GRC PC: Customization of Controls
GRC Process Controls is a very interesting subject and is widely gaining visibility due to it’s reach on more wider areas of Security Governance.
Controls play a pivotal part in many GRC PC applications, such as Assessments. And not all fields are suitable or sufficient to represent the organization’s requirement or assessments.
This article outlines the high-level steps for adding Custom fields to Controls. which are as below.
1. Custom fields to be encapsulated in Structure.
a. Create Data Domains in SPRO > Governance Risk and Compliance > General Settings > > User defined fields> HR-User defined fields > Create Data Elements in the ABAP Dictionary. Select Radio button as Domain, provide a name and click Create.
Developer Key will be required during creation of Data Domain. Custom package will be required for transport. And Value ranges need can be given, so that the fields associated to these domains inherit these values. Attributes such as Data Type and Length are to be provided as required.
b. Create Data elements in the same above path in SPRO. Choose Data and assign them the respective Data Domain(created above). Filed label needs to be provided as required.
2. The data elements need to be assigned to a structure. Structure contains the no. of the InfoType
a. In the same above path, select Data Type, and then enter the name as HRI9nnn, for example, HRI9101. Choose Create. Select Structure. Assign the fields created in tab Components
3. Assignment of Infotypes to Control
a. Navigate to the path and select the below Node. Enter the Infotype number and click Create
b. This Structure has the Infotype 9101. This Infotype needs to be tagged to entity Control. The table entry T777I
c. Select New Entries and provide the Infotype number and provide P2(Local Control) and P5(Central Control), in Time Constraint and Infotypes per Object type.
d. Assign SubTypes to InfoType created. Eg. SOX and FDA as Regulation.
4. Entities such as Organization, Subprocess, Control are maintained through GRFN_STR_CHANGE and GRFN_STR_DISPLAY. The Custom fields are made available by making the Infotype available as one of the tabs in these 2 transactions.
Select ‘Scenario Definition(Hirerachy Framework) and GRCP0’.
b. Select ‘Tab Page in Scenario for each Object Type’. And click New Entries. Add the Tab page (eg. ZIT9101) with a sequence number.
c. Next, the Custom fields can be checked for necessary correction through the program GRFN_CHECK_CDF . This is available in the below node
5. The Custom fields can be included in Reports through below steps
a. Fields are added to structure CI_GRPC_CONTROL
b. Fields are added to the particular report, through SE11. Enter the structure name of the report and add the fields
Add the custom fields in the reports through the below steps
c. Select the report and double-click on Columns. Click on new entries and add the Custom fields.
Summary: This completes the addition of custom fields in entities such as Controls; and their appearance in Standard Reports.
Values for these Custom attributes can be added as similar to Standard fields in SPRO>..> Process Control > Edit attribute values.
This concept can be applied to other entities, such as Organizations and Subprocesses.
Looking for your feedback: There can be many variants to the customization of entities. This blog provides the concept and associated reports that are impacted. Please share your experience on scenarios that you have faced. This will help everyone in our community gain experience on multiple solutions from GRC PC.
Hope you find this article useful. Please provide your comments and queries
I will try to provide more conceptual articles on GRC PC. Looking forward to your insights. Please tag your Q&A on GRC PC to SAP Process Control. More details on tags is available at https://answers.sap.com/tags.html
SAP Security, GRC and SAP IDM Consultant