Because Business Roles can be defined in GRC AC 10.0, initial access can be provisioned to users across multiple landscapes with a single combined role.


However, many have asked how to update/synchronise the actual technical role assignments embedded within a Business Role that has been assigned to users via GRC.


For example, if a new R/3 role has been added to the Business role definition, how do you update the assignment for the 55 users already assigned to the Business role? It is impractical to raise a new change request via Access Request Management for all the assigned users for the same role again, as it would create unnecessary requests (and maybe agitate the approvers involved).


Thankfully, within GRC 10.0/1, it is possible to synchronise the technical role assignments via the Role Maintenance screen in NWBC, but it requires a few tweaks within the GRC system.


Part 1 Enable the hidden Methodology step “Provisioning”


Note - These steps need to be done on both 10.0 and 10.1, as the Default Methodology delivered with the SAP BC set is missing the required Step definition.


1. Go to SPRO and open the following node menu: Governance, Risk and Compliance > Access Control > Role Management > Define Methodology Processes and Steps


2. Click “Define Steps” and then “New Entries” – By default, “Provisioning” is missing from the list of methodology steps delivered with the BC set.


3. Select the action “Provisioning”, enter it as “Active” and enter the Phase text details “Provisioning”


4. Save any transport prompt

5. Under “Define Methodology”, select the methodology to update and then click “Methodology Process Step”


6. Ensure the final step “Provisioning” is added to the methodology



7. The new methodology step should be visible now within the “Role Maintenance” functionality of BRM (on NWBC side)




The “Update Assignment” button will be enabled when:

  • The Business role has already been provisioned at least once
  • The Business role has changed and technical roles have been added or removed

The button will be disabled when:

  • The Business role has not been provisioned via request yet
  • The Business role has already been provisioned at least once, but there are no users currently assigned (the Business role has been later removed from the users)



Part 2 Updating Cluster class


A runtime error has been observed within GRC AC 10.0 (not 10.1, as it seems the cluster class has been delivered correctly) when clicking the “Update Assignment” button. The error appears as follows: "Parameter has invalid value: Parameter SYST_DATE/SYST_TIME has invalid value 00000000/000000."


The cause of the issue is that the correct configuration for the provisioning background job is missing in the view cluster GRFNVC_PLUSG.

To fix this, implement the steps provided in SAP note 1837416 (described below).


1. Go to transaction code SE54


2. Click on the button “Edit view Cluster”, followed by “Test”


3. Enter the Table/view “GRFNVC_PLUSG” and click "Test"


4. Select the Node “Plan Activity for Access Management” under the Dialogue structure


5. Select Plan Usage GRAC_BRLP and double click on it.

6. Enter the correct ABAP class as "CL_GRAC_ERM_BROLE_BG". (This value may have been set up/delivered incorrectly before, hence the error).


NOTE: If the entry “GRAC_BRLP” does not exist, you can create it as per SAP note 1837416:

1. Click on New Entries
2. Enter the following fields and save:

  • Plan Usage: GRAC_BRLP
  • Activity Name: Access Control Business Role Provisioning Background Job
  • App-component: GRC-AC
  • ABAP class: CL_GRAC_ERM_BROLE_BG (SAP note 1837416 mentions CL_GRAC_BROLE_BG, but this does not work)


With this fix, you should now be able to successfully maintain and provision Business role updates to all users via the Role Maintenance screen.

SAP Notes in relation to this topic



The Business Role Methodology contains multiple steps including “Provisioning”, and under the “Provisioning” step there is an “Update Assignment” button. When a customer clicks the “Update Assignment” button, a notification is sent to all the end users to whom this business role is assigned, notifying them of the access change. But there is no way to control this notification.

The SAP note provides correction instructions that introduce a new configuration parameter ID to control whether emails are sent out to users during the "provisioning update" scenario (param ID 3029 - Send Notification to End User on Update Assignment).




It seems there is a program issue in 10.1 whereby the updates are not working correctly when a new derived role is added or an existing role is removed from the business role definition. The note seems to state that it is part of SP08 for 10.1. There is no clear indication of whether this behavior is reported or fixed for 10.0.




I presume that the fact there is no "Mass assignment" feature available for Business Roles from BRM means that there is no "Mass Update Assignment" feature available at all either (i.e. running a "Provision update assignment" job for many business roles in a single attempt). SAP suggests utilising the "Multiple User Request" option to control mass assignments of business roles.


What I like best about SAP TechEd && d-code is the variety of learning experiences available to attendees. SAP Security and GRC professionals might be surprised to learn that there is a good variety of sessions for us if you look for them.


My location: definitely Las Vegas. Not that I am a huge fan of Vegas excess, but the ASUG customer-driven content makes that the right choice for me, besides the travel time and expense being much less.


My plan: I like to fill my personal agenda with as much security and GRC Access Control content as possible, then fill in the blanks with samplings of other topics. I also plan to attend Demo Jam and do lots of networking. My agenda is still a work in progress, but here are some highlights:


ITM113 Overview of Security Features, Functions, and Services in SAP Products. You can't go wrong with a session presented by Gerlinde Zibulski, who leads the Security Product Management team at SAP. This session covers both security *and* GRC Access Control, making it a winner for me.


SEC104 Security Notes, System Recommendations, and Business Process Change Analyzer. Speaker Frank Buchholz has been presenting an excellent webcast series for ASUG on topics related to security patching, so I know he is an expert on this topic, and I look forward to learning about BPCA.


SEC260 Security Control Center by SAP Active Global Support. This session is related to SEC104. We have not yet used the Configuration Validation application at my current organization, so I hope to be able to give it a test drive in this hands-on session.


SEC834 Road Map Q&A SAP Product Security, Strategy, Features, and Functions. This road map and Q&A session is a follow up to ITM113, and Gerlinde can be counted on to answer questions with frankness and expertise, so don't miss this session for the real scoop on security, GRC Access Control and more.


SEC200 Security in Different SAP HANA Scenarios. I attended speaker Mark Hourani's overview presentation on SAP HANA Security at the ASUG Annual Conference, and I look forward to this more technical dive into it.


SEC107 SAP Access Control On Going Management and Lessons Learned. The speaker, my SAP Mentor colleague Greg Capps, has been working on GRC 10 Access Control since his organization was in ramp-up, so he already has years of lessons learned to share. This ASUG education session is a don't miss whether you have already implemented GRC Access Control or are still thinking about it.


SEC201 Implementing LDAP within SAP Access Control. Greg is also presenting this session, which will give you some ideas for improving your GRC Access Control user experience. We have already implemented LDAP with Access control, but Greg's real-world tips for making our users' experience even better will be worth hearing.


SEC203 SAP HANA Security - How Newell Rubbermaid Simplified Security Administration. Speaker Gautam Patel is Newell Rubbermaid's SAP Lead Technical Architect, and his lessons learned and leading practices are sure to be informative.


Advice to first-timers: Plan a personal agenda, but don't worry if it has scheduling conflicts. In fact, that can be a good thing: if a session you are attending is not what you expected, you can slip out quietly and head over to your alternate session. If a session is offered twice, put both of them into your agenda. Be sure to visit the Community Clubhouse and the evening events; even if you are not a developer, Demo Jam is great fun. If attending in Las Vegas, be sure to include some ASUG content in your agenda for real world case studies and lessons learned. Try to eat healthy foods and stay hydrated; it is easy to get run down with the hectic schedule and late nights, and you don't want to be so exhausted by Thursday that you miss the Huey Lewis and the News concert. You might spot some people in SAP Mentors shirts, leading networking sessions, assisting in hands-on workshops, and just chatting in the Community Clubhouse; don't be shy, come up and join the conversation. Most of us are SAP customers or partners, dealing with the same challenges at work as you are. We don't necessarily have all the answers but we look forward to meeting you and sharing your TechEd && d-code experience.

SAP recently conducted a survey on transforming internal audit management at the Institute of Internal Auditors International Conference 2014 held in London. The purpose of this survey was to explore the current status, business impact and potential future of technology in transforming internal audit. Around 150 respondents provided their input to this survey, yielding some key insights:

  • 81% consider Integration with Risk and Control management systems and/or the underlying ERM as the key capability needed in the future
  • Only 15% use integrated audit management solutions with analytical capabilities and only 14% say that current audit management/analysis tools meet all/most needs
  • 54% believe that Technology will fundamentally change how audit services are performed and how the value of those services is measured


Here is the link to a blog post as well as an infographic depicting the key findings.

If you attended Alan Jackson's performance at the 2013 ASUG/ SAPPHIRE Now Celebration Night, or if you are a fan of his, you might be familiar with his hit ballad "I'd love you all over again."

Now that we have gone live with our Governance, Risk and Compliance (GRC) 10 system, I thought I might look back over several years of such projects to ask myself, if I had it to do all over, which choices would I love all over again.


Pilot or big bang?

One choice, to do an Access Control pilot, was the option selected by one of my previous GRC 10 projects. It allowed us to get the system configured, build the Business Roles, and do a pilot of the custom request workflows, in a few short months. The downside to that choice is that everyone else stayed on the 5.3 system, so both systems had to be maintained, and presumably audited, until all the business units were brought onboard the 10.0. It was a trade-off, but they were willing to make that choice.


On the other hand, my recent project took the "big bang" approach, bringing all the systems connected to our 5.3 GRC over and going live with everyone at once. The upside was that we were able to shut down our 5.3 system soon after the go-live, reducing the dual maintenance period. The downside was that testing identified many issues, particularly with provisioning to the SAP Portal, many corrections were implemented, one connection never did work and had to be taken out of scope, and it all took much longer than planned. Now, just a few weeks after go-live, we are already living on borrowed time: the APO system was upgraded to a NetWeaver release requiring a plug-in higher than our SP level. Everything is working for now, but sooner or later, another connected system upgrade will force us to upgrade, too.


Business roles or technical roles?


The GRC 10 project I was on back in early 2012 included implementation of Business Role Management (BRM), and I blogged about that here. BRM was, unfortunately, still pretty buggy back then. I think it was a good choice given their technical role design and their access request process, but waiting for a later support pack might have made it easier.


In that client's process, anyone could submit an access request; in contrast, the process at my current organization has access requests submitted by key users trained on SAP security reporting and other tools. In theory, these folks are knowledgeable enough of the business processes at their location for the users they support, and with the tools and training, can make informed role choices. While Business Roles would probably add value to our process, we chose to continue with requesting technical roles for now, with some role mapping to ease the process, and consider implementing BRM later.


Another option is to do a security rewrite: concurrently, before, or after the GRC project? If you decide to do it concurrently, be sure you have enough resources for the multiple work streams. My first GRC 10 project went that path; in my view, having a small army of experienced internal and external resources was one of the good decisions, along with ensuring good executive support.


If your rule set is in good shape, maybe you want to do your security rewrite ahead of the migration to GRC 10, either with a pilot or big bang. If you lean towards a pilot, be certain that your pilot group is onboard with the project approach; trust me, you don't want to be in the position of having the business unit for the pilot getting cold feet midway through the project, leaving you in a tough spot.




Change management decisions


How much of a change is GRC 10? It all depends. If you are implementing Access Request Management, does your current access request process have a lot of manual hand-offs and detours to be automated in the new process? It may delight your users, but they still have to be trained on the new user interface and get used to the automation. On the other hand, if you are just going live with Access Risk Analysis, you probably have a smaller user community to train.


The big project I mentioned above included a team of experienced change management consultants, and I think that was a smart choice for such a huge undertaking. My much smaller recent project had excellent internal support for communications and our web page, but we were pretty much on our own for developing and delivering training. We offered live training, step-by-step video recordings, and Quick Reference Cards that were jointly produced. All were well received; however, by business decision the training was not mandatory, so you can probably guess the outcome: the users who took the training are doing pretty well and are happy with the new system, especially the new request templates and more efficient workflows, and those who opted out of training.... Enough said.


Now we are working on resolving non-showstopper issues, problems identified during testing that were not urgent enough to risk breaking something else with a possibly buggy correction before go-live. It never really ends, does it?

And what about you? If you are already live on GRC 10, what would you do all over again and what might you do differently? I invite you to share your perspectives.

In the last 9 months, more than 250 consultants from partners attended the Fraud Management Partner Workshops to receive training on how to develop rules for SAP Fraud Management. Since then, many partners have decided to develop content for SAP Fraud Management for such industries as utilities, insurance or banking.


For SAP and its customers, this is a perfect match as it complements SAP’s offering with specific domain expertise and helps customers to implement faster and with lower effort, based on predefined content.


With the SAP HANA market place, SAP now provides a simple way for partners to list and sell content for SAP Fraud Management. The SAP HANA market place is the one-stop location to learn, try out, and buy SAP HANA applications. After a certification, partners can load any kind of collaterals and can then launch their content via the SAP HANA marketplace.


For more details, please contact Narayan Sundareswaran or see the materials on the SAP Fraud Management wiki page.

Sign Up Now To Summer Training - Partner Workshop on SAP Fraud Management

August 26-28th, 2014 SAP Campus – Walldorf, Germany



With the continuing momentum around SAP Fraud Management, we will be offering partners the opportunity to attend another Partner workshop on SAP Fraud in August. It will take place from Tuesday, August 26 to Thursday, August 28, 2014 at the SAP Campus in Walldorf. This workshop is free of charge and for selected partners and SAP employees; however, you will need to cover your own travel costs.


Objective of the workshop

This workshop offers deep-dive training into SAP Fraud Management and would enable attendees to take customer data and build customer-specific rules with the solution.


  • Day 1: Business Overview for Fraud Investigators & Deep Dive Detection
  • Day 2: Programming of Detection Rules & Overview of Predictive Capabilities
  • Day 3: Self-Guided Programming
  • Optional: Day 4: (Self-Guided Programming)



Note: There may also be an option for attendees to continue their programming on the SAP Fraud Management development system after the workshop until the end of the training week, subject to availability.



Workshop Pre-requisite & Commitment


In order to maximize the value for you please be prepared to:


    • Bring a data model and data sample from either a customer or industry, plus a set of rules that can be implemented in the development system during the training.
    • Send a mixture of both technical and functional people (HANA and solid SQL knowledge, together with forensic or fraud knowledge).


What should I do now?

Please let us know that you will be attending as soon as possible, as space is limited. To reserve your place, click REGISTER to confirm your registration (first come, first served).


For each attendee, please include:


      • Name
      • Job Title
      • Full Company Address
      • E-mail Address
      • Contact Phone Number




We look forward to seeing you in Walldorf.



Gerhard Hafner
Chief Product Owner
HANA Based Applications

Genaro Pena
VP Sales, EMEA



Dear all,


I am wondering if any of you will join the SAPinsider GRC conference in Singapore from October 13th till October 15th. As I am travelling to Singapore around that date, I might attend.


For more information please visit the homepage: BI 2014, HANA 2014, GRC 2014, and Financials 2014


Looking forward to meeting you there.


Best regards,


With the go-live of our Governance, Risk, and Compliance (GRC) version 10 Access Control finally past us (hallelujah!), I have been thinking about the learnings, from my previous GRC 10 projects as well as from this one. Last year at SAP TechEd, I hosted an Expert Networking session, discussed here: "The rest of the story: what else I learned at #SAPTechEd", where the most common response to my question about GRC 10 was that customers were still thinking about it. Maybe you, too, are still thinking about it, working on a roadmap, or planning your project. Even if your project is already underway, here are some readiness questions to consider.


What are the pain points of your current GRC related processes?


Be sure to get input from your key users. Pain points could include these:

  • Too many manual hand-offs in the access request process
  • User access reviews tedious due to manual processes, and not particularly value added besides
  • User interfaces for access requests confusing to requesters and approvers
  • Confusing/ inconsistent role names making it difficult to know what role to request
  • Roles not well aligned with either tasks or jobs, leading to a need to make a big security change, such as complete security rewrite or implementation of Business Roles
  • Manual security team processes like maintaining organizational segregation with manual reviews and hit or miss efforts to manage critical sensitive authorizations
  • Confusing/ inadequate information in firefighter logs, so they are not reviewed timely


What is your long range plan?


If yours will be a brand new GRC implementation, do you have a company policy for Segregation of Duties and critical access rules that can be the basis of your new GRC rule sets, are you planning to start with the rules out of the box, or will you take the time to customize them? If you are on GRC 5.3 (or earlier release), have you been maintaining your ruleset all along with the updates from SAP and custom transactions? A “lift and shift” of your current rules can be fine if they have been maintained; otherwise, it is like bringing dirty, threadbare rugs from your old house into your brand new one. The sooner you get them cleaned up, the better.


Have you thought about your long term roadmap and identified which components you plan to implement? Some customers start out by just implementing Access Risk Analysis, to get the system up and running, and then take on Access Requests and more later. With all the shared master data across Access Control and Process Control, decisions you make early on could come back to haunt you later down the road. If you are planning to use your current GRC system as the model for the new one, has all the master data been maintained, or are there obsolete mitigation monitors who have left the organization, mitigations configured for risks that do not exist, and other bad data that will not work in the new, better integrated, system? It can be a real challenge if you have no “golden” client to use to validate the configuration of the new one.


Do you have the right resources for your project and enough of them?


Colleen Lee wrote an excellent blog about all the friends who helped her on her own GRC projects.

Depending on which components you plan to implement and the architecture, the resources needed for your project could include some who may not have come to mind. Of course you will need security, GRC, and Basis expertise, but you may also need LDAP expertise if your user master data resides there, or HR expertise if you plan to use your SAP HR as the user data source and/or implement HR triggers. But are all your users, including contractors, even in SAP HR? Are you sure? If you plan to use your LDAP, has it been properly maintained, or does it need clean up before you can rely on the data fetched? For implementing Access Request Management, workflow expertise including MSMP and BRF+ is a must, and if an Identity Management system performs your user creation, count those experts in, too. How will the users access your system - Enterprise Portal, NWBC, something else? Whatever you plan to utilize, be sure to budget for skilled resources on your project team for that, too. If a new rule set is needed, expertise from the business and internal controls will be key.


Then there are the ABAP resources.  As I mentioned in a comment on Colleen’s blog, on my current project we badly underestimated the demands we would make on ABAP resources, needed for implementing the hundreds of corrections into our system. Better to budget for them and not need them than be wishing you had the funds.


And about those hundreds of corrections:  someone needs to stay on top of those issues.  If the people managing the fixes and corrections are also project managers, and also doing system configuration, configuring the workflows, migrating master data from the old GRC system, creating documentation, designing testing and training,  and leading the change management effort – well, good luck with that.  Yes, two resources can wear 8 or 10 different hats, but your project timeline will need to be adjusted accordingly.  If your project management tool tells you that your project’s resources are way over committed, a six month project could run on with slipped deadlines and missed go lives, possibly impacting other projects that they were expected to be working.


On top of that, the longer your GRC project drags on, the likelier that the systems connected to your GRC will be upgrading. If a connected system goes to a new NetWeaver release, you may have to install new plug-ins and start testing all over again.


I hope I have provided some food for thought for anyone considering or planning an implementation of GRC 10.  Time spent now in considering these questions will pay off in the long run.

Hi All,


We are currently on GRC SP13. I could see a lot of community members also working on the same SP. There are a lot of issues in GRC SP13. I am just listing the issues with the relevant SAP notes here to make it easy for those who come across issues just like mine.


There are still a lot of issues which we are working on, and I will update this blog regularly based on our issues and fixes.


Access Request (ARQ)

Password Self Service (PSS) - Issues

In Password Self Service (PSS), when the user clicks on “Register Security Questions”, they can add questions using either the Admin-defined or the User-defined option.


As shown below, “User Defined Questions” has a spelling mistake where “DEFINED” is spelled as “DEFINDED”, and this can be fixed using SAP note

1907848 - UAM: Incorrect text for User Defined Questions



1600374 - CUP: Admin and user questions option not configuration


EUP Issues

The SAP notes below are implemented for issues regarding EUP.


1897794 - UAM: Request for value not coming from EUP in model user

1842378 - Default roles are getting added though they don’t exist in BE

Role Mapping Issues

The SAP notes below are implemented for issues regarding role mapping.


1900076 - UAM: Role mapping not working based on parameter 2015

2014524 - Common mapped role deleted on removing one of parent


Provisioning Settings Issues

The SAP notes below are implemented for issues regarding provisioning settings.


1966404 - UAM: System level provisioning settings not considered correctly


Role and Function Approval Workflows

During Role and Function approvals, the SAP notes below are implemented to resolve the comments pop-up issue.


2044309 - During role and function approval, Comments popup is opening in case of approval and rejection without checking the configuration

1906672 - Removed Function appear in Risk Approval Request


Risk Approval Workflow - Issues

In the case of risk approval workflows, the title was not shown in the header when opening the risk for approval, as shown below.


Fix the issue using SAP note 1921318 - Risk Approval Screen - Title is not coming in header

2049421 - Forward with Return for Risk Approval WF issue

Mitigation Control Maintenance Workflow - Issues

In the case of mitigation control workflows, no message is shown to the approver if one approver forwards the request to another approver.


Fix the issue using SAP note 2050047 - MIC Upon Forward no successful message


Business Roles - Issues

Before discussing business role issues, please go through the SAP note below on business roles, which explains all the pros and cons of business roles.


1981001 - Recommendations: Using business role provisioning in access request


Business roles are not supported in GRC with “RETAIN” provisioning action. But in SP13 users are able to submit access requests with business roles having “RETAIN” provisioning action.


To fix this please implement the SAP note 1982339 - UAM: End user is able to submit request for business role with retain provisioning action

In case of Business roles having common technical roles, role de-provisioning is not happening correctly.


To fix this, please implement the SAP notes

1930923 - UAM:-Business role removal is not working correctly in Access Request

1922082 - UAM: Rejected business roles are getting provisioned

1951749 - UAM: Business role not provisioned correctly in language other than English

Role Import - Issues

Role Import in GRC SP13 does not show all roles in the preview, and also does not import all roles based on the role range.

To fix this issue please implement the SAP note 1897975 - Role import does not show roles in the preview

Firefighter Login - Issues

When an FF user logs in with the assigned FF ID, the system throws dumps.

To fix this issue please implement the SAP note 1800347 - Short Dump on FF Login

Risk Analysis - Access Request - Issues

1938722 - Risk analysis icon incorrect in access request

Default Roles - Access Request - Issues

2056035 - UAM: Role descrip not displayed for default Roles

1842378 - Default roles are getting added though they dont

2061875 - UAM: Role description for default roles not displa

Mitigation Control – Issues


Create Mitigation control and assign Risk and Approver/ Monitor to that control.

Click on Save/Submit button.

Error comes: "Saving Note Failed"


To fix this issue please implement SAP note 1890058 - "Saving note failed" error comes while saving Mitigation Control

Create a Mitigation control and assign Risk and Approver/Monitor to that control. The AC Reports are not displayed in the "Reports" tab of a mitigation control.

The error message "Action is inconsistent with system" is displayed when you add a new AC report to a mitigation control and save/submit.


To fix this issue please implement SAP note 1902129 - Unable to save Mitigation control after adding AC Report

Mitigation control assignments which are already deleted are still showing up in GRC system.


To fix this issue please implement SAP note 1873361 - Performance issue with GRAC_REPOSITORY_OBJECT_SYNC


LDAP Issues

2025895 - UAM: Users not searched from HR/LDAP connectors if real-time search parameter 2050 is YES

1867742 - UAM: Manager information is missing in request submission


Access Request - MultiUser Request - Issues


1864399 and 1886411 - Incorrect Template - Multiuser Request

User Access Review (UAR) - Issues

UAR requests are being generated for expired or locked users even though they are excluded in the filter criteria. UAR requests also contain indirectly assigned roles, like child roles of composite roles.


To fix this issue, implement the SAP notes below


GRC System

1970118 - UAM: Expired and locked Users and indirect role assignment are also display in UAR request

1988134 - UAM: Dump on executing UAR job for user group and indirect assignments displayed in UAR request

1917837 - UAM : Connector based brf + rule is not working

1997960 - Unable to generate request for UAR/SOD.

2103409 - UAR: UAR approved request shows in work inbox until refresh.

1988128 - UAM: Missing line items with forward and return in UAR



UAR requests still show up in the work inbox even after approval, until the refresh button is clicked.

2103409 - UAR: UAR approved request shows in work inbox until refresh.



User Defaults - Issues

2020712 - UAM: User group not provisioned after approval

Delegated Approver - Mail Issues

1589130 - GRC AC 10.0 - MSMP Notification Override BADi - En

1915928 - Delegated approver is not visible in instance status

1887512 - Incorrect approver list shown in instance status

Enterprise Portal Integration with GRC - Issues

1889792 - UAM: Portal sync results in time out/ Portal Object

Synchronization Jobs – Issues

We are facing an issue related to the roles assigned to the users in the target system. When roles have been removed from users in the backend, they are still visible in the existing assignments overview in the GRC system (even after sync).


This results in provisioning error when requesting a "retain role" request. Plug-In system then gives error message that the role is invalid (because it was not assigned anymore to the user).


Once the roles are removed in the target system, they should not appear again under the existing assignments in GRC.


If this kind of issue is happening then the Synch jobs are not working fine and there is some issue with these.


To fix this issue implement below SAP notes


Target (Plug-In) System


1970532 - Audit log gives wrong information about role removal, the validity of the role is not getting changed in the backend systems


GRC System


1934813 - UAM: Incorrect audit log message for role assignment and provisioning error for multiuser request


Missing Notification Variables and Notifications Issues - GRC SP13

Notification variables such as Request Reason, Comments, Approver First Name, Approver Last Name and Approver Full Name are missing.


To enable these variables, implement the SAP notes below:


1971842 - Request reason notification variable is not available in Access Request workflow

1917639 - UAM: Adding Comments and approver name variables in Access Request approval mail




Symptom 1: Validity dates and user ID are not shown in the submission notification for the system entry.

Symptom 2: In the submission notification, some text is available in English and cannot be translated into any other language.

Symptom 3: The provisioning variable shows roles whose Allow Auto-provisioning value is No and which have not been provisioned to the user.

Symptom 4: An access request is created to assign roles to an existing user in a CUA child system. The closing notification contains a wrong message about user creation.

Symptom 5: The notification variable %submission% for EAM/FF access approval does not contain system-level information and validity date information, like FF_XXX Superuser access added to the request for action assign.


To fix this issue, implement the SAP note below:


1907911 - UAM: Incorrect text in submission & provisioning variable


Email Notifications - Issues

SAP Note 2018395 - E-mail Notifications cannot use HTML

Unlock Account - Valid To Date Issue

2069094 - For Unlock Action type Valid To Date for user is coming from

Escalation Notifications - Role Owner Stage - Issues

2008881 - Approved request items are also escalated

2000779 - UAM: Escalation on roleowner stage not working

There are multiple issues related to this solution; in fact, SAP has released a knowledge base article stating that it is not allowed, citing security reasons (SAP KBA 1622881 - Approve by E-mail and Reject by E-mail functionality). There are, however, workarounds available.


The security issues, mainly, are:

• Validating correct approver and delegate approvers

• Emails could be sent with the From option set in the mail, making it even more difficult to validate


However, I did try to implement the process and succeeded in doing so with a few (not recommended) workarounds.


My main motivation came from this link where a similar solution is suggested but for SAP Workflow:



The BASIS configuration remains the same as given in the above link. The steps are as follows:

1) Create an offline user in SAP (it could be a new user if the approver will forward the mail to approve or reject requests; in case of a reply it has to be WF-BATCH)

2) Configure the SAP-Connect node via SICF Transaction

3) Configure and activate the SMTP Service via SMICM transaction

4) Configure and set the Inbound E-Mail Exit Configuration


Even the next few steps remain the same, only the actual approval process has to be changed. In the 4th step, we need to provide a class name to process emails. In this example, I named the class as: Z_PROCESS_INBOUND_WORKFLOW. Add Interface to the class: IF_INBOUND_EXIT_BCS. You will see 2 methods added from the interface.


Add the code in the methods:


Here, we need to create an instance of the class to be used for further processing.
Sample Code below:

* Method IF_INBOUND_EXIT_BCS~CREATE_INSTANCE
  DATA: lo_ref TYPE REF TO z_process_inbound_workflow.

* Check if the instance is initial
  IF lo_ref IS INITIAL.
    CREATE OBJECT lo_ref.
  ENDIF.

* Return the instance
  ro_ref = lo_ref.



This method is called automatically to process the message when it is received by the SAP system.

Sample Code Below:

* Method IF_INBOUND_EXIT_BCS~PROCESS_INBOUND
* Declare for Inbound E-Mail processing
  DATA: lo_document       TYPE REF TO if_document_bcs,
        l_mail_attr       TYPE bcss_dbpa,
        l_mail_content    TYPE bcss_dbpc,
        lv_reqno          TYPE grac_reqno,
        lv_approve_reject TYPE char1,
        lt_cont_text      TYPE soli_tab,
        ls_cont_text      TYPE soli,
        lo_reply          TYPE REF TO cl_send_request_bcs,
        sender            TYPE REF TO if_sender_bcs,
        sender_addr       TYPE string,
        lv_email          TYPE ad_smtpadr,
        send_request      TYPE REF TO cl_bcs,
        lo_approval       TYPE REF TO z_grac_approbation_by_email.

*- Get a pointer to the reply email object -*
  TRY.
      lo_reply = io_sreq->reply( ).
    CATCH cx_send_req_bcs.
  ENDTRY.

**** Check to make sure this is from an approved Sender
  sender = io_sreq->get_sender( ).
  sender_addr = sender->address_string( ).
  lv_email = sender_addr.

**** Only reply if this message came from within our mail system or domain
**** SPAMMERS Beware, your e-mails will not be processed!!!
* CS is a case-insensitive substring match on the address the mail claims as sender
  IF sender_addr CS '@xxx.COM'.
**** send reply and inbound processing
*- Get email subject -*
    TRY.
        lo_document = io_sreq->get_document( ).
        l_mail_attr = lo_document->get_body_part_attributes( '1' ).
* Get the request number from the desired position of the subject
        lv_reqno = l_mail_attr-subject+12(10).
      CATCH cx_document_bcs.
    ENDTRY.

*- Get mail body-*
    TRY.
        l_mail_content = lo_document->get_body_part_content( '1' ).
        lt_cont_text = l_mail_content-cont_text.
        DELETE lt_cont_text WHERE line IS INITIAL.
* The first non-empty line of the body carries the decision
        READ TABLE lt_cont_text INTO ls_cont_text INDEX 1.
        IF sy-subrc EQ 0.
          TRANSLATE ls_cont_text-line TO UPPER CASE.
          IF ls_cont_text-line+0(7) = 'APPROVE'.
            lv_approve_reject = 'A'.
          ELSEIF ls_cont_text-line+0(6) = 'REJECT'.
            lv_approve_reject = 'R'.
          ENDIF.
        ENDIF.
      CATCH cx_document_bcs.
    ENDTRY.
  ENDIF.

* Hand over to the approval class only when all three values were found
  IF lv_approve_reject IS NOT INITIAL
    AND lv_reqno IS NOT INITIAL
    AND lv_email IS NOT INITIAL.

    CREATE OBJECT lo_approval
      EXPORTING
        i_reqno          = lv_reqno
        i_email          = lv_email
        i_approve_reject = lv_approve_reject.

    CALL METHOD lo_approval->process_request.

  ENDIF.
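
The three input checks made in PROCESS_INBOUND (sender domain, request number from the subject, decision from the first body line), written as stricter stand-alone helpers. This is an added example, not the author's code: the report, class, method and constant names are hypothetical, the sample mail values are constructed, and it assumes request numbers are 10 digits at subject offset 12 as in the code above.

```abap
REPORT z_demo_inbound_mail_checks.

* Added example, not the author's code: all names are hypothetical and
* the sample values at the end are constructed.
CLASS lcl_inbound_check DEFINITION FINAL.
  PUBLIC SECTION.
* Placeholder domain as used in the post, compared in upper case
    CONSTANTS gc_domain TYPE string VALUE `XXX.COM`.
    CLASS-METHODS sender_domain_ok
      IMPORTING iv_sender    TYPE string
      RETURNING VALUE(rv_ok) TYPE abap_bool.
    CLASS-METHODS request_number
      IMPORTING iv_subject      TYPE string
      RETURNING VALUE(rv_reqno) TYPE string.
    CLASS-METHODS decision
      IMPORTING it_body            TYPE soli_tab
      RETURNING VALUE(rv_decision) TYPE char1.
ENDCLASS.

CLASS lcl_inbound_check IMPLEMENTATION.
  METHOD sender_domain_ok.
    DATA: lv_addr   TYPE string,
          lv_local  TYPE string,
          lv_domain TYPE string,
          lv_count  TYPE i.
    rv_ok = abap_false.
    lv_addr = iv_sender.
    CONDENSE lv_addr.
    TRANSLATE lv_addr TO UPPER CASE.
* Require exactly one '@' so that the text after it is the whole domain
    FIND ALL OCCURRENCES OF '@' IN lv_addr MATCH COUNT lv_count.
    IF lv_count <> 1.
      RETURN.
    ENDIF.
    SPLIT lv_addr AT '@' INTO lv_local lv_domain.
* Equality on the full domain: 'USER@XXX.COM.EXAMPLE.ORG' contains
* '@XXX.COM' and would pass a CS test, but it is rejected here
    IF lv_local IS NOT INITIAL AND lv_domain = gc_domain.
      rv_ok = abap_true.
    ENDIF.
  ENDMETHOD.

  METHOD request_number.
    DATA lv_reqno TYPE c LENGTH 10.
    CLEAR rv_reqno.
* The post reads 10 characters at offset 12; check the length first
    IF strlen( iv_subject ) < 22.
      RETURN.
    ENDIF.
    lv_reqno = iv_subject+12(10).
* Assumption: request numbers consist of digits only
    IF lv_reqno CO '0123456789'.
      rv_reqno = lv_reqno.
    ENDIF.
  ENDMETHOD.

  METHOD decision.
    DATA: ls_line TYPE soli,
          lv_text TYPE string.
    CLEAR rv_decision.
    LOOP AT it_body INTO ls_line WHERE line IS NOT INITIAL.
      lv_text = ls_line-line.
      CONDENSE lv_text.
      TRANSLATE lv_text TO UPPER CASE.
* The whole line must be the keyword, not just start with it
      CASE lv_text.
        WHEN 'APPROVE'.
          rv_decision = 'A'.
        WHEN 'REJECT'.
          rv_decision = 'R'.
      ENDCASE.
      EXIT. " only the first non-empty line counts
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA: lt_body     TYPE soli_tab,
        ls_body     TYPE soli,
        lv_ok       TYPE abap_bool,
        lv_bad      TYPE abap_bool,
        lv_reqno    TYPE string,
        lv_decision TYPE char1.

* Constructed sample mail body: an empty first line, then the decision
  APPEND ls_body TO lt_body.
  ls_body-line = 'approve'.
  APPEND ls_body TO lt_body.

  lv_ok       = lcl_inbound_check=>sender_domain_ok( `approver@xxx.com` ).
  lv_bad      = lcl_inbound_check=>sender_domain_ok( `user@xxx.com.example.org` ).
  lv_reqno    = lcl_inbound_check=>request_number( `Approval of 0000001234 pending` ).
  lv_decision = lcl_inbound_check=>decision( lt_body ).

  WRITE: / 'Sender in domain:', lv_ok,
         / 'Look-alike domain:', lv_bad,
         / 'Request number:', lv_reqno,
         / 'Decision:', lv_decision.
```

These helpers tighten input handling only; the address is still the one the mail claims, so the approver lookup in PROCESS_REQUEST remains the actual authorization step.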




Now, I have created another class to validate approvers from their email addresses, process emails in case of any errors and finally start the approval process which is being called from above class method - Z_GRAC_APPROBATION_BY_EMAIL


First save the values in attributes of this class in the CONSTRUCTOR method.


Create a method PROCESS_REQUEST to do the processing.


In this method, the steps followed are:

  • First get the SAP user ID for the email ID of the sender
  • Validate by the SAP user ID, if the sender is actually the approver from checking tables GRFNMWRTINSTWI, GRACREQUSER
  • If not, check if the sender is a delegate approver. You can use function module SAP_WAPI_SUBSTITUTIONS_GET
  • If validated, create a background job using FM JOB_OPEN


The reason we need a background job is because the SY-UNAME in the system will be either WF-BATCH or a new user created by BASIS in the 1st step and that user is not the actual approver. So we create a background job and then change the user ID with the actual approver.

So, after the JOB_OPEN is called:

  • Change the user ID in Job Head and call FM BP_JOB_MODIFY
  • We will have to create a new Report Program to approve or reject the request (Z_REP_APPROBATION_BY_EMAIL) and SUBMIT the program


Now, the main logic is in the report program Z_REP_APPROBATION_BY_EMAIL.

I added 3 selection screen parameters to accept Request Number, BNAME(SAP User ID) of the approver and a field to identify Approve or Reject (A or R)

  • First step is to fetch the Request ID for the Request Number from table GRACREQ. Concatenate 'ACCREQ/' and the Request ID together.
  • Next is to fetch Work Item IDs for the Request Number from the table GRFNMWRTINSTWI
  • After collecting data, we will call standard methods that GRC system uses to do the processing, Code Snippets are shown below:

  go_session  =  cl_grfn_api_session=>open_daily( ).

  TRY .

      go_api ?= go_session->get( gv_reqid ).


      gv_bname = p_bname.


      CALL METHOD go_api->if_grac_api_access_request~retrieve
        EXPORTING
          iv_editable      = abap_true
          it_wi_id         = gt_wi_id
          iv_admin_mode    = lv_bool
          iv_approver_user = gv_bname.


      IF p_aprj EQ 'A'.


        ls_user_range-sign = 'I'.
        ls_user_range-option = 'EQ'.
        ls_user_range-low = gv_bname.
        APPEND ls_user_range TO lt_user_range.


        lv_user = gv_bname.

        CALL METHOD cl_grac_user_rep=>retrieve_realtime_user
          EXPORTING
            iv_user          = lv_user
          IMPORTING
            es_real_userinfo = ls_real_userinfo.

        CALL METHOD cl_grac_user_rep=>retrieve_user_systems
          EXPORTING
            it_user      = lt_user_range
*           it_user_name =
*           iv_max_rows  = 1000
          RECEIVING
            rt_user      = lt_user.


        ls_val-val1 = ls_real_userinfo-department.
        ls_val-val2 = ls_real_userinfo-location.
        ls_val-val3 = ls_real_userinfo-company.
        ls_val-val4 = ls_real_userinfo-costcenter.
        ls_val1-val1 = ls_real_userinfo-userid.
        ls_val1-val2 = ls_real_userinfo-user_group.
        ls_val1-val3 = ls_real_userinfo-orgunit.


        IF lt_user IS NOT INITIAL.

* lt_user is filled: check activity "change" on both authorization objects
          LOOP AT lt_user INTO ls_user.

            ls_val1-val4 = ls_user-connector.

            IF cl_grac_auth_engine=>authority_check(
                  iv_auth_obj   = graca_c_emp-auth_obj
                  iv_field1     = graca_c_actvt-actvt
                  iv_value1     = graca_c_actvt-change
                  iv_field2     = graca_c_emp-dept
                  iv_value2     = ls_val-val1
                  iv_field3     = graca_c_emp-location
                  iv_value3     = ls_val-val2
                  iv_field4     = graca_c_emp-company
                  iv_value4     = ls_val-val3
                  iv_field5     = graca_c_emp-cost_centre
                  iv_value5     = ls_val-val4
              ) EQ abap_true AND
               cl_grac_auth_engine=>authority_check(
                  iv_auth_obj   = graca_c_user-auth_obj
                  iv_field1     = graca_c_actvt-actvt
                  iv_value1     = graca_c_actvt-change
                  iv_field2     = graca_c_user-userid
                  iv_value2     = ls_val1-val1
                  iv_field3     = graca_c_user-usergroup
                  iv_value3     = ls_val1-val2
                  iv_field4     = graca_c_user-org_unit
                  iv_value4     = ls_val1-val3
                  iv_field5     = graca_c_user-connector
                  iv_value5     = ls_val1-val4
              ) EQ abap_true.
              lv_flg = 'X'.
            ENDIF.

          ENDLOOP.

        ELSE.

* lt_user is empty: check activity "create" on both authorization objects
          ls_val1-val4 = ls_user-connector.
          IF cl_grac_auth_engine=>authority_check(
                iv_auth_obj   = graca_c_emp-auth_obj
                iv_field1     = graca_c_actvt-actvt
                iv_value1     = graca_c_actvt-create
                iv_field2     = graca_c_emp-dept
                iv_value2     = ls_val-val1
                iv_field3     = graca_c_emp-location
                iv_value3     = ls_val-val2
                iv_field4     = graca_c_emp-company
                iv_value4     = ls_val-val3
                iv_field5     = graca_c_emp-cost_centre
                iv_value5     = ls_val-val4
            ) EQ abap_true AND
             cl_grac_auth_engine=>authority_check(
                iv_auth_obj   = graca_c_user-auth_obj
                iv_field1     = graca_c_actvt-actvt
                iv_value1     = graca_c_actvt-create
                iv_field2     = graca_c_user-userid
                iv_value2     = ls_val1-val1
                iv_field3     = graca_c_user-usergroup
                iv_value3     = ls_val1-val2
                iv_field4     = graca_c_user-org_unit
                iv_value4     = ls_val1-val3
                iv_field5     = graca_c_user-connector
                iv_value5     = ls_val1-val4
            ) EQ abap_true.
            lv_flg = 'X'.
          ENDIF.

        ENDIF.

* Approve only when the authorization checks passed for the approver
        IF lv_flg = 'X'.

          PERFORM f_fill_approving_details CHANGING ls_req_data
                                                    lt_item
                                                    lt_requser
                                                    lt_reqsys.

          lo_api ?= go_session->get( gv_reqid ).

          CALL METHOD lo_api->if_grac_api_access_request~update
            EXPORTING
              is_request_data = ls_req_data
              it_requser      = lt_requser
              it_reqlineitm   = lt_item
              it_reqsys       = lt_reqsys.

          CALL METHOD go_session->save.

        ENDIF.

      ELSEIF p_aprj EQ 'R'.

        CALL METHOD go_api->if_grac_api_access_request~reject.

        CALL METHOD go_session->save.

      ENDIF.

    CATCH cx_grfn_exception INTO go_grfn_exp.
  ENDTRY.


*&      Form  f_fill_approving_details
*       text
*      -->LS_REQ_DATA  text
FORM f_fill_approving_details CHANGING   ps_req_data TYPE grac_s_api_req_data
                                        pt_item     TYPE grac_t_api_reqlineitem
                                        pt_requser  TYPE grac_t_api_user_info
                                        pt_reqsys   TYPE grac_t_api_reqsys.

  TYPES: BEGIN OF ty_gracreq,
          req_id          TYPE grfn_guid,
          req_created     TYPE grac_req_created,
          duedate         TYPE grac_duedate,
          reqtype         TYPE grac_reqtype,
          funcarea        TYPE grac_funarea,
          msmp_process_id TYPE grfn_mw_process_id,
        END OF ty_gracreq,

        BEGIN OF ty_gracitem,
          itemnum         TYPE grac_seq,
          connector       TYPE grac_reqsystem,
          prov_item_id    TYPE grfn_guid,
          prov_item_type  TYPE grac_prov_item_type,
          prov_action     TYPE grac_actiontype,
          prov_item_name  TYPE grac_prov_item_name,
          approval_status TYPE grac_approval_status,
          valid_from      TYPE grac_valid_from,
          valid_to        TYPE grac_valid_to,
          prov_type       TYPE grac_prov_type,
        END OF ty_gracitem,

        BEGIN OF ty_systems,
          systems TYPE grfn_connectorid,
        END OF ty_systems.

  DATA: lv_reqid TYPE grfn_guid,
        ls_gracreq TYPE ty_gracreq,
        lt_gracitem TYPE STANDARD TABLE OF ty_gracitem,
        ls_gracitem TYPE ty_gracitem,
        lt_gracuser TYPE STANDARD TABLE OF gracrequser,
        ls_gracuser TYPE gracrequser,
        ls_reqsys   TYPE grac_s_api_reqsys,
        lt_systems  TYPE STANDARD TABLE OF ty_systems,
        ls_systems  TYPE ty_systems,
        ls_requser  TYPE grac_s_api_user_info,
        ls_item     TYPE grac_s_api_reqlineitem.

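* Strip the leading 'ACCREQ/' (7 characters) from the request key
  lv_reqid = gv_reqid+7.

* The field list of this SELECT is not on the page; fields are matched by name
  SELECT SINGLE *
    FROM gracreq
    INTO CORRESPONDING FIELDS OF ls_gracreq
    WHERE req_id = lv_reqid.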
  IF sy-subrc EQ 0.
    ps_req_data-req_id = ls_gracreq-req_id.
    ps_req_data-req_created = ls_gracreq-req_created.
    ps_req_data-req_approved = ls_gracreq-duedate.
    ps_req_data-reqtype = ls_gracreq-reqtype.
    ps_req_data-msmp_process_id = ls_gracreq-msmp_process_id.
    ps_req_data-funcarea = ls_gracreq-funcarea.

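* Only the first column of the field list is on the page; the components
* of ty_gracitem are filled by name
    SELECT *
      FROM gracreqprovitem
      INTO CORRESPONDING FIELDS OF TABLE lt_gracitem
      WHERE req_id = lv_reqid.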

    IF sy-subrc EQ 0.
      LOOP AT lt_gracitem INTO ls_gracitem.
        ls_item-itemnum   = ls_gracitem-itemnum.
        ls_item-item_name   = ls_gracitem-prov_item_name.
        ls_item-connector   = ls_gracitem-connector.
        ls_item-prov_item_id   = ls_gracitem-prov_item_id.
        ls_item-prov_item_type   = ls_gracitem-prov_item_type.
        ls_item-prov_action   = ls_gracitem-prov_action.
        ls_item-approval_status   = 'AP'.
        ls_item-valid_from   = ls_gracitem-valid_from.
        ls_item-valid_to   = ls_gracitem-valid_to.
        ls_item-prov_type   = ls_gracitem-prov_type.

        APPEND ls_item TO pt_item.
      ENDLOOP.
    ENDIF.

    SELECT * FROM gracrequser
      INTO TABLE lt_gracuser
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_gracuser INTO ls_gracuser.
        ls_requser-userid = ls_gracuser-userid.
        ls_requser-provuser = ls_gracuser-provuser.
        ls_requser-snc_name = ls_gracuser-snc_name.
        ls_requser-unsec_snc = ls_gracuser-unsec_snc.
        ls_requser-accno = ls_gracuser-accno.
        ls_requser-empposition = ls_gracuser-empposition.
        ls_requser-empjob = ls_gracuser-empjob.
        ls_requser-personnelno = ls_gracuser-personnelno.
        ls_requser-personnelarea = ls_gracuser-personnelarea.
        ls_requser-email = ls_gracuser-email.
        ls_requser-emptype = ls_gracuser-emptype.
        ls_requser-logon_langu = ls_gracuser-logon_langu.
        ls_requser-dec_notation = ls_gracuser-dec_notation.
        ls_requser-date_format = ls_gracuser-date_format.
        ls_requser-time_zone = ls_gracuser-time_zone.
        ls_requser-manager = ls_gracuser-manager.
        APPEND ls_requser TO pt_requser.
      ENDLOOP.
    ENDIF.


    SELECT systems
      FROM gracrequsersys
      INTO TABLE lt_systems
      WHERE req_id = lv_reqid.

    IF sy-subrc EQ 0.
      LOOP AT lt_systems INTO ls_systems.
        ls_reqsys-systems = ls_systems-systems.
        APPEND ls_reqsys TO pt_reqsys.
      ENDLOOP.
    ENDIF.
  ENDIF.


ENDFORM.                    "f_fill_approving_details


Transport BRF+ Application from $Temp package


I am not sure if you have already come across the phase associated with copying the BRF+ application from the $Temp package in order to make it transportable.


At the start of my implementation project on GRC V:11 and SAP:04, I had created one BRF+ application and saved it to a $Temp package so as to avoid capturing it in a Transport Request, as I had to do some more configuration with the never-ending requirements. So, when I completed all the configuration, I tried to put it into a TR but couldn't do that, as I had saved it into $Temp, so I got stuck.


So, to make an application transportable, you have to follow the steps below:


1) Copy the application from $Temp package to SAP Development package


Execute BRF+ transaction code --> Navigate to the application which is saved into $Temp package



2) Right click on the application --> Copy



3) On the new screen, enter the New-Application name (target application name), description and short text.

You need to make sure to uncheck the box for "Create Local Application". If you miss this, you would again end up copying the target application into the $Temp package.





If you have created a package specifically for BRF+ then you can mention the package name under "Development package" . If not, then you can create with transaction code: SE21 as below:





Fill in all the required details and confirm.


Now, after entering the development package, specify the Software component and make sure to tick the check box for "include contained objects". Click Copy.


It will ask to enter the TR, but you would see the error screen as below:



This is due to a bug within GRC V:11, which is resolved by implementing SAP Note# 2029700


Thanks to SAP for providing this note; now I am able to copy the application from the $Temp package to an SAP Development package to make it transportable.

I thought I would share this experience with SCN community members to help them if they come across this issue.








Here I would like to share my experience of creating transportable BRF+ rules in GRC AC 10.0. Please follow the attached file.




Thanks & Regards,


Rajesh Srisailapu

This document talks about the challenges organizations face when upgrading the Support Pack/NetWeaver for SAP GRC 10.0. Organizations that upgrade the support pack together with the NetWeaver version for SAP GRC 10.0 might face many challenges at different stages of the project. Here we discuss some of the challenges faced in a real-time environment while upgrading GRC 10.0 to SP13 from the existing SP07, and to SAP NetWeaver 7.31 SPS 8 from the existing SAP NetWeaver 7.02.

  • Backend Plugin Upgrade
    • If an organization is planning to upgrade GRC 10.0 from an SP level below SP10, it is required to plan and coordinate the GRC plug-in upgrade in the backend systems as well. GRC is normally connected to most of the systems in an organization for user provisioning, risk analysis and emergency access, and these systems are at different NW versions and plug-in levels.
    • To avoid product compatibility issues, it is suggested to plan the plug-in upgrade before the GRC system upgrade.
  • SU25 and Web Dynpro components upgrade
    • It is tough for a security consultant to understand the effect of the authorization updates in SU25 steps 2a, 2b and 2c on the GRC front end, as it does not provide details of the changes in authorization checks for the GRC front-end application.
    • Detailed planning of the testing strategy and scenario testing is suggested, to cover all authorization check changes and role change requirements.


  • Mass user locking
    • Normally the total number of users in an ECC or BI system is in the thousands, but in a GRC system the number of users is high, depending on the number of systems connected to it and how user data is updated. To keep users from logging in during the upgrade, it is recommended to lock users.
    • In general SU10 is used for mass locking, but locking lakhs of users via SU10 is not a suitable approach.


  • Agent not found: access requests ending in error or completing without role owner approval
    • Post upgrade, approvers of roles who are not defined in the GRACOWNER table, or not defined as owner under “Access control owner” in the front end, will not be able to approve requests. Post upgrade, GRC started checking for approvers in the GRACOWNER table.
    • Before go-live, update all role approvers as Role Owners in the Access control owner list.


  • Dumps in the system when clicking on the link in an email received from GRC
    • Post NW and SP upgrade for GRC 10.0, users might start getting the ABAP dump below in the system

               ASSERTION FAILED

               Category           ABAP Programing Error

               Runtime Errors Assertion Failed

               ABAP Program  CL_GRFN_API_IDENT================CP

               Application Component GRC

    • Please check whether OSS note 1888486 is applicable to your system to fix the issue

On one of my first projects as the lead architect I needed to prototype GRC. I had supported GRC components before (albeit 5.3 version), attended the GRC300 training course and passed my certification. I was excited: finally a GRC 10.0 implementation. I was at a client and they had a need for it. I had the skill and enthusiasm to see it implemented. The client accepted my business case of lowering user administration and support cost, and I had the confidence to see this project through. Fantastic!! Woo-hoo GRC implementation here I come!!!!!!!!


Before I got my hands on the system, the business-process minded part of me had mapped out the strategy and approach. I put pen to paper and drew up my view of the access control processes: who would approve and what would they approve. My design integrated as much of Access Controls as possible.  I found my Internal Controls buddy to assist me in keeping this business orientated: yes I found my first friend. I realised at the beginning, this implementation would not be possible if my team did not include a business stakeholder who could define business requirements and help design what an unacceptable risk to the business is and what the business was prepared to do about it. This friend of mine came from an Audit background (yes, auditors are friends too!) and could provide valuable input on compliance requirements we needed to adhere to.


We were able to work together to not only define the process but identify the roles and responsibility (in the form of a RACI model). In doing this, we identified organisational changes which then led me to another group of friends known as the Change Managers.  We have not even got the system built and I am now spending more time with an ex-Auditor/Internal Controls expert and a Change Manager to properly define how the business would use GRC.  The Change Manager then asks ‘Will end users be impacted’? Well, of course they will be as we are trying to automate user access provisioning and we have segregation of duties and risk and so on. My next group of friends became the Trainers. Internal Controls, Change Managers and Trainers oh my! And still no system!


It came time to submit the high level design for approval. My awesome pretty crap process designs were too high level. What I thought was three or four business processes were rebuilt by my next friend: The Business Analyst. This friend knew how to model business processes and took my diagrams (really PowerPoint slides) and broke them down to a much lower level. The business analyst identified logical gaps and incorrect assumptions without even knowing what GRC is (that soon changed).  Had this friend not stepped in at the beginning I would have been in a world of pain with the workflow configuration and ultimately resulted in rework, project delay and additional cost.


Finally my system was built by my friend Basis. This team became my first-and-best-techy-friend (hey they always are). Until I started GRC, I had never raised a SAP message incident (I did not even know how to).  SAP Marketplace and SCN contained my answers so it was never necessary. However, solution to most of SAP incidents I raised was in the form of a heap of notes and support stacks to apply and Basis were there for every step of the way. In addition, I had them assist me with appropriate system settings: system parameter; RFC connections; trusted systems; LDAP connections and NWBC. Yes, I could go configure them myself but if this was an ERP system would a Functional Consultant be allowed to do the same?


As I started to prototype the solution and came across the business workflow I learned more about the flexibility and powerfulness of GRC. I was able to configure MSMP (I’m quite a fan of it) but then I realised, it would be great to make friends with the Workflow and ABAP Developers, especially if they have the BRF+ skills and pick their brains. These developers would know how best to configure the workflow rules (do I use a decision table or a case statement?); build new launch pads and customise screen layouts. They would have a great naming convention for custom objects. They would also allow me to sit and help debug to find why I am getting that short dump (i.e. confirm I need to raise a SAP incident).


I continued to prototype and refine some of the design as we all discovered what the system would be capable of. It then dawned on me how best to document the configuration and build. I reached out to a new group of friends and they were Functional Consultants who worked on the ERP system. My view was: we might be configuring different systems but we’re both doing configuration via IMG and maybe there is something I can leverage from them (via our Solution Architect).


So before I even got to the development system, I became friends with Internal Controls; Change Managers; Trainers; Basis; Workflow and ABAP developers; and Functional Consultants. Most of my friends were included on my project plan so that management knew up front the true effort and people necessary for a GRC implementation to be successful. Management knew that GRC was not a support tool but enabled business process. Internal Controls was my key business representative who had their own set of friends to determine business requirements that I could translate to technical deliverables.


My motivation in finding friends was a concern I had: if I relied only on my own skills we may deliver a workable solution but it may not be the most effective and efficient solution. Without calling on all friends here, I might have a solution that works for day one but what happens next year or the year after? What happens when business requirements change? What happens when support stack and enhancement packs are necessary?


I’m sure there are more friends. Had I continued on this project I would have met up with Change and Release Managers to migrate changes and thinking through planning for enhancement packs, system refreshes and overall landscape design in conjunction with Basis. Oh, and if you’re wondering why no security - I did not forget them as that was me.


My advice – depending on the size of your project you may not need all these friends. Consider them in your planning based on your own strengths and weaknesses. Leverage where you can as it will benefit your solution in the long term.


Do you have any recommendations for who’d you make friends with and leverage for a successful GRC implementation?  I would love to hear your thoughts in the comments below.





P.S. I would like to make a special thank you to Gretchen Lindquist for all your valuable feedback and encouragement to me for this blog.

Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC

Since GRC 5.3 ran on the Java stack, customization of the GRC screens was not possible to any great extent. As GRC 10.0 runs on the ABAP stack, we have the flexibility to customize NWBC as per the client's requirements, and you can customize NWBC to provide access that is not delivered through the SAP GRC ABAP roles.


“Whatever you want to see in NWBC, the choice is yours to enable it”


With this customization of the NWBC launch pad we can do the following:


  1. Access all SAP systems
  2. Execute all backend system reports, e.g. SUIM and SE16 reports
  3. Customize the GRC screens (SPRO) from NWBC itself, with no need to log in to ABAP and use the SPRO T-code
  4. Create users and roles, and develop and configure MSMP, by using NWBC
  5. Run BI-related reports and queries, and many more


Hence you might not need to use SAP GUI since we can customize the NWBC.


The NWBC customization below can be achieved from the web-based NWBC (Internet Explorer). You need to make sure that you have one alias name created for each SAP system (ECC/Portal) from SAP Enterprise Portal (SAP EP) as a portal administrator.


Below are a few examples of NWBC customization:


  1. Accessing Backend systems
  2. Table Access
  3. MSMP Access
  4. BRF Plus Access
  5. Merging NWBC and SAP Login Screen in internet explorer




Step 1.

   Go to SPRO --> Governance, Risk and Compliance --> Configure LaunchPad for Menus

The launch pad shows the GRC (AC, PC & RM) related roles and their descriptions. Before customizing, we need to decide in which work center the customized menus/links should be placed in NWBC. I have chosen the My Home work center in NWBC. For the My Home work center choose the GRACHOME role.


Select the GRACHOME role and double click or choose the edit button.

Step 2:


Select New Folder to create a main menu in the work center and enter whichever text you need.
Here I have given the text My Company Access, and the same will show in NWBC as the main menu. The system will provide a default icon for our customized menu. Save the screen.

Note: You can change the folder name whenever you wish.


Step 3:


Choose newly create Folder name (My Company Access) and select New Application button.


Provide the name of Menu/Link which can be execute from NWBC. Ex Table Access


Select any one of Application Category based on your requirement and find below few of SAP provided Application Categories


BEx Analyzer
BI Enterprise Report
BI Query
BI Webtemplete
Cristal Report
Infoset query
KM Document
Managers Desktop
Portal Page
Webdynpro ABAP


I have selected Application Category as Transaction, once you select Application Category as Transaction, system will request for transaction code. See below:


Note: For one application, you can select only one transaction or one application category.


As mentioned above, select the System Alias; in this example the System Alias is SAP-GRC-AC or Local.


               Image 5.JPG

Click the Advanced Parameters tab.


GUI Type: This is optional; select whichever you need.


               Image 6.JPG

Step 4:

Link to a Repository Application


To add existing SAP Repository objects to the newly created custom folder, follow the process below:


Select My Company Access (the newly created folder) and click Link to a Repository Application. The system opens a launchpad window (marked in green) in which to select an existing role. See the example below, where I have selected GRCIAREPOS.


Double-click the role GRCIAREPOS.


Once you link your custom folder with the SAP Repository Application, you can also add SAP standard links to the custom folder.

               Image 7.JPG

Once you double click Role GRCIAREPOS, you can see below screen:

               Image 8.JPG

Drill down into the GRC_AccessControl menu, select the relevant role that you want in the customized screen, and drag it into the custom folder “My Company Access”.


This option lets us restrict what can be accessed from NWBC, in addition to authorizations.

               Image 9.JPG


Add a separator if you wish to differentiate custom objects from SAP objects.


Select the folder My Company Access and select the Add Separator button. You can now move the links/menus and the separator wherever you need.


               Image 10.JPG

The screens below show NWBC without and with customizing.



NWBC without Customizing

               Image 11.JPG


NWBC Customizing with custom menus


               Image 12.JPG


Example 1: Access SAP system from NWBC

Select the newly created folder (My Company Access) and create a new application.
In Application Category choose Transaction, and in Application Parameter provide SESSION_MANAGER.


               Image 13.JPG


Save and execute NWBC. Go to My Home --> click the link SAP Backend system.


               Image 14.JPG

A new window opens for the SAP backend system; click Start SAP Easy Access. The SAP screen opens in Internet Explorer.


               Image 15.JPG


You can see the SAP screen in Internet Explorer/NWBC


               Image 16.JPG


Example 2: Accessing SAP Backend Tables & Reports from NWBC

Follow the same steps: Create New Application --> provide the link name as Table Access --> select Transaction in Application Category --> provide T-Code SE16

Save --> refresh NWBC and execute


               Image 17.JPG

               Image 18.JPG    


Example 3: Opening MSMP from NWBC


Follow the same steps for this example as well.

               Image 19.JPG

Example 4: Opening BRF Plus application from NWBC

               Image 20.JPG


               Image 21.JPG

               Image 22.JPG


If you select the MSMP Configuration link, you will be redirected to the screen below without any Internet Explorer link option.


Most important customization: Merging NWBC and SAP Screen in Internet Explorer


Configuring the SAP screen and NWBC in one page


As explained above (already given in Example 1):

Select the newly created folder (My Company Access) and create a new application.
In Application Category choose Transaction, in Application Parameter provide SESSION_MANAGER, and set the System Alias to SAP-GRC-AC.

               Image 13.JPG

Go to Advanced Parameters.

In Advanced Parameters select GUI Type: SAP GUI for HTML

Select Initial Screen in the Entries Once Started option

Portal parameter: select INPLACE (Inplace)

               Image 23.JPG

Save and execute in NWBC


Once you refresh NWBC, you can see the link "SAP Backend system"


               Image 28.jpg

Click the SAP Backend system link and you will see the screen below:

Here you can execute all SAP transactions.


               Image 24.JPG

Click the Start SAP Easy Access button.

You will see the SAP screen below, which is similar to the SAP GUI screen.

In this screen everything is the same as in SAP GUI; however, you can also see the NWBC menus. The SAP screen and NWBC are merged in the same screen.


Even without SAP GUI, we can log in to the SAP backend system by using this customization. This customizing will be useful for small devices such as smartphones and tablets. Soon we will be able to run SAP from small devices, depending on accessibility and network (SAP has already launched an Android app for FF ID approval).

               Image 25.JPG

Executing SAP transactions from NWBC

In this example I have executed PFCG. Whatever transaction you execute, you can see the NWBC work centers in the same screen.


               Image 29.jpg




In this way we can customize NWBC without any ABAP or Java knowledge, and we can design and change the screens whenever we need to without spending much time.


SAP has provided the flexibility to customize NWBC based on client requirements.

