Risk terminator is a ‘hidden’ feature of SAP GRC Access Control that can be used to analyze roles and users assignments on access risks in the backend system. Depending on the GRC configuration risk terminator can work both detective (report on access violations) or preventive (the system will prevent violations from being introduced in roles).
Whenever a change is made to an existing SAP role or a new role is created the content of the role is first checked by the access rules established in the GRC rule set (that resides in the GRC environment). By using risk terminator the role administrator can immediately remediate access violations in development and play an important role in making sure that the system will stay clean (by avoiding violations being introduced in production).
Risk terminator can also be used when assigning roles to users as well, which can be a powerful feature in production.
Now let’s take a closer look at risk terminator
The role ztestriskterminator is created in PFCG (profile generator) by the role administrator.
The role administrator adds the Purchase order maintenance transaction codes ME21N and ME22N and ME29N PO approval transaction code to the role.
The authorization objects ‘Document type in purchase order’ and the release code and group in the role, that are required to create/change a purchase order and release a purchase order, are not restricted.
When generating the profile of the role the GRC rule set is called and the role is analyzed for possible access violations.
One access risk is detected as is shown above. The assignment of the conflicting activities maintain the purchase order and release purchase order is called a SoD-conflict (segregation of duty conflict). With the detailed information the role administrator can take proper action and remediate the violation if he or she think it is necessary.
Other views such as management view are available as well just as in standard GRC.
Depending on the risk terminator’s configuration the role administrator can chose to discard the changes, continue with the simulation or generate the profile of the role with the violations
Risk terminator can also be used when assigning roles to users. In the example below the ztestriskterminator role will be assigned to user ZTEST.
As a result ZTEST user will be assigned the conflicting activities maintain PO and release PO which is a SoD-conflict.
The user administrator can chose to abort the role assignment or continue.
Most organizations use the function – task role concept. This means that a (business) function is build out of one or more tasks. In SAP this is called the composite – single role approach. Risk terminator adds value here as well.
The role administrator sets up a composite role named Master Data Officer and adds two task roles. The first task role grants access to vendor master data maintenance and the other one to confirming sensitive vendor changes (such as bank details/alternative payee)
The ability to change the vendor master record (FK02) and confirm sensitive vendor master record changes (FK08) should be seperated. This SoD-conflict is detected by the risk terminator tool.
The role administrator chooses to assign the vendor confirmation role to another function in finance instead of assigning this role to the master data officer.
Especially in the development area risk terminator proves to be a valuable asset to the role administrator in preventing SoD-conflict and sensitive access violations from being introduced in roles.