SAP GRC Access Control 12.0 – Exclude Objects from Risk Analysis with Supplementary Rules

There might be situations in which the Business decides to accept a given Risk but just for a set of users, or a specific User Group, and you might need to exclude them from all Risk Analysis reports.

SAP Access Control provides the ability to exclude objects (Users, Roles, Profiles, User Groups) from Batch Risk Analysis via IMG activity ‘Maintain Exclude Objects from Batch Risk Analysis’:

However, this option will only take effect over Offline Risk Analysis and Dashboards. It will not affect online/ad-hoc Risk Analysis, nor any Risk Analysis simulations. One possible solution to this problem is to create a Supplementary Rule to exclude the desired User IDs or User Groups from any Risk Analysis report.

Excluding User IDs with Supplementary Rules

First, you will need to set parameter 1037 to YES.

Now, go to NWBC, Setup tab, and click on ‘Supplementary Rules’ under Exception Access Rules section.

We could use any custom or standard table, but in our example, we will extend the same table used by the IMG activity to exclude objects from Batch Risk Analysis, GRACEXCLUDEDOBJS.

The following supplementary rule is created and assigned to all Risk IDs, looks for all User IDs in the GRACEXCLUDEDOBJS table which are Object Type User (1) and Active (X), and excludes them for any Risk Analysis report, Online or Offline:

Excluding User Groups with Supplementary Rules

Similarly, let’s say we want to exclude all users from User Group ‘SUPPORT’. In this case, we could just use table USR02, and the field CLASS:

Hope this helps, if you need more information do not hesitate to leave a comment.