One of the new capabilities in SAP Access Control 10.1 is the enhancement of how a custom user group works. I provide a concise description of the custom user group functionality and how to harness this capability for efficient and optimized user risk analysis and simulation.
A custom user group brings efficiency to running risk analysis reports as you are able to execute the report for a set of users all at once instead of selectively for each user. It can also enhance system performance as you can restrict the selection criteria optimally.
It allows you to define a grouping of users based on their corresponding values in SU01. For example, you may need to create a custom user group for all users in the IT department who belong to the Basis function area with the intent of fast-tracking selection criteria definition in user risk analysis. In my example, I make this a high-risk group. Once these attributes are maintained in the user master record of the user, you can progress with creating such a custom user group or variant in the SAP Access Control system.
Support for SU01 attributes in the custom user group and custom variant functionalities is limited to the following user master record attributes:
- User group
- User type
- Security policy
Note that custom user group capability is applicable only to User Level and User Level Simulation risk analysis (Figure 1).
Access Risk Analysis
You access Figure 1 via menu path NWBC > Access Management > Access Risk Analysis. I discuss these enhanced functionalities under the following subtopics:
- Authorization requirement for custom user group maintenance
- Creation and maintenance of custom user group and execution of user risk analysis
- Creation of custom variants based on SU01 attributes and execution of user risk analysis
To use these functionalities, Access Risk Analysis (ARA) functionality has to be properly configured and the repository jobs must have been executed to synchronize the back-end systems repository data (authorizations, roles, profiles, and users) with the SAP Access Control system.
The new authorization object GRAC_CGRP is used to control who can maintain custom user groups. The authorization object has two authorization fields (Figure 2):
Create a custom user group
The possible values for the ACTVT authorization field are:
- 01 - Create or generate
- 02 - Change
- 03 - Display
- 06 - Delete
- 16 - Execute
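As an added example (not part of the original article or of SAP's own tooling), the following Python sketch reviews which roles grant maintenance activities on GRAC_CGRP, using the ACTVT values listed above. It assumes a CSV export with columns named after the role authorization table AGR_1251 (AGR_NAME, OBJECT, FIELD, LOW, HIGH); the role names, the sample rows, and the choice of 01, 02, and 06 as "maintenance" activities are constructed assumptions.

```python
import csv
import io

# ACTVT values for GRAC_CGRP exactly as listed in the article.
ACTVT_LABELS = {"01": "Create or generate", "02": "Change", "03": "Display",
                "06": "Delete", "16": "Execute"}
# Assumption for this review: create, change and delete count as maintenance.
MAINTAIN = {"01", "02", "06"}

# Constructed sample export; role and non-GRAC object names are hypothetical.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH
Z_GRC_ADMIN,GRAC_CGRP,ACTVT,*,
Z_GRC_ANALYST,GRAC_CGRP,ACTVT,03,
Z_GRC_ANALYST,GRAC_CGRP,ACTVT,16,
Z_GRC_OWNER,GRAC_CGRP,ACTVT,01,03
Z_GRC_OTHER,Z_SAMPLE_OBJ,ACTVT,02,
"""

def expand(low, high):
    """Return the listed ACTVT codes covered by one LOW/HIGH value row."""
    low, high = low.strip(), high.strip()
    if low.endswith("*"):                      # full or prefix wildcard
        prefix = low[:-1]
        return {c for c in ACTVT_LABELS if c.startswith(prefix)}
    if not high:                               # single value
        return {low} & set(ACTVT_LABELS)
    return {c for c in ACTVT_LABELS if low <= c <= high}   # interval

def cgrp_activities(export_text):
    """Map each role to the GRAC_CGRP activities it grants (ACTVT field only)."""
    roles = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "GRAC_CGRP" or row["FIELD"] != "ACTVT":
            continue
        roles.setdefault(row["AGR_NAME"], set()).update(
            expand(row["LOW"], row["HIGH"]))
    return roles

def maintainer_roles(export_text):
    """Roles that can create, change or delete custom user groups."""
    return {role: sorted(acts & MAINTAIN)
            for role, acts in cgrp_activities(export_text).items()
            if acts & MAINTAIN}

if __name__ == "__main__":
    for role, acts in maintainer_roles(SAMPLE_EXPORT).items():
        print(role, [f"{a} {ACTVT_LABELS[a]}" for a in acts])
```

The check covers only the ACTVT field; the object's second authorization field would need to be evaluated as well to see which groups a role can touch.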
Creation and Maintenance Process
You can create a custom user group via:
- The application (SAP NetWeaver Business Client [NWBC])
Creating Custom User Groups via NWBC
To create a custom user group in NWBC, access the User Level or User Level Simulation quick link via menu path NWBC > Access Management > Access Risk Analysis > User Level or User Level Simulation. In the screen that appears, choose the selection icon beside the field in the Custom Group row (Figure 3).
Initial screen of user level risk analysis
In the next screen click the Create button (Figure 4).
Custom group search initial screen
In the next screen enter the following required values in the fields shown in Figure 5:
- Custom Group Name
Define values for custom user group identifier and SU01 attributes
Then define the SU01 attributes of the custom user group. Note that the custom user group must be associated with a specific system. In this case it is GRC.
Click the Search button.
In my example the search is for users in the back-end system (ERP, Supplier Relationship Management [SRM], GRC) who meet the defined SU01 attributes in the selection criteria. In this article, my back-end system is GRC, but it should not be confused with a typical GRC system. It can be any back-end system.
In the next screen highlight the users you want to add. Notice that the Selected Users radio button provides the number of changes. When you have selected the users you want to add, click the Save button (Figure 6).
Highlighted users in the result area
Figure 7 displays the users assigned to the custom group you created. Click the OK button.
Custom group summary
The next screen is the one in which you can run your risk analysis. In the Report Options section of this screen select the option for Technical View, as shown in Figure 8.
Technical View report option
Click the Run in Foreground button to run risk analysis based on the defined user attributes. In the next screen a dialog box appears asking you to continue the risk analysis. Click the OK button (Figure 9).
Confirmation screen for continuing to run user risk analysis in the foreground
The next screen displays a user risk analysis report based on the custom user group (Figure 10).
User risk analysis report based on custom user group as analysis criteria
(Note: Risk classification is not applicable here as it is not an entry in SU01. I assume that risk analysis functionality has been well configured and I am not focusing on that capability.)
Maintain Custom User Groups Via Customizing
Custom user groups can be maintained in customizing by following menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Access Control > Maintain Custom User Group (Figure 11). Notice that the custom user group that you created in NWBC is visible here. This allows you to make changes to the description and the assigned users. To create a new entry in the custom group table, click the New Entries button.
The initial screen for custom user group maintenance
In the next screen enter the name of your custom group and a description. In my example I entered ZCGRP2 and Custom User Group 2 (Figure 12).
Define a custom group name
Highlight the custom group name entry as shown in Figure 13. Double-click the folder Maintain user id for the Custom Group.
Highlighted custom group name
Now click the New Entries button (Figure 14).
Initial screen for the assignment of a user ID to a custom group
In the initial screen to define a user ID (Figure 15), assign a user ID for the user you intend to add to the custom user group. Click the save icon.
Assign a user ID to your custom group name
The next screen (Figure 16) displays a status message.
Status message for saving a user ID assignment to a custom group
Create Custom Variants Based on SU01 Attributes and Execution of User Risk Analysis
A variant allows a user to define user-specific criteria that can be used to run reports repeatedly without having to define the selection criteria every time the report is needed. Simply select the saved criteria (in the form of a saved variant). This offers the end users the ability to personalize their risk reporting options without necessarily having access to the administrator-controlled custom user groups.
In some cases, it can be used to improvise if a custom user group does not exist for a user’s specific use case. The laudable capability here in SAP Access Control 10.1 is that you can create the variants based on the SU01 attributes of users.
To define a custom variant and consequently run risk analysis with the defined custom variant, follow menu path NWBC > Access Management > Access Risk Analysis > User Level or User Level Simulation. In the NWBC screen (not shown) click the User Level quick link.
In the next screen populate the fields as shown in Figure 17. In the User row choose Multiple Selections from the pull-down list of options and then click the Add Selections button.
Multiple Selections condition for User criteria option
In the next screen click the Search SU01 button (Figure 18).
Multiple Selection screen for User criteria
In the next screen the System criteria option is mandatory in defining the properties of the variant. Enter values for other attributes based on your business needs as shown in Figure 19. Click the Search button.
Definition of criteria values based on SU01 attributes
You can view the search results based on selection criteria for SU01 attributes in the next screen (Figure 20). Highlight the users you want to consider in the variant. The numbering in the Selected Users radio button changes. In my example the Selected Users number is now 2. Click the Copy button.
Highlighted users in User search
In the next screen you can view the variant values and operator summary for the users in your search (Figure 21). Click the OK button.
Variant values and operator summary
The next screen displays user level risk analysis based on previously configured criteria (Figure 22). (I do not show how to configure this risk analysis as this is not my focus in this article.) In the Save Variant as field enter a name. In my example it is MyCustomGroup. Click the Save button.
Define a variant name for user level risk analysis
A status message appears in the next screen (Figure 23).
A status message for user risk analysis
In the Saved Variants field choose the name of the variant that you just created from the pull-down list of options and change the report option to Technical View as shown in Figure 24. Click the Run in Foreground button.
Define a saved variant and reporting option
Click the OK button in Figure 25 to continue running the risk analysis in the foreground.
The confirmation screen for executing risk analysis in the foreground
Figure 26 displays the results of your user level risk analysis report using variants based on SU01 attributes.
User level risk analysis report using saved variants (based on SU01 attributes)