
SAP Security & GRC



Just refreshing on my SAP Security skills and had a question.

With regard to the SAP GRC Solution, when modelling a role, I believe the software highlights any SoD conflicts. Once the conflicts are highlighted, does GRC in any way assist in redesigning the role? I assume the role has to be split so the conflicts are separated (unless risk accepted); what approach has to be taken to then map these roles to users, ensuring the users do not have any toxic combinations assigned to them? Does GRC assist in this activity?

Thanks in advance,



No, it doesn't, Tom, it just gives you the conflicts of the tcodes/Fiori apps that need to be split out into their own roles... I wish it did what you're looking for 🙂 Users will have toxic combinations as you say, but as long as the role itself is clean, the business can then decide on the risk of the user.


Cheers Michael, can I ask what you mean as ‘clean’ if the role does include toxic combos?


For instance, if you have a Time Administrator/PA user, and the role has authorizations to both amend time and run payroll, this would flag as a violation, as a user could amend someone's time and pay them with the same role, so you would have to split the time evaluation into 1 role and the authorizations to run payroll into another. Ultimately, if the business want this user to have both roles then it's down to them to sign off on this risk, but the roles themselves individually are clean.
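The role-level versus user-level distinction discussed in this thread, as an added example that is not part of the original posts and is not SAP GRC code: the same time/payroll ruleset is checked once per role and once per user, with business sign-off tracked per user. All action, role, risk and user names are constructed placeholders, not real transaction codes.

```python
# Constructed ruleset: a risk pairs two functions; a function is a set of actions.
# Action and role names are placeholders, not real SAP transaction codes.
FUNCTIONS = {
    "MAINTAIN_TIME": {"TIME_AMEND", "TIME_EVALUATE"},
    "RUN_PAYROLL": {"PAYROLL_RUN"},
}
RISKS = {"R_TIME_PAY": ("MAINTAIN_TIME", "RUN_PAYROLL")}
ROLES = {
    "Z_TIME_PAYROLL_ADMIN": {"TIME_AMEND", "PAYROLL_RUN", "DISPLAY_EMPLOYEE"},  # before split
    "Z_TIME_ADMIN": {"TIME_AMEND", "TIME_EVALUATE", "DISPLAY_EMPLOYEE"},        # after split
    "Z_PAYROLL_RUN": {"PAYROLL_RUN", "DISPLAY_EMPLOYEE"},                       # after split
}
USERS = {
    "USER_A": ["Z_TIME_ADMIN"],
    "USER_B": ["Z_TIME_ADMIN", "Z_PAYROLL_RUN"],
    "USER_C": ["Z_TIME_ADMIN", "Z_PAYROLL_RUN"],
}
ACCEPTED = {("USER_B", "R_TIME_PAY")}  # risks the business signed off, per user

def risks_in(actions):
    """Return ids of risks where `actions` reaches both conflicting functions."""
    return sorted(
        risk for risk, (f1, f2) in RISKS.items()
        if actions & FUNCTIONS[f1] and actions & FUNCTIONS[f2]
    )

def role_risks(role):
    """Role-level analysis: is this single role clean on its own?"""
    return risks_in(ROLES[role])

def user_risks(user):
    """User-level analysis over all assigned roles, split into open and accepted."""
    roles = USERS[user]
    combined = set().union(*(ROLES[r] for r in roles))
    report = {"open": [], "accepted": []}
    for risk in risks_in(combined):
        funcs = set().union(*(FUNCTIONS[f] for f in RISKS[risk]))
        contributing = sorted(r for r in roles if ROLES[r] & funcs)
        key = "accepted" if (user, risk) in ACCEPTED else "open"
        report[key].append((risk, contributing))
    return report

if __name__ == "__main__":
    for role in ROLES:
        print("role", role, role_risks(role))
    for user in USERS:
        print("user", user, user_risks(user))
```
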