Access & Authorization Management
In SAP GRC solution, you can manage authorization objects to limit the items and data that a user can access. Authorization controls what a user can access in regards to work centers and reports in SAP system.
To access GRC solution, you should have following access −
- Portal authorization
- Applicable PFCG roles
- PFCG roles for access control, process control and risk management
The authorization types listed below are required as per GRC components − AC, PC and RM.
| Role Name |
Typ |
Description |
Component |
| SAP_GRC_FN_BASE |
PFCG |
Basic role |
PC, RM |
| SAP_GRAC_BASE |
PFCG |
Basic role(includes SAP_GRC_FN_BASE) |
AC |
| SAP_GRC_NWBC |
PFCG |
Role to run GRC 10.0 in NWBC |
AC, PC, RM |
| SAP_GRAC_NWBC |
PFCG |
Role to run simplified NWBC work centers for AC |
AC |
| GRC_Suite |
Portal |
Portal role to run GRC in 10.0 in portal |
AC, PC, RM |
| SAP_GRC_FN_BUSINESS_USER |
PFCG |
Common user role |
AC*, PC, RM |
| SAP_GRC_FN_ALL |
PFCG |
Power user role; bypasses entity-level authorization for PC and RM |
PC, RM |
| SAP_GRAC_ALL |
PFCG |
Power user role |
AC |
| SAP_GRC_FN_DISPLAY |
PFCG |
Display all user role |
PC, RM |
| SAP_GRAC_DISPLAY_ALL |
PFCG |
Display all user role |
AC |
| SAP_GRAC_SETUP |
PFCG |
Customizing role (used to maintain configuration in IMG) |
AC |
| SAP_GRC_SPC_CUSTOMIZING |
PFCG |
Customizing role (used to maintain configuration in IMG) |
PC |
| SAP_GRC_RM_CUSTOMIZING |
PFCG |
Customizing role (used to maintain configuration in IMG) |
RM |
| SAP_GRAC_RISK_ANALYSIS |
PFCG |
The role grants the authority to run SoD jobs |
AC, PC, RM |
Authorization in Portal Component and NWBC
In SAP GRC 10.0 solution, work centers are defined in PCD roles for the Portal component and in PFCG roles for NWBC (NetWeaver Business Client). The work centers are fixed in each base role. SAP delivers these roles however; these roles can be modified by the customer as per requirement.
The locations of application folders and subordinate applications within the service map are controlled by the SAP NetWeaver Launchpad application. Service map is controlled by user authorization so if user doesn’t have authorization to see any application they will be hidden in NetWeaver Business client.
How to review role assignments in Access Management Work Center?
Follow these steps to review role assignments −
Step 1 − Go to Access Management Work Center in NetWeaver Business Client.
Step 2 − Select business process under GRC Role assignment and go to sub-process role level. Click next to continue to assign role sections.
How to review role assignments in the Master Data Work Center?
Step 1 − Go to Master Data Work Center → Organizations
Step 2 − In next window, select any organization from the list, then click Open.
Step 3 − Note that the triangle next to the organization means that there are suborganizations and the dot next to the organization means that it is the lowest level.
Step 4 − Click on subprocess tab → Assign subprocess. Now select one or two subprocesses and click on Next.
Step 5 − Without making any changes, click Finish on the Select Controls step.
Step 6 − Choose the first subprocess from the list, then click Open. You should see the subprocess details.
Step 7 − Click the Roles Tab. Choose a role from the list, then click Assign.
