Proper risk management in SAP® is key to ensuring regulatory compliance and secure access. The risk dashboards in SAP® GRC allow clear visualization of risks associated with users, roles, and critical processes. In this article, we explore how they work, how to configure them, and best practices to get the most value from them.
What is a Risk Dashboard in SAP® GRC?
Risk dashboards in SAP® GRC (Governance, Risk and Compliance) enable organizations to analyze, visualize, and mitigate access risks within SAP systems. Through SAP® GRC Access Control, organizations can centrally manage risks related to users, roles, and business processes.
Risk Analysis in SAP®: What Types of Reports Does the GRC Dashboard Offer?
User Analysis Dashboard
This dashboard provides a detailed view of users with active risks in SAP®. You can filter the information by:
- Type of risk: Permission-based or action-based risk
- User group
- SAP® system involved
The report is interactive, meaning you can click on a specific section of the diagram to view detailed information about the users and the associated risks.
Additionally, the report displays the current status of the SAP® systems, indicating users with or without risks and their corresponding percentage.
This report is generated through the scheduling of the GRC Batch Risk Analysis program.
Role Analysis Dashboard
The Role Analysis dashboard identifies roles that present risks within the SAP® systems.
This report is also interactive, similar to the “User Analysis” report.
Furthermore, it provides an overview of the current status of active roles in the system. Ideally, most roles (from a “Single Role” perspective) should be categorized as “Roles with no violations.” If not, a SAP role redesign project may be required.
The analysis is executed via transaction codes SE38 or SA38 by running the following program:
“GRAC_BATCH_RISK_ANALYSIS”.This report also shows the comparison between role-level risks and user-level risks.
Risk Violations Dashboard
As described in the previous dashboards (“User Analysis” and “Role Analysis”), the “Risk Violation” dashboard has the same functionality but from a risk conflict perspective. The report also maintains the same visual structure as the others.
Additionally, these reports detail risk conflicts by business process (inherent from the risk), and are also interactive, allowing users to extract specific information for each business process.
SAP® GRC Batch Risk Analysis
Program Execution
As previously mentioned, the data displayed in the dashboards is based on the execution of the SAP Batch Risk Analysis Program (via SE38/SA38, using the program name “GRAC_BATCH_RISK_ANALYSIS”).
However, there are configuration options that can alter the information shown in the dashboards. The Batch Risk Analysis Program can be filtered by the following criteria:
- User Type (System/Communication users can be excluded)
- User or User Group
- Risk Type:
- Action level
- Permission level (Permissions / Critical Actions / Critical Permissions)
- Critical Roles/Profiles
Additionally, the GRC system allows the definition of exceptions as part of the risk analysis process. This option can be found in transaction SPRO, under: “Maintain Exclude Objects for Batch Risk Analysis”, and allows excluding value ranges by system for:
- Users
- Roles
- Profiles
- User Groups
Parameters
You can also define additional criteria for the Batch Risk Analysis by using the Parameters section in the SAP® GRC system.
Recommended parameters include:
- 1027: Enable Offline Risk Analysis.
- 1028: Include expired users.
- 1029: Include locked users.
- 1030: Include mitigated risks.
- 1031: Ignore critical roles and profiles.
- 1032: Include reference users during user analysis.
- 1033: Include mitigating controls in role/profile risk análisis.
Depending on your organization’s policies and requirements, you can choose “Yes” or “No” for each parameter. It is strongly recommended to activate parameter 1027 (Value: “Yes”).
For example, if you want to run a Batch Risk Analysis excluding locked or expired users, set parameters 1028 and 1029 to “No”.
SAP® Table Information
When your system has parameter 1027 (Enable Offline Risk Analysis) activated, the Batch Risk Analysis results are stored in SAP® system tables.
The main table containing the most detailed Batch Risk Analysis information is: GRACUSERPRMVL.
This table stores all relevant data about:
- Users
- Risks
- Conflicts
Since the previously mentioned dashboards segment the information by users, risks, and conflicts, this table provides a very practical way to extract all the information in a consolidated manner.
However, note that the table stores historical data from all previous batch risk analyses. It is recommended to filter by the “Timestamp” field to avoid displaying outdated users, risks, or conflicts.
Key Points
- Scheduling the Batch Risk Analysis activates all standard SAP® GRC Access Control dashboards.
- Interaction within the GRC dashboards helps identify users and roles generating risks within the SAP® system.
- It is advisable to exclude System-type users from the analysis.
- Use the Excluded Objects option to provide relevant data for stakeholders.
- The Batch Risk Analysis provides monthly data. Therefore, when scheduling the program, the last day of the month will remain visible on the GRC dashboard (though data will update with each monthly execution).
- GRC system parameters allow exclusion of statuses not typically considered, such as expired users.
- Activating parameter 1027 is highly recommended to store all analysis data within the SAP® GRC system.
- . It’s essential to be familiar with the tables “GRACUSERPRMVL” and “GRACROLEPRMVL”, as they contain all relevant data for batch risk analyses.
Optimize your SAP® GRC risk dashboards
If this article about SAP® GRC risk dashboards was useful or if you believe your organization could benefit from more efficient risk and compliance management, we invite you to discover how we can help at Inprosec.
You can take a look at our SAP® GRC or SAP® Security services, or contact us directly by clicking here.