Real Time Problem Resolution: GRC AC User Provisioning

Problem: Unable to create a user in GRC Access Control (AC) 10.0 without assigning any roles.

[Screenshot captured 8-21-2013 2:38:29 PM]

Solution: The configuration setting that controls this can be changed in the IMG.

SPRO -> Governance, Risk and Compliance -> Access Control -> User Provisioning -> End User Personalization

Open “Maintain EUP Fields” and scroll until the EUP description “Roles” is present. The “Mandatory” field for that entry needs to be changed from “Yes” to “No”.

[Screenshot captured 8-21-2013 2:44:44 PM]

Bring it to the next level: These settings can also be made client-specific.

Kudos to Brian Merkel (@SAPMerk) and Brandon Myers (@b_donmyers) for tracking down the answer.

Got a problem? Tweet at us! @PostGradSAP #readysetsolve Home girl never backs down from a challenge.

There’s no I in TEAM,



Ongoing Legislature: Surviving an SAP Security Audit (Part 3)

Ok, so here’s the deal:

1. We’ve got a “clean slate.” Our roles are “SoD free” or compensating controls (manual or automated) have been implemented for unavoidable risks.

2. Documented policies and procedures have been put in place for user administration and role remediation activities.

3. Roles are being managed based on functional business processes.

What we need now is to start thinking ahead of the curve. Channel Steve Jobs, Al Gore, Martin Luther King. Forward motion my friends. We are all in need of a scalable system that can handle growth and will aid the organization in compliance efforts long-term. Stage 1 and Stage 2 will get you through your audit, but they won’t help you survive the next one or the one after that. As for scalability, no one ever implemented a software solution such as SAP without the intention or will to grow (last time I checked money doesn’t grow on trees and ERP costs a pretty penny).

Stage 3 provides the organization with the tools and strategies to aid in securing vital business data and upholding system stability and compliance long-term.

For organizations that do not deploy GRC, it is essential to have a central repository to manage approvals and changes that have been executed in the SAP landscape. A repository can be used as an in-house audit tool to track change logs or actions that have been taken against mitigating controls. However, risk-monitoring methods are only valuable if companies have been able to appropriately assess not only risk priority levels but also the effectiveness of controls that are in place.

Another growing concern for savvy organizations is the need for information in real time. Many companies have employed detective controls, which do not allow for a proactive approach to SAP security risks. Detective controls are valuable with regard to reporting and analytics, but with the onset of competition in the environment via cloud and mobility comes an increased need for preventive measures and risk-monitoring efforts.

Through the use of GRC access controls, organizations can preemptively identify risk events by integrating mandatory SoD analysis into the automated workflow process. The same functionality also applies to business role management, whether modifying an existing role or creating new roles that may have inherent violations. Emergency Access Management securely provisions “firefighter” capabilities to users via an automated workflow complete with audit trails. Furthermore, user access review functionality dictates the periodic review of user security and puts the responsibility for user access back into the hands of the business. All of the above allow for greater ease of collaboration between business and IT and make all parties key stakeholders within the process.

The most critical aspect of surviving SAP Security Audits is the following: Take ownership of your SAP Security Landscape. No one should be losing sleep over an SAP security audit, but a lack of transparency can lead to uncertainties surrounding the business. The greatest concern, understandably, is the need for increased visibility into the cumulative nature of a user’s access in business terms. All big businesses have unavoidable risks; the key is being able to demonstrate knowledge in this realm and articulate the action plan which minimizes reintroduction to risk exposure.

The above information is not comprehensive, but rather a brief overview of the general approach in order to survive an SAP Audit. For questions, comments or knowledge on how we can make this a reality for your organization, please reach out to me directly…

Living the dream,



Where in the World is PostGradSAP?


Every working girl needs a vacation. It’s great to be back to the blog, but also bittersweet, as I spent the last week touring Israel and celebrating JJ’s cousin’s nuptials. HUGE Mazel Tov to T&D! When in Rome (or Jerusalem)… L’Chaim! To Life!

Left to Right: View of the Mediterranean from the hotel in Tel Aviv, Handmade artwork at the open market, The BEST chocolate ruggalah, Old City tunnels in Jerusalem, The city streets, Traditional Israeli salads on our first night.

Bought myself my first DSLR camera! Nikon D3100… hoping to share many more memories with you in the years (and posts) to come!

Political Reform: Surviving an SAP Security Audit (Part 2)

The second step in surviving an SAP Security Audit requires the organization to use the information collected in Step 1 to create a collaborative action plan per the pre-determined remediation requirements.


It’s at this time when we have to start asking those tough questions… the ones no one likes to hear. You’ve gotten to the point in your SAP romance where someone’s going to seek you out, “I think it’s time we had a little chat,” which quickly turns into “What are your intentions with my daughter?” The hard stuff, so-to-speak. “SON, IT’S TIME TO MAKE A COMMITMENT.” 

Stage 2: Political Reform requires that one be able to not only answer the tough questions, but be able to provide a suitable approach, which is well defined and documented in order to clean up the blaring deficiencies identified in Stage 1.

We all know one-too-many politicians who have made un-fulfilled promises. Well my friends, the time for action is now.

The Tough Questions, The Answers, and the Systematic Approach to Reformation:

Political reform refers to the need to make modifications to the current role design, role management methodologies, or user provisioning process. This can lead to a need for clearer definition of jobs and responsibilities in the SAP landscape. Additionally, it may require previously grouped tasks to be separated across individuals within an organization to avoid inherent SoD conflicts. For some companies, the greatest challenge in prioritizing SAP security is the need for increased collaboration between the business and IT. This collaboration can lead to more defined requirements regarding ownership of SAP roles and critical permissions across functional areas within the organization.

Political reform allows the organization to right the wrongs of the past by doing an overhaul that mirrors the concerns of the auditors. There are many proprietary tools in the SAP ecosystem that will highlight SoD violations inherent in your role design and by user master record. Furthermore, the use of automated (GRC AC) or manual controls that are embedded within the functional business processes will allow for a greater ease of use in regards to compensating controls for unavoidable risks, user provisioning and role management.

Stage 2 Steps:

1. Task-based role design approach

2. Remove avoidable risks that are inherent in any given role

3. Restructure job responsibilities and assign access based on the “rule of least privilege” to avoid risks in individual User Master Records

4. Assign compensating (mitigating) controls to unavoidable SoD risks

5. Automate the user provisioning process and provide traceable workflow capabilities for Role changes and User Master Record changes

6. Protect the SAP Security Landscape further by securing critical transactions and permissions and by utilizing industry standards for securing custom tables and custom code, SAP default users, etc. Remediation efforts from a system-wide settings standpoint, including password rules and default parameters, are just as vital as minimizing SoD risks.
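To make Steps 2 through 5 concrete, and to show what the Part 3 post means by analysing the “cumulative nature of a user’s access”, here is an added example that is not part of the original post and not GRC Access Control code. It models a small SoD ruleset the way a GRC-style check does: business functions are sets of transactions, a rule names two functions one person must not hold, roles are checked for inherent conflicts (Step 2), user master records are checked across all assigned roles (Step 3), mitigating controls are attached to unavoidable risks (Step 4), and a preventive simulation shows what a workflow would flag before a new role is saved (Step 5). All role names, users, transaction sets, rules and control IDs are constructed sample data, not taken from any real system.

```python
from typing import Dict, List, Optional, Set, Tuple

# --- Constructed sample data (illustrative only, not from any real SAP system) ---

# Roles and the transaction codes they grant (hypothetical Z_* role names).
ROLES: Dict[str, Set[str]] = {
    "Z_AP_VENDOR_MAINT": {"XK01", "XK02"},          # create / change vendor master
    "Z_AP_INVOICE_POST": {"FB60", "MIRO"},          # post vendor invoices
    "Z_AP_PAYMENT_RUN":  {"F110"},                  # execute payment run
    "Z_AP_DISPLAY":      {"XK03", "FB03"},          # display only
    "Z_AP_ALL":          {"XK01", "FB60", "F110"},  # legacy role with inherent SoD conflicts
}

# Business functions expressed as the transactions that enable them.
FUNCTIONS: Dict[str, Set[str]] = {
    "VENDOR_MAINT": {"XK01", "XK02"},
    "INVOICE_POST": {"FB60", "MIRO"},
    "PAYMENT_RUN":  {"F110"},
}

# SoD ruleset: two functions one person must not hold together, with a risk level.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("VENDOR_MAINT", "INVOICE_POST", "High"),
    ("VENDOR_MAINT", "PAYMENT_RUN",  "High"),
    ("INVOICE_POST", "PAYMENT_RUN",  "Medium"),
]

# User master records: user -> assigned roles (constructed).
USERS: Dict[str, List[str]] = {
    "JSMITH": ["Z_AP_VENDOR_MAINT", "Z_AP_DISPLAY"],
    "AJONES": ["Z_AP_INVOICE_POST", "Z_AP_PAYMENT_RUN"],
    "BLEE":   ["Z_AP_DISPLAY"],
}

# Compensating (mitigating) controls assigned per user and rule for unavoidable risks.
MITIGATIONS: Dict[Tuple[str, str, str], str] = {
    ("AJONES", "INVOICE_POST", "PAYMENT_RUN"): "MC-AP-01: monthly payment-run review by AP manager",
}

# (function_a, function_b, risk level, mitigating control or None)
Conflict = Tuple[str, str, str, Optional[str]]


def functions_in(tcodes: Set[str]) -> Set[str]:
    """Business functions that a set of transactions enables (any overlap counts)."""
    return {name for name, needed in FUNCTIONS.items() if tcodes & needed}


def conflicts_in(tcodes: Set[str], owner: str = "") -> List[Conflict]:
    """Evaluate every SoD rule against a set of transactions.
    owner is used to look up assigned mitigating controls (empty for role-level checks)."""
    held = functions_in(tcodes)
    found: List[Conflict] = []
    for fa, fb, risk in SOD_RULES:
        if fa in held and fb in held:
            found.append((fa, fb, risk, MITIGATIONS.get((owner, fa, fb))))
    return found


def role_conflicts(role: str) -> List[Conflict]:
    """Step 2: SoD risks inherent in a single role, regardless of who holds it."""
    return conflicts_in(ROLES[role])


def cumulative_access(user: str) -> Set[str]:
    """Everything the user can reach across all assigned roles (the 'cumulative' view)."""
    tcodes: Set[str] = set()
    for role in USERS[user]:
        tcodes |= ROLES.get(role, set())
    return tcodes


def user_conflicts(user: str) -> List[Conflict]:
    """Steps 3 and 4: SoD risks in the user master record, with any mitigation attached."""
    return conflicts_in(cumulative_access(user), owner=user)


def unmitigated(user: str) -> List[Conflict]:
    """Risks with no compensating control: what an audit would flag as open."""
    return [c for c in user_conflicts(user) if c[3] is None]


def simulate_assignment(user: str, new_role: str) -> List[Conflict]:
    """Step 5 (preventive): unmitigated risks that adding new_role would introduce,
    evaluated before the assignment is saved, as a provisioning workflow would do."""
    tcodes = cumulative_access(user) | ROLES.get(new_role, set())
    return [c for c in conflicts_in(tcodes, owner=user) if c[3] is None]


if __name__ == "__main__":
    for role in ROLES:
        print(f"role {role}: {role_conflicts(role)}")
    for user in USERS:
        print(f"user {user}: {sorted(cumulative_access(user))} -> {user_conflicts(user)}")
    print("JSMITH + Z_AP_PAYMENT_RUN ->", simulate_assignment("JSMITH", "Z_AP_PAYMENT_RUN"))
```

The point the example makes is that a clean role (Z_AP_VENDOR_MAINT has no inherent conflict) can still produce a user-level violation once it is combined with other roles, which is why the check must run on the cumulative access of the user master record and again at provisioning time, and why an assigned mitigating control changes the outcome of the check rather than the underlying access.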

Stage 2 provides the organization with a clean, controlled environment, around which we can outline the objectives and the corresponding procedures to maintain control long-term. In the final installment of this series, I will provide an overview of ongoing legislature that will enable an organization to take ownership of its SAP environment and protect itself from reintroduction to risk exposures.

The above information is not comprehensive, but rather a brief overview of the general approach in order to survive an SAP Audit. For questions, comments or knowledge on how we can make this a reality for your organization, please reach out to me directly…

I got 99 problems but commitment isn’t one,