Topics
Regions
Industries

Scenario 1: Create a Role via Transaction PFCG

Use transaction PFCG or on the SAP Easy Access Screen, follow menu path SAP Menu > Tools > User Maintenance > Role Administration > Roles. Enter the value Z_RISK_TERMINATOR in the Role field as shown in Figure 1.
Figure 1
Define a role name Click the Single Role button and enter a description; in my example, Role to Test Risk Terminator Functionality (Figure 2). Figure 2 The role description Click the Menu tab and then click Yes in the dialog box (Figure 3). Figure 3 Save entries for role name and description A status message is displayed (Figure 4). Figure 4 Menu screen for role maintenance Click the + Transaction button. Enter transactions XK01 and ME21N and press Enter (Figure 5). Figure 5 Add transaction codes to a role Click the Assign transactions button. You receive the following status message: 2 transactions added (Figure 6). Figure 6 A status message for successful assignment of a transaction code to a role Click the Authorizations tab and then click the Change Authorization Data button (Figure 7). Figure 7 Maintain authorization data for a role Click Yes in the dialog box (Figure 8). Figure 8 Save changes to a defined role Figure 9 displays a risk analysis report (summary level report format) showing the risk violations inherent in the definition of the role. Figure 9 An access risk violation report for role maintenance You can toggle between the different report formats (Detail Level, Executive Level, Management Level, and Summary Level). Click Detail Level using the drop-down option of the Format Type field in Figure 9. Click the Continue Profile Generation button. You have the option to discard the transaction under processing or continue processing the transaction. Click the Continue button (Figure 10). Figure 10 Risk Terminator alert for Role Assignment Now click the Full authorization button and then click the save icon (Figure 11). Figure 11 Define field values for organization levels of a role You receive the following status message: Org. levels were saved (Figure 12). Figure 12 Save entries for organization level maintenance Click the Yellow arrow near the role description in Figure 12. Click the enter icon (Figure 13). Figure 13 Notification for assignment of full authorization to authorization fields Now click the Save icon in Figure 14. Figure 14 Maintained authorization data You may wish to change the default profile name in the next screen (Figure 15). Figure 15 Maintain the profile name and a description Click the enter icon (the green check mark) to accept the default value for the profile name. You receive the following status message: Data was saved (Figure 16). Figure 16 Status message for changes to role Click Generate by following Authorizations > Generate or clicking the icon circled in Figure 16. In the risk analysis report you receive the following status message:  Profile(s) created (Figure 17). Figure 17 An access risk analysis report for role maintenance Click the Continue Profile Generation link.  You have the option to discard the changes, continue a simulation, or generate the role (Figure 18). Click the Generate button.
Figure 18
Risk Terminator Alert for Role Changes
Enter a reason (for example, Organization Structure Limitation) in the risk terminator comment box (Figure 19). This reason can be used as a selection criterion when reporting on Risk Terminator. The reason defined explains why you want to go ahead and perform an assignment that conflicts with defined segregation of duty (SoD) rules.
Figure 19
Define a reason for an access risk violation
Click the Continue button.  Note that the status has changed to generated in Figure 20.
Figure 20
The maintained role with generated status

Scenario 2: Risk Terminator: Create a User and Assign a Role via Transaction SU01

Follow Easy Access menu path SAP Menu > Tools > User Maintenance > Users (Transaction SU01) and enter User_RT1 into the User field (Figure 21).
Figure 21
The initial screen to create a user
Click the Create icon. Enter a value for the Last Name field (Figure 22).
Figure 22
Define a last name for a user
Click the Logon data tab. Enter values for the Initial password and Repeat password fields (Figure 23).
Figure 23
Define a password for a user
Click the Roles tab. Enter the role created and maintained in Scenario 1 – Z_RISK_TERMINATOR and then click the save icon (Figure 24).
Figure 24
Assign a role to a user
The risk analysis (SoD conflict) report is triggered and displayed as shown in Figure 25.
Figure 25
The access risk violation analysis report for user maintenance
Click the Continue User Save button. You have the option to discard the transaction being processed or continue processing the transaction (Figure 26). Click the Continue button.
Figure 26
Risk Terminator alert for User Role Assignment
Enter a reason (for example, Organization Structure Limitation) in the Risk Terminator Comment box (Figure 27). This reason can be used as a selection criterion when reporting on Risk Terminator. The reason defined explains why you want to go ahead and perform an assignment that conflicts with defined SoD rules. Click the Continue button.
Figure 27
Define a reason for an access risk violation

Mass Maintenance of a User’s Role via Transaction SU10

Use transaction SU10 or follow SAP Easy Access menu path SAP Menu > Tools > User Maintenance > User Mass Maintenance. Enter the user IDs – User_RT2 and User_RT3 (Figure 28). Click the change icon.
Figure 28
The initial screen for mass user maintenance
Choose the Roles Tab and enter a value in the Role field: the role created in scenario 1 – Z_RISK_TERMINATOR (Figure 29). Click the save icon.
Figure 29
Assign a role to multiple users
In the dialog that appears click Yes (Figure 30).
Figure 30
Notification of mass user maintenance
The risk analysis (SoD conflict) report is triggered and displayed (Figure 31).
Figure 31
An Access risk violation report for mass user maintenance
Click the Continue User Save button. You have the option to discard the transaction under processing or continue processing the transaction. Click the Continue button (Figure 32).
Figure 32
The Risk Terminator alert for mass user maintenance
Enter a reason (for example, Organization Structure Limitation) in the Risk Terminator Comment box (Figure 33). This reason can be used as a selection criterion when reporting on Risk Terminator. The reason defined explains why you want to go ahead and perform an assignment that conflicts with defined SoD rules.
Figure 33
Define a reason for an access risk violation in mass user maintenance
Click the Continue button to view the log of the user maintenance activity (Figure 34).
Figure 34
The log for mass user maintenance

Risk Terminator Reporting

SAP BusinessObjects Access Control 10.0 provides a report called Risk Terminator Log Report for the purpose of reviewing Risk Terminator-related activities in the SAP system landscape. You can access the report via the front-end tools (NWBC or Portal) of SAP BusinessObjects Access 10.0 by following menu path Reports and Analytics > Risk Terminator > Risk Terminator Log Report (Quick Link) as shown in Figure 35.
Figure 35
The Risk Terminator Log Report link
Click the Risk Terminator Log Report link to view the initial screen for the report (Figure 36).
Figure 36
The initial screen of the Risk Terminator Log Report
You can save defined criteria as variants to execute the report at a later time. This step is particularly useful for frequently used criteria. You can define the following criteria when running the Risk Terminator Log Report:
Figure 37
The initial screen of the Risk Terminator Log Report showing defined reasons
The default view displays all the aforementioned metrics as well as a column named Userroleflag that indicates whether a user (U) or role (R) object is concerned with the Risk Terminator service. A sample Risk Terminator report (sorted by date of generation) generated using default settings is shown in Figure 38.
Figure 38
A typical Risk Terminator Log Report

Kehinde Eseyin

Kehinde Eseyin is a security architect. He holds a bachelor’s degree in computer science. He has about 12 years of IT security, governance framework, IS risk, and compliance experience gained by working in numerous global organizations. Over the years, he has demonstrated competencies in security design, information assurance, cyber security, data privacy, threat and vulnerability management, penetration testing, business architecture, project management, IT audit, IS controls framework, and identity and access management. You may contact the author at eseyinok@gmail.com. If you have comments about this article or publication, or would like to submit an article idea, please contact the editor.
3 Scenarios for Simulating Risk Analysis Processes with Risk Terminator

3 Scenarios for Simulating Risk Analysis Processes with Risk Terminator

Reading time: 7 mins

Meet the Experts

Follow three scenarios that simulate risk analysis for role maintenance and user role provisioning with Risk Terminator in SAP BusinessObjects Access Control 10.0.

Key Concept

An access risk violation occurs when defined access control policies and procedures designed to enforce control of a user’s capability to perform specific activities in the system are compromised. In a typical business environment, controlling what a user can or cannot do without a robust access and risk control management system can be challenging. The Risk Terminator functionality provides the basic infrastructure needed to address this business concern, especially when user and role maintenance occur directly in the plug-in system.

The Risk Terminator functionality can be applied to different business cases revolving around user maintenance (creation and modification) and role maintenance (creation and modification). To simulate how risk analysis works for role maintenance and user role provisioning, I use three business scenarios. They are based on the configuration settings defined in the GRC system and the Plug-in system, which I described in my article titled “Combat Access Risk Violations in Your SAP ABAP Back-End System with Risk Terminator.”

Explore related questions

what is this?

Here are summaries of my three Risk Terminator scenarios.

Membership Required

You must be a member to access this content.

View Membership Levels

Already a member? Log in here

More Resources

Become a Member

Unlimited access to thousands of resources for SAP-specific expertise that can only be found here.

Sign Up

Become a Partner

Access exclusive SAP insights, expert marketing strategies, and high-value services including research reports, webinars, and buyers' guides, all designed to boost your campaign ROI by up to 50% within the SAP ecosystem.

Sign Up

Upcoming Events

  1. SAPinsider Technology Executive Forum

     

    December 02 - 03, 2025

     

    Phoenix, Arizona

     

    United States

     
    Learn More
    View Event

Sign Up for the SAPInsider Weekly

Always have access to the latest insights with articles, Q&As, whitepapers, webinars, and podcasts. Gain the inside edge. The SAPinsider Weekly helps you stay SAP savvy. Access exclusive bonus materials, discounts, and more.

Get the Newsletter