Skip to Content

SAP GRC AC 10.1 Enhancements


GRC consultants might be curious to read and see the new feature that came in GRC AC 10.1. So here comes a glimpse of some key enhancements and its configuration that has been incorporated in SAP GRC AC 10.1.


GRC Access Control version 10.1 look and feel is almost similar to version 10 except few additional options that SAP has included based on customer feedback. The new changes predominantly focus on HANA integration, access request, rule set creation and enhanced remediation process.


1. Disable link functionality in attachment and Links:


This option helps customer to enable or disable link functionality in access request.

In Access request, by default ‘Add file’ and ‘Add Link’ option are enabled (see below):

Unt.png

                     

We can use this disable ‘Add Link” functionality of GRC Access Request to disable the ‘Add Link’ Functionality.

Unt.png

   

Disable the link:

Unt.png

   

Link got Disabled (see below)

   

Unt.png

2. New connection HANA Database Connection Type

GRC AC 10.1 is provided with a new connection type – HDB (HANA Database).


GRC can be integrated with HANA or I would say instead Oracle, GRC AC 10.1 can use HANA as database to store master data. GRC can even do user management for HANA system similar to any other SAP systems. With HANA, GRC can be used for analytic and can provide analytical reports on roles and users.

Unt.png

   

If you are using SAP HANA database, make sure that plug-in SAP GRC 10.1 Plug-In SAP HANA is installed.


3. Maintain Firefighter ID role name per connector

GRC AC 10.1 came up with this new feature to maintain Firefighter ID role name per system/connector. Instead of maintaining the SPM role in configuration parameter we can utilize the new option to map FF ID role per connector.

Unt.png   

4. Organization rule creation wizard

Sometime client’s uses dummy controls or deactivated some risk to avoid false positive, GRC AC 10.1 brings one excellent feature to create organizational role using a wizard to avoid false positive. You can create Org rule using this wizard and can even also download and upload it in other system. No need to bother about the org fields or value which you will use to create org rule. GRC AC 10.1 will guide in all possible way.

To create organizational rule you can use below option under IMG or there is an option available in NWBC as well.

IMG – SPRO:

     

    Unt.png

Later on we can download and upload the organizational rule using Additional rule upload and download option.

NWBC:

Unt.png

   

5. Configure Attributes for Role search criteria in Access requests

This feature I would feel give more benefits to end user who raise CUP request on daily basis.

While raising CUP request, requester has to search for role based on business process, Functional area or some other role attributes. Some of the key search criteria are visible straight away there but some other requestor has to add manually.

Now with this new feature we can customize the search criteria screen and can make only the important search criteria visible in search request so that requester can fill in the details and can search the roles.


We can even set the default values for those criteria.

Role Search screen

Unt.png

IMG (SPRO) Customization      

Unt.png

Unt.png

     Search criteria got changed as per customization done in above screen.

Unt.png

6. Simplified Access Request

Simplified Access Request is one more excellent feature that will give benefits to requester who does the following frequently:


   1. Assign role to user

   2. Remove role from user

   3. Extend the validity of existing role

With this option users does not have fill all the fields which normally appear in normal access request. Simplified access request form will ask for least information to perform the activity.

See below Simplified Access Request Screen:

Unt.png

     

Review and Submit: this button is used to review the request for risk and submit it for approval

Save Draft: you can save the access request and can review and submit it later

Open in advance Mode: Open the request in normal access request screen.

Reset:  Reset the fields

Risk Analysis: Run risk analysis on the role selected for provisioning and can even suggest mitigating.

Unt.png

This is an excellent feature which gives us a detailed risk analysis report (risk/role view) and even provides an option to mitigate the risk before submitting the request.


System added roles: It will bring out the default roles or mapped role added by the system itself if any.

This screen is built on UI5 and can be customized by using below four options:

  Unt.png

We can customize the display section (User details, Request details and Customer info (not visible by default))

Field levels can also be customized.


We can also set some set of request reasons which can be seen and selected during request creation to save time and effort

There is no separate workflow configuration for simplified access request. It follows the same MSMP configuration maintained for normal access request. The request created can be seen under “Work Inbox – Simplified (see below)” in NWBC as well as in normal work inbox request. It follows the same number range. So the processing and working of simplified access request is same only request submission screen is different.

My Inbox:

To check simplified access request

Unt.png

7. Risk analysis on SU01 Attributes


Sometimes business wants to perform risk analysis on SU01 attributes of user for ex: Function, department, parameters etc. GRC AC 10 does have this functionality but we can at max do risk analysis on user group level of users only.


In GRC AC 10.1 With this new enhanced feature we can now create custom group based on SU01 attributes as shown below and can perform risk analysis on the user belongs to that attributes


That GRC AC 10.1 is integrated with some of key attributes of SU01 which we can use a selection criteria to perform risk analysis

 

Unt.png

     Unt.png

     Following are the attributes available:

Unt.png

   

Enter some attributes, search the users and perform the risk analysis.


We can save it as well so that same can be used later.


8. Remediation View


This is one the best feature and would be very much appreciated by business.

The main task or I would say pain start after implementing GRC AC is to make all users SOD free i.e. to be clean. For this we have to download user level detailed report and then analyze the root cause to see whether we can remediate or mitigate to be clean. Business is taking lots of time analyzing the report and deciding the solution.

Now GRC AC 10.1 has come up with a remediation view report where business itself can analyze all aspects of risk and also help business to take decision to be clean. This will save lots of time of business and can effectively guide business to take a decision to be SOD clean.

GRC AC 10.0 was having technical and business view of risk analysis. Now GRC AC 10.1 has come up with a new view called “Remediation View”

Unt.png

  Risk Analysis report:

  Unt.png

This remediation view report will provide us a lot of option to remediate the risk then and there only.

We can mitigate the user on risk and rule from this screen itself. See below:

Unt.png

Or else we can remove the role by selecting remove role option. See below:   Unt.png

The one of the greatest feature of GRC AC 10.1 comes into action when you choose remove role from remediation view screen

and a Change Account Access Request automatically gets created for removal of the role from user. See below:

Unt.png

   

That means we can initiate remediation (removing role) or mitigation (assigning control) for user from this screen. No need to download the report and then analyze the report to take a decision.


This view also provides all sort of detailed information on user, role and risk. To get the information click the user, risk, rule and role (all bold text). See below:

Unt.png

     

Note: GRC AC 10.1 runs smoothly on IE 9 and Chrome. New feature like Remediation view and simplified access request mandatorily need IE9 and Chrome. Remediation View will run in SAP Access Risk Analysis only when an SAP Netweaver Gateway connection is established. Please configure SAP Netweaver gateway as per the GRC AC 10.1 installation guide “ACPCRM_10-1_INSTALL”.

To report this post you need to login first.

32 Comments

You must be Logged on to comment or reply to a post.

    1. Amit Kumar Sharma Post author

      Hello Daniel,

      Once you saved your draft and close the screen, the next time when you go to create a simplified access request you can see the same draft appear again.

      It does not have option to save multiple draft. Only last one would be saved and can be used later on.

      regards,

      Amit

      (0) 
  1. Mayuresh Dhavale

    Hi Amit,

    One of the key enhancements in GRC 10.1 is the Role Search Personalization feature. My question :

    Can we add custom fields which we may create in BRM and the use those as one of the filtration criteria for searching roles?

    E.g. Standard search attributes like Company, Business Process, Sub-Process, Functional area and few others are already available for filtering the roles.

    Can we create additional custom fields like may be Plant or Zone or distribution channel and use these to search roles in the Access Request Management?

    Regards,

    Mayuresh

    (0) 
    1. Amit Kumar Sharma Post author

      Hi Sebastian,


      GRC 10.1 even work on IE8 but new feature like Simplified Access request will not work on IE8.


      Hence its good to have browser which are HTML5 and CSS3 compliant.


      Internet Explorer 9, Chrome, and Firefox are HTML5 and CSS3 compliant browser.

      As of now I have not used IE 10 or higher version but I am sure it will work fine there too because if IE9 is  HTML5 and CSS3 compliant definitely higher version will follow the same.

      Thanks.

      Amit

      (0) 
  2. Mustafa Motalib

    Hi Amit

    Thanks for sharing this.

    I wanted to know on the Access Request for Role Search. Is there an option for multiple Roles? Where is says Role/Profile Name “is” – Is there a drop down for multiple?

    If you can send a screen shot of the drop down would appreciate it.

    Thanks

    Mustafa

    (0) 
  3. Veeresh S

    Hi,

    Thanks for sharing 10.1 features. But in GRC10 can we enable this feature by implementing some notes or upgrade to some Patch/SP?

    Thanks, Veeresh

    (0) 
  4. Mary Howard

    For item 8 the ‘Remediation View’ that comes in as my ‘Report Format’ default value.  While this view might be helpful, I would like change the default value to actually be ‘Technical View’.  Can you please tell me if this can be changed and if so where in the IMG to do this.

    Thanks,

    Mary

    (0) 
    1. Amit Kumar Sharma Post author

      Mary,

      have you tried using report configuration option under GRC in SPRO?

      Please have a look over there, I am sure you will get your report name and its default configuration settings

      (0) 
  5. Tian Song

    Hi Amit,

    This is a great article, thank you!
    I have a question that may I know for GRC 10.1, which HANA version can supported ? Or it is doesn’t matter of HANA version at all.

    Thank you

    Tian

    (0) 
  6. Hery Sitraka Rabenja

    Hello Amit,

     

    Thank you for sharing this useful information.

     

    I wanted to know if it’s possible to enhance the stadanrd report « Consolidated Log Report  – Transaction Log », « Consolidated Log Report – Change Log » and « Reason Code et Activity Report » in order to add some specific fields to them?

    I have tried to do it by standard custo but it seems that it works only for PC and RM , not for AC …

    DO you have some idea?

    Thanks in advance for your help

    Hery

    (0) 
  7. Arpit Tiwari

    Hi Amit,

    Thank you for sharing this useful document on GRC 10.1 enhancement.

    There is one question regarding to the Access request creation –

    “If we want to create a GRC request for more than 100 roles – what is the way forward instead of manually adding 100 roles in request. Is there any way to upload mass roles and then search and add into the request.

    Please suggest, is this functionality available or added into new GRC 10.1 enhancement ?

     

    Thanks in advance

    Arpit Tiwari

    (0) 

Leave a Reply