Hi All,


I need all your help to get some documents regarding GRC Process Control. I went through all the links which were given by all our friends. I am a bit confused about what to read and what not to read, and about the sequence in which the documents need to be gone through step by step. Can somebody guide me on this?





After having worked on GRC Process Controls (PC) 2.5, 3.0 and also with some hands-on with 10.0, it’s great to have the opportunity to look at the latest SAP offerings within GRC PC 10.1. Ramp-up testing is always a great learning experience and I am lucky to have experienced this one.


I’m sure there is curiosity around the new version and therefore I thought I’d share some of my observations.

Although the look and feel seems similar to 10.0, we do have some new features for Process Controls with version 10.1.


1.  Assessments -> Planner


New survey category introduced within the Planner: “Disclosure Survey”, which can be conducted at Organization, Sub process and Control level.




2.  Assessments -> Questions Library


Two new Question categories have been introduced:

  • Workshop Survey
  • Disclosure Survey


3.   Assessments -> Survey Library


Two new Survey categories have been introduced:

  • Workshop Survey
  • Disclosure Survey



4.  Assessments -> Reports


There have been 3 introductions within the list of PC evaluation reports.

Assessment Survey Details report provides detailed information in addition to the overview Assessment Survey Results report. Some of these details include Question, Answer, Assessment Processor, Comments, Case ID, etc thus providing a deep dive into the assessment details. Earlier versions had drill down capability to fetch such information about assessments. But with detailed reports mass processing becomes much easier.




With the introduction of Disclosure Surveys, 2 new reports related to this survey category have been introduced:

Disclosure Survey Details as the name suggests, provides a deep dive into the survey results.




Disclosure Survey Status as the name suggests, provides information about the status of the survey.



5.   Side Panel


With PC 10.1 we see the introduction of Side Panels. These provide additional overview information which helps us connect, for example, Organizations and assessments in one go, although these may require additional configuration.


6.    SPRO changes


Import and export of business rules functionality is new within GRC 10.1. This functionality will enable SAP delivered business rules (configurable / programmed) to be imported into the GRC system and exported to other systems too by converting them to a downloadable format (like XML).


In addition to the above, with 10.1 SAP has also included features like Role-based Entry pages, Google like search and End to End Evaluations using offline Adobe forms which can be configured based on client's requirements.

I'm sure there is still more that I will discover as I spend more time with GRC PC 10.1. I will keep you posted on more findings and experiences!

With this application, you can use the data that you have replicated from your SAP GRC system to SAP HANA, and monitor, analyze, and, in some cases, act on role-centric reports. SAP Role Analytics is an example of how you can create analytical reports and add functionality that allows you to take action on the analytical data.

The application has these reports:

·         Unused Roles

You can take action to de-provision unused roles.

·         Actively Used Roles

·         Orphaned Roles

You can access the application using an HTML5 supported web browser. The application counts the actively used, unused, and orphaned roles on the GRC system, combines it with the business process information, and displays this data in pie chart format. The default date range for the count is the current year. You can adjust the data by changing the date range, or by selecting filters for role type, landscape, criticality level, and sensitivity.

The default report is Unused Roles. You can choose to display the information in different formats: pie chart, bar chart, table. You can drill down by choosing any of the selectable elements in the charts and tables.





From the available options, select “Orphaned Roles.”


From the Sensitivity filter, when selecting “Confidential,” “Restricted,” and “Classified,” the filter shows the selected 3 of the possible 10 choices under Sensitivity. The result then automatically gets refreshed graphically based on the selection criteria (pie chart).




From the result set, we can switch the pie chart to bar chart.




Double-clicking a specific bar in the graph, say the bar for the business process Quality Management roles, drills down to the list of roles.





          2) UNUSED ROLES



Double click on the “Basis” section of the chart, bringing up a table of the roles and user counts involved.


The filters can be applied to check the roles for a specific landscape, say SAP R/3.





From the list, we can go through each of the roles in the SAP R3 systems that aren’t being used. Even more convenient, we can select to de-provision the role from the affected users. The de-provisioning request is sent directly to the backend Access Control system and the appropriate workflow is used with just one click!

We can continue to use the SAP Access Control Role Analytics application to quickly and easily resolve the remaining unused role issue and address Internal Audit’s concerns.

As of Monday, November 11, 2013, SAP Fraud Management is released to customers in Release 1.1, Support Package 01. SAP Fraud Management, powered by SAP HANA, combines an intelligent and efficient infrastructure for detecting fraud and supporting investigation with the speed and power of the SAP HANA database. With SAP Fraud Management, you can detect fraud in big data environments with unprecedented speed and responsiveness, and you can bind real-time online checks for fraud by SAP Fraud Management into your purchasing, claims management, and other business processes.


With Release 1.1 SP01 of SAP Fraud Management, additional content is available for strengthening your compliance efforts with anti-corruption laws and regulations such as the US Foreign Corrupt Practices Act of 1977 or the United Kingdom’s Anti-Bribery Act of 2010.  This content is downloadable and installable from this wiki page: Extended Anti-Corruption Content with SAP Fraud Management Release 1.1 SP01 - Governance, Risk an...


The anti-corruption content includes the following rules for detecting potential fraud, together with the required customizing and detailed information:

| Scenario | Detection Technology |
|---|---|
| Irregularities in Accounting | Accounting documents posted on non-working days |
| Irregularities in Purchasing | Person or organization on a Politically Exposed Persons (PEP) list found in purchase order item |
| | Purchase order overpaid |
| | Purchase invoice receipt greater than goods received receipt |
| | Partner or vendor in a purchase order item comes from a high-risk country |
| | Changes made to a saved purchase order exceed threshold |
| One-Time Accounts | Multiple postings made to a one-time account |
| | Regular vendor postings made to a one-time account |
| Irregularities in Connection with Vendors | Invoice reference number used more than once for the same vendor |
| | Invoice without reference to purchase order |
| | Split invoices exceed purchasing limit |
| | Suspicious keywords found in invoice item texts |
| | Divergent vendor and payment countries |
| New Business Conflicts of Interest | Turnover of new vendor in first year after initial transaction exceeds limit |
| | Turnover of new vendor between first and second years after initial transaction exceeds limit |
| | Turnover of new vendor in excess of threshold approved by a single employee |
| Irregularities in Vendor Master Records | Vendor master record without bank account details |
| | Flip-flop payee: Alternate payee in vendor master record changed suspiciously (within company code and across company codes) |
| | Flip-flop business: Bank data in vendor master record changed suspiciously |


The downloadable anti-corruption content is provided without cost and without service or warranty.

Parts of the US Export Control Reform went into effect on October 15th, 2013.  Are you ready?


The current system has two different control lists administered by two different departments, Commerce and State, and there are three primary export licensing agencies, Commerce, State, and the Treasury.  A multitude of agencies – Commerce, Defense, Homeland Security, Justice, State, and the Treasury – each have authority to investigate and/or enforce some or all of the export controls, each using separate IT systems that do not intercommunicate.


Why reform? There are many reasons. In addition to streamlining the process, it is for economic reasons.  The current export regulations encourage customers to source from non-U.S. suppliers when possible to avoid the U.S. licensing system. This harms U.S. manufacturers, diminishing their sales and driving up costs to the U.S. military for the same items.  According to a Department of Commerce industry survey, U.S. firms estimated that U.S. firms lost in excess of $2.1 billion annually in sales due to export controls and billions more in lost opportunities to even compete for a sale.


The ongoing reforms are forcing companies to re-evaluate how they comply with these regulations. How do you currently control exports of physical goods, digital goods and technical data? Do you rely on painful manual procedures or custom programming? The ongoing export control reform is a good time to pause and re-consider your current approach. SAP GTS, with NextLabs, can help automate export compliance for physical goods, digital goods and technical data.



From now on you have the chance to explore the High Performance Application SAP Fraud Management completely for free in the cloud. Via the SAP HANA marketplace you can quickly order your free trial access by only pushing a button. Within less than two hours you are able to log on to the system and experience the application's features and great user experience.




Discover how the application supports you with a real time fraud detection to reduce financial loss. Learn how it helps you to minimize false positives through real-time calibration and simulation capabilities on very large volumes of data in order to improve the accuracy of the fraud detection. And see how it combines rules and predictive methods to optimize fraud scenario analysis and adapt measures to changing fraud patterns to better prevent fraud situations from happening.





The free trial version of SAP Fraud Management showcases a preconfigured “basic anti-bribery detection” scenario. In order to get to know all the capabilities of SAP Fraud Management, you have the possibility to start a pilot project running in the SAP HANA Enterprise Cloud. Within the pilot project, you can run the application with your own business data without investments in hardware. The cloud system is ready to use within a couple of days.


Besides the free trial and the pilot projects running in the cloud, SAP Fraud Management is productively available in the cloud as well. Which means that there are two fully supported deployment options for SAP Fraud Management: on-premise or in the SAP HANA Enterprise Cloud.


Sign up for your free trial today and enjoy SAP Fraud Management, powered by SAP HANA.

SAP GRC AC 10.1 Enhancements

GRC consultants might be curious to read about and see the new features that came in GRC AC 10.1. So here comes a glimpse of some key enhancements, and their configuration, that have been incorporated in SAP GRC AC 10.1.


The look and feel of GRC Access Control version 10.1 is almost the same as version 10, except for a few additional options that SAP has included based on customer feedback. The new changes predominantly focus on HANA integration, access request, rule set creation and an enhanced remediation process.

1. Disable link functionality in attachment and Links:

This option helps customer to enable or disable link functionality in access request.

In Access request, by default ‘Add file’ and ‘Add Link’ option are enabled (see below):



We can use the disable ‘Add Link’ option of GRC Access Request to turn off the 'Add Link' functionality.



Disable the link:



Link got Disabled (see below)




2. New connection HANA Database Connection Type


GRC AC 10.1 is provided with a new connection type – HDB (HANA Database).

GRC can be integrated with HANA; or, I would say, instead of Oracle, GRC AC 10.1 can use HANA as the database to store master data. GRC can even do user management for a HANA system, similar to any other SAP system. With HANA, GRC can be used for analytics and can provide analytical reports on roles and users.



If you are using SAP HANA database, make sure that plug-in SAP GRC 10.1 Plug-In SAP HANA is installed.

3. Maintain Firefighter ID role name per connector


GRC AC 10.1 came up with this new feature to maintain Firefighter ID role name per system/connector. Instead of maintaining the SPM role in configuration parameter we can utilize the new option to map FF ID role per connector.


4. Organization rule creation wizard


Sometimes clients use dummy controls or deactivate some risks to avoid false positives. GRC AC 10.1 brings one excellent feature: creating an organizational rule using a wizard to avoid false positives. You can create an Org rule using this wizard and can also download it and upload it in another system. There is no need to bother about the org fields or values which you will use to create the org rule. GRC AC 10.1 will guide you in every possible way.


To create organizational rule you can use below option under IMG or there is an option available in NWBC as well.





Later on we can download and upload the organizational rule using Additional rule upload and download option.





5. Configure Attributes for Role search criteria in Access requests


This feature, I feel, gives more benefit to end users who raise CUP requests on a daily basis.

While raising a CUP request, the requester has to search for a role based on business process, functional area or some other role attributes. Some of the key search criteria are visible straight away, but some others the requester has to add manually.


Now with this new feature we can customize the search criteria screen and make only the important search criteria visible in the search request, so that the requester can fill in the details and search for the roles.

We can even set the default values for those criteria.


Role Search screen


IMG (SPRO) Customization      



     Search criteria got changed as per customization done in above screen.



6. Simplified Access Request


Simplified Access Request is one more excellent feature that will give benefits to requester who does the following frequently:

   1. Assign role to user

   2. Remove role from user

   3. Extend the validity of existing role


With this option users do not have to fill in all the fields which normally appear in a normal access request. The simplified access request form will ask for the least information needed to perform the activity.


See below Simplified Access Request Screen:



Review and Submit: this button is used to review the request for risk and submit it for approval

Save Draft: you can save the access request and can review and submit it later

Open in advance Mode: Open the request in normal access request screen.

Reset:  Reset the fields

Risk Analysis: Run risk analysis on the role selected for provisioning and can even suggest mitigating.



This is an excellent feature which gives us a detailed risk analysis report (risk/role view) and even provides an option to mitigate the risk before submitting the request.

System added roles: It will bring out the default roles or mapped role added by the system itself if any.

This screen is built on UI5 and can be customized by using below four options:


We can customize the display section (User details, Request details and Customer info (not visible by default))


Field levels can also be customized.

We can also set some set of request reasons which can be seen and selected during request creation to save time and effort

There is no separate workflow configuration for the simplified access request. It follows the same MSMP configuration maintained for the normal access request. The request created can be seen under “Work Inbox – Simplified” (see below) in NWBC as well as in the normal work inbox. It follows the same number range. So the processing and working of a simplified access request is the same; only the request submission screen is different.


My Inbox:

To check simplified access request



7. Risk analysis on SU01 Attributes

Sometimes the business wants to perform risk analysis on the SU01 attributes of a user, for example function, department, parameters etc. GRC AC 10 does have this functionality, but at most we can do risk analysis at the user group level only.

In GRC AC 10.1, with this new enhanced feature, we can now create a custom group based on SU01 attributes as shown below and perform risk analysis on the users that have those attributes.

GRC AC 10.1 is integrated with some of the key attributes of SU01, which we can use as selection criteria to perform risk analysis.




     Following are the attributes available:



Enter some attributes, search the users and perform the risk analysis.

We can save it as well so that same can be used later.

8. Remediation View

This is one of the best features and will be very much appreciated by the business.


The main task, or I would say pain, that starts after implementing GRC AC is to make all users SOD free, i.e. clean. For this we have to download the user level detailed report and then analyze the root cause to see whether we can remediate or mitigate to be clean. The business takes a lot of time analyzing the report and deciding on the solution.


Now GRC AC 10.1 has come up with a remediation view report where the business itself can analyze all aspects of a risk, and which also helps the business take the decision to be clean. This will save a lot of the business's time and can effectively guide the business to take a decision to be SOD clean.


GRC AC 10.0 had a technical and a business view of risk analysis. Now GRC AC 10.1 has come up with a new view called “Remediation View”.



  Risk Analysis report:



This remediation view report provides a lot of options to remediate the risk then and there.

We can mitigate the user on risk and rule from this screen itself. See below:



Or else we can remove the role by selecting the remove role option. See below:

One of the greatest features of GRC AC 10.1 comes into action when you choose remove role from the remediation view screen: a Change Account Access Request automatically gets created for removal of the role from the user. See below:



That means we can initiate remediation (removing role) or mitigation (assigning control) for user from this screen. No need to download the report and then analyze the report to take a decision.

This view also provides all sort of detailed information on user, role and risk. To get the information click the user, risk, rule and role (all bold text). See below:




Note: GRC AC 10.1 runs smoothly on IE 9 and Chrome. New features like Remediation View and Simplified Access Request mandatorily need IE9 and Chrome. Remediation View will run in SAP Access Risk Analysis only when an SAP NetWeaver Gateway connection is established. Please configure SAP NetWeaver Gateway as per the GRC AC 10.1 installation guide “ACPCRM_10-1_INSTALL”.

Governance, Risk, and Compliance are some of the terms which almost everyone is afraid of. Process audits can be disastrous if these terms have not been given deep thought while analysing, designing and operating the various processes running within the organisation. Processes can make or break an organisation; if processes are non-compliant and expose an organisation to a range of risks, it's better to get rid of them, as they may cost you and your organisation a fortune.

Processes define the character of an organisation, as they govern the behaviour, strategies, future and ultimately the destiny of an organisation, very much like values, habits and traits define the character of an individual and help in triumphing in the journey of life.

For better process governance and to avoid risks, businesses continuously or periodically check the processes. This gives the business an opportunity to get insight into the process and its exceptions, and to verify the input and output data to check if it is compliant.


The Tool: Security Weaver- Process Auditor


Recently, I got the opportunity to work on a GRC tool from Security Weaver. In this blog, I am sharing my implementation experiences on “Process Auditor -PA”.


Process Auditor also called Security Weaver-PA, is a bolt-on solution to SAP and does not need any additional portal/web access. This tool is well integrated with SAP and therefore does not need full range of batch jobs to run to pull data from SAP database, the actual tool can be accessed through SAP GUI once the user logs in. The tool can be called with the help of transaction codes (/n/PSYNG/PA) within SAP. Access to tool can be controlled by SAP authorisations.


Process Auditor- “Controls”:


The Process Auditor tool comes with its own standard “Controls”, which can be easily implemented as per business needs and requirements. The tool gives a perfect platform to further customise and develop these basic standard controls, as per business needs. These controls cover all business areas and SAP modules. Some of the high interest controls which shall pick business attention almost immediately are:


Purchasing controls: (PTP)

  1. Duplicate vendor invoices
  2. Duplicate vendor payments
  3. Employees and vendors with the same bank details
  4. Purchase Req and corresponding Purchase Order approved by same person
  5. Duplicate vendors in the system, having same bank details
  6. Employees and Vendors with Same Name or Address
  7. Changes in Payment Terms for customer or Vendors


Sales controls: (OTC)

  1. Ageing Analysis of Sales Returns
  2. Employees and customers with the same bank details
  3. Changes in Credit Exposure for Customer by Credit Control Area
  4. Credit Check in Sales Order Processing
  5. Sales through One time Customers
  6. Credit Exposure for Customer Risk Category
  7. Changes in Payment Terms for customer or Vendors
  8. Sales Cancellation


Finance controls: (RTR)

  1. GL Account Changes Company Wide
  2. Monitoring Exchange Rate Changes
  3. Employees and Vendors with same Bank accounts
  4. Changes in Bank Details in Vendor Master
  5. Journal Entries Posted and Parked by the same person


System controls: (IT)

  1. Detect Changes Made in Production Client Settings
  2. Detect Unauthorized Changes in Technical Settings of Tables
  3. Detect SAP Data Transport By Unauthorized User
  4. Detect ABAP Programs Not Assigned To Authorization Group


In essence, these controls can cover SAP configuration, master data and transactional data aspects to touch base with every process running in your organisation to identify the potential risks.

The tool further gives an excellent platform to customise these standard controls and help in preparing a framework to run these controls with a logical approach.


Output of a control run:

The outcome of the control run is potential risk “cases” which have got the data records identified. A case may have several data records as per the definition of the control. The control can have the business ownership within the tool and therefore the cases generated will also have the business owner who will take action on these cases or can delegate someone to take action further.

These records within the case generated, are then analysed by the business and appropriate action is taken on data records or cases can be closed with suitable comments without action.

Over a period, the tool can hold full history of these control runs and appropriate actions & comments filled in by the business owners.


An example of control- Duplicate vendor invoice/payment control:

Many people would say that identifying duplicate vendor invoices is an easy task: we can design a report to cross-check the SAP invoice reference number (vendor invoice number) and identify if these numbers are the same. It's not that simple: as this reference number is manually keyed in, there are chances that a space, additional number or fake invoice number has been keyed in. An invoice can be created with or without a PO reference, or with different vendor accounts which belong to the same vendor.

Moreover, a typical SAP system may also have some invoicing tools as interfaces, which are sending invoices into the system like e-invoicing tools OB10, Ariba etc.

Also, there are other payment channels and processes outside accounts payable like direct debit, BACS, CHAPS, procurement card payments, one-time vendor payment, subsequent debit, advance against PO etc. The duplicate invoice might be a week or 15 months old; you are not sure.

We actually need to consider all channels of payments and invoicing, potential vendor master data duplication, invoice amount, currency, invoice date, vendor bank details, finance journal postings etc. There are companies which give consulting services just to identify duplicate vendor invoices and charge a percentage of the identified duplicate amounts for their services.

With the help of Process Auditor, we could consider all aspects of vendor invoicing and payments as mentioned above and could easily enhance the controls to our business needs. Now we have a framework covering all aspects to identify vendor duplicate payments. This is protecting the business from paying any duplicate vendor invoice. It has also reduced a lot of the manual work which goes into identifying such duplicates.

Over a period the project costs will be covered by the corresponding savings made by the business.

I hope I could cover all aspects of Security Weaver – Process Auditor controls to give you glimpse of the tool features and how it can help in auditing the processes.



Ravi Pachauri 
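
The matching problem described in the post above (hand-keyed reference numbers, several vendor accounts for one vendor, postings a week or 15 months apart), as an added Python example that is not Security Weaver Process Auditor code and not from the post's author. The record fields, rule names and sample data are constructed assumptions; the two rules shown are one possible reading of the criteria the post lists (reference, vendor bank details, amount, currency, invoice date).

```python
"""Duplicate vendor invoice candidates: added illustration, not Process Auditor code."""
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal
from itertools import combinations

# Constructed sample data; field names are assumptions, not SAP table fields.
VENDORS = {
    "V100": {"name": "Acme Tools Ltd", "bank": "GB00-TEST-0001"},
    "V245": {"name": "ACME Tools Limited", "bank": "gb00 test 0001"},  # second account, same bank
    "V300": {"name": "Birch Supplies", "bank": "GB00-TEST-0777"},
}


def inv(doc, vendor, ref, amount, inv_date, posted, po=None):
    """Build one constructed invoice record."""
    return {"doc": doc, "vendor": vendor, "ref": ref, "amount": Decimal(amount),
            "cur": "GBP", "inv_date": inv_date, "posted": posted, "po": po}


INVOICES = [
    inv("5100001", "V100", "INV-00123", "1200.00", date(2013, 1, 10), date(2013, 1, 14), "4500001"),
    # Same invoice re-keyed 15 months later, other vendor account, no PO reference.
    inv("5100002", "V245", "inv 123 ", "1200.00", date(2013, 1, 10), date(2014, 4, 14)),
    # Same invoice with an extra digit keyed into the reference, a week later.
    inv("5100003", "V100", "INV-001231", "1200.00", date(2013, 1, 10), date(2013, 1, 21), "4500001"),
    # Same reference and amount, but a genuinely different vendor.
    inv("5100004", "V300", "INV-00123", "1200.00", date(2013, 1, 10), date(2013, 1, 15)),
    # Legitimate next invoice: same amount, different reference and invoice date.
    inv("5100005", "V100", "INV-00456", "1200.00", date(2013, 2, 10), date(2013, 2, 12), "4500002"),
]


def normalize_ref(ref):
    """Upper-case, drop spaces/punctuation and leading zeros of digit runs."""
    s = re.sub(r"[^A-Z0-9]", "", ref.upper())
    return re.sub(r"(?<!\d)0+(?=\d)", "", s)


def vendor_entity(vendor_id, vendors):
    """Collapse vendor accounts that share bank details into one entity."""
    bank = re.sub(r"[^A-Z0-9]", "", vendors[vendor_id].get("bank", "").upper())
    return "BANK:" + bank if bank else "VENDOR:" + vendor_id


def find_duplicate_candidates(invoices, vendors):
    """Return (doc_a, doc_b, rule, days_between_postings) for review.

    SAME_REF:         same vendor entity and same normalized reference,
                      regardless of how far apart the postings are.
    SAME_AMOUNT_DATE: reference differs, but vendor entity, amount,
                      currency and invoice date all match.
    """
    by_entity = defaultdict(list)
    for rec in invoices:
        by_entity[vendor_entity(rec["vendor"], vendors)].append(rec)

    findings = []
    for group in by_entity.values():
        for a, b in combinations(group, 2):
            ref_a, ref_b = normalize_ref(a["ref"]), normalize_ref(b["ref"])
            same_money = (a["amount"], a["cur"]) == (b["amount"], b["cur"])
            if ref_a and ref_a == ref_b:  # blank references never match each other
                rule = "SAME_REF"
            elif same_money and a["inv_date"] == b["inv_date"]:
                rule = "SAME_AMOUNT_DATE"
            else:
                continue
            gap = abs((a["posted"] - b["posted"]).days)
            findings.append((a["doc"], b["doc"], rule, gap))
    return findings


if __name__ == "__main__":
    for doc_a, doc_b, rule, gap in find_duplicate_candidates(INVOICES, VENDORS):
        print(f"{doc_a} vs {doc_b}: {rule}, postings {gap} days apart")
```

Each finding is a candidate for a business owner to review, not a confirmed duplicate; an exact comparison of the raw reference numbers alone would have found none of the three pairs.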

To activate the End User Logon screen and maintain the logon information, do the following:


  1. Execute transaction SICF.
  2. In the Service Name, enter the name of the service - GRAC_UIBB_END_USER_LOGIN
  3. Click the Execute button.
  4. Under the Virtual Hosts / Services column you will see the selected service. Double click on this service name.
  5. Click on the Logon Data tab.
  6. Click on the Pencil icon to go to change mode.
  7. Enter the information for the client, shared user, language and password; the user should be of type Internet User.


Note: Create the user with the below roles; the user type is service type.


8. Click on save.


Follow the same procedure for all the services mentioned below. Maintain the same user details in all the services; the user should be of type Internet User.












  1. Save the entry and navigate back to the Maintain Service screen.
  2. Right-click GRAC_UIBB_END_USER_LOGIN, and then choose Test Service.
  3. The End User Logon screen appears. The http URL displayed in the browser's address window is the End User Logon URL.
  4. To set the links the application displays on the End User Logon screen, continue with the following steps:
  5. In the URL window of the browser (from step 4), append this to the end of the URL: &SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/123 and press Enter. The Logon screen appears.
  6. Enter your username and password, and log onto the system. The End User screen appears.

If you get any login errors such as “user ID does not exist”, then you need to maintain “User Authentication Data Sources” as SU01 (if you have an HR system, select HR) and set “End User Verification” to NO in Maintain Data Sources Configuration.

8. To make a link invisible, right-click the link and select Settings for Current Configuration.

9. Select Invisible, Save the entry, and then close the browser.



Rajesh Srisailapu.

This blog is intended to outline future product direction, and is not a commitment by SAP to deliver any given code or functionality. Any statements contained in this blog that are not historical facts are forward-looking statements. SAP undertakes no obligation to publicly update or revise any forward-looking statements. All forward looking statements are subject to various risks and uncertainties that could cause actual results to differ materially from expectations. The timing or release of any product described in this document remains at the sole discretion of SAP. This blog is for informational purposes and may not be incorporated into a contract. Readers are cautioned not to place undue reliance on these forward-looking statements, and they should not be relied upon in making purchasing decisions.


  • SAP AC on HANA
  • Enhanced User Interface - Corbu Theme
  • Context-Based Side Panels
  • New Access Request and Approval Forms - Simplified & streamlined interface
  • Remediation View – unified remediation processes from one location
  • Custom User Groups
  • Reporting and Dashboard improvements
  • Dashboard Drill Through and Analysis
  • Decentralized Firefighting (SAP Access Control 10.0 and 10.1)
  • Role Search Personalization
  • Business Role Improvements

A common need for many companies is to customize access request and approval ABAP Web Dynpro screens of 10.0 and 10.1 based on the business requirements. Though the IMG customizing in SAP GRC access control provides some alternative to accomplish this, there is another Web Dynpro feature which can be utilized to do additional screen modifications without any additional coding effort for all the users.


The steps below explain it for the access request submission and approval screens:


Access Request Submission

1. Go to Transaction SE80 and Open package GRAC_ACCESS_REQUEST.


2.  Drill down to Web Dynpro->Web Dynpro Application


3. Select the application GRAC_OIF_REQUEST_SUBMISSION and double click


4. From the menu choose Web Dynpro Application-> Test -> In Browser - Admin Mode


5. Hiding Field/Tab


       i. Place the cursor at the field or the tab that needs to be customized and right click and choose 'Settings for Current Configuration'.


ii. Change the Visibility property to 'Invisible'. Save and Close.



6. Customizing ALV


i. Place the cursor at the ALV to be customized e.g. ALV under User Access tab and right click and choose 'Settings for Current Configuration'.


ii. Add/Remove columns, change sequence etc. Save and Close


7. The above steps can also be done for other UI elements present on pop-ups that open through the access request submission screen, like Existing Assignments etc.

8. Launch the access request submission through NWBC to see the effects



Access Request Approval

Modifying the access request approval screen is a little tricky, as it requires a GUID to be passed externally in the URL; apart from that, the other steps are similar to the access request submission explained above.


1. Go to Transaction SE16 and Enter table name as GRACREQ, enter any request number in REQNO field.


2. Click execute button and copy the value of field REQ_ID


3. Select the application GRAC_OIF_REQUEST_APPROVAL and double click


4. From the menu choose Web Dynpro Application-> Test -> In Browser - Admin Mode



5. Below dump screen will be launched initially.


6. Append the string &OBJECT_ID=ACCREQ/<REQ_ID copied in step 2> e.g. &OBJECT_ID=ACCREQ/4CC001105B2A42DCE10000000A421B2B in the URL displayed in Step 5. Approval screen should be launched correctly after that.


7. Customize the UI similar to how it was done for access request submission screen.


The above process can be done for any Web Dynpro application. To find the Web Dynpro application name, right click on any ABAP Web Dynpro screen and choose option More Field Help.



Note: This blog does not give details about the creation of Business Roles or related initial activities. It deals only with the functionality that is enhanced, and the new behaviour of Business Roles.



The functionality related to Business Role is enhanced in SP13 to support the removal of single roles that are part of business role, based on the validity. Also, the roles which are specific to the business role will be removed from user, when a business role is selected for removal.


Below are more details of the scenarios.

1) Assign two Business roles to a user, each having two Technical roles, where one of the technical roles is common to both business roles (say BR1 having T1 and T2 and BR2 having T2 and T3).

Till SP12: When trying to remove one Business Role (say BR1), the common technical role (T2) is also getting removed from the backend system which actually was assigned through other Business role (BR2).

2)  Assign one Business Role having two technical roles (say B1 having T1 and T2) to a user, also assign one of the technical roles directly to user (say T1).

Till SP12: When trying to remove the single technical role (T1), the technical role (T1) assigned through business role is also removed from the backend system, irrespective of the validity with which business role and single technical role is assigned.



From SP 13 Onwards:

Validity dates are considered for role removal, below is description of scenarios about how role removal will work.

1) Assign two Business roles to a user, each having two Technical roles, where one of the technical roles is common to both business roles (say BR1 having T1 and T2 and BR2 having T2 and T3).

SP13 Onwards: When trying to remove one Business Role (say BR1), it will be completely removed without affecting the assignments through Other Business role (BR2), i.e. assignment of T2 and T3 through BR2 will remain unaffected.


2) Assign one Business Role having two technical roles to a user (say B1 having T1 and T2) with validity Period say 01.01.2012 to 31.12.2013. Also assign one of the technical roles (say T1) of business role, directly to user with same validity as of Business role (i.e. 01.01.2012 to 31.12.2013).

SP13 Onwards: When trying to remove the single technical role that is directly assigned:

a)  If parameter 4011 is set to NO only the single technical role (T1) will be removed and assignment of T1 and T2 through Business Role remains unaffected.


b) If parameter 4011 is set to YES, then the single role (T1) assigned to the user directly as well as the single role (T1) assigned through the business role are removed. Since the business role assignment is now partial, the other technical role (T2) that was assigned as part of the business role is reflected in existing assignments as if it were directly assigned to the user and is no longer part of the business role. Apart from this, at the time of request generation as well as at all the approval stages, a warning message appears: "Role <Role_name> (T1 Here) is a part of Business role of user".



3)  Assign one Business Role having two technical roles to a user (say BR1 having T1 and T2) with a validity period say 01.01.2012 to 31.12.2013. Also assign one of the technical roles of business role (T1), directly to user with different validity as of Business role say 02.02.2012 to 30.11.2015.

SP13 Onwards: Now on removing the single technical role (T1), only the single role assigned directly (T1 with validity dates 02.02.2013 to 30.11.2015) will be removed irrespective of parameter 4011 as the validity for the assignment through business role is different.


4)  Assign one Business role having any number of technical role to a user (say B1 having T1, T2, T3, T4). On trying to remove (say T2) directly via access request:

SP13 Onwards:

a) If parameter 4011 is set to NO then the end user will not be able to create a request and an error message "Role <Role_name> cannot be deleted as it is part of business role of user" will be generated.


b) If parameter 4011 is set to YES then request will be created with a warning message "Role <Role_name> (T2 here) is a part of Business role of user", which will also appear at the time of approving the request.
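The SP13 scenarios above can be condensed into a small decision model. This is an added Python sketch, not SAP code: the `Assignment` and `Outcome` types, the status strings and the ISO validity dates are assumptions made for the illustration, while the two message texts are the ones quoted in the scenarios.

```python
from dataclasses import dataclass, replace
from typing import NamedTuple, Optional

WARN = "Role {r} is a part of Business role of user"
ERR = "Role {r} cannot be deleted as it is part of business role of user"

@dataclass(frozen=True)
class Assignment:
    role: str                  # technical role, e.g. "T1"
    valid: tuple               # (valid_from, valid_to), constructed ISO dates
    via: Optional[str] = None  # business role it came through; None = direct

class Outcome(NamedTuple):
    status: str        # "removed", "blocked", "created_with_warning", "not_assigned"
    assignments: list  # the user's assignments afterwards
    messages: list

def remove_business_role(assignments, br):
    """Scenario 1: only rows that came through `br` go; a role shared
    with another business role stays assigned through that one."""
    return [a for a in assignments if a.via != br]

def remove_single_role(assignments, role, param_4011):
    """Scenarios 2-4: removal of one technical role via access request."""
    direct = [a for a in assignments if a.role == role and a.via is None]
    via_br = [a for a in assignments if a.role == role and a.via is not None]
    if not direct and not via_br:
        return Outcome("not_assigned", list(assignments), [])
    if not direct:  # scenario 4: the role is held only through a business role
        if not param_4011:
            return Outcome("blocked", list(assignments), [ERR.format(r=role)])
        # The post describes only the request and its warning for this case,
        # so the model leaves the assignments untouched.
        return Outcome("created_with_warning", list(assignments), [WARN.format(r=role)])
    # Scenario 2 vs 3: the business-role copy is touched only when its
    # validity equals that of the direct assignment and 4011 is YES.
    same = [a for a in via_br if a.valid in {d.valid for d in direct}]
    drop, broken, msgs = set(direct), set(), []
    if param_4011 and same:
        drop |= set(same)
        broken = {a.via for a in same}  # these business roles become partial
        msgs.append(WARN.format(r=role))
    # Remaining roles of a partial business role show up as direct assignments.
    kept = [replace(a, via=None) if a.via in broken else a
            for a in assignments if a not in drop]
    return Outcome("removed", kept, msgs)
```

Running the scenarios through such a model before changing parameter 4011 shows which users would end up with a partial business role and roles that appear as direct assignments.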

What is influence?  Do I have influence? How can one customer make a difference?  Is SAP really listening to my requirements? 


These are all questions that you may have.  Speaking from experience, you do have influence.  You could be the one person needed to take an idea from an enhancement request to a functional requirement.  SAP does listen. But to ensure that accepted functional requirements are a collaborative solution, SAP looks for ideas that are supported by a minimum of five installed customers.  And we need your ideas and support – now.


Currently GRC Access Control 10.1 is in ramp up for several SAP customers.  In this period between ramp up and general availability, SAP is requesting feedback on the latest functionality, and has engaged with us to do so.  Although SAP has great ideas, there are always usability improvements that increase the acceptance of an application's design.


If you currently have GRC Access Control 10 installed or you are part of the GRC Access Control 10.1 ramp up process, now is the time for you to provide your ideas to SAP.  If you would like to participate, you have until September 20, 2013 to submit your ideas.  The longer you wait, the less likely you will have four other customers to review and support your enhancement request.


Why does my voice matter?


It’s worth getting your feedback in and your voice heard.  I have found that SAP is moving past just getting the application to work without defects, and instead, is now working on improving its usability.  And now that GRC AC 10 has been in productive use for a couple of years, customers have great ideas for improving the usability of the application.


When I think of usability I pretend to be the user and validate that the application is intuitive.  Can an untrained user launch an application without any training or knowledge transfer?  Is a user required to enter the same data in more than one field?  If one application has performed an update such as deleting a user’s access, are other related master data elements deleted or made inactive?  Does the application have the proper security or change management controls available?  If two different users test an application, are they both happy with the functionality?


One huge way a customer can influence the usability of the application is to participate in user group influence opportunities and customer connection programs.  As my company participated in the GRC 10 ramp up process, I used the influence options to increase usability, reduce complexity, and add missing functionality.


How do I get involved?


Access to the GRC Access Control 2013 Customer Connection process is restricted.  If you would like to participate, send an e-mail to katrin.pietsch@sap.com requesting to participate in the GRC Customer Connection for 2013.  Once you have access to the site you can use this link to go directly to the site: https://cw.sdn.sap.com/cw/community/influence/.  Then you will scroll down and select the “GRC Access Control 2013” link. 

I hope to see you there soon as we can influence change with your help.

In MSMP, Access Controls 10.0 and 10.1 provide an extremely flexible and powerful tool to configure Access Control workflows. In this blog we will try to understand some basic concepts about MSMP and BRF+.

Before we can start creating any BRF+ rule for MSMP, we need to understand the difference between an MSMP BRF+ rule and a BRF+ flat rule (lineitem by lineitem). The logic executed in both rules is the same; the difference is in the input, the output and the way it is processed.


Following are some of key differences:



1.) MSMP BRF+ flat rule (lineitem by lineitem):

This rule is called flat rule or lineitem by line item rule because this rule is called by MSMP multiple times, once for each lineitem. So if in access request you have added 3 roles/systems, then this BRF rule will be called 3 times. As an input to this rule, MSMP sends detail of one lineitem at a time and this BRF rule provides result for that one lineitem only. BRF+ flat rule is easy to create as no loop is required and only one decision table (or other expression) is required for the logic. For example, consider an access request with 3 roles/system. In this case the BRF flat rule is called 3 times by MSMP with following input and output:


Input provided by MSMP to BRF+ flat rule in first call:

Item Name | System | Role Type | LINEITEM KEY | ...



Output given by BRF+ to MSMP in first call:  

Lineitem Key | Rule Result




Input provided by MSMP to BRF+ flat rule in second call:

Item Name | System | Role Type | LINEITEM KEY | ...



Output given by BRF+ to MSMP in second call:  

Lineitem Key | Rule Result




Input provided by MSMP to BRF+ flat rule in third call:

Item Name | System | Role Type | LINEITEM KEY | ...



Output given by BRF+ to MSMP in third call:  

Lineitem Key | Rule Result



So the flat rule is called once for each lineitem, which makes it easier to create: no looping is required, unlike in the case of the BRF+ rule.




2.) MSMP BRF+ rule:

In this case, all the lineitems (roles, systems and FFID...) present in the Access Request are sent to the BRF rule in the form of a table. After processing, this rule has to return a table with lineitem key and result. For example, in the case of an initiator rule, the input to the BRF rule can be the following table. The roles/systems shown here are the ones that are added to the access request.



INPUT sent by MSMP to BRF+

Item Name | System | Role Type | LINEITEM KEY | ...



For the above input, the output of BRF rule will be something like following:

OUTPUT given by BRF+ to MSMP

Lineitem Key | Rule Result


Please note that we have not shown the decision table which contains the logic to determine the path in the case of an initiator rule. Since the complete request details are sent by MSMP to the BRF+ rule for execution, this rule is called only once by MSMP. Hence the logic to loop over all the lineitems has to be implemented within the BRF+ rule. The decision table or other condition is called within the loop so that it is executed for all the lineitems one by one.






Key differences between BRF+ rule and BRF+ flat rule are again summarized below:




BRF+ Flat Rule | BRF+ Rule
--- | ---
1.) Executed multiple times, once for each lineitem | 1.) Executed only once
2.) Details of one lineitem at a time passed to BRF rule by MSMP | 2.) Complete request details passed to BRF rule by MSMP in form of a table
3.) Output of flat rule is result of one line item only | 3.) Output of BRF+ rule is complete table with all lineitems
4.) Easy to create as no loop is required | 4.) Complex as compared to flat rule as loop is required
5.) Some of business cases not possible in flat rule | 5.) Almost all business cases can be achieved by BRF+ rule
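The two calling contracts compared above, modelled in Python as an added illustration (this is not BRF+ or MSMP code). The request rows, path names and function names are constructed; the columns are the ones listed in the input and output tables. The request-wide rule is one constructed instance of a case that a flat rule cannot express, because it needs to see every lineitem at once.

```python
# Constructed access request with three lineitems.
REQUEST = [
    {"lineitem_key": "K1", "item_name": "ROLE_A", "system": "DEV", "role_type": "SIN"},
    {"lineitem_key": "K2", "item_name": "ROLE_B", "system": "PRD", "role_type": "SIN"},
    {"lineitem_key": "K3", "item_name": "ROLE_C", "system": "DEV", "role_type": "SIN"},
]

def decision_table(item):
    """Hypothetical logic shared by both rule kinds: choose a path by system."""
    return "PATH_PROD" if item["system"] == "PRD" else "PATH_DEFAULT"

def flat_rule(item):
    """Flat rule: receives one lineitem, returns the result for that lineitem only."""
    return {"lineitem_key": item["lineitem_key"], "rule_result": decision_table(item)}

def msmp_call_flat(items):
    """How MSMP drives a flat rule: one separate call per lineitem."""
    results = [flat_rule(item) for item in items]
    return len(results), results  # (number of rule calls, collected results)

def brf_rule(items):
    """BRF+ rule: called once with the whole table, so the loop lives in the rule."""
    return [{"lineitem_key": i["lineitem_key"], "rule_result": decision_table(i)}
            for i in items]

def brf_rule_request_wide(items):
    """Needs the full table: one PRD lineitem sends every lineitem down PATH_PROD."""
    any_prod = any(i["system"] == "PRD" for i in items)
    return [{"lineitem_key": i["lineitem_key"],
             "rule_result": "PATH_PROD" if any_prod else decision_table(i)}
            for i in items]
```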






TIPS for Reviewing your SAP GRC Rule Set for Completeness and Relevance


SAP GRC provides a rule set out of the box that is relevant for most companies. The rule set has to be reviewed regularly as your business needs and the functionality in your SAP system change. Here are some tips for reviewing your SAP GRC rule set.

Industry Specific Rule Set:

SAP GRC Rule set does not cover all the specific industry niches. So you may have transactions which are specific to a specific industry and you may not be analyzing the risk based on your industry specific transactions. 

For example, in the Federal Government area most of the risks are based not on sales but on funds management.  So some of the risks have to be turned off and new SAP GRC Risks have to be added to the Rule set.


Functionality Specific Rule Set: 

There are two schools of thought here. One option is to turn off the risks if you are not implementing a specific functionality. The other option is to keep them ON, so you can see why people are having the risk when the functionality is not being used.

It is better to keep the risks turned on so you can see if the risks are showing up within the SAP users or SAP Roles.  If you are not using HR Functionality and if 50 % of your users are showing SAP HR Risks then there is a bigger problem.

This indicates that your role design is out of sync and that transactions belonging to functionality which has not been implemented have been included in your roles.


Customer Specific Rule Set:

In this scenario you will have custom SAP transactions or Standard SAP transactions which have been configured to behave differently.  These transactions have to be added or removed based on the situation. 


One of the key areas to focus on is custom SAP transactions developed internally, which are usually ignored.

