Real-Time SAP GRC Issues Every Security Consultant Faces (With Examples) - SAP SECURITY


In projects using SAP GRC Access Control, security consultants often deal with complex authorization and compliance issues. These issues usually arise from improper role design, misuse of emergency access, or Segregation of Duties (SoD) conflicts. Understanding how to identify and resolve them is essential for maintaining a secure SAP environment.

Below are some common real-time SAP GRC issues and how they are handled in projects.


1. SoD Conflict Between Vendor Creation and Payment

Scenario

A user in Finance has access to both:

  • Vendor creation in SAP ERP

  • Vendor payment processing

Transactions

  • FK01 – Create Vendor

  • F110 – Automatic Payment Run

Risk

The user can:

  1. Create a fake vendor

  2. Process payment to that vendor

This is a classic fraud risk.

Resolution

Security team implements:

  • Role separation

  • Vendor creation role assigned to Master Data team

  • Payment role assigned to AP team

If the business temporarily requires both, Firefighter (emergency) access is used instead of a permanent assignment.


2. Firefighter ID Misuse

Scenario

A consultant logs in using a Firefighter ID to troubleshoot an issue but performs additional activities unrelated to the task.

System

Emergency access managed through SAP GRC Emergency Access Management.

Risk

Users may perform unauthorized configuration changes.

Resolution

GRC team reviews:

  • Firefighter log reports

  • Activities performed

If misuse is detected:

  • Access is revoked

  • Controller approval becomes mandatory.


3. Access Request Not Triggering Workflow

Scenario

User requests access through SAP GRC Access Request Management, but workflow does not start.

Possible Causes

  • Missing approver

  • Incorrect organizational rule

  • Workflow configuration issue

Example

Role request submitted but stuck in “Pending” status.

Resolution

Consultant checks:

  1. MSMP workflow configuration

  2. Agent rule mapping

  3. Approver assignment

After fixing the rule, workflow triggers correctly.
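The "stuck in Pending" symptom is easiest to understand by modelling how a multi-stage approval path resolves its approvers. The following is an added example written for this article, not SAP GRC code: the stage names, the agent rules (manager of the requester, owner of the requested role), the master data and the status strings are all assumptions. It shows a request that flows through two stages, a request that stalls because the agent rule finds nobody, and a diagnosis helper that walks every stage the way a consultant checks agent rule mapping and approver assignment.

```python
"""Toy model of MSMP-style approver (agent) resolution for an access request.

Constructed example for this article, not SAP GRC code; stage names, agent
rules, attribute names and sample data are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    request_id: str
    requester: str
    role: str
    stage: int = 1                 # stage currently being processed
    status: str = "NEW"
    approvers: list = field(default_factory=list)


# Constructed master data that the agent rules read from.
USER_MANAGER = {"JSMITH": "MGR01", "AKHAN": None}    # AKHAN has no manager maintained
ROLE_OWNER = {"Z_AP_PAYMENT": "OWN_AP"}              # Z_MD_VENDOR has no owner maintained


def manager_rule(req):
    """Agent rule: approver is the requester's line manager."""
    mgr = USER_MANAGER.get(req.requester)
    return [mgr] if mgr else []


def role_owner_rule(req):
    """Agent rule: approver is the owner of the requested role."""
    owner = ROLE_OWNER.get(req.role)
    return [owner] if owner else []


# Approval path: stage number -> (stage name, agent rule)
PATH = {1: ("Manager approval", manager_rule), 2: ("Role owner approval", role_owner_rule)}


def submit(req, path=PATH):
    """Resolve approvers for the current stage. If the agent rule returns
    nobody, the request stays pending with no one able to act on it."""
    name, rule = path[req.stage]
    req.approvers = rule(req)
    if not req.approvers:
        req.status = f"PENDING (no approver found for stage '{name}')"
    else:
        req.status = "AWAITING " + ",".join(req.approvers)
    return req.status


def approve(req, approver, path=PATH):
    """Record an approval and move to the next stage (or finish the path)."""
    if approver not in req.approvers:
        raise PermissionError(f"{approver} is not an agent for this stage")
    if req.stage == max(path):
        req.status = "APPROVED"
        req.approvers = []
    else:
        req.stage += 1
        submit(req, path)
    return req.status


def diagnose(req, path=PATH):
    """Walk every stage of the path and list those whose agent rule resolves
    to nobody: the 'missing approver' and 'agent rule mapping' checks."""
    return [(stage, name) for stage, (name, rule) in sorted(path.items()) if not rule(req)]


if __name__ == "__main__":
    ok = AccessRequest("R1", "JSMITH", "Z_AP_PAYMENT")
    print(submit(ok), "->", approve(ok, "MGR01"), "->", approve(ok, "OWN_AP"))
    stuck = AccessRequest("R2", "AKHAN", "Z_MD_VENDOR")
    print(submit(stuck))
    print("stages without an agent:", diagnose(stuck))
```

The diagnosis runs the agent rules without submitting anything, so it can be used before a request is raised; in a real landscape the equivalent check is maintaining the missing manager or role owner and confirming each stage resolves to at least one approver.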


4. False Positive Risk in SoD Analysis

Scenario

User is flagged with an SoD violation in SAP GRC Access Risk Analysis, but actual risk does not exist.

Example

Risk shows conflict between:

  • ME21N – Create Purchase Order

  • MIRO – Invoice Verification

But the user only has display access.

Cause

An incorrect action (a display transaction) is maintained in the rule set, so display-only access matches the risk.

Resolution

Security team updates rule set:

  • Remove display transactions

  • Restrict to create/change activities

After rule update, the false risk disappears.


5. Role Showing High Risk During Provisioning

Scenario

A role being requested shows high SoD risk during access request.

Example

Role contains:

  • FB60 – Vendor Invoice Posting

  • F110 – Payment Processing

Risk

The same user can both enter vendor invoices and run the payments for them.

Resolution

Security team:

  1. Splits the role into two

  2. Assigns roles based on job function

  3. Maintains mitigation control if necessary
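Issues 1, 4 and 5 are all the same mechanism seen from different angles: a rule set pairs two conflicting business functions, and a user or role is flagged when it can execute both. The following is an added example written for this article, not SAP GRC code or its delivered rule set; the risk IDs, role names and the simplified "transaction code plus ACTVT value" view of authorizations are assumptions. It shows the vendor creation/payment conflict from issue 1, why an action-level check flags a display-only user while a permission-level check restricted to create/change activities does not (issue 4), and the role split from issue 5.

```python
"""Toy SoD risk analysis modelled on an access-risk rule set.

Constructed example for this article; not SAP GRC code. Risk IDs, role
names and activity mappings are illustrative assumptions.
"""
from dataclasses import dataclass

# ACTVT values as used in SAP authorization objects: 01 create, 02 change, 03 display
CREATE, CHANGE, DISPLAY = "01", "02", "03"


@dataclass(frozen=True)
class Function:
    """A business function: the transactions that perform it and the ACTVT
    values that make it risky. Display (03) is deliberately not listed."""
    name: str
    actions: frozenset
    activities: frozenset


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    func_a: Function
    func_b: Function


@dataclass
class Role:
    name: str
    authorizations: dict  # transaction code -> set of ACTVT values granted


def merge_authorizations(roles):
    """Effective access of a user: ACTVT values merged across all roles."""
    merged = {}
    for role in roles:
        for tcode, actvt in role.authorizations.items():
            merged.setdefault(tcode, set()).update(actvt)
    return merged


def can_execute(func, auths, permission_level=True):
    """Action-level analysis only asks whether a transaction is assigned;
    permission-level analysis also requires one of the risky ACTVT values."""
    for tcode in func.actions:
        if tcode not in auths:
            continue
        if not permission_level or auths[tcode] & func.activities:
            return True
    return False


def analyze(roles, rule_set, permission_level=True):
    """Sorted risk IDs for which both conflicting functions are executable."""
    auths = merge_authorizations(roles)
    return sorted(r.risk_id for r in rule_set
                  if can_execute(r.func_a, auths, permission_level)
                  and can_execute(r.func_b, auths, permission_level))


def split_role(role, func):
    """Remediation from issue 5: carve one function's transactions into a second role."""
    keep = {t: a for t, a in role.authorizations.items() if t not in func.actions}
    moved = {t: a for t, a in role.authorizations.items() if t in func.actions}
    return Role(role.name + "_A", keep), Role(role.name + "_B", moved)


# Constructed rule set (IDs are placeholders, not SAP's delivered rule set)
VENDOR_MASTER = Function("Vendor master maintenance", frozenset({"FK01"}), frozenset({CREATE, CHANGE}))
PAYMENT_RUN = Function("Payment processing", frozenset({"F110"}), frozenset({CREATE, CHANGE}))
PO_CREATE = Function("Purchase order creation", frozenset({"ME21N"}), frozenset({CREATE, CHANGE}))
INVOICE_VERIFY = Function("Invoice verification", frozenset({"MIRO"}), frozenset({CREATE, CHANGE}))
INVOICE_POST = Function("Vendor invoice posting", frozenset({"FB60"}), frozenset({CREATE, CHANGE}))

RULE_SET = [
    Risk("P001", "Create vendor and pay vendor", VENDOR_MASTER, PAYMENT_RUN),
    Risk("P002", "Create PO and verify invoice", PO_CREATE, INVOICE_VERIFY),
    Risk("P003", "Post invoice and run payment", INVOICE_POST, PAYMENT_RUN),
]

# Constructed roles
Z_FIN_ALL = Role("Z_FIN_ALL", {"FK01": {CREATE, CHANGE}, "F110": {CREATE}})
Z_MD_VENDOR = Role("Z_MD_VENDOR", {"FK01": {CREATE, CHANGE}})
Z_AP_PAYMENT = Role("Z_AP_PAYMENT", {"F110": {CREATE}})
Z_PURCH_DISPLAY = Role("Z_PURCH_DISPLAY", {"ME21N": {DISPLAY}, "MIRO": {DISPLAY}})
Z_AP_INV_PAY = Role("Z_AP_INV_PAY", {"FB60": {CREATE}, "F110": {CREATE}})


if __name__ == "__main__":
    print("Issue 1, combined role:", analyze([Z_FIN_ALL], RULE_SET))
    print("Issue 1, after separation:", analyze([Z_MD_VENDOR], RULE_SET), analyze([Z_AP_PAYMENT], RULE_SET))
    print("Issue 4, action level:", analyze([Z_PURCH_DISPLAY], RULE_SET, permission_level=False))
    print("Issue 4, permission level:", analyze([Z_PURCH_DISPLAY], RULE_SET))
    part_a, part_b = split_role(Z_AP_INV_PAY, PAYMENT_RUN)
    print("Issue 5:", analyze([Z_AP_INV_PAY], RULE_SET), "->", analyze([part_a], RULE_SET), analyze([part_b], RULE_SET))
```

Note that role separation only removes the risk at role level: a user who is assigned both split roles still conflicts at user level, which is why the analysis merges authorizations across all of a user's roles before matching the rule set.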


6. Mitigation Control Not Working

Scenario

User has SoD risk but mitigation control is assigned.

However, GRC still reports the risk.

Cause

Mitigation control may be:

  • Expired

  • Not properly assigned

  • Not approved

Resolution

Consultant verifies:

  • Control validity dates

  • Approver status

  • User assignment

Once corrected, risk appears as mitigated instead of active.
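The three causes listed above are the three checks in the resolution, so they can be expressed as one decision function that returns either "Mitigated" or "Active" with the reason. The following is an added example written for this article, not SAP GRC code; control IDs, user IDs, dates and the wording of the reasons are assumptions. It evaluates a user/risk pair against the control's approval flag, the control's validity period and the user assignment's validity period, as of a given report date.

```python
"""Deciding whether an SoD risk reports as mitigated or active.

Constructed example for this article, not SAP GRC code; control IDs, dates,
user IDs and the status wording are assumptions.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class MitigationControl:
    control_id: str
    approved: bool
    valid_from: date
    valid_to: date


@dataclass
class ControlAssignment:
    """Assignment of a control to one user for one risk, with its own dates."""
    control_id: str
    user_id: str
    risk_id: str
    valid_from: date
    valid_to: date


def mitigation_status(user_id, risk_id, controls, assignments, as_of):
    """Return ('Mitigated', None) or ('Active', reason) for one user/risk pair.

    Each reason corresponds to one check in the article: user assignment,
    validity dates of the assignment and the control, and approver status."""
    matching = [a for a in assignments if a.user_id == user_id and a.risk_id == risk_id]
    if not matching:
        return "Active", "no control assigned to this user for this risk"
    reasons = []
    for a in matching:
        if not (a.valid_from <= as_of <= a.valid_to):
            reasons.append(f"assignment of {a.control_id} outside validity dates")
            continue
        control = controls.get(a.control_id)
        if control is None:
            reasons.append(f"control {a.control_id} does not exist")
        elif not control.approved:
            reasons.append(f"control {a.control_id} not approved")
        elif not (control.valid_from <= as_of <= control.valid_to):
            reasons.append(f"control {a.control_id} expired")
        else:
            return "Mitigated", None   # one valid, approved, assigned control is enough
    return "Active", "; ".join(reasons)


# Constructed master data
CONTROLS = {
    "MC_AP_01": MitigationControl("MC_AP_01", True, date(2024, 1, 1), date(2025, 12, 31)),
    "MC_AP_02": MitigationControl("MC_AP_02", False, date(2024, 1, 1), date(2025, 12, 31)),
}
ASSIGNMENTS = [
    # FIN01's assignment ended in June even though the control itself is still valid
    ControlAssignment("MC_AP_01", "FIN01", "P001", date(2024, 1, 1), date(2024, 6, 30)),
    # FIN03 is covered by a control that was never approved
    ControlAssignment("MC_AP_02", "FIN03", "P003", date(2024, 1, 1), date(2025, 12, 31)),
]
REPORT_DATE = date(2024, 9, 1)


if __name__ == "__main__":
    for user, risk in [("FIN01", "P001"), ("FIN02", "P001"), ("FIN03", "P003")]:
        print(user, risk, mitigation_status(user, risk, CONTROLS, ASSIGNMENTS, REPORT_DATE))
    # Corrected: the assignment is extended to match the control's validity
    fixed = [ControlAssignment("MC_AP_01", "FIN01", "P001", date(2024, 1, 1), date(2025, 12, 31))]
    print("FIN01 P001 after fix", mitigation_status("FIN01", "P001", CONTROLS, fixed, REPORT_DATE))
```

The report date is passed in explicitly so the same data can be checked for the day a risk was reported rather than today; a control that looks valid now may have been expired on the date the report ran.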


7. Role Imported But Risk Not Detected

Scenario

A new role is transported into production but GRC does not detect risks.

Cause

Risk analysis job not scheduled.

Resolution

Run:

  • Repository sync

  • Risk analysis batch job

Once synchronization completes, risks appear in GRC reports.


8. User Not Appearing in Risk Analysis

Scenario

A user with risky roles is not showing in reports.

Possible Reasons

  • User not synchronized

  • Connector issue

  • Incorrect system mapping

Resolution

Consultant performs:

  • User synchronization job

  • Connector validation

  • System landscape check

After sync, the user appears in risk analysis results.


9. Firefighter Log Not Generated

Scenario

User uses Firefighter ID but activity log is missing.

Cause

Logging may not be enabled.

Resolution

Security team checks:

  • Parameter configuration

  • Log collection settings

After configuration, Firefighter logs start recording.


10. Access Request Completed But Role Not Assigned

Scenario

Workflow completed successfully, but role not provisioned.

Cause

Provisioning job may have failed.

Resolution

Consultant checks:

  • Background job logs

  • Connector configuration

  • Provisioning status

Re-running the job assigns the role successfully.


Final Thoughts

Working with SAP GRC Access Control requires a strong understanding of both security roles and business processes. Most GRC issues arise from:

  • Incorrect role design

  • Improper rule set configuration

  • Workflow misconfiguration

  • Synchronization issues

A good SAP Security consultant should not only identify risks but also recommend practical business-friendly solutions.

Understanding these real-time scenarios helps consultants handle SoD conflicts, emergency access, and risk mitigation effectively in live SAP environments.


 
