'A'.
          ELSEIF ls_cont_text-line+0(6) = 'REJECT'.
            lv_approve_reject = 'R'.
          ENDIF.
        ENDIF.
      CATCH cx_document_bcs.
    ENDTRY.

  ENDIF.

* Hand over to the approval class only if all three values were found
  IF lv_approve_reject IS NOT INITIAL
    AND lv_reqno IS NOT INITIAL
    AND lv_email IS NOT INITIAL.

    CREATE OBJECT lo_approval
      EXPORTING
        i_reqno          = lv_reqno
        i_email          = lv_email
        i_approve_reject = lv_approve_reject.

    CALL METHOD lo_approval->process_request.

  ENDIF.
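
A stricter version of the three parsing checks in the method above (sender domain, subject offset, first body line), as an added example that is not part of the original post. The report name, the class lcl_mail_check and all sample values are constructed, and the all-digit request number is an assumption. It tightens parsing only: as the list of security issues above says, the From address of a mail can be set by the sender, so it does not by itself prove who the approver is.

```abap
REPORT z_demo_inbound_mail_check.
* Added example, not from the original post; all names and samples are constructed.

CLASS lcl_mail_check DEFINITION FINAL.
  PUBLIC SECTION.
    CONSTANTS gc_domain TYPE string VALUE `XXX.COM`.
    CLASS-METHODS sender_domain_ok
      IMPORTING iv_address   TYPE string
      RETURNING VALUE(rv_ok) TYPE abap_bool.
    CLASS-METHODS decision
      IMPORTING iv_line          TYPE string
      RETURNING VALUE(rv_action) TYPE char1.
    CLASS-METHODS request_number
      IMPORTING iv_subject      TYPE string
      RETURNING VALUE(rv_reqno) TYPE string.
ENDCLASS.

CLASS lcl_mail_check IMPLEMENTATION.
  METHOD sender_domain_ok.
    " Accept only <local>@XXX.COM: exactly one '@' and an exact domain match.
    DATA: lv_addr   TYPE string,
          lv_local  TYPE string,
          lv_domain TYPE string.
    lv_addr = iv_address.
    TRANSLATE lv_addr TO UPPER CASE.
    CONDENSE lv_addr NO-GAPS.
    " With two targets, anything after the first '@' lands in lv_domain.
    SPLIT lv_addr AT '@' INTO lv_local lv_domain.
    IF lv_local IS INITIAL OR lv_domain CA '@'.
      RETURN.
    ENDIF.
    IF lv_domain = gc_domain.
      rv_ok = abap_true.
    ENDIF.
  ENDMETHOD.

  METHOD decision.
    " The whole first line must be the keyword, not merely start with it.
    DATA lv_line TYPE string.
    lv_line = iv_line.
    TRANSLATE lv_line TO UPPER CASE.
    CONDENSE lv_line.
    CASE lv_line.
      WHEN `APPROVE`.
        rv_action = 'A'.
      WHEN `REJECT`.
        rv_action = 'R'.
    ENDCASE.
  ENDMETHOD.

  METHOD request_number.
    " Same position as in the post (offset 12, length 10), but only if the
    " subject is long enough and the value is all digits (assumption).
    IF strlen( iv_subject ) >= 22.
      rv_reqno = iv_subject+12(10).
      IF rv_reqno CN '0123456789'.
        CLEAR rv_reqno.
      ENDIF.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: lt_addr   TYPE STANDARD TABLE OF string,
        lv_addr   TYPE string,
        lv_old    TYPE abap_bool, lv_new TYPE abap_bool,
        lv_action TYPE char1,
        lv_reqno  TYPE string.

  " Constructed sender addresses
  APPEND `approver@xxx.com`             TO lt_addr.
  APPEND `approver@xxx.com.example.net` TO lt_addr.
  APPEND `approver@example.net`         TO lt_addr.

  LOOP AT lt_addr INTO lv_addr.
    " Check as written in the post: substring match
    lv_old = abap_false.
    IF lv_addr CS '@xxx.COM'.
      lv_old = abap_true.
    ENDIF.
    lv_new = lcl_mail_check=>sender_domain_ok( lv_addr ).
    WRITE: / lv_addr, 'substring:', lv_old, 'exact:', lv_new.
  ENDLOOP.

  " Constructed first body lines
  lv_action = lcl_mail_check=>decision( `approve` ).
  WRITE: / 'approve ->', lv_action.
  lv_action = lcl_mail_check=>decision( `Approve? No, see below` ).
  WRITE: / 'Approve? No, see below ->', lv_action.

  " Constructed subjects: "GRC Request " is 12 characters long
  lv_reqno = lcl_mail_check=>request_number(
               `GRC Request 0000001234 needs approval` ).
  WRITE: / 'long subject  ->', lv_reqno.
  lv_reqno = lcl_mail_check=>request_number( `Re: request` ).
  WRITE: / 'short subject ->', lv_reqno.
```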




Now, I have created another class, Z_GRAC_APPROBATION_BY_EMAIL, which is called from the above class method. It validates approvers from their email addresses, processes emails in case of any errors and finally starts the approval process.


First save the values in attributes of this class in the CONSTRUCTOR method.


Create a method PROCESS_REQUEST to do the processing.


In this method, the steps followed are:

  • First get the SAP user ID for the email ID of the sender
  • Validate by the SAP user ID whether the sender is actually the approver, by checking tables GRFNMWRTINSTWI, GRACREQUSER
  • If not, check if the sender is a delegate approver. You can use Function Module SAP_WAPI_SUBSTITUTIONS_GET
  • If validated, create a background job using FM JOB_OPEN


The reason we need a background job is because the SY-UNAME in the system will be either WF-BATCH or a new user created by BASIS in the 1st step and that user is not the actual approver. So we create a background job and then change the user ID with the actual approver.

So, after the JOB_OPEN is called:

  • Change the user ID in Job Head and call FM BP_JOB_MODIFY
  • We will have to create a new Report Program to approve or reject the request (Z_REP_APPROBATION_BY_EMAIL) and SUBMIT the program


Now, the main logic is in the report program Z_REP_APPROBATION_BY_EMAIL.

I added 3 selection screen parameters to accept Request Number, BNAME (SAP User ID) of the approver and a field to identify Approve or Reject (A or R).

  • First step is to fetch Request ID from Request Number from table GRACREQ. Concatenate 'ACCREQ/' and the Request ID together.
  • Next is to fetch Work Item IDs for the Request Number from the table GRFNMWRTINSTWI
  • After collecting data, we will call standard methods that GRC system uses to do the processing. Code snippets are shown below:

  go_session = cl_grfn_api_session=>open_daily( ).

  TRY.

      go_api ?= go_session->get( gv_reqid ).

      gv_bname = p_bname.

* Load the request for the work items of the actual approver
      CALL METHOD go_api->if_grac_api_access_request~retrieve
        EXPORTING
          iv_editable      = abap_true
          it_wi_id         = gt_wi_id
          iv_admin_mode    = lv_bool
          iv_approver_user = gv_bname.

      IF p_aprj EQ 'A'.

        ls_user_range-sign   = 'I'.
        ls_user_range-option = 'EQ'.
        ls_user_range-low    = gv_bname.
        APPEND ls_user_range TO lt_user_range.

        lv_user = gv_bname.

        CALL METHOD cl_grac_user_rep=>retrieve_realtime_user
          EXPORTING
            iv_user          = lv_user
          IMPORTING
            es_real_userinfo = ls_real_userinfo.

        CALL METHOD cl_grac_user_rep=>retrieve_user_systems
          EXPORTING
            it_user      = lt_user_range
*           it_user_name =
*           iv_max_rows  = 1000
          RECEIVING
            rt_user      = lt_user.

        ls_val-val1  = ls_real_userinfo-department.
        ls_val-val2  = ls_real_userinfo-location.
        ls_val-val3  = ls_real_userinfo-company.
        ls_val-val4  = ls_real_userinfo-costcenter.
        ls_val1-val1 = ls_real_userinfo-userid.
        ls_val1-val2 = ls_real_userinfo-user_group.
        ls_val1-val3 = ls_real_userinfo-orgunit.

        IF lt_user IS NOT INITIAL.

* User exists in a connected system: check change authorization
          LOOP AT lt_user INTO ls_user.

            ls_val1-val4 = ls_user-connector.

            IF cl_grac_auth_engine=>authority_check(
                  iv_auth_obj   = graca_c_emp-auth_obj
                  iv_field1     = graca_c_actvt-actvt
                  iv_value1     = graca_c_actvt-change
                  iv_field2     = graca_c_emp-dept
                  iv_value2     = ls_val-val1
                  iv_field3     = graca_c_emp-location
                  iv_value3     = ls_val-val2
                  iv_field4     = graca_c_emp-company
                  iv_value4     = ls_val-val3
                  iv_field5     = graca_c_emp-cost_centre
                  iv_value5     = ls_val-val4
              ) EQ abap_true AND
               cl_grac_auth_engine=>authority_check(
                  iv_auth_obj   = graca_c_user-auth_obj
                  iv_field1     = graca_c_actvt-actvt
                  iv_value1     = graca_c_actvt-change
                  iv_field2     = graca_c_user-userid
                  iv_value2     = ls_val1-val1
                  iv_field3     = graca_c_user-usergroup
                  iv_value3     = ls_val1-val2
                  iv_field4     = graca_c_user-org_unit
                  iv_value4     = ls_val1-val3
                  iv_field5     = graca_c_user-connector
                  iv_value5     = ls_val1-val4
              ) EQ abap_true.
              lv_flg = 'X'.
            ENDIF.

          ENDLOOP.

        ELSE.

* User does not exist yet: check create authorization
          ls_val1-val4 = ls_user-connector.
          IF cl_grac_auth_engine=>authority_check(
                iv_auth_obj   = graca_c_emp-auth_obj
                iv_field1     = graca_c_actvt-actvt
                iv_value1     = graca_c_actvt-create
                iv_field2     = graca_c_emp-dept
                iv_value2     = ls_val-val1
                iv_field3     = graca_c_emp-location
                iv_value3     = ls_val-val2
                iv_field4     = graca_c_emp-company
                iv_value4     = ls_val-val3
                iv_field5     = graca_c_emp-cost_centre
                iv_value5     = ls_val-val4
            ) EQ abap_true AND
             cl_grac_auth_engine=>authority_check(
                iv_auth_obj   = graca_c_user-auth_obj
                iv_field1     = graca_c_actvt-actvt
                iv_value1     = graca_c_actvt-create
                iv_field2     = graca_c_user-userid
                iv_value2     = ls_val1-val1
                iv_field3     = graca_c_user-usergroup
                iv_value3     = ls_val1-val2
                iv_field4     = graca_c_user-org_unit
                iv_value4     = ls_val1-val3
                iv_field5     = graca_c_user-connector
                iv_value5     = ls_val1-val4
            ) EQ abap_true.
            lv_flg = 'X'.
          ENDIF.

        ENDIF.

* Approve only if the authorization checks passed
        IF lv_flg = 'X'.

          PERFORM f_fill_approving_details CHANGING ls_req_data
                                                    lt_item
                                                    lt_requser
                                                    lt_reqsys.

          lo_api ?= go_session->get( gv_reqid ).

          CALL METHOD lo_api->if_grac_api_access_request~update
            EXPORTING
              is_request_data = ls_req_data
              it_requser      = lt_requser
              it_reqlineitm   = lt_item
              it_reqsys       = lt_reqsys.

          CALL METHOD go_session->save.

        ENDIF.

      ELSEIF p_aprj EQ 'R'.

        CALL METHOD go_api->if_grac_api_access_request~reject.

        CALL METHOD go_session->save.

      ENDIF.

    CATCH cx_grfn_exception INTO go_grfn_exp.

  ENDTRY.

*&      Form  f_fill_approving_details
*       Reads the request header, line items, users and systems from the
*       GRC tables and fills the API structures, marking each item approved
*      -->PS_REQ_DATA  request header data
FORM f_fill_approving_details CHANGING   ps_req_data TYPE grac_s_api_req_data
                                        pt_item     TYPE grac_t_api_reqlineitem
                                        pt_requser  TYPE grac_t_api_user_info
                                        pt_reqsys   TYPE grac_t_api_reqsys.

  TYPES: BEGIN OF ty_gracreq,
          req_id          TYPE grfn_guid,
          req_created     TYPE grac_req_created,
          duedate         TYPE grac_duedate,
          reqtype         TYPE grac_reqtype,
          funcarea        TYPE grac_funarea,
          msmp_process_id TYPE grfn_mw_process_id,
        END OF ty_gracreq,

        BEGIN OF ty_gracitem,
          itemnum         TYPE grac_seq,
          connector       TYPE grac_reqsystem,
          prov_item_id    TYPE grfn_guid,
          prov_item_type  TYPE grac_prov_item_type,
          prov_action     TYPE grac_actiontype,
          prov_item_name  TYPE grac_prov_item_name,
          approval_status TYPE grac_approval_status,
          valid_from      TYPE grac_valid_from,
          valid_to        TYPE grac_valid_to,
          prov_type       TYPE grac_prov_type,
        END OF ty_gracitem,

        BEGIN OF ty_systems,
          systems TYPE grfn_connectorid,
        END OF ty_systems.

  DATA: lv_reqid    TYPE grfn_guid,
        ls_gracreq  TYPE ty_gracreq,
        lt_gracitem TYPE STANDARD TABLE OF ty_gracitem,
        ls_gracitem TYPE ty_gracitem,
        lt_gracuser TYPE STANDARD TABLE OF gracrequser,
        ls_gracuser TYPE gracrequser,
        ls_reqsys   TYPE grac_s_api_reqsys,
        lt_systems  TYPE STANDARD TABLE OF ty_systems,
        ls_systems  TYPE ty_systems,
        ls_requser  TYPE grac_s_api_user_info,
        ls_item     TYPE grac_s_api_reqlineitem.

* Strip the 'ACCREQ/' prefix to get the request GUID
  lv_reqid = gv_reqid+7.

* Request header; fields in the order of ty_gracreq
  SELECT SINGLE req_id req_created duedate reqtype funcarea msmp_process_id
    FROM gracreq
    INTO ls_gracreq
    WHERE req_id = lv_reqid.
  IF sy-subrc EQ 0.
    ps_req_data-req_id = ls_gracreq-req_id.
    ps_req_data-req_created = ls_gracreq-req_created.
    ps_req_data-req_approved = ls_gracreq-duedate.
    ps_req_data-reqtype = ls_gracreq-reqtype.
    ps_req_data-msmp_process_id = ls_gracreq-msmp_process_id.
    ps_req_data-funcarea = ls_gracreq-funcarea.

* Line items; fields in the order of ty_gracitem
    SELECT itemnum connector prov_item_id prov_item_type prov_action
           prov_item_name approval_status valid_from valid_to prov_type
      FROM gracreqprovitem
      INTO TABLE lt_gracitem
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_gracitem INTO ls_gracitem.
        ls_item-itemnum   = ls_gracitem-itemnum.
        ls_item-item_name   = ls_gracitem-prov_item_name.
        ls_item-connector   = ls_gracitem-connector.
        ls_item-prov_item_id   = ls_gracitem-prov_item_id.
        ls_item-prov_item_type   = ls_gracitem-prov_item_type.
        ls_item-prov_action   = ls_gracitem-prov_action.
        ls_item-approval_status   = 'AP'.
        ls_item-valid_from   = ls_gracitem-valid_from.
        ls_item-valid_to   = ls_gracitem-valid_to.
        ls_item-prov_type   = ls_gracitem-prov_type.

        APPEND ls_item TO pt_item.
      ENDLOOP.
    ENDIF.

* Users on the request
    SELECT * FROM gracrequser
      INTO TABLE lt_gracuser
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_gracuser INTO ls_gracuser.
        ls_requser-userid = ls_gracuser-userid.
        ls_requser-provuser = ls_gracuser-provuser.
        ls_requser-snc_name = ls_gracuser-snc_name.
        ls_requser-unsec_snc = ls_gracuser-unsec_snc.
        ls_requser-accno = ls_gracuser-accno.
        ls_requser-empposition = ls_gracuser-empposition.
        ls_requser-empjob = ls_gracuser-empjob.
        ls_requser-personnelno = ls_gracuser-personnelno.
        ls_requser-personnelarea = ls_gracuser-personnelarea.
        ls_requser-email = ls_gracuser-email.
        ls_requser-emptype = ls_gracuser-emptype.
        ls_requser-logon_langu = ls_gracuser-logon_langu.
        ls_requser-dec_notation = ls_gracuser-dec_notation.
        ls_requser-date_format = ls_gracuser-date_format.
        ls_requser-time_zone = ls_gracuser-time_zone.
        ls_requser-manager = ls_gracuser-manager.
        APPEND ls_requser TO pt_requser.
      ENDLOOP.
    ENDIF.

* Systems on the request
    SELECT systems
      FROM gracrequsersys
      INTO TABLE lt_systems
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_systems INTO ls_systems.
        ls_reqsys-systems = ls_systems-systems.
        APPEND ls_reqsys TO pt_reqsys.
      ENDLOOP.
    ENDIF.

  ENDIF.

ENDFORM.                    "f_fill_approving_details


Transport BRF+ Application from $Temp package




I am not sure if you have already come across the phase associated with copying a BRF+ application from the $Temp package in order to make it transportable.


At the start of my implementation project on GRC V:11 and SAP:04, I had created one BRF+ application and saved it to a $Temp package so as to avoid capturing it in a Transport Request, as I had to do some more configuration with the never-ending requirements. So, when I completed all the configuration, I tried to put it into a TR but couldn't do that as I had saved it into $Temp, so I got stuck.


So, to make an application transportable you have to follow the steps below:


1) Copy the application from $Temp package to SAP Development package


Execute BRF+ transaction code --> Navigate to the application which is saved into $Temp package



2) Right click on the application --> Copy



3) On the new screen, enter the New-Application name (target application name), description and short text.

You need to make sure to uncheck the box for "Create Local Application". If you miss this, you would again end up copying the target application into the $Temp package.





If you have created a package specifically for BRF+ then you can enter the package name under "Development package". If not, then you can create one with transaction code SE21 as below:





Fill in all the required details and confirm.


Now, after entering the development package, enter the Software component and make sure to tick the check box for "include contained objects". Click Copy.


It will ask to enter the TR, but you would see the error screen as below:



This is due to a bug within GRC V:11 which is resolved after implementing SAP Note# 2029700 http://service.sap.com/sap/support/notes/2029700



Thanks to SAP for providing this note; now I am able to copy the application from the $Temp package to an SAP Development package to make it transportable.

I thought to share this experience with SCN Community members to help them if they come across this issue.








Here I would like to share my experience of creating transportable BRF+ rules in GRC AC 10.0. Please follow along with the attached file.




Thanks & Regards,


Rajesh Srisailapu

This document talks about the challenges organizations face when upgrading the Support Pack / NetWeaver for SAP GRC 10.0. Organizations that upgrade the support pack together with the NetWeaver version for SAP GRC 10.0 might face many challenges at different stages of the project. Here we discuss some of the challenges faced in a real-time environment while upgrading GRC 10.0 to SP13 from the existing SP07 and to SAP NetWeaver 7.31 SPS 8 from the existing SAP NetWeaver 7.02.

  • Backend Plugin Upgrade
    • If an organization is planning to upgrade GRC 10.0 from an SP level below SP10, it is required to plan and coordinate the GRC plugin upgrade in the backend systems as well. GRC is normally connected to most of the systems in any organization for user provisioning, risk analysis and emergency access, and these systems are at different NW versions and plugin levels.
    • To avoid product compatibility issues, it is suggested to plan the plugin upgrade before the GRC system upgrade.
  • SU25 and Web Dynpro components upgrade
    • It is tough for a security consultant to understand the effect of the authorization updates in SU25 steps 2a, 2b and 2c on the GRC front end, as it does not provide details of the changes in authorization checks for the GRC front-end application.
    • Detailed planning of the testing strategy and scenario testing is suggested, to cover all authorization check changes and role change requirements.


  • Mass user locking
    • Normally in any ECC, BI or similar system the total number of users is in the thousands, but in a GRC system the number of users is high, depending on the number of systems connected to it and how user data is updated. During the upgrade it is recommended to lock users to prevent them from logging in.
    • In general SU10 is used for mass locking, but locking lakhs of users via SU10 is not a suitable approach.


  • "Agent not found": access requests ending in error or completing without role owner approval
    • Post upgrade, approvers of roles who are not defined in the GRACOWNER table, or not defined as owner in “Access control owner” in the front end, will not be able to approve requests. Post upgrade, GRC started checking for approvers in the GRACOWNER table.
    • Before go-live, update all role approvers as Role Owners in the Access control owner list.


  • Dumps in the system when clicking on the link in an email received from GRC
    • Post NW and SP upgrade for GRC 10.0, users might start getting the ABAP dump below in the system

               ASSERTION FAILED

               Category           ABAP Programing Error

               Runtime Errors Assertion Failed

               ABAP Program  CL_GRFN_API_IDENT================CP

               Application Component GRC

    • Please check whether OSS note 1888486 is applicable for your system to fix the issue

On one of my first projects as the lead architect I needed to prototype GRC. I had supported GRC components before (albeit 5.3 version), attended the GRC300 training course and passed my certification. I was excited: finally a GRC 10.0 implementation. I was at a client and they had a need for it. I had the skill and enthusiasm to see it implemented. The client accepted my business case of lowering user administration and support cost, and I had the confidence to see this project through. Fantastic!! Woo-hoo GRC implementation here I come!!!!!!!!


Before I got my hands on the system, the business-process minded part of me had mapped out the strategy and approach. I put pen to paper and drew up my view of the access control processes: who would approve and what would they approve. My design integrated as much of Access Controls as possible.  I found my Internal Controls buddy to assist me in keeping this business orientated: yes I found my first friend. I realised at the beginning, this implementation would not be possible if my team did not include a business stakeholder who could define business requirements and help design what an unacceptable risk to the business is and what the business was prepared to do about it. This friend of mine came from an Audit background (yes, auditors are friends too!) and could provide valuable input on compliance requirements we needed to adhere to.


We were able to work together to not only define the process but identify the roles and responsibility (in the form of a RACI model). In doing this, we identified organisational changes which then led me to another group of friends known as the Change Managers.  We have not even got the system built and I am now spending more time with an ex-Auditor/Internal Controls expert and a Change Manager to properly define how the business would use GRC.  The Change Manager then asks ‘Will end users be impacted’? Well, of course they will be as we are trying to automate user access provisioning and we have segregation of duties and risk and so on. My next group of friends became the Trainers. Internal Controls, Change Managers and Trainers oh my! And still no system!


It came time to submit the high level design for approval. My awesome pretty crap process designs were too high level. What I thought was three or four business processes were rebuilt by my next friend: The Business Analyst. This friend knew how to model business processes and took my diagrams (really PowerPoint slides) and broke them down to a much lower level. The business analyst identified logical gaps and incorrect assumptions without even knowing what GRC is (that soon changed).  Had this friend not stepped in at the beginning I would have been in a world of pain with the workflow configuration and ultimately resulted in rework, project delay and additional cost.


Finally my system was built by my friend Basis. This team became my first-and-best-techy-friend (hey they always are). Until I started GRC, I had never raised a SAP message incident (I did not even know how to). SAP Marketplace and SCN contained my answers so it was never necessary. However, the solution to most of the SAP incidents I raised was in the form of a heap of notes and support stacks to apply, and Basis were there every step of the way. In addition, I had them assist me with appropriate system settings: system parameters; RFC connections; trusted systems; LDAP connections and NWBC. Yes, I could go configure them myself but if this was an ERP system would a Functional Consultant be allowed to do the same?


As I started to prototype the solution and came across the business workflow I learned more about the flexibility and powerfulness of GRC. I was able to configure MSMP (I’m quite a fan of it) but then I realised, it would be great to make friends with the Workflow and ABAP Developers, especially if they have the BRF+ skills and pick their brains. These developers would know how best to configure the workflow rules (do I use a decision table or a case statement?); build new launch pads and customise screen layouts. They would have a great naming convention for custom objects. They would also allow me to sit and help debug to find why I am getting that short dump (i.e. confirm I need to raise a SAP incident).


I continued to prototype and refine some of the design as we all discovered what the system would be capable of. It then dawned on me how best to document the configuration and build. I reached out to a new group of friends and they were Functional Consultants who worked on the ERP system. My view was: we might be configuring different systems but we’re both doing configuration via IMG and maybe there is something I can leverage from them (via our Solution Architect).


So before I even got to the development system, I became friends with Internal Controls; Change Managers; Trainers; Basis; Workflow and ABAP developers; and Functional Consultants. Most of my friends were included on my project plan so that management knew up front the true effort and people necessary for a GRC implementation to be successful. Management knew that GRC was not a support tool but enabled business process. Internal Controls was my key business representative who had their own set of friends to determine business requirements that I could translate to technical deliverables.


My motivation in finding friends was a concern I had: if I relied only on my own skills we may deliver a workable solution but it may not be the most effective and efficient solution. Without calling on all friends here, I might have a solution that works for day one but what happens next year or the year after? What happens when business requirements change? What happens when support stack and enhancement packs are necessary?


I’m sure there are more friends. Had I continued on this project I would have met up with Change and Release Managers to migrate changes and thinking through planning for enhancement packs, system refreshes and overall landscape design in conjunction with Basis. Oh, and if you’re wondering why no security - I did not forget them as that was me.


My advice – depending on the size of your project you may not need all these friends. Consider them in your planning based on your own strengths and weaknesses. Leverage where you can as it will benefit your solution in the long term.


Do you have any recommendations for who’d you make friends with and leverage for a successful GRC implementation?  I would love to hear your thoughts in the comments below.





P.S. I would like to make a special thank you to Gretchen Lindquist for all your valuable feedback and encouragement to me for this blog.

Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC

Since GRC 5.3 was on the Java stack, customization of the GRC screens was not possible to any great extent. As GRC 10.0 is on the ABAP stack, we have the flexibility to customize NWBC as per the client requirement, and you can customize NWBC to provide access that is not delivered through the SAP GRC ABAP roles.


“Whatever you want to see in NWBC, the choice is yours to enable it”


With this customization of the NWBC launch pad we can do the following:


  1. Access all SAP systems
  2. Execute all backend system reports, e.g. SUIM and SE16 reports
  3. Customize the GRC screens (SPRO) from NWBC itself, with no need to log in to ABAP and use the SPRO T-code
  4. Create users and roles, and develop and configure MSMP using NWBC
  5. Run BI related reports and queries, and much more


Hence you might not need to use SAP GUI since we can customize the NWBC.


The NWBC customization below can be done from the web based NWBC (Internet Explorer). You need to make sure that, as a portal administrator, you have created one alias name for each SAP system (ECC/Portal) in SAP Enterprise Portal (SAP EP).


Below are a few examples of NWBC customization:


  1. Accessing Backend systems
  2. Table Access
  3. MSMP Access
  4. BRF Plus Access
  5. Merging NWBC and SAP Login Screen in internet explorer




Step 1.

   Go to SPRO --> Governance, Risk and Compliance --> Configure LaunchPad for Menus

               Image 1.JPG

Below you can see the launch pads with the GRC (AC, PC & RM) related roles and descriptions. Before customizing, we need to decide in which NWBC work center to put the customized menus/links. I have chosen the My Home work center. For the My Home work center choose the GRACHOME role (see below).


Select the GRACHOME role and double-click it or choose the Edit button.

               Image 2.JPG

Step 2:


Select New Folder to create a main menu in the work center and enter whatever text you need.
Here I have given the text My Company Access (shown in the screen) and the same will show in NWBC as the main menu. The system will provide a default icon for our customized menu. Save the screen.

Note: You can change the folder name whenever you wish.

              Image 3.JPG

               Image 4.JPG


Step 3:


Choose the newly created folder (My Company Access) and select the New Application button.


Provide the name of the menu/link that will be executed from NWBC, e.g. Table Access.


Select one Application Category based on your requirement. Below are a few of the Application Categories SAP provides:


BEx Analyzer
BI Enterprise Report
BI Query
BI Web Template
Crystal Report
Infoset query
KM Document
Managers Desktop
Portal Page
Web Dynpro ABAP


I have selected Transaction as the Application Category. Once you select Transaction as the Application Category, the system will ask for a transaction code. See below:


Note: For one application, you can select only one transaction or one application category.


As mentioned above, select the System Alias. In this example the System Alias is SAP-GRC-AC or Local.


               Image 5.JPG

Click on Advanced Parameters tab


GUI TYPE: This is optional and you can select whichever you need.


               Image 6.JPG

Step 4

Link to a Repository Application


To add existing SAP Repository objects to our newly created custom folder, follow the process below:


Select My Company Access (the newly created folder) and click Link to a Repository Application. The system will open a launch pad window (marked in green) to select an existing role. See the example below, where I have selected GRCIAREPOS.


Double-click the role GRCIAREPOS.


Once you link your custom folder with the SAP Repository Application, you can also add SAP standard links to the custom folder.

               Image 7.JPG

Once you double click Role GRCIAREPOS, you can see below screen:

               Image 8.JPG

Drill down the GRC_AccessControl menu, select the relevant role that you want to have in the customized screen and drag it into our custom folder “My Company Access”.


This option lets us restrict the access offered from NWBC, in addition to authorizations.

               Image 9.JPG


Add a separator if you wish to differentiate custom objects from SAP objects.


Select the folder My Company Access and select the Add Separator button. Now you can move the links/menus and the separator wherever you need.


               Image 10.JPG

Below you can see the NWBC screens with and without customizing.



NWBC without Customizing

               Image 11.JPG


NWBC Customizing with custom menus


               Image 12.JPG


Example 1: Access SAP system from NWBC

Select the newly created folder (My Company Access) and create a new application.
In Application Category choose Transaction, and in Application parameter provide SESSION_MANAGER.


               Image 13.JPG


Save and execute NWBC. Go to My Home --> click the link SAP Backend system


               Image 14.JPG

A new window will open for the SAP backend system; click Start SAP Easy Access. SAP will open in Internet Explorer.


               Image 15.JPG


You can see the SAP screen in Internet Explorer/NWBC


               Image 16.JPG


Example 2: Accessing SAP Backend Tables & Reports from NWBC

Follow the same steps: Create New Application --> Provide the link name as Table Access --> Select Transaction in Application Category --> Provide T-Code SE16

Save --> Refresh NWBC and execute


               Image 17.JPG

               Image 18.JPG    


Example 3: Opening MSMP from NWBC


We need to follow the same steps for this example as well.

               Image 19.JPG

Example 4: Opening BRF + application from NWBC

               Image 20.JPG


               Image 21.JPG

               Image 22.JPG


If you select the MSMP Configuration link you will be redirected to the screen below, without any Internet Explorer link option.


Most important customization: Merging NWBC and SAP Screen in internet explorer


Configuring SAP screen and NWBC in one page


As explained above (already given in Example 1):

Select the newly created folder (My Company Access) and create a new application.
In Application Category choose Transaction, in Application parameter provide SESSION_MANAGER, and set the System alias to SAP-GRC-AC.

               Image 13.JPG

Go to Advanced Parameters

In Advanced Parameters select GUI Type: SAP GUI for HTML

Select Initial Screen in the Entries Once Started option

Portal parameter: select INPLACE (Inplace)

               Image 23.JPG

Save and execute in NWBC


Once you refresh NWBC, you can see the link "SAP Backend system"


               Image 28.jpg

Click SAP Backend system link and you will find below screen:

Here you can execute all SAP transactions


               Image 24.JPG

Click the Start SAP Easy Access button.

You will see the SAP screen below, similar to the SAP GUI screen.

In this screen everything is the same as in SAP GUI, but you can also see the NWBC menus. The SAP screen and NWBC are merged in the same screen.


Even if we do not have SAP GUI, we can log in to the SAP backend system by using this customization. This customizing will be useful for small devices such as smartphones and tablets. Soon we will be able to execute SAP from small devices, depending on accessibility and network (SAP has already launched an Android app for FF ID approval).

               Image 25.JPG

Executing SAP transactions from NWBC.

In this example I have executed PFCG. Whatever transaction you execute, you will be able to see the NWBC work centers in the same screen.


               Image 29.jpg




In this way we can customize NWBC without any ABAP or Java knowledge, and whenever we need to, we can design and change the screens without taking much time.


SAP has provided flexibility to do the customization of NWBC based on the client requirement.

A common problem for SAP Access Control customers migrating to Access Controls 10.1 is that they want to take advantage of rule set changes made since their last rule set update, but they don’t want to lose the customizations they’ve made to their existing rule set. The business may also require a copy of the rule set for review by an external auditing firm or for backup purposes.

These tasks can be accomplished via two (2) Access Control transactions: GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.

This blog will define the contents of the GRC rule set and will demonstrate how to download/upload the Access Risk Analysis Rule Set. Once downloaded, the rule set can be modified using Excel and functions such as CONCATENATE, COUNTIF, and VLOOKUP to add rule sets>risks>functions to a new namespace, such as "Z_".

SAP delivers a canned SoD rule set to run Risk Analysis reports against users, roles, profiles and HR objects. Companies are encouraged to modify the base rule set to meet their unique needs. Rule Set customization is accomplished via three (3) means:

  1. Direct modification of functions and risks in NWBC via WorkCentre: Setup>Function/Access Risks/Rule Sets
  2. Mass modification of functions in NWBC via WorkCentre: Setup>Function>Mass maintenance.
  3. Mass modification of functions and risks via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.

The rule set is created during configuration, via BCSET activation using t_code SCPR20. This table lists the canned rules in SAP Access Control 10.x.



BC Set description

  • Rule Set for Common rules
  • BC Set for AC Rules for JDE
  • BC Set for AC Rules for ORACLE
  • BC Set for AC Rules for PeopleSoft
  • BC Set for AC Rules - SAP APO
  • BC Set for AC Rules - SAP BASIS
  • BC Set for AC Rules for SAP CRM
  • BC Set for AC Rules for SAP ECCS
  • BC Set for AC Rules for SAP HR
  • BC Set for AC Rules for SAP R3 less HR Basis
  • BC Set for AC Rules for SAP R3
  • BC Set for AC Rules for SAP SRM


The only mandatory BC set for activation is GRAC_RA_RULESET_COMMON. GRAC_RA_RULESET_SAP_R3 contains both the HR and BASIS rule sets (SAP note 1033326).


All BC sets listed above, once activated, will be automatically combined into the “Global” rule set.

BC Set Example.jpg


SAP provides download and upload functionality via two (2) transactions:






The rule set is exported and imported via nine (9) individual files. The files can be named anything; however, naming the files after their contents is useful for organizational purposes.


The following section lists a brief description, the format of the file exports and the NWBC screens associated with the file.






Business Process:

Business Process defines the business process, language, and business process description.


NWBC Business Process correlation:



Function:

Function defines the function, language, function description and single or cross system reference.


NWBC Function correlation:


Function Business Process:

Function to Business Process associates functions to business processes.


NWBC Function to Business Process correlation:


Function Actions:

Function to Actions associates functions to t_codes and records whether the function is active or inactive.


NWBC Function to Actions correlation:


Function Permissions:

Function to Permissions associates functions to t_codes, the respective authorization objects, field values, operators and active or inactive status.


NWBC Function to Permissions correlation:


Rule Set:

Rule Set defines the rule set, language and rule set description.


NWBC Rule Set correlation:



Risk:

Risk associates risks to functions and business processes, and defines the priority of the risk, the type of risk, and active vs non-active status.


NWBC Risk correlation:


Risk Description:

Risk Description defines the risk, language and risk description.


NWBC Risk Description correlation:


Risk Rule Set Relationship:

Risk Rule Set Relationship associates risks to a rule set.


NWBC Risk Rule Set Relationship correlation:


Demo of how to download a rule set in SAP Access Control 10.1:


Downloading the Access Control Rule Set via GRAC_DOWNLOAD_RULES. Choose format and accept pop-ups.


Demo of how to upload a rule set in SAP Access Control 10.1:


Uploading the Access Control Rule Set via GRAC_UPLOAD_RULES. Choose format and accept pop-ups.


Merging Rule Sets:

I struggled with writing this section, because the details of the GRC rule set are proprietary SAP information. I would have loved to have done a demo here but any concrete examples shown merging rule sets could be viewed as divulging this proprietary information.

That said, the Excel COUNTIF, CONCATENATE, and VLOOKUP functions are key to helping you identify records not contained in one of the rule sets you’re working on merging. Here are some key takeaways for those of you engaged in rule set merging:

Key takeaways for mass modification of rule set:

    1. When downloading the rule set, please note that function to actions and function to permissions are dependent on the logical group selected. Example:
      1. If you select the APO logical group, only APO FUNCTION_ACTIONS and APO FUNCTION_PERMISSIONS are contained in the downloaded FUNCTION_ACTIONS and FUNCTION_PERMISSIONS files.
    2. When downloading the rule set, please note that if you select a connector (for example ECDCLNT100), FUNCTION_ACTIONS and FUNCTION_PERMISSIONS will have no data.
    3. Active and Non-Active status in RISK, FUNCTION_PERMISSIONS, and FUNCTION_ACTIONS key:







The primary method of updating the Access Control rule set is through NWBC and the Setup WorkCentre. Updating the Access Risk Analysis rule set via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES is still viable and should be considered during migrations, mass maintenance or to meet business requirements.
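
The comparison that the Merging Rule Sets section does with COUNTIF, CONCATENATE and VLOOKUP can also be scripted. The following is an added example, not code from the original post or from SAP: the three-column layout (function ID, action, status), the sample IDs and the status labels are constructed assumptions, and it assumes the customized functions were created by prefixing the delivered IDs with "Z_".

```python
"""Compare two downloaded rule set files before merging them into a Z_ namespace."""
import csv
import io
from collections import Counter

PREFIX = "Z_"  # customer namespace for the merged rule set

# Constructed sample data, not SAP content. Assumed (hypothetical) layout:
# function ID <TAB> action (t_code) <TAB> status label.
CUSTOM = (
    "Z_FN01\tZT01\tACTIVE\n"
    "Z_FN01\tZT02\tINACTIVE\n"   # deliberately deactivated by the customer
    "Z_FN02\tZT10\tACTIVE\n"
    "Z_FN02\tZT10\tACTIVE\n"     # duplicate row
)
DELIVERED = (
    "FN01\tZT01\tACTIVE\n"
    "FN01\tZT02\tACTIVE\n"
    "FN01\tZT03\tACTIVE\n"       # action added since the last rule set update
    "FN03\tZT20\tACTIVE\n"       # function added since the last rule set update
)


def read_rows(text, columns=3):
    """Parse tab-delimited text into tuples; reject rows with a wrong column count."""
    rows = []
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for number, row in enumerate(reader, start=1):
        if not any(cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != columns:
            raise ValueError(f"line {number}: expected {columns} columns, got {len(row)}")
        rows.append(tuple(cell.strip() for cell in row))
    return rows


def to_namespace(function_id, prefix=PREFIX):
    """CONCATENATE step: prefix an ID unless it is already in the namespace."""
    return function_id if function_id.startswith(prefix) else prefix + function_id


def index_rows(rows, prefix=PREFIX):
    """Return ({(function, action): status}, duplicate keys); counting is the COUNTIF step."""
    counts, status = Counter(), {}
    for function_id, action, flag in rows:
        key = (to_namespace(function_id, prefix), action.upper())
        counts[key] += 1
        status[key] = flag.upper()
    return status, sorted(key for key, n in counts.items() if n > 1)


def merge_report(custom_rows, delivered_rows, prefix=PREFIX):
    """VLOOKUP step in both directions, plus a status comparison for shared records."""
    custom, custom_dupes = index_rows(custom_rows, prefix)
    delivered, delivered_dupes = index_rows(delivered_rows, prefix)
    shared = custom.keys() & delivered.keys()
    return {
        # Delivered records missing from the customized set: candidates to add.
        "to_add": sorted(k + (delivered[k],) for k in delivered.keys() - custom.keys()),
        # Records only in the customized set: customizations the merge must keep.
        "custom_only": sorted(custom.keys() - delivered.keys()),
        # Same record, different status: decide by hand, never overwrite blindly.
        "status_conflicts": sorted(
            (k, custom[k], delivered[k]) for k in shared if custom[k] != delivered[k]
        ),
        "duplicates": {"custom": custom_dupes, "delivered": delivered_dupes},
    }


if __name__ == "__main__":
    report = merge_report(read_rows(CUSTOM), read_rows(DELIVERED))
    for section, entries in report.items():
        print(section, entries)
```

The status_conflicts list is the one to review by hand: an action the business deactivated on purpose should not become active again just because the newer file lists it as active.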

In Offline Workflow Process, a generic dump happens when delivering the PDFs to the recipients. In ST22, we can see the following Short Dump:


This short dump does not say what the issue is or how to resolve it. Below, I have separated the different issues I found for this generic message and how to resolve each one:

Possible causes and solutions:


Valid E-mail address:

    • The users who receive the work items do not have a valid e-mail address in SU01. The e-mail is not delivered and the number of dumps in ST22 is huge.
    • More information on how to find the recipients or senders without e-mail address on the link: http://wiki.scn.sap.com/wiki/x/QwEjFg
    • SOLUTION: All the recipients and senders must have a valid e-mail address in SU01

Risk Management Inactive:

    • If you do not use Risk Management (you have disabled the application in SPRO), you can have an authorization issue when submitting the PDF to the users (a sub process assignment for example). The issue will not be visible so the same message will return (assertion_failed) in ST22.
    • SOLUTION: The following SAP note must be applied -> 1998579 - ASSERTION_FAILED in CL_GRFN_OWP_DELIVER




    • ABAP program name: GRFN_OWP_SENDER is scheduled with program name as GRFN_OWP_SUB_JOB_SENDER. The program will be cancelled as there is no Work Item to be delivered.
    • Error message is: Failed to load header of work item
    • More information on how to find this error message on the link: http://wiki.scn.sap.com/wiki/x/mYI5Fg
    • SOLUTION: cancel the background job GRFN_OWP_SUB_JOB_SENDER and leave just GRFN_OWP_SENDER



No Physical Content:

    • Physical content not found for document is the error message
    • It means that the file requested is not available or not found in the client.
    • SOLUTION: Users must check the file name and content in the system.


Adobe Services:

Failed to get OWP sender e-mail address:


  1. Execute the transaction "SPRO".
  2. Navigate through Governance, Risk and Compliance -> Process Control -> Offline Work Process -> Configure Email Inbound Process.
  3. Insert a row with Communication Type as Internet mail.
  4. Enter a valid Email Address in the recipient address column.
  5. Enter the document class as "*".
  6. Enter the Exit name - "CL_GRFN_OWP_DELIVER".
  7. Enter the call sequence.
  8. Save the settings.

GRC 10.0 - GRC Request with both System and Role Line Items


The most common question I have come across in this forum is how to handle GRC requests with both System and Role line items. As a system will not have any owner associated with it, the SYSTEM line item should be moved to the NO STAGE path and the remaining roles should follow the regular path.



The end user logs on to GRC and adds both System and Role line items to the request.


1. Create a BRF+ Initiator decision table as shown below to send the System line item to the NO STAGE path once the request is raised.



2. MSMP configuration should look as shown below.





Once the above configuration is done, if a request has both system and role line items, the System line item will go to the NO_ROLEOWNER_PATH and the roles will go to the regular path.


Recently, I came across a unique issue where I was not able to transport the SoD rule set across the clients.


  • SoD transport issues with GRC AC10.0 SP14

While creating the Transport Request as Customized, the system was throwing an error and asking to create the Transport Request as a Workbench Request (I understand you would all be as amazed as I was). It doesn't really require creating a WB-TR to transport SoD across clients, but just to give it a try I created one (WB-TR); then the system started behaving in a strange way: it didn't even allow me to enter the WB-TR.

Transport issues.png


After a couple of tries and some struggling, and in the absence of any supporting solutions on SDN/SCN/Google, I decided to reach out to SAP.

They provided the SAP Note: , but for the system version GRCFND_A - SP14 and SAPNW 740 with version11, and as I was on version10 I couldn't apply it, so I then requested SAP to provide the compatible note, which I got today and which was in fact released as of today. The SAP Note: 1991730 - Not able to create transport for SoD Rules after upgrading to NW 740 SP04 AC 10.0 (http://service.sap.com/sap/support/notes/1991730). So now I am finally able to rectify the original issue with transporting SoD rule sets.



  • SoD Transport issues with GRC AC 10.1 SP04/05

For those who are on AC 10.1 with SP04, I am sure they will encounter similar issues whilst transporting the SoD rule sets across clients/systems, as I did.

Getting no solution from anywhere, I decided to reach out to SAP seeking a solution, and it was a quick and perfect one. They recommended implementing http://service.sap.com/sap/support/notes/1968082


This note is applicable to GRC AC 10.1 with SP04 so is for SP04


I had almost forgotten to update this information until now, when I saw a thread claiming to have encountered the same issue.

Thinking this could be new/helpful to others, I am sharing it with you.



Ameet Kumar

A large amount of time during a SAP GRC project will be spent on defining processes and responsibilities. My suggestion is to think in lifecycles to get a better understanding of the processes and of who takes over the responsibility.


In this post I would like to clarify the lifecycle of user assignments to firefighter IDs. I have grouped it into four steps: Assign, Usage, Delete and Review. For each step, please see the expected tasks and who is involved. Please see also my blog post about the Firefighter ID lifecycle if you are interested in more information in this regard.

The RACI matrix shows who is Responsible, Accountable, Consulted and Informed for each step. Please be aware that this depends very much on the point of view and can be different in your organization. My considerations are common sense and based on thinking in smooth processes throughout a global enterprise.



Assignment of User to Firefighter ID



  • Request FF ID assignment
  • Define validity of assignment
  • Assign user to FF ID
  • Define FF controller and method of notification


Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible




Usage of Firefighter ID



  • Usage of Firefighter
  • Check Firefighter logfiles


Involved functions

  • Firefighter ID user
  • Firefighter controller




Deletion of Firefighter ID assignment



  • Delete Firefighter ID assignment


Involved functions

  • Firefighter owner
  • SAP GRC responsible




Review of Firefighter ID assignment



  • Review if Firefighter ID assignment is still correct
  • Define actions if necessary


Involved functions

  • Firefighter owner
  • Firefighter controller
  • SAP authorization team
  • SAP GRC responsible



Please contribute and share your opinion as a comment to improve the quality of this document.


Thanks and regards,


Knowledge, Skill & Performance Assessments and Tests are more critical than ever, especially within such industries as Utilities, Financial Services, Public Sector, and High Tech where knowledge needs to be assessed through testing and certifications on a regular basis.

Regulatory bodies and their requirements on such testing and assessment vary by industry and country. Some examples: FDA Compliance (21 CFR Part 11), SOX (Sarbanes-Oxley), OSHA (Occupational Safety and Health Administration), AGG (Allgemeines Gleichbehandlungsgesetz) or GMP (Good Manufacturing Practice).


SAP Education recently added the assessment technologies powerhouse Questionmark to its portfolio under the brand SAP Assessment Manager, so I thought this might also be of interest for the GRC Space on SCN.


Please find here a selection of information sources on the general background as well as on the SAP Assessment Manager:

  • Intro Blog to SAP Assessment Manager with press release, video etc. by Stewart Davis
  • Blog post on "Making a business case for “testing out” of training/ Online assessments in compliance #1" by John Kleeman
  • If you want to see customer case studies, demos and further details, please register for one of our webinars. The first one is in German, taking place this Friday at 14.00 and accessible here. Further English-language webinars will follow.


Hope this info was useful. Please use the comments section to share your feedback and questions.

A large amount of time during a SAP GRC project will be spent on defining processes and responsibilities. My suggestion is to think in lifecycles to get a better understanding of the processes and of who takes over the responsibility.


In this post I would like to clarify the lifecycle of Firefighter IDs. I have grouped it into four steps: Create, Change, Delete and Review. For each step, please see the expected tasks and who is involved.

I have additionally added the RACI matrix to show who is Responsible, Accountable, Consulted and Informed for each step. Please be aware that this depends very much on the point of view and can be different in your organization. My considerations are common sense and based on thinking in smooth processes throughout a global enterprise.



Creation of Firefighter ID


  • Define the necessary access rights of the FFID
  • Define the responsibilities (Ownership, Controller)
  • Create Firefighter ID


Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible
  • Business role owner



Changing of Firefighter ID



  • Define the necessary changes in access rights
  • Define changes in responsibilities (Ownership, Controller)
  • Define changes of Firefighter ID (e.g. validity)


Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible
  • Business role owner



Deletion of Firefighter ID



  • Delete the Firefighter ID
  • Document the decision of the deletion
  • Archive the associated firefighter log files


Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible



Reviewing of Firefighter ID



  • Review validity
  • Review firefighter ownership and controller
  • Check proper access rights


Involved functions

  • Firefighter owner
  • SAP authorization team
  • SAP GRC responsible
  • Business role owner



If you want further information or want to contribute to this blog post, do not hesitate to contact me or reply to this post directly.

Process Control is totally dependent on the standard frequencies and timeframes provided by SAP in General Settings -> Key Attributes -> Maintain Timeframe frequencies/Maintain Timeframes. When creating custom timeframes, customers need to keep frequencies always active and timeframes always available if any task was previously created with a specific custom timeframe.



When a plan is created, it is dependent on the timeframe chosen. Every time users open the planner, all the tasks are validated according to the timeframe chosen at their creation.



Sometimes an ASSERTION_FAILED dump is raised by the system, highlighting class CL_GRFN_API_TIMEFRAME and method GET_FREQ, when accessing the planner.


If you face the symptom described above, you can check the following SAP note:



SAP Note: 1970216: ABAP Dump when accessing Planner



If it was not possible to find the missing or inactive timeframe, there is a wiki page which explains how to find it:




