SAP GRC (AC) Cheat Sheet

ABHISHEK KUMAR SHARMA – SAP S4 SECURITY, GRC CONSULTANT, MENTOR


SAP GRC Overview

SAP GRC is a strategy and structure that helps organizations manage risk, comply with regulations, and achieve their goals. The SAP GRC solution enables organizations to manage regulations and compliance and remove risk from managing the organization's key operations. Responsibilities should be clearly defined; managing role provisioning and managing access for super users is critical for managing risk in an organization.

SAP GRC Modules

Access Control (AC)
- To mitigate risk in an organization, it is required to perform risk control as part of compliance and regulation practice.

Process Control (PC)
- Used for managing compliance and policy management; allows organizations to manage and monitor their internal control environments.

Risk Management (RM)
- Allows organizations to manage risk management activities and advance planning to identify risk in the business and implement measures to manage risk.

SAP GRC Access Control Modules

ARA (Access Risk Analysis)
Helps identify, monitor, and mitigate access and segregation of duties (SoD) risks in SAP environments to ensure compliance and reduce security vulnerabilities.

Types of Risks: SOD Risk, Critical Action, Critical Permission
- SOD Risk: a user holds 2 or more conflicting actions which together allow committing a fraud.
- Critical Action: the T-Code itself is the risk (e.g. SCC5, SM01).
- Critical Permission: risk at the field and value level (e.g. S_DEVELOP, S_USER_GRP with activity 02).

Remediation: Preventive control.
Mitigation: Bypassing SOD violations for a specific period. Detective control.

Important Tables:
GRACFUNC – Functions
GRACACTRULE – Stores SOD Action Rule detail data
GRACFUNCACT – Rule Set Function/Action Mapping
GRACSODRISKOWN – SOD Risk owners
GRACOWNER – Master table for central owner admin
GRACUSERCONN – Connector-specific user (relation between users and systems)

Parameters related to ARA:
1007 – Enable Rule Set change log
1008 – Enable role change log
1027 – Enable Offline risk analysis (batch process)
1028 – Include expired users
1029 – Include locked users
1030 – Include mitigated risk

ARM (Access Request Management)
Streamlines and automates user access requests, approvals, and provisioning processes in SAP systems, ensuring secure, compliant, and efficient access control management.

ARM provides an automatic workflow for the access request form. MSMP is used to build the workflow for access request management.

Request types:
New User Request
Change User Request
Delete User Request
Lock Account
Unlock Account

Important Tables:
GRACREQUSER – Contains user-specific information for the access request.
GRACACTRULE – Contains activity rules related to ARM, specifying actions for each workflow step.
GRACCHANGELOG – Logs changes and updates to access requests.
GRACREQUESTERLOG – Keeps a log of requester information for each access request.
GRACUSERROLE – Maintains data on roles assigned to users through ARM.
GRACREQITEMS – Stores line items (specific actions) in an access request.
GRACREQSTAGE – Maintains information on the stages and workflow steps of each request.
GRACREQPROVITEM – Logs provisioning actions taken for each request.

EAM (Emergency Access Management)
Manages and controls temporary, high-privilege access to critical SAP systems. It allows authorized users to perform emergency tasks in a controlled and monitored environment, often referred to as "firefighter" access.

Firefighter concept based on how access is granted:
- ID based: a normal user ID is linked to an FF ID for a short duration (1 to 5 days).
- Role based: an FF role is assigned to the user ID, based on the request, for a short duration.

FF ID access concept based on login:
- Centralized FF: login from the GRC system (T-codes GRAC_SPM or GRAC_EAM).
- Decentralized FF: login from the plug-in system and execute T-code /n/GRCPI/GRIA_EAM.

Important Tables:
GRACFFOWNER – FF owners list
GRACFFUSER – FFID's users
GRACFFUSERT – Details about FFID assignment to FF
GRACOBJECTT – Text table for FFID and role details
GRAC_FFSESSION (T-code) – To check FF log review workflow status

Parameters related to EAM (the 4000 series is related to EAM/FF):
4000 – ID based or Role based
4001 – Default Firefighter Validity Period (Days)
4010 – FF ID role
4015 – Activate Decentralized FF

BRM (Business Role Management)
Streamlines the process of creating, managing, and maintaining business roles within SAP systems. BRM helps organizations define, model, and control access roles, ensuring that they meet compliance requirements and reduce risks (SOD).

Key Features of BRM:
Centralized Role Management
Role Modelling and Design
Workflow-Based Role Approval
Role Versioning and History Tracking
Segregation of Duties (SoD) Analysis

Role Types:
SIN – Single Role
COM – Composite Role
BUS – Business Role
DRD – Derived Role

Important Tables:
GRACROLE – Roles available in GRC
GRACROLEAPPRVR – Role approver
GRACROLERELAT – Role relationship (Business Role - Composite Role - Single Role)
GRACROLEREQ – Role request details
GRACROLESTATUS – Role status table
GRACROLETYPE – Role type table

Parameters related to BRM:
3004 – PRD – Default Role Status
3005 – No – Reset Role Methodology when Changing Role Attributes
3014 – Yes – Allow role generation with Permission Level violations

Role for Role Owner – SAP_GRAC_ROLE_MGMT_ROLE_OWNER
Roles Assigned in GRC AC (Default Role + Mentioned Roles)
Role for Access Request Approver – SAP_GRAC_ACCESS_APPROVER (anyone approving a request – Owner/Manager)
Risk Owner – SAP_GRAC_RISK_OWNER
Mitigation Approver – SAP_GRAC_CONTROL_APPROVER
Mitigation Control Monitor – SAP_GRAC_CONTROL_MONITOR
Create AC Mitigation Control – SAP_GRAC_CONTROL_OWNER
Role for Access Request Administrator – SAP_GRAC_ACCESS_REQUEST_ADMIN
Role for End User – SAP_GRAC_ACCESS_REQUESTER
Ability to Perform Risk Analysis – SAP_GRAC_RISK_ANALYSIS
FF Owner – SAP_GRAC_Super_User_Mgmt_Owner
FF Controller – SAP_GRAC_Super_User_Mgmt_Cntlr
FF User – SAP_GRAC_Super_User_Mgmt_User
FFID User – Service User SAP_GRAC_SPM_FFID + the relevant FF roles

Default Roles to users:
SAP_GRC_FN_Base – Base role to run GRC applications
SAP_GRC_FN_Business_User – For Business User
SAP_GRC_NWBC – For Governance, Risk, & Compliance

GRC AC Ruleset Components:
Ruleset: A collection of risk IDs that defines potential risks within an SAP system.
Risk ID: Identifies a specific risk, each linked to actions that could lead to SoD conflicts.
Function: A grouping of critical actions or permissions that, when paired, may lead to conflicts.
Action: Transactions in functions, causing Critical Action Risk or SOD Risk.
Permission: Specific authorizations required to execute actions within a function, influencing the risk.
SOD Risk: Segregation of Duties risk arises when conflicting functions are assigned to the same user, breaching compliance.

Background Jobs Related to GRC:
GRAC_Repository_Object_Sync
GRAC_Action_Usage_Sync
GRAC_PFCG_Authorization_Sync
GRAC_BATCH_Risk_Analysis
GRAC_SPM_LOG_SYNC_Update
GRAC_SPM_SYNC
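The following is an added illustration, not part of the cheat sheet and not SAP code: a toy risk analysis in Python that models the ruleset hierarchy described above (Ruleset → Risk ID → Function → Action/Permission) and the three ARA risk types (SOD, Critical Action, Critical Permission), including a time-bound mitigation and switches that play the role of parameters 1030 (include mitigated risk) and 1029 (include locked users). The function IDs, risk IDs, user IDs, mitigation dates and the purchasing/invoice transaction codes (ME21N, ME22N, MIRO, FB60) are constructed sample data; SCC5, SM01 and S_USER_GRP with activity 02 are the examples the cheat sheet itself gives.

```python
from dataclasses import dataclass
from datetime import date

# --- Ruleset model: Ruleset -> Risk ID -> Function -> Action / Permission ---

@dataclass(frozen=True)
class Permission:
    obj: str    # authorization object, e.g. S_USER_GRP
    fld: str    # field, e.g. ACTVT
    value: str  # field value, e.g. "02" (change)

@dataclass(frozen=True)
class Function:
    actions: frozenset            # transaction codes grouped in this function
    permissions: frozenset        # Permission values grouped in this function

@dataclass(frozen=True)
class Risk:
    risk_type: str                # "SOD", "CRITICAL_ACTION" or "CRITICAL_PERMISSION"
    functions: tuple              # function IDs that make up the risk
    description: str

@dataclass(frozen=True)
class Mitigation:
    user: str
    risk_id: str
    valid_from: date              # mitigation accepts the risk only inside this window
    valid_to: date

@dataclass(frozen=True)
class UserAuth:
    actions: frozenset            # t-codes the user can start (from assigned roles)
    permissions: frozenset        # Permission values the user holds
    locked: bool = False

@dataclass(frozen=True)
class Violation:
    user: str
    risk_id: str
    risk_type: str
    functions_hit: tuple
    mitigated: bool

# Constructed sample ruleset; IDs are invented for this example.
FUNCTIONS = {
    "PR01": Function(frozenset({"ME21N", "ME22N"}), frozenset()),   # maintain purchase orders
    "AP01": Function(frozenset({"MIRO", "FB60"}), frozenset()),     # post vendor invoices
    "BC01": Function(frozenset({"SCC5", "SM01"}), frozenset()),     # critical basis t-codes (from the page)
    "BC02": Function(frozenset(), frozenset({Permission("S_USER_GRP", "ACTVT", "02")})),  # change user groups
}
RULESET = {
    "P001": Risk("SOD", ("PR01", "AP01"), "Maintain PO and post vendor invoice"),
    "B001": Risk("CRITICAL_ACTION", ("BC01",), "Client copy / lock transactions"),
    "B002": Risk("CRITICAL_PERMISSION", ("BC02",), "Change user master records"),
}

def function_hit(user: UserAuth, func: Function) -> bool:
    """A function is hit when the user holds any of its actions or any listed permission."""
    return bool(user.actions & func.actions) or bool(user.permissions & func.permissions)

def analyze_user(user_id, user, run_date, mitigations=(), include_mitigated=False,
                 include_locked=False, ruleset=RULESET, functions=FUNCTIONS):
    """Return the risks a single user violates on run_date (simplified ARA logic)."""
    if user.locked and not include_locked:        # parameter 1029 analogue
        return []
    found = []
    for risk_id, risk in ruleset.items():
        hit = tuple(f for f in risk.functions if function_hit(user, functions[f]))
        # SoD needs two conflicting functions on one user; critical action/permission needs one.
        needed = 2 if risk.risk_type == "SOD" else 1
        if len(hit) < needed:
            continue
        mitigated = any(m.user == user_id and m.risk_id == risk_id
                        and m.valid_from <= run_date <= m.valid_to for m in mitigations)
        if mitigated and not include_mitigated:   # parameter 1030 analogue
            continue                              # accepted under a detective control for the period
        found.append(Violation(user_id, risk_id, risk.risk_type, hit, mitigated))
    return found

# Constructed sample users and one time-bound mitigation.
USERS = {
    "JDOE": UserAuth(frozenset({"ME21N", "MIRO"}), frozenset()),
    "BUYER": UserAuth(frozenset({"ME21N"}), frozenset()),
    "ADMIN1": UserAuth(frozenset({"SCC5"}), frozenset({Permission("S_USER_GRP", "ACTVT", "02")})),
    "LOCKED1": UserAuth(frozenset({"ME21N", "MIRO"}), frozenset(), locked=True),
}
MITIGATIONS = (Mitigation("JDOE", "P001", date(2024, 1, 1), date(2024, 12, 31)),)

def run_report(run_date, include_mitigated=False, include_locked=False):
    """Analyze every user; return {user_id: [Violation, ...]} for users with findings."""
    report = {}
    for uid, auth in USERS.items():
        found = analyze_user(uid, auth, run_date, MITIGATIONS, include_mitigated, include_locked)
        if found:
            report[uid] = found
    return report

if __name__ == "__main__":
    for uid, violations in run_report(date(2024, 6, 1)).items():
        for v in violations:
            flag = " [mitigated]" if v.mitigated else ""
            print(f"{uid}: {v.risk_id} ({v.risk_type}) via {', '.join(v.functions_hit)}{flag}")
```

Run on 2024-06-01, JDOE's SoD conflict is suppressed because the mitigation is in force, while ADMIN1 is reported for both the critical action (SCC5) and the critical permission (S_USER_GRP ACTVT 02); rerun after the mitigation expires, or with include_mitigated=True, and JDOE reappears, which is the reason a periodic batch risk analysis should review mitigated risks rather than treat them as closed.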
