SAP’s Governance Risk and Compliance (GRC) solution has so much to offer and is so feature rich that I can understand why some SAP customers might be overwhelmed, and I can relate to that. Last year, when I worked on my first SAP GRC project, the solution had so much functionality that it was a lot to take in. However, after several more GRC projects, one of my big lessons learned is that SAP GRC has something for everyone, and you don’t have to deploy the whole enchilada, as we say here in Texas, all at once if you don’t need it.
One of the project teams I was on last year worked with a customer who was migrating from another GRC solution for some of its SAP systems, but other systems in scope were not yet on an SOD tool, so we worked with them to develop custom rule sets, used SAP-delivered rules, leveraged our internally developed knowledge base of SOD rules, and various combinations of those options. If you already have SOD rules, great, you can utilize them for designing rules in SAP GRC; if you don’t have any SOD rules yet, it’s OK, too. Use the delivered rules as a basis for your ruleset, or build them up from scratch. Have it your way, as an American burger chain used to say.
Another GRC project team that I was on last year worked on integrating Superuser Privilege Management (SPM) with Compliant User Provisioning (CUP). Yes, it was a GRC 5.3 project. The client had not yet deployed those components, so for them, it made sense to go ahead and leverage the GRC version they already had, and implement the components they needed at the time.
On my current GRC 10.0 project, the client originally thought they would use Business Role Management (BRM) just as a repository of roles for the Access Request module. However, after a demo of the workflow capabilities, they decided to add the workflow functionality for approving changes to the Business Roles to the scope of the project. That component also includes functionality to do the maintenance of the SAP technical roles, basically replacing the Profile Generator (PFCG) tool, but they decided to forgo that functionality, and that’s OK, too. Just because you choose to deploy one of the component modules of GRC does not mean that you must utilize all the functionality. If just some of the functionality is the perfect fit for you, that is OK.
The lesson learned that I hope you take away is that SAP GRC has much to offer, but don’t let that discourage you if you are a smaller SAP installation or don’t need all of the functionality. It’s like the saying, how do you eat an elephant? One bite at a time. You can deploy SAP GRC in the components and functionality that make sense for you.