Skip to Content
Author's profile photo Former Member

Download, Modify and Upload the Access Risk Analysis Rule Set in SAP Access Control 10.x.

A common problem for SAP Access Control customers migrating to Access Controls 10.1 is that they want to take advantage of rule set changes made since their last rule set update, but they don’t want to lose the customizations they’ve made to their existing rule set. The business may also require a copy of the rule set for review by an external auditing firm or for backup purposes.

These tasks can be accomplished via two (2) Access Control transactions: GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.

This blog will define the contents of the GRC rule set and will demonstrate how to download/upload the Access Risk Analysis Rule Set. Once downloaded, the rule set can be modified using Excel and functions such as CONCATENATE, COUNTIF, and VLOOKUP to add rule sets>risks>functions to a new namespace, such as “Z_”.

SAP delivers a canned SoD rule set to run Risk Analysis reports against users, roles, profiles and HR objects. Companies are encouraged to modify the base rule set to meet their unique needs. Rule Set customization is accomplished via three (3) means:

  1. Direct modification of functions and risks in NWBC via WorkCentre: Setup>Function/Access Risks/Rule Sets
  2. Mass modification of functions in NWBC via WorkCentre: Setup>Function>Mass maintenance.
  3. Mass modification of functions and risks via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES.

The rule set is created during configuration, via BCSET activation using t_code SCPR20. This table lists the canned rules in SAP Access Control 10.x.


BC Set description


Rule Set for Common rules


BC Set for AC Rules for JDE


BC Set for AC Rules for ORACLE


BC Set for AC Rules for PeopleSoft


BC Set for AC Rules – SAP APO


BC Set for AC Rules – SAP BASIS


BC Set for AC Rules for SAP CRM


BC Set for AC Rules for SAP ECCS


BC Set for AC Rules for SAP HR


BC Set for AC Rules for SAP R3 less HR Basis


BC Set for AC Rules for SAP R3


BC Set for AC Rules for SAP SRM

The only mandatory BC set for activation is GRAC_RA_RULESET_COMMON. GRAC_RA_RULESET_SAP_R3 contains both HR and BASIS rule sets (SAP note 1033326)

All BC sets listed above, once activated will be automatically combined into the “Global” rule set

BC Set Example.jpg

SAP provides download and upload functionality via two (2) transactions:




The rule set is exported and imported via nine (9) individual files. The files can be named anything; however naming the files after its contents is useful for organizational purposes.

The following section lists a brief description, the format of the file exports and the NWBC screens associated with the file.


Business Process:

Business Process defines the business process, language, and business process description.


NWBC Business Process correlation:



Function defines the function, language, function description and single or cross system reference.


NWBC Function correlation:


Function Business Process:

Function to Business Process associates functions to business processes.


NWBC Function to Business Process correlation:


Function Actions:

Function to Actions associate’s functions to t_codes and if the function is active or inactive.


NWBC Function to Actions correlation:


Function Permissions:

Function to Permissions associates functions to t_codes, the perspective authorization objects, field values, operators and active or in-active status.


NWBC Function to Permissions correlation:


Rule Set:

Rule Set defines the rule set, language and rule set description.


NWBC Rule Set correlation:



Risk associates risks to functions, business processes, defines the priority of the risk, what type of risk, and active vs non-active status.


NWBC Risk correlation:


Risk Description:

Risk Description defines the risk, language and risk description.


NWBC Risk Description correlation:


Risk Rule Set Relationship:

Risk Rule Set Relationship associates risks to a rule set.


NWBC Risk Rule Set Relationship correlation:


Demo of how to download a rule set in SAP Access Control 10.1:


Downloading the Access Control Rule Set via GRAC_DOWNLOAD_RULES. Choose format and accept pop-ups.

Demo of how to upload a rule set in SAP Access Control 10.1:


Uploading the Access Control Rule Set via GRAC_UPLOAD_RULES. Choose format and accept pop-ups.

Merging Rule Sets:

I struggled with writing this section, because the details of the GRC rule set are proprietary SAP information. I would have loved to have done a demo here but any concrete examples shown merging rule sets could be  viewed as divulging this proprietary information.

That said, the Excel COUNTIF,CONCATENATE, and VLOOKUP functions are key to helping you identify records not contained in one of the rule sets you’re working on merging. Here are some key takeaways for those of you engaged in rule set merging:

Key takeaways for mass modification of rule set:

    1. When downloading the rule set, please note that function to actions and function to permissions are dependent on the logical group selected. Example:
      1. If you select the APO logical group. Only APO FUNCTION_ACTIONS and APO FUNCTION_PERMISSIONS are contained in the FUNCTION_ACTIONS and FUNCTION_PERMISSIONS downloaded file.
    2. When downloading the rule set, please note that selecting a connector i.e. (ECDCLNT100) FUNCTION_ACTIONS and FUNCTION_PERMISSIONS will have no data.
    3. Active and Non-Active status in RISK, FUNCTION_PERMISSIONS, and FUNCTION_ACTIONS key:






The primary method of updating the Access Control rule set is through NWBC and the Setup WorkCentre. Updating the Access Risk Analysis rule set via GRAC_DOWNLOAD_RULES and GRAC_UPLOAD_RULES is still viable and should be considered during migrations, mass maintenance or to meet business requirements.

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Madhu Babu #MJ
      Madhu Babu #MJ

      Hi Jonathan,

      Nice document with good explanation.



      Author's profile photo Former Member
      Former Member

      Thank you Jonathan, very informative and helpful for the beginners  learning grc 10.



      Author's profile photo Former Member
      Former Member

      hi Jonathan really helpful information and for sure its going to help us. thanks for putting it together.



      Author's profile photo Former Member
      Former Member

      Hi Jonathan,

      Good article. I would love to hear about the merging rule sets.

      Can you drop me a message?

      Author's profile photo Former Member
      Former Member

      Hi Jonathan.  Nice document - just one observation.  When downloading the ruleset, it is best to download it in .txt format. When opening in Excel, ensure you define the value fields (especially in the Function Permission file) as text fields otherwise you loose the leading zeros on fields like activity.  This leads to the Risk analysis giving false positives when you run risk reports. 

      Author's profile photo Former Member
      Former Member

      well documented and helpful information.

      Author's profile photo Rafi Ahmed Syed
      Rafi Ahmed Syed

      Hi Jonathan ,

      This article is very helpfull ,

      However i have a question ?

      When i download SOD rules in XLS or TXT file

      Function permissions and Function actions files are empty

      any idea why ?

      reason no changes are in effect when i upload it

      Author's profile photo Siva Charan Reddy
      Siva Charan Reddy

      Hi Syed,

      Please select System filed as Connector Group/Logical Group(SAP_R3, SAP_APO, SAP_CRM etc.) when downloading Ruleset then only you can get Functon to Actions and Function to Permissions data.




      Author's profile photo Former Member
      Former Member

      Hi Syed,

      While downloading the rules you need to select the system as SAP_NHR_LG and SAP_BAS_LG, so you will get the required information for Function to Permissions and Functions to actions in the file.



      Author's profile photo Former Member
      Former Member

      I do not see these systems in my list. Is there somewhere I am able to add these?

      Author's profile photo Former Member
      Former Member

      Hi, Is there a table for change log if we use the Upload process ?

      Author's profile photo Shankar Chinnapappain
      Shankar Chinnapappain

      Hi All,

      I have few queries about creating Custom Rule Set (should be copied from SAP Standard GLOBAL ruleset). It is fresh implementation and activated Global ruleset. I have downloaded Global rule set 9 files with selecting logical system SAP_R3_LG.

      1. Is this logical system correct to download Standard GLOBAL ruleset?
      2. Now I believe need to change all standard names (function id / risk id / ruleset) with custom names 'prefix with Z'
      3. Then upload updated 9 files with selecting System name as ECC logical system.

      Please correct me if I am wrong.



      Author's profile photo Radhakrishnan R
      Radhakrishnan R

      Dear All,

      As per my experience many situation leading zeros lost due to some file format when we copy paste to excel files in function permission table.

      Rather using excel i would suggest to use MS Access DB and you can import from .txt file to table where all values will be imported exact same way without any issue.

      After you reconcile the file then you can export to .txt file will work superb.