Skip to Content

Introduction


Risk Terminator provides a framework where Risk analysis can be triggered during User and Role maintenance activities using SU01, SU10 and PFCG directly in the plug-in system.


Key Concept

The Risk Terminator is a service that runs in the SAP ABAP back-end system and triggers automated risk analysis check when defined segregation of duties (SoD) access risks are violated during User or Role maintenance directly in the plug-in system..


Below are the configuration details to configure Risk Terminator.

GRC Configuration


In GRC system maintain the below configuration settings in the path: SPRO -> IMG -> GRC -> Access Control -> Maintain Configuration Settings


Plug-In System Config


Make sure that below mentioned User Exits exist in the plug-in system in the path: SPRO -> IMG -> GRC (Plug-in) -> Maintain User Exits for Plug-in systems. If they don’t exist, create the entries and save them.


In Plug-In system maintain the below configuration settings in the path: SPRO -> IMG -> GRC (Plug-in) -> Maintain Plug-In Configuration Settings.

  1. Connector Name maintained in Configuration Parameter 1000 in Plug-In system must be same as the connector name maintained in Configuration Parameter 1080 in GRC system.
  2. GRC Connector name must be maintained in Configuration Parameter 1001 in Plug-In system as shown below.


The Risk Terminator functionality can be applied to different business cases around user maintenance (creation and modification) and role maintenance (creation and modification). To simulate how risk analysis works for role maintenance and user role provisioning, I used below business scenarios. They are based on the configuration settings defined in the GRC system and the Plug-in system.

Risk Terminator Scenarios


Scenario 1: Testing role creation with conflicting Tcodes using PFCG.


Role Name: RT_TEST_ROLE

Tcodes: Conflicting Tcodes have been added as defined in our Rule set


Since the user exit before profile generation is also maintained, you can see from the below screenshot that “Risk Terminator” is triggered as the message shows “Checking for Access Risk Violations”.

Risk Violations will be shown as below

Risk Terminator Triggers during role assignment using PFCG as well

Scenario 2: Testing SU01 conflicting role assignment to users.

Before you test scenario 2 make sure to implement the below SAP note in your Plug-In system if your Basis Release is 701 as Risk Terminator is not working for SU01 and SU10.


Followed few SCN links in preparing this blog post.

GRC 10 – Risk Terminator

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

    1. Madhu Babu Sai Post author

      Thanks Alessandro, actually this was in draft version from quiet sometime, may be I will include more details once I am free.

      Regards,

      Madhu.

      (0) 

Comments are closed.