SAP GRC: Data Structures & Mapping

SAP GRC employs complex relationships among functions, actions, permissions, risks and owners; for instance, BP represents business processes, while ACN represents function actions, and MOA describes risk descriptions.

SAP GRC does a good job of understanding uploaded content by aligning all elements in 10 file templates, using our naming convention as a reference during the setup of files and assigning names based on that convention.

However, SAP GRC doesn’t impose rigid restrictions when assigning names; keeping things intuitive will aid analysis more readily.

Once configured, delete sample entries to ensure a successful upload, review empty templates for potential population, and prepare them for new data population.

SAP GRC: Independent Business Processes

One key benefit of working with SAP GRC is its independence of business processes from any particular system.

Even though only three functions were developed for testing purposes, SAP GRC still collected an abundance of data demonstrating its capacity for independent generation of information.

Step two was crucial to the VP solution, and only two functions emerged; these two functions had been assigned S4 HANA groups in SAP GRC; when we selected our connector group description earlier, this helped narrow our results further down to just those entities.

Rule Generation in SAP GRC

SAP GRC requires each function associated with sensitive access risks to be assigned only one category at a time; otherwise, it would flag it immediately and prevent its updating.

Initially, an extra function was removed by pressing “Save”, and everything updated smoothly afterwards.

For additional insight into new risk rule entries created within GRACACTRULE tables as they became visible, they provided invaluable data analysis opportunities!

Executing the query using the Risk ID initially resulted in no results as SAP GRC had yet generated no rules.

Once opened again and clicked to generate rules again, both action- and permission-level rules were successfully generated and validated through table refreshes.

SAP GRC: Access Risk Configuration

As my exploration of SAP GRC progressed, my attention shifted toward its configuration parameters for risk analysis.

While SAP GRC offers default values for most things, its true power lies in its flexibility – these parameters can be customised to suit specific business needs.

Rule Set in SAP GRC is one of the critical parameters. This set determines which access combinations should be flagged as risky; for instance, if one person functions both as creator and approver across multiple plants, SAP GRC helps detect that subtle segregation-of-duty violation.

SAP GRC also features the option ‘consider all rules for other applications’ to reduce false positives and negatives and sharpen analysis more precisely.

This optional but insightful feature helps decrease false positives/false negatives, allowing more precise analysis in SAP GRC.

SAP GRC: Default Configurations

One of the initial observations made after diving into SAP GRC was its default scan analysis–an easy process.

User Type = Dialogue and same when pulled through the frontend interface; Risk Levels include low, medium, high and critical;

There’s much packed into SAP GRC that may not be immediately obvious at first glance; one such aspect recommended for testing is offline scan analysis.

With offline data selection comes added flexibility if risk analysis needs to run independently of real-time systems.

SAP GRC: Storage & Mount Management

Once a backend analysis job is scheduled in SAP GRC, deciding where the results will be stored will be the next step.

From databases and file paths to cloud solutions, SAP GRC makes this decision straightforward and effortless.

SAP GRC allows me to easily specify an IP path and mount point from within the OS level when I require storage on an independent server, making this feature particularly advantageous in tech environments where flexible storage solutions matter.

I worked closely with our basis team to establish mount points used directly by SAP GRC to store job results safely.

SAP GRC: Connector Grouping

Preference was given in selecting this group to align transaction codes and backend connectors properly, with seamless data loading from TT-0 CLNT-9N when connected through SAP GRC – exactly as anticipated!

These connector groups serve an integral purpose; they connect the SAP GRC interface and backend configuration logic, making setting up permissions much simpler.

By properly using them, the permissions setup becomes much less cumbersome and complex.

SAP GRC: Authorisation Maintenance

Setting up transaction codes like BP via SAP GRC helps maintain permissions directly. When decision sync jobs run successfully, SAP GRC effortlessly compiles this data into action tabs for actionable use.

SAP GRC makes even the authorisation objects related to particular transaction codes readily accessible, further strengthening its depth and capacity to handle complex configurations without manual lookup.

SAP GRC: Function Creation

SAP GRC now includes a function designed to address potential conflicts arising between master data creation and purchase order creation.

This function, named ZPR_02 under business process P2P_S4 with task ‘Maintain Purchase Order,’ appeared to use transaction ME21 but showed as inactive permissions.

Initially, authorisation objects had to be manually activated in SAP GRC for testing purposes to ensure accurate alignment with the functional and testing goals. By clicking ‘Save,’ this configuration was locked in permanently.

Manual entry options were also explored by including B_BUPA_RLT with specific RLTYP and ACTVT values to define further risk conditions related to the user accessing BP for particular activities.

These adjustments helped define risk conditions based on user permission to the platform as well as particular activities within it.

SAP GRC: Technical Role Simulation

Simulation was achieved by inputting system ID TT0, client 900, test user ID and S4 rule set as input values.

SAP GRC then asked users to choose whether to simulate using roles, profiles or actions. Roles were selected based on previous knowledge that adding certain positions may trigger risks.

SAP GRC was used to add the GTEST_BP role and run a simulation. SAP GRC correctly identified that there was an increased risk due to this addition; yet, when simulating a user without a conflicting role previously, there were no violations detected, highlighting the importance of assigning roles accurately.

SAP GRC: Action-Level Simulation

SAP GRC was then used for action-level simulation, simulating transactions BP and M201 directly instead of assigning roles; SAP GRC then identified risks at this level due to these transaction codes as contributing sources for access conflicts.

Next, SAP GRC was used to assess the permissions associated with these actions. By default, all permissions provided through SU24 would be included by GRC.

Permissions such as ACT01 and ACT02 were intentionally removed to see their impact. Without these permissions, SAP GRC displayed risks only at the action level–none were detected at the permission level.

This test demonstrated a necessary SAP GRC behaviour: If transaction codes exist but their respective authorisation objects (ACT01 or ACT02) do not, the system highlights an action level risk as soon as ACT01 or ACT02 objects become unavailable.

SAP GRC: Permission Testing Setup

At this final phase, all default permissions were manually altered by adding specific ones back to rerun the simulation, and SAP GRC flagged any risks depending on how each permission linked with its transaction code.

SAP GRC demonstrated its strength by accurately reflecting risks at both action and permission levels when adding Act 01 and Act 2 under Transaction Code BP, showing just how tightly SAP integrates authorisation objects and transaction codes to assess access risks. This exercise showed how closely integrated authorisation objects and transaction codes were in access risk assessment.

SAP GRC: Role Simulation Risks

Task was assigned: add Transaction Code BP into Role M221, intended for purchase order processors.

Although initially this suggestion appeared unrealistic, SAP GRC Simulation Mode was utilised first to assess any negative ramifications.

SAP GRC revealed why so many trust it for decision support: its instant alert of potential risks proved that SAP GRC makes confident choices without risk.

SAP GRC: Foolproof Role Assessment

SAP GRC serves as the cornerstone of access control strategy, from users and roles, through task roles, which remain risk-free due to SAP GRC alerting if something is out of line.

SAP GRC simulation capabilities ensure task roles remain conflict-free, providing peace of mind knowing roles won’t accidentally gain risky access.

SAP GRC: Sensitive Access Features

At SAP GRC, we identified two key risks related to vendor master maintenance and purchase order maintenance, both critical functions in most organisations.

Master data teams typically handle Vendor Master Maintenance, whereas Procurement teams focus on procurement orders and processing, by repurposing both functions for sensitive access risks in SAP GRC.

By employing similar functions for SOD and sensitive access risks, using SAP GRC allows us to label risks as critical actions or permission-based.

As an example, we established JTTP SA1, a high-risk sensitive access designed for maintaining purchase orders, which SAP GRC recognised as being essential in keeping compliance teams proactive and preventive.

SAP GRC: Sensitive Access Risks

SAP GRC now includes an additional sensitive access risk related to purchase orders–JTTP SA0–that we created ourselves.

When creating sensitive access risks in SAP GRC, its algorithms verify whether an action or permission deserves critical status.

An additional function could cause the system to mark it as a non-SOD risk and require special consideration during configuration.

SAP GRC remains consistent in how it categorises risks. By adding another function to a critical action risk, its characteristics could change; so, proper planning must take place when creating your SAP GRC risk framework.

SAP GRC: User Risk Analysis

Previously, we established a test user in SAP GRC’s user-level risk analysis to identify any sensitive access risks; however, none emerged initially, as critical actions and permissions were left unchecked.

SAP GRC provided me with a detailed risk summary when I enabled critical action analysis and reran my report, along with an option to trace its source by populating fields with solid numbers and permission-level attributes related to individual risks.

SAP GRC provided an in-depth view to clarify why some access risks appeared while others didn’t, especially under critical conditions.

SAP GRC: False Positive Analysis

An important theme I cover during training sessions is identifying false positives and negatives in SAP GRC.

False positives occur when SAP GRC flags risks that don’t exist – for instance, if an action cannot take place because a user lacks permission, yet SAP GRC still reports them due to object conflicts at action levels.

False negatives occur in SAP GRC when there is an actual risk present that doesn’t get reported, often due to incomplete rule definitions or overlooked permissions. Understanding this phenomenon enables us to develop robust rule sets while also avoiding false compliance alerts.

SAP GRC: Risk Reporting Defaults

I spent considerable time discussing the default report types available within SAP GRC, such as permission-level and action-level risk reporting.

By default, SAP GRC uses permission-level risk reports; I demonstrated how easily action-level reports could be switched in as needed.

SAP GRC allows me to select default risk levels–low, medium, high, or critical–from among four levels (low, medium, high).

I adjusted some system parameters to prioritise medium risks using the SAP default coding, where ‘0’ stands for medium.

Establishing the default user type for SAP GRC’s analysis plays a vital role. From dialogue users to technical ones, setting this parameter ensures SAP GRC analyses only relevant groups.

Customisation capabilities make SAP GRC extremely adaptable and suitable for numerous organisational structures.

SAP GRC: Setup Finalisation

Since identifying risk owners was still an outstanding task within SAP GRC, it helped familiarise oneself with its Access Control Owners section and prepare for what lay ahead.

Setup ensures the appropriate individuals are assigned risk for accountability and review purposes, with this section later revisited to secure access control ownership in SAP GRC; ultimately completing initial risk setup.