9 Simple yet effective tips for SAP GRC Access Control 10x/12
Here are the 9 simple, but effective tips that you can quickly implement in your SAP GRC Access Control application.
SAP GRC TIP # 1 – Improving the performance of Role Import
If you are experiencing performance issues during Role Import, simply indexing the table GRACFLDSYST on the below fields, which will increase the performance by 60-70%
SAP GRC TIP # 2 – Quick Report on Business Roles vs Single Roles
Do you have very little time to generate a report on the active Business Roles vs Single Roles? Then try the standard program GRAC_CHECK_BROLE_ASSIGNMENT.
This program not only gives you a quick report of the business roles that are assigned to users along with the single roles in it, but also identifies the inconsistencies in them along with the validation on the assignments.
GRC TIP # 3 – Ruleset Deletion
When you delete transaction codes from the Ruleset, you cannot transport the deleted values from DEV to PRD. This is as per the Design. Hence SAP recommends to deactivate the objects instead of delete.
In case if you still prefer to transport, delete the existing ruleset in QA and PRD, transport and ensure you regenerate the rules.
GRC TIP # 4 – Unable to create a BRF+ Initiator rule on UAR & SOD review workflow??
Don’t worry, it’s by design and this is because the grouping and agent detection is automatically done through the standard function modules – GRAC_USERACCRVW_INITIATOR (UAR) and GRAC_RISKREVIEW_INITIATOR (SOD Review). But you can copy them as Z objects and customize them to fit your requirement.
SAP GRC TIP # 5: Change Default search criteria options in Access Request search screen.
Did you know? You can change the default search options/criteria in the AR form by enhancing the BAdi GRAC_ACCREQ_SEARCH_CRITERIA.
With this BAdI you can default Role type, and other fields in your Access Request form. Note that the Enhancement Spot is:
This will help your users to define the criteria quickly.
SAP GRC TIP # 6 – Validation of Transaction codes entered in the actions text box of EAM (Firefighter)
If your users are entering irrelevant information or incorrect tcode list In the actions field (text box) while initiating the FireFighter session, here is a tip for you.
You can now validate whether users are entering the right tcodes list or not by enhancing an SAP delivered BADI. Refer the SAP notes – 2404934 (GRC AC : FireFighter Logon Custom Validation for reason code and Activity) for a detailed enhancement and the steps.
SAP GRC TIP # 7 – Archiving EAM (Firefighter) logs
You can archive the SPM/EAM/Firefighter logs either from SARA (selecting the archiving component for EAM) or by using the program GRAC_EAM_ARCHIVE_WRITE. When archived thru the program, the archived content is stored in the Archive File Browser (AFB) which can be accessed using AS_AFB transaction code.
SAP GRC TIP # 8 – Hide “Update Firefighter Log Report” button for Firefighter controllers
Controllers can update the Firefighter logs by using the “Update Firefighter Log Report” from NWBC- Reports & Analytics- Consolidated Log report.
To remove this button, Just ensure that the activity 70 (Administer) in GRAC_ASIGN object is not assigned to the Controller.
SAP GRC TIP # 9 – Want to disable the Request for multiple users option in ARM?
Here is a quick solution. Simply remove the value M from the auth object GRAC_REQ in the role assigned to the end user. If you with to remove others, remove value O.
The values S is for Self, O is for Others and M is for Multiple.