SAP Community - Governance, Risk, Compliance (GRC), and Cybersecurity

Mass Maintenance of Mitigation Control Owners - Invalid Old Owner Error

2024-02-07T22:21:01.842000+01:00

Hello,

I am trying to perform mass maintenance in GRC using Mass Maintenance of Mitigation Control Owners. I am getting an "invalid old owner" status message when I import the XML file.

I have verified the old owner and new owner are setup appropriately within Access Control Owners and are assigned to the organization. The old owner is still an active user.

Could you please help me with this?

Thanks

Is there anyway where we can see the user license details from GRC to the connected systems ?

2024-02-12T19:36:49.165000+01:00

Upload format for BPC ARA Ruleset in SAP GRC

2024-02-21T23:29:16.114000+01:00

We want to connect our BW/BPC system with GRC in order to be able to assign roles from GRC. However, right now we are doing risk analysis manually wherein go forward we want to include BPC risks as well in our GRC ARA ruleset but unable to find out the way to do this.

------------------------------------------------------------------------------------------------------------------------------------------------
Learn more about the SAP Support user and program here.

Advanced Technologies in TBML Detection

2024-04-03T12:00:30.180000+02:00

The battle against Trade-Based Money Laundering (TBML) is ongoing, with criminals continuously devising new methods to exploit loopholes and disguise illicit funds within legitimate trade transactions. However, advancements in technology are offering significant advantages in detecting and deterring TBML activities. Here's an exploration of some of the latest advancements:

Graph Neural Networks (GNNs): Untangling the Web of Deceit

Graph Neural Networks (GNNs) are tailored to analyze complex networks, making them instrumental in TBML detection:

Identifying Shell Companies: GNNs analyze the network of companies to detect unusual connections that may indicate shell company activity.
Unveiling Money Laundering Networks: By analyzing financial transactions, GNNs help map out TBML networks and identify key players.
Predicting Risky Trade Routes: GNNs analyze historical data to predict high-risk trade routes, aiding authorities in focusing their resources effectively.

Explainable AI (XAI) for TBML Detection: Trust and Transparency

Explainable AI (XAI) techniques provide transparency into AI models' decisions, ensuring trust and fairness:

Identifying Biases: XAI helps identify biases in AI models, ensuring fairness in flagging suspicious activities.
Improving Model Performance: By understanding why a transaction is flagged, analysts can refine AI models for better accuracy.
Building Trust: XAI fosters trust by offering clear explanations for AI model decisions, instilling confidence in stakeholders.

Natural Language Processing (NLP) with a Focus on Deception Detection

NLP analyzes communication between parties involved in trade transactions to identify deception:

Sentiment Analysis: NLP detects suspicious communication patterns through sentiment analysis of trade communications.
Identifying Obfuscation Techniques: NLP identifies linguistic patterns indicative of attempts to obfuscate transaction details.
Deception Detection in Trade Narratives: Advanced NLP analyzes trade narratives for inconsistencies or emotionally charged language signaling TBML.

The Future of TBML Detection: A Collaborative Ecosystem

These technologies represent advancements in TBML detection, but success requires collaboration:

Data Sharing: Secure data sharing between financial institutions, law enforcement, and regulatory bodies is crucial.
Global Collaboration: International cooperation is vital to effectively combat TBML across borders.
Continuous Learning: Continuous research and training are necessary to stay ahead of evolving TBML tactics.

While these technologies offer promising avenues for TBML detection, they must be balanced with considerations of accuracy, privacy, and ethical use. By harnessing the power of advanced technologies and fostering collaboration, we can create a more secure financial ecosystem, making it increasingly challenging for criminals to exploit trade for illicit purposes.

pls share the t code for update invoice no and date

2024-04-03T15:38:45.926000+02:00

pls share the t code for update invoice no and date

Access Request role search restriction using GRAC_ROLP and Rolename

2024-04-03T17:42:30.139000+02:00

Hi All, We have a business requirement where we are trying to restrict the roles a requestor can select while submitting an access request. In order to achieve this I'm trying to restrict the role selection using the auth object GRAC_ROLEP and Role name. In BRM we have Business roles named as ***** DENMAK , *** SWEDEN. I'm trying to use a string in the Role name however I'm getting the error- Unsuitable generic input for authorization changed. I came across sap note -3195139 regarding the error. Could someone assist me to know how can I achieve this?

Many Thanks,

Regards,Nandita

Common Master data and Master data for access control, access analysis in IAG

2024-04-05T22:14:09.627000+02:00

I am implementing IAG for one of my clients. I have most of the configuration but am stuck at maintenance of common master data and master data separately for access analysis, access control and PAM. I am not sure where do I have to maintain that data. Any help will be highly appreciated.

Security Activities to be performed in GRC system as we have migrated to S/4 HANA from ECC

2024-04-08T12:57:49.926000+02:00

Hello All,

Can anyone please explain the Security activities to be performed in GRC system as we have upgraded our system to S/4 HANA from ECC.

BR,

Lokesh T

access risk analysis

2024-04-08T16:24:07.825000+02:00

Hi Governance, Risk, Compliance (GRC), and Cybersecurity

We have a requirement from client where he wants to use ARA component. However the backend system is very old and uses only Profiles instead of Roles. Could you please confirm whether it is possible to implement ARA for only Profiles and if yes any idea about what things we need to take care or what issues we may face ?

Thanks in advance.

GRC Process Control: How CCM can be leveraged to monitor HANA Databases

2024-04-09T22:09:36.164000+02:00

Introduction:

HANA databases often serve as repositories for organization's critical financial data, making them subject to stringent regulatory requirements such as SOX. Leveraging SAP GRC Process Control Continuous Controls Monitoring (CCM) module provides an effective solution to record and monitor database activities in real-time. This article comprehensively covers the steps to setup an automated control in GRC PC for HANA database. I am taking the below real time use case and creating an automated ITGC control in PC to monitor HANA Database and report the exceptions.

Use case:

The HANA Database administrators often make configuration changes in HANA DB such as parameters related to memory allocation, disk storage, network settings, security configuration, etc. Such changes are generally allowed to be happened using SYSTEM account. In this case, there's a need to have a control to review who actually used the SYSTEM account and made the changes to meet the SOX compliance objectives. GRC PC can be leveraged to automate the control monitoring and reporting by following below steps.

I am using the standard view "SYS.M_INIFILE_CONTENT_HISTORY" that stores the database global parameters (refer below screenshot). The field USER_NAME shows the actual database user id who made the change and APPLICATION_USER_NAME is the one who used the DB user (USER_NAME) to make the change and APPLICATION_NAME shows the application where the change is initiated from like HDBStudio, HANa Cockpit or from OS level etc.

Let's say only the SYSTEM user is allowed to make configuration changes. The control requirement is to review the logs at the end of each month and report any changes made by the users other than SYSTEM.

Let's define a control in PC and automate monitoring. To achieve it, perform below steps.

Create a calculation view in HANA database to list the configuration changes and send it to process control.
Establish a connection between PC and HANA Database and assign the connector to Integration scenario "AM"
Create a Data source in PC
Create a Business Rule in PC
Create an automated Control in PC and assign the owner (agent)
Assign business rule to the control.
Schedule an automated monitoring job

Pre-requisites:

GRC system - At least on 10.1 (Please refer to SAP Product Availability Matrix for more information)
GRC Plugin to be installed on HANA Database - Delivery Unit Deployment (Ref: 2589878 - Installing or upgrading HANA GRC Plug-in - SAP for Me)

Create a calculation view in HANA database:

GRC process control can read only the calculation view result returned from the Hana data base. So, you need to create a calculation view in Hana database by including the columns from the view to be returned. (Best practice is to minimize the amount of data to be passed to PC by applying conditions and calculations at HANA database side rather than passing large chunk of data to PC and apply the filters and calculations there).

Limitations:

PC supports only "SQL Script" type calculation view.
PC supports only four datatypes - DATE, INTEGER, NVARCHAR and DECIMAL. If any fields of other datatype, their type to be converted to one of the supported data type.
Calculation view must have at least a measure field.

Here's a sample script for calculation view.

Note: Customers who have Enterprise HANA is in place (do not allow development on HANA tenant databases) can achieve this by creating virtual tables. (I am going to cover this with another use case very soon)

Establish a connection between PC and HANA Database:

Create HANA Database connector in GRC system using the transaction code DBCO
Create a connector using SM59 (type: "L")
Define Connector and Connector group in GRC and assign the connector to connector group.
Maintain Connection settings - assign the Hana DB connector to the integration scenario (AM - automated monitoring")

The remaining steps are common for all automated controls. I am going to cover those steps in a separate blog.

Hope you enjoyed reading this blog. In case of any queries, let me know in comment or get in touch with me at LinkedIn or email.

Access Request Completion on Wrong System

2024-04-15T16:51:11.856000+02:00

Hello,

Scenerio:

Creating a access request in our development system, should assign the requested role(s) in our development system, instead, it assigns it in our Production environment.

We have global provisioning settings as we connect to more then one system but only use access request for one.

Correct default connector assigned to connector group (production system is not even configured here).

In our access request form, we can select by system and it provides all the roles available in our development environment, System and system description fields properly state development environments.

Can anyone tell me how SAP determines where to provide the roles, perhaps a workflow I am not finding or BRFplus? I figure I can just use system specific provisioning and it will assign the access in the correct system.

How to use 2 IAS tenants in single GRC-IAG bridge for access provisioning in Nonprod and prod system

2024-04-17T15:22:43.486000+02:00

Is it possible to use 2 different IAS (Non-Prod & Prod) tenants in single GRC-IAG bridge setup.

If yes, how GRC system will identify which IAS to check if single GRC-IAG Bridge system is used for access provisioning to both Non-Prod or Production cloud systems as both cloud systems will have different IAS tenants as source for user data.

Mass Upload for Access Control Owners

2024-04-30T11:58:39.518000+02:00

Dears,

Is it possible to mass upload or mass management for access control owners ?

I have over one hundred user for need to be select as a role owner but it is takes too long made one by one, i want to mass change if it possible user-role owner assignment.

Please share comments,

Best Regards,

Send E-Mail When Cancel Access Request

2024-04-30T15:41:28.814000+02:00

Dears,

We want to send an email to related user when cancel the access request.

Cancel option does not exist in msmp notification settings:

Please share your comments for solitions, Is it possible ?

Best Regards,

TRM(Treasury management ) risks and functions for SAP IAG or GRC

2024-04-30T21:43:55.370000+02:00

Hi Guys, can anyone share TRM(Treasury management ) risks and functions for SAP IAG or GRC.I have to implement it but have not idea. I saw a post by madhusap by he didn't give the risks or functions. Would really appreciate any help

Risk is not appearing in Risk analysis Screen

2024-05-03T08:20:35.716000+02:00

Hello Experts,

Good day.

In Access risk analysis (ARA)If two different transactions given to the user wontedly , user having risk . But when doing risk analysis to the user risk is not appearing in the Risk analysis screen what is the reason.

Regards

Abhiram

Mitigation issue in Access Risk analysis

2024-05-06T09:14:44.993000+02:00

In Access Risk Analysis , In Mitigation I Removed the risk from the user but while doing Risk analysis still risk is appearing what is the issue?

Can any one give reply to the above issue.

Regards,

Abhiram

Provisioining Profiles through GRC 12

2024-05-09T09:21:54.293000+02:00

Hi Team,

We have a requirement by client where we need to provision Profiles ( since backend system does not have roles) through GRC 12 ARM. Any idea how it can be implemented.

Thanks

Governance, Risk, Compliance (GRC), and Cybersecurity

What is the function of "Show All Objects" within the GRC ARA user level risk analysis?

2024-05-15T08:36:11.277000+02:00

Under the section Report Options within the User Level risk analysis it is possible to select Show All Objects.

However when running the analysis with or without the Show All Objects selected, the outcome at my side seems the same.

Can anyone explain what this function of Show All Objects should do?

No Audit logs for access request

2024-05-20T12:12:32.131000+02:00

Hi,

We are facing issue while submitting access request for FFID there is no rule execution and hence no audit trail is available for request. Request is just showing in pending status without moving forward. Screenshot is attached. Kindly suggest.

Governance, Risk, Compliance (GRC), and Cybersecurity SAP GRC Firefighter for SAP NetWeaver SAP GRC Access Approver