Have you installed one of the SAP GRC systems? Here are 10 helpful tips on how to improve the use of the SAP Governance suite.
 
Several systems fall under the SAP GRC (Governance, Risk and Compliance) area. The main ones are:
- SAP GRC Access Control
- SAP GRC Process Control
- SAP GRC Risk Management
- SAP Global Trade Services (GTS)
- SAP Environment, Health and Safety (EHS)
- SAP Cloud Identity Access Governance
10 focus points that you might want to apply!
1. Expand the system in stages; do not roll out everything at once
Especially for systems such as Access Control, Process Control and Risk Management, it is useful to start with a few business processes. In the case of Access Control, manage them end to end: the definition of access risks (SoD risks, critical actions or critical permissions), risk analysis and remediation, and in particular the mitigation and continuous compliance part.
In the case of Process Control, build a PoC (proof of concept) to understand whether it fits your environment and what limitations or problems may arise.
2. Do you use SAP GRC Access Control EAM? Check how it is used
This module of SAP GRC Access Control (Emergency Access Management, also known as Firefighter) lets you manage emergency access for users; too often, however, the actual use is never reviewed afterwards.
In what cases/scenarios could it be used?
- External users (e.g. consultants) who access production in "read only" mode. When needed they can use a super user (transparently, by running a specific transaction, without entering credentials) that is authorized to carry out a defined set of actions (SAP transactions). Every action performed during the firefighting session is tracked in the system. Be aware that custom transactions whose ABAP code does not contain the statements needed to track changes may not be recorded in the logs.
- ICT users in the same scenario as above
- End users who must carry out operations beyond their normal duties
- From version 12, SAP GRC EAM can also be used to manage administrative or emergency IT access to the SAP HANA database (see the separate article on securing/hardening the HANA database)
Firefighter IDs (super users) can be requested through an approval workflow (using the SAP GRC Access Control Access Request Management module, ARQ) or can be assigned or pre-assigned by an administrator for a given period of time.
What should you focus on once the super users are in use in SAP?
- Verify and, if needed, modify the reason codes used
- Calculate the percentage of use of the firefighter IDs
- Review the roles assigned to the super users
- Monitor what is done during the firefighting session
- Review the descriptions entered during the use of the super user and make staff aware of what to enter (e.g. reference ticket or transactions used)
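The review points above can be turned into a repeatable check. The following added example (not code from the original post or from SAP) reviews a constructed export of firefighter session log lines: it rejects reason codes outside an allowed list, flags descriptions without a ticket reference (the INC-/CHG- format is an assumption for this example), highlights custom Z*/Y* transactions whose changes may not be fully logged, and computes how many of the defined firefighter IDs were actually used. Field layout, FFID names and log lines are all constructed.

```python
import re
from collections import Counter

# Constructed sample of a firefighter session log export (not real SAP data).
# Fields: session id | firefighter ID | firefighter user | reason code | description | transactions
SAMPLE_LOG = """\
S001|FF_FIN_01|jdoe|EMERG|INC-10422 unblock payment run F110|F110,FBL1N
S002|FF_FIN_01|mrossi|EMERG|fix|FB02,ZFI_POST_ADJ
S003|FF_MM_02|jdoe|TEST|INC-10430 correct PO price|ME22N,ME23N
S004|FF_FIN_01|mrossi|EMERG|INC-10433 reverse document|FB08,YFI_REVERSE
"""

# All firefighter IDs defined in the system (constructed list); FF_HR_03 is
# never used in the sampled period, which the utilization figure should expose.
DEFINED_FFIDS = ["FF_FIN_01", "FF_MM_02", "FF_HR_03"]

# Assumed ticket reference format for this example (e.g. INC-10422, CHG-77).
TICKET_RE = re.compile(r"\b(?:INC|CHG)-\d+\b")


def parse_sessions(text):
    """Split the pipe-separated export into one dict per session."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, ffid, user, reason, desc, tcodes = line.split("|")
        sessions.append({"id": sid, "ffid": ffid, "user": user, "reason": reason,
                         "desc": desc, "tcodes": tcodes.split(",")})
    return sessions


def custom_tcodes(tcodes):
    """Transactions in the SAP customer namespace (Z* / Y*): their ABAP code may
    lack the statements needed for change logging, so review them by hand."""
    return [t for t in tcodes if t[:1] in ("Z", "Y")]


def review_session(session, allowed_reasons):
    """Return the list of findings for one session (empty list means clean)."""
    findings = []
    if session["reason"] not in allowed_reasons:
        findings.append(f"reason code {session['reason']} not allowed")
    if not TICKET_RE.search(session["desc"]):
        findings.append("description has no ticket reference")
    custom = custom_tcodes(session["tcodes"])
    if custom:
        findings.append("custom transactions used: " + ",".join(custom))
    return findings


def review_log(text, allowed_reasons=("EMERG",)):
    """Map session id -> findings for every session in the export."""
    return {s["id"]: review_session(s, allowed_reasons) for s in parse_sessions(text)}


def ffid_utilization(text, defined_ffids):
    """Sessions per FFID and the percentage of defined FFIDs used at least once."""
    counts = Counter(s["ffid"] for s in parse_sessions(text))
    used = sum(1 for f in defined_ffids if counts[f] > 0)
    pct = round(100.0 * used / len(defined_ffids), 1)
    return counts, pct


if __name__ == "__main__":
    for sid, findings in review_log(SAMPLE_LOG).items():
        print(sid, findings or "ok")
    counts, pct = ffid_utilization(SAMPLE_LOG, DEFINED_FFIDS)
    print(dict(counts), f"{pct}% of defined FFIDs used")
```

Unused firefighter IDs are candidates for removal, and a high share of sessions without a ticket reference usually means the description guidance for staff needs to be reinforced before the logs are of any use to an auditor.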
3. Do you use SAP GRC Access Control ARA? Add more risks or systems!
The Access Risk Analysis module, part of the Access Control suite, allows you to define a segregation of duties (SoD) matrix containing standard or custom functions.
If you activate new processes, you should adjust the SoD matrix.
The matrix is not static: it must be updated every time a custom transaction or a new SoD-relevant process is defined.
4. Do you use SAP GRC Access Control ARA? Include legacy systems in risk analysis
Through this tool, some legacy (non-SAP) systems can be included in the risk analysis, whether in-house or third-party systems.
You can define rules (using SAP data structures) that allow SAP GRC to analyze non-SAP systems.
5. Do you use SAP GRC Access Control ARA? Include cross system analysis
If you have several systems, and especially if an SoD-relevant process is split across systems, defining cross-system rules may be useful.
Imagine that suppliers are maintained in the SAP SRM system (SAP Supplier Relationship Management) while supplier payments are carried out in SAP ECC or S/4HANA.
In that case a user analyzed on a single system may not represent a risk; analyzed across both systems, the same user may.
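The difference between single-system and cross-system analysis in items 3 to 5 is easiest to see on a small rule set. The following added example (not code from the original post and not SAP's delivered ruleset or ARA engine) models functions as sets of actions per system and risks as pairs of conflicting functions, then evaluates each user once per system and once with all systems combined. The ECC transaction codes are real standard ones; the SRM action names, the risk IDs, the users and their assignments are constructed placeholders. Adding a custom Z* transaction to a function or a non-SAP system as a further key is just another entry in the same structures.

```python
# Constructed SoD rule set for the example (not SAP's delivered ruleset).
# A function is a set of actions per system; a risk is a set of functions
# that one person must not hold together.
FUNCTIONS = {
    "VENDOR_MASTER": {
        "ECC": {"XK01", "XK02", "FK01", "FK02"},
        # placeholder action names for supplier maintenance in SRM
        "SRM": {"SRM_SUPPLIER_CREATE", "SRM_SUPPLIER_CHANGE"},
    },
    "VENDOR_PAYMENT": {"ECC": {"F110", "F-53"}},
    "PURCHASE_ORDER": {"ECC": {"ME21N", "ME22N"}},
}

RISKS = {
    "P001": ("VENDOR_MASTER", "VENDOR_PAYMENT"),   # create a fictitious vendor and pay it
    "P002": ("VENDOR_MASTER", "PURCHASE_ORDER"),   # create a vendor and order from it
}

# Constructed user -> system -> authorized actions (as derived from role content).
ASSIGNMENTS = {
    "ALICE": {"SRM": {"SRM_SUPPLIER_CREATE"}, "ECC": {"F110", "FBL1N"}},
    "BOB":   {"ECC": {"XK01", "F110"}},
    "CAROL": {"ECC": {"ME21N", "FBL1N"}, "SRM": {"SRM_SUPPLIER_CHANGE"}},
}


def functions_held(actions_by_system, systems):
    """Functions a user holds, considering only the given systems."""
    held = set()
    for fn, per_system in FUNCTIONS.items():
        for sysname in systems:
            if per_system.get(sysname, set()) & actions_by_system.get(sysname, set()):
                held.add(fn)
    return held


def risks_for(held):
    """Risk IDs whose conflicting functions are all held."""
    return sorted(rid for rid, fns in RISKS.items() if set(fns) <= held)


def analyze(assignments, cross_system):
    """Return {user: sorted risk IDs}. With cross_system=False each system is
    evaluated on its own; with True a user's actions on all systems are
    combined before the rules are evaluated."""
    report = {}
    for user, per_sys in assignments.items():
        if cross_system:
            found = set(risks_for(functions_held(per_sys, per_sys.keys())))
        else:
            found = set()
            for sysname in per_sys:
                found |= set(risks_for(functions_held(per_sys, [sysname])))
        report[user] = sorted(found)
    return report


def cross_only(assignments):
    """Risks that only appear once systems are analyzed together."""
    single = analyze(assignments, cross_system=False)
    cross = analyze(assignments, cross_system=True)
    return {u: sorted(set(cross[u]) - set(single[u]))
            for u in assignments if set(cross[u]) - set(single[u])}


if __name__ == "__main__":
    print("single-system:", analyze(ASSIGNMENTS, cross_system=False))
    print("cross-system: ", analyze(ASSIGNMENTS, cross_system=True))
    print("only visible cross-system:", cross_only(ASSIGNMENTS))
```

BOB conflicts inside ECC alone and is caught either way; ALICE (supplier maintenance in SRM, payment run in ECC) and CAROL (supplier change in SRM, purchase orders in ECC) are clean per system and only surface when the systems are analyzed together, which is exactly the case the SRM/ECC scenario above describes.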
6. Create control testing scripts
Once you have defined the compensating controls, they must be "tested". The control testing phase (control testing for audit purposes) verifies that the control is actually carried out. Procedures must establish who performs this phase, how and when.
7. Activate the GRC Process Control module for automated monitoring
Managing mitigating controls is expensive, in terms of implementation time but especially during their execution.
If you have configured GRC Process Control, check whether the automated monitoring component (SAP GRC Process Control AM) has been activated.
8. Avoid assigning roles manually in SAP (ARQ or IDM)
If you activate the Access Request Management module, you can automate the provisioning of SAP roles and user accounts in the various systems involved.
Remember that this component overlaps with identity management systems.
In most cases, where such systems are present, GRC is used only for SoD compliance checks while IDM is used for provisioning in the various SAP and non-SAP systems.
9. Activate User Access Review and SoD review workflows
These are standard workflows within SAP GRC Access Control that allow you to re-validate:
- The user-role assignment (UAR, User Access Review)
- The role content (Role Review)
- The risks of each user (SoD Review)
10. Adapt the SoD matrix for SAP S/4HANA processes
Have you migrated from SAP ECC to SAP S/4HANA?
Remember that, depending on how you use it, the transactions or applications in use change and must be adapted. Consequently, the risk matrix needs to be adapted as well.
This blog post is a translation of the original: https://www.aglea.com/blog/10-suggerimenti-dopo-aver-installato-sap-grc
