SAP GRC 10/10.1/12.0 – Risk Terminator
Introduction
Risk Terminator provides a framework where Risk analysis can be triggered during User and Role maintenance activities using SU01, SU10 and PFCG directly in the plug-in system.
Key Concept
Risk Terminator is a service that runs in the SAP ABAP back-end system and triggers an automated risk analysis check when defined segregation of duties (SoD) access risks are violated during user or role maintenance directly in the plug-in system.
The configuration details for Risk Terminator are given below.
GRC Configuration
In the GRC system, maintain the configuration settings below in the path: SPRO -> IMG -> GRC -> Access Control -> Maintain Configuration Settings
Plug-In System Config
Make sure that the User Exits mentioned below exist in the plug-in system in the path: SPRO -> IMG -> GRC (Plug-in) -> Maintain User Exits for Plug-in systems. If they don’t exist, create the entries and save them.
In the plug-in system, maintain the configuration settings below in the path: SPRO -> IMG -> GRC (Plug-in) -> Maintain Plug-In Configuration Settings.
- The connector name maintained in Configuration Parameter 1000 in the plug-in system must be the same as the connector name maintained in Configuration Parameter 1080 in the GRC system.
- The GRC connector name must be maintained in Configuration Parameter 1001 in the plug-in system as shown below.
The Risk Terminator functionality can be applied to different business cases around user maintenance (creation and modification) and role maintenance (creation and modification). To simulate how risk analysis works for role maintenance and user role provisioning, I used the business scenarios below. They are based on the configuration settings defined in the GRC system and the plug-in system.
Risk Terminator Scenarios
Scenario 1: Testing role creation with conflicting Tcodes using PFCG.
Role Name: RT_TEST_ROLE
Tcodes: Conflicting Tcodes have been added as defined in our Rule set
Since the user exit before profile generation is also maintained, you can see from the below screenshot that “Risk Terminator” is triggered as the message shows “Checking for Access Risk Violations”.
Risk Violations will be shown as below
Risk Terminator Triggers during role assignment using PFCG as well
Scenario 2: Testing SU01 conflicting role assignment to users.
Before you test scenario 2, make sure to implement the SAP note below in your plug-in system if your Basis release is 701, as Risk Terminator is not working for SU01 and SU10.
I followed a few SCN links in preparing this blog post.
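The risk analysis behind scenarios 1 and 2 can be pictured with the following added example, which is not part of the original post and is not SAP GRC code. It assumes a simplified, action-level rule set in which a risk is violated when one identity holds at least one Tcode from every function of the risk; the risk ID, function names, and the roles Z_BUYER and Z_RECEIVER are constructed for illustration.

```python
# Added illustration: simplified, action-level SoD check. Not SAP GRC code.
# Constructed rule set: a risk is violated when one identity holds at least
# one action (Tcode) from EVERY function that makes up the risk.
RULESET = {
    "P_TEST_01": {  # hypothetical risk ID
        "maintain_purchase_order": {"ME21N", "ME22N"},
        "post_goods_receipt": {"MB01", "MIGO"},
    },
}

# Constructed roles. RT_TEST_ROLE mirrors scenario 1 (conflict inside one role).
ROLES = {
    "RT_TEST_ROLE": {"ME22N", "MB01"},
    "Z_BUYER": {"ME21N", "ME23N"},
    "Z_RECEIVER": {"MIGO"},
}


def analyze(tcodes, ruleset=RULESET):
    """Return {risk_id: {function: matching Tcodes}} for every violated risk."""
    violations = {}
    for risk_id, functions in ruleset.items():
        hits = {name: sorted(actions & tcodes) for name, actions in functions.items()}
        if all(hits.values()):  # every function of the risk is covered
            violations[risk_id] = hits
    return violations


def check_role(role, roles=ROLES):
    """Role-level check, as in role maintenance with PFCG (scenario 1)."""
    return analyze(set(roles[role]))


def check_assignment(current_roles, new_role, roles=ROLES):
    """User-level check, as in role assignment with SU01 (scenario 2): report
    only the risks the new role introduces on top of the roles already held."""
    before = set().union(*(roles[r] for r in current_roles))
    after = before | roles[new_role]
    existing = analyze(before)
    return {rid: hit for rid, hit in analyze(after).items() if rid not in existing}


if __name__ == "__main__":
    print(check_role("RT_TEST_ROLE"))                    # conflict inside the role
    print(check_role("Z_BUYER"))                         # {} (clean on its own)
    print(check_assignment(["Z_BUYER"], "Z_RECEIVER"))   # conflict at user level
```

The last call shows why the check is needed at assignment time as well as at role maintenance: two roles that each pass the role-level check can still combine into a violation on one user.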
great document - thanks a lot! Very useful.
Thanks Alessandro, actually this was in draft version for quite some time; maybe I will include more details once I am free.
Regards,
Madhu.
Hello,
I have followed your guide and have the connection working and have Risk Terminator enabled for PFCG role creation. I add ME22N and MB01 and the system generates the SOD report correctly.
I have enabled parameter 1086 in the plug-in and GRC system and it displays the SOD conflict and I have the pop-up saying "Role Assignment is causing violations" continue or discard. If I continue I can generate without entering a comment. In an earlier version you were forced to enter a comment and this we stored in a VIRSA table.
Have I missed a step or a configuration option?
Hi,
Does anyone know whether there is an option to stop RT showing 37 times the same risk for 37 derived roles - when there is only ONE change on the parent role?
Hopefully,
Ines