
Security Guide PUBLIC

Document Version: 1.0.0 – 2018-03-28

Security Guide: SAP Access Control 12.0


Content

1 Document History ... 4
2 Introduction ... 5
3 Before You Start ... 6
4 Technical System Landscape ... 7
5 Network and Communication Security ... 8
  5.1 Communication Channel Security ... 8
  5.2 Trusted/Trusting RFC Relationships ... 9
  5.3 Communication Destinations ... 10
  5.4 Integration with Single Sign-On Environments ... 12
  5.5 Data Storage Security ... 13
  5.6 Trace and Log Files ... 13
  5.7 Configuring NW VSI in the Landscape ... 13
6 User Administration and Authentication ... 14
  6.1 User Management ... 14
    Non-SAP Fiori Technology ... 14
    SAP Fiori Launchpad ... 15
7 Application Security ... 16
  7.1 Business Catalog Roles for FLP ... 17
  7.2 Delivered Business Roles ... 18
  7.3 Authorization Object Names ... 20
  7.4 Authorization Objects and Relevant Fields ... 22
    Authorization Fields ... 25
    Values for ACTVT Field ... 28
    Values for GRAC_ACTRD Field ... 29
  7.5 Business Roles and Authorization Objects ... 30
    Roles Relevant Across All Capabilities ... 31
    Role Management ... 33
    Access Request ... 35
    Emergency Access Management ... 36
    Access Risk Analysis ... 38
    Workflow ... 41
8 Data Protection ... 42
  8.1 Information Retrieval Framework (IRF) ... 43
  8.2 Read Access Log (RAL) ... 44
  8.3 Business Entities ... 44
  8.4 Roles and Authorization Objects ... 45
  8.5 Data Archiving ... 47
    Archiving GRACTUSAGE Table Records ... 47
    Archiving GRC Requests ... 48
    Archiving EAM Logs ... 49

1 Document History

Note
Before you start the implementation, make sure you have the latest version of this document. You can find the
latest version at: http://help.sap.com.

Version | Date | Description
1.00 | March 2018 | Initial Release

2 Introduction

SAP Access Control is an enterprise software application that enables organizations to control access and prevent
fraud across the enterprise, while minimizing the time and cost of compliance. The application streamlines
compliance processes, including access risk analysis and remediation, business role management, access request
management, emergency access maintenance, and periodic compliance certifications. It delivers immediate
visibility of the current risk situation with real-time data.

The security guide provides an overview of the application relevant security information. You can use the
information in this document to understand and implement system security, and to understand and implement
the application security features.

Target Audience

The security guide is written for the following audience, and requires existing knowledge of the SAP security
model and of the PFCG, SU01, and Customizing tools:

● Technology consultants
● System administrators

About this Document

This Security Guide covers the following main security areas:

Network and system security

This area covers the system security issues and addresses them in the following sections:

● Network and Communication Security


○ Communication Channel Security
○ Communication Destinations
○ Integration with Single Sign-on (SSO) Environments
○ Data Storage Security
○ User Administration
○ Trace and Log Files
● Application Security
○ Delivered roles
○ Authorization objects
● Data Protection
○ Data retention
○ Data deletion
○ Data archiving

3 Before You Start

Access Control uses SAP NetWeaver, SAP NetWeaver Portal, and SAP NetWeaver Business Warehouse. Therefore,
the corresponding security guides and other documentation also apply.

Refer to the following security guides on http://help.sap.com:

● SAP NetWeaver Application Server for ABAP Security Guide
● SAP BW Security Guide (Business Warehouse)

Important SAP Notes

Make sure that you have the up-to-date version of each SAP Note, available at https://help.sap.com/grc-ac.

4 Technical System Landscape

The following is the component diagram for SAP Access Control 12.0.

5 Network and Communication Security

You can use the information in this section to understand and implement the network and communication security
for SAP Access Control.

Network

SAP Access Control is based on SAP NetWeaver technology. Therefore, for information about network security,
see the respective sections in the SAP NetWeaver Security Guide at https://help.sap.com/nw75 > Security Guide.

For more information, see the following sections in the SAP NetWeaver Security Guide:

● Network and Communication Security
● Security Aspects for Connectivity and Interoperability

5.1 Communication Channel Security

Use

The following table contains the communication paths, the connection protocol, and the transferred data type
used by the access control solution:

Communication Path | Protocol | Type of Data Transferred | Data Requiring Special Protection
SAP NetWeaver ABAP server using SAP GUI | DIAG | All application data | Logon data
SAP NetWeaver Portal | HTTP/HTTPS | All application data | Logon data
DS Extraction (application server to BI system) | RFC | All application data | Logon data
Application server to BI system | HTTP/HTTPS | All application data | Logon data
BI system to application server | HTTP/HTTPS | All application data | Logon data
BusinessObjects Enterprise Server | TCP/IP | All application data | Logon data
SAP NetWeaver Business Client | HTTP/HTTPS | All application data | Logon data

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTPS connections
are protected using the Secure Sockets Layer (SSL) protocol.

More Information

● Transport Layer Security in the SAP NetWeaver Security Guide
● Using the Secure Sockets Layer Protocol with SAP NetWeaver Application Server ABAP

5.2 Trusted/Trusting RFC Relationships

Use

You can set up trusted and trusting Remote Function Call (RFC) relationships between two SAP systems. This
allows secure RFC connections between the systems without sending passwords for logging on. The logon user
must have the corresponding authorization object S_RFCACL in the trusting system. This trusted relationship is
not specific to GRC applications, and is a function of SAP NetWeaver.

More Information

Trusted/Trusting Relationships Between SAP Systems on the SAP Help Portal under RFC Programming in ABAP.

5.3 Communication Destinations

The table lists the RFC authorization objects and values you must add to the RFC user to allow Access Control to
communicate with other SAP and non-SAP solutions.

Object | Description | Authorization Field | Value
S_RFC | Authorization check for RFC access | ACTVT | 16
S_RFC | | RFC_NAME | /GRCPI/*, BAPT, RFC1, SDIF, SDIFRUNTIME, SDTX, SUNI, SUSR, SUUS, SU_USER, SYST, SYSU
S_RFC | | RFC_TYPE | FUGR
S_TCODE | Authorization check at transaction start | TCD | SU01
S_TABU_DIS | Table maintenance | ACTVT | 3
S_TABU_DIS | | DICBERCLS | &NC&, SC, SS, ZV&G, ZV&H, ZV&N
S_TOOLS_EX | Tools Performance Monitor | AUTH | S_TOOLS_EX_A
S_GUI | Authorization for GUI activities | ACTVT | *
S_USER_AGR | Authorizations: role check | ACTVT | *
S_USER_AGR | | ACT_GROUP | *
S_USER_AUT | User Master Maintenance: Authorizations | ACTVT | *
S_USER_AUT | | AUTH | *
S_USER_AUT | | OBJECT | *
S_USER_GRP | User Master Maintenance: User Group | ACTVT | *
S_USER_GRP | | CLASS | *
S_USER_PRO | User Master Maintenance: Authorization Profile | ACTVT | *
S_USER_PRO | | PROFILE | *
S_USER_SAS | User Master Maintenance: System-Specific Assignments | ACTVT | 01, 06, 22
S_USER_SAS | | ACT_GROUP | *
S_USER_SAS | | CLASS | *
S_USER_SAS | | PROFILE | *
S_USER_SAS | | SUBSYSTEM | *
S_USER_SYS | User Master Maintenance: System for Central User Maintenance | ACTVT | 78
S_USER_SYS | | SUBSYSTEM | *
S_USER_TCD | Authorizations: transactions in roles | TCD | *
S_USER_VAL | Authorizations: field values in roles | AUTH_FIELD | *
S_USER_VAL | | AUTH_VALUE | *
S_USER_VAL | | OBJECT | *
S_DEVELOP | ABAP Workbench | ACTVT | *
S_DEVELOP | | DEVCLASS | SUSO
S_DEVELOP | | OBJNAME | /GRCPI/*
S_DEVELOP | | OBJTYPE | FUGR
S_DEVELOP | | P_GROUP | *
S_ADDRESS1 | Central address management | ACTVT | 01, 02, 03, 06
S_ADDRESS1 | | ADGRP | BC01
PLOG | Personnel planning | INFOTYP | 1000, 1001
PLOG | | ISTAT | *
PLOG | | OTYPE | *
PLOG | | PLVAR | *
PLOG | | PPFCODE | *
PLOG | | SUBTYP | *
P_TCODE | HR: Transaction code | TCD | SU01
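One way to verify that the RFC user actually holds the authorizations in this table is to compare an export of its authorizations against the table programmatically. The following added example (not SAP code) transcribes a subset of the table above into REQUIRED and reports every object/field/value that an export fails to cover; SAMPLE_EXPORT is a constructed authorization dump, and the two-character "03" for S_TABU_DIS ACTVT is the form an export shows for the value printed as "3" above.

```python
"""Audit an RFC user's authorizations against the minimum set in section 5.3.

Added example, not SAP code. REQUIRED transcribes part of the Communication
Destinations table (object -> field -> values); extend it row by row for the
remaining objects. SAMPLE_EXPORT is a constructed dump of the authorizations an
RFC user holds, one dict per authorization, as you would build it from an
SUIM/PFCG export. A coverage audit only needs the union of values per field.
"""

# Subset of the 5.3 table. ACTVT for S_TABU_DIS is printed as "3" in the guide;
# it is written here in the two-character form "03" that an export shows.
REQUIRED = {
    "S_RFC": {
        "ACTVT": {"16"},
        "RFC_NAME": {"/GRCPI/*", "BAPT", "RFC1", "SDIF", "SDIFRUNTIME", "SDTX",
                     "SUNI", "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"},
        "RFC_TYPE": {"FUGR"},
    },
    "S_TCODE": {"TCD": {"SU01"}},
    "S_TABU_DIS": {"ACTVT": {"03"},
                   "DICBERCLS": {"&NC&", "SC", "SS", "ZV&G", "ZV&H", "ZV&N"}},
    "S_TOOLS_EX": {"AUTH": {"S_TOOLS_EX_A"}},
    "S_GUI": {"ACTVT": {"*"}},
    "S_DEVELOP": {"ACTVT": {"*"}, "DEVCLASS": {"SUSO"}, "OBJNAME": {"/GRCPI/*"},
                  "OBJTYPE": {"FUGR"}, "P_GROUP": {"*"}},
    "PLOG": {"INFOTYP": {"1000", "1001"}, "ISTAT": {"*"}, "OTYPE": {"*"},
             "PLVAR": {"*"}, "PPFCODE": {"*"}, "SUBTYP": {"*"}},
}


def covers(granted, required):
    """True if one granted value covers one required value: '*' covers all,
    a trailing '*' covers by prefix, otherwise the values must be equal."""
    if granted == "*" or granted == required:
        return True
    return granted.endswith("*") and required.startswith(granted[:-1])


def missing_authorizations(export, required=REQUIRED):
    """List the (object, field, value) triples from `required` that nothing in
    `export` covers. `export` maps object -> list of {field: set(values)}."""
    missing = []
    for obj, fields in required.items():
        for field, values in fields.items():
            granted = {v for auth in export.get(obj, []) for v in auth.get(field, ())}
            for value in sorted(values):
                if not any(covers(g, value) for g in granted):
                    missing.append((obj, field, value))
    return missing


# Constructed export: one RFC_NAME and one DICBERCLS value are missing, PLOG is
# absent, and S_DEVELOP OBJNAME is granted as the broader pattern "/GRC*".
SAMPLE_EXPORT = {
    "S_RFC": [{"ACTVT": {"16"}, "RFC_TYPE": {"FUGR"},
               "RFC_NAME": {"/GRCPI/*", "BAPT", "RFC1", "SDIF", "SDTX", "SUNI",
                            "SUSR", "SUUS", "SU_USER", "SYST", "SYSU"}}],
    "S_TCODE": [{"TCD": {"SU01"}}],
    "S_TABU_DIS": [{"ACTVT": {"03"}, "DICBERCLS": {"&NC&", "SC", "SS", "ZV&G", "ZV&H"}}],
    "S_TOOLS_EX": [{"AUTH": {"S_TOOLS_EX_A"}}],
    "S_GUI": [{"ACTVT": {"*"}}],
    "S_DEVELOP": [{"ACTVT": {"*"}, "DEVCLASS": {"SUSO"}, "OBJNAME": {"/GRC*"},
                   "OBJTYPE": {"FUGR"}, "P_GROUP": {"*"}}],
}

if __name__ == "__main__":
    for obj, field, value in missing_authorizations(SAMPLE_EXPORT):
        print(f"missing: {obj} {field} = {value}")
```

The audit is deliberately one-directional: it tells you what the RFC user lacks, not what it holds in excess. Pair it with a review of the export for wildcard values the table does not call for.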

5.4 Integration with Single Sign-On Environments

SAP Access Control:

● supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver Application Server ABAP.
● supports the security guidelines for user management and authentication described in the SAP NetWeaver
Application Server Security Guide.
● leverages the SAP NetWeaver ABAP Server and SAP NetWeaver Portal infrastructure.

Secure Network Communications (SNC)

For more information about SNC, see Secure Network Communications (SNC) in the SAP NetWeaver Application
Server Security Guide.

SAP Logon Tickets

For more information about SAP Logon Tickets, see SAP Logon Tickets in the SAP NetWeaver Application Server
Security Guide.

Client Certificates

For more information about X.509 Client Certificates, see Using X.509 Client Certificates on the SAP Help Portal
(http://help.sap.com ).

5.5 Data Storage Security

Master data and transaction data is stored in the database of the SAP system on which the application is installed.
Data storage occurs in Organizational Management, Case Management and in separate tables for this purpose.

In some applications, you can upload documents into the system. The default document management system
(DMS) for storing data is the SAP Content Server and Knowledge Provider (KPro) infrastructure. Once uploaded,
the documents can be accessed using a URL. The application security functions govern authorization for
accessing the URL directly in the portal. To prevent unauthorized access to the document through copying and
sending the URL, a URL is only valid for a given user and for a restricted amount of time (the default is two hours).

If you choose to implement a different document management system, the data storage security issues are
deferred to that particular DMS.
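The user-bound, time-limited document URL described above is a general pattern. The following added example (not SAP's Content Server or KPro code) shows one way to implement it: an HMAC over the document id, the issuing user and an expiry timestamp, and the three checks a retrieval endpoint makes (signature, expiry, requesting user). The secret, base URL, user ids and document id are constructed; the two-hour lifetime is the default stated above.

```python
"""User-bound, time-limited document URLs (added illustration, not SAP code).

A link is valid only for the user it was issued to and only until it expires,
so copying and forwarding the URL does not grant access. SECRET, the base URL,
user ids and document ids below are constructed values.
"""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-server-side-secret"   # keep server-side; rotate on compromise
DEFAULT_TTL = 2 * 60 * 60                     # two hours, the default named in 5.5


def _signature(doc_id, user, expires):
    """HMAC-SHA256 over everything the check relies on, so none of it can be
    altered in the query string without invalidating the link."""
    msg = f"{doc_id}|{user}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def issue_url(base, doc_id, user, now=None, ttl=DEFAULT_TTL):
    """Build a link to `doc_id` that only `user` can redeem for `ttl` seconds."""
    now = int(time.time()) if now is None else int(now)
    expires = now + ttl
    query = urlencode({"doc": doc_id, "user": user, "exp": expires,
                       "sig": _signature(doc_id, user, expires)})
    return f"{base}?{query}"


def check_url(url, requesting_user, now=None):
    """Return (True, doc_id) if `requesting_user` may fetch the document, else
    (False, reason). Tampering, expiry and a copied link are each rejected."""
    now = int(time.time()) if now is None else int(now)
    params = parse_qs(urlsplit(url).query)
    try:
        doc_id, user, exp, sig = (params[k][0] for k in ("doc", "user", "exp", "sig"))
        expires = int(exp)
    except (KeyError, ValueError):
        return False, "malformed"
    if not hmac.compare_digest(sig, _signature(doc_id, user, expires)):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    if user != requesting_user:
        return False, "issued to a different user"
    return True, doc_id


if __name__ == "__main__":
    issued_at = 1_000_000                      # constructed clock value
    link = issue_url("https://portal.example/doc", "DOC-42", "JDOE", now=issued_at)
    print(check_url(link, "JDOE", now=issued_at + 3600))        # (True, 'DOC-42')
    print(check_url(link, "MSMITH", now=issued_at + 60))        # forwarded link
    print(check_url(link, "JDOE", now=issued_at + DEFAULT_TTL + 1))  # expired
```

The signature is checked before expiry and user so that a forged or edited link is refused without revealing which field was wrong; only a genuine link gets a reason a user can act on.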

5.6 Trace and Log Files

For information about trace and log files, see the SAP Access Control 12.0 Admin Guide at https://help.sap.com/
grc-ac.

5.7 Configuring NW VSI in the Landscape

Access Control provides the ability to upload documents. We recommend you scan all documents for potential
malicious code before you upload them. You can use the NetWeaver Virus Scan Interface (NW VSI) to scan the
documents. For more information, see SAP Virus Scan Interface in the SAP NetWeaver Library.

6 User Administration and Authentication

SAP Access Control relies on the user management and authentication mechanisms provided with the SAP
NetWeaver platform, in particular the SAP NetWeaver AS for ABAP Application Server. Therefore, the security
recommendations and guidelines for user administration and authentication as described in the SAP NetWeaver
Application Server for ABAP Security Guide also apply to SAP Access Control.

6.1 User Management

6.1.1 Non-SAP Fiori Technology


User management for SAP Access Control uses the mechanisms provided with the SAP NetWeaver Application
Server for ABAP, such as tools, user types, and password concept. For more information, see the Security Guide
for SAP NetWeaver Application Server for ABAP.

User Administration Tools

This table shows the tools available for user management and administration.

Tool | Description
User maintenance for ABAP-based systems (transaction SU01) | For more information about the authorization objects provided by SAP Access Control, see the Authorization Objects sections.
Role maintenance with the profile generator for ABAP-based systems (PFCG) | For more information, see the Delivered Roles sections.
Central User Administration (CUA) for the maintenance of multiple ABAP-based systems | For central administration tasks

User Types

It is often necessary to specify different security policies for different types of users. For example, your policy may
specify that individual users who perform tasks interactively have to change their passwords on a regular basis,
but not those users under which background processing jobs run. These are the user types required for SAP
Access Control:

● Individual users
○ Dialog users - used for SAP GUI for Windows
○ Internet users - used for Web Applications
● Technical users
○ Service users are dialog users who are available for a large set of anonymous users
○ Communication users are used for dialog-free communication between systems
○ Background users are used for processing in the background

6.1.2 SAP Fiori Launchpad

SAP Fiori launchpad is a shell that hosts SAP Fiori apps, and provides the apps with services such as navigation,
personalization, embedded support, and application configuration. SAP Access Control 12.0 uses the on-premise
implementation, therefore users and authentication are maintained using the mechanisms provided with the
SAP NetWeaver Application Server for ABAP.

For more information, see the SAP NetWeaver Application Server for ABAP Security Guide.

7 Application Security

The information in this section explains the application authorizations model and concepts.

Access Control leverages the standard SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP
NetWeaver Portal user management and authorization. The security information for SAP NetWeaver, SAP
NetWeaver Application Server ABAP, and SAP NetWeaver Portal also applies.

For information about SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal see
the SAP NetWeaver, SAP NetWeaver Application Server ABAP, and SAP NetWeaver Portal security guides.

Prerequisites

You have knowledge of the following tools, terms, and concepts:

● ABAP Application Server
○ Customizing activities (transaction SPRO)
○ PFCG
○ SU01
● Portal
○ User Administration
○ Content Administration
○ Portal Roles
● Business Client
○ Menu of PFCG roles
● SAP Fiori Launchpad (FLP)

For more information about Access Control concepts and features, see the SAP Access Control 12.0 Application
Help at http://help.sap.com/grc-ac .

Customizing Front-end Screens and Menus

You can configure user-specific front-end screens and menus in the Customizing activities accessed from the
SPRO transaction.

Caution
SAP does not recommend you customize the information architecture because if SAP provides updates to the
content, then such changes update only the standard SAP-delivered repository and Launchpads. The changes
do not directly update any customized versions.

You carry out the configuration activities from transaction SPRO: SAP Reference IMG > Governance, Risk, and
Compliance > General Settings > Maintain Customer Specific Menus.

Privacy Concerns

Notify your users, as required by your company's privacy policy, that user information such as first name, last
name, e-mail address, roles, and other personal information is stored by the program
GRAC_REPOSITORY_OBJECT_SYNC.

Maintaining Authorizations

Access Control uses object level authorizations. Authorizations are granted to users based on the authorizations
of specific roles and the authorization objects assigned to those roles. To maintain the authorizations, you use
PFCG and the information in this guide about the delivered roles and authorization objects.

SAP provides a set of sample roles for Access Control, which include recommended authorizations. You can create
your own PFCG roles or copy the sample roles to your customer namespace. Then modify them as needed.

7.1 Business Catalog Roles for FLP

This information is relevant for customers who have implemented SAP Fiori Launchpad (FLP). SAP Fiori launchpad
is a shell that hosts SAP Fiori apps, and provides the apps with services such as navigation, personalization,
embedded support, and application configuration.

Role administrators make tile catalogs and groups available on the end user's page by assigning tile catalogs and
tile groups to a PFCG role to which users can be assigned. Users logging on to the launchpad see all assigned
groups on their home page, and when users open the catalog section, they can access all tiles in the assigned
catalogs.

SAP Access Control delivers the following business catalog roles for the FLP.

Roles for SAP Fiori Launchpad

Name | Description
SAP_GRC_BCR_CMPLNCMGR_T | Compliance Manager
SAP_GRC_BCR_EMPLOYEE_T | Access Control Employee
SAP_GRC_BCR_MANAGER_T | Request Approver
SAP_GRC_BCR_REQADMINTR_T | Access Control Administrator
SAP_GRC_BCR_SCRTYMGR_T | Security Manager

For more information, see:

● SAP Fiori Launchpad
● SAP Fiori Launchpad - Security Aspects

7.2 Delivered Business Roles

Access Control leverages the SAP NetWeaver authorization model and assigns authorizations to users based on
roles. The following sample roles are delivered with the application. You must copy them into your own namespace
to use them.

Feature | Role Name | Description
All AC | SAP_GRAC_ALL | Super administrator for Access Control. Note: you must assign this role to the WF-BATCH user.
All AC | SAP_GRAC_BASE | Gives basic authorizations required for all AC users. You must assign this role to all AC users.
All AC | SAP_GRAC_REPORTS | Ability to run all AC reports and have the display access for all drill-downs.
All AC | SAP_GRAC_NWBC | Gives the authorizations to launch NWBC. You must assign this role to all AC users.
All AC | SAP_GRAC_SETUP | Gives authorizations to set up and customize AC.
All AC | SAP_GRAC_DISPLAY_ALL | Gives display-only access to all master data and application data.
Role Management | SAP_GRAC_ROLE_MGMT_USER | Role management business user
Role Management | SAP_GRAC_ROLE_MGMT_DESIGNER | Role management designer
Role Management | SAP_GRAC_ROLE_MGMT_ROLE_OWNER | The Role Management role owner
Access Request | SAP_GRAC_ACCESS_REQUESTER | The role for the access request end user
Access Request | SAP_GRAC_ACCESS_APPROVER | The role for the access request approver
Access Request | SAP_GRAC_ACCESS_REQUEST_ADMIN | The role for the access request administrator
Emergency Access Management | SAP_GRAC_SUPER_USER_MGMT_ADMIN | This administrator role is for centralized firefighting
Emergency Access Management | SAP_GRAC_SUPER_USER_MGMT_OWNER | This owner role is for centralized firefighting
Emergency Access Management | SAP_GRAC_SUPER_USER_MGMT_CNTLR | This controller role is for centralized firefighting
Emergency Access Management | SAP_GRAC_SUPER_USER_MGMT_USER | This firefighter user role is for centralized firefighting
Emergency Access Management | SAP_GRIA_SUPER_USER_MGMT_ADMIN | This firefighter admin role is for plug-in firefighting
Emergency Access Management | SAP_GRIA_SUPER_USER_MGMT_USER | This firefighter user role is for plug-in firefighting
Emergency Access Management | SAP_GRC_SPM_FFID | This service role is for ID-based firefighting. Assign this role to users to create firefighter IDs.
Access Risk Analysis | SAP_GRAC_RULE_SETUP | This role has the authorization to define access rules.
Access Risk Analysis | SAP_GRAC_RISK_ANALYSIS | This role has the authorization to perform access risk analysis.
Access Risk Analysis | SAP_GRAC_ALERTS | This role has the authorization to generate, clear and delete access risk alerts.
Access Risk Analysis | SAP_GRAC_CONTROL_OWNER | This role has the authorization to create mitigating controls.
Access Risk Analysis | SAP_GRAC_RISK_OWNER | This role has the authorization to run access risk maintenance and access risk analysis.
Access Risk Analysis | SAP_GRAC_CONTROL_MONITOR | This role has the authorization to run risk analysis, mitigating control assignment, and assign mitigating controls to an access risk.
Access Risk Analysis | SAP_GRAC_CONTROL_APPROVER | This role is used for control and control assignment. It has the authorization to run risk analysis, mitigating control assignment, and workflow approval for access risk alerts.
Access Risk Analysis | SAP_GRAC_FUNCTION_APPROVER | This role is the delivered agent for workflow in access control. It has authorization to approve, create, read, update, and delete workflow requests.
Workflow | SAP_GRC_MSMP_WF_ADMIN_ALL | Administrator role for MSMP workflows
Workflow | SAP_GRC_MSMP_WF_CONFIG_ALL | Configurator role for MSMP workflows

7.3 Authorization Object Names

Access Control authorizations for roles are maintained by the assignment of authorization objects.

Note
For use with Fiori fact sheets, verify that the following authorization objects are in place: Mitigation Control –
GRAC_MITC, Role – GRAC_ROLED, Risk – GRAC_RISK, User – GRAC_USER.

The table lists the authorization objects delivered with the application:

Object | Description
1 GRAC_ACTN | This object grants the authorization to perform different actions.
2 GRAC_ALERT | This object allows you to generate, clean up, and create alerts.
3 GRAC_ASIGN | The object allows you to assign owner types to firefighter IDs.
4 GRAC_BPROC | The object allows you to create, read, update, and delete business processes, and to assign business processes to risks and functions.
5 GRAC_BGJOB | The object allows you to execute background jobs.
6 GRAC_CGRP | This object allows you to maintain an Access Control Custom Group.
7 GRAC_CPROF | The object allows you to create, read, update, and delete SoD critical profiles.
8 GRAC_CROLE | The object allows you to create, read, update, and delete SoD critical roles.
9 GRAC_EMPLY | The object allows you to restrict activities based on the following attributes: cost center, department, company, location. You use this object to maintain authorization for attributes not in the GRAC_USER object.
10 GRAC_FFOBJ | The object allows you to restrict creation of FFID or FFROLE based on system user ID, system, or activity.
11 GRAC_FFOWN | The object allows you to create, read, update, and delete FFID owners based on the owner type, user ID, or system ID.
12 GRAC_FUNC | The object allows you to maintain authorizations for the SoD function based on the following attributes: activity, function ID, action (SOD transaction), and permission.
13 GRAC_HROBJ | The object allows you to restrict activities for the HR object based on specific attributes: activity, connector ID, HR object type, HR object ID.
14 GRAC_MITC | The object allows you to maintain mitigation controls.
15 GRAC_ORGRL | The object allows you to maintain SoD organization rules.
16 GRAC_OUNIT | The object allows you to maintain org units for access control.
17 GRAC_OWNER | The object allows you to maintain owners in access control.
18 GRAC_PROF | The object allows you to maintain the SoD profile.
19 GRAC_RA | The object allows you to perform risk analysis. You can specify if the user has authorizations to only execute risk analysis, or has administrator rights.
20 GRAC_RCODE | The object allows you to maintain the reason code.
21 GRAC_REP | The object allows you to execute all reports.
22 GRAC_REQ | The object allows you to maintain access requests.
23 GRAC_RISK | The object allows you to maintain SoD access risk.
24 GRAC_RLMM | The object allows you to perform role mass maintenance.
25 GRAC_ROLED | This object allows you to enforce authorizations for accessing roles during role definition.
26 GRAC_ROLEP | This object allows you to control which roles a user can request.
27 GRAC_ROLER | This object allows you to perform role risk analysis.
28 GRAC_RSET | The object allows you to create, read, update, and delete SoD rule sets.
29 GRAC_SUPP | The object allows you to create, read, update, and delete SoD supplementary rules.
30 GRAC_SYS | The object allows you to authorize access to specific connectors or systems based on application type and system ID.
31 GRAC_SYSTM | This object allows system level access to Access Control.
32 GRAC_USER | The object allows you to restrict activities based on the following attributes: user group, user ID, connector, user group, orgunit.
33 GRFN_CONN | This object allows you to access connectors in CCITS (the GRC integration engine).

7.4 Authorization Objects and Relevant Fields

The authorization objects for Access Control use specific authorization fields.

The following table lists the authorization fields that are available for each authorization object:

Object | Fields
1 GRAC_ACTN | GRAC_ACTN, GRFNW_PRC
2 GRAC_ALERT | ACTVT, GRAC_ALRTT
3 GRAC_ASIGN | ACTVT, GRAC_OWN_T
4 GRAC_BGJOB | ACTVT, GRAC_BGJOB
5 GRAC_BPROC | ACTVT, GRAC_BPROC
6 GRAC_CGRP | ACTVT, GRAC_CGRP
7 GRAC_CPROF | ACTVT, GRAC_CPROF
8 GRAC_CROLE | ACTVT, GRAC_CROLE
9 GRAC_EMPLY | ACTVT, GRAC_COMP, GRAC_COSTC, GRAC_DEPT, GRAC_LOCTN
10 GRAC_FFOBJ | ACTVT, GRAC_FFOBJ, GRAC_SYSID
11 GRAC_FFOWN | ACTVT, GRAC_OWN_T, GRAC_SYSID, GRAC_USER
12 GRAC_FUNC | ACTVT, GRAC_ACT, GRAC_FUNC, GRAC_PRM
13 GRAC_HROBJ | ACTVT, GRAC_HROBJ, GRAC_HRTYP, GRAC_SYSID
14 GRAC_MITC | ACTVT, GRAC_MITC, GRAC_OUNIT
15 GRAC_ORGRL | ACTVT, GRAC_ORGRL
16 GRAC_OUNIT | ACTVT, GRAC_OUNIT, GRAC_OUTYP
17 GRAC_OWNER | ACTVT, GRAC_CLASS, GRAC_OUNIT, GRAC_OWN_T, GRAC_SYSID, GRAC_USER
18 GRAC_PROF | ACTVT, GRAC_PROF, GRAC_SYSID
19 GRAC_RA | ACTVT, GRAC_OTYPE, GRAC_RAMOD, GRAC_REPT
20 GRAC_RCODE | ACTVT, GRAC_RSCOD, GRAC_SYSID
21 GRAC_REP | ACTVT, GRAC_REPID
22 GRAC_REQ | ACTVT, GRAC_BPROC, GRAC_FNCAR, GRAC_RQFOR, GRAC_RQINF, GRAC_RQTYP
23 GRAC_RISK | ACTVT, GRAC_BPROC, GRAC_RISK, GRAC_RLVL, GRAC_RSET, GRAC_RTYPE
24 GRAC_RLMM | ACTVT, GRAC_RLMMT
25 GRAC_ROLED | GRAC_ACTRD, GRAC_BPROC, GRAC_LDSCP, GRAC_RLSEN, GRAC_RLTYP, GRAC_ROLE
26 GRAC_ROLEP | ACTVT, GRAC_BPROC, GRAC_OUNIT, GRAC_RLTYP, GRAC_ROLE, GRAC_SYSID
27 GRAC_ROLER | ACTVT, GRAC_OUNIT, GRAC_ROLE, GRAC_ROTYP, GRAC_SYSID
28 GRAC_RSET | ACTVT, GRAC_RSET
29 GRAC_RT | ACTVT, GRAC_RQTP, GRAC_TN
30 GRAC_SUPP | ACTVT
31 GRAC_SYS | ACTVT, GRAC_APPTY, GRAC_ENVRM, GRAC_SYSID
32 GRAC_SYSTM | ACTVT, GRACSYSACT, GRAC_SYSID
33 GRAC_USER | ACTVT, GRAC_CLASS, GRAC_OUNIT, GRAC_SYSID, GRAC_USER, GRAC_UTYPE
34 GRFN_MSMP | Note: to allow users to view access request data in reports, you must assign this authorization object and the activity A5 (display report) to their role.
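To make the field-level semantics of these objects concrete, here is an added example, not SAP code, that simulates an authority check against a constructed user buffer for GRAC_RISK, GRAC_REP and GRAC_ROLED, with their field lists transcribed from the table above. It shows why values spread over two authorizations do not combine, and it rejects a check that names a field the object does not have. The rule set names, report name and role sensitivity values are constructed.

```python
"""Simulate an ABAP-style field-level authority check for the objects in 7.4.

Added example, not SAP code. A user's authorizations are modelled as a list of
(object, {field: {values}}) pairs, one per authorization in the user buffer.
A check passes only if ONE authorization satisfies every field tested at once;
values split across two authorizations do not combine. OBJECT_FIELDS
transcribes the field lists of three objects from the 7.4 table.
"""

# Fields per object, transcribed from the 7.4 table (three objects shown).
OBJECT_FIELDS = {
    "GRAC_RISK": {"ACTVT", "GRAC_BPROC", "GRAC_RISK", "GRAC_RLVL", "GRAC_RSET", "GRAC_RTYPE"},
    "GRAC_REP": {"ACTVT", "GRAC_REPID"},
    "GRAC_ROLED": {"GRAC_ACTRD", "GRAC_BPROC", "GRAC_LDSCP", "GRAC_RLSEN", "GRAC_RLTYP", "GRAC_ROLE"},
}


def value_granted(granted_values, wanted):
    """SAP-style value match: '*' covers everything, a trailing '*' covers by
    prefix, anything else must be equal."""
    return any(g == "*" or g == wanted or (g.endswith("*") and wanted.startswith(g[:-1]))
               for g in granted_values)


def authority_check(user_buffer, obj, **fields):
    """Return True if one authorization for `obj` grants every requested field
    value. Fields of the object that the check does not name are not tested
    (the DUMMY case of AUTHORITY-CHECK). A field name unknown for the object
    raises ValueError so that a typo cannot silently pass or fail."""
    known = OBJECT_FIELDS.get(obj)
    if known is None:
        raise ValueError(f"unknown object {obj}")
    unknown = set(fields) - known
    if unknown:
        raise ValueError(f"{obj} has no field(s) {sorted(unknown)}")
    for o, granted in user_buffer:
        if o == obj and all(value_granted(granted.get(f, ()), v) for f, v in fields.items()):
            return True
    return False


# Constructed user buffer: display (03) on the GLOBAL rule set, change (02)
# only on a customer rule set, execute (16) on GRAC_* reports, and role
# definition limited to constructed sensitivity values LOW and MEDIUM.
USER_BUFFER = [
    ("GRAC_RISK", {"ACTVT": {"03"}, "GRAC_BPROC": {"*"}, "GRAC_RISK": {"*"},
                   "GRAC_RLVL": {"*"}, "GRAC_RSET": {"GLOBAL"}, "GRAC_RTYPE": {"*"}}),
    ("GRAC_RISK", {"ACTVT": {"02", "03"}, "GRAC_BPROC": {"*"}, "GRAC_RISK": {"*"},
                   "GRAC_RLVL": {"*"}, "GRAC_RSET": {"Z_CUSTOM"}, "GRAC_RTYPE": {"*"}}),
    ("GRAC_REP", {"ACTVT": {"16"}, "GRAC_REPID": {"GRAC_*"}}),
    ("GRAC_ROLED", {"GRAC_ACTRD": {"*"}, "GRAC_BPROC": {"*"}, "GRAC_LDSCP": {"*"},
                    "GRAC_RLSEN": {"LOW", "MEDIUM"}, "GRAC_RLTYP": {"*"}, "GRAC_ROLE": {"*"}}),
]

if __name__ == "__main__":
    checks = [
        ("GRAC_RISK", {"ACTVT": "03", "GRAC_RSET": "GLOBAL"}),
        ("GRAC_RISK", {"ACTVT": "02", "GRAC_RSET": "GLOBAL"}),   # denied: 02 only on Z_CUSTOM
        ("GRAC_RISK", {"ACTVT": "02", "GRAC_RSET": "Z_CUSTOM"}),
        ("GRAC_REP", {"ACTVT": "16", "GRAC_REPID": "GRAC_CONSTRUCTED_REPORT"}),
        ("GRAC_ROLED", {"GRAC_RLSEN": "HIGH"}),                  # denied: sensitivity not granted
    ]
    for obj, f in checks:
        result = "granted" if authority_check(USER_BUFFER, obj, **f) else "denied"
        print(obj, f, "->", result)
```

The second check is the one to remember when reading a role's authorizations in PFCG: the user does hold ACTVT 02 and does hold GRAC_RSET GLOBAL, but in different authorizations, so a change on the global rule set is still denied.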

7.4.1 Authorization Fields

This section covers the technical names for the authorization fields and their descriptions.

For information about the fields that are relevant for specific authorization objects, see Authorization Objects and
Relevant Fields.

Field Name Description

1 GRAC_ACT Action


2 GRAC_ACTRD Activities

3 GRAC_ALRTT Alert type

4 GRAC_APPTY Application type

5 GRAC_BPROC Business process

6 GRAC_BSUBP Subprocess

7 GRAC_CLASS User group

8 GRAC_COMP Company

9 GRAC_COSTC Cost center

10 GRAC_CPROF Profile name

11 GRAC_CROLE Role name

12 GRAC_CTRID SOD control ID

13 GRAC_DEPT Department

14 GRAC_ENVRM System environment

15 GRAC_FFOBJ Description for user ID or role

16 GRAC_FNCAR Functional area

17 GRAC_FUNC Function ID

18 GRAC_HROBJ HR object ID

19 GRAC_HRTYP HR object type

20 GRAC_LDSCP Connector group

21 GRAC_LOCTN Location

22 GRAC_MITC SOD control ID

23 GRAC_MON Owner description

24 GRAC_OLVL Resource extension

25 GRAC_ORGRL Organization rule ID

26 GRAC_OTYPE Object types for authorization

27 GRAC_OUNIT HR object ID


28 GRAC_OUTYP Object type for assigned organization

29 GRAC_OWN_T Owner type

30 GRAC_PRM SOD resource

31 GRAC_PROF Profile name

32 GRAC_RAMOD Risk analysis mode

33 GRAC_REPID Report name

34 GRAC_REPT Report type

35 GRAC_RISK Access risk ID

36 GRAC_RLMMT Type for role mass maintenance

37 GRAC_RLSEN Role sensitivity

38 GRAC_RLTYP Role type

39 GRAC_RLVL SOD risk level

40 GRAC_ROLE Role name

41 GRAC_ROTYP Role type for risk analysis

42 GRAC_ROWN Owner description

43 GRAC_RQFOR Request for single or multiple user

44 GRAC_RQINF Request Information

45 GRAC_RQSOD SOD option for request

46 GRAC_RQTYP Request type

47 GRAC_RSCOD Title/Short name

48 GRAC_RSET Rule set ID

49 GRAC_RTYPE Access risk type

50 GRAC_SYSID Connector ID

51 GRAC_TN Template Name

52 GRAC_USER User ID

53 GRAC_USRTY Role type for request approver


54 GRAC_UTYPE User type

7.4.2 Values for ACTVT Field

The ACTVT (or Activity) field is used by almost every Access Control authorization object. The values you select
for the ACTVT field control the actions the role can perform with the authorization object, such as delete or
execute.

Note
The GRAC_ROLED authorization object does not use the ACTVT field; it uses the custom attribute: GRAC_ACTRD.
For more information, see Values for GRAC_ACTRD Field [page 29].

The following table lists the values you can select for the ACTVT field based on the authorization object:

Authorization Object Valid Activity Values

1 GRAC_ALERT Delete, Execute, Archive, Deactivate

2 GRAC_ASIGN Create or generate, Change, Display, Delete, Administer

3 GRAC_BPROC Create or generate, Change, Display, Delete, Execute, Assign

4 GRAC_BGJOB Create or generate, Display, Delete, Administer

5 GRAC_CGRP Create or generate, Change, Display, Delete, Execute

6 GRAC_CPROF Create or generate, Change, Display, Delete, Execute, Assign

7 GRAC_CROLE Create or generate, Change, Display, Delete, Execute, Assign

8 GRAC_EMPLY Create or generate, Change, Display, Delete, Execute, Administer, Assign, Copy

9 GRAC_FFOBJ Create or generate, Change, Display, Delete

10 GRAC_FFOWN Create or generate, Change, Display, Delete, Archive, Administer

11 GRAC_FUNC Create or generate, Change, Display, Delete, Execute, Generate, Assign

12 GRAC_HROBJ Create or generate, Change, Display, Delete, Execute, Assign

13 GRAC_MITC Create or generate, Change, Display, Delete, Assign

14 GRAC_ORGRL Create or generate, Change, Display, Delete, Activate or Generate, Execute, Assign

15 GRAC_OUNIT Create or generate, Change, Display, Delete, Execute, Assign

16 GRAC_OWNER Create or generate, Change, Display, Delete, Archive, Administer, Assign

17 GRAC_PROF Create or generate, Change, Display, Delete, Execute, Assign

18 GRAC_RA Execute, Administer

19 GRAC_RCODE Create or generate, Change, Display, Delete

20 GRAC_REP Execute

21 GRAC_REQ Create or generate, Change, Display, Administer, Copy

22 GRAC_RISK Create or generate, Change, Display, Delete, Execute, Generate, Assign

23 GRAC_RLMM Perform

24 GRAC_ROLEP Assign

25 GRAC_ROLER Execute, Assign

26 GRAC_RSET Create or generate, Change, Display, Delete, Execute, Assign

27 GRAC_RT Create or generate, Change, Display, Delete

28 GRAC_SUPP Create or generate, Change, Display, Delete

29 GRAC_SYS Create or generate, Change, Display, Delete, Execute, Assign

30 GRAC_SYSTM Execute Access Control reports

31 GRAC_USER Create or generate, Change, Display, Delete, Execute, Assign

32 /GRCPI/001 * (asterisk) or blank (empty)

7.4.3 Values for GRAC_ACTRD Field

The GRAC_ACTRD field is used by the GRAC_ROLED authorization object for role definition.

Use Scenario: Ticket Number in BRM

The Ticket Number functionality in BRM allows you to attach ticket numbers to the workflow for role changes. The
V8 value in the GRAC_ACTRD field enables the user to edit and overwrite the ticket number in all role methodology
steps. Without this value, the user can only enter or change the ticket number when the role is in Create mode or in
Completed status.

Authorization Object Field Value Description

GRAC_ROLED GRAC_ACTRD V8 - Overwrite Ticket Number The V8 value enables the user to edit the ticket number in all role methodologies.

7.5 Business Roles and Authorization Objects

This section lists and explains the delivered roles and relevant authorization objects for SAP Access Control 12.0.

Some roles are relevant for all access control capabilities, whereas some roles are only relevant for specific
capabilities. The information in the following sections is divided by capabilities.

7.5.1 Roles Relevant Across All Capabilities

The following table lists the delivered roles that are relevant across all Access Control capabilities, and the relevant
authorization objects:

Role Objects

SAP_GRAC_ALL ● GRAC_ALERT
● GRAC_ASIGN
● GRAC_BGJOB
● GRAC_BPROC
● GRAC_CGRP
● GRAC_CPROF
● GRAC_CROLE
● GRAC_EMPLY
● GRAC_FFOWN
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_RCODE
● GRAC_REP
● GRAC_RISK
● GRAC_RLMM
● GRAC_ROLED
● GRAC_ROLEP
● GRAC_ROLER
● GRAC_RSET
● GRAC_RT
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER
● GRFN_CONN

SAP_GRAC_BASE ● GRAC_BGJOB
● GRAC_REQ
● GRAC_USER
● S_START


SAP_GRAC_DISPLAY_ALL ● GRAC_CPROF
● GRAC_CROLE
● GRAC_EMPLY
● GRAC_FFOBJ
● GRAC_FFOWN
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RCODE
● GRAC_REQ
● GRAC_RISK
● GRAC_ROLED
● GRAC_RSET
● GRAC_RT
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER
● GRFN_CONN


SAP_GRAC_REPORTS ● GRAC_ALERT
● GRAC_ASIGN
● GRAC_BPROC
● GRAC_CPROF
● GRAC_CROLE
● GRAC_EMPLY
● GRAC_FFOBJ
● GRAC_FFOWN
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_RCODE
● GRAC_REP
● GRAC_REQ
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER
● GRFN_CONN

7.5.2 Role Management

The following table lists the delivered roles and the relevant authorization objects for role management.

Role Name Objects

SAP_GRAC_ROLE_MGMT_ADMIN ● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_ORGRL
● GRAC_OWNER
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_RLMM
● GRAC_ROLED
● GRAC_RSET
● GRAC_SYS
● GRAC_SYSTM
● GRAC_SUPP
● GRFN_CONN

SAP_GRAC_ROLE_MGMT_DESIGNER ● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_ORGRL
● GRAC_OWNER
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_RSET
● GRAC_SYS
● GRAC_SYSTM
● GRAC_SUPP
● GRFN_CONN

SAP_GRAC_ROLE_MGMT_ROLE_OWNER ● GRAC_REP
● GRAC_ROLED
● GRAC_SYSTM
● GRFN_CONN

SAP_GRAC_ROLE_MGMT_USER ● GRAC_ROLED
● GRFN_CONN

7.5.3 Access Request

The following table lists the delivered roles and the relevant authorization objects for access request:

Role Name Objects

SAP_GRAC_ACCESS_APPROVER ● GRAC_CPROF
● GRAC_CROLE
● GRAC_EMPLY
● GRAC_FUNC
● GRAC_ORGRL
● GRAC_RA
● GRAC_REQ
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLEP
● GRAC_RSET
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER

SAP_GRAC_ACCESS_REQUEST_ADMIN ● GRAC_CPROF
● GRAC_CROLE
● GRAC_EMPLY
● GRAC_FUNC
● GRAC_ORGRL
● GRAC_OWNER
● GRAC_RA
● GRAC_REP
● GRAC_REQ
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLEP
● GRAC_RSET
● GRAC_RT
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER


SAP_GRAC_ACCESS_REQUESTER ● GRAC_EMPLY
● GRAC_REQ
● GRAC_ROLED
● GRAC_ROLEP
● GRAC_SYS
● GRAC_SYSTM
● GRAC_USER

7.5.4 Emergency Access Management

Emergency Access Management is available in centralized and decentralized (plug-in) implementations. The role
information is separated by the implementation scenario in the following sections.

Roles for Centralized Firefighting

The following table lists the delivered roles and the relevant authorization objects for centralized emergency
access management:

Role Name Objects

SAP_GRAC_SUPER_USER_MGMT_ADMIN ● GRAC_ASIGN
● GRAC_OWNER
● GRAC_RCODE
● GRAC_REP
● GRAC_ROLED
● GRAC_USER

SAP_GRAC_SUPER_USER_MGMT_CNTLR ● GRAC_ASIGN
● GRAC_OWNER
● GRAC_REP

SAP_GRAC_SUPER_USER_MGMT_OWNER ● GRAC_ASIGN
● GRAC_OWNER
● GRAC_RCODE
● GRAC_ROLED
● GRAC_USER


SAP_GRAC_SUPER_USER_MGMT_USER ● GRAC_RCODE
● GRAC_USER
● GRFN_CONN

Roles for Decentralized Firefighting

For decentralized (plug-in) firefighting scenarios, the following roles are delivered.

Role Name Authorizations

SAP_GRIA_SUPER_USER_MGMT_ADMIN /GRCPI/001 - GRAC Authorization Object to extend FF Validity Period

ACTVT field value: 70 or * (asterisk)

SAP_GRIA_SUPER_USER_MGMT_USER Transactions: /GRCPI/GRIA_EAM and SU53

7.5.5 Access Risk Analysis

The following table lists the delivered roles and the relevant authorization objects for access risk analysis:

Role Name Objects

SAP_GRAC_ALERTS ● GRAC_ALERT
● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_ORGRL
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_USER
● GRFN_CONN

SAP_GRAC_CONTROL_APPROVER ● GRAC_ALERT
● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_USER


SAP_GRAC_CONTROL_MONITOR ● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_USER

SAP_GRAC_CONTROL_OWNER ● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_MITC
● GRAC_ORGRL
● GRAC_OUNIT
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_USER

SAP_GRAC_FUNCTION_APPROVER ● GRAC_FUNC
● GRAC_SYSTM
● GRFN_CONN


SAP_GRAC_RISK_ANALYSIS ● GRAC_CPROF
● GRAC_CGRP
● GRAC_CROLE
● GRAC_FUNC
● GRAC_HROBJ
● GRAC_ORGRL
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SYSTM
● GRAC_SUPP
● GRAC_USER
● GRFN_CONN

SAP_GRAC_RISK_OWNER ● GRAC_FUNC
● GRAC_HROBJ
● GRAC_ORGRL
● GRAC_OWNER
● GRAC_PROF
● GRAC_RA
● GRAC_REP
● GRAC_RISK
● GRAC_ROLED
● GRAC_ROLER
● GRAC_RSET
● GRAC_SUPP
● GRAC_USER


SAP_GRAC_RULE_SETUP ● GRAC_CPROF
● GRAC_CROLE
● GRAC_FUNC
● GRAC_ORGRL
● GRAC_REP
● GRAC_RISK
● GRAC_RSET
● GRAC_SUPP
● GRAC_SYS
● GRAC_SYSTM
● GRFN_CONN

7.5.6 Workflow

The following table lists the delivered roles and the relevant authorization objects for workflow:

Role Name Object

SAP_GRC_MSMP_WF_ADMIN_ALL GRFN_MSMP

SAP_GRC_MSMP_WF_CONFIG_ALL GRFN_MSMP

8 Data Protection

The following user data from ERP and non-ERP systems is synchronized to, and stored in, the Access Control
system:

● Authorization data (role, user, profiles, HR objects), which contains the user IDs, email IDs, telephone
numbers, address, organizational assignments, etc.
● User logs and activity information

The Access Control solution supports the SAP Information Lifecycle Management (ILM) framework to maintain
data protection. This chapter describes how to use ILM to carry out blocking and destruction of data as required by
data protection policies.

Setting Up ILM

1. Use transaction SFW5 to activate Information Lifecycle Management (ILM).

Note
SAP NetWeaver Information Lifecycle Management is a product that requires its own license. After
licensing, you have to activate this product.

2. Select the components that will use the ILM functionality: GRC, GRC-AC.
Use transaction SPRO, and complete the activity: Global ILM Enablement, under SAP Reference IMG ->
Governance, Risk, and Compliance -> General Settings-> Blocking and Deletion
3. Maintain the fiscal year variant for Access Control.
Use transaction SPRO, and open activity: Maintain Configuration Settings, under SAP Reference IMG ->
Governance, Risk, and Compliance -> Access Control .
Configure parameter 6001: Fiscal Year Variant.
4. Configure the ILM rules for data retention.
Access Control provides ILM objects that enhance archiving objects with information for data retention. An
ILM object contains the settings for the ILM rules. These rules are read by Access Control while data
processing and, based on the rule condition, personal data is blocked and deleted.
Use transaction SPRO, complete the activity: ILM Entity Settings, under SAP Reference IMG -> Governance,
Risk, and Compliance -> General Settings-> Blocking and Deletion

ILM Policy Creation

● To establish the Residence Rules and the Retention rules, use transaction IRMPOL. For any Residence Rule (if
blocking is required), use Audit area GRC.
● To designate objects to be blocked or destroyed (based on business need and legal requirements), use
transaction SPRO, and maintain the activity: Maintain Legal Entity, under SAP Reference IMG -> Governance,
Risk, and Compliance -> General Settings-> Blocking and Deletion.

Blocking and Unblocking

● To verify you have configured your data blocking, use transaction GRAC_DATA_BLOCK.
● To unblock data, use transaction GRAC_DATA_UNBLOCK. Select the ILM object, and then click execute.
Select a record and click Unblock.
Objects remain unblocked until the next scheduled execution of the blocking job blocks them again.

Destruction

Use transaction code ILM_DESTRUCTION to verify your destruction policies. Select Data from the Database and
identify the ILM object. Use test mode.

Logs

Use transaction code SLG1 to verify the logs.

Verification

Open Access Control and check the dates to see if your policies and rules are operating as intended. For example,
if you set up the data to be blocked after 2 years, check if any data is shown if you search for dates older than 2
years.

Use the ABAP program GRFN_PI_DBTABLOG_COPY_DES, a simple deletion report, to delete the contents of the
GRC plug-in system database table /GRCPI/GRIA_AM_DBLOG.

8.1 Information Retrieval Framework (IRF)

The Information Retrieval Framework (IRF) allows you to search for and retrieve all personal data of a specified
data subject. The search results are displayed in a comprehensive and structured list containing all personal data
of the data subject specified, subdivided according to the purpose for which the data was collected and processed.

For information about IRF, setting up the data model used by IRF, and retrieving personal data using IRF, see the
Information Retrieval Guide attached to SAP Note 2469325.

8.2 Read Access Log (RAL)

Access Control does not deliver Read Access Logging (RAL) configurations and log conditions.

8.3 Business Entities

The table below lists the business entities for Access Control.

Note
● Blocking Required (RST). End of residence time varies.
● Destruction Required (RTP) after end of retention time. All business entities listed below require
destruction after the end of the retention time.

Business Entities

Business Entity | ILM Object | Component | Blocking Required (RST) | Archiving Required | Legal Entity or Country Flag Available

Access Request | GRAC_ARQ | GRC-AC | Yes | Yes | No
Action Usage | GRAC_ACT | GRC-AC | Yes | Yes | No
Ad-Hoc Issue | GRFN_AI_DESTRUCTION | GRC | Yes | No | Yes
Automated Monitoring Job | GRFN_AM_JOB_DESTRUCTION | GRC | Yes | No | Yes
Background Report Data | GRFN_REP_DATA_DESTRUCTION | GRC | No | No | No
Business Rule | GRFN_BR_DESTRUCTION | GRC | Yes | No | No
Datamart | GRFN_DATAMART_DESTRUCTION | GRC | Yes | No | No
Emergency Access Management | GRAC_EAM | GRC-AC | Yes | Yes | No
Evaluation: Survey | GRFN_SURVEY_DESTRUCTION | GRC | Yes | No | Yes
Master Data Change Request (MDCR) | GRFN_MDCR_DESTRUCTION | GRC | No | No | No
Notes History | GRFN_NOTES_DESTRUCTION | GRC | Yes | No | Yes
Planner - Plan | GRFN_PLAN_DESTRUCTION | GRC | Yes | Yes | No
Policy | GRFN_POLICY_DESTRUCTION | GRC | Yes | No | Yes
Role Assignment | GRFN_ROLE_ASSIGN_DESTRUCTION | GRC | Yes | No | Yes
User Delegation | GRFN_DELEGATE_DESTRUCTION | GRC | No | No | No

8.4 Roles and Authorization Objects

Verify the end-user can no longer access the personal data stored in blocked process tables. Authorization can be
given to specific users (like auditors) to read the personal data from blocked process tables.

Roles created for ILM administrators and Auditors

Role | Description | Authorization Object | Authorization Field | Field Value (Purpose)

SAP_GRC_ILM_ADMINISTRATOR | GRC ILM Administrator | GRFN_USER | ACTVT | 5 (Blocking), 69 (Destruct), 95 (Unblocking)
● Assign SAP_GRC_FN_ALL (power user) using SU01
● Assign role SAP_GRC_SPC_CRS_ISSUE_ADMIN (cross regulation issue admin) at entity level on any corporate node in organization hierarchy.

SAP_GRC_ILM_AUDITOR | GRC ILM Auditor | GRFN_USER | ACTVT | 94 (To view blocked data)
● Only the ILM auditor can have this activity to protect the blocked data.
● If you have created custom roles with authorization object GRFN_USER and activity set to "*" then it must be removed and specific activities must be named.

These authorizations must be provided to users for different activities.

Authorization objects and Activities used

Authorization Object | Authorization Field | Field Value | Description

GRFN_USER | ACTVT | 5 | Lock
GRFN_USER | ACTVT | 69 | Discard
GRFN_USER | ACTVT | 94 | Override (only the ILM Auditor can have this activity, to protect the blocked data)
GRFN_USER | ACTVT | 95 | Unlock

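The GRFN_USER activity rules above (section 8.4) and the per-object valid ACTVT values in section 7.4.2, as an added example that is not from the SAP guide: a Python script that audits a constructed export of role authorization lines and flags GRFN_USER ACTVT set to "*", activity 94 granted to any role other than the delivered ILM auditor role, and ACTVT values outside the valid set the guide lists for GRAC_REP and GRAC_RCODE. The input format (tab-separated columns role, object, field, low, high, in the shape of the AGR_1251 role-authorization table), the customer roles Z_GRC_HELPDESK and Z_GRC_REPORTING, and all sample rows are assumptions constructed for this example; the numeric codes 01/02/03/06/16 for Create or generate, Change, Display, Delete and Execute are standard SAP activity codes that the guide does not print.

```python
"""
Added example (not from the SAP guide): audit role authorization lines for
the GRFN_USER data-protection activities (guide section 8.4) and for ACTVT
values outside the valid set per authorization object (guide section 7.4.2).

Assumptions, labelled here and in the lead-in:
- Input is a tab-separated dump with columns role, object, field, low, high,
  the shape of the AGR_1251 role-authorization table; the rows are constructed.
- Numeric codes 01/02/03/06/16 stand for Create or generate, Change, Display,
  Delete and Execute (standard SAP ACTVT codes, not printed in the guide).
"""
from collections import defaultdict

# Activity codes this example knows about. ACTVT is a two-character field, so
# the value the guide prints as 5 (Lock) is stored as 05.
ALL_ACTVT = {"01", "02", "03", "05", "06", "16", "69", "70", "94", "95"}

# Valid ACTVT values per object, from the guide's table in 7.4.2 (subset).
VALID_ACTVT = {
    "GRAC_REP": {"16"},                      # Execute only
    "GRAC_RCODE": {"01", "02", "03", "06"},  # Create or generate, Change, Display, Delete
}

# GRFN_USER activities for data protection (guide, 8.4).
ILM_ACTIVITIES = {"05": "Lock", "69": "Discard", "94": "Override", "95": "Unlock"}

# Only the delivered ILM auditor role may carry activity 94 (guide, 8.4).
AUDITOR_ROLES = {"SAP_GRC_ILM_AUDITOR"}

# Constructed sample export; the Z_* roles are hypothetical customer roles.
SAMPLE_EXPORT = """\
SAP_GRC_ILM_ADMINISTRATOR\tGRFN_USER\tACTVT\t05\t
SAP_GRC_ILM_ADMINISTRATOR\tGRFN_USER\tACTVT\t69\t
SAP_GRC_ILM_ADMINISTRATOR\tGRFN_USER\tACTVT\t95\t
SAP_GRC_ILM_AUDITOR\tGRFN_USER\tACTVT\t94\t
Z_GRC_HELPDESK\tGRFN_USER\tACTVT\t*\t
Z_GRC_HELPDESK\tGRAC_REP\tACTVT\t02\t
Z_GRC_REPORTING\tGRFN_USER\tACTVT\t03\t94
Z_GRC_REPORTING\tGRAC_REP\tACTVT\t16\t
"""


def normalize(code):
    """Zero-pad numeric codes: the guide writes 5 where the field holds 05."""
    code = code.strip()
    return code.zfill(2) if code.isdigit() else code


def parse_export(text):
    """Return (role, object, field, low, high) tuples from the tab-separated dump."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = (line.split("\t") + [""] * 5)[:5]
        rows.append(tuple(p.strip() for p in parts))
    return rows


def expand_actvt(low, high):
    """Activity codes granted by one LOW/HIGH line, restricted to ALL_ACTVT.

    '*' grants every activity; LOW..HIGH grants every numeric code in the
    range; a single LOW grants just that code.
    """
    low, high = normalize(low), normalize(high)
    if low == "*":
        return set(ALL_ACTVT)
    if high and low.isdigit() and high.isdigit():
        lo, hi = int(low), int(high)
        return {c for c in ALL_ACTVT if lo <= int(c) <= hi}
    return {low}


def audit(text):
    """Map role -> list of findings for the rules named above."""
    findings = defaultdict(list)
    grfn_user_grants = defaultdict(set)
    for role, obj, field, low, high in parse_export(text):
        if field != "ACTVT":
            continue
        granted = expand_actvt(low, high)
        if obj == "GRFN_USER":
            if normalize(low) == "*":
                findings[role].append(
                    "GRFN_USER ACTVT '*' must be removed and specific activities named")
            grfn_user_grants[role] |= granted
        elif obj in VALID_ACTVT:
            extra = sorted(granted - VALID_ACTVT[obj])
            if extra:
                findings[role].append(
                    f"{obj} ACTVT {extra} outside the valid set {sorted(VALID_ACTVT[obj])}")
    for role, granted in grfn_user_grants.items():
        if "94" in granted and role not in AUDITOR_ROLES:
            findings[role].append(
                "GRFN_USER activity 94 (Override, view blocked data) outside the ILM auditor role")
    return dict(findings)


if __name__ == "__main__":
    for role, problems in sorted(audit(SAMPLE_EXPORT).items()):
        for problem in problems:
            print(f"{role}: {problem}")
```

Ranges matter here: a LOW/HIGH line such as 03..94 silently includes the data-protection activities 05, 69 and 94, which is why the check expands ranges instead of comparing the LOW value alone.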
8.5 Data Archiving

ILM-enabled Archiving Objects

GRC supports the SAP Information Lifecycle Management (ILM) framework for retention management.

The following table shows the available GRC archiving objects:

GRC ILM-enabled Archiving Objects

Archiving Object | Description | ILM Object | Condition field | Reference field

GRACEAM | Archiving for GRC AC Emergency Access Management (EAM) Logs | GRCAC_EAM | FFLOG_ID | LOGON_TIME
GRACACTUS | Archiving for GRC AC Action usage - GRACACTUSAGE table records | GRAC_ACT | ACTION_USAGE_ID | EXECUTION_DATE
GRFNMSMP | Archiving for GRC AC Requests | GRCAC_ARQ | PROCESS_ID | FINISHED_AT

8.5.1 Archiving GRACACTUSAGE Table Records

Use archiving object GRACACTUS for archiving GRACACTUSAGE table records.

Before using the archiving object for the first time, verify if the GRC Customizing activities under Blocking and
Deletion have been completed to enable the Information Lifecycle Management (ILM) capabilities. When you use
the archiving object GRACACTUS, data is archived from the following tables:

Table and Programs affected by GRACACTUS

Tables Programs

GRACACTUSAGE GRAC_ACTUSAGE_ARCHIVE_WRITE

GRAC_ACTUSAGE_ARCHIVE_DELETE

GRAC_ACTUSAGE_ARCHIVE_READ

8.5.2 Archiving GRC Requests

Use archiving object GRFNMSMP for archiving GRC AC Requests.

Before using the archiving object for the first time, verify if the GRC Customizing activities under Blocking and
Deletion have been completed to enable the Information Lifecycle Management (ILM) capabilities. When you use
the archiving object GRFNMSMP, data is archived from the following tables:

Tables affected by GRFNMSMP

Tables

GRFNMWRTINST

GRFNMWRTINSTAPPL

GRFNMWRTMSGLG

GRFNMWRTARCHCONF

GRACREQ

GRACREQPROVLOG

GRACREQOWNER

GRACREQUSER

GRACREQUSERADR

GRACREQUSERGROUP

GRACREQUSERPARAM

GRACREQPROVITEM

GRACREVITEM

GRACREQOMOBJITEM

GRACSODREVIEW

GRACFUNUSAGE

GRACSODUSERROLE

GRACUARBUSRLSNAP

Programs Affected by GRFNMSMP


Programs

GRFNMW_ARCHIVE_WRITE


GRFNMW_ARCHIVE_DELETE

GRFNMW_ARCHIVE_RELOAD

GRFNMW_ARCHIVE_READ

8.5.3 Archiving EAM Logs

Use archiving object GRACEAM for archiving Emergency Access Management (EAM) logs.

Before using the archiving object for the first time, verify if the GRC Customizing activities under Blocking and
Deletion have been completed to enable the Information Lifecycle Management (ILM) capabilities. When you use
the archiving object GRACEAM, data is archived from the following tables:

● GRACAUDITLOG
● GRACACTUSAGE
● GRACSYSTEMLOG
● GRACCHANGELOG
● GRACOSCMDLOG
● GRACROLEFFLOG
● GRACFFLOG
● GRACFFREPMAPP

The following are the programs affected by GRACEAM.

● GRAC_EAM_ARCHIVE_WRITE
● GRAC_EAM_ARCHIVE_DELETE
● GRAC_EAM_ARCHIVE_READ

Important Disclaimers and Legal Information

Coding Samples
Any software coding and/or code lines / strings ("Code") included in this documentation are only examples and are not intended to be used in a productive system
environment. The Code is only intended to better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and
completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, unless damages were caused by SAP
intentionally or by SAP's gross negligence.

Gender-Neutral Language
As far as possible, SAP documentation is gender neutral. Depending on the context, the reader is addressed directly with "you", or a gender-neutral noun (such as "sales
person" or "working days") is used. If when referring to members of both sexes, however, the third-person singular cannot be avoided or a gender-neutral noun does not
exist, SAP reserves the right to use the masculine form of the noun and pronoun. This is to ensure that the documentation remains comprehensible.

Internet Hyperlinks
The SAP documentation may contain hyperlinks to the Internet. These hyperlinks are intended to serve as a hint about where to find related information. SAP does not
warrant the availability and correctness of this related information or the ability of this information to serve a particular purpose. SAP shall not be liable for any damages
caused by the use of related information unless damages have been caused by SAP's gross negligence or willful misconduct. All links are categorized for transparency (see:
https://help.sap.com/viewer/disclaimer).


© 2018 SAP SE or an SAP affiliate company. All rights reserved.


No part of this publication may be reproduced or transmitted in any
form or for any purpose without the express permission of SAP SE
or an SAP affiliate company. The information contained herein may
be changed without prior notice.
Some software products marketed by SAP SE and its distributors
contain proprietary software components of other software vendors.
National product specifications may vary.
These materials are provided by SAP SE or an SAP affiliate company
for informational purposes only, without representation or warranty
of any kind, and SAP or its affiliated companies shall not be liable for
errors or omissions with respect to the materials. The only
warranties for SAP or SAP affiliate company products and services
are those that are set forth in the express warranty statements
accompanying such products and services, if any. Nothing herein
should be construed as constituting an additional warranty.
SAP and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of
SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the
trademarks of their respective companies.
Please see https://www.sap.com/corporate/en/legal/copyright.html
for additional trademark information and notices.
