GRC Training Terminology

GRC Terminology
(Each entry gives: Term; Short term; Source; Meaning; Example.)

Term: Action
Source: GRC
Meaning: A business function step, usually an SAP ECC transaction code.
Example: FB01 Post an FI Document; F-65 Park an FI Document; ME21 Create a Purchase Order

Term: Action Level
Source: GRC
Meaning: Term for analysis of risks at the SAP transaction code level, without looking at additional permissions (R/3 authorizations) which could otherwise eliminate the risk.

Term: Access Risk
Short term: Risk
Source: GRC
Meaning: A GRC Access Risk is a description of a unique situation: a Critical Action / Role or a Segregation of Duties (SOD) breakdown.
  - The system has a delivered set of critical technical actions (like SE16, SM30 to amend database files) and roles, and these can be added to.
  - The SOD risk will always have two parts, like Create Fictitious Vendor and Enter a Fictitious Invoice. Each SOD Access Risk can be assigned a Risk level and can be activated / deactivated.
  There is a pre-defined list of 454 SOD risks - each has a combination of conflicting GRC Functions assigned, or a critical action and its related permission.
Example: SOD Risk H0164 is the combination of Function HR03 Modify Employee Payroll Data AND Function HR14 Enter Time Data.

Term: Access Risk Analysis
Short term: ARA
Source: GRC
Meaning: The part of the GRC package which is used to analyze for access risks - specifically access to powerful / critical transactions and Segregation of Duties (SOD) breakdowns.
Term: Access Rule
Short term: Rule
Source: GRC
Meaning: A system-generated object with a single pair of tcodes and related permissions, based on the combination of GRC Functions which were defined as the Access Risk. Each Access Risk has one or more Access Rules generated for it.
Example: Access Risk F028 is defined as having access to both Function AP02 (47 tcodes) AND Function GL01 (69 tcodes) together. So Access Risk F028 has over 3200 generated Access Rules.

Term: Access Rule set
Short term: Rule set
Source: GRC
Meaning: A pre-defined set of:
  - Access Risks and assigned Function combinations, against which a User or Role can be checked for potential SOD breakdown issues.
  - Critical roles, critical profiles and critical actions, mostly focused on semi-technical system access.
  A system may have several rule sets, e.g. SAP-delivered, External Audit, MIT modified, and the risk analysis reports can be run using any one rule set at a time. Also, rule sets can be compared to each other for differences.
Example: GLOBAL; ZAUDIT
Term: Authorization Profiles
Short term: Profiles
Source: SAP
Meaning: In earlier SAP releases, a user's access was defined through creating and assigning manually created Authorization Profiles. The current SAP release defines user access by having job-related Roles from which the R/3 Security Profile Generator then generates a large Profile (for each Role). Thus, when a Role is assigned to a user, the corresponding Profile is also assigned and the system uses this to determine the user's authorized access.
  At MIT, the process of creating Authorization Profiles without an associated Role has to be continued for those parts of SAP R/3 access which are provisioned from the RolesDB system.
Example: SAP_ALL; Z#:JV_FY

Term: Business Analyst
Short term: BA
Source: MIT
Meaning: The VPF Business Analyst (BA) is a member of the VPF Financial Systems and Data team who helps in the operational management of financial systems, processes, reporting, and data. Also, the BA supports the GRC/SOD review process by validating the business access requirements in the area they support.

Term: Business End User
Short term: End User
Source: MIT
Meaning: An SAP system user for whom access needs to be provided.

Term: Business Process
Source: GRC
Meaning: A very high level categorization which is used to group Access Rules.
Example: Accounts Payable; HR & Payroll

Term: Business System Analyst
Short term: BSA
Source: MIT
Meaning: The IS&T Business System Analyst is IS&T's counterpart to the VPF Business Analyst, providing more technical support, or can be both the BA and BSA support in areas where there is no designated BA. Also, now supports the GRC/SOD review process in terms of simulations and action/permission knowledge.
Term: Composite Role
Source: SAP
Meaning: This is a type of R/3 Security Role which is a combination of other Roles and can be assigned to one or more users. A typical MIT composite Role will have several different shared Roles and one or more unique ones as well, creating a unique combination of access authorizations.
  These composite Roles more closely match one or more users' complete access requirements, making Role provisioning easier as it can mostly be done at the Composite role level, reducing the complexity for the Role Owner. Note: authorization profiles provisioned from the MIT Roles Database system are in addition to those from the composite Roles, so GRC Access Risk Analysis always needs to be performed at the User level to get a complete analysis.
  Naming convention: Z_DDD_C_X where DDD is the MIT department, C indicates it is a composite role, and X is descriptive of the role (see example).
Example: Z_VPF_C_ADMIN_COMMON

Term: Critical Role / Critical Profile / Critical Action
Short term: Critical
Source: GRC
Meaning: Roles, Profiles and Transaction Codes (GRC Actions / Permissions) can be tagged as "critical" to ensure inclusion in access reviews (compliance and technical). If required, Mitigation Controls can be assigned to the critical risk.
Example: Role = SAP_ALL; Tcode/Action = FB01 with Permission 01 (Post)

Term: Custom User Group
Short term: User Group
Source: GRC
Meaning: GRC has a Custom User Group for use in filtering reports. This is in addition to the SAP R/3 user's User Group field.
Example: VPF

Term: ESS
Short term: ESS
Source: SAP
Meaning: Web-based portal for Employee Self Service functionality.
Term: Exception Access Rules
Source: GRC
Meaning: Reporting exceptions can be defined, e.g. Organization / Access risk. Not currently used at MIT.

Term: FireFighter logs
Short term: Logs
Source: GRC
Meaning: Action logs recorded in SAP R/3 when a user checks in to the GRC FFID.

Term: Firefighter Role
Short term: Role
Source: SAP
Meaning: An SAP R/3 Security Role assigned to the FireFighter R/3 Users. Different types of FireFighter need different access and Roles.

Term: FireFighter R/3 User
Short term: FireFighter
Source: SAP
Meaning: A special SAP R/3 business user provisioned with the SAP R/3 Security FireFighter Role. There are several different types of FireFighter:
  - Business User, where the FF role is limited to back-up actions, or special actions that would otherwise have created an SOD issue if combined with a user's existing role.
  - VPF Business Analyst: broad access for emergency VPF Financial Systems support.
  - IS&T Business System Analyst: broad access for emergency IS&T support.
  - IS&T Basis: additional technical access not usually needed.
  FireFighter R/3 User naming convention: FF_XXX_NN where XXX = the business area letters and NN is a sequential number. The User Type = SERVICE and so cannot be used directly in SAP; instead it is called up from GRC-EAM.
Term: Firefighter ID
Short term: FFID
Source: GRC-EAM
Meaning: A GRC-EAM identifier used to manage access to the Firefighter R/3 User:
  - each GRC FFID is assigned to a Firefighter R/3 User (and so indirectly to the assigned R/3 access role);
  - regular SAP users are assigned to the GRC FFID when they have been approved as having a back-up or a support function that requires FireFighter access.
  The Firefighter R/3 User can only be entered / checked into via the GRC-EAM system, and an R/3 user only has access to the FFIDs they have been assigned to. When finished with their work, the user checks out of the FFID in the GRC system.
  When a FireFighter Id is used, an email is sent to its assigned FFID Controller and the FireFighter's actions in R/3 are logged for review.

Term: Firefighter ID Controller
Short term: FFID Controller
Source: GRC-EAM
Meaning: An MIT person (currently only in VPF or IS&T) who performs the process of monitoring FireFighter usage: both the checking-in activity and the review of action logs.

Term: Firefighter ID Owner
Source: GRC-EAM
Meaning: Not currently made use of by MIT, but is a required assignment for a FFID. At MIT, this will be the same as the FFID Controller.
Term: Function
Source: GRC
Meaning: A GRC Function identifies a medium-level business process and will have one or many transaction codes (GRC Actions) assigned, with additional permission level definitions where appropriate. Also, a transaction code may be assigned to several functions, if it has the implied business flexibility.
  GRC has approximately 200 pre-delivered functions that are used to define the mostly SOD-related Access Risks.
Example: PR02 Maintain Purchase Order - with permissions to create or change. HR04 Enter Employee Time Data.

Term: GRC Power User
Short term: Power User
Source: MIT
Meaning: BSAs, BAs and some Role owners will use most of the reports in GRC - so they are known as the "Power Users" in respect of the report usage and training requirements.

Term: GRC system
Short term: GRC-ARA; GRC-EAM
Source: GRC
Meaning: SAP's Governance, Risk and Compliance software system. MIT is currently using the following components:
  - GRC-ARA: Access Risk Analysis. This analyzes access in SAP ECC Security Profiles, Roles and Users to see if there are (a) any critical features (transactions, roles, profiles) and (b) any potential Segregation of Duties breakdowns, as well as reporting details of user access and role / profile assignments. GRC-ARA also has what-if simulation reporting capabilities, to analyze risks for proposed role / user changes.
  - GRC-EAM: Emergency Access Management, also known as FireFighter user management. See entries under FireFighter.
Term: MIT Roles Database
Short term: RolesDB
Source: MIT
Meaning: MIT's custom system for managing some of the cross-system access, including some SAP access. SAP access is provisioned through an automated process, mapping RolesDB rules to SAP R/3 Security profiles, which are then assigned to the R/3 User.

Term: Mitigation Control
Short term: Mitigation
Source: GRC
Meaning: The Mitigation Control object contains an explanation of how a specific Access Risk (SOD or Critical risk) has been mitigated. Each Mitigation Control has a unique id.
  - At MIT, the same access risk can exist in different areas but may be mitigated differently, so there is a separate Mitigation Control for each Risk / User Group combination, where the User Group may be VPF-Property, or VPF-Accounts Payable.
  - Where the same risk is mitigated the same way across all of the MIT user community, the same Mitigation Control can be used for all users.
  The Mitigation Control identifier is assigned to the appropriate combination of Access Risk and User to whom it applies.
Example: General MIT business control: bank reconciliation performed by VPF independent of VPF AR Cashiers. New SOD mitigation reports (for otherwise unmitigated access): VPF AP report xxxx.
Term: Permission Level
Short term: Permissions
Source: GRC
Meaning: In standard SAP Security, the transaction-level checks may include an additional check of an "Authorization", which is like an MIT "Qualifier" - restricting that user by Company Code, or types of Customers, or FI Document Types - and additionally allows access restriction by system activity, like create, change and display, where the transaction itself can allow access to all activities if not restricted by the authorization.
  In GRC these lower-level authorizations are called "Permissions".
  The Access Risk Analysis reports should be executed at this level, as this will reduce the number of risks reported compared to the Action level reporting, because the permission distinguishes between create, change and display.
Example: Action / Transaction Code: FS00 Maintain GL Account Master (Allows: Create, Change, Display, Lock, Delete). Permission / Authorization: only given Activity = 03 (Display). No access to Activity = 01 (Create) or 02 (Change) etc.

Term: Profile Generator
Short term: PFCG
Source: SAP
Meaning: SAP ECC access management tool used to generate access roles and the Authorization Profiles based on roles.

Term: Provisioning
Meaning: The process whereby system access is provided to users. Specifically for SAP this encompasses the procedures for requesting, analyzing risk, approving and executing changes to roles, profiles and their assignment to users. Three systems are involved: SAP ECC, MIT RolesDB, and SAP GRC.

Term: Risk Level
Source: GRC
Meaning: For each defined GRC Risk, an associated risk level is assigned - high, medium or low. This is used in Dashboard and other GRC report filtering.
Term: Risk Owner
Meaning: For each business area at MIT, the Risk Owner is the person who has the responsibility for ensuring the business system controls are in place and functioning, and any and all appropriate follow-up actions are taken. In the GRC/SOD context this includes periodic reviews of system access and SOD analysis, as well as any SOD-related mitigation controls.

Term: Risk Violations
Short term: Violations
Source: GRC
Meaning: Access risk - can be analyzed at User, Role or Profile level.

Term: Role
Source: SAP
Meaning: An SAP access control object used to group together actions (transaction codes) and permissions (authorizations) to represent all or part of a business job role.
  MIT has several roles per user, e.g. those which are: common to all MIT users, common to all business area (e.g. VPF-FAR) users, common to a group within the business area (e.g. Cashier), or finally a role specific to only one job duty for only one or a few users.
  See also Composite Role definition.
Example: Z_VPF_S_AR_MANAGER; Z_VPF_S_DOCUMENT_REVERSE

Term: Role Owner
Meaning: For each business area at MIT, the Role Owner is the person who has the responsibility for managing the SAP access roles specific for their area: requesting role changes and role / user reassignments.
Term: Roles Database
Short term: RolesDB
Source: MIT
Meaning: An MIT custom system to manage access across many of MIT's computer systems, including SAP.
  The SAP access focus relates to provisioning common Roles and related Profiles (with common actions and permissions) and additional qualifier profiles; the latter relates to controlling access at organizational levels or other SAP system attributes.
  The qualifier provisioning is managed by the MIT business users who have provisioning rights.
  Currently, some RolesDB common Roles are blocked for the SAP users who have already had their Roles in SAP re-engineered as part of the SOD project.

Term: SAP Access Control / SAP Authorization
Short term: SAP R/3 Security
Source: SAP
Meaning: SAP's core system access control functionality using: Users, Roles, Profiles and Authorizations.

Term: SAP ECC
Short term: SAP Core; SAP 6.0
Meaning: The SAP software used by MIT for Financial Accounting, Procurement and HR/Payroll. ECC stands for Enterprise Core Component, and 6.0 is the software release level.

Term: SAP User Group
Short term: User Group
Source: SAP
Meaning: Each SAP R/3 user is defined in the SAP system. One of the SAP User's attributes is the User Group field, which MIT is using to identify a group of users for analysis.
  Some GRC-ARA reports make use of this User Group for selection. Additionally, GRC has a Custom User Group.
Example: VPF-FAR
Term: Segregation of Duties
Short term: SOD
Source: GRC
Meaning: System access is expected to support the business requirement that no single user should have end-to-end business process access, otherwise there is risk of internal fraud occurring.
  In some high risk areas, access to only several steps in a process is enough to cause a Segregation of Duties breakdown.
Example: Ability to create a Vendor Master and any one of: create a Purchase Order, post an invoice, generate a payment.

Term: Simulation
Short term: Simulation
Source: GRC
Meaning: The GRC-ARA simulation tool is a "what if" access risk analysis - it simulates adding more access (actions and permissions) to existing Users, Roles or Profiles.
  The simulation can also specify access to be removed, e.g. what if transaction FCH9 Void Check were removed from a user who currently has it.
Example: What if tcode ME21N (Create a Purchase Order) is added to User FREDX, or to Role Z_VPF_S_AR_MANAGER.

Term: SOD Coordinator
Source: MIT
Meaning: A person in VPF who has been designated to coordinate several of the GRC-related processes.

Term: SUIM
Short term: SUIM
Source: SAP
Meaning: An SAP R/3 transaction which calls up a menu of authorization-related reports of Users, Roles, Profiles, Authorizations.
  Note: each item on the menu requires access to be granted, as it links to a different SAP transaction code like S_BCE_68001421, which in turn calls up the related RSUSRxxx program.

Term: Transaction code
Short term: tcode
Source: SAP
Meaning: The SAP ECC system uses a "transaction code" for each business action - usually all menu lines have a transaction code behind them to call up the dialog (online) function. In GRC, these are called Actions.
Example: FB01 Post an FI Document; FB02 Change an FI Document; FB03 Display an FI Document
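The entries for Access Risk, Access Rule, Permission Level and Simulation describe one mechanism from several angles: two conflicting Functions are expanded into Access Rules (one per tcode pair, so F028's 47 x 69 tcodes give 3243 rules), a user's access is checked against those rules either at Action level (tcode present) or at Permission level (tcode present with a conflicting activity), and a Simulation re-runs the check on a what-if copy of the access. The following Python model is an added example, not SAP GRC's own code or MIT's configuration; the Function ids ZF_VENDOR and ZF_INVOICE, the risk id ZX01, the tcode-to-function assignments and the user access lists are constructed for illustration.

```python
"""Toy model of GRC Access Risk Analysis: Functions -> Access Risk -> Access Rules,
Action-level vs Permission-level checks, and what-if Simulation.
Added example; function/risk ids and user access below are constructed."""
from dataclasses import dataclass
from itertools import product

# SAP authorization activity (ACTVT) values: 01 create, 02 change, 03 display
CREATE, CHANGE, DISPLAY = "01", "02", "03"


@dataclass(frozen=True)
class Function:
    """A GRC Function: tcodes (Actions) with the activities (Permissions)
    that make each tcode count towards the business process."""
    id: str
    actions: dict  # tcode -> frozenset of ACTVT values


@dataclass(frozen=True)
class AccessRisk:
    """An SOD Access Risk: two conflicting Functions plus a risk level."""
    id: str
    level: str
    functions: tuple


def generate_rules(risk):
    """Expand a risk into Access Rules: one rule per pair of tcodes drawn from
    the two conflicting Functions, each tcode carrying its required permissions.
    Rule count is the product of the tcode counts (47 x 69 = 3243 for F028)."""
    fa, fb = risk.functions
    return [((ta, fa.actions[ta]), (tb, fb.actions[tb]))
            for ta, tb in product(fa.actions, fb.actions)]


def violations(user_access, risk, level="permission"):
    """Return the (tcode, tcode) rules of `risk` that the user violates.
    user_access: tcode -> set of ACTVT values the user's authorizations grant.
    level='action'     : both tcodes present is enough (Action Level report).
    level='permission' : the granted activity must also overlap the activity
                         the Function requires (Permission Level report)."""
    hits = []
    for (ta, pa), (tb, pb) in generate_rules(risk):
        if ta not in user_access or tb not in user_access:
            continue
        if level == "action" or (user_access[ta] & pa and user_access[tb] & pb):
            hits.append((ta, tb))
    return hits


def simulate(user_access, add=None, remove=()):
    """What-if copy of a user's access with tcodes added and/or removed;
    the original access is left untouched so the real analysis is unchanged."""
    sim = {t: set(a) for t, a in user_access.items() if t not in remove}
    for tcode, acts in (add or {}).items():
        sim.setdefault(tcode, set()).update(acts)
    return sim


# Constructed Functions (ids and tcode assignments are assumptions, not SAP's):
# vendor master maintenance vs. invoice posting, the SOD pair from the glossary.
ZF_VENDOR = Function("ZF_VENDOR", {"XK01": frozenset({CREATE}),
                                   "XK02": frozenset({CHANGE})})
ZF_INVOICE = Function("ZF_INVOICE", {"FB60": frozenset({CREATE}),
                                     "MIRO": frozenset({CREATE})})
ZX01 = AccessRisk("ZX01", "High", (ZF_VENDOR, ZF_INVOICE))

# Constructed users. USER_A holds XK02 display-only (activity 03) and posts
# invoices; USER_B creates vendors and posts invoices.
USER_A = {"XK02": {DISPLAY}, "FB60": {CREATE}}
USER_B = {"XK01": {CREATE}, "MIRO": {CREATE}}


def report(name, access, risk):
    """Action-level vs permission-level findings for one user."""
    return {"user": name,
            "action_level": violations(access, risk, "action"),
            "permission_level": violations(access, risk)}


if __name__ == "__main__":
    print(f"{ZX01.id}: {len(generate_rules(ZX01))} access rules")
    for name, access in (("USER_A", USER_A), ("USER_B", USER_B)):
        print(report(name, access, ZX01))
    # What if USER_A is also given XK01 (create vendor)?
    print(report("USER_A+XK01", simulate(USER_A, add={"XK01": {CREATE}}), ZX01))
```

Running it shows why the glossary recommends Permission Level reporting: USER_A is flagged at Action level (XK02 and FB60 are both present) but not at Permission level, because display-only access to XK02 does not satisfy the change activity ZF_VENDOR requires; the simulation that adds XK01 with create makes the risk real at both levels.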
Term: User Master
Short term: User
Source: SAP
Meaning: This is the SAP system user master record or Logon Id; the naming convention at MIT is to match the MIT Kerberos Id, based on the user's name.
Example: PAMELAS; DALET; VACHA

Term: Workflow
Source: ECC
Meaning: In SAP ECC, workflow is automated for some financial postings/documents. Users enter financial transactions and they are workflowed, in custom MIT programming, to approvers' inboxes.

Term: Workflow
Source: GRC
Meaning: GRC functionality for approving access change requests - currently not implemented.