Skip to Content
Technical Articles
Author's profile photo Madhu Babu #MJ

SAP GRC 10.1/12.0 integration with HANA DB for User Access Provisioning

Purpose of the Document

The purpose of this blog is to explain how User Access Provisioning to HANA DB is handled by GRC system.

The details discussed below will be more on the technical setup which will include DB Connection Setup from GRC to HANA DB, Deployment of Delivery Unit in HDB, Synching the Users and Roles of HANA DB to GRC, Importing the HANA DB roles into GRC BRM and then user access provisioning to HANA DB through GRC.

GRC can provisioning following different types of roles to users in HANA DB:

  1. HANA Analytic Privileges
  2. Repository Roles
  3. Catalog Roles

Let’s see how you can setup this functionality and can test in GRC 12.0 system (End to End).

Required Configuration to enable ARQ provisioning for HANA DB

HANA Database Connector Setup

Create HANA database connector in GRC system using transaction code DBCO (Database Connection Maintenance)

DB Connection: Fill in the DB Connection name. This name will be used in the connector setup so name it accordingly.

DBMS: Select the type of Database Management System as “HDB” (HANA Database)

User Name and Password: Valid user authentication details to connect to HANA DB. User should have been already created in HANA DB and assigned with required privileges.

Since the RFC user (GRC_FF in this case) is used for integration between GRC and HANA DB and not for interactive use or manual login to database, it is recommended that password of this user is disabled (i.e. no change required for the password).

You can do this using following SQL command:


Connection Info: HANA database system details (Hostname details along with Port Number)

Save the database connection after entering all required details as mentioned above.

Testing HANA DB Connection created in GRC

HANA database connection can be tested using ABAP report “ADBC_TEST_CONNECTION”

Execute transaction SE38 and run report “ADBC_TEST_CONNECTION”

HANA DB connection can also be verified using the transaction “DBACOCKPIT” .

HANA Database Connector in SM59

Create a connector in SM59 with connection type as “L” (Logical Destination) and connector name same as the connection created in DBCO.

HANA Connector Config Setup in GRC

Define connectors in the following IMG path

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connectors

Define connector groups in the following IMG path and assign HANA DB connectors to this connector group

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types ->Define Connector Groups

Maintain Connection Settings

Connectors must be assigned to the all integration scenarios (AM, ROLMG, SUPMG, AUTH, PROV) available as it is a good practice.

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connection Settings

Maintain Connector Settings

Maintain connector settings in the following path:

SPRO -> IMG -> GRC -> Access Control -> Maintain Connector Settings

Delivery Unit deployment in HANA DB

Delivery Unit deployment into HANA DB and activating the SQL procedures under AC folder in HANA DB is a prerequisite and must be followed according to the steps mentioned in following SAP Note:

GRC Procedures Activation

For details on how the corresponding SQL procedures under ARA and ARQ folders are required to be activated are available in SAP Note 1869912.

SQL Procedures under ARA folder – Just execute in any sequence

SQL Procedures under ARQ folder – Execute procedures starting with ‘IS’ or ‘INS’ first followed by procedures starting with GRANT and REVOKE and finally remaining procedures.

“GET_USERS_SYNC” procedure has an updated version released through the following SAP Note. Hence, download this from the note and activate it as it is not updated in the latest version by default.

2451688 – Repository sync job not syncing back user validity dates from HANA

However, there are few errors which you will come across during SQL procedures activation like mentioned below. Please go through the note and then implement the corresponding procedures attached in the note to resolve the errors:

2671192 – GRC HANA Plugin enablement for HANA 2.0 SPS 03

Get_action_permissions_info.sql procedure may still throw error. Please fix with code as shown below:


Manual steps mentioned in the below note must be also executed in HANA studio or Web IDE even though you are in latest version 12.0 as there are some updates to procedures in ARQ folder which need to be manually updated in HANA DB.

2482955 – Redesign of logging and messaging in HANA Plugin

If the manual steps mentioned in the above note are not completed then the ARQ provisioning will fail with following errors:

Execute “Repository Object Sync” program once all the above configuration is completed which should successfully sync the USERS and ROLES from HANA DB to GRC system

HANA Roles Import to GRC BRM

Following roles can be provisioned to users in HANA database and while importing these roles into BRM, please use the role types as mentioned below:

  1. Repository Roles – Role type “SIN” for importing into BRM
  2. Catalog Roles – Role type ‘SIN’ for importing into BRM
  3. Analytic Privileges – Role type ‘HAP’ for importing into BRM

GRC Request Provisioning Logs (For HANA Analytic Privileges or Repository/Catalog roles)

Once the above mentioned steps are completed, you can raise GRC access request and can provision HANA DB roles.

I have attached access request provisioning logs screenshots for HANA DB roles provisioning below for your reference.

Repository or Catalog roles provisioning

Analytic Privileges provisioning

Thanks for reading.

Looking forward for your inputs in improving this blog with additional details or scenarios ?

Best Regards,

Madhu Babu Sai

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Sam GRC
      Sam GRC

      Excellent Blog as always!


      We had uploaded the role and ran the full sync, but role is coming as does not exist

      Author's profile photo Madhu Babu #MJ
      Madhu Babu #MJ
      Blog Post Author

      Hi Sam,

      What is the "Role Exists" flag value in BRM? Is it YES or NO.

      Does your role exists in GRACRLCONN table?

      R u getting this error in the ARQ role search screen?



      Author's profile photo Sam GRC
      Sam GRC

      Hi Madhu,

      The role exists in GRACRLCONN  table, the role does not appear in ARM search and comes as does not exist after import as attached

      Author's profile photo Madhu Babu #MJ
      Madhu Babu #MJ
      Blog Post Author

      Hi Sam,

      Can you just try updating status as YES using program “GRAC_OBJ_MANUAL_SYNC” and check if you are able to provision the roles?

      Author's profile photo Alfredo Murguia
      Alfredo Murguia

      Thank you very much for this detailed explanation!  I will do it in my GRC 12 installation.


      Alfredo Murguía

      Author's profile photo Shivendra Kumar Pandey
      Shivendra Kumar Pandey

      Hi Madhu,

      What is role type for a custom role e.g. ZXXX and also can we import the packages into GRC.

      Could you elaborate on this.




      Author's profile photo Akash Parekh
      Akash Parekh

      Hi Madhu,

      Excellent Blog, minor changes to do as I see Path for Maintain Connector Settings is incorrect as path should be as below


      SPRO -> IMG -> GRC -> Access Control -> Maintain Connector Settings



      Author's profile photo Madhu Babu #MJ
      Madhu Babu #MJ
      Blog Post Author

      Hey Akash,

      Thanks for highlighting. Corrected it.

      Author's profile photo Narayana swamy Yanikapati
      Narayana swamy Yanikapati

      Hi Madhu,

      Excellent Blog,Great work and keep it up!


      Narayana S

      Author's profile photo Divya Bondu
      Divya Bondu

      Thanks a lot. This is very useful.

      And below SNOTE is the latest one available for “Delivery unit deployment in HANA DB” (for GRC 12.0)

      2589878 – Installing or upgrading HANA GRC Plug-in

      Author's profile photo Subhradeep Saha
      Subhradeep Saha

      Hi Madhu,

      Thanks for sharing the information 🙂

      For HANA GRC Provisioning, i am done with all the steps. Now, while uploading the roles into GRC BRM getting the below error.

      And the role template that i''ve used,

      Can you please help me with a descriptive documentation of the process or let me know what needs to be changed here?



      Author's profile photo Madhu Babu #MJ
      Madhu Babu #MJ
      Blog Post Author

      Hi Subhradeep,

      Business process is assigned based on the roles you have created in HANA DB. For example, if you role is used by Basis team then you will assign Business Process as Basis. If it is used by Functional tracks, then based on the purpose of the role the corresponding business process will be tagged to the role.

      Business Process helps to group the roles that belong to same functional process so that when you want to use them for any reporting it will be easy to extract from the system.



      Author's profile photo shashi kandari
      shashi kandari

      Dear All,

      Recently I have integrate HANA 2.0 system with GRC 12.0 & all the configuration done and the provision is working fine except below two Open Issue.

      1) Assigned User privileges in HANA are not synched with GRC, due to this the assignment is not coming in existing assignment & while raising an Privilege removal from user, we are getting an Error that: Currently not privilege assigned to user in HANA, So removal access request cant be raised.

      Please Note-: Privilege assignment is working fine.


      2) While Creating an User group in HANA 2.0 is not getting synched with GRC & also those User group is not coming in Access Request.

      Author's profile photo Srinivasa Paupuleti
      Srinivasa Paupuleti

      Hi Shashi,

      SAP confirmed that User Group field mapping is not supported by default. So, it is possible to get this done through customizing in both GRC and HANA side.

      Author's profile photo simmi sharma
      simmi sharma

      Thanks Madhu for sharing the blog .
      could you please suggest if there any kind of Length Limit while doing the role import .

      Reason is my roles are successfully imported but they are not searchable while creating ARM request?