Skip to Content
Author's profile photo Gary Prewett

Detecting cross system SAP ERP and BPC Risk: Mapping BPC Task Profiles to GRC Access Control Rule set functions

Introduction to SAP BPC and SoD Risk

SAP Business Planning and Consolidation is gaining traction as the reporting system of record for many SAP customers. For some customers, BPC-generated reports are used as inputs to 10-Qs and 10-K filings. From a materiality standpoint, a BPC customer in this scenario has one major separation of duty problem: SAP BPC allows the creation of topside journal entries.

Topside journal entries are a standard way to adjust revenue and expense items across company codes or discrete business units, but are definitely considered “riskier” than standard GL transactions. Topside journal entries were at the heart of WorldCom’s financial irregularities (more background in the Wikipedia article on MCI WorldCom here: – the ”unallocated revenue accounts” entries mentioned were entered as topside journal entries). Strictly speaking, in the standard SAP rule set delivered with GRC, topside journal entries would map to the business function “GL01 – Post Journal Entries”.

Detecting Cross System Risk between SAP ERP and SAP BPC

SAP customers with the following deployed:

  1. 1) SAP ECC
  2. 2) SAP BPC 10.x on NetWeaver
  3. 3) GRC Access Controls

…can leverage their GRC Access Control investment to systematically detect, identify, and manage cross-system ECC and BPC SoD risk associated with creating topside journal entries in BPC with the standard GRC Netweaver plugin..

At the heart of BPC access is the concept of task profiles. Task profiles correspond to access levels within the BPC application – and, fortunately for SAP GRC customers running BPC on NetWeaver, map to tasks within the authorization object UJ_BPCTASK (“Task”) – field UJ_TASK (“BPC: Task ID”).

The relationship to task profiles within the BPC application and UJ_BPCTASK for BPC on NetWeaver are complex, but task profile and data access profile assignments to users and teams within the BPC application result in the automatic generation of SAP roles within the ABAP stack and the automatic assignment of those roles to the appropriate user masters within the ABAP stack. These roles follow the naming convention ZBCP__xxxxxxxxxxx, where xxxxxxxxxxxxxxxx contains a randomized numeric value to uniquely map the ABAP role to the BPC task and/or data profile.

The fact that BPC tasks profile assignments immediately generate ABAP stack roles, and make appropriate user assignments within the user masters in the ABAP stack, makes user-based detection of cross system risk for ERP and BPC users feasible with the standard GRC NetWeaver plugin. The basic approach to identifying cross-system risk between SAP leveraging GRC Access Controls is:

  1. Map task profiles to GRC Access Control functions
  2. Modify the GRC functions
  3. Create custom cross-system risks corresponding to the in-scope functions identified
  4. Generate rules, run a GRAC_AUTH_SYNC, run your scheduled GRAC_REP_OBJ_SYNC, and test

Mapping Task Profiles to GRC Access Control Functions

The following table (Table 1) outlines the complete listing of BPC task profiles available (current as of SAP_BW  731 SP 8, BPC 10.1):

Task ID Description
P0001 Edit Documents
P0004 Manage Journals
P0006 Manage Models
P0007 Manage Environments
P0008 Manage Business Rules
P0009 Edit Journals
P0011 Manage Security
P0012 Manage Dimensions
P0017 Use BPFs
P0020 Edit Reports
P0021 Manage Data Locks and Work Status
P0022 Manage Audit
P0023 Edit Book and Distribution templates
P0024 Administer Documents
P0025 Use Offline Distribution
P0027 Manage Templates
P0028 Manage Environment Status
P0029 Post Journals
P0032 Publish Books and Delete Published Books
P0033 Run Documents from EPM add-in
P0034 Use Offline Collection
P0035 View Journals
P0037 Use Work Status
P0038 Use Input Forms and Save Data
P0042 Unpost Journals
P0043 Manage BPFs
P0055 Edit content of Public Folder
P0057 Administer Comments
P0058 Edit Comments
P0060 Run Audit Reports
P0061 Run Comment Reports
P0062 Run Work Status Reports
P0063 Run BPF Reports
P0064 Run Security Reports
P0068 Manage Drill Throughs
P0070 Run Drill Throughs
P0073 Use System When Offline
P0079 View Consolidation Monitor
P0081 Run Consolidation Tasks
P0082 View Ownership Manager
P0083 Edit Ownership Manager
P0084 Run Ownership Calculations
P0085 View Controls definition
P0086 Edit Controls definition
P0087 Run Controls
P0088 View Controls
P0089 Dismiss Blocking Controls
P0091 Run Admin Packages
P0092 Edit Packages
P0093 Edit Transformation Files
P0094 Edit Conversion Files
P0095 Edit Delta Initialization
P0096 Cancel Any User Packages
P0097 Edit Package Schedules for any users
P0098 Run Packages
P0100 Edit Package Links
P0101 Upload Data
P0102 Download Data
P0104 Edit Workspaces
P0105 Lock/Unlock Journal
P0106 Reset Control Dismissal
P0109 Manage Document Types
P0112 Edit Dashboards
P0114 Reopen Journals
P0115 Access BPC from FIM and SSM
P0117 View Models
P0118 View Environments
P0119 View Business Rules
P0120 View Dimensions
P0121 View Data Locks and Work Status

Table 1: UJ_TASK task profiles assignable within BPC 10.1 on NetWeaver

So, which tasks in the table above map to which GRC business functions?  The answer, of course, is: it depends! A classic example would be the task profiles (P0101 and P0102 – Upload and Download Data). In some environments the ability to upload data might be considered and administrative function; it others it might map to Post GLs – in still other environments, it could conceivably map to both business functions.

That said, there are some no-brainers that can be prioritized for SoD risk detection. Here are the task profiles that invariably map to the “Post GL Document” function (function GL01 in the standard rule set):

P0009    Edit Journals

P0029    Post Journals

P0042    Unpost Journals

P0105    Lock/Unlock Journal

P0114    Reopen Journals

P0012 (Manage Dimensions) maps to “Maintain Hierarchies” (EC01 in the standard GRC rule set).

Table 1 is the foundation needed to start gathering the business requirements needed to successfully modify the GRC rule set to detect cross system ERP/BPC risk. For those customers who’ve implemented BPC on NetWeaver or are planning to implement SAP BPC on NetWeaver, this ability to configure their GRC environment to detect cross-system ERP and BPC SoD risk without plugin development is a definite win, and mapping these task profiles to business functions is the key step in gathering business requirements when proceeding first step down that path.

Assigned Tags

      Be the first to leave a comment
      You must be Logged on to comment or reply to a post.