Skip to Content

SAP Access Control – Useful Documents, Blogs, Resources, etc.

This document is a collection of the most useful SAP GRC Access Control documents, blogs, resources, links, etc. here in SCN.



Getting Started with SAP Governance, Risk and Compliance Solutions (GRC)

GRC Processes, Lifecycles and Responsibilities

GRC Systems Compatibility

/wp-content/uploads/2014/08/wiki_523916.png FAQ related to GRC Access Control 10.x Installation, Upgrade and Compatibility – Governance, Risk and Compliance – SCN W…

/wp-content/uploads/2014/08/wiki_523916.png Customer Influence – SAP Access Control 2015



General opinion and thought-leadership

Are you ready to implement GRC 10?

A lot of help from my friends

If I had it to do all over: looking back on GRC 10 projects

Lessons learned from SAP GRC projects

Remediating Access Control SoD Risks

Internal Controls – a step towards strong controls

Defining Mitigating Controls / Compensating Controls

IT Control Testing – SOX Compliance

A #GRC tool is just part of the solution

It’s Just a Few GRC Ideas….Place



GRC General

Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant

NWBC screen layout options for GRC

Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC

Configure LaunchPad for Menus

Customizing Access request and approval screens in GRC Access Control

Issues, Bugs in GRC SP13 – Related Fixes

/wp-content/uploads/2014/08/wiki_523916.png General tips to help in troubleshooting scenarios

/wp-content/uploads/2014/08/wiki_523916.png Access Control Debugging tips

SAP GRC AC 10.1 – Enhancements

How to delete roles, mitigation controls, users, and other informations from one connector



Product Support

GRC Product Support Monthly Newsletter

/wp-content/uploads/2014/08/wiki_523916.pngGRC Weekly News – Governance, Risk and Compliance – SCN Wiki

/wp-content/uploads/2014/08/wiki_523916.pngTop Ten – 2015 – Governance, Risk and Compliance – SCN Wiki


HR Triggers

/wp-content/uploads/2014/08/wiki_523916.png Understanding HR Triggers in Access Control 10.0 – Governance, Risk and Compliance – SCN Wiki

/wp-content/uploads/2014/08/wiki_523916.png GRC 10.0 – HR Trigger configuration – Governance, Risk and Compliance – SCN Wiki

Example of decision table for GRC 10 HR Trigger rule, using BRF+ tool

GRC Access Control – Compliant User Provisioning: HR Triggers

/wp-content/uploads/2014/08/wiki_523916.png Debugging HR Trigger – GRAC_HR_TRIGGER_EVENT_RECIEVER

/wp-content/uploads/2014/08/wiki_523916.png Debugging HR Trigger – Simulation

/wp-content/uploads/2014/08/wiki_523916.png Debugging HR Trigger – PA40 changes to infotypes



MSMP Workflows

AC 10.0 – Customizing Workflows for Access Management

MSMP – Multi Step Multi Process – GRC’s answer to Workflow Configuration Flexibility

Escalation only on workdays in the MSMP workflow



BRF+ Configuration

Determining the Logic behind Decision Tables




Configuring LDAP Connector in Compliant User Provisioning of GRC Access Control

LDAP Group parameter mapping.. what does it mean?

Connecting SAP GRC AC 10.X to Microsoft Active Directory

GRC 10.x and LDAP management

GRC 10.x and LDAP management 2.



Mobile Apps in SAP GRC

Administrator guides for Access Approver, Policy Survey, etc.

Fiori apps in GRC – Install two applications in 5 easy steps



Access Control with Identity Management (IdM)

SAP BusinessObjects GRC 10.0 Integration Guide – Access Control 10.0 and NetWeaver Identity Management

SAP Access Control 10.0 Interface for Identity Management




How to Assign SAP Business Planning and Consolidation Authorizations via the SAP Governance, Risk, and Compliance (GRC) Access Control Compliance User Provisioning Product



Access Risk Analysis (ARA)

ARA – For the new kid on the block

Rule set – Rules & Rule Types

Business Risks / Rule Set

Download, Modify and Upload the Access Risk Analysis Rule Set in SAP Access Control 10.x.

How to set up a Configurable Business Rule

Online vs. Offline Risk Analysis

Creation of Mitigation Controls in GRC 10.0

Organizational Rules in GRC Access Control

Mass change of Mitigation Assignments

SAP GRC AC 10.0 Alerting

/wp-content/uploads/2014/08/wiki_523916.png The Action Usage Sync job in technical details – GRC Access Control 10.0

/wp-content/uploads/2014/08/wiki_523916.png The Repository – GRC Access Control 10.0 



Access Request Management (ARM)

ARM – For the new kid on the block

AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls

Approve/Reject Own Requests

How to Change Subject Line in SAP GRC Email notification

Recommendations for using Business roles provisioning in access request

Configure Manager Look-Up in ARM for GRC 10

Role Search Screen Enhancement – GRC 10

Terminate Account – Request Process – GRC 10

Creating Access Request: Template Based Requests and Configuring End User Personalization forms for use with Access Requ…

GRC Request with both System and Role Line Items

Access Control 10 (ARM) – Risk Analysis Report Type is editable in Access Request.

Access Control: – Create Access Request Using Web Service in GRC10

Design Considerations to reduce Password Self Service (PSS) Intruder Risk

/wp-content/uploads/2014/08/wiki_523916.png User Access Review(UAR) Workflow Configuration and Description – Governance, Risk and Compliance – SCN Wiki

Direct vs. Indirect Role Assignment

EUP – Common Issues and Solutions, Important tables and takeaways

PSS – Common Issues and Solutions, Important Take Aways

SNC Name in Access Request



Business Role Management (BRM)

BRM – For the new kid on the block

Maintain Default Roles in BRM GRC AC 10.1

Role Import – GRC 10

Import Role from ECC to GRC system

/wp-content/uploads/2014/08/wiki_523916.png Business Roles concept and usability in GRC AC10

Enabling Business Role updates to existing assigned users

BRM Default Approvers via Condition Groups

BRM Role Methodology via Condition Groups



Emergency Access Management (EAM)

EAM – For the new kid on the block

Usage of EAM

EAM – Provisioning Strategies

EAM Utilisation and Log Review Process 

ID-Based Firefighting vs. Role-Based Firefighting

AC 10.0 – Centralized Emergency Access

Configure Emergency Access (EAM) in GRC 10

De-centralized EAM GRC 10.0

EAM – Approve through Wrokflow

Emergency Access Management Reporting

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)

EAM: Requesting emergency access via access request workflow in SAP GRC – step by step.



See also

SAP Process Control – Useful Documents, Blogs, Resources, etc.

SAP Risk Management – Useful Documents, Blogs, Resources, etc.

SAP Fraud Management – Useful Documents, Blogs, Resources, etc.





/wp-content/uploads/2014/08/document_523869.png SAP SCN Documents
/wp-content/uploads/2014/08/blog_523870.png SAP SCN Blogs
/wp-content/uploads/2014/08/wiki_523916.png SAP Wiki
Newly added document (Contributors: please select from Emoticons )



Please help in updating the collection so that new users can get a well structured overview for their information.


Best regards,


You must be Logged on to comment or reply to a post.
  • Hey Alessandro,

    Nice.. would you please add HR trigger as well.

    and There might be some other like integration to JAVA system for provisioning.

    Like Portal, BPC, LSO .Pleas einclude or else lets create.

    I have integrated to BPC,LSO,SPM(spend performance Mangement) and EP.

    And Integration with LDAP and how you map different field.

    Can we have Derived role in BRM.

    And i real time scenario how we connect so system when we have BRM in place . 


    Prasant K Paichha

  • G'Day Alessandro,

    I just stumbled upon your documents and seriously you are a legend mate!!

    The sheer wealth of information you've got here is just unbelievable. I would like to sincerely thank you for taking the time to gather all this information and putting out here for the benefit of people like myself.

    I so wish there are more people like you out there who would share their knowledge rather than keeping it to them self. As Colleen pointed out in one of your blogs, the way you explain, esp using real life examples helps you stand out from others and makes it so much more easier for us to understand.

    Once again I truly appreciate what you are doing mate and Thank you.



    • Dear Leo,

      wow.. many thanks for your great feedback. I am definitely not a legend I just believe that "sharing is caring" and what you give you will get back one day.

      Appreciate that you like my posts and hope you will enjoy reading my stuff also in the future 🙂

      Best regards,


        • hehe... now i learnt how to pay compliment in Australian way..Never been to that part may be coming vacation . i always dream to spend vacation at New Zealand.. may be this december Australia and New Zealand.

          I really liked the thought of AB( Alessandro Banzer) when i first worked on GRC 10.. i was not sure what i was going to do.. in fact first saw screen  at Switzerland at my client side. then posted few question and realized its not stable.. and SCN & Sap Support team helped me lot.. now learning new thing from reading peoples query.

          you may have done many implementation but every implementation may be different when it comes to client's requirement.

          till today everyday is learning and SCN has everything in fact faster then SAP Support.

          AB: lets add more ..


          Portal integration.

          Colleen: Do you have BRM stuff?



        • Spot on Colleen! Its fair Dinkum Ozzie slang alright!

          Just finished reading your 'NWBC screen layout options for GRC' and I totally agree with you in regards to the layout. I like the 5.3 layout way better as everything is structured (All 4 modules are separate) and in a particular order, just the way I like things.

          However 10.x is all over the place. Having said that there are a few good things about the new layout too, so I was pondering how to get the best of both the worlds and thanks to your article and a couple of others I might just know how to go about it.



      • Liking your 'posts' is an understatement Alessandro and yes I am enjoying reading your posts. In fact I've got the next week or so sorted thanks to all the documents you've got here.



  • Hi Alessandro,

    this is a great collection!

    Can I ask for some additions: I was researching access configuration to mobile apps last week, and this was really hard to find (it's in a post somewhere). Maybe you can add links to those as well as the official product dosumentation, which seems to have moved around as well.



  • Great job Alessandro!!

    Next step is creating a document for Process Control. 🙂 We have also a wiki page in GRC space just with debugging tips for technical people. It would be interesting to add it.

    Again, great work.


    • Fernando... you could add that to our project 😉

      As well as Risk Management and Fraud Management 🙂

      I forgot you had the debugging tips - that is definitely worth advertising!

  • Hello Alessandro,

    I've got no idea why my previous message here went kaput but thought I'll try again.

    Considering how often this document is getting updated and given its importance, I was wondering if it would help to put a time stamp and the change, at the end of the document every time something is changed/added.

    Most of the time it is glaringly obvious what has changed however there are times we have to go through the entire document a couple of times to figure out what was changed/added.

    The version comparison isn't working either because of the sheer size of the document. Thought I'll put it out there.



    • Hi Leo,

      thanks for your feedback. It's a pity that version comparison is not working as the document isn't large either.

      I will come back to your query.



        • Hi Mustafa

          I have just added the blog: SAP GRC AC 10.1 - Enhancements

          This one was written by Amit and goes through the differences between 10.0 and 10.1. Most of the other documents here are GRC 10.0 but for most parts capture 10.X.

          The list is a living document. If you discover new documents then please let us know. I think everyone has edit rights to this document. If not, add it to the comments and we can incorporate it.



          • Hi Prasant

            I was under the impression that there were quite a few differences to 10.1 (such as simplified user access forms).

            BRF+ differences would be due to the change in Basis Stack (731 to 740) since BRF+ is not specific to GRC



      • Awesome Ale. It will definitely help scanning the document. Also looking forward to your document on Direct/Indirect role assignment. We've had quite a few problems with indirect roles being pulled into Model User, so I'll send you the notes that fixed the issue. Maybe you can add it in your document so it could help others!!

        P.S: Just noticed you already added that document, so let me go through it and get back to you.



  • Hi Alessandro,

    Thanks you so much for accumulating all GRC documents in a single place.

    It's really saving time in looking for GRC documnet in SCN and keep me more focus going through it.

    I'm also going through your firefighter blog which is awesome.I have actually became fan of yours in SCN.



    Girish Almiya

  • Dear all,

    I have added a symbol ➕ to newly added documents (the symbol is selected from the smileys). For everyone contributing please attach the "plus" symbol to the new link so that it can easily be identified.

    Thanks for your contribution.

    Best regards,


  • Dear Alessandro,

    It is always fresh look and inspiring more to learn with your collection and thoughts in your Blog

    really it is an wonderful idea.



  • Dear Alessandro,

    Can you also add here Howto guide "How to Assign SAP Business Planning & Consolidation Authorizations via the SAP GRC Access Control Compliance User Provisioning Product"? This is regarding BPC and GRC integration.



    • HI Pradeep

      Before its' added to the list could you consider putting a bit of an introduction to the article and explain some of the steps. Right now this seems more of a Wiki step by step configuraiton guide.

      For example, in Step 11 are you able to explain where you got the field mappings from in case someone needs to map it differently or trying to solve an issue similar to what you are doing (just a guess there). This would add a lot more substance to your content



  • Thank you very much Allesandro for all the documents,

    Its really helpful and informative and as always SDN site is awesome with the experts like you, Colleen, Prashant , Madhu ... in providing the expert guidance to resolve.

    I have resolved most of the issues just by browsing SDN site .



  • Thank you for the list of articles. This is a really helpful guide, and has enabled me to quickly find much needed information. I hope you can continue to add to this already expansive list. 



  • Dear All,

    Is there recommended sizing in terms of memory, disk storage and CPU for GRC Access Control 10.1 based on an actual running system?

    We're planning to integrate 10 ABAP systems plus 1 portal system.

    We have performed initial sizing analysis based on the GRC sizing guideline from SAP.

    Any inputs from your actual experience is most welcome.

    Thanks a lot,


    • Jen,

      thanks for reaching out. What was the outcome from the sizing? Why you don't trust it? The memory, disk and CPU is calculated in regard to the numbers of users, roles, etc. and what you are going to use. Having 10 ABAP sytstems connected doesn't increase the sizing much if you just use provisioning. If you analyze roles and users on all systems connected this will require additional resources. I recommend to check what you are going to use (ARA; EAM; BRM; ARM) and for how many users/roles per connected system.



      • Thanks Alessandro for the feedback. It's not that we don't trust. 🙂

        We just wanted to validated with those who have actual experience with implementing and running a GRC AC 10.1 system if the guideline is really sufficient and if there's no surprise in the long run in terms of storage and performance.

        Thank you.

        Best Regards,


  • Hi Experts.


    Can any body tell what is procedure/ Steps should we follow to Decommission SAP GRC Access Control 10.0 System.


    Any info is greatly appreciated.