Achieving Collaborative GRC Accountability: the Power of Convergence

Check out this article on “Corporate Compliance Insights” written by yours truly!


Here’s a great blog article I found that puts SAP HANA into perspective. For anyone like me who is “lost in all the marketing and technical jargon…”

Every new beginning comes from some other beginning’s end.

Hello friends!

Long time no hablamos (no talk). Few things to catch you up on…

I spent the last week in Peru with Josh, Allyson and Brian petting llamas, eating alpaca and guinea pig (seriously) and hiking Machu Picchu.

Machu Picchu: The Wonder of the World

I recently submitted the second chapter of my book to my publisher for review. You can pre-order the “Beginner’s Guide to SAP Security and Authorizations” on Amazon here.

And the third and final bit of news… after 4 years at itelligence I decided to take a new position at a large firm. The whole transition has been bittersweet, but ultimately this was the best decision for my family (aka the dog and the cat) and my career. In my new role, I will be taking on the position of managing consultant, in which I will be leading SAP Security and GRC implementation teams here in the United States and abroad. Wish me luck! I promise to keep you all satiated with lots of new tips and tricks of the trade that I pick up along the way.

Te amo mucho (I love you lots),


Don’t miss our upcoming webinar “What’s New In SAP GRC 10.1.”


This solution can be leveraged to extend and add value to your SAP Access Control investment, including SAP Process Control and SAP Risk Management.

During this webcast, you will have a clear understanding of:

  • Preparing your system landscape and architecture for SAP Access Control 10.x
  • Properly configuring your SAP Access Control 10.x solution
  • Requirements and capabilities of the latest versions of SAP Process Control
  • How to exploit key capabilities of SAP Process Control 10.1 to drive a business-wide compliance and process optimization program

Register today: GRC webinar


Hi there world!

Today I wanted to share a few tips and tricks with you for remediating your SoD Access Risks using GRC 10.x.

Ok, so you’ve finished your GRC Implementation and now you are able to easily query your SoD and Critical Risks. Frankly, you might be panicking… 100,000 conflicts?!!?!! In the words of my people “OY VEY!” Here’s a quick step-by-step for starting to tackle the impossible.

  1. Start from the bottom up with your roles. It is impossible to remediate your users’ access without clean roles, so a task-based role design is the best approach. Roles should be free of inherent SoD conflicts, which you can query via NWBC -> Access Management -> Risk Analysis -> Role Level.
  2. Create a critical action risk for each function that makes up your SoD risks. Run Role Level Risk Analysis as above, but this time for Critical Action Risks. Make sure that your roles are free from unintentional access that could have a financial business impact; this again comes back to a task-based role design.
  3. Be wary of assigning users roles with a lot of transactions and permissions, even if they are display only. This can cause issues because of the “borrowed authorization” concept in SAP Security: many transactions check for the same authorizations, and a user’s access cannot be viewed in a silo within a single role, because a transaction in one role can borrow permissions from another role assigned to the same user.
  4. Time to begin remediating access at the user level! NWBC -> Access Management -> Risk Analysis -> User Level. Run User Level Risk Analysis first for the Critical Action Risks created previously. Because the roles are now clean of inherent conflicts, unnecessary access should be removable through a role removal process rather than through role remediation.
  5. Now run User Level Risk Analysis again at the Permission (SoD Risk) Level. It is now possible to remediate user access by removing roles to eliminate any avoidable SoD conflicts.
  6. Lastly, assign Mitigating Controls for any remaining SoD conflicts, and ONLY for the unavoidable ones.
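As an added illustration (not code from this post or from SAP GRC), here is a minimal model of the role-level versus user-level difference behind steps 1 to 5. Every role, rule and authorization value below is constructed; the “borrowed authorization” effect appears only when the roles are merged at user level.

```python
# Added illustration, not code from this post or from SAP GRC: a minimal model of
# role-level versus user-level risk analysis. Roles, rules and values are constructed.
# A function is exercised when the subject can start the transaction (S_TCODE)
# and holds the authorization object/field/value that transaction checks.
FUNCTIONS = {
    "MAINTAIN_VENDOR": {"tcode": "XK01", "auth": ("F_LFA1_APP", "ACTVT", "01")},
    "PAY_VENDOR":      {"tcode": "F110", "auth": ("F_REGU_BUK", "FBTCH", "21")},
}
# An SoD risk is a pair of functions that must not sit with one subject.
SOD_RISKS = {"P001": ("MAINTAIN_VENDOR", "PAY_VENDOR")}

# Constructed roles: transaction codes plus {(object, field): {values}}.
ROLES = {
    "Z_AP_PAYMENTS":    {"tcodes": {"F110"}, "auths": {("F_REGU_BUK", "FBTCH"): {"21"}}},
    # "display only" role that nevertheless carries create/change activities (step 3)
    "Z_VENDOR_DISPLAY": {"tcodes": {"XK03"}, "auths": {("F_LFA1_APP", "ACTVT"): {"01", "02", "03"}}},
    # role with the create transaction but no F_LFA1_APP authorization of its own
    "Z_VENDOR_CREATE":  {"tcodes": {"XK01"}, "auths": {}},
}

def merge(role_names):
    """Union the roles' authorizations, as the user's authorization buffer does."""
    tcodes, auths = set(), {}
    for name in role_names:
        tcodes |= ROLES[name]["tcodes"]
        for key, values in ROLES[name]["auths"].items():
            auths.setdefault(key, set()).update(values)
    return {"tcodes": tcodes, "auths": auths}

def has_function(subject, func):
    obj, field, value = FUNCTIONS[func]["auth"]
    return (FUNCTIONS[func]["tcode"] in subject["tcodes"]
            and value in subject["auths"].get((obj, field), set()))

def risks(subject):
    """SoD risk IDs whose functions are all exercised by the merged authorizations."""
    return sorted(rid for rid, funcs in SOD_RISKS.items()
                  if all(has_function(subject, f) for f in funcs))

def role_level():
    """Role Level analysis: each role evaluated on its own."""
    return {name: risks(merge([name])) for name in ROLES}

def user_level(assigned_roles):
    """User Level analysis: the union of everything assigned to the user."""
    return risks(merge(assigned_roles))

if __name__ == "__main__":
    print(role_level())               # every role is clean in isolation
    print(user_level(list(ROLES)))    # ['P001']: XK01 borrows ACTVT 01 from the display role
```

Removing the over-wide display role (or trimming its ACTVT values to 03) makes the user-level result clean again, which is why the steps above insist on clean roles before user remediation.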

Happy Monday!


Session @ GRC Conference 2015: Achieving collaborative GRC accountability: The power of successful communication between the business and IT

Who else is already excited for GRC 2015 in Las Vegas? I am already counting down the days! This year is going to be especially thrilling for me as I’ve been chosen as a speaker for one of the conference sessions. Read my abstract below and stay tuned for more information!

Achieving Collaborative GRC Accountability: The Power of Successful Communication Between the Business and IT

This session will highlight the importance of collaboration between the business and IT within the realm of SAP Access Control, SAP Process Control, and SAP Risk Management and provide a better understanding of the communication opportunities within GRC. During this session:
  • Learn what steps you can take to eliminate common fractures such as overlapping responsibilities, processes and systems, as well as gaps or other inefficiencies, from your GRC processes
  • Develop a deeper understanding of the key stakeholders and contributors as part of GRC, including who participates and at what stages, why they participate, and how they perform these tasks
  • Walk through common instances of separation of powers within GRC and key examples of how collaboration drives checks and balances within the system

Tips and Tricks for GRC 10.1 Access Risk Analysis : Copying and Updating the GLOBAL Rule-Set

Hi all,

I know it’s been a while! I wanted to key everyone in on my first trick for your GRC Access Control 10.1 Implementation and this one is all about Access Risk Analysis.

Before you implement ARA, it’s best to create a separate connector and connector group for each system. This will allow you to have different role owners across systems and associate risks to different systems as well. Long-term, it will make your GRC maintenance much more manageable.

After completing the post-install steps and ARA configuration steps, the generic GLOBAL rule-set will automatically be associated with the SAP connector group R3. However, you will most likely need to do rule-set updates to massage the generic rule-set a bit and account for any custom transactions, custom critical actions, critical permissions, and critical roles and profiles.

My recommendation is to copy the GLOBAL rule-set by downloading it and re-naming it (the link below is the one I found the most useful for instructions on how to do this). When you download the GLOBAL rule-set, you can also make additions and modifications that fit your business. By doing this you can freely make changes while still keeping the unmodified SAP standard to refer back to. Multiple custom rule-sets can be created to serve various purposes. Once the rule-set name has been changed and the necessary changes have been completed, you can upload the custom rule-set to your system-specific connectors via the same tool (again, refer to the link below).

Downloading and Uploading GRC Access Control Rule-Set Valuable Link

A few additional notes on the issues I found with the SAP generic GLOBAL rule-set:

1. Many transactions do not have account types activated, so if your roles are broken up by customer, vendor, G/L and asset account types, false positives can occur unless you activate them.

2. Some of the activity types are not set up correctly in the functions. Many activities are set as “1” instead of “01”, “2” instead of “02”, and so on. You will get false negatives (THE WORST KIND) if you don’t fix this when uploading the custom version of your rule-set.
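As an added example (not code from this post or from SAP), here is a small check you can run over a downloaded rule-set before uploading the custom copy, to catch the unpadded activity values from note 2. The tab-separated layout (function, object, field, value) and the sample rows are assumptions constructed for this illustration, not the real GRC file format.

```python
# Added example, not from the post or from SAP: lint a downloaded rule-set's
# permission rows for unpadded activity values and produce a corrected copy.
# The tab-separated layout (function, object, field, value) is an assumption made
# for this illustration, not the real GRC upload format; the sample is constructed.

SAMPLE_PERMISSIONS = """\
AP01\tF_LFA1_APP\tACTVT\t01
AP01\tF_LFA1_APP\tACTVT\t2
AP02\tF_BKPF_BUK\tACTVT\t1
AP02\tF_BKPF_BUK\tBUKRS\t*
AP03\tS_TCODE\tTCD\tF110
"""

def parse(text):
    """Split the constructed tab-separated text into row dicts."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            func, obj, field, value = line.split("\t")
            rows.append({"function": func, "object": obj, "field": field, "value": value})
    return rows

def is_unpadded_actvt(row):
    """ACTVT values are two characters ('01', '02', '03'); a lone digit is the defect."""
    return row["field"] == "ACTVT" and row["value"].isdigit() and len(row["value"]) == 1

def lint_actvt(rows):
    """Return (function, object, bad value, corrected value) for every defective row."""
    return [(r["function"], r["object"], r["value"], r["value"].zfill(2))
            for r in rows if is_unpadded_actvt(r)]

def fix_actvt(rows):
    """Return a corrected copy of the rows, zero-padding single-digit ACTVT values."""
    return [dict(r, value=r["value"].zfill(2)) if is_unpadded_actvt(r) else dict(r)
            for r in rows]

def permission_matches(rule_value, user_value):
    """String comparison of a rule value against what a user holds: '1' never equals
    '01', so an unpadded rule silently misses the access it was meant to catch."""
    return rule_value == "*" or rule_value == user_value

if __name__ == "__main__":
    for finding in lint_actvt(parse(SAMPLE_PERMISSIONS)):
        print("fix %s %s: %r -> %r" % finding)
```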

2 Go-Lives in 2 weeks.


Your Happy Sleep-Deprived Security & GRC Consultant