In GRC 10 ARM, the access request approver can choose to run risk analysis at “Action Level”, “Permission Level”, “Critical Action”, “Critical Permission” and “Critical Role/Profile”. In 5.3, the approver did not have this choice when working from CUP.

When an approver opens an access request in AC10, “Permission Level” is always selected under the Risk Violation tab. This selection is expected, because it is configured that way (SPRO parameter 1023, Default Report Type for Risk Analysis). However, the approver also has the option to deselect “Permission Level”.

You may want to ensure that the approver always keeps “Permission Level” selected; in other words, the option should be grayed out with a permanent tick mark. This makes sure that CUP enforces the “Permission Level” check. Otherwise, an approver who deselects it can skip the risk analysis by choosing different report types. It is also possible that not every approver understands the meaning of each option. Risk analysis can therefore be skipped both accidentally and intentionally.

As you can see, Permission Level is always selected but editable. The approver can deselect it and submit the request with no violation. This way, unmitigated risks can be submitted.


We achieved this by deploying SAP Note 1796838 – UAM Risk analysis at permission level set to non editable, and then following the steps below.

1. Go to transaction SE80.

Select Package as ‘GRAC_ACCESS_REQUEST’.

Click on Web Dynpro -> Web Dynpro Application.


2. Drill down to application ‘GRAC_OIF_REQUEST_APPROVAL’. Right-click on it and click Test.


3. Now, the following screen will appear.


Go to the URL of the above screen and add the following string to it.

To get the value for the string, go to transaction SE16, enter GRACREQ as the table name, and enter any request number in the REQ_ID field.

Click the Execute button and copy the value of the REQ_ID field.

Below is the string to add to the URL:

&SAP-CONFIG-MODE=X&OBJECT_ID=ACCREQ/<REQ_ID copied in the step above>

Below is an example of the string added to the URL of the dump screen above.



Observe that the dump now disappears and an access request opens.

4. Go to the Risk Violation tab, right-click on the Type check boxes and choose ‘Settings for Current Configuration’.


5. Now, the following pop up window will appear.


In this window, you can go to each of the result type options and select the ‘read only access’ check box.


6. For example, if you select Permission Level and set Read-Only Access to ‘Yes’, Permission Level will appear as non-editable on the approval screens for all requests.


Click on ‘Save and Close’.

The Permission Level check box is now disabled.


I hope this helps if you have this kind of requirement, and prevents unmitigated risks from being submitted.


Dilip Jaiswal.

GRC – IDM Consultant.


  1. Muthu Kumaran

    Hi Dilip,

    Thanks for posting this. I tried this in my system, but it didn’t work as given in your post. Firstly, when I added the string you mentioned, it opened the page but it still gave an error (“error occurred during processing”).

    When I right-clicked, it didn’t give me the option for “Settings for Current Configuration”.

    My questions:

    – Is the string to add the same for all systems?

    – Is there a way to find the string for each Web Dynpro application?

    Thanks again.



    1. Dilip Jaiswal Post author


      I got this string from a developer who helped me with debugging. I updated the document to show how you can create the string.

      “Settings for Current Configuration” – this may be some system-specific setting. It was enabled in my system.



  2. Pranjal Garg

    Hey,

    Great source of info… I have a doubt: is there any way to display the email address of the user in the user level analysis report?

    1. Dilip Jaiswal Post author

      Hi Pranjal,

      I think email will not be available, but I see you have posted in the common forum, so if anyone comes across this, they will update you soon.

      Reg, Dilip

      1. Pranjal Garg

        Thanks Dilip,

        Ok we can wait for it..??

        I have one more question to ask..??

        Is there any way to download the files from the dashboard? In my case I have around 20000 users, of which only 8 have risks, but as the data comes in a pie chart it is tough to download. I mean I am not able to find where to click in the pie chart, as this small number of users is invisible in the pie chart.

  3. Mansoor GRC

    Hi Dilip

    Firstly, your article is an excellent step by step demonstration of Risk Analysis.

    Secondly, please do keep up this great job. I am looking forward to learning a lot from you.



  4. S A

    G’Day Dilip,

    Thank you for taking the time to post this blog. After reading the following blog:

    Customizing Access request and approval screens in GRC Access Control

    I thought I could do the same for the rest; however, as you pointed out here, the web pages used to throw a dummy fit. Well, thanks for clearing it up that I have to append something to the end of the URL link.

    I do have a couple of queries though and I would appreciate it if you could answer them.

    1) Why does it show the error in the first place and why only for some links?

    2) How do we know what needs to be added to the URL?

    • In your example, we had to add the REQ_ID, so what about the rest? Let’s say for template-based, etc.



  5. Fernando Diaz Colodrero


    I’m trying to do something similar with checkbox “offline data” but it doesn’t work. After refreshing the screen it remains grayed but unchecked.

    Has anyone tried this? Any ideas?




