SAP GRC 10/10.1/12.0 – Risk Terminator
Risk Terminator provides a framework in which risk analysis can be triggered during user and role maintenance activities performed with SU01, SU10 and PFCG directly in the plug-in system.
Risk Terminator is a service that runs in the SAP ABAP back-end system and triggers an automated risk analysis check when defined segregation of duties (SoD) access risks are violated during user or role maintenance directly in the plug-in system.
The configuration steps for Risk Terminator are described below.
In the GRC system, maintain the configuration settings below in the path: SPRO -> IMG -> GRC -> Access Control -> Maintain Configuration Settings
Plug-In System Config
Make sure that the User Exits mentioned below exist in the plug-in system in the path: SPRO -> IMG -> GRC (Plug-in) -> Maintain User Exits for Plug-in systems. If they don’t exist, create the entries and save them.
In the plug-in system, maintain the configuration settings below in the path: SPRO -> IMG -> GRC (Plug-in) -> Maintain Plug-In Configuration Settings.
- The connector name maintained in Configuration Parameter 1000 in the plug-in system must be the same as the connector name maintained in Configuration Parameter 1080 in the GRC system.
- The GRC connector name must be maintained in Configuration Parameter 1001 in the plug-in system as shown below.
The Risk Terminator functionality can be applied to different business cases around user maintenance (creation and modification) and role maintenance (creation and modification). To simulate how risk analysis works for role maintenance and user role provisioning, I used the business scenarios below. They are based on the configuration settings defined in the GRC system and the plug-in system.
Risk Terminator Scenarios
Scenario 1: Testing role creation with conflicting Tcodes using PFCG.
Role Name: RT_TEST_ROLE
Tcodes: Conflicting Tcodes have been added as defined in our Rule set
Since the user exit before profile generation is also maintained, you can see from the screenshot below that Risk Terminator is triggered, as the message shows “Checking for Access Risk Violations”.
Risk violations will be shown as below.
Risk Terminator is also triggered during role assignment using PFCG.
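The kind of check behind these scenarios can be sketched in a few lines. This is an added example, not SAP code and not part of the original post: it is a simplified, action-level (tcode only) SoD analysis that ignores authorization objects, and it also shows the user-level case where two roles that are clean on their own conflict once assigned together. The rule set, risk IDs, the Z_* roles and all tcode lists are constructed sample data; only the role name RT_TEST_ROLE comes from Scenario 1.

```python
# Added illustration: simplified, action-level SoD check.
# Rule set, risk IDs and role contents are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    functions: tuple  # each function is a frozenset of tcodes

# A risk is violated when at least one tcode from EVERY function is held.
RULESET = (
    Risk("DEMO_P01", "Maintain vendor master and post vendor payments",
         (frozenset({"FK01", "FK02", "XK01"}), frozenset({"F-53", "F110"}))),
    Risk("DEMO_S01", "Maintain users and maintain roles",
         (frozenset({"SU01", "SU10"}), frozenset({"PFCG"}))),
)

def normalize(tcodes):
    """Upper-case and strip tcodes so ' fk01' matches 'FK01'."""
    return {t.strip().upper() for t in tcodes if t.strip()}

def analyze_tcodes(tcodes, ruleset=RULESET):
    """Return {risk_id: [matching tcodes per function]} for violated risks."""
    held = normalize(tcodes)
    violations = {}
    for risk in ruleset:
        hits = [sorted(held & fn) for fn in risk.functions]
        if all(hits):  # every function has at least one matching tcode
            violations[risk.risk_id] = hits
    return violations

def analyze_user(assigned_roles, role_catalog, ruleset=RULESET):
    """User-level check: union the tcodes of all assigned roles first."""
    combined = set()
    for role in assigned_roles:
        combined |= normalize(role_catalog[role])
    return analyze_tcodes(combined, ruleset)

# RT_TEST_ROLE is the role name from Scenario 1; the Z_* roles and all
# tcode lists are hypothetical.
ROLE_CATALOG = {
    "RT_TEST_ROLE": ["FK01", "F-53", "FB03"],
    "Z_VENDOR_MAINT": ["FK01", "FK02", "FK03"],
    "Z_AP_PAYMENTS": ["F-53", "FB03"],
}

if __name__ == "__main__":
    for role, tcodes in ROLE_CATALOG.items():
        print(role, analyze_tcodes(tcodes))
    print("user", analyze_user(["Z_VENDOR_MAINT", "Z_AP_PAYMENTS"], ROLE_CATALOG))
```

The two Z_* roles each pass the role-level check, but the user-level check reports the conflict, which is why the check matters at role assignment and user maintenance as well as at role creation.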
Scenario 2: Testing SU01 conflicting role assignment to users.
Before you test scenario 2, make sure to implement the SAP note below in your plug-in system if your Basis release is 701, as Risk Terminator is not working for SU01 and SU10.
I followed a few SCN links in preparing this blog post.