One of the new capabilities in SAP Access Control 10.1 is the enhancement of how a custom user group works. I provide a concise description of the custom user group functionality and how to harness this capability for efficient and optimized user risk analysis and simulation.

A custom user group brings efficiency to running risk analysis reports as you are able to execute the report for a set of users all at once instead of selectively for each user. It can also enhance system performance as you can restrict the selection criteria optimally.

It allows you to define a grouping of users based on their corresponding values in SU01. For example, you may need to create a custom user group for all users in the IT department who belong to the Basis function area with the intent of fast tracking selection criteria definition in user risk analysis. In my example, I make this group a high risk. Once these attributes are maintained in the user master record of the user, you can progress with creating such a custom user group or variant in the SAP Access Control system.

The custom user group and custom variant functionalities support for SU01 attributes is limited to the following user master record attributes:

• System
• Department
• Function
• User group
• User type
• Parameters
• Security policy
• Groups

Note that custom user group capability is applicable only to User Risk Analysis and User Risk Analysis Simulation (Figure 1).

Figure 1

Access Risk Analysis

You access Figure 1 via menu path NWBC > Access Management > Access Risk Analysis. I discuss these enhanced functionalities under the following sub topics:

• Authorization requirement for custom user group maintenance
• Creation and maintenance of custom user group and execution of user risk analysis
• Creation of custom variants based on SU01 attributes and execution of user risk

To use these functionalities, Access Risk Analysis (ARA) functionality has to be properly configured and the repository jobs must have been executed to synchronize the back-end systems repository data (authorizations, roles, profiles, and users) with the SAP Access Control system.

Authorization Requirements

The new authorizations object GRAC_CGRP is used to control who can maintain custom user groups. The authorization object has two authorization fields (Figure 2):

• ACTVT
• GRAC_CGRP

Figure 2

Create a custom user group

The possible values for the ACTVT authorization field are:

• 01 - Create or generate
• 02 - Change
• 03 - Display
• 06 - Delete
• 16 - Execute

Creation and Maintenance Process

You can create a custom user group via:

• The application (SAP NetWeaver Business Client [NWBC])
• Customizing

Creating Custom User Groups via NWBC

To create a custom user group in NWBC, access the User Level or User Level Simulation quick link via menu path NWBC > Access Management > Access Risk Analysis > User Level or User Level Simulation. In the screen that appears, choose the selection icon beside the field in the Custom Group row (Figure 3).

Figure 3

Initial screen of user level risk analysis

In the next screen click the Create button (Figure 4).

Figure 4

Custom group search initial screen

In the next screen enter the following required values in the fields shown in Figure 5:

• Custom Group Name
• Description
• System

Then define the SU01 attributes of the custom user group. Note that the custom user group must be associated with a specific system. In this case it is GRC.

Figure 5

Define values for custom user group identifier and SU01 attributes

Click the Search button.

In the next screen highlight the users you want to add. Notice that the Selected Users radio button provides the number of changes. When you have selected the users you want to add, click the Save button (Figure 6).

Figure 6

Highlighted users in the result area

Figure 7 displays the users assigned to the custom group you created. Click the OK button.

Figure 7

Custom group summary

The next screen is the one in which you can run your risk analysis. In the Report Options section of this screen select the option for Technical View, as shown in Figure 8.

Figure 8

Technical View report option

Click the Run in Foreground button to run risk analysis based on the defined user attributes. In the next screen a dialog box appears asking you to continue the risk analysis. Click the OK button (Figure 9).

Figure 9

Confirmation screen for continuing to run user risk analysis in the foreground

The next screen displays a user risk analysis report based on the custom user group (Figure 10).

Figure 10

User risk analysis report based on custom user group as analysis criteria

Maintain Custom User Groups Via Customizing

Custom user groups can be maintained in customizing by following menu path SPRO > SAP Reference IMG > SAP Customizing Implementation Guide > Governance, Risk and Compliance > Access Control > Maintain Custom User Group (Figure 11). Notice that the custom user group that you created in NWBC is visible here. This allows you to make changes to the description and the assigned users. To create a new entry in the custom group table, click the New Entries button.

Figure 11

The initial screen for custom user group maintenance

In the next screen enter the name of your custom group and a description. In my example I entered ZCGRP2 and Custom User Group 2 (Figure 12).

Figure 12

Define a custom group name

Highlight the custom group name entry as shown in Figure 13. Double-click the folder Maintain user id for the Custom Group.

Figure 13

Highlighted custom group name

In the next screen click the New Entries button (Figure 14).

Figure 14

Initial screen for the assignment of a user ID to a custom group

In the initial screen to define a user ID (Figure 15), assign a user ID for the user you intend to add to the custom user group. Click the save icon.

Figure 15

Assign a user ID to your custom group name

The next screen (Figure 16) displays a status message.

Figure 16

Status message for saving a user ID assignment to a custom group

Create Custom Variants Based on SU01 Attributes and Execution of User Risk Analysis

A variant allows a user to define user-specific criteria that can be used to run reports repeatedly without having to define the selection criteria every time the report is needed. Simply select the saved criteria (in the form of a saved variant). This offers the end users the ability to personalize their risk reporting options without necessarily having access to the administrator-controlled custom user groups.

In some cases, it can be used to improvise if a custom user group does not exist for a user’s specific use case. The laudable capability here in SAP Access Control 10.1 is that you can create the variants based on the SU01 attributes of users.

To define a custom variant and consequently run risk analysis with the defined custom variant, follow menu path NWBC > Access Management > Access Risk Analysis > User Level or User Level Simulation. In the NWBC screen (not shown) click the User Level quick link.

In the next screen populate the fields as shown in Figure 17. In the User row choose Multiple Selections from the pull-down list of options and then click the Add Selections button.

Figure 17

Multiple Selections condition for User criteria option

In the next screen click the Search SU01 button (Figure 18).

Figure 18

Multiple Selection screen for User criteria

In the next screen the System criteria option is mandatory in defining the properties of the variant. Enter values for other attributes based on your business needs as shown in Figure 19. Click the Search button.

Figure 19

Definition of criteria values based on SU01 attributes

You can view the search results based on selection criteria for SU01 attributes in the next screen (Figure 20). Highlight the users you want to consider in the variant. The numbering in the Selected Users radio button changes. In my example the Selected Users number is now 2. Click the Copy button.

Figure 20

Highlighted users in User search

In the next screen you can view the variant values and operator summary for the users in your search (Figure 21). Click the OK button.

Figure 21

Variant values and operator summary

The next screen displays user level risk analysis based on previously configured criteria (Figure 22). (I do not show how to configure this risk analysis as this not my focus in this article.) In the Save Variant as field enter a name. In my example it is MyCustomGroup. Click the Save button.

Figure 22

Define a variant name for user level risk analysis

A status message appears in the next screen (Figure 23).

Figure 23

A status message for user risk analysis

In the Saved Variants field choose the name of the variant that you just created from the pull-down list of options and change the report option to Technical View as shown in Figure 24. Click the Run in Foreground button.

Figure 24

Define a saved variant and reporting option

Click the OK button in Figure 25 to continue running the risk analysis in the foreground.

Figure 25

The confirmation screen for executing risk analysis in the foreground

Figure 26 displays the results of your user level risk analysis report using variants based on SU01 attributes.

Figure 26

User level risk analysis report using saved variants (based on SU01 attributes)

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management.
 

You may contact the author at eseyinok@gmail.com.

If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.