SAP Community - Governance, Risk, Compliance (GRC), and Cybersecurity

SAP Governance

2025-08-22T08:04:08.114000+02:00

How to add dynamically options to choice field using script task in process governance process section

Need Best Practices of ABAP Access to Production Environment

2025-08-25T19:46:54.255000+02:00

Dear SAP Support Team

Our external auditors have raised a concern that they will not rely on SAP for the financial audit. The issue identified is that the ABAP user currently has access to the production environment, which they consider a violation of control.

In light of the above, I request your support in providing the relevant SAP standards or best practices on this matter, preferably referenced in an SAP Note. This is critical, as the system was implemented primarily for financial controlling, and the auditors’ non-reliance on SAP for financials would undermine its purpose.

Your prompt response will be highly appreciated.

Thanks

GRC access control - update user role assignment after backend role deletion

2025-09-01T13:57:12.936000+02:00

Hello,

we have implemented ARQ/ARM and BRM to provision business role in backend system.

how to align or reconcile Access Control User role assignment, if we delete a technical role assigned directly in the backend system for user A?

program GRAC_UPDATE_BR_ASSIGNMENT do not display any data for this user A( so on the Access Control Business Role Mass Update Background Job job).

program GRAC_CHECK_BROLE_ASSIGNMENT till display all business role/technical role.

kind regards

Skip Role Owner Stage Approval if Manager is same as Role Owner

2025-09-15T23:44:50.037000+02:00

Hi,

I have a requirement where I need to skip Role Owner stage approval if Manager is same as Role Owner. However, it is important that if there are 5 roles, and if Manager is same as Role Owner for only one of the roles, then the approval should be skipped for that one role only. Kindly provide ideas on how this can be achieved, by perhaps using BRF+ decision rules.

Thanks,

[DRC] Venda produtor Rural CPF - Erro 227

2025-09-18T14:26:25.658000+02:00

Bom dia Pessoal,

Estamos com um problema para validar o certificado digital ( msg 227) para venda produtor Rural CPF, saindo pelo DRC, todas verificações em relação ao certificado, cadastro e outros foram feitas, o mesmo cenário funciona corretamente sendo enviado pelo GRC.

Algum colega já passou por algo semelhante que possa compartilhar a experiencia e solução?

GRC 12.0 Standard role to provisional

2025-09-24T15:38:54.610000+02:00

All of a sudden we see that several standard roles across multiple sap instances have gotten turned to provisional Y in GRC with random role owners getting mapped to these roles . Why would this happen ? And how to fix it ?

SAP GRC 2026 - Assurance & Compliance Solutions - New features

2025-10-17T15:11:55.076000+02:00

SAP GRC 2026 - Assurance & Compliance Solutions - New features

Organizations today face increasing regulatory demands and operational risks.
SAP continues to evolve its Assurance & Compliance solutions to help businesses stay ahead. Here’s a look at the latest enhancements designed to optimize user experience, streamline processes, and leverage AI for smarter compliance.

✅ SAP Business Integrity Screening
A) Fiori Apps for Detection Runs
Reimplemented using Fiori Elements for a modern, consistent user experience.
Key Benefit: Enhanced efficiency through streamlined interfaces and advanced filtering for precise detection runs.

B) Improved Performance for Managing Alerts App
Optimized for high-volume alert scenarios and large datasets.
Key Benefit: Increased responsiveness in high-demand environments.

✅ SAP Tax Compliance
A) Bulk Edit User Group Attributes
Edit multiple user groups and attributes in a single operation with flexible update options.
Key Benefit: Efficient, flexible bulk updates for better governance.

✅ SAP Audit Management
A) Import Master Data from PC/RM in Same System
Simplifies data management and integration without RFC setup.
Key Benefit: Reduces complexity and maintenance.

B) Consolidate Email Notifications for Multiple Actions
Groups related notifications for streamlined communication.
Key Benefit: Reduces email clutter and enhances focus.

C) Audit Coverage Overview Page
Provides a comprehensive visual view of audit coverage.
Key Benefit: Improves transparency and strategic planning.

D) Share Recommendations by Different Findings
Enables targeted recommendations and collaborative problem-solving.
Key Benefit: Enhances relevance and customization of audit feedback.

E) Integrate Audit Process with SAP Workflow
Track audits via Fiori apps and workflows.
Key Benefit: Streamlines processes and reduces manual tasks.

F) Enhanced Survey Capabilities
Supports more question types and score mapping.
Key Benefit: Improves flexibility and depth of audit surveys.

G) AI-Supported Audit Report Summary
Leverages AI to generate tailored audit summaries using prompts.
Key Benefit: Enhances report relevance and utility.

🌟 Why This Matters
These innovations empower compliance teams to:
Improve operational efficiency
Reduce manual effort
Gain actionable insights through AI
Ensure robust governance across processes

💬 What do you think about these new SAP Assurance & Compliance features?
Drop your thoughts in the comments or reach out if you’d like to explore these capabilities further.

🚀 SAP GRC 2026 Risk Management - New Features

2025-10-17T16:28:01.138000+02:00

🚀SAP GRC 2026 Risk Management - New Features -

SAP is redefining risk management with a new version focused on efficiency, flexibility, and intelligence. Here’s what’s coming:

✅New Risk Analysis Type
A smarter way to assess corporate and operational risks across multiple horizons with flexible customization.

✅Multi-Stage Multi-Path Workflow
Configurable workflows tailored to business needs, supporting complex multistage and multipath scenarios.

✅Asset Entity Enhancements
New entity for BCM and Cyber Intelligence with API integration options, enabling seamless linkage to risk objects.

✅Improved User Experience with Fiori Apps
Enhanced and new Fiori apps for risk validation, activity management, and personalization—delivering consistent, user-friendly design across devices.

✅NIST Content Integration
Align with global standards through risk taxonomy provisioning based on the NIST framework.

✅AI Support – Joule Integration into KRI
Empowering businesses to identify data sources for Key Risk Indicators using AI-driven automation.

💡Why it matters:
These updates strengthen resilience, streamline processes, and bring intelligence into risk management—helping organizations stay ahead in an evolving risk landscape.

👉What feature excites you the most? Share your thoughts below!

SAP Access Management Use Cases can be enabled by SAP Gen AI

2025-10-17T16:39:58.752000+02:00

SAP Access Management Use Cases can be enabled by SAP Gen AI

1. Real-Time SoD Conflict Detection
Use Case: Instantly identify Segregation of Duties (SoD) conflicts for any user.
Example: “What conflicts exist for user Jacob?”
Benefit: Immediate, accurate conflict analysis.

2. Risk-Based Role Review
Use Case: Review roles based on actual risk exposure and usage.
Example: “Show me users with SOD risk conflicts”.
Benefit: Prioritize remediation based on real impact, not theoretical risk.

3. Usage-Based Role Optimization
Use Case: Identify unused roles or transactions to streamline access.
Example: “Who has Z_FB02 but never used FB02?”
Benefit: Reduce access footprint and license cost by removing unused permissions.

4. Impact Simulation for Role Changes
Use Case: Simulate the effect of removing a transaction or role.
Example: “If I remove FB02 from Z_FB02, who else is affected?”
Benefit: Avoid unintended disruptions by previewing changes.

5. Alternative Role Suggestions
Use Case: Recommend safer role alternatives.
Example: “What alternative roles could work instead of Z_FB02?”
Benefit: Accelerate remediation with validated, low-risk role options.

6. Executive Risk Reporting
Use Case: Explain access risks in business terms to leadership.
Example: “Explain our P2P risks to the CFO”
Benefit: Translate technical risks into business impact scenarios (e.g., fraud potential).

7. Visual Risk Mapping
Use Case: Generate visualizations of risk across business processes.
Example: “Create a visualization of the risk in the process flow”
Benefit: Improve stakeholder understanding and audit readiness.

8. Automated Audit Response
Use Case: Generate audit-ready reports and remediation plans.
Example: “Generate a slide deck for our SoD remediation progress”
Benefit: Save time and ensure completeness in compliance reporting.

9. Access Governance Across Hybrid Landscapes
Use Case: Manage access across on-premises and cloud SAP systems.
Example: “Show SoD violations across Cloud SAP S4 Hana systems and ECC systems”
Benefit: Unified view of access risks across environments.

10. Token-Efficient AI Conversations
Use Case: Enable deep AI reasoning without exceeding context limits.
Example: “Summarize top 5 risks by transaction volume”
Benefit: Fast, cost-effective AI interactions using pre-analyzed data.

🧭 Strategic Shift for Security Teams
Instead of being data gatherers, teams become strategic risk managers:
Focus on decision-making, not data extraction.
Use AI to triage, simulate, and remediate access risks.
Maintain audit readiness with minimal manual effort.

XPORG and XEORG authorization fields are not being restricted to assigned values

2025-10-24T08:56:47.475000+02:00

Hello,

I am currently working on a project where the customer has made XPORG (Purchasing Organization) and XEORG (Planning and Execution Organization) organizational authorization fields. However, end users are able to see values outside of what is assigned to them in these fields.

When I checked user trace, I found that a user going into a transaction that would have an authority check for these fields is not passing an authority check or at least it is not being logged by user trace. Does anyone know what I can do to make sure users do not access values beyond those assigned to them for these two specific fields?

To give some additional information:
- Correct authorization has been given to users and roles do not contain the values they are able to access
- There are no XPGRP (Purchasing Group) and XEGRP (Planning and Execution Group) values added to the system

IAS-IPS (SAP Security)

2025-11-07T15:28:51.630000+01:00

IAS & IPS

Content :

SAP Identity Authentication Service (IAS)
SAP Identity Provisioning Service (IPS)
Real World Scenario

SAP Identity Authentication Service (IAS)

IAS is SAP’s cloud-based authentication service.

Its core job is to make sure “the right user logs in securely to the right SAP application.”

Think of IAS as the gatekeeper.

What IAS Does

Authenticates Users (Login / Sign-in)

IAS verifies user identity when they try to log in to:

SAP BTP
SAP SuccessFactors
SAP Ariba
SAP Analytics Cloud
SAP S/4HANA Cloud
Any custom application connected to IAS

It checks:

Username + Password
Multi-Factor Authentication (OTP, SMS, Email, Authenticator App)
Certificates
Biometrics (via device IdP)

Single Sign-On (SSO)

IAS supports:

SAML 2.0
OAuth 2.0
OpenID Connect (OIDC)

So your users log in once and access all SAP apps without logging in again.

Acts as an Identity Provider (IdP)

IAS can serve as

Primary IdP

IAS handles authentication directly

Proxy IdP

IAS redirects authentication to:

Microsoft Azure AD
ADFS
Okta
Ping Identity
Any SAML-based IdP

IAS becomes the bridge between SAP systems and corporate identity providers.

Conditional Authentication Policies

IAS can decide:

Who can log in
From where
Under what conditions

Examples:

Allow MFA only when user logs in from outside office
Block login from certain countries
Force password reset for risky accounts
Apply SSO only for trusted devices

User Store (Identity Directory)

IAS stores user accounts, including:

Username
Email
First Name / Last Name
Groups
Password (if local authentication)

Note : BUT IAS does NOT create users automatically — IPS usually does provisioning.

Authorization Pre-Processing (via Groups → Mappings)

IAS can assign groups, and these groups can be mapped in target apps (like SAP BTP) to give role collections.

IAS Group = “FinanceUsers”

→ Mapped to

BTP Role Collection = “Finance App Access”

But IAS itself does NOT assign app roles.

Note : IAS group can only be mapped to BTP role collections, not to PFCG Role etc.

Branding & Custom Login Pages

IAS allows full customization of login screens:

Company logo
Color theme
Background
Messages
Terms & conditions

Security Enforcement

IAS applies:

Password policies
MFA rules
Account lockout rules
Device trust
Risk-based authentication

What IAS Does NOT Do

IAS does NOT create users(IPS or external IdP does)
IAS group does NOT assign roles in S/4, SAC, Ariba, etc.
IAS does NOT do provisioning(IPS does)
IAS does NOT perform GRC / SoD checks(IAG does)

SAP Identity Provisioning Service (IPS)

IPS is SAP’s central user provisioning and synchronization service.

It moves users from one system to another, ensuring that user accounts, attributes, and group/role assignments stay consistent across:

SAP BTP
IAS (Identity Authentication Service)
SAP S/4HANA Cloud
SAP Ariba
SAP SuccessFactors
SAP Analytics Cloud
Azure AD, Okta, Ping, etc.

Think of IPS as the “delivery service” for user accounts.

What IPS Does

Creates Users in Target Systems

IPS automatically provisions users into multiple systems.

Example:
SuccessFactors → IPS → IAS → BTP → S/4HANA

IPS can create user accounts in:

IAS
SAP BTP
S/4HANA Cloud
SAP Ariba
SAP Concur
SAP Analytics Cloud (via SCIM)

Updates User Attributes

If an employee changes department, email, manager, etc., IPS updates the data in all connected systems.

Example:
SuccessFactors updates → IPS sync → IAS/BTP/S4/Ariba update

Deletes / Deactivates Users

When an employee leaves the company, IPS can mark them inactive or delete their user account.

Maps and Transforms Attributes

IPS allows:

Attribute mapping
Attribute transformation
Conditional provisioning

Example:
IF user.department = "Finance" → assign group “FIN_USERS”

Assigns Groups / Roles (but not everywhere)

IPS can assign:

IAS Groups
BTP Role Collections
S/4HANA Business Roles
SAP Ariba groups
SAC roles (via SCIM)

But only where system supports it.

Connects to Many Identity Sources

IPS can read users from:

Azure AD
SuccessFactors
IAS
LDAP
Okta
On-premise systems (via Cloud Connector)

What IPS does NOT do

IPS does NOT Authenticate Users (IAS does)

Real World Scenario

Company:

A global manufacturing company using:

SAP SuccessFactors (HR system of record)
SAP BTP (custom apps, Integration Suite)
SAP S/4HANA Cloud (ERP)
SAP Ariba (Procurement)
SAP IAS (Authentication)
SAP IPS (Provisioning)
SAP IAG (Access Governance)

Scenario 1: A New Employee Joins the Company

Step 1 — Employee is Hired in SuccessFactors

HR creates a new employee: Rohan Sharma with below details

Department: Finance
Location: India
Manager: Priya Singh
Job: Accounts Payable Analyst

SuccessFactors stores all HR attributes.

Step 2 — IPS Reads Rohan’s Data from SuccessFactors

IPS acts as the "provisioning engine."

Flow: SuccessFactors → IPS → IAS

IPS automatically:

Reads new user
Maps attributes
Creates user in IAS
Assigns IAS group “Finance_Employees”
Pushes email, username, and department

Step 3 — IAS Creates User Entry + Prepares Authentication

IAS now has user:

Username: rohan.sharma
Email: rohan.sharma@company.com
Group: Finance_Employees
Status: Active

IAS does NOT assign roles.

IAS only sets up login policies:

MFA required
Corporate SSO allowed
Conditional rule: India region → allow password login

Step 4 — IAG Triggers Access Request Workflow

Rohan needs access to:

SAP BTP Finance App
S/4HANA Finance Business Roles
Ariba Buyer Role

In large companies, users cannot get access automatically,they must request access via IAG.

Flow:

Rohan goes to IAG Access Request Portal
Selects: "Finance Analyst Access Package"
Request goes to Manager (Priya Singh)
IAG performs SoD checks  No conflicting roles  No risk
Manager approves

Step 5 — IAG Sends Provisioning Action to IPS

After approval:

IAG → IPS → Target Systems

IPS now provisions the approved roles

In SAP BTP: Assigns BTP Role Collection:

Finance_Analyst_RoleCollection

In S/4HANA Cloud: Assigns Business Roles:

AP_STANDARD

FIN_POSTING

FIN_DISPLAY

In SAP Ariba: Assigns Ariba group:

Buyer_Professional

Step 6 — Rohan Logs In to SAP Systems

Rohan logs in to:

SAP BTP App

IAS checks login
IAS → BTP trusts IAS
BTP picks up role collection assigned via IPS

S/4HANA Cloud

Login route:
Browser → IAS → S/4
S/4 checks Business Role assignments provisioned via IPS

Ariba

IAS federates login → Ariba validates user groups

Step 7 — Rohan Changes Department (Employee Movement)

After 1 year, Rohan moves from Finance to Supply Chain.

HR updates this in SuccessFactors.

IPS reads update
IPS updates IAS + BTP + S/4HANA + Ariba
IAG dynamically checks if old roles must be removed.
Roles get de-provisioned: Finance roles removed & New Supply Chain roles added

Step 8 — Employee Exit

When Rohan leaves company:

HR marks employee as terminated in SuccessFactors
IPS deactivates him in IAS
IPS removes roles in BTP, S/4, Ariba
IAS blocks login

User access fully revoked

How to move standalone GRC historical data be made available in the new S/4HANA embedded GRC system.

2025-11-19T04:43:33.409000+01:00

Dear Team,

We have recently completed migration from the standalone GRC system to the S/4HANA embedded GRC system. Here the historical logs and table data from the earlier standalone environment are not available in the current S4HANA embedded setup.

Customer has requested that this historical data be made available in the new S/4HANA embedded GRC system. As per our analysis- it is not technically feasible to move or replicate data from the old standalone system to the new embedded system due to system architecture and compatibility constraints.

Would like to request your kind guidance on above ask, please suggest!

Seeking Advice on Tools & Methodology for Legacy RFC User Permissions Cleanup

2026-01-06T03:45:52.366000+01:00

Hello SAP Security & Basis Experts,

We are embarking on a critical security remediation project to address over-privileged RFC users across our SAP landscape with 600+ systems. Many of these users and connections are years old, lack clear ownership, and serve various backend tasks.

Our goal is to understand what business operations each RFC user/interface actually performs and then redesign brand new ones following the principle of least privilege without disrupting genuine business processes.

There are several key challenges we meet:

1) Many RFC users were created long ago with no clear current responsible person.

2) Activities are often triggered by background jobs, making them less visible.

3) We must not miss crucial but infrequent operations (e.g., year-end financial closing), which short-term monitoring would fail to capture.

We are seeking practical advice on the following specifically:

1) Tool Recommendation: beyond native SM19/SM20 and STUSOBTRACE, what commercial or open-source tools have you successfully used for cross-system RFC user discovery, permission analysis, and activity monitoring? What are their pros/cons for this use case?

2) Methodology for business need collection: How do you practically identify the business purpose behind legacy technical RFC accounts? Are there effective techniques for correlating job schedules (SM37), interface configurations (BD64/WE20), and log data to reverse-engineer their function?

3) Capturing low-frequency activities: What is the best practice to ensure yearly/quarterly critical processes are identified? Are there technical methods to trace such execution history?

We greatly appreciate any insights, war stories, or links to useful resources you can share. Thank you for helping us!

How to handle OR logic in SAP GRC rules for SuccessFactors when actions contain many fields

2026-01-15T02:10:58.316000+01:00

Hi Experts,

I am working on building GRC ruleset for SuccessFactors, and I am facing challenges related to rule design limitations.

In GRC, the rule framework does not support OR logic between fields or objects, this is standard functionality. However, this limitation becomes difficult to handle in SuccessFactors, where a single action (for example, Employee Central data) contains a very large number of fields.

Our requirement is to define rules where OR logic is needed between multiple fields within the same action (for example, access to any one of several EC data fields should trigger the rule). Without OR logic, this leads to an explosion of rules and makes maintenance complex and inefficient.

Has anyone faced a similar challenge while building GRC rules for SuccessFactors?

What approaches or best practices are recommended in such scenarios?

Are there any design patterns, workarounds, or SAP-recommended solutions to handle this effectively?
Any guidance or real-world experience would be greatly appreciated.

Thank you in advance for your support.

Should Financial Platforms Assume User Understanding — or Technically Prove It Before Execution?

2026-01-16T22:25:49.594000+01:00

Across financial, enterprise, and transactional systems, most platforms still rely on a critical assumption:

That a user’s identity verification and acceptance of terms implies understanding.

From a systems-design perspective, this assumption feels increasingly fragile.

In high-impact workflows — payments, financial commitments, contract execution, irreversible actions — identity alone does not establish comprehension, intent, or informed consent. Yet most platforms treat it as sufficient.

My question is architectural, not philosophical:

• Should platforms remain passive recorders of identity and clicks?
• Or should they actively enforce verified comprehension before allowing execution?
• If so, where should that verification live — UI layer, middleware, or as a system-of-record?
• How would such a model integrate with existing enterprise identity, audit, and compliance frameworks?

I’m interested in how SAP architects and enterprise developers think about this tradeoff as systems move toward higher automation, AI-driven decisions, and irreversible digital actions.

Is “assumed understanding” still defensible at scale — or is it a design gap waiting to be formalized?

GRC Process (Governance Risk Compliance)

2026-01-17T12:32:24.541000+01:00

Hi Experts ,

I have a GRC process requirement where in i have to automate the planner system in NWBC Tcode.

while creating the plan, Workflow is triggering and object id is also generating but unable to create the plan. can anyone know about the class which has to be to use for saving the data or table where we can see?

GRC process requirement where in i have to automate the planner system in NWBC

2026-01-28T11:32:11.598000+01:00

Hi Experts ,I have a GRC process requirement where in i have to automate the planner system in NWBC Tcode.while creating the plan, Workflow is triggering and object id is also generating but unable to create the plan. can anyone know about the class ...

Custom Fiori Apps hosed in Workzone are not compatible with GRC 12 EAM (Firefighter)

2026-02-09T12:26:26.504000+01:00

How do others manage logging of Custom App usage in S/4HANA using a EAM Firefighter approach given that Workzone is not compatible with GRC EAM?

Are you using IAG to bridge this gap or getting around it with a workaround that the auditors are happy with?

Password self service in GRC Access control is not working for the lower case user ids.

2026-02-18T08:18:31.387000+01:00

Hello - We have an issue where password self service in GRC Access control is not working for the users who are having their user ids in the lower case. It gives error after selecting the target system for password "User ID xxxx does not exist". Our GRC system is recently upgraded to SP29 and post that this issue has occurred.

Can someone please help here.

Facing issue with Decentralized FFID

2026-02-25T12:34:12.831000+01:00

Hi Folks,

I am logging into the SAP system using my user ID and ran the transaction /GRCPI/GRIA_EAM.

I could see the list of Firefighters assigned to me, so I clicked the Logon button for one of the Firefighter IDs.

I then entered the reason code and activity details, and clicked the checkmark to open the Firefighter session.

After this, FFID remote window is not opening at all. Could you anyone please help here.