SAP Security Governance Risk and

Compliance- Basics of Access Risk

Analysis Rule Sets

a Security CoE Initiative

Gautam Shetti
26 June 2015

1 | Page
Process 1: identify which Risk IDs and Function IDs are mapped as SODs/
Critical Actions
On the NWBC screen, click on Setup and under Access Rule Maintenance hit
on Access Risks

If you filter on Risk Type, we can identify the SOD / Critical Actions and their
associated Risk IDs and Function IDs.
You can further click on these Function IDs to identify the transactions that
are mapped to it.

2 | Page
Process 2: Identify if a role has Critical Actions:
Under Access Management in NWBC, go to Role Level and you find the
below screen popping:

Enter the system that is required: ECPCLNT200 (always in CAPS)

Role type always remain Technical Role
Enter the role for which you need to identify the Critical Actions.
We can select Risk by Process as this will give you the associated Risk ID if
there are any Critical Actions found.
Risk Level input is based on the person as which risk level he/she is
interested to see.
Rule set is always GLOBAL for Atwood.
Format selected here is Technical. This can also be run in Business View
which gives even more detailed analysis.
(Note: There are option available for boxes marked in blue.)

3 | Page
Here we have taken as example for role: ZS_FI_ACCOUNTANT_P1: (Technical
View)

Once executed in Foreground, the result is shown as below:

4 | Page
The above shows the Crtical Actions present in the role:
ZS_FI_ACCOUNTANT_P1 in ECP-200 system and its associated Risk IDs and
Risk Level.

The below snapshot gives the Business View:

Process 3: identify if role has Permission Level violations:

Follow the same steps above and instead of Critical Action, please select
Permission Level as shown:

This will give violations if any found on this role at the Permission Level.
This can also be performed in BOTH Technical and Business View.

5 | Page
Process 4: Identify Users with a particular Risk ID:
Go to Access Management in the NWBC screen and click on User Level for
below screen:

Here after entering the System, user type, Rule set and risk level, take the
drop down option in the boxes to select: Access Risk ID

6 | Page
Do see that this result is being executed in the BACKGROUND as there shall
be MANY users and the foreground execution can much longer time and can
even hang up!
How to check BACKGROUND JOBS:
In Access Management screen, scroll down to see the Scheduling heading
as shown:

Click on background jobs and you will see all jobs scheduled/ completed in
background:

7 | Page
The status Active indicates that the JOB is still running. You can refresh the
screen at the link provided in the page to check until the status moves to
Finished.
You can now click on the job and analyze the results.

Process 5: Similarly under User Level, you can identify users associated to
a Business Process

Process 6: Identify Functions in the Rule Set:

Go to Setup in the NWBC screen and hit on FUNCTIONS under the Access
Rule Maintenance:

Here you find all the Function in the Rule set and its associated Business
Process.

8 | Page
To search for a specific Function ID, click on Filter in the screen and type in
the Function ID to search:
Here we are searching for Function ID: BS15, so type in BS15 once you click
on Filter. The result will show you only the Function ID BS15 as seen:

Process 7: Identify Risk IDs in the Rule Set:

Under setup on the NWBC screen, click on Access Risks which will give the
result of all Risk IDs setup in the rule set:

9 | Page
The above shows the Risk IDs and its associated Business Process, Function
IDs and Risk Level defined.

******************************************************************************
**********
Basics of a Rule Set:
- Rule set comprises of: Risk ID and Function IDs all mapped to a
Business Process
- Risk IDs consists of Function IDs
- Risk IDs are defined as SOD or Critical Action
- Function IDs consists of Transactions and its associated permissions
- If Risk ID is defined as SOD, it should have two function IDs minimum
- If Risk ID is defined as Critical Action, it can have ONLY ONE function ID
- Risk Level can be low, medium or HIGH
- The details of Risk IDs and Function IDs is something which Business
has to define or finalize

10 | P a g e