Skip to Content
Technical Articles
Author's profile photo Japneet Singh
Japneet Singh
January 17, 2020 6 minute read

Running risk analysis for the SAP S/4HANA and SAP Fiori System.

GRC 10.1 SP 22 (Initially introduced with SP 19) / GRC 12 SP 03, made it possible to include SAP S/4HANA and SAP Fiori applications in the risk analysis. For this purpose, the authorization object S_SERVICE has been activated in the GRC risk analysis rules as part of SAP FIORI applications and SAP S/4 HANA integrations.

The blog post explains the steps required to be configured in the GRC system for running the risk analysis for SAP S/4HANA and SAP Fiori systems. Based on the landscape, you may have the SAP S/4HANA and SAP Fiori configured on the same system or you may have separate system for SAP S/4HANA and SAP Fiori. The connector configurations for the above mentioned scenarios are slightly different.

STEP 1: Connector Configuration

As mentioned above,  the SAP Fiori and the SAP S/4HANA system could be on the same box or they can be set up as separate systems. We will be covering both the scenarios.

Scenario 1 :SAP S/4HANA & SAP FIORI on Same Box

In this case only one connector is to be created. Create connector for SAP S/4HANA Box. The connection type should be “SAP”.

Scenario 2: SAP S/4HANA & SAP FIORI are on Different Boxes

In this case two connector are to be created in GRC. One for SAP S/4HANA and another for SAP Fiori box. Both the SAP S/4HANA and SAP Fiori connector will be of type SAP.

The SAP FIORI Connector is to be maintained as Subsequent Connector of SAP S/4HANA connector.

 

 

Once the connector/s are created and maintained, the same needs to be assigned to the integration scenarios. To maintain connection settings:

  1. Enter Transaction SPRO
  2. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connection Settings.
  3. Select the Integration Scenario AUTH for Risk analysis.
  4. Add SAP S/4HANA and SAP Fiori connector in the connector list.
  5. Click Save.

STEP 2: Creation of Risk and Setting up the Ruleset

The customer might want to use the SAP delivered rules OR would want to use custom rules along with the standard delivered rule OR the customer might just want to create custom rule and use the same.

The rule creation and generation process is different, all the 3 scenarios are covered below.

Scenario 1: The customer wants to use the SAP Standard ruleset

  1. Activate BC Sets
  2. GRAC_RA_RULESET_COMMON
  3. GRAC_RA_RULESET_S4HANA_ALL
  4. After activating BC Set, all standard rules will be available for CONNECTOR Group “SAP_S4A_LG”.
  5. As SAP Fiori apps are case sensitive, Connector Group “SAP_S4A_LG” & “S/4HANA Connector” requires to be maintained in Configuration Parameter 1022 & 1046.
  6. After maintaining Connector Group “SAP_S4A_LG” under configuration parameters (1022 & 1046), there is a requirement for downloading and uploading the same rules again
    .
    Note- this step is required because Case Sensitive data goes into different table i.e. GRACFUNCACTEXT.. … *EXT tables. Follow the steps mentioned below.

    1. Download the rules for SAP_S4A_LG.
      SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis ==> SOD Rules ==>Download SOD Rules.
      Select system “SAP_S4A_LG” and provide path & names of all files and download.
    2. Upload the same rules again for SAP_S4A_LG.
      SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis ==> SOD Rules ==> Upload SOD Rules.
      Select system “SAP_S4A_LG” and provide path & names of all files and Upload with Overwrite option.
    3. Add the SAP Fiori and SAP S/4HANA connector to the connector group SAP_S4A_LG
      SPRO ==> IMG ==> GRC ==> Common Component Setting ==> Integration Framework ==> Maintain connectors and connection Types.
      Select the connector Group “SAP_S4A_LG” and Add the SAP S/4HANA and SAP Fiori connector to the connector group.
    4. Generate the Rules.
      SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis ==> SOD Rules ==> Generate SOD Rules.

 

Note: If you do not wish to perform point number 6 described in Scenario 1, you can also make use of the new report “GRAC_RULE_CONVERT_TO_EXTOBJ” , Delivered via SAP note “2805767”. The note has been created specifically to populate the data in the extended tables. Before running the report, ensure that the Connector Group “SAP_S4A_LG” & “S/4HANA Connector” is set in the configuration parameters 1022 and 1046.

 

Scenario 2: Customer wants to use SAP provided Standard ruleset and modify as per their requirements.

  1. Activate BC Sets
    GRAC_RA_RULESET_COMMON
    GRAC_RA_RULESET_S4HANA_ALL
  2. After activating BC Set, all standard rules will be available for CONNECTOR Group “SAP_S4A_LG”.
  3. Create your own Custom Connector Group (say… C_S4_LG). Add S/4HANA & SAP Fiori connector in the Connector List.
  4. Maintain your Custom Connector Group “C_S4_LG” & “S/4HANA Connector” under 1022 & 1046 configuration Parameter.
  5. Download the rules for SAP_S4A_LG. Select system “SAP_S4A_LG” and provide path & names of all files and download.
    1. SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis ==> SOD Rules==> Download SOD Rules. Select system “SAP_S4A_LG” and provide path & names of all files and download.
    2. Upload the same rules again for “C_S4_LG”
      SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis ==> SOD Rules ==> Upload SOD Rules. Select system “Custom_S4_ALL” and provide path & names of all files and Upload with Overwrite option.
    3. Generate the Rules.
      SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis ==> SOD Rules ==> Generate soD Rules.

Scenario 3: In case the customer wants to create their own custom rules without having SAP Standard rules

  1. Create your own Custom Connector Group (say… C_S4_LG). Add SAP S/4HANA connector in the Connector List.
  2. Maintain your Custom Connector Group “C_S4_LG” & “S/4HANA Connector” under 1022 & 1046 configuration Parameter.
  3. Create your Functions / Risk Manually or Use custom TXT files and upload your rules against your Connector Group “C_S4_LG”.
  4. Generate the Rules.
    SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis ==> SOD Rules ==> Generate soD Rules.

Note: While create custom Risk, kindly ensure, proper abbreviations/Prefix are used for different types of Actions. Refer to the KBA 2655122 for more details on the same.

Once the above mentioned steps are configured and rules are generated, the entries in the following extension table will get populated.

  • GRACACTRULEEXT
  • GRACFUNCACTEXT
  • GRACFUNCPRMEXT
  • GRACPROFACTVLEXT
  • GRACPROFPRMVLEXT
  • GRACROLEACTVLEXT
  • GRACROLEPRMVLEXT
  • GRACUSERACTVLEXT
  • GRACUSERPRMVLEXT

Now if the user/role has conflicting actions pertaining to SAP S/4HANA/SAP Fiori system, the corresponding violations will be flagged in the Risk Analysis result.

 

Important Information

  1. In order to run risk analysis for SAP S/4HANA and SAP Fiori plugin only, GRCPINW/GRCPIERP package is to be installed on both SAP S/4HANA and SAP Fiori system. UIGRAC01(For GRC 12)/UIGRC001(For GRC 10.1) package is not required for running Risk analysis.
  2. UIGRAC01(For GRC 12)/UIGRC001(For GRC 10.1) package on SAP Fiori is only required in case you want to use the GRC Fiori Apps.

List of important notes

  • 2704494 – S4HANA & Fiori Risk Analysis does not show correct violations.
  • 2639161 – S_SERVICE authorization causing huge risk violations results.
  • 2652312 – Enhancement to SAP S/4HANA risk analysis to use same SAP S/4HANA ruleset even if Fiori Application is rendered from a different system.
  • 2655122 – Prefix / Abbreviation requires with Action for creating & running risk analysis

 

Assigned Tags

      4 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Vijayakumar Suthanthiran
      Vijayakumar Suthanthiran

      Nice Document Japneet

      Author's profile photo Chris Harmour
      Chris Harmour

      Hi Japneet,

      Great document – thanks heaps for posting!

      Not sure I agree with the line ‘Add the SAP Fiori and SAP S/4HANA connector to the connector group SAP_S4A_LG’ though- wouldn't this mean risks that are meant purely for the S4HANA system may appear against the Fiori Connector? e.g. HR risks, Finance risks etc.

      Totally understand that your role design should not contain HR, Finance etc in Fiori, but even so, wouldn't it be better to have Fiori connector against basis rule set only?

      Do you have a screenshot of what the Fiori & S4 on different box scenario would look like from a risk results perspective? Are we to only be running these sorts of risk analysis against the connector group, or will running against S4 automatically pick up the risks coming from Fiori?

      Cheers

      Author's profile photo Himanshu Agrawal
      Himanshu Agrawal

      Connecter group SAP_S4A_LG should be cross system or logical group only? Also I have same question raised by Chris Harmour..

       

      Thanks,
      Datta

      Author's profile photo Yashasvi Sanvaliya
      Yashasvi Sanvaliya

      Hello Japneet,

      Thank you for the informative blog. Few queries which is affecting the risk setup for me:

      1. Is it okay to have legacy ECC connector and S4 HANA connector in same connector group (as most of the risks apply for both systems where old t-codes and objects are still in use) ? We could add additional actions/permissions in existing functions for S4 HANA system directly. In this case should this connector group be maintained in 1022 and 1046? Or only S4 connector should be maintained in these parameters.
      2. How the group shall be formed if we have cross system risks between ECC and S4 HANA system, and what values will be there for parameters 1022 and 1046?

       

      Kind regards,

      Yashasvi