GRC V10 Connectors to non sap systems

SAP Security

Posts: 1
Joined: Fri Oct 25, 2013 5:12 am

GRC V10 Connectors to non sap systems

Post by AToomey » Fri Oct 25, 2013 5:28 am

To use SAP GRC to analyse SoD, Provision / remove access and also Firefighter type provisioning / monitoring.

Firstly - I know that 'GreenLight' can do this ..

But has anyone found any alternative vendors who can do this or, as an alternative, has anyone made a custom development and integrated the data themselves? What was involved?

Posts: 469
Joined: Wed Dec 21, 2005 10:51 am

Re: GRC V10 Connectors to non sap systems

Post by os » Sat Dec 28, 2013 3:18 pm

It depends on whether your vendor provides APIs to such functionality which is also secure.

Few do.... so if one does then it is highly likely to be a hack.

Good ones will provide APIs with switches to turn them on and check their own customizing to validate imported values. Again here... few do.

Gary Morris
Posts: 400
Joined: Sun Oct 20, 2002 10:42 pm
Location: New York

Re: GRC V10 Connectors to non sap systems

Post by Gary Morris » Fri Apr 11, 2014 4:37 pm

Yes. Create transactions and the required authorization object to successfully complete a function and give it an Authorization ID in RSUSR009_NEW. Create Variants to combine these functional authorization IDs into SOD combinations and then audit for them.
Schedule it to run at night in background and email the report.
Maintain a list of authorized FFID users and Log reviewers.
Create a role that will allow a Firefighter on the list to assign themselves a particular role only.
Create an alert to send an email to the Log reviewer if the person assigns themselves the role.
You can keep your company continuously compliant if you spend enough time tweaking the SKRIA tables associated with the RSUSR009_NEW program. It takes a lot of work, but so does configuring GRC or any other 3rd party tool to audit your specific needs. Never tell a client they need to buy a 3rd party tool to stay on top of SOD compliance, it is not true. You can create Web based workflows that can connect to SAP and actually assign a role if approved as well.
Is it faster to just purchase a third party tool? Not really. My experience is that I have configured RSUSR009_NEW and additional custom programs and alerts in about the same time it takes to get GRC implemented. I have seen more than one client purchase third party tools for SOD compliance and not have it implemented 2 years later for lack of support from all the internal members involved in using it. Not saying GRC is not a good solution, I think it is the best and will continue to get better, but does someone HAVE to implement this to get control? NO!
Gary Morris
SAP Security Consultant
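
The audit logic described in the post above, as an added Python example that is not part of the post and not SAP's code: a function counts only when the user holds both the transaction and the required authorization values, SoD rules are combinations of functions, and firefighter self-assignments are checked against an authorized list. The rule set, users, change log and the role name `Z_FF_ROLE` are constructed for illustration, and the "unauthorized" status is an assumption added here.

```python
# Constructed sample rule set: names and combinations are illustrative only.
# A function needs the transaction AND its authorization object values.
FUNCTIONS = {
    "CREATE_VENDOR": ("XK01", {("F_LFA1_BUK", "ACTVT", "01")}),
    "POST_PAYMENT": ("F-53", {("F_BKPF_BUK", "ACTVT", "01")}),
    "MAINTAIN_PO": ("ME21N", {("M_BEST_BSA", "ACTVT", "01")}),
}
SOD_RULES = {"SOD01": ("CREATE_VENDOR", "POST_PAYMENT"),
             "SOD02": ("MAINTAIN_PO", "POST_PAYMENT")}

# Constructed users: transactions held plus (object, field, value) grants.
SAMPLE_USERS = {
    "ALICE": {"tcodes": {"XK01", "F-53"},
              "auths": {("F_LFA1_BUK", "ACTVT", "01"), ("F_BKPF_BUK", "ACTVT", "*")}},
    "BOB": {"tcodes": {"XK01", "F-53"},   # display-only on vendors
            "auths": {("F_LFA1_BUK", "ACTVT", "03"), ("F_BKPF_BUK", "ACTVT", "01")}},
    "CAROL": {"tcodes": {"ME21N", "F-53"},
              "auths": {("M_BEST_BSA", "ACTVT", "01"), ("F_BKPF_BUK", "ACTVT", "01")}},
}
# Constructed role-change log: (changed_by, target_user, role).
SAMPLE_CHANGES = [("DAVE", "DAVE", "Z_FF_ROLE"), ("EVE", "EVE", "Z_FF_ROLE"),
                  ("ADMIN", "BOB", "Z_FF_ROLE")]

def can_perform(user, function):
    tcode, needed = FUNCTIONS[function]
    held = user["auths"]
    # A "*" grant on the same object and field satisfies any required value.
    return tcode in user["tcodes"] and all(
        (o, f, v) in held or (o, f, "*") in held for o, f, v in needed)

def sod_violations(users):
    return [(name, rule)
            for name, user in sorted(users.items())
            for rule, funcs in sorted(SOD_RULES.items())
            if all(can_perform(user, fn) for fn in funcs)]

def firefighter_alerts(changes, authorized, ff_role):
    # Self-assignment by a listed user goes to the log reviewer; by anyone
    # else it is flagged as unauthorized (an assumption added here).
    return [(target, "notify-reviewer" if target in authorized else "unauthorized")
            for by, target, role in changes if role == ff_role and by == target]

if __name__ == "__main__":
    print(sod_violations(SAMPLE_USERS))
    print(firefighter_alerts(SAMPLE_CHANGES, {"DAVE"}, "Z_FF_ROLE"))
```

BOB holds both transactions but only display activity on vendors, so no conflict is reported for him; matching on transaction codes alone would have produced a false positive.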

Posts: 3049
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: GRC V10 Connectors to non sap systems

Post by Al. » Tue Apr 22, 2014 2:38 am

Hi Gary,

This post was more about connecting SAP GRC to another non-SAP system.


btw, I agree that spending on tools is not mandatory for achieving control and investment does not automatically give control. In your example of customer adoption, the same would apply to 3rd party tools, RSUSR009_NEW and anything in between.
