7/28/2024

Security Guide: SAP Risk Management


12.0
Generated on: 2024-07-28 19:07:17 GMT+0000

SAP Risk Management | 12.0 SP25

PUBLIC

Original content: https://help.sap.com/docs/SAP_RISK_MANAGEMENT/e8c75d504b36439b908dd233a80d800c?locale=en-US&state=PRODUCTION&version=12.0.25

Warning

This document has been generated from the SAP Help Portal and is an incomplete version of the official SAP product
documentation. The information included in custom documentation may not reflect the arrangement of topics in the SAP Help
Portal, and may be missing important aspects and/or correlations to other topics. For this reason, it is not for productive use.

For more information, please visit the https://help.sap.com/docs/disclaimer.

This is custom documentation. For more information, please visit the SAP Help Portal 1

Document History
 Note
Before you start the implementation, make sure you have the latest version of this document. You can find the latest version
at: https://help.sap.com/viewer/p/SAP_RISK_MANAGEMENT.

Version | Date | Description
1.00 | March 2018 | Initial Release

Introduction
SAP Risk Management enables organizations to balance business opportunities with financial, legal, and operational risks to
minimize the market penalties from high-impact events. The application allows customers to collaboratively identify these risks
and monitor them on a continuous basis. Stakeholders and owners are provided with such tools as analytic dashboards for
greater visibility in mitigating risks in their areas of responsibility.

This security guide provides an overview of the application-relevant security information. You can use the information in this
document to understand and implement system security, and to understand and implement the application security features.

 Caution
This guide does not replace the daily operations handbook that we recommend customers create for their specific
productive operations.

Target Audience
The security guide is written for the following audience, and requires existing knowledge of the SAP security model and of PFCG,
SU01, SAP Fiori launchpad, and Customizing tools:

Technology consultants

System administrators

About this Document


This Security Guide covers two main security areas:

Network and system security

This area covers the system security issues and addresses them in the following sections:

Technical System Landscape

Network and Communication Security

Communication Channel Security

Communication Destinations

Integration with Single Sign-on (SSO) Environments

Data Storage Security

User Administration

Trace and Log Files

Application Security for SAP Risk Management

This section covers the application security information for the SAP Risk Management application.

 Note
For ease of reading, names of applications in the GRC solutions may be abbreviated as follows:

AC is SAP Access Control

PC is SAP Process Control

RM is SAP Risk Management

Before You Start


SAP Risk Management uses SAP NetWeaver, SAP Fiori, and SAP NetWeaver Business Warehouse. Therefore, the corresponding
security guides and other documentation also apply.

Refer to the following security guides on http://help.sap.com:

SAP NetWeaver Application Server for ABAP Security Guide

SAP BW Security Guide (Business Warehouse)

Important SAP Notes


For a complete list of important SAP Notes for the application, see the SAP Risk Management 12.0 Master Guide at
https://help.sap.com/rm under Installation and Migration.

Technical System Landscape


For information about the technical system landscapes, see the SAP Risk Management 12.0 Master Guide at
https://help.sap.com/rm under Installation and Migration.

Network and Communication Security


You can use the information in this section to understand and implement the network and communication security for the SAP
Risk Management application.

The network topology for SAP Risk Management is based on the topology used by the SAP NetWeaver platform. Therefore, for
information about network security, see the respective sections in the SAP NetWeaver Security Guide at
https://help.sap.com/nw75 > Security Guide.

For more information, see the following sections of the SAP NetWeaver Security Guide:

Network and Communication Security

Security Aspects for Connectivity and Interoperability

Communication Channel Security

Use
The following table contains the communication paths, the connection protocol, and the transferred data type used by the SAP
Risk Management application:

Communication Path | Protocol | Type of Data Transferred | Data Requiring Special Protection
SAP NetWeaver ABAP server using SAP GUI | DIAG | All application data | Logon data
SAP Fiori launchpad | HTTP/HTTPS | All application data | Logon data
DS Extraction (application server to BI system) | RFC | All application data | Logon data
Application server to BI system | HTTP/HTTPS | All application data | Logon data
BI system to application server | HTTP/HTTPS | All application data | Logon data
BusinessObjects Enterprise Server | TCP/IP | All application data | Logon data
SAP NetWeaver Business Client | HTTP/HTTPS | All application data | Logon data

DIAG and RFC connections can be protected using Secure Network Communications (SNC). HTTPS connections are protected
using the Secure Sockets Layer (SSL) protocol.

More Information
Transport Layer Security in the SAP NetWeaver Security Guide available at
https://help.sap.com/viewer/p/SAP_NETWEAVER_750

Using the Secure Sockets Layer Protocol with SAP NetWeaver Application Server ABAP

Trusted/Trusting RFC Relationships

Use
You can set up trusted and trusting Remote Function Call (RFC) relationships between two SAP systems. This allows secure RFC
connections between the systems without sending passwords for logging on. The logon user must have the corresponding
authorization object S_RFCACL in the trusting system. This trusted relationship is not specific to GRC applications, and is a
function of SAP NetWeaver.

More Information

Trusted/Trusting Relationships Between SAP Systems on the SAP Help Portal under RFC Programming in ABAP.

Communication Destinations
The tables list the various types of Remote Function Calls (RFC) available. These are set up using transaction code SM59.

 Recommendation
For more information about non-SAP applications, see solutions provided by SAP partners.

The table below lists the connection destinations for SAP Risk Management to communicate with other SAP components:

Destination | Comments
SAP Risk Management to SAP ERP without GRC plug-in installed | SAP Risk Management can use SAP Query or BI Query data sources. The BI Query is available through Operational Data Provisioning (ODP). For ODP use, verify your NetWeaver system requirements are met.

Integration with Single Sign-On Environments


SAP Risk Management does the following:

It supports the Single Sign-On (SSO) mechanisms provided by SAP NetWeaver Application Server ABAP.

It supports the security guidelines for user management and authentication described in the SAP NetWeaver Application
Server Security Guide.

It leverages the SAP NetWeaver ABAP Server and SAP NetWeaver Portal infrastructure.

Secure Network Communications (SNC)


For more information about SNC, see Secure Network Communications (SNC) in the SAP NetWeaver Application Server
Security Guide.

SAP Logon Tickets


For more information about SAP Logon Tickets, see SAP Logon Tickets in the SAP NetWeaver Application Server Security
Guide.

Client Certificates


For more information about X.509 Client Certificates, see Using X.509 Client Certificates on the SAP Help Portal
(http://help.sap.com).

Data Storage Security


Master data and transaction data is stored in the database of the SAP system on which the application is installed. Data
storage occurs in Organizational Management, Case Management and in separate tables for this purpose.

In some applications, you can upload documents into the system. The default document management system (DMS) for storing
data is the SAP Content Server and Knowledge Provider (KPro) infrastructure. Once uploaded, the documents can be accessed
using a URL. The application security functions govern authorization for accessing the URL directly in the portal. To prevent
unauthorized access to the document through copying and sending the URL, a URL is only valid for a given user and for a
restricted amount of time (the default is two hours).

If you choose to implement a different document management system, the data storage security issues are deferred to that
particular DMS.
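The property described above, a document URL that is only valid for the user it was issued to and only for a limited time, modelled as an added example. This is illustrative Python, not the SAP Content Server or KPro implementation; the signing key, base URL, document ID and user names are constructed.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real deployment would use a managed, rotated secret.
DEMO_KEY = b"constructed-demo-key-replace-with-a-managed-secret"
DEFAULT_VALIDITY_SECONDS = 2 * 60 * 60   # the two-hour default named in the guide


def _signature(doc_id: str, user: str, expires: int, key: bytes) -> str:
    # The MAC covers the document, the user and the expiry together, so none of
    # them can be edited in a copied URL without invalidating the signature.
    msg = f"{doc_id}|{user}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_document_url(base: str, doc_id: str, user: str, now: int,
                       validity: int = DEFAULT_VALIDITY_SECONDS,
                       key: bytes = DEMO_KEY) -> str:
    """Build a URL that only `user` can redeem, and only until now + validity."""
    expires = int(now) + validity
    query = urlencode({"doc": doc_id, "user": user, "exp": expires,
                       "sig": _signature(doc_id, user, expires, key)})
    return f"{base}?{query}"


def validate_document_url(url: str, requesting_user: str, now: int,
                          key: bytes = DEMO_KEY) -> Optional[str]:
    """Return the document ID if the URL is intact, unexpired and presented by
    the user it was issued to; otherwise None.

    `requesting_user` must come from the authenticated session, never from the
    URL itself, or the binding to a user is meaningless.
    """
    params = parse_qs(urlsplit(url).query)
    try:
        doc_id = params["doc"][0]
        user = params["user"][0]
        expires = int(params["exp"][0])
        sig = params["sig"][0]
    except (KeyError, IndexError, ValueError):
        return None                        # malformed or truncated URL
    expected = _signature(doc_id, user, expires, key)
    if not hmac.compare_digest(expected, sig):
        return None                        # some field was altered
    if user != requesting_user:
        return None                        # URL copied and sent to someone else
    if int(now) > expires:
        return None                        # validity window has passed
    return doc_id


if __name__ == "__main__":
    issued_at = 1_700_000_000              # constructed timestamp
    link = issue_document_url("https://grc.example.invalid/doc", "RISK-0042", "ALICE", issued_at)
    print(validate_document_url(link, "ALICE", issued_at + 60))    # RISK-0042
    print(validate_document_url(link, "BOB", issued_at + 60))      # None
```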

User Administration
The application user administration uses the mechanisms provided by SAP NetWeaver, such as user types, tools, and the
password concept.

User Types
You use user types to specify different security policies for different types of users. For example, your policy may specify that
individual users who perform tasks interactively have to change their passwords on a regular basis, but not those users under
which background processing jobs run.

The following user types are required for the SAP Risk Management application:

Dialog users:

Required for logging on to the SAP GUI, Web Dynpro and SAP Fiori apps

Communication users:

Required for KRI value extractions. (SAP Risk Management application only)

Required for RFC connection to the BI system

This is a user on the target system. Configure this user according to the security requirements of the target
system.

A communication user (WF-BATCH) is required to run the workflow infrastructure.

User Administration Tools


The applications use SAP NetWeaver Application Server ABAP user and role maintenance. The following lists the tools available
to manage users:

Tool | Detailed Description
Transaction SU01 | Use SU01 for ABAP user management: create and update users and assign authorizations.
Transaction PFCG (Profile Generator) | Use PFCG for ABAP role maintenance and creating authorization profiles.
Customizing | Use transaction SPRO to open Customizing. You can use Customizing to configure and maintain the application.
SAP Fiori launchpad | This is the application front end. Most users can access the application through the SAP Fiori launchpad.
SAP NetWeaver Business Client (NWBC) | This is the application front end. Most users can access the application through NWBC.

For more information, see Customizing for Governance, Risk, and Compliance under Risk Management.

Trace and Log Files


For information about trace and log files, see the SAP Risk Management 12.0 Operations Guide at https://help.sap.com/rm.

Configuring NW VSI in the Landscape


SAP Risk Management provides the ability to upload documents. We recommend you scan all documents for potential malicious
code before you upload them. You can use the SAP NetWeaver Virus Scan Interface (NW VSI) to scan the documents. For more
information, see SAP Virus Scan Interface in the SAP NetWeaver Library.

Application Security: SAP Risk Management


A user's access to screens and menus on the front-end is determined by the following:

The applications that are installed

The role type

The authorizations granted to the role type

Application Authorizations
The following table lists examples of screens on the front-end you see based on the applications installed and licensed on your
system:

Item | Application
My Home > Work Inbox | All
Global Compliance Structure > Indirect Entity-Level Controls | SAP Process Control
Assessments > Proposed Risks and Risk Evaluations | SAP Risk Management

Customizing Front-end Screens and Menus


You can configure user-specific front-end screens and menus in the Customizing activities accessed from the SPRO transaction.

 Caution
SAP does not recommend you customize the information architecture because if SAP provides updates to the content, then
such changes update only the standard SAP-delivered repository and Launchpads. The changes do not directly update any
customized versions.

You carry out the configuration activities from transaction SPRO, SAP Reference IMG > Governance, Risk, and
Compliance > General Settings > Maintain Customer Specific Menus. Modify Maintain Authorizations for Applications Links
and Configure LaunchPad for Menus according to your users' needs.

Privacy Concerns
Notify your users as required by your company's privacy policy that user information such as first name, last name, e-mail
address, roles, and other personal information is stored by the program GRAC_REPOSITORY_OBJECT_SYNC.

First-Level and Second-Level Authorizations


This configuration flag determines the approach that is used to perform user-role assignments. The default authorization is
First-Level Authorization. You can choose to enable Second-Level Authorization in Customizing. For more information, see
Configuring Second-Level Authorizations.

First-Level Authorizations
When first-level authorization is active, the users assigned to the Business User role (SAP_GRC_FN_BUSINESS_USER) are the
users available for any entity-user-role assignment. Once a user is assigned to an entity-user-role, the user assigned to the
entity inherits the authorizations associated with the corresponding application role, as configured in PFCG.

 Example
The figure illustrates that all users are included in the pool of potential users for the subprocess owner and control owner
roles.

First Level Authorization Details

Authorizations | Entity Data Assignments | Delegation
Business user role assignment. For all general users, this assignment is mandatory to access the application. | User assignment restricted to business users. | Any business user can be a delegate and inherit data and authorizations.

Second Level Authorizations


In second-level authorization, the users available for an entity-user-role assignment are restricted to those users who have that
specific application role assigned to their user profile. This allows the pool of business users to be segmented into different
entity-user-role groups.

 Example
The following figure illustrates that, in Process Control, you can define that only users assigned to the Subprocess Owner
application role can be considered for subprocess entity-user-role assignments. Similarly, in Risk Management, you can
define that only users assigned to the Opportunity Owner application role can be considered for opportunity entity-user-role
assignments.

Second-Level Authorization Details

Authorizations | Entity Data Assignments | Delegation
Business user role assignment. Application role assignment is required. | User assignment restricted to users assigned to application roles. | Any business user can be a delegate and inherit data and authorizations.

Configuring Second-Level Authorizations


You can enable and disable Second-Level Authorizations in the Customizing activity Maintain Authorization Customizing under
Governance, Risk, and Compliance > General Settings > Authorizations > Maintain Authorization Customizing.

 Note

This setting is shared by both the SAP Process Control and SAP Risk Management applications. Therefore,
maintaining the setting for one application affects both applications, if you have licensed both.

This is a global setting and affects all application roles for your application.

Second-Level Authorizations affect only entity-user-role assignments while the feature is enabled. Entity-user-role
assignments maintained prior to enabling Second-Level Authorizations may lose authorizations to perform certain
activities in the application if they do not have the appropriate entity user-roles assigned. In this case, you must
assign the additional authorizations to the specific users.

Delivered Roles

Risk Management Application Roles


The information in this section applies only to SAP Risk Management. The delivered application roles are example roles. You can
use them as is, copy them, or create your own.

SAP Risk Management roles have the following attributes:

Role | Role ID | Entity Level | Assigned by
Activity Owner | SAP_GRC_RM_API_ACTIVITY_OWNER | Activity, Corporate | Unit Risk Manager
Central Risk Manager | SAP_GRC_RM_API_CENTRAL_RM | Corporate, Organization | Power User
CEO/CFO | SAP_GRC_RM_API_CEO_CFO | Corporate, Organization | Central Risk Manager
Incident Editor | SAP_GRC_RM_API_INCIDENT_EDITOR | Incident | Unit Risk Manager
Internal Auditor | SAP_GRC_RM_API_INTERNAL_AUD | Corporate, Organization | Central Risk Manager
Opportunity Owner | SAP_GRC_RM_API_OPP_OWNER | Opportunity | Unit Risk Manager
Organization Owner | SAP_GRC_RM_API_ORG_OWNER | Corporate, Organization | Central Risk Manager
Risk Expert | SAP_GRC_RM_API_RISK_EXPERT | Risk | Unit Risk Manager
Risk Owner | SAP_GRC_RM_API_RISK_OWNER | Risk | Unit Risk Manager
System Administrator | SAP_GRC_RM_API_LIAISON | Corporate | Central Risk Manager
Unit Risk Manager | SAP_GRC_RM_API_RISK_MANAGER | Corporate, Organization | Central Risk Manager

They are assigned through the User Access work set.

They require the following standard roles:

SAP_GRC_FN_BASE

SAP_GRC_FN_BUSINESS_USER

Authorization Objects Contained in Application Roles


The application roles are composed of the following authorization objects:

GRFN_API

This is the most utilized authorization object. It controls access to the master data objects and drives the user
authorizations for the business entities. It includes the following elements: activity, entity, subentity, and datapart.

GRFN_REP

This authorization object controls the access to retrieve data for reports. It has the elements: Activity and Report Name.

GRFN_CONN

This authorization object is used to run automated rules testing or monitoring on other systems. It grants Remote
Function Call authority to the user. To assign this authorization to users, use transaction SU01 in the back-end system to
create a new role, add the authorization object to the role, and assign the role to users.

For more information about the possible element values, see Authorization Object Elements.

NWBC Roles
SAP Risk Management delivers the following NWBC role to allow users the authorization to launch NWBC and access menu
items in NWBC. You must copy this role into your own namespace and assign it to all users who need to use NWBC.

Role | Description
SAP_GRC_NWBC | Gives authorizations to launch NWBC. Assign this role to all NWBC users.

 Note
Do not assign SAP_GRC_NWBC and SAP_GRAC_NWBC to the same user.

Business Catalog Roles for the SAP Fiori Launchpad


This information is relevant for customers who have implemented the SAP Fiori Launchpad (FLP). The SAP Fiori Launchpad is a
shell that hosts SAP Fiori apps, and provides the apps with services such as navigation, personalization, embedded support, and
application configuration.

Role administrators make tile catalogs and groups available on the end user's page by assigning tile catalogs and tile groups to
a PFCG role to which users can be assigned. Users logging on to the launchpad see all assigned groups on their home page, and
when users open the catalog section, they can access all tiles in the assigned catalogs.

SAP Risk Management 12.0 delivers the following business catalog roles, and customers can create further roles as required.

Business Catalog Roles in SAP Risk Management 12.0

Business Role | Role Name | Maps To
SAP_GRC_BCR_EMPLOYEE_RM_T | Employee | SAP_GRC_RM_API_RISK_OWNER - Risk Owner, and SAP_GRC_RM_API_RISK_EXPERT - Risk Expert
SAP_GRC_BCR_RM_T | Risk Manager (GRC) | SAP_GRC_RM_API_CENTRAL_RM - Central Risk Manager
SAP_GRC_BCR_RMSPL_T | Risk Management Specialist | SAP_GRC_RM_API_RISK_MANAGER - Unit Risk Manager

Users with a given role are authorized to access the corresponding work center. By default, these roles do not have a business
group assigned (when roles are assigned to a group, the related apps appear together on the Launchpad). You can create new
groups, and you can also create customized roles as required.

By creating customized roles, and then giving users those roles, you can ensure that users have access to the apps needed to
carry out their work.

Configuring Customized Roles

Introduction
There are three main steps to take to create a customized business role:

1. Create a new catalog, then add tiles and target mapping.

2. Create a group, and link it to the catalog. You can link multiple groups to one catalog, multiple catalogs to one group, and
so on.

3. Create a role for the group, and then add the new role to the user.

These steps are described in more detail in the sections below.

Creating a new catalog


1. Open Display IMG > UI Technologies > SAP Fiori > Configuring Launchpad Content > SAP Fiori Launchpad Designer
(Current Client).

2. Click the icon on the Catalog tab to open the Create Catalog dialog box, and then add the appropriate title and ID for
the new catalog.

3. To add a tile, open, for example, the pre-determined catalog for SAP Process Control:

X-SAP-U12-ADCAT: SAP_TC_GRC_PC_BE_APPS:SOHGRPC

Or for SAP Risk Management:

X-SAP-U12-ADCAT: SAP_TC_GRC_RM_BE_APPS:SOHGRRM

Then select the required tile. You might like to note the Semantic Object and Action, as this information will be needed
for the target mapping step.

To add the tile to the new catalog, click Create Reference, and select the catalog you have just created.

4. Find the Semantic Object and Action in the Target Mapping tab, and create a reference to the new catalog as previously.

Creating a group
1. When you have added all the required tiles and the associated target mappings, switch from the Catalog tab to the
Groups tab.

2. Use the icon to create a new group. If you want users to be able to add and remove tiles from the group on their
Launchpad, check Enable users to personalize their group.

3. Find the catalog, and then select which tiles to add for the particular group.

Creating roles for a group


1. Roles are created in transaction PFCG Role Maintenance. Customer-created roles need to begin with 'Z_', as in this
example:

Z_ABC_DEF_GHI_JKL

2. On the Create Roles screen, go to Menu > Transaction > SAP Fiori Tile Catalog and find the correct catalog ID in the
Assign Tile Catalog dialog box.

3. The catalog will now be visible in the Role Menu. Open the SAP Fiori Tile Group in the same way, and assign the group.

The user can now add the role using SU01 User Maintenance, and will see the configured tiles in their Launchpad.
General information on the SAP Fiori Launchpad can be found at SAP Fiori Launchpad.

Roles for SAP Fiori 1.0 Apps


SAP Risk Management delivers the following backend and frontend roles to allow users to access the SAP Fiori 1.0 apps. Copy
these roles into your own namespace and assign them to all users who need to access the SAP Fiori 1.0 apps.

SAP Fiori App | Role | Description
Manage Risk Assessments | SAP_GRC_BCR_RM_T | Front end role for accessing the Fiori app.
Manage Risk Assessments | SAP_GRC_SPC_ACCESS_ODATA | Back end role for RFC and OData service access.

Workflow Recipient
The applications determine the agent (or recipient) of a workflow task based on the mapping of business events and roles. You
can override the default configuration and maintain your own agent determination rule in the Customizing activities (using the
SPRO transaction). Carry out the activity Maintain Custom Agent Determination Rules under Governance, Risk, and
Compliance > General Settings > Workflow.

In the Customized Business Events table, you configure rules for determining the recipient of a workflow task by customizing
the business events, sort, roles, entities, and subentities.

Maintaining Workflow Recipient Rules

Use

 Note
The examples shown in this topic may include references to features of both SAP Process Control and SAP Risk
Management. Features of either of these applications are only available if you possess the corresponding application license.

The following is an overview for maintaining the workflow recipient rules:

The value of the sort number has no numerical significance. It is only for grouping. The following figure illustrates that the
Perform Assessment business event for SOX Control Owner is in the same group as the SOX Subprocess Owner.

The business event processing starts with the lowest entity-level role and proceeds upwards. In the following example,
control owner is lower than subprocess owner in the entity-level hierarchy, therefore it is processed first.

Entity and subentity are optional. You can leave them empty. You only need to include them where they are needed to
differentiate business events. In the following example, Perform Signoff and Perform AOD do not need entities or subentities
because the task can only be performed in one way. Perform Assessment is differentiated so that control owner performs
Control Design assessment (CD) and subprocess owner performs Process Design assessment (PD).

For all business events (except for Incident_Validate and Master_Data_Change_Notify), the application processes the
business events on the basis of the first group found. In the following example, the application processes the first group
found (Sort 1) for the Perf_Assessment business event and stops.

The Incident_Validate business event is processed in serial for All Groups Found. The following example illustrates that
the application first processes the sort 8 group, then the sort 9 group.

The MasterData_Change_Notification business event is processed in parallel for All Groups Found. The following example
illustrates that the notification is sent to the control owner, SOX internal control manager, and FDA internal control
manager concurrently.

You can specify a backup role to receive the workflow task by placing different roles in the same sort group with the same
business event. The following example illustrates that, because the control owner role is lower in the entity hierarchy, it
is processed first. However, if there is no user assigned to that role, the task is assigned to the subprocess owner.

These business events must be configured as follows:

0PC_RECE_ISSUE

When the subentity is CO or MO, enter the entity as G_IS. For all other subentities, enter the entity as G_AS.

0PC_RECE_REM_PLAN

Enter the entity as G_IS (issue); the entity of the remediation plan creator.

0PC_PERF_SIGNOFF and 0PC_PERF_AOD

Enter the entity as ORGUNIT, not SIGNOFF.
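The recipient rules above (sort groups, lowest entity-level role first, backup roles, first-group-found versus serial and parallel processing, optional entity and subentity) carried through as an added Python model. It is not SAP's agent determination code; the rule rows, role names, users and the entity-level hierarchy are constructed, and groups are walked in ascending sort order because that is how the guide's examples read.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One row of the Customized Business Events table (constructed model)."""
    event: str
    sort: int          # groups rows; rows with the same sort are one group
    role: str          # entity-level role, e.g. CONTROL_OWNER
    entity: str = ""   # optional: only set to differentiate business events
    subentity: str = ""


# Constructed entity-level hierarchy: lower number = lower level = processed first.
ROLE_LEVEL = {"CONTROL_OWNER": 1, "SUBPROCESS_OWNER": 2, "PROCESS_OWNER": 3,
              "SOX_ICMAN": 4, "FDA_ICMAN": 4}

# Events the guide says are processed for all groups found; every other event
# stops after the first group found.
SERIAL_EVENTS = {"INCIDENT_VALIDATE"}
PARALLEL_EVENTS = {"MASTER_DATA_CHANGE_NOTIFY"}

Recipient = Tuple[str, List[str]]   # (role, users assigned to that role)


def matching_groups(rules: List[Rule], event: str, entity: str, subentity: str) -> List[List[Rule]]:
    """Rows matching the task, bucketed by sort number, lowest sort first.

    An empty entity/subentity on a row matches any task value.
    """
    groups: Dict[int, List[Rule]] = {}
    for r in rules:
        if r.event != event:
            continue
        if r.entity and r.entity != entity:
            continue
        if r.subentity and r.subentity != subentity:
            continue
        groups.setdefault(r.sort, []).append(r)
    return [groups[s] for s in sorted(groups)]


def resolve_group(group: List[Rule], assignments: Dict[str, List[str]]) -> Optional[Recipient]:
    """Pick the recipient inside one sort group.

    Roles are tried from the lowest entity level upwards; a role with no user
    assigned is skipped, so a higher role in the same group acts as backup.
    """
    for rule in sorted(group, key=lambda r: ROLE_LEVEL.get(r.role, 99)):
        users = assignments.get(rule.role, [])
        if users:
            return rule.role, list(users)
    return None


def determine_recipients(rules: List[Rule], assignments: Dict[str, List[str]],
                         event: str, entity: str = "", subentity: str = "") -> List[List[Recipient]]:
    """Return processing stages; each stage is a list of recipients handled together.

    Default events: one stage from the first group found, then stop.
    INCIDENT_VALIDATE: one stage per group, one after another (serial).
    MASTER_DATA_CHANGE_NOTIFY: a single stage holding every group (parallel).
    """
    groups = matching_groups(rules, event, entity, subentity)
    hits = [resolve_group(g, assignments) for g in groups]
    if event in PARALLEL_EVENTS:
        stage = [h for h in hits if h]
        return [stage] if stage else []
    if event in SERIAL_EVENTS:
        return [[h] for h in hits if h]
    # First group found: only that group is processed, even if nobody is assigned in it.
    return [[hits[0]]] if hits and hits[0] else []


# Constructed rule table mirroring the guide's examples.
RULES = [
    Rule("PERF_ASSESSMENT", 1, "CONTROL_OWNER", subentity="CD"),     # control design
    Rule("PERF_ASSESSMENT", 1, "SUBPROCESS_OWNER", subentity="PD"),  # process design
    Rule("PERF_ASSESSMENT", 2, "PROCESS_OWNER"),                     # never reached
    Rule("PERF_SIGNOFF", 1, "CONTROL_OWNER"),
    Rule("PERF_SIGNOFF", 1, "SUBPROCESS_OWNER"),                     # backup role
    Rule("INCIDENT_VALIDATE", 8, "CONTROL_OWNER"),
    Rule("INCIDENT_VALIDATE", 9, "SUBPROCESS_OWNER"),
    Rule("MASTER_DATA_CHANGE_NOTIFY", 1, "CONTROL_OWNER"),
    Rule("MASTER_DATA_CHANGE_NOTIFY", 2, "SOX_ICMAN"),
    Rule("MASTER_DATA_CHANGE_NOTIFY", 3, "FDA_ICMAN"),
]

# Constructed entity-user-role assignments (role -> users).
ASSIGNMENTS = {
    "CONTROL_OWNER": ["ALICE"], "SUBPROCESS_OWNER": ["BOB"],
    "PROCESS_OWNER": ["CAROL"], "SOX_ICMAN": ["DAN"], "FDA_ICMAN": ["ERIN"],
}

if __name__ == "__main__":
    print(determine_recipients(RULES, ASSIGNMENTS, "PERF_ASSESSMENT", subentity="CD"))
    print(determine_recipients(RULES, ASSIGNMENTS, "MASTER_DATA_CHANGE_NOTIFY"))
```

Dropping CONTROL_OWNER from ASSIGNMENTS and resolving PERF_SIGNOFF again shows the backup behaviour: the task falls to SUBPROCESS_OWNER.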

Related Information
SAP Delivered Business Events

Ticket-Based Authorizations
Most users have the authorizations to complete their assigned work item. However, sometimes it is required to pass on a work
item to a user who does not have the required authorizations. Ticket-Based Authorizations provides temporary authorizations
to the user to enable them to complete the work item. Once the work item has been completed, or reassigned to another user,
the ticket expires for this user.

 Note
The delivered ticket-based authorizations cannot be modified. Further, the functionality is transparent to the user. This
information is provided for explanatory purposes only.

Users Who May Need Ticket-Based Authorizations


Risk Survey Performer

Activity Survey Performer

KRI Survey Performer

Time-Related Aspects
Once a user starts to perform the task from the work inbox, the authorization is given to the user.

The authorization is temporary. A user who no longer holds the ticket is no longer authorized to perform the task.

The authorization expires when the task is submitted. If the time has passed beyond the task due date, but the user has
not submitted the task, the authorization remains active.

The authorization is subject to the SAP Business Workflow escalation functionality.

Authorization Objects Relevant to Security


You must maintain the SAP Risk Management authorizations for application server objects:

Personnel Planning (PLOG) from Organizational Management:

The general object type Organization (orgunit) is used in SAP Risk Management.

 Note

Organizations created in other projects are also available in SAP Risk Management.

Organizations created in SAP Risk Management are available in other projects.

Case Management and Records Management:

The SAP Risk Management analysis, responses, and surveys are stored in Case or Records Management. The
RMS ID for SAP Risk Management is GRRM_RM.

Authorization Objects Relevant to Enterprise Search and ODP


The following authorization objects are relevant to Enterprise Search and Operational Data Provisioning (ODP).

Enterprise Search

GRFN_ES

This authorization object controls the access to enterprise search. It has the element Entity.

Operational Data Provisioning

GRFN_ODP

This authorization object checks for access to GRC entities via ODP. The following are the defined fields:

GRC_ENTITY — The GRC entity (or object type) to which the authorization entry corresponds.

GRFN_OBJ — The IDs of objects which the user can access.

GRFN_ODP_C

This authorization object does an authority check for access to GRC entities with IDs via ODP. The following are the
defined fields:

GRC_ENTITY — The GRC entity (or object type) to which the authorization entry corresponds.

GRFN_OBJ_C — The Complex IDs of objects which the user can access.

GRFN_ODP_E

This authorization object checks for access to GRC entities via ODP. The following is the defined field:

GRC_ENTITY — The GRC entity (or object type) to which the authorization entry corresponds.

GRFN_ODP_R

This authorization object does an authority check for access to GRC regulation-speci c entities via ODP. The following
are the de ned elds:

GRC_ENTITY — The GRC entity (or object type) to which the authorization entry corresponds.

GRFN_OBJ — The IDs of objects which the user can access.

GRPC_REG — Regulation object ID

GRFN_ODPRC

This authorization object does an authority check for access to GRC regulation-speci c entities with complex IDs via ODP.
The following are the de ned elds:

GRC_ENTITY — The GRC entity (or object type) to which the authorization entry corresponds.

GRFN_OBJ_C — The Complex IDs of objects which the user can access.

GRPC_REG — Regulation object ID.

Delivered Roles and Relevant Authorization Objects

These are the delivered back-end roles for SAP Process Control and SAP Risk Management. You assign the roles to configure
user permissions and authorizations.

 Note
References to SAP Process Control are only relevant if you have implemented and licensed that application in addition to
SAP Risk Management.

Role ID (application) and description:

SAP_GRC_FN_ALL (Process Control, Risk Management)
    This is the power user role. It can access both the front-end and back-end systems. It does not use entity-level
    security and therefore bypasses the authorizations from the SAP_GRC_FN_BUSINESS_USER role.

     Recommendation
    This role provides extensive access. For security purposes, we recommend that you use the role only in emergencies
    such as troubleshooting task issues, and that you regularly review who holds it. It includes the following
    authorizations:
    - Administration functions in Process Control and Risk Management Customizing
    - Structure setup in expert mode
    - Data upload for structure setup
    - Central Delegation (delegation to any user in the system)

     Note
    The role does not contain the authorizations for customizing workflows, case management, or Web service activation.
    For these authorizations, use SAP_GRC_SPC_CUSTOMIZING in Process Control and SAP_GRC_RM_CUSTOMIZING in Risk
    Management.

SAP_GRC_FN_BASE (Process Control, Risk Management)
    This technical role is required for all users to access the application.

SAP_GRC_FN_BUSINESS_USER (Process Control, Risk Management)
    This is the default role assigned to all users. You must assign additional entity-level authorizations to users to
    enable them to perform activities and act on objects in the application.

     Note
    Users who set up master data must be assigned additional rights to perform uploads using program GRPCB_UPLOAD.

SAP_GRC_FN_DISPLAY (Process Control, Risk Management)
    This role can access the SAP NetWeaver ABAP Server. It contains the display authorizations for Customizing and
    entity-level authorizations.

     Recommendation
    Assign this role to external auditors to give them display access throughout the application. This role bypasses
    the SAP_GRC_FN_BUSINESS_USER role to grant display authorizations in the back end. If you want more control over
    what is displayed, use SAP_GRC_FN_BUSINESS_USER instead.

SAP_GRC_RM_CUSTOMIZING (Risk Management)
    This role can access the SAP NetWeaver ABAP Server. It contains all authorizations for Customizing settings in the
    application, including the authorization objects for the following:
    - SAP Risk Management
    - Customizing Workflow
    - Case management
    - RFC connections
    - Shared objects monitor
    - Client comparison with Customizing Cross-System Viewer
    - Job scheduling
    - E-mail notification settings
    - Web service activation

     Note
    You may be required to record all your changes in a Customizing request. Review the client settings in transaction
    SCC4 and make sure a request is available to you, or that you are authorized to create one.

     Note
    This role does not have authorizations to perform the following tasks:
    - Activating and creating BAdI implementations
    - SAP NetWeaver Business Intelligence integration
    - Remote logon to configure the RFC connections

SAP_GRC_SPC_CHIP_VIEWER (Process Control, Risk Management)
    This role grants the authority to view entry pages and side panels that are implemented with CHIPs (Collaborative
    Human Interface Parts).

SAP_GRC_SPC_CUSTOMIZING (Process Control)
    This role can access the SAP NetWeaver ABAP Server. It contains all authorizations for Customizing settings in the
    application, including the authorization objects for the following:
    - SAP Process Control
    - Customizing Workflow
    - Case management
    - RFC connections
    - Shared objects monitor
    - Client comparison with Customizing Cross-System Viewer
    - Job scheduling
    - E-mail notification settings
    - Web service activation

     Note
    You may be required to record all your changes in a Customizing request. Review the client settings in transaction
    SCC4 and make sure a request is available to you, or that you are authorized to create one.

     Note
    This role does not have authorizations to perform the following tasks:
    - Activating and creating BAdI implementations
    - SAP NetWeaver Business Intelligence integration
    - Remote logon to configure the RFC connections

SAP_GRC_SPC_SCHEDULER (Process Control)
    This role grants the authority to perform background job execution.

SAP_GRC_SPC_SETUP (Process Control)
    This role grants the authority for system setup and installation.

For more information, see the individual roles in Customizing.
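The role descriptions above translate directly into a review check: who holds the emergency-only power role, who holds the auditor display role, and who has GRC roles without the technical base role that every user needs. The following Python script is an added example written for this guide, not SAP code. It reads a user-to-role assignment export in the column layout of table AGR_USERS (UNAME, AGR_NAME, FROM_DAT, TO_DAT); the semicolon-separated file format and all sample rows are constructed for the example, and the script only looks at direct single-role assignments.

```python
"""Review GRC back-end role assignments against the role guidance above.

Added example, not SAP code. Input is a constructed export with the
AGR_USERS columns UNAME, AGR_NAME, FROM_DAT, TO_DAT (dates in DATS form
YYYYMMDD). Findings raised:
  * holders of SAP_GRC_FN_ALL, which bypasses entity-level security and is
    recommended for emergency use only;
  * holders of SAP_GRC_FN_DISPLAY, which bypasses SAP_GRC_FN_BUSINESS_USER
    for back-end display access (intended for external auditors);
  * users with GRC roles but without SAP_GRC_FN_BASE, which every user
    needs to reach the application at all.
"""
import csv
import io
from datetime import date

POWER_ROLE = "SAP_GRC_FN_ALL"
DISPLAY_ROLE = "SAP_GRC_FN_DISPLAY"
BASE_ROLE = "SAP_GRC_FN_BASE"
GRC_PREFIX = "SAP_GRC_"

# Constructed sample export (not real data). ERIN's power role has expired.
SAMPLE_EXPORT = """\
UNAME;AGR_NAME;FROM_DAT;TO_DAT
ALICE;SAP_GRC_FN_BASE;20230101;99991231
ALICE;SAP_GRC_FN_BUSINESS_USER;20230101;99991231
BOB;SAP_GRC_FN_BASE;20230101;99991231
BOB;SAP_GRC_FN_ALL;20230101;99991231
CAROL;SAP_GRC_FN_BUSINESS_USER;20230101;99991231
DAVE;SAP_GRC_FN_BASE;20230101;99991231
DAVE;SAP_GRC_FN_DISPLAY;20230101;99991231
ERIN;SAP_GRC_FN_BASE;20230101;99991231
ERIN;SAP_GRC_FN_ALL;20230101;20230131
"""
SAMPLE_REVIEW_DATE = date(2024, 7, 28)   # ERIN's SAP_GRC_FN_ALL already expired
EARLIER_REVIEW_DATE = date(2023, 1, 15)  # ERIN's SAP_GRC_FN_ALL still valid


def _parse_dats(value):
    """Convert an ABAP DATS string (YYYYMMDD) to a date."""
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def load_assignments(export_text, on_date):
    """Return {user: set(roles)} for assignments valid on on_date."""
    active = {}
    for row in csv.DictReader(io.StringIO(export_text), delimiter=";"):
        if _parse_dats(row["FROM_DAT"]) <= on_date <= _parse_dats(row["TO_DAT"]):
            active.setdefault(row["UNAME"], set()).add(row["AGR_NAME"])
    return active


def review(assignments):
    """Return a sorted list of (user, finding) tuples."""
    findings = []
    for user, roles in sorted(assignments.items()):
        if POWER_ROLE in roles:
            findings.append((user, "holds SAP_GRC_FN_ALL: emergency-only power role that "
                                   "bypasses entity-level security"))
        if DISPLAY_ROLE in roles:
            findings.append((user, "holds SAP_GRC_FN_DISPLAY: back-end display access that "
                                   "bypasses SAP_GRC_FN_BUSINESS_USER"))
        if BASE_ROLE not in roles and any(r.startswith(GRC_PREFIX) for r in roles):
            findings.append((user, "has GRC roles without SAP_GRC_FN_BASE: cannot access "
                                   "the application"))
    return findings


def review_export(export_text, on_date=None):
    """Parse the export and review assignments valid on on_date (default: today)."""
    return review(load_assignments(export_text, on_date or date.today()))


if __name__ == "__main__":
    for user, finding in review_export(SAMPLE_EXPORT, SAMPLE_REVIEW_DATE):
        print(f"{user}: {finding}")
```

A production review must also resolve composite roles and reference users and take the validity dates into account, as this script does for direct assignments; an expired SAP_GRC_FN_ALL assignment is no longer a finding, but a still-valid one is.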

PFCG Basic Role Authorization Objects

SAP delivers the following authorization objects for the PFCG basic roles:

GRFN_USER
    This authorization object separates business users from power users and controls whether a user may perform their
    own delegation or central delegation. It has only the Activity element.

GRFN_CONN
    This authorization object is used to run automated rules testing or monitoring on other systems. It grants Remote
    Function Call authority to the user for the connected systems, so assign it only to users who must execute
    automated monitoring. To assign this authorization, create a role in transaction PFCG in the back-end system, add the
    authorization object to the role, and assign the role to users (in PFCG or transaction SU01).

SAP Delivered Business Events

 Note
Any references to SAP Process Control features or business events only apply if you have also implemented and licensed the
SAP Process Control application.

Business events are the placeholders for recipient determination in workflow-driven scenarios. When the workflow needs to
determine the recipient, it uses the correlated object of the workflow instance and the business event.

SAP ships default rules for recipient determination based on the entity, activity, and datapart used in roles. You can
overwrite the default rules with your own by mapping business events directly to roles. Because these rules decide who
receives, and can therefore act on, approval, validation, and sign-off work items, treat custom agent determination rules
as security-relevant configuration and record them in a Customizing request.

For information about the delivered business events and where they are used in the application, view the BC Set for the
Customizing activity Maintain Custom Agent Determination Rules, under Governance, Risk, and Compliance > General
Settings > Workflow.

The following list gives the SAP delivered business events, their names, and a description of each:

0FN_AHISSUE_DEFAULT_PRC (Default processor for Ad hoc issue)
    When an ad hoc issue is reported on an object, the application enters the default issue owner. This business event
    suggests the default ad hoc issue owner.

0FN_AM_BRFP_NOTIFY (CM Event BRFplus notification)
    The Continuous Monitoring subscenario EVENT supports sending notifications. When users choose to find recipients by
    customer agent rule, this business event determines the recipient.

0FN_ISSUE_NOTIFY (Send notification to object owner of Ad-hoc Issue)
    When an ad hoc issue is confirmed, the application automatically sends a notification to the object owner. This
    business event determines the recipient based on the object owner.

0FN_MDCHG_APPR (Get master data change approver who has the change authority of the object)
    This business event determines the recipient of a change request for master data changes.

0FN_MDCHG_NTFY (Get notified person who has the display authority of the object)
    This business event determines the recipients of a notification when a master data change happens.

0FN_MDCHG_NTFY_L (Get notified person who has the display authority of the object on local object level)
    This business event determines the recipients of a notification when a local master data change happens.

0FN_POLICY_APPROVE (Approve policy)
    This business event determines the recipients to approve a policy when it is sent for approval. The agent of
    0FN_POLICY_DEFAULT_APPR is also in the recipient list.

0FN_POLICY_DEFAULT_APPR (Default approver for policy)
    This business event determines the default recipients to approve a policy when it is sent for approval.

0FN_POLICY_REVIEW (Review policy)
    This business event determines the recipients to review a policy.

0PC_CONTROL_PROPOSAL_APPR (Get control proposal approver who has the change authority of the object)
    This business event determines the approval recipients of a control proposed from the PC and RM integration
    scenario.

0PC_PERF_AOD (Perform aggregation of deficiencies)
    This business event determines the recipients of Aggregation of Deficiencies, which can be scheduled in the
    Planner.

0PC_PERF_ASSESSMENT (Perform assessment)
    This business event determines the recipients of several assessment types, which can be scheduled in the Planner.

0PC_PERF_CRA (Perform control risk assessment)
    This business event determines the recipients of Control Risk Assessments, which can be scheduled in the Planner.

0PC_PERF_CTRL_PERF (Perform Manual Control Performance)
    This business event determines the recipient of Manual Control Performance.

0PC_PERF_DISCSVY (Perform Disclosure Survey)
    This business event determines the recipient of a Disclosure Survey.

0PC_PERF_IELC_ASSESSMENT (Perform indirect Entity-Level Control Assessment)
    This business event determines the recipients of Indirect Entity-Level Control Assessments, which can be scheduled
    in the Planner.

0PC_PERF_IELC_TESTING (Perform Indirect Entity-Level Control Testing)
    This business event determines the recipients of Indirect Entity-Level Control Testing.

0PC_PERF_RISK_ASSESSMENT (Perform risk assessment)
    This business event determines the recipients of a Risk Assessment.

0PC_PERF_SIGNOFF (Perform Sign-Off)
    This business event determines the recipients of Sign-Off.

0PC_PERF_TESTING (Perform testing)
    This business event determines the recipients of Testing.

0PC_RECE_ESCALATION (Receive escalations of workflow)
    Lets you configure escalation recipients for overdue workflow items. For more information, see Customizing for
    Workflow E-Mail Notification under Governance, Risk and Compliance > General Settings > Workflow.

0PC_RECE_ISSUE (Default issue owner)
    This business event determines the recipients of monitoring issues. When users manually assign the issue owner,
    this business event determines the default issue owner.

0PC_RECE_REM_PLAN (Default Remediation Plan Owner)
    When users manually assign the remediation plan owner, this business event determines the default one.

0PC_REVIEW_DISCSVY (Review Disclosure Survey)
    This business event determines the recipient to review or perform a Disclosure Survey.

0PC_VALI_ASSESSMENT (Review assessment)
    This business event determines the recipients to review assessments.

0PC_VALI_CAPA_EXEC (Review CAPA execution)
    This business event determines the recipients to review CAPA execution.

0PC_VALI_CAPA_PLAN (Review CAPA plan)
    This business event determines the recipients to review CAPA plans.

0PC_VALI_CRA (Review control risk assessment)
    This business event determines the recipients to review a Control Risk Assessment.

0PC_VALI_CTRL_PERF (Review Manual Control Performance)
    This business event determines the recipient to review Manual Control Performance.

0PC_VALI_IELC_ASSESSMENT (Review Entity-Level Control Assessment)
    This business event determines the recipients to review an Indirect Entity-Level Control Assessment.

0PC_VALI_IELC_TESTING (Review Indirect Entity-Level Control Testing)
    This business event determines the recipients to review Indirect Entity-Level Control Testing.

0PC_VALI_RISK_ASSESSMENT (Review risk assessment)
    This business event determines the recipients to review Risk Assessments.

0PC_VALI_TESTING (Review manual testing)
    This business event determines the recipients to review testing for manual controls.

0RM_ACTIVITY_SURVEY (Activity Survey)
    This business event determines the recipients of the activity survey.

0RM_ACTIVITY_VALIDATE (Activity Validation)
    This business event determines the recipients of the activity validation.

0RM_COLLAB_ASSMNT_SUB (Contribute to Collaborative Risk Assessment)
    This business event determines all recipients of the initial workflow or survey to participate in a collaborative
    risk assessment.

0RM_COLLAB_ASSMNT_TOP (Consolidate Collaborative Risk Assessment)
    This business event determines the consolidator of a collaborative risk assessment. This user receives a workflow
    item that allows them to track the progress of the collaborative risk assessment. Once the assessment is finished,
    they get another workflow item to start the consolidation of the results.

0RM_INCIDENT_VALIDATE (Incident Validation)
    After an incident has been created and submitted, or posted from outside, the validation workflow is triggered. This
    business event determines multiple groups of validators for the incident. First, a validation work item goes out to
    all members of the first group. Once a member of the first group has approved the incident, the members of the next
    group receive a validation item, and so on. The incident is completely approved after a member from each group has
    approved it. If anyone sends it to rework, the validation cycle begins again with the first group.

0RM_KRI_LIAISON (KRI Liaison)
    This business event determines the workflow recipients for KRI implementation requests and KRI localization
    requests. A KRI implementation request is triggered after a new KRI implementation request has been created for a
    KRI template. A localization request is triggered when a localization for a KRI instance is requested in the Risk
    Management front end.

0RM_KRI_NOTIFICATION (KRI Notification)
    This business event determines the recipients of the notification of violated business rules maintained for one or
    multiple KRI instances in the Risk Management front end.

0RM_KRI_SURVEY (Risk Indicator Survey)
    This business event determines the recipients of the risk indicator survey.

0RM_KRI_VALUE_INPUT (KRI Value Input)
    This business event determines the workflow recipients for KRI value input. In the Planner, choose the activity
    Perform KRI Manual Entry to create a workflow task in the user's inbox to manually update the KRI value.

0RM_OPP_ASSESSMENT (Opportunity Assessment)
    This business event determines the recipients of the opportunity assessment.

0RM_OPP_VALIDATE (Opportunity Validation)
    This business event determines the recipients of the opportunity validation.

0RM_PERF_CONSOLIDATION (Perform Risk Consolidations)
    This business event determines the recipients for performing risk consolidation.

0RM_RESP_AHISSUE_UPDATE (Response update from issue status change)
    This business event determines the recipients of an e-mail notification when response completeness reaches 100%
    based on the related issue closing.

0RM_RESP_CONT_UPDATE (Response update from Control's cases)
    This business event determines the recipients of an e-mail notification when response completeness or effectiveness
    changes based on a related control rating change.

0RM_RESP_POLICY_UPDATE (Response update from policy status change)
    This business event determines the recipients of an e-mail notification when response completeness reaches 100%
    based on a related policy status change.

0RM_RESPONSE_PROPOSE (Create response or response template based on response proposal, or reject the response proposal)
    This business event determines the recipients who receive and approve or reject response proposals.

0RM_RESPONSE_UPDATE (Response Validation)
    This business event determines the recipients of the response update.

0RM_RISK_ASSESSMENT (Risk Assessment)
    This business event determines the recipients of the risk assessment.

0RM_RISK_PROPOSE (Risk Proposal)
    After a risk is proposed in SAP Risk Management, a workflow is sent to a risk management expert to validate the
    proposal. If it is accepted, a new risk is created for it. This business event determines the approver.

0RM_RISK_SURVEY (Risk Survey)
    This business event determines the recipients of the risk survey.

0RM_VALI_CONSOLIDATION (Review risk consolidations)
    This business event determines the recipient to review risk consolidation.

Authorization Object Elements

You configure the authorizations for application roles by maintaining the authorization object elements. The following
tables list the descriptions of the authorization object elements.

Activity

 Note
The following information is relevant to both SAP Risk Management and SAP Process Control, depending on which of those
applications you have implemented and licensed.

Activity controls what the user may do to the business object.

Activity            Authorization Object
CHANGE              GRFN_API
CREATE              GRFN_API
DELETE              GRFN_API
DISPLAY             GRFN_API
ANALYZE             GRFN_REP
PRINT               GRFN_REP
DISPLAY TAKEOVER    GRFN_USER
DISTRIBUTE          GRFN_USER
EXECUTE             GRFN_CONN

Entities

 Note
The following information is relevant to both SAP Risk Management and SAP Process Control, depending on which of those
applications you have implemented and licensed.

The entity specifies the business object. Its values are all the business objects within the application. The following
table lists the authorization-relevant entities for the SAP Process Control and SAP Risk Management applications. In the
Central column, X marks a central object.

Entity        Application                       Description                                   Central
ACC_GROUP     Process Control                   Account Group                                 X
ACTIVITY      Risk Management                   Activity                                      not applicable
AM_JOB        Process Control, Risk Management  Scheduler                                     not applicable
AM_JOBP       Process Control, Risk Management  Job Log                                       not applicable
AM_JOBRESULT  Process Control, Risk Management  Job Result                                    not applicable
AM_AHQRY      Process Control, Risk Management  Ad-Hoc Query                                  not applicable
AM_EVENT      Process Control, Risk Management  Event Monitor                                 not applicable
AOD           Process Control                   AOD                                           not applicable
BR            Process Control, Risk Management  Business Rule                                 not applicable
BRA           Process Control, Risk Management  Business Rule Assignment                      not applicable
CACTIVITY     Risk Management                   Activity Category                             X
CAGROUP       Risk Management                   Activity Category Group                       X
COBJECTIVE    Process Control                   Control Objective                             X
COGROUP       Risk Management                   Opportunity Category                          X
CONTROL       Process Control, Risk Management  Control                                       not applicable
COPP          Risk Management                   Central Opportunity                           X
CPROPOSAL     Process Control                   Control Proposal                              not applicable
CRGROUP       Process Control, Risk Management  Risk Category                                 X
CRISK         Process Control, Risk Management  Central Risk                                  X
ECGROUP       Process Control                   Indirect Entity-Level Control Group           not applicable
ECONTROL      Process Control                   Indirect Entity-Level Control                 not applicable
EO            Process Control, Risk Management  Data Source                                   not applicable
EVENT         Process Control                   Event                                         X
EVENT_D       Process Control                   Dispatched Event                              X
EXEC          Process Control                   Scheduler                                     X
G_AS          Process Control                   Assessment                                    not applicable
G_CP          Process Control                   CAPA Plan                                     not applicable
G_IS          Process Control                   Issue                                         not applicable
G_PL          Process Control                   Remediation Plan                              not applicable
G_TL          Process Control                   Test Log                                      not applicable
INCIDENT      Risk Management                   Incident                                      not applicable
JOBLOG        Process Control                   Job Log from Scheduler                        X
JOBRESULT     Process Control                   Job Result                                    X
KRIIMPL       Risk Management                   KRI Implementation                            X
KRIIMPLREQ    Risk Management                   KRI Implementation Request                    X
KRIINST       Risk Management                   KRI Instance                                  not applicable
KRIRULE       Risk Management                   KRI Business Rule                             not applicable
KRITMPL       Risk Management                   KRI Template                                  X
OBJECTIVE     Risk Management                   Objectives                                    X
OLSP          Process Control                   OLSP                                          X
OPP           Risk Management                   Opportunity                                   not applicable
ORGUNIT       Process Control, Risk Management  Organization                                  not applicable
PLANNER       Process Control, Risk Management  Planner                                       not applicable
PRISK         Risk Management                   Risk Proposal                                 not applicable
PROCESS       Process Control                   Process                                       not applicable
QSURVEY       Risk Management                   Question Survey                               X
REGULATION    Process Control, Risk Management  Regulation/Policy                             X
REG_GROUP     Process Control, Risk Management  Regulation/Policy Group                       X
REG_REQ       Process Control, Risk Management  Regulation/Policy Requirement                 X
RESPONSE      Risk Management                   Response                                      not applicable
RISK          Process Control, Risk Management  Risk                                          not applicable
RULCR         Process Control                   Rule Criteria                                 X
RULE          Process Control                   Rule                                          X
SAPQUERY      Process Control                   SAP Query                                     X
SCRIPT        Process Control                   Rule Script                                   X
SIGNOFF       Process Control                   Sign-Off                                      not applicable
SRV_QUESTION  Process Control, Risk Management  Survey Question                               X
SUBPROCESS    Process Control                   Subprocess                                    not applicable
SURVEY        Process Control, Risk Management  Survey Template                               X
TESTPLAN      Process Control                   Testplan                                      X
XCONTROL      Process Control                   Central Control                               X
XECGROUP      Process Control                   Central Indirect Entity-Level Control Group   X
XECONTROL     Process Control                   Central Indirect Entity-Level Control         X
XPROCESS      Process Control                   Central Process                               X
XSUBPROCESS   Process Control                   Central Subprocess                            X

Subentities

 Note
The following information is relevant to both SAP Risk Management and SAP Process Control, depending on which of those
applications you have implemented and licensed.

Subentities are the subgroup of objects related to an entity. Not all entities have subentities. The following table lists the
subentities and their related entities:

Entity    Subentity   Description
G_AS      CD          Control Design Assessment
G_AS      CE          Self Assessment
G_AS      CR          Control Risk Assessment
G_AS      MCOU        Indirect ELC Assessment
G_AS      PD          Sub Process Assessment
G_AS      RISK        Risk Assessment
G_CP      CE          CAPA plan for Self Assessment
G_CP      CO          CAPA plan for Compliance Test
G_CP      MO          CAPA plan for Monitoring Test
G_CP      TE          CAPA plan for Manual Test
G_IS      CD          Control Design Assessment Issue
G_IS      CE          Self Assessment Issue
G_IS      CO          Compliance Test Issue
G_IS      MCOU        Indirect ELC Assessment Issue
G_IS      MO          Monitoring Test Issue
G_IS      MTOU        Indirect ELC Test Issue
G_IS      PD          Sub Process Assessment Issue
G_IS      TE          Manual Test Issue
G_PL      CD          Control Design Assessment Plan
G_PL      CE          Self Assessment Plan
G_PL      CO          Compliance Test Plan
G_PL      MCOU        Indirect ELC Assessment Plan
G_PL      MO          Monitoring Test Plan
G_PL      MTOU        Indirect ELC Test Plan
G_PL      PD          Sub Process Assessment Plan
G_PL      TE          Manual Test Plan
G_TL      CO          Compliance Test Test Log
G_TL      MO          Monitoring Test Test Log
G_TL      MTOU        Indirect ELC Test Test Log
G_TL      TE          Manual Test Test Log
PLANNER   PERF-AOD    Perform Aggregation of Deficiencies
PLANNER   PERF-CDASS  Perform Control Design Assessment
PLANNER   PERF-CEASS  Perform Self Assessment
PLANNER   PERF-CRISK  Perform Control Risk Assessment
PLANNER   PERF-ETEST  Perform Indirect ELC Test
PLANNER   PERF-MCAOU  Perform Indirect ELC Assessment
PLANNER   PERF-PDASS  Perform Sub Process Assessment
PLANNER   PERF-RISK   Perform Risk Assessment
PLANNER   PERF-SOFOU  Perform Sign-Off
PLANNER   PERF-TEST   Perform Test
PLANNER   PERF-PLCA   Perform Policy Acknowledgement
PLANNER   PERF-PLCQ   Perform Policy Quiz
PLANNER   PERF-PLCS   Perform Policy Survey
PLANNER   GRRM_ACT    Perform Activity Validation
PLANNER   GRRM_ANAL   Perform Risk Assessment
PLANNER   GRRM_OPP    Perform Opportunity Assessment
PLANNER   GRRM_OPPVA  Perform Opportunity Validation
PLANNER   GRRM_RESP   Perform Response Validation
PLANNER   GRRM_RISK   Perform Risk Validation
PLANNER   GRRM_SACT   Perform Activity Survey
PLANNER   GRRM_SKRI   Perform Risk Indicator Survey
PLANNER   GRRM_SRISK  Perform Risk Survey

Dataparts

 Note
The following information is relevant to both SAP Risk Management and SAP Process Control, depending on which of those
applications you have implemented and licensed.

Dataparts split an entity into the parts that can be authorized separately (for example, the basic data of a risk and its
validation). The following table lists the dataparts, their entities, and the application in which each is relevant:

Entity      Datapart         Relevant Application              Description
ACTIVITY    DATA             Risk Management                   Activity Details
ACTIVITY    VALIDATE         Risk Management                   Activity Validation
BR          STATUS           Process Control, Risk Management  Business Rule Status
CONTROL     CDATA            Process Control                   Additional data of control
CONTROL     DATA             Process Control                   Basic data of control
CONTROL     RISK             Process Control                   Assignment of control to risk
CONTROL     RULE             Process Control                   Assignment of control to rule
CONTROL     TDATA            Process Control                   Test attributes of control
ECONTROL    DATA             Process Control                   Basic data of indirect Entity-Level Control
ECONTROL    TDATA            Process Control                   Test attributes of indirect Entity-Level Control
INCIDENT    DATA             Risk Management                   Maintain Incident Draft
INCIDENT    REWORK           Risk Management                   Rework Incident (resubmit or refuse)
INCIDENT    VALIDATE         Risk Management                   Validate Incident (validate or send to rework)
KRITMPL     DATA             Risk Management                   KRI Template Data
KRITMPL     LIAISON          Risk Management                   KRI Liaison
OPP         DATA             Risk Management                   Opportunity Details
OPP         VALIDATE         Risk Management                   Opportunity Validation
ORGUNIT     DATA             Process Control, Risk Management  Orgunit Data
ORGUNIT     ECONTROL         Process Control                   Assignment of Indirect Entity-Level Control
ORGUNIT     INSCOPE          Process Control                   Orgunit Scoping Information
ORGUNIT     RISK_ASSESSMENT  Risk Management                   Risk Assessment on Organizations
ORGUNIT     ROLES            Process Control, Risk Management  Role Assignment on Organizations
ORGUNIT     ROLES_PC         Process Control                   Role Assignment on Processes, Subprocesses, and Controls
ORGUNIT     ROLES_RM         Risk Management                   Role Assignment on Risks and Activities
ORGUNIT     SIGNOFF          Process Control                   Sign-Off
ORGUNIT     SUBPROCESS       Process Control                   Assignment of Subprocess
RESPONSE    DATA             Risk Management                   Response Data Part
RESPONSE    VALIDATE         Risk Management                   Response Validation
RISK        DATA             Process Control, Risk Management  Risk Details
RISK        VALIDATE         Risk Management                   Risk Validation
SUBPROCESS  COR_GLOB         Process Control                   Assignment of global control to subprocess, control objective, and risk
SUBPROCESS  COR_ORG          Process Control                   Assignment of referenced control to subprocess, control objective, and risk
SUBPROCESS  DATA             Process Control                   Local subprocess attributes
SUBPROCESS  INSCOPE          Process Control                   Subprocess Scoping Information
XCONTROL    DATA             Process Control                   Basic data of control
XCONTROL    TDATA            Process Control                   Test attributes of control
XECONTROL   DATA             Process Control                   Basic data of indirect Entity-Level Control
XECONTROL   TDATA            Process Control                   Test attributes of indirect Entity-Level Control
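The Activity, Entity, and Datapart elements above, and the ODP objects described under Authorization Objects Relevant to Enterprise Search and ODP, are only meaningful once you know how an authorization check combines them. The following Python model is an added example written for this guide, not SAP code. It reproduces the general SAP authorization rule (a check on an object passes when at least one authorization for that object satisfies every checked field; `*` matches any value and a trailing `*` matches a prefix; value ranges are left out) and applies it to GRFN_API with the descriptive element names ENTITY, ACTIVITY, and DATAPART as field keys, and to GRFN_ODP, GRFN_ODP_E, and GRFN_ODP_R with the field names from this guide. The element names used as keys, the two sample profiles, and the object IDs are assumptions made for the example; the technical field names of GRFN_API are those shown in transaction SU21, not necessarily these.

```python
"""Model of entity-level authorization checks for the objects in this guide.

Added example, not SAP code. Models the general SAP rule: a check passes if
one authorization for the object matches all checked fields. Field keys for
GRFN_API (ENTITY, ACTIVITY, DATAPART) are the descriptive element names from
the tables, assumed for the example; the ODP field names (GRC_ENTITY,
GRFN_OBJ, GRPC_REG) are the ones documented above. Profiles are constructed.
"""


def value_matches(pattern, value):
    """SAP-style field matching: '*' matches anything, 'ABC*' matches a prefix."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(authorizations, obj, **fields):
    """True if one authorization for obj satisfies every given field.

    authorizations: list of (object, {field: [allowed patterns]}).
    A field the check asks for but the authorization does not list is
    treated as not granted, which is the restrictive reading.
    """
    for auth_obj, auth_fields in authorizations:
        if auth_obj != obj:
            continue
        if all(any(value_matches(p, v) for p in auth_fields.get(f, []))
               for f, v in fields.items()):
            return True
    return False


# Constructed profile for a local risk owner: change risk details and
# validate risks, display organizations, read risks of one region via ODP,
# and read any risk via ODP but only for the constructed regulation "SOX".
RISK_OWNER_AUTHS = [
    ("GRFN_API", {"ENTITY": ["RISK"], "ACTIVITY": ["DISPLAY", "CHANGE"],
                  "DATAPART": ["DATA", "VALIDATE"]}),
    ("GRFN_API", {"ENTITY": ["ORGUNIT"], "ACTIVITY": ["DISPLAY"],
                  "DATAPART": ["*"]}),
    ("GRFN_ODP", {"GRC_ENTITY": ["RISK"], "GRFN_OBJ": ["RSK-EMEA-*"]}),
    ("GRFN_ODP_R", {"GRC_ENTITY": ["RISK"], "GRFN_OBJ": ["*"],
                    "GRPC_REG": ["SOX"]}),
]

# Constructed profile that was given the entity-level ODP object instead:
# GRFN_ODP_E has no object-ID field, so it cannot be narrowed to IDs.
ENTITY_WIDE_AUTHS = [
    ("GRFN_ODP_E", {"GRC_ENTITY": ["RISK"]}),
]


def risk_owner_can(activity, entity, datapart):
    """GRFN_API check for the constructed risk-owner profile."""
    return authority_check(RISK_OWNER_AUTHS, "GRFN_API",
                           ENTITY=entity, ACTIVITY=activity, DATAPART=datapart)


def odp_access(auths, obj, entity, obj_id, regulation=None):
    """ODP check; GRFN_ODP_E is checked on the entity field only."""
    fields = {"GRC_ENTITY": entity}
    if obj != "GRFN_ODP_E":
        fields["GRFN_OBJ"] = obj_id
    if regulation is not None:
        fields["GRPC_REG"] = regulation
    return authority_check(auths, obj, **fields)


if __name__ == "__main__":
    print("CHANGE RISK/VALIDATE:", risk_owner_can("CHANGE", "RISK", "VALIDATE"))
    print("ODP RSK-APAC-0001:", odp_access(RISK_OWNER_AUTHS, "GRFN_ODP", "RISK", "RSK-APAC-0001"))
```

Two things the model makes visible. First, the fields of a single authorization form a cross product: the risk-owner authorization that lists ACTIVITY DISPLAY and CHANGE together with DATAPART DATA and VALIDATE also grants CHANGE on VALIDATE, so if a role should only display validations, put DATA and VALIDATE into separate authorizations. Second, GRFN_ODP_E grants the whole entity, whereas GRFN_ODP and GRFN_ODP_R can be limited to object-ID patterns and, for GRFN_ODP_R, to a regulation.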

Data Protection and Privacy

 Note
The following information relates to both SAP Risk Management and SAP Process Control, depending on which of those
applications you have implemented and licensed.

In the SAP governance, risk, and compliance (GRC) solutions, the synchronization of authorization data (roles, users,
profiles, HR objects) from ERP and non-ERP systems into the GRC system brings in user IDs, e-mail addresses, telephone
numbers, postal addresses, organizational assignments, and similar data. Logs of the activities performed by users of the
connected systems are also stored in the GRC system, and these contain personal data. This chapter describes how SAP
Process Control and SAP Risk Management support the SAP Information Lifecycle Management (ILM) framework. The table
below shows how each business entity must be handled:

Blocking Required (RST): whether the entity must be blocked after the end of its residence time. This varies by entity.

Destruction Required (RTP): destruction after the end of the retention time. All business entities listed below require
destruction after the end of the retention time.

Business Entities

Business Entity                              ILM Object                      Component Blocking (RST)  Archiving  Legal Entity/Country Flag
Ad-Hoc Issue                                 GRFN_AI_DESTRUCTION             GRC       Yes             No         Yes
Aggregation of Deficiency                    GRPC_AOD_DESTRUCTION            GRC-PC    Yes             No         No
Attachments and Links                        GRFN_DOCUMENT_DESTRUCTION       GRC       Yes             No         Yes
Automated Monitoring Job                     GRFN_AM_JOB_DESTRUCTION         GRC       Yes             No         Yes
Background Report Data                       GRFN_REP_DATA_DESTRUCTION       GRC       No              No         No
Business Rule                                GRFN_BR_DESTRUCTION             GRC       Yes             No         No
Business Rule Parameter                      GRFN_BRP_DESTRUCTION            GRC       Yes             No         No
Change History                               GRFN_CHNG_HISTORY_DESTRUCTION   GRC       Yes             No         Yes
Datamart                                     GRFN_DATAMART_DESTRUCTION       GRC       Yes             No         No
Evaluation: Assessment                       GRPC_ASSESSMENT_DESTRUCTION     GRC-PC    Yes             No         Yes
Evaluation: Disclosure Survey                GRPC_DISCSVY_DESTRUCTION        GRC-PC    Yes             No         No
Evaluation: Manual Control Performance       GRPC_CONTROL_PERF_DESTRUCTION   GRC-PC    Yes             No         Yes
Evaluation: Survey                           GRFN_SURVEY_DESTRUCTION         GRC       Yes             No         Yes
Survey Library                               GRFN_SURVEY_LIB_DESTRUCTION     GRC       Yes             No         No
Evaluation: Testing (Test of Effectiveness)  GRPC_TESTING_DESTRUCTION        GRC-PC    Yes             No         Yes
HR Master Data                               GRFN_MASTER_DATA_DESTRUCTION    GRC       No              No         No
KRI Instance Value                           GRRM_KRIINST_VALUE_DESTRUCTION  GRC-RM    Yes             No         Yes
Legacy Automated Monitoring Job              GRPC_LEGACY_AM_JOB_DESTRUCTION  GRC-PC    Yes             No         No
Manual Control Performer                     GRPC_CTR_PERFORMER_DESTRUCTION  GRC-PC    Yes             No         Yes
Master Data Change Request (MDCR)            GRFN_MDCR_DESTRUCTION           GRC       No              No         No
Notes History                                GRFN_NOTES_DESTRUCTION          GRC       Yes             No         Yes
Planner - Plan                               GRFN_PLAN_DESTRUCTION           GRC       Yes             Yes        No
Policy                                       GRFN_POLICY_DESTRUCTION         GRC       Yes             No         Yes
Response                                     GRRM_RESPONSE_DESTRUCTION       GRC-RM    Yes             No         Yes
Risk Analysis                                GRRM_ANALYSIS_DESTRUCTION       GRC-RM    Yes             No         Yes
Role Assignment                              GRFN_ROLE_ASSIGN_DESTRUCTION    GRC       Yes             No         Yes
Sign-off                                     GRPC_SIGNOFF_DESTRUCTION        GRC-PC    Yes             No         No
User Delegation                              GRFN_DELEGATE_DESTRUCTION       GRC       No              No         No
Validation                                   GRRM_VALIDATION_DESTRUCTION     GRC-RM    Yes             No         Yes
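The RST/RTP distinction above decides what a user can still see at each point in a record's life: a residence rule blocks the record (hidden from everyone but designated administrators) once its residence time has elapsed, and a retention rule destroys it once the retention time has elapsed, while entities whose ILM object does not require blocking stay readable right up to destruction. The following Python model is an added example written for this guide, not SAP ILM code. The "Blocking Required" flags for the four ILM objects it includes are taken from the table; the period lengths, the reference date from which both periods are counted, and the sample records are assumptions made for the example.

```python
"""Lifecycle state of a GRC record under the residence and retention rules.

Added example, not SAP ILM code. A residence rule (RST) blocks a record
residence_days after its reference date (assumed here to be the end of
purpose); a retention rule (RTP) destroys it retention_days after that
date. Objects with Blocking Required = No skip the blocked state. The
flags below are the subset of the table above; periods are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Blocking Required (RST) per ILM object, from the table above (subset).
BLOCKING_REQUIRED = {
    "GRFN_AI_DESTRUCTION": True,         # Ad-Hoc Issue
    "GRFN_REP_DATA_DESTRUCTION": False,  # Background Report Data
    "GRRM_ANALYSIS_DESTRUCTION": True,   # Risk Analysis
    "GRFN_DELEGATE_DESTRUCTION": False,  # User Delegation
}


@dataclass(frozen=True)
class IlmRule:
    residence_days: int  # RST: days after the reference date until blocking
    retention_days: int  # RTP: days after the reference date until destruction


def lifecycle_state(ilm_object, reference_date, rule, today):
    """Return 'active', 'blocked', or 'destroy' for one record."""
    if ilm_object not in BLOCKING_REQUIRED:
        raise KeyError(f"unknown ILM object {ilm_object}")
    if rule.retention_days < rule.residence_days:
        raise ValueError("retention time must not be shorter than residence time")
    if today >= reference_date + timedelta(days=rule.retention_days):
        return "destroy"
    blocks = BLOCKING_REQUIRED[ilm_object]
    if blocks and today >= reference_date + timedelta(days=rule.residence_days):
        return "blocked"
    return "active"


def visible_to(state, is_admin):
    """Blocked data is visible only to designated administrators."""
    if state == "destroy":
        return False
    if state == "blocked":
        return is_admin
    return True


def state_on(ilm_object, reference_iso, rule, today_iso):
    """Same as lifecycle_state, taking ISO date strings."""
    return lifecycle_state(ilm_object, date.fromisoformat(reference_iso),
                           rule, date.fromisoformat(today_iso))


def states_on(reference_iso, rule, today_iso):
    """State of every modelled ILM object for one reference date."""
    return {obj: state_on(obj, reference_iso, rule, today_iso)
            for obj in BLOCKING_REQUIRED}


if __name__ == "__main__":
    rule = IlmRule(residence_days=30, retention_days=365)
    for obj, state in states_on("2024-01-01", rule, "2024-02-15").items():
        print(f"{obj}: {state}, visible to business user: {visible_to(state, False)}")
```

Running the block with the constructed periods shows the practical difference: on the same day an ad-hoc issue is already blocked for business users while background report data, whose ILM object does not require blocking, is still readable, and both are destroyed once the retention time has run out.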

Setting Up the System


1. Use transaction SFW5 to activate Information Lifecycle Management (ILM).

Note
SAP NetWeaver Information Lifecycle Management is a product that requires its own license. After licensing, you have to activate this product.

2. Use transaction SPRO and ensure that the activity under SAP Reference IMG → Governance, Risk, and Compliance → General Settings → Blocking and Deletion → Global ILM Enablement is completed. Select the GRC components that will use the ILM functionality. The options are GRC, GRC-AC, GRC-PC, GRC-RM, or a combination of these components.

Note
To activate personal data blocking and deletion for GRC-PC or GRC-RM, the shared component GRC must be active.

3. Use transaction SPRO and ensure that the activity under SAP Reference IMG → Governance, Risk, and Compliance → General Settings → Blocking and Deletion → ILM Entity Settings is completed. For SAP Process Control and SAP Risk Management, you can configure how the SAP ILM component interacts with these products. GRC provides ILM objects that enhance archiving objects with information for data retention. An ILM object contains the settings for the ILM rules. These rules are read by GRC during data processing and, based on the rule condition, personal data is blocked and deleted.

Note
For more information about GRC archiving objects, see Data Archiving.

Transaction ILMARA
1. Use transaction ILMARA to define whether SAP Process Control and/or SAP Risk Management use the delivered ILM Residence Rules (RST) and/or Retention Rules (RTP). An audit area groups ILM objects from a business aspect, according to common criteria for storage and for queries (such as tax audits). You can define the rules for ILM objects only in active audit areas.

Note
For any Residence Rule (if blocking is required), always use Audit Area GRC.

2. Define which ILM objects SAP Process Control and SAP Risk Management interact with (see the table above, GRFN_AI_DESTRUCTION etc.).

Select Block to hide the information from everyone except designated administrators after a certain period of time.

Select Destroy to destroy the information after a certain period of time.

Select LE flag if the ILM object is defined as a Legal Entity. Legal Entities are defined in the Maintain Legal Entity customizing activity (maintenance view GRFNVLEGALENT). This flag indicates whether the condition field Legal Entity is used to define the ILM policy for the ILM object. The value of the Legal Entity field is taken from the UI field Legal Entity on the General tab of the Org Unit; Legal Entities are assigned to the Organization Unit in the Org Unit view. Do not select this flag if the rule definition does not require it, as it could negatively impact performance.

Note
Select either Legal Entity or Country as needed. Do not select both.

Select Country if the object is defined for a particular country and this is used as a selection parameter for the ILM rule. The Country designation is established in the Organization Hierarchy for SAP Process Control and SAP Risk Management. This flag indicates whether the condition field Country is used to define the ILM policy for the ILM object. Do not select this flag if the rule definition does not require it, as it could negatively impact performance.

Note
Some objects are independent of the Org Unit, such as Business Rule or MDCR. For these, do not select Legal Entity or Country. For all other objects, select either Legal Entity or Country as needed; do not select both.

ILM Policy Creation


Use transaction IRMPOL to establish the Residence Rules and the Retention Rules. For any Residence Rule (if blocking is required), always use Audit Area GRC.

Use transaction SPRO and ensure that the activity under SAP Reference IMG → Governance, Risk, and Compliance → General Settings → Blocking and Deletion → Maintain Legal Entity is completed. For SAP Process Control and SAP Risk Management, you can group organizations as Legal Entities in the Organization Hierarchy. This allows you to write one rule that is applied to all of the grouped organizations. You can designate objects to be blocked or destroyed based on your business need and legal requirements.

Blocking and Unblocking


Use transaction code GRFN_BLOCK to verify that you have configured the blocking of data in the manner suitable to your business.

To unblock data, use transaction code GRFN_UNBLOCK. Select the ILM object and choose Execute. Select a record and choose Unblock. Confirm the action by choosing Yes in the confirmation window. Objects remain unblocked in the system until the next scheduled execution of the blocking job blocks them again.

Destruction
Use transaction code ILM_DESTRUCTION to verify your destruction policies. Select Data from the Database and identify the ILM object. Use test mode.

Logs
Use transaction code SLG1 to verify the logs.

Verification
Access the GRC product's user interface and check the dates to see whether your policies and rules are operating as intended. For example, if you set up the data to be blocked after 2 years, check whether any data is shown when you search for dates older than 2 years.

ABAP program GRFN_PI_DBTABLOG_COPY_DES is a simple deletion report that deletes the contents of the GRC plug-in system database table /GRCPI/GRIA_AM_DBLOG.


Introduction

Generic Fields

Glossary

Consent

Read Access Logging


For the following configurations, fields are logged in combination with additional fields in the following business contexts:

Configuration | Fields Logged | Business Context
--- | --- | ---
<Name of Configurations 1> | <Fields 1> | <Describe business context 1>
<Name of Configurations 1> | <Fields 2> | <Describe business context 1>
<Name of Configurations 2> | <Fields 1> | <Describe business context 1>
<Name of Configurations 2> | <Fields 1> | <Describe business context 2>

Information Retrieval

Deletion of Personal Data

Simpli ed Blocking and Deletion

Deletion of Personal Data


This SAP product might process data (personal data) that is subject to the data protection laws applicable in specific countries, as described in SAP Note 1825544.

Deletion

End-of-Purpose Check

Blocking

Where-Used Check

Change Log

Change Log


De ning Fields to be Logged

Displaying Change Logs in <SAP Product>

In the worklist of SAP Product, you can access a change log for each change request and activity.

Note
Change logs can only be displayed if the user is assigned the authorization role SAP_AUTH_MOC_ADMIN.

Under Evaluate New Audit Trail Enhancement Mode (transaction S_AUT10), you can see all changes that have been processed for the change document objects in SAP Product, S_/IAM/ACT (activity) and /IAM/ISSUE (change request).

See Also

For more information on change documents, see the documentation at http://help.sap.com/netweaver. Choose the relevant SAP NetWeaver version and open the following documentation:

Under Application Help, go to SAP NetWeaver Library: Function-Oriented View → Application Server ABAP → Other Services → Services for Application Developers → Change Documents.

Open the SAP NetWeaver Security Guide and go to Security Aspects for Lifecycle Management → Auditing and Logging.

Read Access Logging


The SAP governance, risk and compliance solutions (GRC) do not deliver Read Access Logging (RAL) con gurations and log
conditions, since there is no sensitive personal data stored.

Personal Data Information


SAP Risk Management provides one report, User Authorization Analysis, to allow customers to retrieve user information and related data objects.

Note
The User Authorization Analysis report does not cover all entities in SAP Risk Management, but it covers the majority of them.

Activities
To open the report, perform the following steps:

1. Log on to NWBC.

2. Choose the Reports and Analytics tab.

3. Under Access Management, choose User Authorization Analysis.

4. In the report, enter the user ID, select the related regulations, and choose Go to execute it.

The role assignment and related data object information are shown according to the user ID entered.

5. You can hide or show related column information by choosing Personalize → Personalize Fields.


Roles and Authorization Objects


Roles and authorization objects for data protection.

You must verify that end users can no longer access the personal data stored in blocked process tables. Authorization to read the personal data from blocked process tables can be given to specific users (such as auditors).

Roles Created for ILM Administrators and Auditors

Role | Description | Authorization Object | Authorization Field | Field Value | Purpose
--- | --- | --- | --- | --- | ---
SAP_GRC_ILM_ADMINISTRATOR | GRC ILM Administrator. Assign SAP_GRC_FN_ALL (power user) using SU01. Assign role SAP_GRC_SPC_CRS_ISSUE_ADMIN (cross regulation issue admin) at entity level on any corporate node in the organization hierarchy. | GRFN_USER | ACTVT | 5 | Blocking
| | | | 69 | Destruct
| | | | 95 | Unblocking
SAP_GRC_ILM_AUDITOR | GRC ILM Auditor. Only the ILM auditor can have this activity, to protect the blocked data. If you have created custom roles with authorization object GRFN_USER and activity set to "*", the wildcard must be removed and specific activities must be named. | GRFN_USER | ACTVT | 94 | To view blocked data

These authorizations must be provided to users for different activities.

Authorization Objects and Activities Used

Authorization Object | Authorization Field | Field Value | Description
--- | --- | --- | ---
GRFN_USER | ACTVT | 5 | Lock
| | 69 | Discard
| | 94 | Override. Only the ILM Auditor can have this activity, to protect the blocked data.
| | 95 | Unlock
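The guide requires that ACTVT 94 on GRFN_USER stays confined to the ILM auditor role and that custom roles carrying ACTVT "*" are narrowed to named activities. The following check is an added example, not SAP code: it audits an export of role authorization rows shaped like table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH) for both conditions, including the case where an interval such as 90..99 grants 94 without naming it; the Z_ role names in the sample rows are hypothetical.

```python
# Added example (not SAP code): audit GRFN_USER / ACTVT grants in an export of
# role authorization rows shaped like AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH).
from collections import defaultdict

# ILM activities of authorization object GRFN_USER, field ACTVT, as listed in this guide.
ILM_ACTIVITIES = {"05": "Lock", "69": "Discard", "94": "Override (view blocked data)", "95": "Unlock"}
ILM_AUDITOR_ROLE = "SAP_GRC_ILM_AUDITOR"  # the only role that may carry ACTVT 94

def actvt_values(low: str, high: str) -> set[str]:
    """Expand one LOW/HIGH pair into the ILM activities it grants: '*' grants all,
    a non-empty HIGH makes LOW..HIGH an interval; '5' is normalised to '05' like ACTVT."""
    if low.strip() == "*":
        return set(ILM_ACTIVITIES)
    lo = low.strip().zfill(2)
    hi = high.strip().zfill(2) if high.strip() else lo
    return {code for code in ILM_ACTIVITIES if lo <= code <= hi}

def grfn_user_grants(rows: list[dict]) -> dict[str, set[str]]:
    """Map role name -> ILM activity codes it grants via GRFN_USER/ACTVT."""
    grants: dict[str, set[str]] = defaultdict(set)
    for row in rows:
        if row["OBJECT"] == "GRFN_USER" and row["FIELD"] == "ACTVT":
            grants[row["AGR_NAME"]] |= actvt_values(row["LOW"], row["HIGH"])
    return dict(grants)

def audit_grfn_user(rows: list[dict]) -> list[tuple[str, str]]:
    """(role, finding) pairs for the two conditions this guide calls out: a wildcard
    activity on GRFN_USER, and ACTVT 94 granted outside the ILM auditor role."""
    findings = []
    for row in rows:
        if row["OBJECT"] == "GRFN_USER" and row["FIELD"] == "ACTVT" and row["LOW"].strip() == "*":
            findings.append((row["AGR_NAME"], "ACTVT '*' on GRFN_USER: replace with named activities"))
    for role, codes in grfn_user_grants(rows).items():
        if "94" in codes and role != ILM_AUDITOR_ROLE:
            findings.append((role, "ACTVT 94 (view blocked data) granted outside SAP_GRC_ILM_AUDITOR"))
    return findings

def _row(role, low, high="", obj="GRFN_USER", field="ACTVT"):
    return {"AGR_NAME": role, "OBJECT": obj, "FIELD": field, "LOW": low, "HIGH": high}

SAMPLE_ROWS = [  # constructed sample; the Z_ roles are hypothetical
    _row("SAP_GRC_ILM_ADMINISTRATOR", "05"), _row("SAP_GRC_ILM_ADMINISTRATOR", "69"),
    _row("SAP_GRC_ILM_ADMINISTRATOR", "95"), _row("SAP_GRC_ILM_AUDITOR", "94"),
    _row("Z_GRC_LEGACY_POWER", "*"),                                   # wildcard: flagged
    _row("Z_GRC_RISK_OWNER", "90", "99"),                              # interval hides 94: flagged
    _row("Z_GRC_RISK_OWNER", "GRFN_BLOCK", obj="S_TCODE", field="TCD"),  # other object: ignored
]
if __name__ == "__main__":
    for role, finding in audit_grfn_user(SAMPLE_ROWS):
        print(f"{role}: {finding}")
```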

Data Archiving
ILM-enabled archiving objects in GRC

The SAP governance, risk and compliance solutions (GRC) support the SAP Information Lifecycle Management (ILM) framework
for retention management.

The following table shows the available GRC archiving objects for SAP Risk Management:

GRC ILM-Enabled Archiving Objects

Archiving Object | Description | ILM Object | Condition Field | Reference Field
--- | --- | --- | --- | ---
GRFNPLAN | Archiving for GRC Planner and Planner Monitor | GRFN_PLAN_DESTRUCTION | TASK | COMPLETION_DATE

Archiving Planner and Planner Monitor (GRFNPLAN)


Archiving object GRFNPLAN for archiving GRC Planner and Planner Monitor

Before using the archiving object for the first time, verify that the GRC Customizing activities under Blocking and Deletion have been completed to enable the Information Lifecycle Management (ILM) capabilities. When you use the archiving object GRFNPLAN, data is archived from the following tables:

Tables Affected by GRFNPLAN

Tables
GRFNPLANRCPT
GRFNTASKPLANGRP
GRFNPLANREG
GRFNPLANRESULT
GRFNTASKPLAN

Programs Affected by GRFNPLAN

Programs
GRFN_PLANNER_ARCH_REL
GRFN_PLANNER_ARCH_WRI
GRFN_PLANNER_ARCH_READ
GRFN_PLANNER_ARCH_DEL
