

1.1 Necessary authorizations for ALL GRC Users on SU01:

- SAP_GRC_FN_BASE >> All basis authorization needed to execute tasks related to GRC PC environment

- SAP_GRC_NWBC >> Access to WebDynpro screens and NWBC T-Code

1.2 User type determining authorizations on SU01

- SAP_GRC_FN_BUSINESS_USER >> GRFN_USER 16 >> All auths given by GRFN_API and GRFN_REP

- SAP_GRC_FN_ALL >> GRFN_USER 02 >> Any user having this object in any of their roles on SU01 will have full display access and full edit access

- SAP_GRC_FN_DISPLAY >> GRFN_USER 03 >> Any user having this object in any of their roles on SU01 will have full display access


The engine determines whether the requested access is granted by following User >> Role >> Authorization for the role through GRFN_API

2.1 cross-reg and reg-specific roles

- Entity Role Assignment

- Regulation Role Assignment

Regulation-specific roles only work with the regulations they are assigned to, whereas cross-regulation roles can be used for any regulation. If you plan, let's say, an MToE just for SOX, and you have regulation-specific roles for SOX, those will be considered, but any regulation-specific roles for FDA will not be considered. This is used if you have separate offices for each regulation in your company, so you can maintain different users for the different regulations.





Workflow routing

Maintain Custom Agent Determination Rules



Reporting Authorization:

1. Report availability in the menu is given via the role having the authorization object “GRFN_REP”, activity “80” and particular report ID.

2. On report Execution system selects the object(s) where the user is assigned to the role (table HRP1852). Then the report uses the “Walking strategy” of the particular report and drills down from the selected object as defined in the strategy.

3. Authorization object GRFN_API has in general NO influence on the reporting and it is used for the access using the standard application UIs.

4. Regulations are handled as an exception, because the list of relevant regulations must be built for the selection screen. Regulations are the only case where the authorization object GRFN_API is required for reports.

Example – Report H1A with walking strategy ORGUNIT -> SUBPROCESS -> CONTROL

-If the role is on "orgunit level", the user can see the assigned orgunit(s), ALL of its subprocesses and ALL of its controls

-If the role is on "subprocess level", the user can see ONLY the subprocess(es) where they are assigned and all of their controls (the parent orgunit is also shown, just to build the hierarchy)

-If the role is on "control level", the user can see ONLY the control(s) where they are assigned (the parent subprocess and orgunit are shown, just to build the hierarchy)
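The following is an added example, not SAP code: a simplified Python model of the reporting resolution described above (role assignment at an object level, drill-down along the walking strategy ORGUNIT -> SUBPROCESS -> CONTROL, parents shown only to build the hierarchy) combined with the cross-regulation versus regulation-specific role filtering from section 2.1. The hierarchy, object ids, role names, user names and regulation codes are constructed for illustration; the real system reads assignments from HRP1852 and the walking strategy from the report definition.

```python
"""Simplified model of GRC PC report scope resolution (added example, not SAP code).

Assumptions (constructed for illustration):
- object ids carry a type prefix: ORG_, SP_, CTL_
- a RoleAssignment with regulation=None is a cross-regulation role
- the walking strategy is the fixed list below (H1A in the text)
"""
from dataclasses import dataclass
from typing import Optional

WALKING_STRATEGY = ["ORGUNIT", "SUBPROCESS", "CONTROL"]

# Constructed hierarchy: parent object -> child objects
HIERARCHY = {
    "ORG_1000": ["SP_A", "SP_B"],
    "ORG_2000": ["SP_C"],
    "SP_A": ["CTL_A1", "CTL_A2"],
    "SP_B": ["CTL_B1"],
    "SP_C": ["CTL_C1"],
}
PARENT = {child: parent for parent, kids in HIERARCHY.items() for child in kids}


def entity_type(obj_id: str) -> str:
    """Map the constructed id prefix to the entity type used in the walking strategy."""
    prefix = obj_id.split("_", 1)[0]
    return {"ORG": "ORGUNIT", "SP": "SUBPROCESS", "CTL": "CONTROL"}[prefix]


@dataclass(frozen=True)
class RoleAssignment:
    user: str
    role: str          # hypothetical role name
    obj_id: str        # object the role is assigned on (cf. HRP1852)
    regulation: Optional[str] = None   # None = cross-regulation role


def relevant_assignments(assignments, user: str, regulation: str):
    """Cross-regulation roles always apply; regulation-specific roles only for that regulation."""
    return [a for a in assignments
            if a.user == user and (a.regulation is None or a.regulation == regulation)]


def drill_down(obj_id: str):
    """Follow the walking strategy from obj_id: only descend into children whose
    entity type is the next step of the strategy, recursively."""
    idx = WALKING_STRATEGY.index(entity_type(obj_id))
    if idx + 1 >= len(WALKING_STRATEGY):
        return []
    next_type = WALKING_STRATEGY[idx + 1]
    found = []
    for child in HIERARCHY.get(obj_id, []):
        if entity_type(child) == next_type:
            found.append(child)
            found.extend(drill_down(child))
    return found


def ancestors(obj_id: str):
    """Parents up to the root, shown in the report only to build the hierarchy."""
    chain = []
    while obj_id in PARENT:
        obj_id = PARENT[obj_id]
        chain.append(obj_id)
    return chain


def report_scope(assignments, user: str, regulation: str):
    """Return (authorized, hierarchy_only): objects the user may actually see versus
    parents displayed purely as structure."""
    authorized = set()
    for a in relevant_assignments(assignments, user, regulation):
        authorized.add(a.obj_id)
        authorized.update(drill_down(a.obj_id))
    hierarchy_only = set()
    for obj in authorized:
        hierarchy_only.update(p for p in ancestors(obj) if p not in authorized)
    return authorized, hierarchy_only


# Constructed assignments: orgunit-level, regulation-specific subprocess-level, control-level
ASSIGNMENTS = [
    RoleAssignment("alice", "Z_ORG_OWNER", "ORG_1000"),
    RoleAssignment("bob", "Z_SP_OWNER_SOX", "SP_C", regulation="SOX"),
    RoleAssignment("carol", "Z_CTL_OWNER", "CTL_B1"),
]

if __name__ == "__main__":
    for user, reg in [("alice", "SOX"), ("bob", "SOX"), ("bob", "FDA"), ("carol", "FDA")]:
        auth, hier = report_scope(ASSIGNMENTS, user, reg)
        print(f"{user}/{reg}: sees {sorted(auth)}, hierarchy only {sorted(hier)}")
```

Running the block shows bob's SOX-only role contributing nothing when the report is run for FDA, and carol seeing her single control with its subprocess and orgunit present only as hierarchy nodes.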
