SECURITY GUIDE | PUBLIC

Document Version: 1.0.2 – 2019-01-08

Security Guide: SAP Access Control 12.0

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

THE BEST RUN

Content

1 Document History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Before You Start. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

4 Technical System Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

5 Network and Communication Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

5.1 Communication Channel Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
5.2 Trusted/Trusting RFC Relationships. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
5.3 Communication Destinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
5.4 Integration with Single Sign-On Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5.5 Data Storage Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5.6 Trace and Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
5.7 Configuring NW VSI in the Landscape. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

6 User Administration and Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

6.1 User Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Non-SAP Fiori Technology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
SAP Fiori Launchpad. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

7 Application Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
7.1 Business Catalog Roles for FLP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
7.2 Delivered Business Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
7.3 Authorization Object Names. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.4 Authorization Objects and Relevant Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Authorization Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Values for ACTVT Field. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Values for GRAC_ACTRD Field. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
7.5 Business Roles and Authorization Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Roles Relevant Across All Capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Role Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Access Request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Emergency Access Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Access Risk Analysis. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Workflow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

8 Data Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Security Guide: SAP Access Control 12.0

2 PUBLIC Content
8.1 Information Retrieval Framework (IRF). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
8.2 Read Access Log (RAL). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
8.3 Business Entities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
8.4 Roles and Authorization Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
8.5 Data Archiving. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Archiving GRACTUSAGE Table Records. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Archiving GRC Requests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Archiving EAM Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Security Guide: SAP Access Control 12.0

Content PUBLIC 3
1 Document History

 Note

Before you start the implementation, make sure you have the latest version of this document. You can find
the latest version at: http://help.sap.com.

Version Date Description

1.00 March 2018 Initial Release

1.01 October 2018 Updated component diagram for Tech­

nical System Landscape.

1.02 January 2019 (SP03) Updated Data Protection prerequisite,

which is AC12, SP01.

Security Guide: SAP Access Control 12.0

4 PUBLIC Document History
2 Introduction

SAP Access Control is an enterprise software application that enables organizations to control access and
prevent fraud across the enterprise, while minimizing the time and cost of compliance. The application
streamlines compliance processes, including access risk analysis and remediation, business role management,
access request management, emergency access maintenance, and periodic compliance certifications. It
delivers visibility of the current risk situation with real-time data.

The security guide provides an overview of the application relevant security information. You can use this
document to implement system security, and the application security features.

Target Audience

The security guide is written for the following audience, and requires existing knowledge of SAP security model
and of PFCG, SU01, and Customizing tools:

● Technology consultants
● System administrators

About this Document

This Security Guide covers the following main security areas:

Network and system security

This area covers the system security issues and addresses them in the following sections:

● Network and Communication Security

○ Communication Channel Security
○ Communication Destinations
○ Integration with Single Sign-on (SSO) Environments
○ Data Storage Security
○ User Administration
○ Trace and Log Files
● Application Security
○ Delivered roles
○ Authorization objects
● Data Protection
○ Data retention
○ Data deletion
○ Data archiving

Security Guide: SAP Access Control 12.0

Introduction PUBLIC 5
3 Before You Start

Access Control uses SAP NetWeaver, SAP NetWeaver Portal, and SAP NetWeaver Business Warehouse.
Therefore, the corresponding security guides and other documentation also apply.

Refer to the following security guides on http://help.sap.com:

● SAP NetWeaver Application Server for ABAP Security Guide

● SAP BW Security Guide (Business Warehouse)

Important SAP Notes

Make sure that you have the up-to-date version of each SAP Note, available at https://help.sap.com/grc-ac.

Security Guide: SAP Access Control 12.0

6 PUBLIC Before You Start
4 Technical System Landscape

The following is the component diagram for SAP Access Control 12.0.

Security Guide: SAP Access Control 12.0

Technical System Landscape PUBLIC 7
5 Network and Communication Security

You can use the information in this section to understand and implement the network and communication
security for SAP Access Control.

Network

SAP Access Control is based on SAP NetWeaver technology. Therefore, for information about network security,
see the respective sections in the SAP NetWeaver Security Guide at https://help.sap.com/nw75 > Security
Guide.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security

● Security Aspects for Connectivity and Interoperability

5.1 Communication Channel Security

Use

The following table contains the communication paths, the connection protocol, and the transferred data type
used by the access control solution:

Communication Path Protocol Type of Data Transferred Data Requiring Special Pro­
tection

SAP NetWeaver ABAP server DIAG All application data Logon data
using SAP GUI

SAP NetWeaver Portal HTTP/HTTPS All application data Logon data

DS Extraction (application RFC All application data Logon data

server to BI system)

Application server to BI sys­ HTTP/HTTPS All application data Logon data

tem

Security Guide: SAP Access Control 12.0

8 PUBLIC Network and Communication Security
 Communication Path Protocol Type of Data Transferred Data Requiring Special Pro­
tection

BI system to application HTTP/HTTPS All application data Logon data

server

BusinessObjects Enterprise TCP/IP All application data Logon data

Server

SAP NetWeaver Business Cli­ HTTP/HTTPS All application data Logon data
ent

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTPS
connections are protected using the Secure Sockets Layer (SSL) protocol.

More Information

● Transport Layer Security in the SAP NetWeaver Security Guide

● Using the Secure Sockets Layer Protocol with SAP NetWeaver Application Server ABAP

5.2 Trusted/Trusting RFC Relationships

Use

You can set up trusted and trusting Remote Function Call (RFC) relationships between two SAP systems. This
allows secure RFC connections between the systems without sending passwords for logging on. The logon user
must have the corresponding authorization object S_RFCACL in the trusting system. This trusted relationship
is not specific to GRC applications, and is a function of SAP NetWeaver.

More Information

Trusted/Trusting Relationships Between SAP Systems on the SAP Help Portal under RFC Programming in
ABAP.

Security Guide: SAP Access Control 12.0

Network and Communication Security PUBLIC 9
5.3 Communication Destinations

The table lists the RFC authorization objects and values you must add to the RFC user to allow Access Control
to communicate with other SAP and non-SAP solutions.

Object Description Authorization Field Value

S_RFC Authorization check for RFC ACTVT 16

Access

N/A RFC_NAME /GRCPI/*

BAPT

RFC1

SDIF

SDIFRUNTIME

SDTX

SUNI

SUSR

SUUS

SU_USER

SYST

SYSU

RFC_TYPE FUGR

S_TCODE Authorization check at trans­ TCD SU01

action start

S_TABU_DIS Table maintenance ACTVT 3

DICBERCLS &NC&

SC

SS

ZV&G

ZV&H

ZV&N

S_TOOLS_EX Tools Performance Monitor AUTH S_TOOLS_EX_A

S_GUI Authorization for GUI activi­ ACTVT *

ties

Security Guide: SAP Access Control 12.0

10 PUBLIC Network and Communication Security
 Object Description Authorization Field Value

S_USER_AGR Authorizations: role check ACTVT *

ACT_GROUP *

S_USER_AUT User Master Maintenance: ACTVT *

Authorizations
AUTH *

OBJECT *

S_USER_GRP User Master Maintenance: ACTVT *

User Group
CLASS *

S_USER_PRO User Master Maintenance ACTVT *

Authorization Profile
PROFILE *

S_USER_SAS User Master Maintenance: ACTVT 01

System-Specific Assign­
06
ments
22

ACT_GROUP *

CLASS *

PROFILE *

SUBSYSTEM *

S_USER_SYS User Master Maintenance: ACTVT 78

System for Central User
Maintenance SUBSYSTEM *

S_USER_TCD Authorizations: transactions TCD *

in roles

S_USER_VAL Authorizations: filed values in AUTH_FIELD *

roles
AUTH_VALUE *

OBJECT *

S_DEVELOP ABAP Workbench ACTVT *

DEVCLASS SUSO

OBJNAME /GRCPI/*

OBJTYPE FUGR

Security Guide: SAP Access Control 12.0

Network and Communication Security PUBLIC 11
Object Description Authorization Field Value

P_GROUP *

S_ADDRESS1 Central address manage­ ACTVT 01

ment
02

03

06

ADGRP BC01

PLOG Personnel planning INFOTYP 1000

1001

ISTAT *

OTYPE *

PLVAR *

PPFCODE *

SUBTYP *

P_TCODE HR: Transaction code TCD SU01

5.4 Integration with Single Sign-On Environments

SAP Access Control:

● supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver Application Server ABAP.
● supports the security guidelines for user management and authentication described in the SAP NetWeaver
Application Server Security Guide.
● leverages the SAP NetWeaver ABAP Server and SAP NetWeaver Portal infrastructure.

Secure Network Communications (SNC)

For more information about SNC, see Secure Network Communications (SNC) in the SAP NetWeaver
Application Server Security Guide.

Security Guide: SAP Access Control 12.0

12 PUBLIC Network and Communication Security
SAP Logon Tickets

For more information about SAP Logon Tickets, see SAP Logon Tickets in the SAP NetWeaver Application
Server Security Guide.

Client Certificates

For more information about X.509 Client Certificates, see Using X.509 Client Certificates on the SAP Help
Portal (http://help.sap.com ).

5.5 Data Storage Security

Master data and transaction data is stored in the database of the SAP system on which the application is
installed. Data storage occurs in Organizational Management, Case Management and in separate tables for this
purpose.

In some applications, you can upload documents into the system. The default document management system
(DMS) for storing data is the SAP Content Server and Knowledge Provider (KPro) infrastructure. Once
uploaded, the documents can be accessed using a URL. The application security functions govern
authorization for accessing the URL directly in the portal. To prevent unauthorized access to the document
through copying and sending the URL, a URL is only valid for a given user and for a restricted amount of time
(the default is two hours).

If you choose to implement a different document management system, the data storage security issues are
deferred to that particular DMS.

5.6 Trace and Log Files

For information about trace and log files, see the SAP Access Control 12.0 Admin Guide at https://
help.sap.com/grc-ac.

5.7 Configuring NW VSI in the Landscape

Access Control provides the ability to upload documents. We recommend you scan all documents for potential
malicious code before you upload them. You can use the NetWeaver Virus Scan Interface (NW VSI) to scan the
documents. For more information, see SAP Virus Scan Interface in the SAP NetWeaver Library.

Security Guide: SAP Access Control 12.0

Network and Communication Security PUBLIC 13
6 User Administration and Authentication

SAP Access Control relies on the user management and authentication mechanisms provided with the SAP
NetWeaver platform, in particular the SAP NetWeaver AS for ABAP Application Server. Therefore, the security
recommendations and guidelines for user administration and authentication as described in the SAP
NetWeaver Application Server for ABAP Security Guide also apply to SAP Access Control.

6.1 User Management

6.1.1 Non-SAP Fiori Technology

User management for SAP Access Control uses the mechanisms provided with the SAP NetWeaver Application
Server for ABAP, such as tools, user types, and password concept. For more information, see the Security
Guide for SAP NetWeaver Application Server for ABAP.

User Administration Tools

This table shows the tools available for user management and administration.

Tool Description

User maintenance for ABAP-based systems (transaction For more information about the authorization objects pro­
SU01) vided by SAP Access Control, see the Authorization Objects
sections.

Role maintenance with the profile generator for ABAP-based For more information about, see the Delivered Roles sec­
systems (PFCG) tions.

Central User Administration (CUA) for the maintenance of For central administration tasks
multiple ABAP-based systems

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy
may specify that individual users who perform tasks interactively have to change their passwords on a regular

Security Guide: SAP Access Control 12.0

14 PUBLIC User Administration and Authentication
basis, but not those users under which background processing jobs run. These are the user types required for
SAP Access Control:

● Individual users
○ Dialog users - used for SAP GUI for Windows
○ Internet users - used for Web Applications
● Technical users
● Service users are dialog users who are available for a large set of anonymous users
● Communication users are used for dialog-free communication between systems
● Background users are used for processing in the background

6.1.2 SAP Fiori Launchpad

SAP Fiori launchpad is a shell that hosts SAP Fiori apps, and provides the apps with services such as
navigation, personalization, embedded support, and application configuration. SAP Access Conrol 12.0 uses
the on-premise implementation, therefore users and authentication are maintained using the the mechanisms
provided with the SAP NetWeaver Application Server for ABAP.

Fore more information, see the SAP NetWeaver Application Server for ABAP Security Guide.

Security Guide: SAP Access Control 12.0

User Administration and Authentication PUBLIC 15
7 Application Security

The information in this section explains the application authorizations model and concepts.

Access Control leverages the standard SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP
NetWeaver Portal user management and authorization. The security information for SAP NetWeaver, SAP
NetWeaver Application Server ABAP, and SAP NetWeaver Portal also apply.

For information about SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal
see the SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal security guides.

Prerequisites

You have knowledge of the following tools, terms, and concepts:

● ABAP Application Server

○ Customizing activities (transaction SPRO)
○ PFCG
○ SU01
● Portal
○ User Administration
○ Content Administration
○ Portal Roles
● Business Client
○ Menu of PFCG roles
● SAP Fiori Launchpad (FLP)

For more information about Access Control concepts and features, see the SAP Access Control 12.0 Application
Help at http://help.sap.com/grc-ac .

Customizing Front-end Screens and Menus

You can configure user-specific front-end screens and menus in the Customizing activities accessed from the
SPRO transaction.

 Caution

SAP does not recommend you customize the information architecture because if SAP provides updates to
the content, then such changes update only the standard SAP-delivered repository and Launchpads. The
changes do not directly update any customized versions.

You carry out the configuration activities from the transaction SPRO, SAP Reference IMG Governance, Risk,
and Compliance General Settings Maintain Customer Specific Menus .

Security Guide: SAP Access Control 12.0

16 PUBLIC Application Security
Privacy Concerns

Notify your users as required by your company's privacy policy that user information such as first Name, last
Name, E-mail address, roles, and other personal information is stored by the program
GRAC_REPOSITORY_OBJECT_SYNC.

Maintaining Authorizations

Access Control uses object level authorizations. Authorizations are granted to users based on the
authorizations of specific roles and the authorization objects assigned to those roles. To maintain the
authorizations, you use PFCG and the information in this guide about the delivered roles and authorization
objects.

SAP provides a set of sample roles for Access Control, which include recommended authorizations. You can
create your own PFCG roles or copy the sample roles to your customer namespace. Then modify them as
needed.

7.1 Business Catalog Roles for FLP

This information is relevant for customers who have implemented SAP Fiori Launchpad (FLP). SAP Fiori
launchpad is a shell that hosts SAP Fiori apps, and provides the apps with services such as navigation,
personalization, embedded support, and application configuration.

Role administrators make tile catalogs and groups available on the end user's page by assigning tile catalogs
and tile groups to a PFCG role to which users can be assigned. Users logging on to the launchpad see all
assigned groups on their home page, and when users open the catalog section, they can access all tiles in the
assigned catalogs.

SAP Access Control delivers the following business catalog roles for the FLP.

Roles for SAP Fiori Launchpad

Name Description

SAP_GRC_BCR_CMPLNCMGR_T Compliance Manager

SAP_GRC_BCR_EMPLOYEE_T Access Control Employee

SAP_GRC_BCR_MANAGER_T Request Approver

SAP_GRC_BCR_REQADMINTR_T Access Control Administrator

SAP_GRC_BCR_SCRTYMGR_T Security Manager

For more information, see:

● SAP Fiori Launchpad

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 17
● SAP Fiori Launchpad - Security Aspects

7.2 Delivered Business Roles

Access Control leverages the SAP NetWeaver authorization model and assigns authorizations to users based
on roles. The following sample roles are delivered with the application. You must copy them into your own
namespace to use them.

Feature Role Name Description

All AC SAP_GRAC_ALL Super administrator for Access Control.

 Note
You must assign this role to the WF-BATCH user.

All AC SAP_GRAC_BASE Gives basic authorizations required for all AC users.

You must assign this role to all AC users.

All AC SAP_GRAC_REPORTS Ability to run all AC reports and have the display ac­
cess for all drill-downs.

All AC SAP_GRAC_NWBC Gives the authorizations to launch NWBC. You must

assign this role to all AC users.

All AC SAP_GRAC_SETUP Gives authorizations to set up and customize AC.

SAP_GRAC_DISPLAY_ALL Gives display-only access to all master data and ap­

All AC plication data.

Role Management SAP_GRAC_ROLE_MGMT_USER Role management business user

Role Management SAP_GRAC_ROLE_MGMT_DESIGNER Role management designer

Role Management SAP_GRAC_ROLE_MGMT_ROLE_OWNER The Role Management role owner

Access Request SAP_GRAC_ACCESS_REQUESTER The role for the access request end user

Access Request SAP_GRAC_ACCESS_APPROVER The role for the access request approver

Access Request SAP_GRAC_ACCESS_REQUEST_ADMIN The role for the access request administrator

Emergency Access Man­ SAP_GRAC_SUPER_USER_MGMT_ADMIN This administrator role is for centralized firefighting
agement

Emergency Access Man­ SAP_GRAC_SUPER_USER_MGMT_OWNER This owner role is for centralized firefighting
agement

Security Guide: SAP Access Control 12.0

18 PUBLIC Application Security
 Feature Role Name Description

Emergency Access Man­ SAP_GRAC_SUPER_USER_MGMT_CNTLR This controller role is for centralized firefighting
agement

Emergency Access man­ SAP_GRAC_SUPER_USER_MGMT_USER This firefighter user role is for centralized firefighting
agement

Emergency Access Man­ SAP_GRIA_SUPER_USER_MGMT_ADMIN This firefighter admin role is for plug-in firefighting
agement

Emergency Access Man­ SAP_GRIA_SUPER_USER_MGMT_USER This firefighter user role is for plug-in firefighting
agement

Emergency Access Man­ SAP_GRC_SPM_FFID This service role is for ID-based firefighting. Assign
agement this role to users to create firefigher IDs.

Access Risk Analysis SAP_GRAC_RULE_SETUP This role has the authorization to define access rules

SAP_GRAC_RISK_ANALYSIS This role has the authorization to perform access

Access Risk Analysis risk analysis

SAP_GRAC_ALERTS This role has the authorization to generate, clear and

Access risk analysis delete access risk alerts

SAP_GRAC_CONTROL_OWNER This role has the authorization to create mitigating

Access Risk Analysis controls.

SAP_GRAC_RISK_OWNER This role has the authorization to run access risk

Access Risk Analysis maintenance and access risk analysis.

SAP_GRAC_CONTROL_MONITOR This role has the authorization to run risk analysis,

mitigating control assignment, and assign mitigating
Access Risk Analysis controls to an access risk.

SAP_GRAC_CONTROL_APPROVER This role is used for control and control assignments.

It has the authorization to run risk analysis, mitigat­
ing control assignment, and workflow approval for
Access Risk Analysis access risk alerts.

SAP_GRAC_FUNCTION_APPROVER This role is the delivered agent for workflow in access

control. It has authorization to approve, create, read,
Access Risk Analysis update, and delete workflow requests.

Workflow SAP_GRC_MSMP_WF_ADMIN_ALL Administrator role for MSMP workflows

Workflow SAP_GRC_MSMP_WF_CONFIG_ALL Configurator role for MSMP workflows

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 19
7.3 Authorization Object Names

Access Control authorizations for roles are maintained by the assignment of authorization objects.

 Note

For use with Fiori fact sheets, verify that the following authorization objects are in place: Mitigation Control
– GRAC-MITC, Role – GRAC-ROLED, Risk – GRAC-RISK, User – GRAC-USER

The table lists the authorization objects delivered with the application:

Object Description

1 GRAC_ACTN This object grants the authorization to perform different actions.

2 GRAC_ALERT This object allows you to generate, clean up, and create alerts.

3 GRAC_ASIGN The object allows you to assign owner types to firefighter IDs.

4 The object allows you to create, read, update, and delete business proc­
GRAC_BPROC esses, and to assign business processes to risks and functions.

5 GRAC_BGJOB The object allows you to execute background jobs.

6 GRAC_CGRP This object allows to maintain an Access Control Custom Group.

7 The object allows you to create, read, update, and delete SoD critical pro­
GRAC_CPROF files.

8 The object allows you to create, read, update, and delete SoD critical
GRAC_CROLE roles.

9 The object allows you to restrict activities based on the following attrib­
utes: cost center, department, company, location. You use this object to
GRAC_EMPLY maintain authorization for attributes not in the in the GRAC_USER object.

10 The object allows you to restrict creation of FFID or FFROLE based on

GRAC_FFOBJ system user ID, system, or activity.

11 The object allows you to create, read, update, and delete FFID owners
GRAC_FFOWN based on the owner type, user ID, or system ID.

12 The object allows you to maintain authorizations for the SoD function
based on the following attributes: activity, function ID, action (SOD trans­
GRAC_FUNC action), and permission.

13 The object allows you to restrict activities for the HR object based on spe­
GRAC_HROBJ cific attributes: activity, connector ID, HR object type, HR object ID.

14 GRAC_MITC The object allows you to maintain mitigation controls.

Security Guide: SAP Access Control 12.0

20 PUBLIC Application Security
 Object Description

15 GRAC_ORGRL The object allows you to maintain SoD organization rules.

16 GRAC_OUNIT The object allows you to maintain org units for access control.

17 GRAC_OWNER The object allows you to maintain owners in access control.

18 GRAC_PROF The object allows you to maintain the SoD profile.

19 The object allows you to perform risk analysis. You can specify if the user
has authorizations to only execute risk analysis, or has administrator
GRAC_RA rights.

20 GRAC_RCODE The object allows you to maintain the reason code.

21 GRAC_REP The object allows you to excute all reports.

22 GRAC_REQ The object allows you to maintain access requests.

23 GRAC_RISK The object allows you to maintain SoD access risk.

24 GRAC_RLMM The object allows you to perform role mass maintenance.

25 This object allows you to enforce authorizations for accessing roles dur­
GRAC_ROLED ing role definition.

26 GRAC_ROLEP This object allows you to control which roles a user can request.

27 GRAC_ROLER This object allows you to perform role risk analysis.

28 GRAC_RSET The object allows you to create, read, update, and delete SoD rule sets.

29 The object allows you to create, read, update, and delete SoD supplemen­
GRAC_SUPP tary rules.

30 The object allows you authorize access to specific connectors or systems

GRAC_SYS based on application type and system ID.

31 GRAC_SYSTM This object allows system level access to Access Control.

32 The object allows you to restrict activities based on the following attrib­
GRAC_USER utes: user group, user ID, connector, user group, orgunit.

33 This object allows you to access connectors in CCITS (the GRC integra­
GRFN_CONN tion engine).

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 21
7.4 Authorization Objects and Relevant Fields

The authorization objects for Access Control use specific authorization fields.

The following table lists the authorization fields that are available for each authorization object:

Object Fields

1 ● GRAC_ACTN
GRAC_ACTN ● GRFNW_PRC

2 ● ACTVT
GRAC_ALERT ● GRAC_ALRTT

3 ● ACTVT
GRAC_ASIGN ● GRAC_OWN_T

4 ● ACTVT
GRAC_BGJOB ● GRAC_BGJOB

5 ● ACTVT
GRAC_BPROC ● GRAC_BPROC

6 ● ACTVT
GRAC_CGRP ● GRAC_CGRP

7 ● ACTVT
GRAC_CPROF ● GRAC_CPROF

8 ● ACTVT
GRAC_CROLE ● GRAC_CROLE

9 ● ACTVT
● GRAC_COMP
● GRAC_COSTC
● GRAC_DEPT
GRAC_EMPLY ● GRAC_LOCTN

10 ● ACTVT
● GRAC_FFOBJ
GRAC_FFOBJ ● GRAC_SYSID

11 ● ACTVT
● GRAC_OWN_T
● GRAC_SYSID
GRAC_FFOWN ● GRAC_USER

Security Guide: SAP Access Control 12.0

22 PUBLIC Application Security
 Object Fields

12 ● ACTVT
● GRAC_ACT
● GRAC_FUNC
GRAC_FUNC ● GRAC_PRM

13 ● ACTVT
● GRAC_HROBJ
● GRAC_HRTYP
GRAC_HROBJ ● GRAC_SYSID

14 ● ACTVT
● GRAC_MITC
GRAC_MITC ● GRAC_OUNIT

15 ● ACTVT
GRAC_ORGRL ● GRAC_ORGRL

16 ● ACTVT
● GRAC_OUNIT
GRAC_OUNIT ● GRAC_OUTYP

17 ● ACTVT
● GRAC_CLASS
● GRAC_OUNIT
● GRAC_OWN_T
● GRAC_SYSID
GRAC_OWNER ● GRAC_USER

18 ● ACTVT
● GRAC_PROF
GRAC_PROF ● GRAC_SYSID

19 ● ACTVT
● GRAC_OTYPE
● GRAC_RAMOD
GRAC_RA ● GRAC_REPT

20 ● ACTVT
● GRAC_RSCOD
GRAC_RCODE ● GRAC_SYSID

21 ● ACTVT
GRAC_REP ● GRAC_REPID

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 23
 Object Fields

22 ● ACTVT
● GRAC_BPROC
● GRAC_FNCAR
● GRAC_RQFOR
● GRAC_RQINF
GRAC_REQ ● GRAC_RQTYP

23 ● ACTVT
● GRAC_BPROC
● GRAC_RISK
● GRAC_RLVL
● GRAC_RSET
GRAC_RISK ● GRAC_RTYPE

24 ● ACTVT
GRAC_RLMM ● GRAC_RLMMT

25 ● GRAC_ACTRD
● GRAC_BPROC
● GRAC_LDSCP
● GRAC_RLSEN
● GRAC_RLTYP
GRAC_ROLED ● GRAC_ROLE

26 ● ACTVT
● GRAC_BPROC
● GRAC_OUNIT
● GRAC_RLTYP
● GRAC_ROLE
GRAC_ROLEP ● GRAC_SYSID

27 ● ACTVT
● GRAC_OUNIT
● GRAC_ROLE
● GRAC_ROTYP
GRAC_ROLER ● GRAC_SYSID

28 ● ACTVT
GRAC_RSET ● GRAC_RSET

29 ● ACTVT
● GRAC_RQTP
GRAC_RT ● GRAC_TN

30 GRAC_SUPP ● ACTVT

Security Guide: SAP Access Control 12.0

24 PUBLIC Application Security
 Object Fields

31 ● ACTVT
● GRAC_APPTY
● GRAC_ENVRM
GRAC_SYS ● GRAC_SYSID

32 ● ACTVT
● GRACSYSACT
GRAC_SYSTM ● GRAC_SYSID

33 ● ACTVT
● GRAC_CLASS
● GRAC_OUNIT
● GRAC_SYSID
● GRAC_USER
GRAC_USER ● GRAC_UTYPE

34
 Note
To allow users to view access request data in re­
ports, you must assign this authorization object and
the activity A5 (display report) to their role.
GRFN_MSMP

7.4.1 Authorization Fields

This section covers the technical names for the authorization fields and their descriptions.

For information about the fields that are relevant for specific authorization objects, see Authorization Objects
and Relevant Fields.

Field Name Description

1 GRAC_ACT Action

2 GRAC_ACTRD Activities

3 GRAC_ALRTT Alert type

4 GRAC_APPTY Application type

5 GRAC_BPROC Business process

6 GRAC_BSUBP Subprocess

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 25
 Field Name Description

7 GRAC_CLASS User group

8 GRAC_COMP Company

9 GRAC_COSTC Cost center

10 GRAC_CPROF Profile name

11 GRAC_CROLE Role name

12 GRAC_CTRID SOD control ID

13 GRAC_DEPT Department

14 GRAC_ENVRM System environment

15 GRAC_FFOBJ Description for user ID or role

16 GRAC_FNCAR Functional area

17 GRAC_FUNC Function ID

18 GRAC_HROBJ HR object ID

19 GRAC_HRTYP HR object type

20 GRAC_LDSCP Connector group

21 GRAC_LOCTN Location

22 GRAC_MITC SOD control ID

23 GRAC_MON Owner description

24 GRAC_OLVL Resource extension

25 GRAC_ORGRL Organization rule ID

26 GRAC_OTYPE Object types for authorization

27 GRAC_OUNIT HR object ID

28 GRAC_OUTYP Object type for assigned organization

29 GRAC_OWN_T Owner type

30 GRAC_PRM SOD resource

31 GRAC_PROF Profile name

32 GRAC_RAMOD Risk analysis mode

Security Guide: SAP Access Control 12.0

26 PUBLIC Application Security
 Field Name Description

33 GRAC_REPID Report name

34 GRAC_REPT Report type

35 GRAC_RISK Access risk ID

36 GRAC_RLMMT Type for role mass maintenance

37 GRAC_RLSEN Role sensitivity

38 GRAC_RLTYP Role type

39 GRAC_RLVL SOD risk level

40 GRAC_ROLE Role name

41 GRAC_ROTYP Role type for risk analysis

42 GRAC_ROWN Owner description

43 GRAC_RQFOR Request for single or multiple user

44 GRAC_RQINF Request Information

45 GRAC_RQSOD SOD option for request

46 GRAC_RQTYP Request type

47 GRAC_RSCOD Title/Short name

48 GRAC_RSET Rule set ID

49 GRAC_RTYPE Access risk type

50 GRAC_SYSID Connector ID

51 GRAC_TN Template Name

52 GRAC_USER User ID

53 GRAC_USRTY Role type for request approver

54 GRAC_UTYPE User type

7.4.2 Values for ACTVT Field

The ACTVT (or Activity) field is used by almost every Access Control authorization object. The values you
select for the ACTVT field controls the actions the role can perform with the authorization object, such as
delete or execute.

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 27
  Note

The GRAC_ROLED authorization object does not use the ACTVT field; it uses the custom attribute:
GRAC_ACTRD. For more information, see Values for GRAC_ACTRD Field [page 29].

The following table lists the values you can select for the ACTVT field based on the authorization object:

Authorization Object Valid Activity Values

1 GRAC_ALERT Delete, Execute, Archive, Deactivate

2 GRAC_ASIGN Create or generate, Change, Display, Delete, Administer

3 GRAC_BPROC Create or generate, Change, Display, Delete, Execute, Assign

4 GRAC_BGJOB Create or generate, Display, Delete, Administer

5 GRAC_CGRP Create or generate, Change, Display, Delete, Execute

6 GRAC_CPROF Create or generate, Change, Display, Delete, Execute, Assign

7 GRAC_CROLE Create or generate, Change, Display, Delete, Execute, Assign

8 Create or generate, Change, Display, Delete, Execute, Administer, Assign,

GRAC_EMPLY Copy

9 GRAC_FFOBJ Create or generate, Change, Display, Delete

10 GRAC_FFOWN Create or generate, Change, Display, Delete, Archive, Administer

11 GRAC_FUNC Create or generate, Change, Display, Delete, Execute, Generate, Assign

12 GRAC_HROBJ Create or generate, Change, Display, Delete, Execute, Assign

13 GRAC_MITC Create or generate, Change, Display, Delete, Assign

14 Create or generate, Change, Display, Delete, Activate or Generate, Execute,

GRAC_ORGRL Assign

15 GRAC_OUNIT Create or generate, Change, Display, Delete, Execute, Assign

16 GRAC_OWNER Create or generate, Change, Display, Delete, Archive, Administer, Assign

17 GRAC_PROF Create or generate, Change, Display, Delete, Execute, Assign

18 GRAC_RA Execute, Administer

19 GRAC_RCODE Create or generate, Change, Display, Delete

20 GRAC_REP Execute

Security Guide: SAP Access Control 12.0

28 PUBLIC Application Security
 Authorization Object Valid Activity Values

21 GRAC_REQ Create or generate, Change, Display, Administer, Copy

22 GRAC_RISK Create or generate, Change, Display, Delete, Execute, Generate, Assign

23 GRAC_RLMM Perform

24 GRAC_ROLEP Assign

25 GRAC_ROLER Execute, Assign

26 GRAC_RSET Create or generate, Change, Display, Delete, Execute, Assign

27 GRAC_RT Create or generate, Change, Display, Delete

28 GRAC_SUPP Create or generate, Change, Display, Delete

29 GRAC_SYS Create or generate, Change, Display, Delete, Execute, Assign

30 GRAC_SYSTM Execute Access Control reports

31 GRAC_USER Create or generate, Change, Display, Delete, Execute, Assign

32 /GRCPI/001 * (asterisk) or blank (empty)

7.4.3 Values for GRAC_ACTRD Field

The GRAC_ACTRD field is used by the GRAC_ROLED authorization object for role definition.

Use Scenario: Ticket Number in BRM

The Ticket Number functionality in BRM allows you to attach ticket numbers to the workflow for role changes.
The V8 value in the GRAC_ACTRD field enables the user to edit and overwrite the ticket number in all role
methodology steps. Without this value, the user can only enter or change the ticket number when the role is in
Create mode or in Completed status.

Authorization Object Field Value Description

GRAC_ROLED GRAC_ACTRD V8 - Overwrite Ticket The V8 value enables the

Number user to edit the ticket num­
ber in all role methodologies.

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 29
7.5 Business Roles and Authorization Objects

This section lists and explains the delivered roles and relavant authorization objects for SAP Access Control
12.0.

Some roles are relevant for all access control capabilities, whereas some roles are only relevant for specific
capabilities. The information in the following sections is divided by capabilities.

Security Guide: SAP Access Control 12.0

30 PUBLIC Application Security
7.5.1 Roles Relevant Across All Capabilities

The following table lists the delivered roles that are relevant across all Access Control capabilities, and the
relevant authorization objects:

Role Objects

SAP_GRAC_ALL ● GRAC_ALERT
● GRAC_ASIGN
● GRAC_BGJOB
● GRAC_BPROC
● GRAC_CGRP
● GRAC_CPROF
● GRAC_CROLE
● GRAC_EMPLY
● GRAC_FFOWN
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_RCODE
● GRAC_REP
● GRAC_RISK
● GRAC_RLMM
● GRAC_ROLED
● GRAC_ROLEP
● GRAC_ROLER
● GRAC_RSET
● GRAC_RT
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER
● GRFN_CONN

SAP_GRAC_BASE ● GRAC_BGJOB
● GRAC_REQ
● GRAC_USER
● S_START

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 31
Role Objects

SAP_GRAC_DISPLAY_ALL ● GRAC_CPROF
● GRAC_CROLE
● GRAC_EMPLY
● GRAC_FFOBJ
● GRAC_FFOWN
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RCODE
● GRAC_REQ
● GRAC_RISK
● GRAC_ROLED
● GRAC_RSET
● GRAC_RT
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER
● GRFN_CONN

Security Guide: SAP Access Control 12.0

32 PUBLIC Application Security
 Role Objects

SAP_GRAC_REPORTS ● GRAC_ALERT
● GRAC_ASIGN
● GRAC_BPROC
● GRAC_CPROF
● GRAC_CROLE
● GRAC_EMPLY
● GRAC_FFOBJ
● GRAC_FFOWN
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_RCODE
● GRAC_REP
● GRAC_REQ
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER
● GRFN_CONN

7.5.2 Role Management

The following table lists the delivered roles and the relevant authorization objects for role management.

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 33
Role Name Objects

SAP_GRAC_ROLE_MGMT_ADMIN ● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_ORGRL
● GRAC_OWNER
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_RLMM
● GRAC_ROLED
● GRAC_RSET
● GRAC_SYS
● GRAC_SYSTM
● GRAC_SUPP
● GRFN_CONN

SAP_GRAC_ROLE_MGMT_DESIGNER ● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_ORGRL
● GRAC_OWNER
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_RSET
● GRAC_SYS
● GRAC_SYSTM
● GRAC_SUPP
● GRFN_CONN

SAP_GRAC_ROLE_MGMT_ROLE_OWNER ● GRAC_REP
● GRAC_ROLED
● GRAC_SYSTM
● GRFN_CONN

SAP_GRAC_ROLE_MGMT_USER ● GRAC_ROLED
● GRFN_CONN

Security Guide: SAP Access Control 12.0

34 PUBLIC Application Security
7.5.3 Access Request

The following table lists the delivered roles and the relevant authorization objects for access request:

Role Name Objects

SAP_GRAC_ACCESS_APPROVER ● GRAC_CPROF
● GRAC_CROLE
● GRAC_EMPLY
● GRAC_FUNC
● GRAC_ORGRL
● GRAC_RA
● GRAC_REQ
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLEP
● GRAC_RSET
● GRAC_SUPP R
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USE

SAP_GRAC_ACCESS_REQUEST_ADMIN ● GRAC_CPROF
● GRAC_CROLE
● GRAC_EMPLY
● GRAC_FUNC
● GRAC_ORGRL
● GRAC_OWNER
● GRAC_RA
● GRAC_REP
● GRAC_REQ
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLEP
● GRAC_RSET
● GRAC_RT
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 35
Role Name Objects

SAP_GRAC_ACCESS_REQUESTER ● GRAC_EMPLY
● GRAC_REQ
● GRAC_ROLED
● GRAC_ROLEP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER

7.5.4 Emergency Access Management

Emergency Access Management is available in centralized and decentralized (plug-in) implementations. The
role information is separated by the implementation scenario in the following sections.

Roles for Centralized Firefighting

The following table lists the delivered roles and the relevant authorization objects for centralized emergency
access management:

Role Name Objects

SAP_GRAC_SUPER_USER_MGMT_ADMIN ● GRAC_ASIGN
● GRAC_OWNER
● GRAC_RCODE
● GRAC_REP
● GRAC_ROLED
● GRAC_USER

SAP_GRAC_SUPER_USER_MGMT_CNTLR ● GRAC_ASIGN
● GRAC_OWNER
● GRAC_REP

SAP_GRAC_SUPER_USER_MGMT_OWNER ● GRAC_ASIGN
● GRAC_OWNER
● GRAC_RCODE
● GRAC_ROLED
● GRAC_USER

Security Guide: SAP Access Control 12.0

36 PUBLIC Application Security
 Role Name Objects

SAP_GRAC_SUPER_USER_MGMT_USER ● GRAC_RCODE
● GRAC_USER
● GRFN_CONN

Roles for Decentralized Firefighting

For decentralized (plug-in) firefighting scenarios, the following roles are delivered.

Role Name Authorizations

SAP_GRIA_SUPER_USER_MGMT_ADMIN /GRCPI/001 - GRAC Authorization Object to extend FF Val­

idity Period

ACTVT field value: 70 or * (asterisk)

SAP_GRIA_SUPER_USER_MGMT_USER Transactions: /GRCPI/GRIA_EAM and SU53

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 37
7.5.5 Access Risk Analysis

The following table lists the delivered roles and the relevant authorization objects for access risk analysis:

Role Name Objects

SAP_GRAC_ALERTS ● GRAC_ALERT
● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_ORGRL
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_USER
● GRFN_CONN

SAP_GRAC_CONTROL_APPROVER ● GRAC_ALERT
● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_USER

Security Guide: SAP Access Control 12.0

38 PUBLIC Application Security
 Role Name Objects

SAP_GRAC_CONTROL_MONITOR ● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_USER

SAP_GRAC_CONTROL_OWNER ● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_USER

SAP_GRAC_FUNCTION_APPROVER ● GRAC_FUNC
● GRAC_SYSTM
● GRFN_CONN

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 39
Role Name Objects

SAP_GRAC_RISK_ANALYSIS ● GRAC_CPROF
● GRAC_CGRP
● GRAC_CROLE
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_ORGRL
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SYSTM
● GRAC_SUPP
● GRAC_USER
● GRFN_CONN

SAP_GRAC_RISK_OWNER ● GRAC_FUNC
● GRAC_HROBJ
● GRAC_ORGRL
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_USER

Security Guide: SAP Access Control 12.0

40 PUBLIC Application Security
 Role Name Objects

SAP_GRAC_RULE_SETUP ● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_ORGRL
● GRAC_REP
● GRAC_RISK
● GRAC_RSET
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRFN_CONN

7.5.6 Workflow

The following table lists the delivered roles and the relevant authorization objects for workflow:

Role Name Object

SAP_GRC_MSMP_WF_ADMIN_ALL GRFN_MSMP

SAP_GRC_MSMP_WF_CONFIG_ALL GRFN_MSMP

Security Guide: SAP Access Control 12.0

Application Security PUBLIC 41
8 Data Protection

User data from ERP and non-ERP systems is synchronized to, and stored in, the Access Control system.

 Note

In order to use this functionality, you must be at SAP Access Control 12.0, SP01.

The following data is synchronized to, and stored in, the Access Control system:

● Authorization data (role, user, profiles, HR objects), which contains the user IDs, email IDs, telephone
numbers, address, organizational assignments, etc.
● User logs and activity information

The Access Control solution supports the SAP Information Lifecycle Management (ILM) framework to maintain
data protection. This chapter describes how to use ILM to carryout blocking and destruction of data as
required by data protection policies.

Setting Up ILM

1. Use transaction SFW5 to activate Information Lifecycle Management (ILM).

 Note

SAP NetWeaver Information Lifecycle Management is a product that requires its own license. After
licensing, you have to activate this product.

2. Select the components that will use the ILM functionality: GRC, GRC-AC.
Use transaction SPRO, and complete the activity: Global ILM Enablement, under SAP Reference IMG
Governance, Risk, and Compliance General Settings Blocking and Deletion
3. Maintain the fiscal year variant for Access Control.
Use transaction SPRO, and open activity: Maintain Configuration Settings, under SAP Reference IMG
Governance, Risk, and Compliance Access Control .
Configure parameter 6001: Fiscal Year Variant
4. Configure the ILM rules for data retention.
Access Control provides ILM objects that enhance archiving objects with information for data retention. An
ILM object contains the settings for the ILM rules. These rules are read by Access Control while data
processing and, based on the rule condition, personal data is blocked and deleted.
Use transaction SPRO, complete the activity: ILM Entity Settings, under SAP Reference IMG
Governance, Risk, and Compliance General Settings Blocking and Deletion .

Security Guide: SAP Access Control 12.0

42 PUBLIC Data Protection
ILM Policy Creation

● To establish the Residence Rules and the Retention rules, use transaction IRMPOL. For any Residence Rule
(if blocking is required), use Audit area GRC.
● To designate objects to be blocked or destroyed (based on business need and legal requirements), use
transaction SPRO, and maintain the activity: Maintain Legal Entity, under SAP Reference IMG
Governance, Risk, and Compliance General Settings Blocking and Deletion .

Blocking and Unblocking

● To verify you have configured your data blocking, use transaction GRAC_DATA_BLOCK.
● To unblock data, use transaction GRAC_DATA_UNBLOCK. Select the ILM object, and then click execute.
Select a record and click Unblock.
Objects remain unblocked until the next scheduled execution of the blocking job blocks them again.

Destruction

Use transaction code ILM_DESTRUCTION to verify your destruction policies. Select Data from the Database
and identify the ILM object. Use test mode.

Logs

Use transaction code SLG1 to verify the logs.

Verification

Open Access Control and check the dates to see if your policies and rules are operating as intended. For
example, if you set up the data to be blocked after 2 years, check if any data is shown if you search for dates
older than 2 years.

Use ABAP Program GRFN_PI_DBTABLOG_COPY_DES to look at a Simple deletion report to delete contents of
GRC plugin system DB table /GRCPI/GRIA_AM_DBLOG

8.1 Information Retrieval Framework (IRF)

The Information Retrieval Framework (IRF) allows you to search for and retrieve all personal data of a specified
data subject. The search results are displayed in a comprehensive and structured list containing all personal

Security Guide: SAP Access Control 12.0

Data Protection PUBLIC 43
data of the data subject specified, subdivided according to the purpose for which the data was collected and
processed.

For information about IRF, setting up the data model used by IRF, and retrieving personal data using IRF, see
the Information Retrieval Guide attached to SAP Note: 2469325 .

8.2 Read Access Log (RAL)

Access Control does not deliver Read Access Logging (RAL) configurations and log conditions.

8.3 Business Entities

The table below lists the business entities for Access Control.

 Note

● Blocking Required (RST). End of residence time varies.

● Destruction Required (RTP) after end of retention time. All business entities listed below require
destruction after the end of the retention time.

Business Entities

Legal Entity or
Blocking Re­ Country Flag
Business Entity ILM Object Component quired (RST) Archiving Required Available

Access Request GRAC_ARQ GRC-AC Yes Yes No

Action Usage GRAC_ACT GRC-AC Yes Yes No

Ad-Hoc Issue GRFN_AI_DE­ GRC Yes No Yes

STRUCTION

Automated Moni­ GRFN_AM_JOB_D GRC Yes No Yes

toring Job ESTRUCTION

Background Re­ GRFN_REP_DATA_ GRC No No No

port Data DESTRUCTION

Business Rule GRFN_BR_DE­ GRC Yes No No

STRUCTION

Security Guide: SAP Access Control 12.0

44 PUBLIC Data Protection
 Legal Entity or
Blocking Re­ Country Flag
Business Entity ILM Object Component quired (RST) Archiving Required Available

Datamart GRFN_DATA­ GRC Yes No No

MART_DESTRUC­
TION

Emergency Access GRAC_EAM GRC-AC Yes Yes No

Management

Evaluation: Survey GRFN_SUR­ GRC Yes No Yes

VEY_DESTRUC­
TION

Master Data GRFN_MDCR_DE­ GRC No No No

Change Request STRUCTION
(MDCR)

Notes History GRFN_NOTES_DE­ GRC Yes No Yes

STRUCTION

Planner - Plan GRFN_PLAN_DE­ GRC Yes Yes No

STRUCTION

Policy GRFN_POL­ GRC Yes No Yes

ICY_DESTRUC­
TION

Role Assignment GRFN_ROLE_AS­ GRC Yes No Yes

SIGN_DESTRUC­
TION

User Delegation GRFN_DELE­ GRC No No No

GATE_DESTRUC­
TION

8.4 Roles and Authorization Objects

Verify the end-user can no longer access the personal data stored in blocked process tables. Authorization can
be given to specific users (like auditors) to read the personal data from blocked process tables.

Security Guide: SAP Access Control 12.0

Data Protection PUBLIC 45
Roles created for ILM administrators and Auditors

Authorization Ob­ Authorization

Role Description ject Field Field Value Purpose

SAP_GRC_ILM_AD GRC ILM Adminis­ GRFN_USER ACTVT 5 Blocking

MINISTRATOR trator
69 Destruct
● Assign
SAP_GRC_FN 95 Unblocking
_ALL (power
user) using
SU01
● Assign role
SAP_GRC_SP
C_CRS_IS­
SUE_ADMIN
(cross regula­
tion issue ad­
min) at entity
level on any
corporate
node in organ­
ization hierar­
chy.

SAP_GRC_ILM_AU GRC ILM Auditor GRFN_USER ACTVT 94 To view blocked

DITOR data
● Only the ILM
auditor can
have this ac­
tivity to pro­
tect the
blocked data.
● If you have
created cus­
tom roles with
authorization
object
GRFN_USER
and activity
set to “*” then
it must be re­
moved and
specific activi­
ties must be
named.

These authorizations must be provided to users for different activities.

Security Guide: SAP Access Control 12.0

46 PUBLIC Data Protection
Authorization objects and Activities used

Authorization Object Authorization Field Field Value Description

GRFN_USER ACTVT 5 Lock

69 Discard

94 Override
● Only the ILM Auditor can
have this activity to pro­
tect the blocked data.

95 Unlock

8.5 Data Archiving

ILM-enabled Archiving Objects

GRC supports the SAP Information Lifecycle Management (ILM) framework for retention management.

The following table shows the available GRC archiving objects:

GRC ILM-enabled Archiving Objects

Archiving Objects Description ILM Object Condition field Reference field

GRACEAM Archiving for GRC AC GRCAC_EAM FFLOG_ID LOGON_TIME

Emergency Access
Management (EAM)
Logs

GRACACTUS Archiving for GRC AC GRAC_ACT ACTION_USAGE_ID EXECUTION_DATE

Action usage - GRA­

CACTUSAGE table re­
cords

GRFNMSMP Archiving for GRC AC GRCAC_ARQ PROCESS_ID FINISHED_AT

Requests

Security Guide: SAP Access Control 12.0

Data Protection PUBLIC 47
8.5.1 Archiving GRACTUSAGE Table Records

Use archiving object GRACACTUS for archiving GRACTUSAGE table records.

Before using the archiving object for the first time, verify if the GRC Customizing activities under Blocking and
Deletion have been completed to enable the Information Lifecycle Management (ILM) capabilities. When you
use the archiving object GRACTUS, data is archived from the following tables:

Table and Programs affected by GRACACTUS

Tables Programs

GRACACTUSAGE GRAC_ACTUSAGE_ARCHIVE_WRITE

GRAC_ACTUSAGE_ARCHIVE_DELETE

GRAC_ACTUSAGE_ARCHIVE_READ

8.5.2 Archiving GRC Requests

Use archiving object GRFNMSMP for archiving GRC AC Requests.

Before using the archiving object for the first time, verify if the GRC Customizing activities under Blocking and
Deletion have been completed to enable the Information Lifecycle Management (ILM) capabilities. When you
use the archiving object GRFNMSMP, data is archived from the following tables:

Tables affected by GRFNMSMP

Tables

GRFNMWRTINST

GRFNMWRTINSTAPPL

GRFNMWRTMSGLG

GRFNMWRTARCHCONF

GRACREQ

GRACREQPROVLOG

GRACREQOWNER

GRACREQUSER

GRACREQUSERADR

GRACREQUSERGROUP

GRACREQUSERPARAM

Security Guide: SAP Access Control 12.0

48 PUBLIC Data Protection
 Tables

GRACREQPROVITEM

GRACREVITEM

GRACREQOMOBJITEM

GRACSODREVIEW

GRACFUNUSAGE

GRACSODUSERROLE

GRACUARBUSRLSNAP

Programs Affected by GRFNMSMP

Programs

GRFNMW_ARCHIVE_WRITE

GRFNMW_ARCHIVE_DELETE

GRFNMW_ARCHIVE_RELOAD

GRFNMW_ARCHIVE_READ

8.5.3 Archiving EAM Logs

Use archiving object GRACEAM for archiving Emergency Access Management (EAM) logs.

Before using the archiving object for the first time, verify if the GRC Customizing activities under Blocking and
Deletion have been completed to enable the Information Lifecycle Management (ILM) capabilities. When you
use the archiving object GRACEAM, data is archived from the following tables:

● GRACAUDITLOG
● GRACACTUSAGE
● GRACSYSTEMLOG
● GRACCHANGELOG
● GRACOSCMDLOG
● GRACROLEFFLOG
● GRACFFLOG
● GRACFFREPMAPP

The following are the programs affected by GRACEAM.

● GRAC_EAM_ARCHIVE_WRITE
● GRAC_EAM_ARCHIVE_DELETE
● GRAC_EAM_ARCHIVE_READ

Security Guide: SAP Access Control 12.0

Data Protection PUBLIC 49
Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

Security Guide: SAP Access Control 12.0

50 PUBLIC Important Disclaimers and Legal Information
Security Guide: SAP Access Control 12.0
Important Disclaimers and Legal Information PUBLIC 51
www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.

THE BEST RUN