Rafael Guimbala

My First Firefighter

Posted by Rafael Guimbala Nov 27, 2015

The main goal of this Screen Personas flavor My First Firefighter, is to provide the GRC Access Control administrator with diagnostic of firefighter configuration. The flavor collects firefighter configuration data and compares to expected value for a correct behavior. This comparison result into a detailed log to assist GRC administrators with a root cause analysis.


Here is an image of the flavor:





First you need to have screen personas in your system, for more information please click on the link below




After the validation of screen personas, follow the steps on the link(Importing Flavors - SAP Screen Personas - SAP Library)  to import the flavor in SAP Note mentioned in the end of this post.



The flavor have the following features:





  1. Press Ctrl + * in order to retrieve system information from many System
    -> Status.




  1. Type the target connector name in order to test the connection through SM59
    (connection and authorization test). The configured integration scenario will
    also be tested:


  • In case of success: Move to the next test
  • In case of failure: Go to SM59 and fix
    the connection error




  1. User type, user password and user timezone are checked


  • In case of success: Move to the next test
  • In case of failure: User type must be of
    type 'Dialog' or 'Service'. Firefighter user must not have initial password and
    his time zone must be the same timezone of the system.




  1. Press the button to check the name of the firefighter role as well as if the
    firefighter workflow will trigger after the session ends:


  • In case of success: Firefighter role and parameter 4007 of SPRO configuration is shown.
  • In case of failure: Parameter 4010 must be adjusted according to the
    Firefighter role




  1. GRC text object must exist in SE75. Press the button to check whether the
    GRC object is inserted in tables TTXOB,TTXOT,TTXID and TTXID.
  • In case of success: Move to the next filed
  • In case of failure: SAP note 2058516 manual steps must be followed to run a
    script which inserts the GRC objects into these tables




  1. Type the firefighter ID in order to compare system and firefighter ID time


  • In case of success: Move to the next test
  • In case of failure: Change the
    firefighter ID time zone to the same as the system time zone




  1. Upon pressing the button, firefighter job schedule is checked in table
    GRACTASKEXECSTMP. Also, the jobs are checked for today in SM37.
  • In case of success: This information will return the firefighter schedule of
    program GRAC_ACTION_USAGE_SYNC. This program must run hourly to avoid
    performance and time out issues.
  • In case of failure: Firefighter background job is not scheduled and must be
    scheduled through SM36 for the target connector (instructions). Check the status
    of the job. If cancelled, provide instructions.



For more information and also a video of the flavor please check SAP Note 2157307 - Screen Personas - Firefighter Log Sync Update [VIDEO]



Feedback and ideas of new flavors are much appreciated!

The main goal of this report is to provide the GRC Access Control administrator with diagnostic of LDAP
connection and configuration. The report collects LDAP configuration data and compares to expected value
for a correct behavior. This comparison result into a detailed log to assist GRC administrators with a root cause analysis.

*This is only a diagnostic tool, the LDAP on GRC can still present other issues even if all the items are checked*


  1. How to Install LADT:
    In transaction se38 create a new Z report named ZLADT_LOG type include.
  2. Copy the file log.txt source code into the report, save and activate.
  3. In transaction se38 create a new z report named ZLADT type executable program.
  4. Copy the file main.txt source code into the report, save and activate.


How to operate LADT:

  1. In transaction se38 choose report ZLADT and execute.
  2. In the field Ldap Connector, insert the LDAP connector that want to test and run the report.


The result log shows 3 types of messages:


1)    A success message will show status “OK” and it means that the step is
correctly configured.


2)    A warning message will show status “Attention” and it means that one or
more optional steps are not configured correctly. This message shows a return
code, which can be interpreted in the next section of this note to implement the
optional steps.


3)    An error message will show status “Error” and it means that one or more
mandatory steps are not configured correctly. This message shows a return code,
which must be interpreted in the next section of this note to implement the
optional steps.


Please refer to the following procedures to correct the error.


CODE 00000 - Check your LDAP configuration according the error message.


CODE 00001 - Set program id equal to RFC ID in SM59 as below:


Code 00002 - Maintain a server for the LDAP Transaction:


CODE 00003 - Assign the LDAP Connector to a connector group:


CODE 00004 - Assign integration scenario AUTH in SPRO for LDAP connector:


CODE 00005 - Assign integration scenario PROV in SPRO for LDAP connector:


CODE 00006 - Assign integration scenario AUTH in SPRO for LDAP connection type:



CODE 00007 - Set application type 12 to LDAP connector:

CODE 00009 - Change the application type of LDAP connector to 12:


7 8 9.jpg


CODE 00010 - Set application type 12 to LDAP connector group:

CODE 00011 - Active LDAP connector group:


CODE 00012 - Change the application type of LDAP connector group to 12:


10 11 12 .jpg


CODE 00014 - Check the ldap field mapping for action 0003, make sure that all fields are set for LDAP connector and SAP:

CODE 00016 - Check the ldap field mapping for action 0004, make sure that all fields are set for LDAP connector and SAP:


14 15 16 17.jpg


CODE 00015 - Maintain field mapping for LDAP connector action 0003




CODE 00017 - Maintain field mapping for LDAP connector action 0004


CODE 00018 - Maintain connector type as LDAP

CODE 00019 - Maintain attributes for LDAP connector


(*This image is only illustrative, please check with your basis team your user path)

CODE 00020 - Maintain LDAP connector as a user search data source (not mandatory).



CODE 00021 - Maintain LDAP connector as a user detail data source (not mandatory).



CODE 00022 - Maintain LDAP connector as user authentication (not mandatory).


CODE  00023 - Maintain LDAP connector as end-user authentication (not mandatory).





Your feedback is welcome! Feel free to share your impressions of the program in the comments box.



The purpose of this blog post is to explain the about the different Access Request tables and how these tables can be utilized in order to prepare reports as per your requirements:


1. Request Reason


Request reason is stored in SAPscript, with Text Object as "GRC" and ID as "LTXT". You can use standard SAPscript Function Module (READ_TEXT) to fetch request reason of a GRC request by passing the "TEXT" value to the Name field. This TEXT value can be fetched from table STXH


e.g: ACCREQ/00155D08DA361ED2A1BD201C710165A5/LONG_TEXT (For access requests ACCREQ/RequestID(GRACREQ Table)/LONG_TEXT





2. Request Comments



Request comments also are stored in SAPscript, with Text Object as "GRC" and ID as "NOTE". You can use standard SAPscript Function Module (READ_TEXT) to fetch comments of a GRC request by passing the "TEXT" value to the Name field in the same way as done above for request reason. This TEXT value can be fetched from table STXH.

e.g: ACCREQ/00155D08C4051ED4BDFDEF53EC12C0D7/20150511151344 (ACCREQ/RequestID(GRACREQ Table)/XXXX)

3.  GRACREQ - Request details table

This table will provide the information about Request ID, Request Type, Request Creation Date and Request Priority

4. GRACREQUSER - GRC Request User details table

This table will provide the information about user for whom GRC request has been raised and provides details about User ID, User First Name, User Last Name and User Email ID

5. GRACREQPROVITEM - GRC Request Line Item Details

This table will provide the information about the request and the below Line Items in the request with their corresponding VALID FROM and VALID TO dates.




Fire Fighter Id



PD Profile

FireFighter Role

6. GRACREQPROVLOG - GRC Request Provisioning Logs

This table will provide the information about the request and the Line Items in the request with their provisioning status (Success or Failure or Warning)


7. GRFNMWRTINST - GRC Request Instance Details

This table will provide the information about the request and its corresponding instance status.

8. GRFNMWRTDATLG - GRC Request Approval Status

Get the details of Instance ID from GRFNMWRTINST table by passing the request number in "EXTERNAL_KEY_DIS" field. Based on the Instance ID you can get the details of each Line Item approval status in the request, Path ID, Stage Sequence Number and Approver User column in this table gives the details of the approvers.

Based on Path ID you can get the stage details by using the tables "GRFNMWCNPATH" and "GRFNMWCNSTG"

9. GRFNMWRTAPPR - Current Approver for Request Line Items

This table will provide the information about the request and current approvers for corresponding Line Items in the request.



These tables will provide the information about the roles and their corresponding role owners maintained in BRM.


11.  HRUS_D2 - Approver Delegation Table

This table will provide the information about the delegated approvers in GRC


These tables will provide the information about the default roles maintained in GRC.



Looking forward for all your inputs in improving this blog by including additional table details (if any missing)


Thanks for reading.


Best Regards,

Madhu Babu Sai

Dear all,


This document will gives you overview about master data (ex:Controls) change workflow in GRC Process Controls


Central controls are created for sub processes under Business Processes



Once controls are created, if you open



If change master data workflow activated, SAVE button will disabled and Request change button will appear



SPRO configuration:

First activate master data object for which you required workflow

SPRO>GRC>Shared master data settings>Activate Workflow for Master Data Changes





If we do changes in central controls then workflow will trigger for change approval and notification

Now maintain Custom Agent Determination Rules for entity: XCONTROL

SPRO>GRC>General Settings>Workflow> maintain Custom Agent Determination Rules




NOTE: Correct role selection is very important for business event and map with correct entity id, select notification business event if notification required.

Now go and change for control in NWBC, once you click on Request Change button, you get error



Reason: Not maintained user in fallback receiver

SPRO>GRC>General Settings>Workflow> Maintain Fallback Receiver




Now try the same from NWBC

  Once you click on Request Change for control, it will ask for change request


Provide details and click OK, will get the below message.



Reference:Master Data Change Request Workflow - Governance, Risk and Compliance - SCN Wiki


pc:No Approver Found. Request Change is not possible.


Hope it helps for others.




Dear all,


This document will give you overview of creation of regulations and how to assign to sub processes.


Regulations and Policies are provides visibility into your compliance framework and access to end-to-end policy management

Regulations are assigned to Sub process, controls, IELC (Indirect Entity-Level Controls), Policies and Ad-Hoc Issues, which are assigned to organizations.

Regulations will be part of master data



We can create Regulation group,Regulation and Regulation Requirement




Creation of Regulation Group




Provide the details and click on SAVE



Once regulation group has been created, then create Regulation

Select the regulation group and click on Regulation to create




Provide the regulation name, description and select the Assign regulation configuration from drop down.

Assign regulation configuration will be maintained in SPRO

SPRO>GRC>Process Controls>Multiple Compliance Framework>configure compliance Initiatives







Select the Assign regulation configuration from drop down, click on save


Now regulation will created under regulation group




Select the regulation and create regulation requirement



Provide the details and Save



Now select the sub process from Business Process to assign the created regulation





go  to regulations tab


click on Add to see and select the regulations and Save the sub process.




Logos 10-1-2015 3-43-36 PM.png

SAP TechEd 2015 in Las Vegas is just two short weeks away. Have you created a personal agenda yet? Mine is still a work in progress, already jammed with double and triple- booked times, but there are some things that I can recommend with certainty. Most importantly, do create a personal agenda. No matter how busy you are, it is worth spending some time browsing the sessions both by the tracks and by some keyword searches. Every year I find some security-related  sessions in other tracks, so it is time well spent. It is also OK to double book your agenda, in case a session cancels or is not what you expected.


So what is in my personal agenda? First, let me back up to something not in my own agenda, but everyone should at least consider: the ASUG pre-conference sessions. Depending on the projects ahead at your organization, there could be something to give you a great deep-dive start to the week. Be sure to check them out in this post by Tammy Powlas :

Jump Start SAP TechEd Las Vegas with ASUG Pre-Conference Hands-on Sessions


OK, back to my own agenda. Here are some recommendations for you to consider adding to your own agenda:


1. GRC Access Control Sessions. I am so pleased to see such a variety of sessions on GRC Access Control at SAP TechEd this year. This has been a quest of mine for several years now, to get more content in this area into the program.  If Access Control is something you are implementing or already support, be sure to consider these presentations:

SEC110 - Upgrading SAP Access Control and other GRC solutions from 10.0 to 10.1. My organization has not yet upgraded to 10.1, so I am very much looking forward to the lessons learned and other content of this ASUG education session.

SEC208 - SAP Access Control Customer Connection: Co-Innovation for the Win. This is my own presentation, so of course I am excited about it. Come to this session to hear about the improvements to SAP Access Control,  some  already delivered and some still in progress, that came out of Customer Connection projects, and learn about what is ahead.

SEC160 Hands-On Lab: An Introduction to using Key Features of SAP Access Control. A hands-on session on GRC Access Control- woo hoo! I have been begging for this for years. Access Control 10 has so much functionality that you may not have implemented all of it yet. This is the perfect opportunity to get hands on-time in several areas. If you have not yet signed up for your Hands-On sessions, get going, they are filling up.

SEC807 Road Map Q&A SAP Access Control. This is our chance to hear about the road ahead for this solution and ask questions of the product owner.


2. Security sessions. The security track covers a lot of ground; depending on the solutions in use at your organization, some of these sessions are likely to be more applicable than others, so be sure to browse both sub tracks of the Security track. Some of the sessions in my agenda:

SEC107 "Access"ing Your SAP Security Data. This session includes an intro to SAP Security, so if you are just starting out in SAP security, this ASUG education session will be great for you. As for me, I am looking forward to hearing about using Microsoft Access to manage security data.

SEC206 Deploying SAP Fiori to meet the Needs of Your Current Security Model.  My organization is not yet using Fiori, but surely it is just a matter of time, so this is another ASUG education session on my list.


3. ASUG education sessions. The ASUG sessions already mentioned are just a sample of the TechEd content brought to you by ASUG's TechEd Design Team: Tammy Powlas, Kristen Dennis, Kevin Comegys, and me, along with our SAP Point of Contact Peter McNulty. We have been hard at work since before ASUG/ SAPPHIRE to bring you the best possible content from ASUG members. You can find it in the session catalogue under the Source filter. Some of the other ASUG sessions in my agenda are:

TEC122 Building the Business Case for SAP Business Suite powered by SAP HANA

INT110 Secure Integration to the Cloud: Connecting On-Prem and Cloud Applications

BA122 It Isn't Only Brain Surgery: SAP HANA and SAP BusinessObject BI Solutions.


4. Expert Networking sessions. These may be the hidden gems of SAP TechEd, your place to meet with SAP Mentors, presenters, product managers, and your peers.  I am hosting two Expert Networking sessions in the SAP Mentors Lounge, EXP 27263 on Tuesday at 1:30 PM, and EXP27262 on Thursday at 10:30 AM, and I hope to see a lot of the regulars from the GRC and Security spaces on SCN as well as ASUG members there. To find the Expert Networking sessions and add them to your personal agenda, do a search with a filter on Session Type> Networking session.


5. Evening Events. After a long day of lectures, labs, road maps, and chatting with the experts, it is great to kick back and network in a more informal way. Be sure to attend the Networking event on Wednesday, starting at 6:00 PM on the show floor. The SAP Fiori Jam Band will once again lead the way and rock out Las Vegas. Come and sing along with us! Photo courtesy of SAP photographers.




Hope to see you all there!

Hello GRC Community,




Some customers are facing a dump when trying to synchronize the authorizations between BRM and PFCG,




And if you check the st22 there is a dump like the one below:




Category                             ABAP Programming Error
Runtime Errors                   SAPSQL_ARRAY_INSERT_DUPREC
Except.                               CX_SY_OPEN_SQL_DB
Program ABAP                   CL_GRAC_MODEL_ROLE============CP
Application Component      GRC-AC
Date and Time                    XX.XX.XXXX XX:XX:XX


|Short Text                                                                                       |
|    The ABAP/4 Open SQL array insert results in duplicate database




To solve this dumps please follow the steps:



For more information please access KBA 2214288


Thanks and Regards,



Rafael Guimbala

Scenario: HR Trigger requests make use of the same workflow notification as other Access Control requests. Customers may want to disable notifications when the request is created by HR Trigger, and all other requests should continue to generate notifications normally.


How can customers disable email notifications for HR Trigger requests only?


Solution: This can be achieved by following the steps below:


1) Create Enhancement Spot/BADi per Note 1589130 or per Note 1727135. You can also apply both notes and merge the code.


2) Thereafter, customized code can be done in method SEND_OVERRIDE of the BADi's implenting class. It is a stable solution and does not get overwritten by SP upgrades.


The customization code attached is a suggestion that has been tested in my internal system as works effectivelly.


In my sample code, I am suppressing e-mail notifications for HR Triggers that create request type 23.




Please note that you need to replace the request type 23 with your own number based on you HR actions maintained in SPRO.


Navigate to SPRO>...>Access Control>User Provisioning>Maintain Settings for HR Triggers,


If you would like to suppress e-mail for more than one action triggered by HR, then you need to slightly modify the sample code to achieve it.


Hope this is useful!

Scenario: all the workflow e-mail notifications should be sent in English, regardlless of the language of the users (approvers, requestors, etc).


If you have such requisite from your business, what is the easiest way to achieve it?


No, you do not need to translate each and every single document in SE63 to English to achieve it.


The easiest way is to customize one of the Enhancement Spot/BADis available for workflow notifications.





1) Create Enhancement Spot/BADi per Notes 1589130 or per Note 1727135. You can also apply both Notes and merge the code.


2) Customize the method SEND_OVERRIDE by adding one line of code, demonstrated in the screen print below. In this example I am customizing the BADi for Delegees, but the customization can also be added to the BADi for Multiuser notification. If you have both BADIs created, you will customize the merged method SEND_OVERRIDE (which will have code for both BADis, merged).





Now, all the GRC Access Control workflow e-mail notifications will be sent in English, regardless of the language of approvers, requestors, users, etc.


Hope this is useful!

Some little tips about Manual test Plans

There was a migration of info types during the transition of GRC support packages to enable multilingual test steps in the test plan.



I started the scenario using a system with the following configuration:


  • GRC 10.1 SP level 06.



The test steps are stored in table HRP5327:




The manual test Plan is stored like any other object in HRP1000:




A system upgrade was performed. Now my system configuration is like below:


  • GRC 10.1 SP level 09.



In NWBC, the test plan is created:




However, my test steps are not there anymore:


test steps.PNG


If I create manually a new test step, it will show up in the grid.


New test step added:


new test step.PNG


Checking again in table HRP5327, the object is not there. However, the object was stored in table HRP5355.



new test step.PNG


Do not add any new items manually before executing the program.



In this case, a copy from the old database must be performed to copy all existing test steps to the new database.


The program GRPC_UPLOAD_HRP5327_TO_HRP5355 must be executed.




The second step is to choose a language. You can run in simulation mode for the first time.




Execution was successful:




After the execution, the record was moved to table HRP5355.





The test steps are shown in the front-end again:


test plan after migration.PNG



The steps mentioned above can be found in SAP note 1949265 - GRC PC: How to enable multilingual test steps in test plan.





After the GRC 10.0 SP-14 / 10.1 SP-07 implementation, the program GRPC_UPLOAD_HRP5327_TO_HRP5355 must be executed only once to copy all existing test steps from old database table HRP5327 to new database table HRP5355.


MDUG is uploading the objects into table HRP5327.

To resolve it, implement the note below:


- 2124607 to use MDUG to upload test step data after 10.0 SP-14 / 10.1 SP-07 upgrade.

Test Steps Missing in a Test of Control Effectiveness:

To resolve it, implement the note below:

2181730 - Test Step missing when user opens the workitem for test control effectiveness

Take a scenario: Where you have a requirement for


1) User Authentication data source is LDAP

2) User Details Data source is HR(for Manager)

3) SAP User ID is stored in physical attribute in LDAP.

4) HR system infotype 0105 subtype 0001 stores SAPID

5) HR system infotype 0105 subtype 9000 stores domain id



Whenever a user is authenticated in LDAP using SAMACCOUNTNAME the same is passed to HR for details data source information and it also gets validated against Infotype 0105 subtype 0001 to obtain manager and other details.


When SAMACCOUNT id is passed and SAP ID in infotype 0105 and subtype 0001 is stored, it will not match.


Hence a development on target system has to be made where it can validate against infotype 0105 subtype 0001 in /GRCPI/CL_GRIA_USR Method is GET_USR_DETAILS

Now the details can be fetched for access request.


Since the requirement is authentication data source is LDAP.

And SAP ID is stored in physical attribute and Manager should come from HR system.

You have to remove Manager mapping for LDAP in maintain mapping for connector and connector group.

And Enable below parameter.


Access request validations           5023            YES     Consider details from multiple data sources for missing user details in access request

In Data Source sequence for User details keep LDAP above HR.


It will fetch all details from LDAP and change the SAP User ID in Access Request form.


Fill other details from HR system including Manager.




Troubleshoot your issue at your own! - Try Component Specific Questions (CSQ) for faster resolution.


CSQs are the set of suggestions which put forward the latest KBA,Notes,WIKI docs, blogs and videos to serve you a quick resolution for the customer. The CSQ section appears right after business Impact section while creating the Incident with the heading 'Questions Specific to the selected application area'.
See below:




When the customer attempts to create an incident at SAP Service Market Place or via Solman and selecting a component, a set of customized recommendations and specific questions are prompted. With this, you will be immediately led towards a potential solution without sending an incident to SAP Support. This way, it helps you finding the resolution of your issues faster minimizing the overall time and effort for both the parties. Therefore, we always encourage customers to ensure that they are mentioning the correct component to get with the right set of CSQs for the specific issue area, else you will not get appropriate results for resolution. These CSQs are specific to each GRC component and their sub-components i.e, Access Control CSQs are different from Process Control/Risk Management and so on, and further they are categorized by their sub-components – Access Request Creation(ARQ), Access

Risk Management(ARA), Business Role Management(BRM), Emergency Access Management(EAM).






It is a generic text which is displayed for a particular component. Now, it becomes the action item for the customer to look for the most appropriate answer as per the business requirement. For example, CSQs for ARQ- there are categories like Notifications, workflow, provisioning, Password self service, Model user, dumps etc. Therefore, customer will have to check the particular area their issue belongs to. If they find a relevant solution and it resolves the issue, they can skip creating the Incident further and leave Incident wizard without saving. Otherwise, please continue with Incident description and add other related things to complete the Incident helping our engineers understand your issue more effectively.


Similarly, there are CSQs for process Control, Risk Management and Sustainability Performance Management. Going forward, Audit Management/Fraud Management CSQs will also be updated in their Incidents.


These CSQs are updated every quarter consisting the details of latest code corrections/hot fixes via Notes/KBAs, WIKI documents, blogs at SCN forum and additional quick updates. This is a really easy and quick way of troubleshooting your issues at your own prior to sending the Incident to SAP Support. This helps finding the solution at a very short span of time.

Dear All,


With continuous to how to create a risk in risk management Creation of Risk in Risk Management GRC V10.0


This document will gives you how to create/use key risk indicators tab in Risk



We can create two types of KRI

Standard KRI Instance

Manuel KRI Instance




Click in create standard KRI instance

It will ask for KRI instance Name and KRI Implementation



How to create KRI Implementations

KRI implementations can be created under Key Risk Indicators link




Click on KRI Implementations to create


To create KRI Implementation we need KRI template

How to create KRI template






Click on create button to create KRI template



Provide the KRI template name and select Value type from drop down



To select other details like system, Business process and Component

We need to go back to SPRO for maintenance

SPRO>GRC>Risk Management>Key Risk Indicators






Click Save to create KRI Template

Now created KRI template will be available in KRI template catalog like below



Now we can select the KRI template in creation KRI implementation



Provide KRI Implementation Name and select the created KRI template from F4




Select the connector type from drop down

Connector types are configured and maintained in SPRO



Maintain the connector names with system in Maintain Connectors and select connector type




Maintain the script for SAP table, where we need to provide the SAP table name.



Once we select the connector type, then connector and script field will be populated



Don’t save now, it will give error



Now go to Implementation details tab

In this tab we can select required fields for output value with options



Now Save

The created KRI implementation will be available in KRI Implementation catalog




Now we can use the created KRI implementation in Risk at Key Risk Indicators tab




Provide KRI Instance name and select the KRI implementation from F4 list

Select monitoring frequency, time frame then only Test Instance button will be enabled.



Now you can Activate KRI Instance, it will be available in Key Risk Indicators tab of Risk




We can create business rules for created KRI instance.

If you click on request localization of KRI instance then we cannot create business rules.

Status will become Localization Requested and Create button will be disabled.



Select the KRI Instance and Open

Click on Complete



Now status will change to Localized



Again Select the KRI Instance and Open

Click on Confirm



Now status will change to Active







Dear all,


We are using GRC system as central system for access request to users from different entities with different composite roles (The roles are created based on Business process and entity)


Approvals based on Functional area, Business Process and Company


Access request type: New


FI (Business Process) - XXXXXXXXXXXXXX (Composite role)-ABC Specific to Company/Entity-Approver A

FI (Business Process) - XXXXXXXXXXXXXX (Composite role)-DEF Specific to Company/Entity-Approver B


Approver Agent rule is based on business process, Functional area and Company in access request






Go to BRF+, select the application click on Activate button



Now close the BRF+

Go back to Generate MSMP Rule for process screen and re execute the same.

Now open tcode BRF+

Select the application, right click on it and select COPY




Click on COPY

Now Application ZAPPROVER_BP_FA101232 is available for us to use which is in inactive status


Now create decision table from application by right click on application




Click on create and Navigate to object


Now select the Result data object as GRFN_MW_T_AGENT_ID


Where T indicates for table


Now go to Condition columns select from context data objects from insert columns



Select Functional area,Business Process and Company


Click on OK




Click on Insert row   to provide values for table contents



Select Direct Input value for Function Area



Select the value from F4 (It will show the values which are maintained in SPRO)


SPRO>GRC>Access Controls>Role Management>Maintain Functional Areas





Function are can be anything it is just for identification of role in BRF+


We can define the companies in SPRO

SPRO>GRC>Access Controls>Role Management>Define Companies


Now the maintained functional areas will be appear in BRF+ to provide direct value input for functional area.



Select the functional area, relevant business process and company with required approver in USER ID field



Now check, Save and activate the decision table.


Now go to Function and select the decision table in Top Expression



Now check, Save and Activate the Function.

Function rule id will used in MSMP for agent rule to approve

  Rule ID: 40A8F0333BE91ED58F82621E018D40D7


Now approval will be triggered based selection of Business Process, Functional area and company (under user details) in access request


Hope this is useful if anyone has same/Similar kind of requirement.





Dear all,


The overview of this document is creation of risk in risk management with basics.

Hope it is helpful for others.


The prerequisites to create a risk we need to create required organization units and relevant risk categories

The organization units and Risk categories as created in master data work center



Risk can be created in Assessment work center.

Click on Risk and Opportunities





Click on Create to select type of risk



Where we can create different types of risks (Operational/Corporate) and Opportunity



We need to provide the risk name, select organization unit, risk category and select drivers and impacts for risk

To select the risk category from list we need to create required risk categories in master data work centers under

Risk and Responses at Risk Catalog



In master data work center we can create Risk Category and Risk Template, after creating, reflects under the classification hierarchy node and Risk Templates are created under risk category.



After providing required values we need to select Allow assignment is YES, then only we can select risk category while creating risk.

Now select the risk category for risk.



Now select, add the Impacts and Drivers


Drivers are nothing but events that could cause the risk to occur

Impacts are nothing but consequences if the risk event were to occur


We need to define Impacts and Drivers in SPRO:SPRO>GRC>Shared Master data Settings





Select Impacts and click on ADD

It will show the category and description which we maintained in SPRO


Repeat the same for drivers also.

We can assign multi drivers and impacts for Risk.


Now go to Roles tab in Risk

Initially roles tab does not show anything in role column to assign the owners



To assign role owner for risk in roles tab we need to maintain role assignment for entity in SPRO

SPRO>GRC>General Settings>Authorizations>Maintain entity role assignment




Click on Maintain entity role assignment, select the required entity with role



Now these role assignments will appear under roles tab of Risk



Now select the role and click on assign button to assign owners (we can assign single owners or multi owners also)


Now we can submit the risk

Once we click on Submit button then Risk status will be changed to active.







Filter Blog

By author:
By date:
By tag: