Skip to Content
Technical Articles
Author's profile photo Madhu Babu #MJ

SAP GRC 10/10.1/12.0 – Risk Terminator


Risk Terminator provides a framework where Risk analysis can be triggered during User and Role maintenance activities using SU01, SU10 and PFCG directly in the plug-in system.


Key Concept

The Risk Terminator is a service that runs in the SAP ABAP back-end system and triggers automated risk analysis check when defined segregation of duties (SoD) access risks are violated during User or Role maintenance directly in the plug-in system..

Below are the configuration details to configure Risk Terminator.

GRC Configuration

In GRC system maintain the below configuration settings in the path: SPRO -> IMG -> GRC -> Access Control -> Maintain Configuration Settings

Plug-In System Config

Make sure that below mentioned User Exits exist in the plug-in system in the path: SPRO -> IMG -> GRC (Plug-in) -> Maintain User Exits for Plug-in systems. If they don’t exist, create the entries and save them.

In Plug-In system maintain the below configuration settings in the path: SPRO -> IMG -> GRC (Plug-in) -> Maintain Plug-In Configuration Settings.

  1. Connector Name maintained in Configuration Parameter 1000 in Plug-In system must be same as the connector name maintained in Configuration Parameter 1080 in GRC system.
  2. GRC Connector name must be maintained in Configuration Parameter 1001 in Plug-In system as shown below.

The Risk Terminator functionality can be applied to different business cases around user maintenance (creation and modification) and role maintenance (creation and modification). To simulate how risk analysis works for role maintenance and user role provisioning, I used below business scenarios. They are based on the configuration settings defined in the GRC system and the Plug-in system.

Risk Terminator Scenarios

Scenario 1: Testing role creation with conflicting Tcodes using PFCG.


Tcodes: Conflicting Tcodes have been added as defined in our Rule set

Since the user exit before profile generation is also maintained, you can see from the below screenshot that “Risk Terminator” is triggered as the message shows “Checking for Access Risk Violations”.

Risk Violations will be shown as below

Risk Terminator Triggers during role assignment using PFCG as well

Scenario 2: Testing SU01 conflicting role assignment to users.

Before you test scenario 2 make sure to implement the below SAP note in your Plug-In system if your Basis Release is 701 as Risk Terminator is not working for SU01 and SU10.


Followed few SCN links in preparing this blog post.

GRC 10 – Risk Terminator

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Alessandro Banzer
      Alessandro Banzer

      great document - thanks a lot! Very useful.

      Author's profile photo Madhu Babu #MJ
      Madhu Babu #MJ
      Blog Post Author

      Thanks Alessandro, actually this was in draft version from quiet sometime, may be I will include more details once I am free.



      Author's profile photo Mark Wilson
      Mark Wilson



      I have followed your guide and have the connection working and have Risk Terminator enabled for PFCG role creation. I add ME22N and MB01 and the system generates the SOD report correctly

      I have enabled parameter 1086 in the plug-in and GRC system and it displays the SOD conflict and I have the pop-up saying  "Role Assignment is causing violations" continue or disgard. If I continue I can generate without entering a comment. In an earlier version you were forced to enter a comment and this we stored in a VIRSA table.

      Have I missed a step or a configuration option?

      Author's profile photo Ines Gawehn
      Ines Gawehn


      does anyone know whether there is an option to stop RT showing 37 times the same risk for 37 derived roles - when there is only ONE change on the parent role?