{"id":8922,"date":"2023-05-10T11:36:18","date_gmt":"2023-05-10T09:36:18","guid":{"rendered":"https:\/\/www.inprosec.com\/?p=8922"},"modified":"2024-05-16T13:30:10","modified_gmt":"2024-05-16T11:30:10","slug":"sap-grc-ara-how-to-improve-access-risk-analysis-results","status":"publish","type":"post","link":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/","title":{"rendered":"SAP GRC ARA | How to Improve Access Risk Analysis Results"},"content":{"rendered":"<p><span style=\"font-weight: 400;\">In this article we will review how to improve access risk analysis using certain functionalities within the ARA module of SAP\u00a9 GRC.<\/span><\/p>\n<h2><b>Introduction<\/b><\/h2>\n\n<p><b>Segregation of duties<\/b><span style=\"font-weight: 400;\"> (SoD) is one of the main <\/span><b>principles<\/b><span style=\"font-weight: 400;\"> used by organizations to <\/span><b>reduce potential fraud<\/b><span style=\"font-weight: 400;\"> and the related impact. 
To correctly apply this principle to user access management in SAP systems, three main tools must be used:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Define an <\/span><b>Access Risk RuleSet<\/b><span style=\"font-weight: 400;\"> (using the market standard for the system in analysis as a reference).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Role model based on SAP best practices<\/b><span style=\"font-weight: 400;\"> (aligned to business functionalities and the Risk RuleSet).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Risk management system<\/b><span style=\"font-weight: 400;\">, where the Risk RuleSet can be uploaded to <\/span><b>execute user &amp; role risk analysis<\/b><span style=\"font-weight: 400;\"> (for SAP the standard option would be the ARA &#8211; Access Risk analysis &#8211; module within SAP GRC Access Controls).<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The use of these three tools will allow us to <\/span><b>put in place a preventive control<\/b><span style=\"font-weight: 400;\"> to <\/span><b>monitor<\/b><span style=\"font-weight: 400;\"> the <\/span><b>segregation of duties<\/b><span style=\"font-weight: 400;\"> during the assignment of access to users using access risk analysis.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Considering this situation, <\/span><b>this article <\/b><span style=\"font-weight: 400;\">will focus on <\/span><b>explaining how we can improve the technical configuration of our rules in SAP GRC AC ARA<\/b><span style=\"font-weight: 400;\"> to have more refined risk analysis and <\/span><b>avoid false positives<\/b><span style=\"font-weight: 400;\">, i.e., prevent the reporting of positive results when they are not really positive because not all the expected rules are met.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The two standard functionalities of SAP GRC that will allow us to do 
this risk analysis fine-tuning are:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Organizational Rules.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Supplementary Rules.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><b>Organizational Rules<\/b><\/h2>\n<h3><b>Case study<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Imagine an organization that does not consider two activities in the purchasing process an SoD risk when the same user executes them for two different companies. Each function is listed below with a sample transaction:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Process Vendor Invoices (tcode FB01 &#8211; Post Vendor invoices).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">AR Payments (tcode F110 &#8211; Parameters for Automatic Payment).<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">The combination of the two business tasks mentioned above often poses a business SoD risk, as their assignment to the same user could lead to a <\/span><i><span style=\"font-weight: 400;\">risk of creating a fictitious vendor invoice and initiating payment for it<\/span><\/i><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">By creating organizational rules for this SoD risk and for the organizational value Company (BUKRS), the risk analysis could be filtered so that it is only positive for companies that are considered critical.<\/span><\/p>\n<h3><b>Where can this be set up in SAP GRC?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Organizational rules can be created at the following GRC link, under the path <\/span><b><i>Setup -&gt; Exception Access Rules -&gt; Organization Rules<\/i><\/b><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full 
wp-image-8928\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/exception-rules-SAP-GRC-ARA.png\" alt=\"\" width=\"311\" height=\"168\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/exception-rules-SAP-GRC-ARA.png 311w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/exception-rules-SAP-GRC-ARA-300x162.png 300w\" sizes=\"(max-width: 311px) 100vw, 311px\" \/><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-8930\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/organization-rule-SAP-GRC-ARA.png\" alt=\"\" width=\"738\" height=\"302\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/organization-rule-SAP-GRC-ARA.png 826w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/organization-rule-SAP-GRC-ARA-300x123.png 300w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/organization-rule-SAP-GRC-ARA-600x246.png 600w\" sizes=\"(max-width: 738px) 100vw, 738px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Once configured, the following <\/span><b>GRC AC parameters<\/b><span style=\"font-weight: 400;\"> will have to be reviewed and adjusted, depending on how we want to use this type of rule:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>1054<\/b><span style=\"font-weight: 400;\"> &#8211; Max number of violations supported in Organization Rule Analysis<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>2060<\/b><span style=\"font-weight: 400;\"> &#8211; Organization Rules -Maximum allowed to be generated in foreground<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>1021<\/b><span style=\"font-weight: 400;\"> &#8211; Consider Org Rules for other applications<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Finally, to apply Organizational Rules to the risk analysis, the option <\/span><b><i>Consider Org rule<\/i><\/b><span style=\"font-weight: 400;\"> has to be ticked during the 
execution of the risk analysis:<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-8912\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/3.png\" alt=\"\" width=\"479\" height=\"60\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/3.png 407w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/3-300x38.png 300w\" sizes=\"(max-width: 479px) 100vw, 479px\" \/><\/p>\n<h2><b>Supplementary Rules<\/b><\/h2>\n<h3><b>Case study<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Two fictitious customer cases illustrate the use of supplementary rules:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Purchase requisition approval: <\/span><span style=\"font-weight: 400;\">Customer 1 wants to eliminate false positives from its analysis for all risks in which the purchase requisition approval functionality is involved. PR Approver users, in addition to having access to transaction ME54, ME54N or ME55, must be maintained in a configuration table (release strategy table). Finally, the risk is only relevant if the user can be an approver for purchasing group <\/span><b><i>PGX<\/i><\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">User maintenance<\/span><span style=\"font-weight: 400;\">: Customer 2 wants positives in risk analysis only if users do not belong to the user group <\/span><b><i>UG_AUTH_TEAM<\/i><\/b><span style=\"font-weight: 400;\">. 
Users belonging to this user group are pre-approved (exceptions).<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">In short, in these two cases, if we consider only the user&#8217;s access level, we will be identifying access risks that are not really access risks (false positives).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The Supplementary Rules functionality lets us attach additional rules to the Business or IT functions that are part of the access risks, adding further conditions that must be fulfilled, so that the analysis correctly identifies which users really have the risk.<\/span><\/p>\n<h3><b>Where can this be set up in SAP GRC?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Supplementary Rules can be created at the following GRC link, under the path <\/span><b><i>Setup -&gt; Exception Access Rules -&gt; Supplementary Rules<\/i><\/b><\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-8926\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/exception-access-rules-SAP-GRC-ARA.png\" alt=\"\" width=\"337\" height=\"148\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/exception-access-rules-SAP-GRC-ARA.png 312w, https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/exception-access-rules-SAP-GRC-ARA-300x132.png 300w\" sizes=\"(max-width: 337px) 100vw, 337px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">The following screenshot shows an example of the first case study (purchase requisition approval), where a Supplementary Rule has been activated in the Purchase Requisition approval function.<\/span><\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-8932\" src=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/suplementary-rule-SAP-GRC-ARA.png\" alt=\"\" width=\"580\" height=\"400\" srcset=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/suplementary-rule-SAP-GRC-ARA.png 580w, 
https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/suplementary-rule-SAP-GRC-ARA-300x207.png 300w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Once configured, parameter <\/span><b><i>1037 &#8211; Use SoD Supplementary Table for Analysis<\/i><\/b><span style=\"font-weight: 400;\"> will need to be reviewed and adjusted.<\/span><\/p>\n<h2><b>Key points<\/b><\/h2>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">More and more organizations are faced with the concept of <\/span><b>segregation of duties (SoD)<\/b><span style=\"font-weight: 400;\">, with SAP GRC AC being a solution to assist in the technical oversight of such risks using <\/span><b>SAP GRC AC ARA<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The <\/span><b>GRC AC ARA<\/b><span style=\"font-weight: 400;\"> module is <\/span><b>very powerful and flexible<\/b><span style=\"font-weight: 400;\"> when it comes to configuring access risks and <\/span><b>offers more than the simple functionality of executing analysis<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The <\/span><b>main benefit<\/b><span style=\"font-weight: 400;\"> of organizational and supplementary rules is that they <\/span><b>allow us to refine our risk analysis<\/b><span style=\"font-weight: 400;\"> and thus <\/span><b>reduce false positive results<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">It is very important to <\/span><b>understand the process<\/b><span style=\"font-weight: 400;\">, <\/span><b>functions, and access SoD risks in which <\/b><span style=\"font-weight: 400;\">the organizational &amp; supplementary rules <\/span><b>are to be applied <\/b><span style=\"font-weight: 400;\">to validate whether these GRC ARA 
functionalities meet the customer&#8217;s requirements.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Tech advice (!)<\/b><span style=\"font-weight: 400;\"> &#8211; To <\/span><b>facilitate<\/b><span style=\"font-weight: 400;\"> the <\/span><b>use<\/b><span style=\"font-weight: 400;\"> and <\/span><b>maintenance<\/b><span style=\"font-weight: 400;\"> of these rules, it is important to note that <\/span><b>both can be loaded in bulk from the general GRC configuration<\/b><span style=\"font-weight: 400;\"> in the back-end system (SPRO transaction).<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Organizational Rules<\/b><span style=\"font-weight: 400;\">:<\/span>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">It is recommended to apply this type of rule <\/span><b>only on high-level risks<\/b><span style=\"font-weight: 400;\"> and those that really add value.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">The proper use of this functionality is to <\/span><b>reduce false positives<\/b><span style=\"font-weight: 400;\">; it is <\/span><b>not recommended to use it to generate risk reports<\/b> <b>filtering<\/b><span style=\"font-weight: 400;\"> by <\/span><b>organizational values<\/b><span style=\"font-weight: 400;\"> (it affects GRC system performance).<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><b>Supplementary Rules:<\/b>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">These rules <\/span><b>will apply to all transactions within the same function<\/b><span style=\"font-weight: 400;\">. 
If you want them to apply to only one of the transactions, you will have to <\/span><b>create a new risk\/function<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">These rules <\/span><b>can be applied for one or all risks related to the modified function<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"2\"><span style=\"font-weight: 400;\">The information in the fields of the <\/span><b>tables to be validated is always stored in upper case<\/b><span style=\"font-weight: 400;\"> (not case sensitive) and <\/span><b>should contain the SAP USER ID relationship<\/b><span style=\"font-weight: 400;\">.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>During this article we will review how to improve access risk analysis using certain functionalities within the ARA module of SAP\u00a9 GRC. Introduction Segregation of duties (SoD) is one of the main principles used by organizations to reduce the potential fraud and the related impact. 
To correctly apply this principle to user access management in&#8230;<\/p>\n","protected":false},"author":6,"featured_media":8919,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[60,52],"tags":[149],"class_list":["post-8922","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sap-grc-en","category-technical-article","tag-access-control-en"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.3 (Yoast SEO v27.6) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>SAP GRC ARA | How to Improve Access Risk Analysis Results - Inprosec<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SAP GRC ARA | How to Improve Access Risk Analysis Results\" \/>\n<meta property=\"og:description\" content=\"During this article we will review how to improve access risk analysis using certain functionalities within the ARA module of SAP\u00a9 GRC. Introduction Segregation of duties (SoD) is one of the main principles used by organizations to reduce the potential fraud and the related impact. 
To correctly apply this principle to user access management in...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/\" \/>\n<meta property=\"og:site_name\" content=\"Inprosec\" \/>\n<meta property=\"article:published_time\" content=\"2023-05-10T09:36:18+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-05-16T11:30:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/sap-grc-ara-mejorar-accesos.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1536\" \/>\n\t<meta property=\"og:image:height\" content=\"768\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Fernando Mosquera\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fernando Mosquera\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/\"},\"author\":{\"name\":\"Fernando Mosquera\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\"},\"headline\":\"SAP GRC ARA | How to Improve Access Risk Analysis Results\",\"datePublished\":\"2023-05-10T09:36:18+00:00\",\"dateModified\":\"2024-05-16T11:30:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/\"},\"wordCount\":1049,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/sap-grc-ara-mejorar-accesos.jpg\",\"keywords\":[\"Access Control\"],\"articleSection\":[\"SAP GRC\",\"Technical Article\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/\",\"name\":\"SAP GRC ARA | How to Improve Access Risk Analysis Results - 
Inprosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/sap-grc-ara-mejorar-accesos.jpg\",\"datePublished\":\"2023-05-10T09:36:18+00:00\",\"dateModified\":\"2024-05-16T11:30:10+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/sap-grc-ara-mejorar-accesos.jpg\",\"contentUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2023\\\/05\\\/sap-grc-ara-mejorar-accesos.jpg\",\"width\":1536,\"height\":768},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-grc-ara-how-to-improve-access-risk-analysis-results\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SAP GRC ARA | How to Improve Access Risk Analysis 
Results\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/\",\"name\":\"Inprosec\",\"description\":\"Information security is our priority.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\",\"name\":\"Fernando Mosquera\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"caption\":\"Fernando Mosquera\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SAP GRC ARA | How to Improve Access Risk Analysis Results - Inprosec","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/","og_locale":"en_US","og_type":"article","og_title":"SAP GRC ARA | How to Improve Access Risk Analysis Results","og_description":"During this article we will review how to improve access risk analysis using certain functionalities within the ARA module of SAP\u00a9 GRC. 
Introduction Segregation of duties (SoD) is one of the main principles used by organizations to reduce the potential fraud and the related impact. To correctly apply this principle to user access management in...","og_url":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/","og_site_name":"Inprosec","article_published_time":"2023-05-10T09:36:18+00:00","article_modified_time":"2024-05-16T11:30:10+00:00","og_image":[{"width":1536,"height":768,"url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/sap-grc-ara-mejorar-accesos.jpg","type":"image\/jpeg"}],"author":"Fernando Mosquera","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Fernando Mosquera","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/#article","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/"},"author":{"name":"Fernando Mosquera","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"headline":"SAP GRC ARA | How to Improve Access Risk Analysis Results","datePublished":"2023-05-10T09:36:18+00:00","dateModified":"2024-05-16T11:30:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/"},"wordCount":1049,"commentCount":0,"image":{"@id":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/sap-grc-ara-mejorar-accesos.jpg","keywords":["Access Control"],"articleSection":["SAP GRC","Technical 
Article"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/","url":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/","name":"SAP GRC ARA | How to Improve Access Risk Analysis Results - Inprosec","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/#primaryimage"},"image":{"@id":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/sap-grc-ara-mejorar-accesos.jpg","datePublished":"2023-05-10T09:36:18+00:00","dateModified":"2024-05-16T11:30:10+00:00","author":{"@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"breadcrumb":{"@id":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/#primaryimage","url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/sap-grc-ara-mejorar-accesos.jpg","contentUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2023\/05\/sap-grc-ara-mejorar-accesos.jpg","width":1536,"height":768},{"@type":"BreadcrumbList","@id":"https:\/\/www.inprosec.com\/en\/sap-grc-ara-how-to-improve-access-risk-analysis-results\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item"
:"https:\/\/www.inprosec.com\/en\/"},{"@type":"ListItem","position":2,"name":"SAP GRC ARA | How to Improve Access Risk Analysis Results"}]},{"@type":"WebSite","@id":"https:\/\/www.inprosec.com\/en\/#website","url":"https:\/\/www.inprosec.com\/en\/","name":"Inprosec","description":"Information security is our priority.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inprosec.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2","name":"Fernando Mosquera","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","caption":"Fernando 
Mosquera"}}]}},"_links":{"self":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/8922","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/comments?post=8922"}],"version-history":[{"count":2,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/8922\/revisions"}],"predecessor-version":[{"id":8935,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/8922\/revisions\/8935"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media\/8919"}],"wp:attachment":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media?parent=8922"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/categories?post=8922"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/tags?post=8922"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}