I will confess that I am one of the people who have been eagerly awaiting SAP's GRC 10.0, primarily for the move back to the ABAP platform, but also for other anticipated improvements. For several months I have been working on a GRC 10 ramp-up deployment of Access Controls, and it has been a very interesting project. Since the release is not yet in general availability, there are not many specifics I can share. However, if your organization has taken a wait-and-see approach, there are still things you can be doing now to get ready for a GRC 10 Access Controls deployment. Thinking ahead and doing some of that work in advance can give you a good jump on this important effort.
Unless you are a brand new SAP shop, chances are good that you already have some kind of compliance or rule tool in use. Even if it is just a spreadsheet of conflicting and/or sensitive transaction codes, it is a place to start. Whatever compliance solution you are using today, you have something to build on, so don't stress about starting over at ground zero unless audit findings have suggested a clean-slate approach. The project I have been working on took a mixed approach: it carried over the segregation of duties (SOD) and sensitive access (SA) rules from the solution already in use for some of the SAP systems, and for the other systems it used the SAP-delivered rules along with rule recommendations from the implementation partner. If reusing a controls solution already in place is a possibility for you, be sure to ask your potential implementation partners about their experience in this area.
One of the keys to good SOD and SA rules is ensuring that they are based on the processes actually running in your SAP landscape, and that is likely to require input from your process experts. Out-of-the-box rules from SAP and recommendations from your implementation partner are not going to account for customizations and unique situations such as cross-system processes. The good news is that GRC 10.0 can accommodate such processes, but the rules must be designed accurately, and that design depends on people who know the process. Are the process experts easily identified in your organization? If not, identifying the people who understand the processes and the roles that support them is a good place to do some advance work.
If you have been keeping up with your SU24 maintenance, including your custom transactions, congratulations: you are in a better position for building accurate rules at the permission (authorization value) level, because those rules are built on the authorization objects and field values that SU24 proposes for each transaction. On the other hand, if you have been doing manual inserts in your security roles and not keeping up with SU24, you are going to have some extra work ahead of you: the roles will carry authorization values that the SU24 defaults do not reflect, so permission-level rules derived from those defaults will not match what users can actually do. Advance work you can get done on SU24 clean-up, particularly for the transactions in your SOD and sensitive access rules, will pay off later, both for your GRC build and for future role maintenance.
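As an added illustration of the readiness check described above (this is example code written for this post, not something from the author's project or from SAP), the script below takes the list of transactions that appear in your SOD and SA rules and looks them up in exported SU24 data to find the ones a permission-level rule could not yet be built on. It assumes the SU24 default data has been exported to CSV from the two tables SU24 maintains, USOBT_C (proposed authorization field values) and USOBX_C (check indicators per transaction and object); the column names, the check-indicator meanings (X = check/maintain, Y = check, N = do not check, U = unmaintained) and all sample rows are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports, not real system data. The column layout is
# assumed to follow the SAP tables that SU24 maintains: USOBT_C holds the
# proposed authorization field values per transaction, USOBX_C holds the
# check indicator per transaction/object (X = check/maintain, Y = check,
# N = do not check, U = unmaintained).
USOBT_C_CSV = """NAME,TYPE,OBJECT,FIELD,LOW,HIGH
ME21N,TR,M_BEST_BSA,ACTVT,01,
ME21N,TR,M_BEST_BSA,BSART,NB,
ME21N,TR,M_BEST_EKO,ACTVT,01,
ZPO_APPROVE,TR,M_BEST_BSA,ACTVT,,
"""

USOBX_C_CSV = """NAME,TYPE,OBJECT,OKFLAG
ME21N,TR,M_BEST_BSA,X
ME21N,TR,M_BEST_EKO,X
ZPO_APPROVE,TR,M_BEST_BSA,X
ZPO_APPROVE,TR,M_BEST_EKG,U
ZVENDOR_PAY,TR,F_BKPF_BUK,U
"""

# Constructed list of transactions that appear in the SOD / sensitive
# access rules being prepared for GRC. MIGO is deliberately absent from
# both exports to show a transaction with no SU24 data at all.
RULE_TCODES = ["ME21N", "MIGO", "ZPO_APPROVE", "ZVENDOR_PAY"]


def is_custom(tcode):
    """Customer-namespace transactions start with Z or Y."""
    return tcode.upper().startswith(("Z", "Y"))


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def su24_gaps(rule_tcodes, usobt_csv=USOBT_C_CSV, usobx_csv=USOBX_C_CSV):
    """Return {tcode: [finding, ...]} for rule transactions whose SU24 data
    would not support a permission-level rule. Clean transactions are omitted."""
    indicators = defaultdict(dict)                    # tcode -> {object: OKFLAG}
    values = defaultdict(lambda: defaultdict(list))   # tcode -> object -> [LOW]
    for row in load_rows(usobx_csv):
        if row["TYPE"] == "TR":
            indicators[row["NAME"]][row["OBJECT"]] = row["OKFLAG"].strip()
    for row in load_rows(usobt_csv):
        if row["TYPE"] == "TR":
            values[row["NAME"]][row["OBJECT"]].append(row["LOW"].strip())

    findings = {}
    for tcode in rule_tcodes:
        issues = []
        objs = indicators.get(tcode, {})
        if not objs:
            issues.append("no SU24 entries at all")
        else:
            for obj, flag in sorted(objs.items()):
                if flag == "U":
                    issues.append(f"{obj}: check indicator unmaintained")
                elif flag == "X":
                    # Check/maintain objects should carry proposed field values;
                    # an empty proposal gives the rule builder nothing to use.
                    if not [v for v in values[tcode].get(obj, []) if v]:
                        issues.append(f"{obj}: check/maintain but no field values proposed")
            if all(f in ("N", "U") for f in objs.values()):
                issues.append("no object is set to check")
        if issues:
            findings[tcode] = issues
    return findings


def report(rule_tcodes):
    """Human-readable lines, custom transactions marked so they can be prioritised."""
    lines = []
    for tcode, issues in sorted(su24_gaps(rule_tcodes).items()):
        tag = "custom" if is_custom(tcode) else "standard"
        for issue in issues:
            lines.append(f"{tcode} ({tag}): {issue}")
    return lines


if __name__ == "__main__":
    for line in report(RULE_TCODES):
        print(line)
```

Run against real exports, the transactions it flags are the SU24 clean-up backlog worth working through before the GRC project starts; the custom (Z/Y) ones are usually where the manual inserts in roles have accumulated, so they are a sensible place to begin.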
With some advance planning, you can be ready for your deployment of, or upgrade to, GRC 10. Start thinking now about where you are today and what you need to do to be in a better position for a smooth GRC project.