4/2/24, 3:07 PM Running risk analysis for the SAP S/4HANA and SAP ...

- SAP Community


Financial Management Blogs by SAP



Running risk analysis for the SAP S/4HANA and SAP Fiori System.

japneet_singh2
Active Participant

‎01-17-2020 10:14 AM

 14 Kudos

GRC 10.1 SP 22 (initially introduced with SP 19) and GRC 12 SP 03 made it possible to
include SAP S/4HANA and SAP Fiori applications in the risk analysis. For this purpose,
the authorization object S_SERVICE has been activated in the GRC risk analysis rules
as part of the SAP Fiori applications and SAP S/4HANA integrations.

This blog post explains the steps that must be configured in the GRC system to
run risk analysis for SAP S/4HANA and SAP Fiori systems. Depending on the
landscape, you may have SAP S/4HANA and SAP Fiori configured on the same
system, or you may have separate systems for SAP S/4HANA and SAP Fiori. The
connector configurations for these two scenarios are slightly different.

STEP 1: Connector Configuration

As mentioned above, SAP Fiori and SAP S/4HANA can be on the same box or
they can be set up as separate systems. Both scenarios are covered below.

Scenario 1: SAP S/4HANA & SAP Fiori on the Same Box

https://community.sap.com/t5/financial-management-blogs-by-sap/running-risk-analysis-for-the-sap-s-4hana-and-sap-fiori-system/ba-p/13434292 1/15
In this case only one connector is to be created. Create a connector for the SAP S/4HANA
box. The connection type should be "SAP".

Scenario 2: SAP S/4HANA & SAP FIORI are on Different Boxes

In this case two connectors are to be created in GRC: one for the SAP S/4HANA box and
another for the SAP Fiori box. Both the SAP S/4HANA and SAP Fiori connectors will be of
type SAP.

The SAP Fiori connector is to be maintained as a Subsequent Connector of the SAP
S/4HANA connector.

Once the connectors are created and maintained, they need to be assigned to
the integration scenarios. To maintain connection settings:

1. Enter Transaction SPRO

2. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common
Component Settings > Integration Framework > Maintain Connection Settings.

3. Select the Integration Scenario AUTH for Risk analysis.

4. Add SAP S/4HANA and SAP Fiori connector in the connector list.

5. Click Save.

STEP 2: Creation of Risk and Setting up the Ruleset

The customer might want to use the SAP-delivered rules, use custom rules along
with the standard delivered rules, or create and use only custom rules.

The rule creation and generation process differs between these cases; all three
scenarios are covered below.

Scenario 1: The customer wants to use the SAP Standard ruleset



1. Activate BC Sets

2. GRAC_RA_RULESET_COMMON

3. GRAC_RA_RULESET_S4HANA_ALL

4. After activating BC Set, all standard rules will be available for CONNECTOR
Group "SAP_S4A_LG".

5. Because SAP Fiori apps are case sensitive, the connector group "SAP_S4A_LG" and
the "S/4HANA Connector" must be maintained in configuration parameters
1022 and 1046.

6. After maintaining the connector group "SAP_S4A_LG" under the configuration
parameters (1022 and 1046), the same rules must be downloaded and
uploaded again.
Note: this step is required because case-sensitive data goes into different
tables, i.e. GRACFUNCACTEXT and the other *EXT tables. Follow the steps
below.

1. Download the rules for SAP_S4A_LG.
SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis
==> SOD Rules ==> Download SOD Rules.
Select system "SAP_S4A_LG", provide the path and names of all files, and
download.

2. Upload the same rules again for SAP_S4A_LG.
SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis
==> SOD Rules ==> Upload SOD Rules.
Select system "SAP_S4A_LG", provide the path and names of all files, and
upload with the Overwrite option.

3. Add the SAP Fiori and SAP S/4HANA connectors to the connector group
SAP_S4A_LG.
SPRO ==> IMG ==> GRC ==> Common Component Setting ==>
Integration Framework ==> Maintain connectors and connection Types.
Select the connector group "SAP_S4A_LG" and add the SAP S/4HANA
and SAP Fiori connectors to the connector group.

4. Generate the rules.
SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis
==> SOD Rules ==> Generate SOD Rules.

Note: If you do not wish to perform point number 6 described in Scenario 1, you can
also make use of the new report "GRAC_RULE_CONVERT_TO_EXTOBJ",
delivered via SAP note 2805767. The note has been created specifically to
populate the data in the extended tables. Before running the report, ensure that the
connector group "SAP_S4A_LG" and the "S/4HANA Connector" are set in
configuration parameters 1022 and 1046.

Scenario 2: Customer wants to use the SAP-provided Standard ruleset and modify it as per their requirements.

1. Activate BC Sets
GRAC_RA_RULESET_COMMON
GRAC_RA_RULESET_S4HANA_ALL

2. After activating BC Set, all standard rules will be available for CONNECTOR
Group "SAP_S4A_LG".

3. Create your own Custom Connector Group (say… C_S4_LG). Add S/4HANA &
SAP Fiori connector in the Connector List.

4. Maintain your custom connector group "C_S4_LG" and the "S/4HANA Connector"
under configuration parameters 1022 and 1046.

5. Download the rules for SAP_S4A_LG.

1. SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis
==> SOD Rules ==> Download SOD Rules. Select system "SAP_S4A_LG",
provide the path and names of all files, and download.


2. Upload the same rules again for "C_S4_LG".
SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis
==> SOD Rules ==> Upload SOD Rules. Select system "Custom_S4_ALL",
provide the path and names of all files, and upload with the Overwrite option.

3. Generate the rules.
SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis
==> SOD Rules ==> Generate SOD Rules.

Scenario 3: The customer wants to create their own custom rules without having SAP Standard rules

1. Create your own Custom Connector Group (say… C_S4_LG). Add SAP S/4HANA
connector in the Connector List.

2. Maintain your custom connector group "C_S4_LG" and the "S/4HANA Connector"
under configuration parameters 1022 and 1046.


3. Create your Functions / Risk Manually or Use custom TXT files and upload your
rules against your Connector Group "C_S4_LG".

4. Generate the rules.
SPRO ==> IMG ==> GRC ==> Access Control ==> Access Risk Analysis ==>
SOD Rules ==> Generate SOD Rules.

Note: While creating a custom risk, ensure that the proper abbreviations/prefixes are
used for the different types of actions. Refer to KBA 2655122 for more details.

Once the above-mentioned steps are configured and the rules are generated, the entries
in the following extension tables will get populated.

GRACACTRULEEXT

GRACFUNCACTEXT

GRACFUNCPRMEXT

GRACPROFACTVLEXT

GRACPROFPRMVLEXT

GRACROLEACTVLEXT

GRACROLEPRMVLEXT

GRACUSERACTVLEXT

GRACUSERPRMVLEXT

Now if the user/role has conflicting actions pertaining to SAP S/4HANA/SAP Fiori
system, the corresponding violations will be flagged in the Risk Analysis result.
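
The following is an added illustration, not code from this blog post or from SAP, of why the case-sensitive Fiori actions discussed above need case-preserving rule storage before conflicts can be flagged. It is a simplified model: it assumes that rules stored without the extension tables are folded to upper case, and every function, risk, service and user name in it is a constructed sample.

```python
# Simplified model of SoD risk analysis (added illustration, not SAP GRC code).
# All service, function, risk and user names below are constructed samples.
from itertools import product

# A function groups actions; a risk is a pair of conflicting functions.
FUNCTIONS = {
    "F_CREATE_VENDOR": {"FK01", "zVendorManage_SRV"},  # tcode + Fiori service
    "F_POST_PAYMENT": {"F-53", "zPaymentPost_SRV"},
}
RISKS = {"R_VENDOR_PAY": ("F_CREATE_VENDOR", "F_POST_PAYMENT")}

# Actions each user is authorized for, spelled exactly as on the target system.
USER_ACTIONS = {
    "GUI_USER": {"FK01", "F-53"},
    "FIORI_USER": {"zVendorManage_SRV", "zPaymentPost_SRV"},
    "CLERK": {"FK01"},
}

def load_rules(functions, preserve_case):
    """Return function -> actions; upper-casing models a store that loses case (assumption)."""
    return {f: {a if preserve_case else a.upper() for a in acts}
            for f, acts in functions.items()}

def analyze(rules, risks, user_actions):
    """Return {user: [(risk, action1, action2), ...]} for each conflicting pair held."""
    findings = {}
    for user, held in user_actions.items():
        hits = []
        for risk, (f1, f2) in sorted(risks.items()):
            left, right = rules[f1] & held, rules[f2] & held
            hits += [(risk, a, b) for a, b in product(sorted(left), sorted(right))]
        if hits:
            findings[user] = hits
    return findings

def compare():
    """Run the same analysis with case-folded and case-preserving rule stores."""
    folded = analyze(load_rules(FUNCTIONS, False), RISKS, USER_ACTIONS)
    exact = analyze(load_rules(FUNCTIONS, True), RISKS, USER_ACTIONS)
    missed = sorted(set(exact) - set(folded))
    return folded, exact, missed

if __name__ == "__main__":
    folded, exact, missed = compare()
    print("case-folded rules flag:", sorted(folded))
    print("case-preserving rules flag:", sorted(exact))
    print("violations missed when case is lost:", missed)
```

In this model the transaction-code conflict is found either way, while the Fiori-only user is reported only when the rule actions keep their original case.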


Important Information

1. In order to run risk analysis for SAP S/4HANA and SAP Fiori, only the plug-in
package GRCPINW/GRCPIERP is to be installed, on both the SAP S/4HANA and the SAP
Fiori system. The UIGRAC01 (for GRC 12) / UIGRC001 (for GRC 10.1) package is not
required for running risk analysis.

2. The UIGRAC01 (for GRC 12) / UIGRC001 (for GRC 10.1) package on SAP Fiori is only
required in case you want to use the GRC Fiori apps.

List of important notes

2704494 - S4HANA & Fiori Risk Analysis does not show correct violations.

2639161 - S_SERVICE authorization causing huge risk violations results.

2652312 - Enhancement to SAP S/4HANA risk analysis to use same SAP
S/4HANA ruleset even if Fiori Application is rendered from a different system.

2655122 - Prefix / Abbreviation requires with Action for creating & running risk
analysis

SAP Managed Tags:

SAP Access Control

Labels:

Technology Updates


5 Comments


‎01-23-2020 3:38 PM

 0 Kudos

Nice Document Japneet

chris-h
Member

‎04-10-2020 12:09 PM

 0 Kudos

Hi Japneet,

Great document – thanks heaps for posting!

Not sure I agree with the line ‘Add the SAP Fiori and SAP S/4HANA connector to the
connector group SAP_S4A_LG’ though- wouldn't this mean risks that are meant purely
for the S4HANA system may appear against the Fiori Connector? e.g. HR risks,
Finance risks etc.

Totally understand that your role design should not contain HR, Finance etc in Fiori,
but even so, wouldn't it be better to have Fiori connector against basis rule set only?

Do you have a screenshot of what the Fiori & S4 on different box scenario would look
like from a risk results perspective? Are we to only be running these sorts of risk
analysis against the connector group, or will running against S4 automatically pick up
the risks coming from Fiori?

Cheers

hmnsh_grwl
Explorer

‎04-30-2021 11:24 AM

 0 Kudos

Connector group SAP_S4A_LG should be cross system or logical group only? Also I
have the same question raised by Chris Harmour.

Thanks,
Datta

former_member226273
Active Participant

‎11-10-2021 7:42 PM

 0 Kudos

Hello Japneet,

Thank you for the informative blog. A few queries which are affecting the risk setup for
me:

1. Is it okay to have the legacy ECC connector and the S4 HANA connector in the same
connector group (as most of the risks apply for both systems where old t-codes
and objects are still in use)? We could add additional actions/permissions in
existing functions for the S4 HANA system directly. In this case should this
connector group be maintained in 1022 and 1046? Or should only the S4 connector
be maintained in these parameters?

2. How shall the group be formed if we have cross system risks between ECC and S4 HANA system, and what values will be there
for parameters 1022 and 1046?

Kind regards,

Yashasvi

pellega0905
Discoverer

‎04-05-2023 2:51 PM

 0 Kudos

Excellent!
