Expand +



Enhance User Access Risk Reporting in SAP Access Control 10.1 with User Master Data Attributes

by Kehinde Eseyin, Security Architect

March 12, 2014

Learn how to enhance user risk analysis and user risk simulation analysis by leveraging a custom user group based on user master data (transaction code SU01) attributes. You will also learn how to improvise with custom variants (based on SU01 attributes) when defined custom user groups are not available for your business case or you need to bring in more flexibility to user risk reporting.

One of the new capabilities in SAP Access Control 10.1 is the enhancement of how a custom user group works. I provide a concise description of the custom user group functionality and how to harness this capability for efficient and optimized user risk analysis and simulation.

A custom user group brings efficiency to running risk analysis reports as you are able to execute the report for a set of users all at once instead of selectively for each user. It can also enhance system performance as you can restrict the selection criteria optimally.

It allows you to define a grouping of users based on their corresponding values in SU01. For example, you may need to create a custom user group for all users in the IT department who belong to the Basis function area with the intent of fast tracking selection criteria definition in user risk analysis. In my example, I make this group a high risk. Once these attributes are maintained in the user master record of the user, you can progress with creating such a custom user group or variant in the SAP Access Control system.

The custom user group and custom variant functionalities support for SU01 attributes is limited to the following user master record attributes:

  • System
  • Department
  • Function
  • User group
  • User type
  • Parameters
  • Security policy
  • Groups

Note that custom user group capability is applicable only to User Level and User Level Simulation risk analysis (Figure 1).

Figure 1
Access Risk Analysis

You access Figure 1 via menu path NWBC > Access Management > Access Risk Analysis. I discuss these enhanced functionalities under the following subtopics:

  • Authorization requirement for custom user group maintenance
  • Creation and maintenance of custom user group and execution of user risk analysis
  • Creation of custom variants based on SU01 attributes and execution of user risk

To use these functionalities, Access Risk Analysis (ARA) functionality has to be properly configured and the repository jobs must have been executed to synchronize the back-end systems repository data (authorizations, roles, profiles, and users) with the SAP Access Control system.

Authorization Requirements

The new authorizations object GRAC_CGRP is used to control who can maintain custom user groups. The authorization object has two authorization fields (Figure 2):


Figure 2
Create a custom user group

The possible values for the ACTVT authorization field are:

  • 01 - Create or generate
  • 02 - Change
  • 03 - Display
  • 06 - Delete
  • 16 - Execute

Creation and Maintenance Process

You can create a custom user group via:

  • The application (SAP NetWeaver Business Client [NWBC])
  • Customizing

Creating Custom User Groups via NWBC

To create a custom user group in NWBC, access the User Level or User Level Simulation quick link via menu path NWBC > Access Management > Access Risk Analysis > User Level or User Level Simulation. In the screen that appears, choose the selection icon beside the field in the Custom Group row (Figure 3).

Figure 3
Initial screen of user level risk analysis

In the next screen click the Create button (Figure 4).

Figure 4
Custom group search initial screen

In the next screen enter the following required values in the fields shown in Figure 5:

  • Custom Group Name
  • Description
  • System

Figure 5
Define values for custom user group identifier and SU01 attributes

Then define the SU01 attributes of the custom user group. Note that the custom user group must be associated with a specific system. In this case it is GRC.

Click the Search button.

In my example the search is for users in the back-end system (ERP, Supplier Relationship Management [SRM], GRC) who meet the defined SU01 attributes in the selection criteria. In this article, my back-end system is GRC, but it should not be confused with a typical GRC system. It can be any back-end system.

In the next screen highlight the users you want to add. Notice that the Selected Users radio button provides the number of changes. When you have selected the users you want to add, click the Save button (Figure 6).

Figure 6
Highlighted users in the result area

Figure 7 displays the users assigned to the custom group you created. Click the OK button.

Figure 7
Custom group summary

The next screen is the one in which you can run your risk analysis. In the Report Options section of this screen select the option for Technical View, as shown in Figure 8.

Figure 8
Technical View report option

Click the Run in Foreground button to run risk analysis based on the defined user attributes. In the next screen a dialog box appears asking you to continue the risk analysis. Click the OK button (Figure 9).

Figure 9
Confirmation screen for continuing to run user risk analysis in the foreground

The next screen displays a user risk analysis report based on the custom user group (Figure 10).

Figure 10
User risk analysis report based on custom user group as analysis criteria

(Note: Risk classification is not applicable here as it is not an entry in SU01. I assume that risk analysis functionality has been well configured and I am not focusing on that capability.)

Maintain Custom User Groups Via Customizing

Custom user groups can be maintained in customizing by following menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Access Control > Maintain Custom User Group (Figure 11). Notice that the custom user group that you created in NWBC is visible here. This allows you to make changes to the description and the assigned users. To create a new entry in the custom group table, click the New Entries button.

Figure 11
The initial screen for custom user group maintenance

In the next screen enter the name of your custom group and a description. In my example I entered ZCGRP2 and Custom User Group 2 (Figure 12).

Figure 12
Define a custom group name

Highlight the custom group name entry as shown in Figure 13. Double-click the folder Maintain user id for the Custom Group.

Figure 13
Highlighted custom group name

Now click the New Entries button (Figure 14).

Figure 14
Initial screen for the assignment of a user ID to a custom group

In the initial screen to define a user ID (Figure 15), assign a user ID for the user you intend to add to the custom user group. Click the save icon.

Figure 15
Assign a user ID to your custom group name

The next screen (Figure 16) displays a status message.

Figure 16
Status message for saving a user ID assignment to a custom group

Create Custom Variants Based on SU01 Attributes and Execution of User Risk Analysis

A variant allows a user to define user-specific criteria that can be used to run reports repeatedly without having to define the selection criteria every time the report is needed. Simply select the saved criteria (in the form of a saved variant). This offers the end users the ability to personalize their risk reporting options without necessarily having access to the administrator-controlled custom user groups.

In some cases, it can be used to improvise if a custom user group does not exist for a user’s specific use case. The laudable capability here in SAP Access Control 10.1 is that you can create the variants based on the SU01 attributes of users.

To define a custom variant and consequently run risk analysis with the defined custom variant, follow menu path NWBC > Access Management > Access Risk Analysis > User Level or User Level Simulation. In the NWBC screen (not shown) click the User Level quick link.

In the next screen populate the fields as shown in Figure 17. In the User row choose Multiple Selections from the pull-down list of options and then click the Add Selections button.

Figure 17
Multiple Selections condition for User criteria option

In the next screen click the Search SU01 button (Figure 18).

Figure 18
Multiple Selection screen for User criteria

In the next screen the System criteria option is mandatory in defining the properties of the variant. Enter values for other attributes based on your business needs as shown in Figure 19. Click the Search button.

Figure 19
Definition of criteria values based on SU01 attributes

You can view the search results based on selection criteria for SU01 attributes in the next screen (Figure 20). Highlight the users you want to consider in the variant. The numbering in the Selected Users radio button changes. In my example the Selected Users number is now 2. Click the Copy button.

Figure 20
Highlighted users in User search

In the next screen you can view the variant values and operator summary for the users in your search (Figure 21). Click the OK button.

Figure 21
Variant values and operator summary

The next screen displays user level risk analysis based on previously configured criteria (Figure 22). (I do not show how to configure this risk analysis as this not my focus in this article.) In the Save Variant as field enter a name. In my example it is MyCustomGroup. Click the Save button.

Figure 22
Define a variant name for user level risk analysis

A status message appears in the next screen (Figure 23).

Figure 23
A status message for user risk analysis

In the Saved Variants field choose the name of the variant that you just created from the pull-down list of options and change the report option to Technical View as shown in Figure 24. Click the Run in Foreground button.

Figure 24
Define a saved variant and reporting option

Click the OK button in Figure 25 to continue running the risk analysis in the foreground.

Figure 25
The confirmation screen for executing risk analysis in the foreground

Figure 26 displays the results of your user level risk analysis report using variants based on SU01 attributes.

Figure 26
User level risk analysis report using saved variants (based on SU01 attributes)

An email has been sent to:


Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!