AC12 Config Parameters

SAP Access Control 12.0
Configuration Parameters
Applies to:
SAP Access Control 12.0 and above
Summary:
This guide contains information about the parameters used when configuring SAP Access Control.
Created:
January 2019
Version 1.3
© 2019 SAP AG
SAP Access Control 12.0 Configuration Parameters
Document History
Document Version | Description
1.00 | Initial release
1.10 | Data privacy edits
1.20 | Added parameter 1128
1.30 | Added parameter 2063 (SP03); added parameter 4022 (SP03); added parameter 4025 (SP03)
Maintaining Configuration Settings in SAP Access Control 12
Typographic Conventions
Type Style | Description
Example Text | Words or characters quoted from the screen. These include field names, screen titles, pushbuttons labels, menu names, menu paths, and menu options. Cross-references to other documentation.
Example text | Emphasized words or phrases in body text, graphic titles, and table titles.
Example text | File and directory names and their paths, messages, names of variables and parameters, source text, and names of installation, upgrade and database tools.
Example text | User entry texts. These are words or characters that you enter in the system exactly as they appear in the documentation.
<Example text> | Variable user entry. Angle brackets indicate that you replace these words and characters with appropriate entries to make entries in the system.
EXAMPLE TEXT | Keys on the keyboard, for example, F2 or ENTER.
Icons
Icon | Description
[icon] | Caution
[icon] | Note or Important
[icon] | Example
[icon] | Recommendation or Tip
Table of Contents
1. Maintain Configuration Settings
1.1 Change Log
1.2 Mitigation
1.3 Risk Analysis
1.4 Risk Analysis - Spool
1.5 Workflow
1.6 Emergency Access Management
1.7 UAR Review
1.8 Performance
1.9 Risk Analysis - Access Request
1.10 Role Management
1.11 Risk Analysis – Risk Terminator
1.12 Access Request Role Selection
1.13 Access Request Default Roles
1.14 Access Request Role Mapping
1.15 SOD Review
1.16 LDAP
1.17 Assignment Expiry
1.18 Access Request Training Verification
1.19 Authorizations
1.20 Access Request Business Role
1.21 Management Dashboard Reports
1.22 Access Request Validations
1.23 Simplified Access Request
1.24 Access Control – General Settings
1.25 Access Controls – ILM Configuration
1.26 SAP Cloud Identity Access Governance Integration
2. Index by Numerical Value
3. Copyright
1. Maintain Configuration Settings
Access Control configuration parameters allow you to customize the SAP Access Control application.
You access parameters in Customizing (transaction SPRO). The menu path from the SAP Easy
Access screen is Tools > Customizing > IMG > Execute Project > SAP Reference IMG >
Governance, Risks, and Compliance > Access Control > Maintain Configuration Settings.
To maintain the configuration settings:
1. Choose the New Entries pushbutton and select a parameter group from the dropdown list.
2. In the Parameter ID column, select a parameter ID.
3. Select a Parameter Value from the dropdown list, or, if appropriate, enter a value in the
Parameter Value field.
4. Optionally, in the Priority field, enter a number for the priority of the parameter. This is a
user-defined field.
5. Choose Save.
January 2019
Page 1 of 153
Parameter Groups
Configuration parameters are organized into Parameter Groups as shown in the table below. Each
group corresponds to an area of functionality within SAP Access Control.
Group Number | Group Description
01 | Change Log
02 | Mitigation
03 | Risk Analysis
04 | Risk Analysis - Spool
05 | Workflow
06 | Emergency Access Management
07 | UAR Review
08 | Performance
09 | Risk Analysis - Access Request
10 | Role Management
11 | Risk Analysis – Risk Terminator
12 | Access Request Role Selection
13 | Access Request Default Roles
14 | Access Request Role Mapping
15 | SOD Review
16 | LDAP
17 | Assignment Expiry
18 | Access Request Training Verification
19 | Authorizations
20 | Access Request Business Role
21 | Management Dashboard Reports
22 | Access Request Validations
23 | Simplified Access Request
24 | Access Control – General Settings
25 | Access Controls – ILM (Information Lifecycle Management) Configuration
26 | SAP Cloud Identity Access Governance Integration
1.1 Change Log
The Change Log parameters control how transaction history is logged and displayed in SAP Access
Control.
Overview of Change Log Parameters
Parameter ID | Description | Default Value
1001 | Enable Function Change Log | YES
1002 | Enable Risk Change Log | YES
1003 | Enable Organization Rule Log | YES
1004 | Enable Supplementary Rule Log | YES
1005 | Enable Critical Role Log | YES
1006 | Enable Critical Profile Log | YES
1007 | Enable Rule Set Change Log | YES
1008 | Enable Role Change Log | YES
5001 | SLG1 Logs for HR Trigger | HIGH

Details of Change Log Parameters

Param ID: 1001
Description: Enable Function Change Log
Default: YES
Set to YES to display the Change History tab on the Function screen.

Param ID: 1002
Description: Enable Risk Change Log
Default: YES
Set to YES to display the Change History tab on the Access Risk screen.

Param ID: 1003
Description: Enable Organization Rule Log
Default: YES
Set to YES to display the Change History tab on the Organization Rules screen.

Param ID: 1004
Description: Enable Supplementary Rule Log
Default: Yes
Set to YES to display the Change History tab on the Supplementary Rules screen.

Param ID: 1005
Description: Enable Critical Role Log
Default: Yes
Set to YES to display the Change History tab on the Critical Role screen.

Param ID: 1006
Description: Enable Critical Profile Log
Default: Yes
Set to YES to display the Change History tab on the Critical Profile screen.

Param ID: 1007
Description: Enable Rule Set Change Log
Default: Yes
Set to YES to display the Change History tab on the Rule Sets screen.

Param ID: 1008
Description: Enable Role Change Log
Default: YES
Set to YES to display the Change History link on the Additional Details tab of the Role
Maintenance screen.

Param ID: 5001
Description: SLG1 Log Level for HR Triggers
Default: HIGH
The available values are High and Medium. When this parameter is set to High, all the
HR Trigger logs are captured under SLG1 whether the info types from the HR System
satisfy BRF rules. When this parameter is set as Medium, the system only captures
those logs that occur after the BRF rules are satisfied.
The screen shot below shows the detail SLG1 logs that are captured when the
parameter is set to High.
1.2 Mitigation
The Mitigation parameters control how risk mitigation works in SAP Access Control.
Overview of Mitigation Parameters
Parameter ID | Description | Default Value
1011 | Default expiration time for mitigating control assignments (in days) | 365
1012 | Consider Rule ID also for mitigation assignment | NO
1013 | Consider System for mitigation assignment | NO
1014 | Enable separate authorization check for mitigation from access request | NO
1015 | Get data for Invalid Mitigation Report from Management Summary table | NO
1016 | Specify number of days to exclude from Invalid Mitigation Cleanup | 0 (zero)

Details of Mitigation Parameters

Param ID: 1011
Description: Default expiration time for mitigating control assignments (in days)
Default: 365
The default number of days for which you can mitigate any object (selection on service map). You
can overwrite this number in the Valid To field.

Param ID: 1012
Description: Consider Rule ID also for mitigation assignment
Default: NO
By default, the application includes all rules when it mitigates the access risk.
Setting the value to YES allows you to specify the specific Rule ID to be included when
mitigating the risk.

Param ID: 1013
Description: Consider System for mitigation assignment
Default: NO
Setting the value to YES allows you to apply mitigating controls to risks originating from
specific systems.

Param ID: 1014
Description: Enable separate authorization check for mitigation from access request
Default: NO
This parameter controls how authorization checks are done during the access request
risk mitigation process.
Previously, when risk mitigation was done during request approval, the mitigation was
saved directly to the user mitigation tables. If the request was later rejected or cancelled,
the mitigation remained in the user mitigation table even though it was then invalid.
By using this parameter, you tell the application to save the mitigation in intermediate
tables until the request is fully approved. At that point, the mitigation is transferred to the
user mitigation table.
This parameter works in conjunction with an activity (88) that is added to authorization
object GRAC_MITC.
Setting the value to YES enables activity 88 and mitigations are saved to an intermediate
table until the request is fully approved.
Setting the value to NO saves the mitigations directly to the user mitigation tables and
activity 88 is not checked.
For more information, see SAP Note 1996151.

Param ID: 1015
Description: Get data for Invalid Mitigation Report from Management Summary table
Default: NO
SAP Access Control allows you to run analysis reports for Invalid Mitigating Controls with
the option to use Offline Data. The report gets the offline data from the detailed violations
table from the last batch risk analysis. The data is very granular (low level) and may take
time and more system resources to get.
This parameter allows you to get the Offline Data from the Management Summary table.
As the data is already at a summary level, it takes less time and fewer resources to
produce the report.
Set value to No to get the data from the detailed violations table.
Set value to Yes to get the data from the Management Summary table.

Param ID: 1016
Description: Specify number of days to exclude from Invalid Mitigation Cleanup
Default: 0
As an AC Administrator, you can use Invalid Mitigation Cleanup to remove mitigation
assignments that are no longer valid because the risks no longer exist. For example, the
role assignments have been removed or the roles have changed.
Additionally, there may be a scenario where you assign mitigation controls in Role
Simulation or User Simulation, which results in invalid mitigation assignments because
the roles or the updates do not yet exist in the back-end. The mitigation assignments will
show as invalid until the user assignments and role changes have propagated to the
back-end system.
If you use Invalid Mitigation Cleanup, it will remove all invalid mitigation
assignments, including those in Simulation. To keep your work from being deleted, you
can use this parameter to exclude the assignments that have been maintained within the
selected number of days from the cleanup. For example, enter 10 to exclude invalid
mitigation assignments maintained in the last 10 days.
The calculated date is based on the date of last maintenance of the mitigating control
assignments to users and roles. Whether the maintenance is done via a request,
manually, or uploaded, the calculation is the same.
Note: If you use the upload feature, all items uploaded would have a last maintained
date of the upload date even if there is no change.
1.3 Risk Analysis
The Risk Analysis parameters control how risk analysis works in SAP Access Control.
Overview of Risk Analysis Parameters
Parameter ID | Description | Default Value
1021 | Consider Org Rules for other applications | NO
1022 | Allow object IDs for this connector to be case sensitive | <empty>
1023 | Default report type for risk analysis | 2
1024 | Default risk level for risk analysis | 3
1025 | Default rule set for risk analysis | <empty>
1026 | Default user type for risk analysis | A
1027 | Enable Offline Risk Analysis | NO
1028 | Include Expired Users | NO
1029 | Include Locked Users | NO
1030 | Include Mitigated Risks | NO
1031 | Ignore Critical Roles and Profiles | YES
1032 | Include Reference user when doing user analysis | YES
1033 | Include Role/Profile Mitigation in User Risk Analysis | YES
1034 | Max number of objects in a package for parallel processing | 100
1035 | Send e-mail notification to the monitor of the updated mitigated object | YES
1036 | Show all objects in Risk Analysis | NO
1037 | Use SoD Supplementary Table for Analysis | YES
1038 | Consider FF Assignments in Risk Analysis | NO
1046 | Extended objects enabled connector | <empty>
1048 | Business View for Risk Analysis is Enabled | NO (Technical View)
1050 | Default Report View for Risk Analysis | Remediation View
Details of Risk Analysis Parameters

Param ID: 1021
Description: Consider Org Rules for other applications
Default: NO
Setting the value to YES automatically selects the Consider Org Rule checkbox on the
Risk Violations tab of the Access Request and Role Maintenance screens.
Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

Param ID: 1022
Description: Allow object IDs for this connector to be case sensitive
Default: <empty>
On the Risk Analysis screen, you specify the system and the analysis criteria such as
User, Risk Level, and so on. This parameter allows you to specify for which systems the
information entered is case sensitive.
In the example below, z_cup_USR001 is case sensitive for system NCACLNT001.
Note: To enter more than one system or connector, enter additional instances of the
parameter.

Param ID: 1023
Description: Default report type for risk analysis
Default: 2
The Risk Analysis screen allows you to select several report type options for the risk
analysis, such as Access Risk Analysis, Action Level, and Permission Level.
This parameter allows you to choose one or more report types that are selected by
default. It works as follows:
• If you do not define a value for parameter 1023 in the IMG, the report type
defaults to 2, Permission Level.
• If you define one or more values for parameter 1023 in the IMG, the report type
defaults to those values.
Note: In the IMG value cell, press F4 to display the available types, such as Permission
Level, and so on. The screenshot below shows the report being run with a default value
of 2, Permission Level.
Note: This setting does not affect the Risk Analysis Type fields on the Batch Risk
Analysis screens; you must set these separately.

Param ID: 1024
Description: Default risk level for risk analysis
Default: 2
The Risk Analysis screen allows you to select several options for the risk analysis, such
as analysis criteria, report options, and additional criteria.
This parameter allows you to choose the Risk Level that is selected by default.
Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc
data screens.

Param ID: 1025
Description: Default rule set for risk analysis
Default: <empty>
The Risk Analysis screen allows you to select several options for the risk analysis, such
as analysis criteria, report options, and additional criteria.
This parameter allows you to choose the Rule Set that is selected by default.
Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc
data screens.

Param ID: 1026
Description: Default user type for risk analysis
Default: A
The Risk Analysis screen allows you to select several options for the risk analysis, such
as analysis criteria, report options, and additional criteria.
This parameter allows you to choose the User Type that is selected by default.
Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc
data screens.

Param ID: 1027
Description: Enable Offline Risk Analysis
Default: NO
The Risk Analysis screen allows you to select several options for the risk analysis, such
as analysis criteria, report options, and additional criteria.
The parameter value is set to NO to exclude Offline Data in risk analysis by default. On the
Risk Analysis screen, the Offline Data checkbox is empty by default.
Note: If parameter 2023 is set to YES, then this parameter must also be set to Yes.
Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc
data screens.

Param ID: 1028
Description: Include Expired Users
Default: NO
Set to YES to include expired users from plug-in systems for risk analysis.
Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.
SAP NOTE
2178532 – Risk analysis not considering locked and expired users.

Param ID: 1029
Description: Include Locked Users
Default: NO
Set to YES to include locked users from plug-in systems for risk analysis.
Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.
SAP NOTE
2178532 – Risk analysis not considering locked and expired users.

Param ID: 1030
Description: Include Mitigated Risks
Default: NO
The Risk Analysis screen allows you to select several options for the risk analysis, such
as analysis criteria, report options, and additional criteria.
Set the parameter value to YES to include Mitigated Risks in the risk analysis by default.
The application displays the SoD violations, the mitigated risks, and the mitigating control
assigned to it. On the Risk Analysis screen, the Include Mitigated Risks checkbox is
automatically selected.
Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc
data screens.

Param ID: 1031
Description: Ignore Critical Roles and Profiles
Default: YES
Set the value to YES to exclude critical roles and profiles for risk analysis.
Note: In Batch Risk Analysis, if this parameter is set to YES, the roles and profiles that
are in the Critical Roles and Profiles tables are added to the entries specified in the IMG
Activity Maintain Exclude Objects for Batch Risk Analysis.

Param ID: 1032
Description: Include Reference user when doing user analysis
Default: YES
Set the value to YES to include referenced users when performing SoD risk analysis for
users. This is also valid for Batch Risk Analysis.
Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and screens.

Param ID: 1033
Description: Include Role/Profile Mitigation in User Risk Analysis
Default: YES
Set the value to YES to include mitigating controls assigned to roles and profiles when
performing user risk analysis. This setting affects both ad hoc user-level analysis and
data calculated during batch risk analysis.
Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and
screens.
SAP NOTE
1732781 - Risks appear for the Roles/Users whose Mitigation has already done
Background
If Role 1 is mitigated for Risk A, then all users assigned to Role 1 are mitigated for Risk
A.
If User Jones is mitigated for Risk A, the user-level mitigation supersedes any role or
profile level mitigation.
Practical use: if businesses do not mitigate risks at the user level, they can use role or
profile mitigation as a blanket mitigation technique.
Illustration
• Role 1 and Role 2 both contain Risk A.
• Role 1 is mitigated for Risk A.
• User Jones is assigned both Roles 1 and 2 and is not mitigated at the user level.
• User Smith is assigned both Roles 1 and 2 and is mitigated at the user level.
• User Williams is assigned only Role 2 and is not mitigated at the user level.
With this scenario, how does the system respond?
If the setting for Parameter 1033 is YES, SAP Access Control does this:
• User Jones is mitigated for Risk A due to the mitigation applied to Role 1 (role level
mitigation).
• User Smith is mitigated for Risk A due to the mitigation applied at the user level (user
level mitigation).
• User Williams is not mitigated for Risk A.
If the setting for Parameter 1033 is NO, SAP Access Control does this:
• User Jones is not mitigated for Risk A.
• User Smith is mitigated for Risk A due to mitigation applied at the user level.
• User Williams is not mitigated for Risk A.
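The precedence rules in the parameter 1033 illustration, written out as a small model. This is an added example, not SAP code: the class, the function names and the review helper are hypothetical, and the data is constructed to match the illustration. The helper lists users who show as mitigated only through a role-level mitigation while another of their roles carries the same risk without one, which is the case a reviewer would want to look at when 1033 is YES.

```python
"""Model of the parameter 1033 illustration on this page (not SAP code)."""
from dataclasses import dataclass


@dataclass
class Landscape:
    role_risks: dict        # role -> set of risks the role contains
    role_mitigations: set   # {(role, risk)} mitigated at role level
    user_roles: dict        # user -> set of assigned roles
    user_mitigations: set   # {(user, risk)} mitigated at user level


# Constructed data matching the illustration: Role 1 and Role 2 both contain
# Risk A, only Role 1 is mitigated, and only Smith is mitigated as a user.
ILLUSTRATION = Landscape(
    role_risks={"Role 1": {"Risk A"}, "Role 2": {"Risk A"}},
    role_mitigations={("Role 1", "Risk A")},
    user_roles={
        "Jones": {"Role 1", "Role 2"},
        "Smith": {"Role 1", "Role 2"},
        "Williams": {"Role 2"},
    },
    user_mitigations={("Smith", "Risk A")},
)


def roles_carrying(ls, user, risk):
    """Sorted roles assigned to the user that contain the risk."""
    return sorted(
        role for role in ls.user_roles.get(user, ())
        if risk in ls.role_risks.get(role, ())
    )


def mitigation_status(ls, user, risk, param_1033):
    """Return (mitigated, level); level is 'user', 'role' or None."""
    # User-level mitigation supersedes role or profile level mitigation.
    if (user, risk) in ls.user_mitigations:
        return True, "user"
    # Role-level mitigation only counts when parameter 1033 is YES.
    if param_1033 == "YES":
        for role in roles_carrying(ls, user, risk):
            if (role, risk) in ls.role_mitigations:
                return True, "role"
    return False, None


def role_only_review_list(ls, risk, param_1033):
    """Users mitigated only via a role, with their roles that carry the
    same risk and have no role-level mitigation."""
    findings = []
    for user in sorted(ls.user_roles):
        mitigated, level = mitigation_status(ls, user, risk, param_1033)
        if mitigated and level == "role":
            open_roles = [
                role for role in roles_carrying(ls, user, risk)
                if (role, risk) not in ls.role_mitigations
            ]
            if open_roles:
                findings.append((user, open_roles))
    return findings


if __name__ == "__main__":
    for setting in ("YES", "NO"):
        print("Parameter 1033 =", setting)
        for user in sorted(ILLUSTRATION.user_roles):
            print("  ", user, mitigation_status(ILLUSTRATION, user, "Risk A", setting))
        print("   review:", role_only_review_list(ILLUSTRATION, "Risk A", setting))
```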

Param ID: 1034
Description: Maximum number of objects in a package for parallel processing
Default: 100
The application uses this parameter in conjunction with the Number of Tasks specified
in the Customizing activity (IMG) Distribute Jobs for Parallel Processing to determine
the distribution of objects that are processed per job.
For example, if there are 10,000 users to analyze and this value is 100, then there will be
100 packages created each having 100 users. Each package is submitted to a separate
background process, which is available to the application via the application group.
If instead we specify that three background processes are available to GRAC_SOD, the 100
packages are submitted one by one to these processes: three packages initially, and
then one more to each process as it completes its package.
Note: The RZ10 parameter rdisp/wp_no_btc overrides this configuration. Therefore, if
the RZ10 parameter is set to 2, then the application ignores the parameter in this setting
and uses the value 2 instead.

Param ID: 1035
Description: Send e-mail notification to the monitor of the updated mitigated object
Default: YES
Set the value to YES to send e-mail notifications to the owner of the mitigating control
when the mitigated object is updated, such as the user/role.

Param ID: 1036
Description: Show all objects in Risk Analysis
Default: NO
Set the value to YES to select the Show All Objects checkbox on the Risk Analysis
screen by default.
The objects that do not have violations are displayed with the Action: No Violations.
Note: This setting applies to SoD Batch Risk Analysis.

Param ID: 1037
Description: Use SoD Supplementary Table for Analysis
Default: YES
Set value to YES to use supplementary rules for SoD risk analysis.
Note: This parameter affects the Batch Risk Analysis as well as Ad Hoc data and
screens.

Param ID: 1038
Description: Consider FF Assignments in Risk Analysis
Default: NO
Set value to YES to use supplementary rules for SoD risk analysis. You can use this
parameter to select whether to include Firefighter (FF) assignments in risk analysis.
• Select YES to include FF assignments for risk analysis.
On the Access Management > Access Risk Analysis screens, the application
displays the Include FFIDS checkbox.
• Select NO to exclude FF assignments for risk analysis.
On the Access Management > Access Risk Analysis screens, the application
does not display the Include FFIDS checkbox.
Note: For Access Requests, the application does not allow users to choose whether to
include FFIDs for risk analysis. As shown in the graphic below, the Include FFIDs
checkbox is not part of the Risk Violation tab on the Access Request screen. If you set
the parameter value as YES, the application includes FFIDs in the risk analysis, but it will
not display the checkbox on the screen.
Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc
data screens.

Param ID: 1046
Description: Extended objects enabled connector
Default: <empty>
Extended objects are objects from non-SAP systems. This parameter allows you to
specify the connectors for non-SAP systems.
The connectors can have object lengths greater than SAP objects. For example, SAP
User ID length is 12, but the extended object length may be 50.
Note: You can set multiple connectors by adding multiple instances of the parameter.

Param ID: 1048
Description: Business View for Risk Analysis is Enabled
Default: NO (Technical View)
The available values are Yes and No.
If the parameter is set to Yes, the system displays the Business View format on the Risk
Violations tab during creation or approval of a request as shown in the screen shot.
Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc
data screens.

Param ID: 1050
Description: Default Report View for Risk Analysis
Default: Remediation View
There are three types of views for Risk Analysis reports (technical, business and
remediation). Use this parameter to change the global default to something other than
the Technical View. This parameter affects the dashboard drill-down
for Risk Analysis.
You can change the default view on a case-by-case basis for the ad hoc reports through
the User Interface (as shown below).
Note: This setting does not affect the Batch Risk Analysis. It only affects the Ad Hoc
data screens.
1.4 Risk Analysis - Spool
The Risk Analysis - Spool parameters control variables having to do with how Risk Analysis reports
are run.
Overview of Risk Analysis – Spool Parameters
Parameter ID | Description | Default Value
1051 | Max number of objects in a file or database record | 200000
1052 | Spool File Location | <empty>
1053 | Spool Type | D
1054 | Max number of violations supported in Organization Rule Analysis | 500000

Details of Risk Analysis – Spool Parameters

Param ID: 1051
Description: Max number of objects in a file or database record
Default: 200000
You can use this parameter to specify the maximum number of analytics data objects the
application stores.
If parameter 1053 is set to F, the value is the maximum number of objects stored in the
file.
If parameter 1053 is set to D, the value is the maximum number of objects stored in the
REPCONTENT column of the GRACSODREPDATA table.
Note: You can use the GRAC_DELETE_REPORT_SPOOL program to clean up the
analytics data from the file system or table.
Prerequisite: You have configured parameters 1052 and 1053.

Param ID: 1052
Description: Spool File Location
Default: <empty>
You can specify the file location where the application stores the analytics data, such as
\\<ip_address>\public\SoD\.
Note: This parameter is only valid if parameter 1053 is set to F.
Prerequisite: You have configured parameter 1053.

Param ID: 1053
Description: Spool Type
Default: D
You can use this parameter to set whether the application uses the file system or the
database table to store the analytics data for access control, such as ad hoc SoD
violations.
Set the value to F to store the data on the file system. (Set the file location in parameter
1052).
Set the value to D to store the data in the GRACSODREPDATA table.
Note:
• You see the intermediate results while risk analysis is running. This gives you an
opportunity to see if the desired records are created and choose to stop or cancel
the job.
• If you change the location type (such as from D to F) in mid-course, the report will
still read the previously generated files or database records. Index tables keep track
of the source of the records when the data was generated.
• If you cancel the job before the report is finished, you can still read the data up to the
point the files or database records were created.

Param ID: 1054
Description: Max number of violations supported in Organization Rule Analysis
Default: 500000
SAP Access Control allows you to consider Organizational Rules when performing
access risk analysis. Depending on the total number of org rules, the analysis can
generate many violations, which may cause the system to run out of memory and result
in a dump.
A feature has been added to enable the application to exit the analysis before the system
runs out of memory. You use this parameter to set the threshold limit. The default is
500,000.
• For example, you can perform User Level risk analysis and choose the option to
Consider Org Rule. If the 500,000 violations threshold is reached, the application
stops the analysis for that user and displays the message “Too many violations”.
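A consistency check over the dependencies this page documents (parameter 1027 must be YES when 2023 is YES; 1052 is only valid when 1053 is F, and is needed when it is F) together with drift from the documented defaults. This is an added example, not SAP code: the two-column CSV layout, the sample rows and the function names are assumptions constructed for illustration.

```python
"""Consistency check for parameter dependencies documented on this page (not SAP code)."""
import csv
import io

# Defaults copied from the overview tables on this page.
DOCUMENTED_DEFAULTS = {
    "1001": "YES", "1002": "YES", "1003": "YES", "1004": "YES",
    "1005": "YES", "1006": "YES", "1007": "YES", "1008": "YES",
    "1011": "365", "1014": "NO", "1016": "0",
    "1027": "NO", "1028": "NO", "1029": "NO", "1053": "D",
}

# Constructed sample export; the CSV layout and the host name are assumptions.
SAMPLE_EXPORT = r"""param_id,value
1002,NO
1008,YES
1016,10
1027,NO
2023,YES
1052,\\fileserver.example\public\SoD
1053,D
"""


def load_settings(text):
    """Parse 'param_id,value' rows; a parameter may have several instances."""
    settings = {}
    for row in csv.DictReader(io.StringIO(text)):
        pid = (row.get("param_id") or "").strip()
        if pid:
            settings.setdefault(pid, []).append((row.get("value") or "").strip())
    return settings


def effective(settings, pid):
    """First configured value (upper-cased), else the documented default, else ''."""
    values = settings.get(pid)
    if values and values[0]:
        return values[0].upper()
    return DOCUMENTED_DEFAULTS.get(pid, "")


def check_settings(settings):
    """Return a list of (param_id, kind, message) findings."""
    findings = []

    # 1. Drift from the defaults documented on this page.
    for pid in sorted(DOCUMENTED_DEFAULTS):
        value, default = effective(settings, pid), DOCUMENTED_DEFAULTS[pid]
        if value != default:
            findings.append(
                (pid, "DEVIATION", f"value {value!r}, documented default {default!r}")
            )

    # 2. Parameter 1027 must be YES when parameter 2023 is YES.
    if effective(settings, "2023") == "YES" and effective(settings, "1027") != "YES":
        findings.append(("1027", "DEPENDENCY", "2023 is YES but 1027 is not YES"))

    # 3. Parameter 1052 is only valid when 1053 is F, and is needed when it is F.
    spool_type = effective(settings, "1053")
    location = (settings.get("1052") or [""])[0]
    if spool_type == "F" and not location:
        findings.append(("1052", "DEPENDENCY", "1053 is F but no spool file location is set"))
    if spool_type != "F" and location:
        findings.append(("1052", "DEPENDENCY", "spool file location is set but 1053 is not F"))

    return findings


if __name__ == "__main__":
    for pid, kind, message in check_settings(load_settings(SAMPLE_EXPORT)):
        print(f"{pid}  {kind:<10}  {message}")
```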
1.5 Workflow
The Workflow parameters control variables across all the processes in SAP Access Control. Examples
include specifying whether to send notifications when mitigating controls or risks change.
Overview of Workflow Parameters
Parameter ID | Description | Default Value
1061 | Mitigating Control Maintenance | NO
1062 | Mitigation Assignment | NO
1063 | Risk Maintenance | NO
1064 | Function Maintenance | NO
1101 | Create Request for Risk Approval | 12
1102 | Update Request for Risk Approval | 13
1103 | Delete Request for Risk Approval | 14
1104 | Create Request for Function Approval | 15
1105 | Update Request for Function Approval | 16
1106 | Delete Request for Function Approval | 17
1107 | Create Request for Mitigation Assignment Approval | 18
1108 | Update Request for Mitigation Assignment Approval | 19
1109 | Delete Request for Mitigation Assignment Approval | 20
1110 | High | 2
1111 | High | 3
1112 | High | 4
1113 | Access Control E-mail Sender | WF-BATCH
1115 | Enable Escalation for Requests on Hold | NO
1128 | Send email notification to Requestor | NO
2051 | Enable User ID Validation in Access Request against Search Data Sources | YES
3022 | Request Type for Role Approval | 21
3023 | Priority for Role Approval | 5
Details of Workflow Parameters
Param ID: 1061
Description: Mitigating Control Maintenance
Default: NO
The application allows users to create and change mitigating controls. Set the value to YES to require that when users create or change mitigating controls, the application sends a workflow item to an approver to approve the action.
Note: On the Mitigating Control screen, the Create button is replaced by a Submit button.
You can configure the role that receives the workflow item for approving the mitigating control changes using the Customizing Activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.
Figure A below shows that on the control Owners tab the Mitigation Control Approver points to the Approver.
Figure B below shows you can use Maintain MSMP Workflows to change the approver agent ID (GRAC_CONTROL_APPROVER).
Figure A
Figure B

Param ID: 1062
Description: Mitigation Assignment
Default: NO
The application allows users to mitigate risks for objects (user, role, profile, and so on).
• YES: The application sends an approval workflow item to the mitigating control approver. The screen displays a Submit button. If this parameter is set to Yes, you must also configure parameters 1107, 1108, 1109, and 1112.
Note: You can configure the role that receives the workflow item for approving the mitigating control changes. Use the Customizing Activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.
• NO: The users can mitigate risks without approval. The screen displays a Save button.

Param ID: 1063
Description: Risk Maintenance
Default: NO
The application allows users to create and modify risks.
• YES: The application sends an approval workflow item to the Risk Owner (or to any alternate workflow agent you set) for approval. The screen displays a Submit button. If this parameter is set to Yes, you must also configure parameters 1101, 1102, 1103, and 1110.
Note: You can configure the role that receives the approval workflow item using the Customizing Activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.
• NO: Users can create and modify risks without approval. The screen displays a Save button.

Param ID: 1064
Description: Function Maintenance
Default: NO
The application allows users to create and change functions.
YES: The application sends an approval workflow item to the specified workflow agent for approval when functions are created or modified. If this parameter is set to Yes, you must also configure parameters 1104, 1105, 1106, and 1111.
Note: Workflow agents are users who have been assigned the role SAP_GRAC_FUNCTION_APPROVER. You can change the approver agent by using the Customizing Activity Maintain MSMP Workflows under Governance, Risk, and Compliance > Access Control > Workflow for Access Control.

Param ID: 1101
Description: Create Request for Risk Approval
Default: 12
Use F4 help and choose the request type the workflow uses to create requests for risk approval. This request type is associated with an MSMP process ID such as SAP_GRAC_RISK_APPR.
You maintain the list of available request types in the Customizing Activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
This parameter is only valid if parameter 1063 is set to Yes.

Param ID: 1102
Description: Update Request for Risk Approval
Default: 13
Use F4 help and choose the request type the workflow uses to update requests for risk approval. The request type is associated with an MSMP process ID.
You maintain the list of available request types in the Customizing Activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
(See also parameter 1101). This parameter is only valid if parameter 1063 is set to Yes.

Param ID: 1103
Description: Delete Request for Risk Approval
Default: 14
Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID.
You maintain the list of available request types in the Customizing Activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
(See also parameter 1101). This parameter is only valid if parameter 1063 is set to Yes.

Param ID: 1104
Description: Create Request for Function Approval
Default: 15
Use F4 help and choose the request type the workflow uses to create requests for function approval. The request type is associated with an MSMP process ID.
You maintain the list of available request types in the Customizing Activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
(See also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes.

Param ID: 1105
Description: Update Request for Function Approval
Default: 16
Use F4 help and choose the request type the workflow uses to update requests for function approval. The request type is associated with an MSMP process ID.
You maintain the list of available request types in the Customizing Activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
(See also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes.

Param ID: 1106
Description: Delete Request for Function Approval
Default: 17
Use F4 help and choose the request type the workflow uses to delete requests for risk approval. The request type is associated with an MSMP process ID.
You maintain the list of available request types in the Customizing Activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
(See also parameter 1101). This parameter is only valid if parameter 1064 is set to Yes.

Param ID: 1107
Description: Create Request for Mitigation Assignment Approval
Default: 18
Use F4 help and choose the request type the workflow uses to create requests for mitigation assignment approval. The request type is associated with an MSMP process ID.
You maintain the list of available request types in the Customizing Activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
(See also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes.

Param ID: 1108
Description: Update Request for Mitigation Assignment Approval
Default: 19
Use F4 help and choose the request type the workflow uses to update requests for mitigation assignment approval. The request type is associated with an MSMP process ID.
You maintain the list of available request types in the Customizing Activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
(See also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes.

Param ID: 1109
Description: Delete Request for Mitigation Assignment Approval
Default: 20
Use F4 help and choose the request type the workflow uses to delete requests for mitigation assignment approval. The request type is associated with an MSMP process ID.
You maintain the list of available request types in the Customizing Activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
(See also parameter 1101). This parameter is only valid if parameter 1062 is set to Yes.

Param ID: 1110
Description: High
Default: 2
You use this parameter to set the default workflow request priority for Updating and Creating Risks. Use F4 help to display the list of available priorities.
You maintain the list of priority values in the Customizing Activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_RISK_APPR to risk approval priorities.
Note: This parameter is only valid if parameter 1063 is set to Yes.

Param ID: 1111
Description: High
Default: 3
You use this parameter to set the default workflow request priority for Creating and Updating Functions. Use F4 help to display the list of available priorities.
You maintain the list of available priority values in the Customizing Activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_FUNC_APPR to function approval priorities.
Note: This parameter is only valid if parameter 1064 is set to Yes.

Param ID: 1112
Description: High
Default: 4
You use this parameter to set the default workflow request priority for Mitigation Control Assignments. Use F4 help to display the list of available priorities.
You maintain the list of available priority values in the Customizing Activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_CONTROL_ASGN to mitigation control assignment priorities.
Note: This parameter is only valid if parameter 1062 is set to Yes.

Param ID: 1113
Description: Access Control E-mail Sender
Default: WF-BATCH
The application uses the e-mail of this user as defined in SU01 to send the workflow e-mails to the approvers.
See the Access Control Security Guide for information about required authorizations for the WF-BATCH user.

Param ID: 1115
Description: Enable Escalation for Requests on Hold
Default: NO
Parameter 1115 interacts with Access Control MSMP (Workflow) Configuration to determine whether to escalate an access request that is on hold.
The possible values of parameter 1115 are:
• YES – the system escalates a request on hold if Escalation Type is set to Escalate to Specified Agent in MSMP.
• NO – the system does not escalate a request on hold even if Escalation Type is set to Escalate to Specified Agent in MSMP.
The screenshot below shows the Escalation Type field in MSMP Configuration. You can find this screen in Customizing under Governance, Risk and Compliance > Access Control > Workflow for Access Control > Maintain MSMP Workflows.
Placing an Access Request on Hold
An access request approver can place a request on hold during the request review process as illustrated in the screenshot below.
Examples of the Interaction Between Access Control Configuration Parameter 1115 and the MSMP Escalation Type Setting
The table below shows what happens when you place an access request on hold given the sample settings.
1115 Setting | MSMP Escalation Type Setting | Result
YES | Escalate to Specified Agent | The request is escalated according to your configuration.
NO | Escalate to Specified Agent | The request is not escalated. MSMP is overridden.
YES | Skip to Next Stage | The request is escalated according to your configuration.
NO | Skip to Next Stage | The request is not escalated. MSMP is overridden.
YES | No Escalation | The request is not escalated.
NO | No Escalation | The request is not escalated.
More Information
See SAP Note 2136059 - UAM: On hold requests are getting escalated

Param ID: 1128
Description: Send email notification to Requestor
Default: NO
The possible values are YES or NO.
If set to YES, then the Requestor will be cc’d on the email that is sent to the Approver of the Access Request.

Param ID: 2051
Description: Enable User ID Validation in Access Request against Search Data Sources
Default: YES
If set to YES, the application validates that the UserID exists on the specified source system. If the user does not exist, the application does not allow the request to continue.
The validation is performed when you select Submit or Enter.

Param ID: 3022
Description: Request Type for Role Approval
Default: 21
Use F4 help and choose the request type the workflow uses for role approval. The request type is associated with an MSMP process ID. You maintain the list of available request types in the Customizing Activity Define Request Type under Governance, Risk, and Compliance > Access Control > User Provisioning.
(See also parameter 1101)

Param ID: 3023
Description: Priority for Role Approval
Default: 5
Priority of the request for Role Approval
You use this parameter to set the default workflow request priority for Role Approvals. Use F4 help to display the list of available priorities.
You maintain the list of available priority values in the Customizing Activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_ROLE_APPR to role approval priorities.
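
The dependencies described in this section (parameters 1062, 1063 and 1064 each require a set of request type and priority parameters, and parameter 1115 decides whether on-hold requests escalate) can be checked mechanically. The following is an added example, not part of the SAP guide: the parameter-to-value mapping, the sample values and the ERROR/WARN/INFO levels are assumptions of the example, and how the values are exported from the system is not covered.

```python
"""Consistency review of the workflow approval parameters in this section.

The input is a constructed {parameter ID: value} mapping. How the values are
exported from the system is outside this example (assumption).
"""
from typing import NamedTuple


class Finding(NamedTuple):
    level: str   # ERROR / WARN / INFO: severity labels chosen for this example
    param: int
    text: str


# Approval switch -> (what it governs, parameters the guide ties to it).
APPROVAL_SWITCHES = {
    1061: ("mitigating control maintenance", ()),
    1062: ("mitigation assignment", (1107, 1108, 1109, 1112)),
    1063: ("risk maintenance", (1101, 1102, 1103, 1110)),
    1064: ("function maintenance", (1104, 1105, 1106, 1111)),
}

# Default request types and priorities from the overview table.
DEFAULTS = {
    1101: "12", 1102: "13", 1103: "14", 1104: "15", 1105: "16", 1106: "17",
    1107: "18", 1108: "19", 1109: "20", 1110: "2", 1111: "3", 1112: "4",
}

MSMP_ESCALATION_TYPES = (
    "Escalate to Specified Agent", "Skip to Next Stage", "No Escalation",
)


def is_yes(value):
    """Treat YES/Yes/yes as enabled; anything else, including empty, as NO."""
    return str(value or "").strip().upper() == "YES"


def review_workflow(params):
    """Return findings for the approval switches 1061-1064 and their dependents."""
    findings = []
    for switch, (label, dependents) in APPROVAL_SWITCHES.items():
        enabled = is_yes(params.get(switch))  # all four switches default to NO
        if not enabled:
            findings.append(Finding(
                "WARN", switch,
                f"{label} changes are saved without an approval workflow"))
        for dep in dependents:
            value = str(params.get(dep) or "").strip()
            if enabled and not value:
                findings.append(Finding(
                    "ERROR", dep, f"must be configured because {switch} is YES"))
            elif not enabled and value and value != DEFAULTS[dep]:
                findings.append(Finding(
                    "INFO", dep, f"set to {value}, but only valid if {switch} is YES"))
    return findings


def on_hold_request_escalates(param_1115, msmp_escalation_type):
    """Apply the parameter 1115 / MSMP Escalation Type table for on-hold requests."""
    if msmp_escalation_type not in MSMP_ESCALATION_TYPES:
        raise ValueError(f"unknown MSMP escalation type: {msmp_escalation_type!r}")
    if msmp_escalation_type == "No Escalation":
        return False
    return is_yes(param_1115)  # NO overrides the MSMP setting


# Constructed sample: risk approval switched on but one request type blanked,
# function approval left off while its priority was changed from the default.
SAMPLE = {
    1061: "YES", 1062: "NO", 1063: "YES", 1064: "NO",
    1101: "12", 1102: "", 1103: "14", 1110: "2",
    1104: "15", 1105: "16", 1106: "17", 1111: "7",
    1107: "18", 1108: "19", 1109: "20", 1112: "4",
    1115: "NO",
}

if __name__ == "__main__":
    for f in review_workflow(SAMPLE):
        print(f"{f.level:5} {f.param}  {f.text}")
    print("on-hold request escalates:",
          on_hold_request_escalates(SAMPLE[1115], "Escalate to Specified Agent"))
```

With every switch at its default of NO, the review reports all four maintenance activities as running without approval, which is the state a fresh configuration starts in.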
1.6 Emergency Access Management
The Emergency Access Management (EAM) parameters control many aspects of how EAM functions.
Overview of EAM Parameters
Parameter ID | Description | Default Value
4000 | Application Type | 1
4001 | Default Firefighter Validity Period (in days) | <empty>
4002 | OBSOLETE - Send e-mail immediately | YES
4003 | Retrieve Change Log | <empty>
4004 | Retrieve System Log | <empty>
4005 | Retrieve Audit Log | <empty>
4006 | Retrieve O/S Command Log | <empty>
4007 | Send Log Report Execution Notification Immediately | YES
4008 | Send Firefight ID Logon Notification | YES
4009 | Log Report Execution Notification | YES
4010 | Firefighter ID Role Name | ZSAP_GRAC_SMP_FFID
4012 | Default users for forwarding the Audit Log workflow | 2
4013 | Firefighter ID owner can submit request for Firefighter ID owned | YES
4014 | Firefighter ID controller can submit request for Firefighter ID | YES
4015 | Enable decentralized Firefighting | NO
4017 | Enable CUP request number to show in Firefighter ID/Role Assignment Screen | YES
4018 | Enable detailed application logging (SLG1) for Firefighter log synchronization programs | NO
4020 | Generate EAM log Firefighter sessions with no activity | NO
4021 | Use ALV Grid for Firefighter filter transaction | NO
4025 | Restrict firefighter validity period during access request | NO
5033 | Allow creation of Firefighters with no Controller | YES
Details of Emergency Access Management Parameters
Param ID: 4000
Description: Application Type
Default: 1
You use this parameter to set the firefighting configuration:
• Choose 1 for ID-based firefighting.
• Choose 2 for Role-based firefighting.
Note: Configuration of parameter 4000 in any relevant target system is also required.

Param ID: 4001
Description: Default Firefighter Validity Period (Days)
Default: <empty>
Set the default validity period (in days) of Firefighter ID assignments to a Firefighter.
Notes:
• This is only the default period. You can override the validity period for each assignment as needed in the front-end.
• Configuration of parameter 4001 in any relevant target system is also required.

Param ID: 4002
Description: Send E-mail Immediately
THIS PARAMETER IS OBSOLETE. IT IS NO LONGER USED IN SAP ACCESS CONTROL

Param ID: 4003
Description: Retrieve Change Log
Default: <empty>
The possible values are YES and NO.
If set to YES, the application fetches the Change Log when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed.
The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.
Note: Plug-in systems must have the O/S time and R/3-time zone matched for the logs to be properly collected. This is because STAD stores the logs in O/S files.

Param ID: 4004
Description: Retrieve System Log
Default: <empty>
The possible values are YES and NO.
If set to YES, then the application fetches the System Log (debug changes) when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed.
The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

Param ID: 4005
Description: Retrieve Audit Log
Default: <empty>
The possible values are YES and NO.
If set to YES, then the application fetches the audit (security) log when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed.
The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.
Note: You can activate Audit Logs using the transaction SM19.

Param ID: 4006
Description: Retrieve O/S Command Log
Default: <empty>
The possible values are YES and NO.
If set to YES, then the application fetches the O/S Command Log when a user chooses the Update Firefighter Log button or runs the program GRAC_SPM_LOG_SYNC_UPDATE. The O/S Command Log tracks information when O/S commands (SM49) are created, changed, or executed.
The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.

Param ID: 4007
Description: Send Log Report Execution Notification Immediately
Default: YES
The application can send log reports to controllers. The application sends the notifications as e-mails or workflow items based on the configuration of the controllers. (See figure below.)
• Set the value to YES and the application sends email notifications or executes workflow when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed.
The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.
• Set the value to NO and the application only collects the logs when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed. The application sends the e-mail notifications or executes the workflow when the GRAC_SPM_WORKFLOW_SYNC program is executed.
Notes
• This parameter is only valid if parameter 4009 is set to YES.
• A separate email or workflow is created for each EAM session performed.

Param ID: 4008
Description: Send Firefighter ID Logon Notification
Default: YES
The possible values are YES and NO.
• Set to YES and the application sends an email notification to the controller whenever a firefighter executes a firefighting session.
• Set to NO if you do not want the application to send an email notification to the controller whenever a firefighter executes a firefighting session.

Param ID: 4009
Description: Log Report Execution Notification
Default: YES
The possible values are YES and NO.
If set to YES, then the application sends email notifications to the controller or executes workflow when a user chooses the Update Firefighter Log button or when the program GRAC_SPM_LOG_SYNC_UPDATE is executed.
The Update Firefighter Log button is available on the Consolidated Log Report under Emergency Access Management Reports.
Recommendation
Consider parameter 4007 if this parameter is set to YES.

Param ID: 4010
Description: Firefighter ID Role Name
Default: ZSAP_GRAC_SMP_FFID
Enter the name of the role assigned to the firefighter ID in the target systems. This informs the application that the user who is logging on to the target system is a firefighter ID. The target system makes a call to the GRC system and reads this configuration to check if the user has this role assigned to them.
Notes
• Configuration of parameter 4010 in any relevant target systems is also required.
• If IMG Activity Maintain Firefighter ID Role Name Per Connector is utilized, parameter 4010 is not considered and therefore does not need to be configured.
See SAP Note 2106895 for more information.

Param ID: 4012
Description: Default users for forwarding the Audit Log workflow
Default: 2
Configuration parameter 4012 is used to restrict the users to whom the EAM log workflow can be forwarded.
• If it is set to 1, the workflow can be forwarded to any user in the GRC system.
• If it is set to 2, the workflow can only be forwarded to users who are designated as controllers in the Access Control Owners table.

Param ID: 4013
Description: Firefighter ID owner can submit request for Firefighter ID owned
Default: YES
The available values are Yes and No.
Based on the parameter value, the firefighter ID owner can submit request for himself (Yes) or not (No).

Param ID: 4014
Description: Firefighter ID controller can submit request for Firefighter ID controller
Default: YES
The available values are Yes and No.
Based on the parameter value, the firefighter ID controller can submit a request for himself (Yes) or not (No).

Param ID: 4015
Description: Enable decentralized firefighting
Default: NO
The possible values are YES and NO.
Based on the parameter value, you can enable the EAM launchpad on non-GRC systems (Yes) or not (No).

Param ID: 4017
Description: Enable CUP request number to show in Firefighter ID/Role Assignment Screen
Default: YES
The Firefighter ID is requested to be assigned to the Firefighter User during the Access Request process (formerly CUP).
Setting the parameter to YES ensures that this request number is visible in the Firefighter ID and Firefighter maintenance screens in the Comment column. This provides a way to track the progress of the request.
Setting the parameter to NO will result in the request number not being visible in the Firefighter ID and Firefighter maintenance screens in the Comment column.
For more information, see SAP Note 1840064.

Param ID: 4018
Description: Enable detailed application logging (SLG1) for Firefighter log synchronization programs
Default: NO
SAP Access Control keeps logs of firefighting activities on the plug-in systems. The logs are synchronized back to the central system and the data goes into firefighting reports. Errors may occur that disrupt the synchronization of the logs from the plug-in systems to the central system.
Set the parameter to Yes to enable detailed logging in SLG1. You can use the additional information to determine the cause of the disruption.

Param ID: 4020
Description: Generate EAM log for Firefighter sessions with no activity
Default: NO
This parameter controls whether to send EAM log review workflow even if the Firefighter has not performed any activity.
Set the parameter to YES to generate the EAM log review even if there is no activity.
For more information, see SAP Note 2017105.
Note: Parameter 4009 must be set to Yes for this parameter to be considered.
For an example, below is the screen that shows the message indicating no activity by the Firefighter.

Param ID: 4021
Description: Use ALV Grid for Firefighter Filter Transaction
Default: NO
ONLY FOR CENTRALIZED EAM Launchpad
Input the transaction GRAC_EAM_FILTER to display the below landing page and filter by Connector or Firefighter ID. This transaction is available whether the parameter is YES or NO.
This parameter allows you to use the ABAP List Viewer (ALV) grid for the Firefighter table.
NO – This is the default and you will see the traditional EAM launchpad.
YES – Shows the ALV grid with the EAM launchpad. Here you can use all the ALV features.
Refer to SAP Note 2256927 for more information.

Param ID: 4025
Description: Restrict firefighter validity period during access request
Default: NO
The possible values are YES and NO. This parameter is dependent on parameter 4001.
If set to YES, then the firefighter validity period will be restricted for access requests based on the number of days set in parameter 4001.
Example
If parameter 4001 is set to 3 days and parameter 4025 is set to YES, the firefighter validity period will be restricted as follows: the date cannot be greater than current date + 3 days.
If parameter 4025 is set to NO, the application does not restrict the firefighter validity period.

Param ID: 5033
Description: Allow creation of firefighters with no controller
Default: YES
In SAP Access Control, the controller is the user who reviews and approves log files from firefighting activities.
Set the parameter to YES to create firefighters without requiring a controller.
Set the parameter to NO to prevent the creation of firefighters without a controller.
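
The EAM parameters above decide how much oversight a firefighting session gets, and parameters 4001 and 4025 together cap how long a requested assignment may last. The following is an added example, not part of the SAP guide: it overlays a constructed parameter-to-value mapping on the documented defaults, lists the settings that reduce oversight, and computes the 4025 date limit. Which settings count as review items, and the error raised when 4025 is YES while 4001 is empty, are assumptions of the example.

```python
"""Review of the Emergency Access Management parameters in this section.

Input is a constructed {parameter ID: value} mapping (the export step is an
assumption). Which settings count as review items is this example's choice.
"""
from datetime import date, timedelta

# Values from the "Default Value" column; <empty> is represented as "".
EAM_DEFAULTS = {
    4001: "", 4003: "", 4004: "", 4005: "", 4006: "", 4007: "YES",
    4008: "YES", 4009: "YES", 4012: "2", 4013: "YES", 4014: "YES",
    4020: "NO", 4025: "NO", 5033: "YES",
}

LOG_PARAMS = {
    4003: "Change Log", 4004: "System Log",
    4005: "Audit Log", 4006: "O/S Command Log",
}


def is_yes(value):
    return str(value or "").strip().upper() == "YES"


def effective(params):
    """Overlay maintained values on the documented defaults."""
    merged = dict(EAM_DEFAULTS)
    merged.update({k: str(v).strip() for k, v in params.items()})
    return merged


def latest_valid_to(params, today):
    """Latest end date an access request may carry, or None if unrestricted.

    Parameter 4025 = YES caps the date at today + parameter 4001 days.
    """
    cfg = effective(params)
    if not is_yes(cfg[4025]):
        return None
    if not cfg[4001].isdigit():
        # 4025 depends on 4001, whose default is <empty>. The guide does not
        # say what happens then, so this example reports a configuration error.
        raise ValueError("4025 is YES but 4001 holds no number of days")
    return today + timedelta(days=int(cfg[4001]))


def request_end_date_allowed(params, today, requested_end):
    """True if the requested validity end date respects the 4025 restriction."""
    limit = latest_valid_to(params, today)
    return limit is None or requested_end <= limit


def review_eam(params):
    """Return {parameter ID: reason} for settings that reduce oversight."""
    cfg = effective(params)
    items = {}
    for pid, log in LOG_PARAMS.items():
        if not is_yes(cfg[pid]):
            items[pid] = f"not YES, the value the guide gives for fetching the {log}"
    if not is_yes(cfg[4008]):
        items[4008] = "controller gets no e-mail when a firefighting session runs"
    if not is_yes(cfg[4009]):
        items[4009] = "no log report notification; 4007 and 4020 are not considered"
    if cfg[4012] == "1":
        items[4012] = "EAM log workflow can be forwarded to any user in the GRC system"
    if is_yes(cfg[4013]):
        items[4013] = "Firefighter ID owner can submit a request for an owned ID"
    if is_yes(cfg[4014]):
        items[4014] = "Firefighter ID controller can submit a request for themselves"
    if not is_yes(cfg[4025]):
        items[4025] = "validity period in access requests is not restricted"
    if is_yes(cfg[5033]):
        items[5033] = "firefighters can be created without a controller"
    return items


# Constructed sample of a tightened configuration.
TIGHTENED = {
    4001: "3", 4003: "YES", 4004: "YES", 4005: "YES", 4006: "YES",
    4013: "NO", 4014: "NO", 4025: "YES", 5033: "NO",
}

if __name__ == "__main__":
    for pid, reason in review_eam({}).items():   # documented defaults only
        print(pid, reason)
    print(latest_valid_to(TIGHTENED, date(2019, 1, 28)))
```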
1.7 UAR Review
The User Access Review (UAR) parameters allow you to make decisions about how to process User
Access Reviews.
Overview of UAR Parameters
Parameter ID | Description | Default Value
2004 | Request Type for UAR | <empty>
2005 | Default Priority | UAR_PRIORITY
2006 | Who are the reviewers? | MANAGER
2007 | Admin. Review required before sending tasks to reviewers | YES
2008 | Number of line items per UAR request | 100
2062 | Send automatic notification when roles are removed due to UAR Review | No
2063 | Show approved line items in UAR Audit Log | YES
Details of UAR Parameters
Param ID: 2004
Description: Request Type for UAR
Default: <empty>
All request types defined for SAP_GRAC_USER_ACCESS_REVIEW are visible by pressing F4.
This is important for tagging the workflow in MSMP for UAR Review.

Param ID: 2005
Description: Default Priority
Default: UAR_PRIORITY
You use this parameter to set the default priority for user access request reviews. Use F4 help to display the list of available priorities for UAR Requests.
You maintain the list of available priority values in the Customizing Activity Maintain Priority Configuration under Governance, Risk, and Compliance > Access Control > User Provisioning. You assign the MSMP Process ID of SAP_GRAC_USER_ACCESS_REVIEW to UAR Review priorities. In this example, priority IDs 10, 22, 24, and 36 are relevant for UAR Review.

Param ID: 2006
Description: Who are the reviewers?
Default: MANAGER
Select either Manager or Role Owner as the approver type for user access review requests. The application creates a review workflow for the specified approver type.
Managers receive review requests sorted by USER, and Role Owners receive review requests sorted by ROLE.

Param ID: 2007
Description: Admin. review required before sending tasks to reviewers
Default: YES
Set the value to YES to require that users who are assigned the role of access request administrator (such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the workflow goes to the reviewers. You specify reviewers in parameter 2006.

Param ID: 2008
Description: How many line items per UAR request
Default: 100
This parameter allows you to specify the maximum number of items per UAR request when creating a UAR request.
For more information, see SAP Note 1938273.

Param ID: 2062
Description: Send automatic notification when roles are removed due to UAR Review
Default: No
This parameter allows you to send an automatic email notification to inform end users when their roles are scheduled for removal as part of the User Access Review process. We provide standard text in the notification.
To customize the text:
1. Create a new documentation object for your text.
   1. Use transaction SE61 (Documentation Maintenance).
   2. Choose Document Class “General Text”.
2. Update the Notification view with your customized documentation object.
   1. Use transaction SM30 (View Maintenance).
   2. Modify the view GRFNVNOTIFYMSGC.
   3. Create new entry using the message class 0AC_UAR_NOTIFY_USERS (UAR Notifications), message number 000.
   4. In the Document Object field, enter the name of your customized document object.

Param ID: 2063
Description: Show approved line items in UAR Audit Log
Default: YES
The possible values are YES or NO.
If parameter 2063 is set to YES, then all the approved, rejected, and removed line items will be visible in UAR Audit Log.
If parameter 2063 is set to NO, then only the removed line items will be visible in UAR Audit Log.
1.8 Performance
The Performance parameters allow you to make decisions about variables that affect the performance
of SAP Access Control.
Overview of Performance Parameters
Parameter ID | Description | Default Value
1120 | Batch size for Batch Risk Analysis | 1000
1121 | Batch size for User Sync | 100
1122 | Default batch size for Role Synchronization | 1000
1123 | Default batch size for Profile Synchronization | 1000
1124 | Default batch size for Authorization Synchronization | 1000
1125 | Pre-aggregate Access Risk Information | NO
1126 | Number of background jobs created for one Ad-Hoc Risk Analysis job | 1
1127 | Minimum number of objects considered for splitting into multiple background jobs in Ad-Hoc Risk Analysis | 1000
Details of Performance Parameters
Param ID: 1120
Description: Batch size for Batch Risk Analysis
Default: 1000
The application uses this value to determine the size of the batch when performing batch risk analysis.
(See also parameter 1121 for an example).

Param ID: 1121
Description: Batch size for User sync
Default: 100
The application uses this value to determine the size of the batch when synchronizing users to the GRC AC Repository.
For example, if the batch size is 1000 and there are 10,000 users, the application divides the total users (10,000) by the batch size (1000), and then processes the job in 10 batches of the range 0 to 1000, 1001 to 2000, and so on. Each batch is processed in its entirety before continuing with the next.
To synchronize users to the GRC AC Repository, you use the Customizing Activity Repository Object Synch under Governance, Risks, and Compliance > Access Control > Synchronization Jobs.

Param ID: 1122
Description: Default batch size for role synchronization
Default: 1000
The application uses this value to determine the size of the batch when synchronizing roles to the GRC AC Repository. Each batch is processed in its entirety before moving on to the next. See also parameter 1121.
Param ID: 1123
Description: Default batch size for profile synchronization
Default: 1000
The application uses this value to determine the size of the batch when synchronizing
profiles to the GRC AC Repository. Each batch is processed in its entirety before moving
on to the next. See also parameter 1121.

Param ID: 1124
Description: Default batch size for authorization synchronization
Default: 1000
The application uses this value to determine the size of the batch when synchronizing
authorization master data from the backend ERP systems to the GRC AC Repository.
Each batch is processed in its entirety before moving on to the next. See also parameter
1121.

Param ID: 1125
Description: Pre-aggregate Access Risk Information
Default: NO
Setting the parameter to YES renders the SAP Fiori for SAP GRC transactional
applications Compliance Approver and Access Approver more quickly.
Setting the parameter to NO can adversely affect the rendering of the SAP Fiori for SAP
GRC transactional applications Compliance Approver and Access Approver.
When performing risk analysis, the risk count shows the number of risks per access
request. This parameter stores the risk count more efficiently. For more information, see
SAP Note 1976368.

Param ID: 1126
Description: Number of background jobs created for one Ad-Hoc Risk Analysis job
Default: 1
This parameter works with parameter 1127 for faster processing of Ad-Hoc Risk Analysis
jobs. For example, you might set parameter 1126 to 2 jobs and parameter 1127 to 1000
minimum number of objects (users, roles, profiles). Then, if you have over 1000 objects,
the one job is split into 2 background jobs for faster processing.

Param ID: 1127
Description: Minimum number of objects considered for splitting into multiple background jobs in Ad-Hoc Risk Analysis
Default: 1000
This parameter works with parameter 1126 for faster processing of Ad-Hoc Risk Analysis
jobs. For example, you might set parameter 1126 to 2 jobs and parameter 1127 to 1000
minimum number of objects (users, roles, profiles). Then, if you have over 1000 objects,
the one job is split into 2 background jobs for faster processing.

Param ID: 2050
Description: Enable Real-time LDAP Search for Access Request User
Default: NO
If set to YES, the application searches for the access request user on the specified LDAP
source in real time.
Prerequisite
You have specified the first user search data source as LDAP, or else the application
ignores this parameter.
Note: Since the search is performed in real time, it can negatively affect performance.

Param ID: 2060
Description: Organization Rules - Maximum allowed to be generated in foreground
Default: 50000
In SAP Access Control, you can use the Organizational Rule Creation Wizard to
generate organizational rules. You can choose to generate the rules in the foreground or
the background.
Generating the rules in the foreground may use up system resources and affect
performance. You can use this parameter to set a threshold for the maximum number of
organizational rules that can be generated in the foreground, thereby keeping it from
negatively affecting the system resources.
For example, you set the threshold value at 20,000. If the threshold is reached when
generating organizational rules in the foreground, the application halts the task and
displays options to either run the job in the background or cancel it.

Param ID: 2061
Description: Duration for displaying confirmation message (in milliseconds)
Default: 1000
This parameter applies to the SAP Fiori for SAP GRC transactional application,
Compliance Approver.
You use this parameter to set how long the confirmation message appears on the
screen. The default is 1000 milliseconds.
Below is an example of the confirmation message

1.9 Risk Analysis - Access Request
The Risk Analysis - Access Request parameters allow you to make decisions about how Risk Analysis
behaves when access requests are created.
Overview of Risk Analysis - Access Request Parameters
Parameter ID | Description | Default Value
1071 | Enable Risk Analysis on form submission | NO
1072 | Mitigation of critical risk required before approving the request | NO
1073 | Enable SoD violations detour on risks from existing roles | NO
1075 | Set Default Report Format for Access Risk Analysis to Management Summary in Access Request | NO
Details of Risk Analysis - Access Request Parameters
Param ID: 1071
Description: Enable risk analysis on form submission
Default: NO
You can use this parameter to set the application to automatically perform risk analysis
on the access request the user submitted. The risk analysis results are added to the
access request for the approver to review. Therefore, the risk analysis results appear on
the approver’s screens but not on the requestor’s screens.
• Set to No to disable automatic risk analysis.
• Set to Yes to enable automatic risk analysis.
  This triggers a risk analysis. The user must wait for the risk analysis to finish before
  proceeding.
• Set to Asynch to enable automatic risk analysis and allow the user to proceed to the
  next screen without waiting.
  The risk analysis is performed in the background and the results are attached to the
  request.
  Note: This does not change the workflow for the request. The request will only proceed
  to the approver after the risk analysis is completed in the background.

Param ID: 1072
Description: Mitigation of critical risk required before approving the request
Default: NO
Set the value to YES to require mitigation of Risks of the type Critical Access.

Param ID: 1073
Description: Enable SoD violations detour on risks from existing roles
Default: NO
The possible values for this parameter are YES and NO.
If an SoD risk exists in an access request, the application considers it a special condition
and sends it to a detour path in the workflow.
However, SoD risks may arise from the new roles the user is requesting, and they may
arise from the existing roles that are already assigned to the user.
Set the value to YES to consider risks from new and existing roles for the detour.
Set the value to NO to consider risks only from new roles (and not existing roles) for the
detour.

Param ID: 1075
Description: Set Default Report Format for Access Risk Analysis to Management Summary in Access Request
Default: NO
Customers can choose one of the following two formats as the default report format
when running Access Risk Analysis:
• Choose NO to set the default report format to Summary
• Choose YES to set the default report format to Management Summary

1.10 Role Management
The Role Management parameters allow you to make decisions about parameters that affect role
creation and processing.
Overview of Role Management Parameters
Parameter ID | Description | Default Value
3000 | Default Business Process | <empty>
3001 | Default Subprocess | <empty>
3002 | Default Criticality Level | <empty>
3003 | Default Project Release | <empty>
3004 | Default Role Status | <empty>
3005 | Reset Role Methodology when Changing Role Attributes | YES
3006 | Allow add functions to an authorization | YES
3007 | Allow editing organizational level values for derived roles | NO
3008 | A ticket number is required after authorization data changes | YES
3009 | Allow Role Deletion from back-end system | YES
3010 | Allow attaching files to the role definition | YES
3011 | Conduct Risk Analysis before Role Generation | YES
3012 | Allow Role Generation on Multiple Systems | NO
3013 | Use logged-on user credentials for role generation | NO
3014 | Allow role generation with Permission Level violations | NO
3015 | Allow role generation with Critical Permission violations | NO
3016 | Allow role generation with Action Level violations | NO
3017 | Allow role generation with critical Action violations | NO
3018 | Allow role generation with Critical Role/Profile violations | NO
3019 | Overwrite individual role Risk Analysis results for Mass Risk Analysis | NO
3020 | Role certification reminder notification | 10
3021 | Directory for mass role import server files | <empty>
3024 | Enforce methodology process for derived roles during generation | YES
3025 | Allow selection of Org Value Maps without leading org. | NO
3026 | Save Role Provisioning Details While Copying Role | YES
3027 | Automate authorization copy from master role to derived roles | NO
3028 | Generate derived roles after Creation/Update | NO
3029 | Notify User When Business Role Assignment Changes | NO
3040 | A ticket number is required for changes to role master data | NO
3041 | Perform mandatory risk analysis during role maintenance | NO
3042 | Do not allow role maintenance with risks | NO
Details of Role Management Parameters
Param ID: 3000
Description: Default Business Process
Default: <empty>
Select the business process the application displays by default on the Role Import
screen. Use F4 help to display the available business processes.
You maintain the list of business processes in the Customizing Activity Maintain
Business Processes and Subprocesses under Governance, Risk and Compliance >
Access Control.

Param ID: 3001
Description: Default Subprocess
Default: <empty>
Select the subprocess the application displays by default on the Role Import screen.
Use F4 help to display the available subprocesses.
You maintain the list of subprocesses in the Customizing Activity Maintain Business
Processes and Subprocesses under Governance, Risk and Compliance > Access
Control.

Param ID: 3002
Description: Default Criticality Level
Default: <empty>
Select the criticality level the application displays by default on the Role Import screen.
Use F4 help to display the available criticality levels.
You maintain the list of sub processes in the Customizing Activity Specify Criticality
Level under Governance, Risk and Compliance > Access Control > Role
Management.

Param ID: 3003
Description: Default Project Release
Default: <empty>
Select the project release the application displays by default on the Role Import screen.
Use F4 help to display the available project releases.
You maintain the list of project releases in the Customizing Activity Maintain Project
and Product Release Name under Governance, Risk and Compliance > Access
Control > Role Management.

Param ID: 3004
Description: Default Role Status
Default: <empty>
Select the role status the application displays by default on the Role Import screen. Use
F4 help to display the available role status.
You maintain the list of project releases in the Customizing Activity Maintain Role
Status under Governance, Risk and Compliance > Access Control > Role
Management.

Param ID: 3005
Description: Reset Role Methodology when Changing Role Attributes
Default: YES
The possible values are YES and NO.
This parameter determines whether the role methodology step is reset to the first step
(Definition) after a mass update. It is particularly useful to avoid creating mass approval
requests.

Param ID: 3006
Description: Allow add functions to an authorization
Default: YES
Set the value to YES to display the Add/Delete Function button on the Maintain
Authorizations tab of the Role Maintenance screen.

Param ID: 3007
Description: Allow editing organizational level values for derived roles
Default: NO
The maintenance screen for derived roles displays organizational levels from the parent
role.
Set the value to YES to allow the derived roles to change the values for the
organizational levels.

Param ID: 3008
Description: A ticket number is required after authorization data changes
Default: YES
Set the value to YES to require a ticket number when role authorizations are modified in
PFCG and the user chooses the Synch with PFCG button.
Note: The Ticket Number field is a free text entry field. You can enter information
appropriate for your company’s change request processes.
Interaction with parameter 3040:
Parameter 3008 interacts with parameter 3040 (A ticket number is required for changes
to role master data) in the following way:
If 3040 is set to Yes, then 3008 is ignored. If 3040 is set to No, then 3008 behaves as
documented.

Param ID: 3009
Description: Allow Role Deletion from back-end system
Default: YES
Set the value to YES to allow users the option to delete roles from both Access Control and
relevant plug-in systems. Setting this value to Yes deletes the role individually in each
system in which it resides. For example, the role is DELETED directly from
PRD instead of having a delete request transported through CTS.
Set the value to NO to allow users to delete roles only from Access Control.

Param ID: 3010
Description: Allow attaching files to the role definition
Default: YES
Set the value to YES to allow users to attach files by displaying the Attachments tab on
the Role Maintenance screen.

Param ID: 3011
Description: Conduct Risk Analysis before Role Generation
Default: YES
Set the value to YES to automatically perform risk analysis when the user generates
roles.

Param ID: 3012
Description: Allow Role Generation on Multiple Systems
Default: NO
Set the value to YES to allow users to select multiple systems when generating roles.
The application displays systems in the landscape, which are available for role
generation action.

Param ID: 3013
Description: Use logged-on user credentials for role generation
Default: NO
When generating a role, the application connects to back-end systems to push the
authorization data. The application needs a username/password to open the connection
to the back-end ERP system. You can use this parameter to specify whether the
application uses a generic username/password for all role generation connections to the
ERP system, or the username/password of the person generating the role.
• Set the value to NO to use a generic username/password for the connection to the
  ERP system.
  You maintain the generic username/password for the connector in the Customizing
  Activity Create Connectors under Governance, Risk, and Compliance >
  Common Component Settings > Integration Framework.
• Set the value to YES to allow the application to use the username/password of the
  person who is generating the role.
The advantage of setting this parameter to Yes is that when you open a role in the ERP
system, you can view who generated it. If the parameter is set to No, you can only see
which connector, with the generic username/password, generated it.

Param ID: 3014
Description: Allow role generation with Permission Level violations
Default: NO
Set the value to YES to allow the application to generate roles even if Permission Level
violations are present.
Set the value to NO to prohibit role generation if permission level violations are present.

Param ID: 3015
Description: Allow role generation with critical permission violations
Default: NO
Set the value to YES to allow the application to generate roles even if permission level
violations are present.
Set the value to NO to prohibit role generation if permission level violations are present.

Param ID: 3016
Description: Allow role generation with action level violations
Default: NO
Set the value to YES to allow the application to generate roles even if action level
violations are present.
Set the value to NO to prohibit role generation if action level violations are present.

Param ID: 3017
Description: Allow role generation with critical action violations
Default: NO
Set the value to YES to allow the application to generate roles even if critical action
violations are present.
Set the value to NO to prohibit role generation if critical action violations are present.

Param ID: 3018
Description: Allow role generation with critical role/profile violations
Default: NO
Set the value to YES to allow the application to generate roles even if critical role/profile
violations are present.
Set the value to NO to prohibit role generation if critical role/profile violations are present.

Param ID: 3019
Description: Overwrite individual role risk analysis results for mass risk analysis
Default: NO
The possible values are YES and NO.
The application allows you to perform ad hoc risk analysis for multiple roles under
Access Management > Role Mass Maintenance > Run Risk Analysis. The
application stores the results of the analysis. (See also parameters 1052 and 1053).
When you next perform mass risk analysis, the application searches the stored data to
determine if there are previous risk analysis results for each role. You can choose
whether the application overwrites the risk analysis results.
• Set the parameter to YES to write or overwrite stored results during mass role risk
  analysis.
• Set the parameter to NO if you do not want to overwrite the stored results during
  mass role risk analysis. In this case, results are only stored during the risk analysis
  phase of role maintenance or during ad-hoc role risk analysis.
Note: The above actions are done per individual role. The application does not
automatically overwrite the results for all roles.

Param ID: 3020
Description: Role certification reminder notification
Default: 10
You use this parameter to set how many days prior to the Next Certification date the
application sends a reminder to the role owner.
For example, if the next certification is June 15, xxxx, and this parameter value is 10,
then the application sends the reminder notification to the role owner on June 5, xxxx.
You set the Certification Period in Days and Next Certification date in the Define
Role phase, on the Properties tab.
Note: Additional information about Certification Notifications:
You can use the following Customizing activities to maintain custom notification e-mails
under Governance, Risks, and Compliance > Access Control > Workflow for
Access Control:
• Maintain Custom Notification Messages
• Maintain Text for Custom Notification Messages
• Maintain Background Job for E-mail Reminders
The following is an example of a notification e-mail:
The application provides notification templates. You can assign custom notification
templates in the Customizing activity: Maintain Custom Notification Messages under
Governance, Risk, and Compliance > Access Control > Workflow for Access
Control.
You can customize the notification text by using the Customizing Activity Maintain Text
for Custom Notification Messages under Governance, Risks, and Compliance >
Access Control > Workflow for Access Control.
For certification notifications to be delivered, you must run the
GRAC_ERM_ROLE_CERTIFY_NOTIF program in either the foreground or the
background.
You can schedule background jobs to run periodically using the Customizing Activity
Maintain Background Job for E-mail Reminders under Governance, Risk, and
Compliance > Access Control > Workflow for Access Control.
If you run the program in the foreground, the application displays a results screen:

Param ID: 3021
Description: Directory for mass role import server files
Default: <empty>
The application allows you to perform mass role import under Access Management >
Role Mass Maintenance > Role Import. You can select the Import Source as File on
Server. You use this parameter to specify the location of the files on the server.

Param ID: 3024
Description: Enforce methodology process for derived roles during generation
Default: YES
You use this parameter to determine the derived roles displayed in the role generation
phase of the master role.
Set the value to YES to display only the derived roles that reach the role generation
phase of the methodology process.
Set the value to NO to display all derived roles, regardless of their phase in the
methodology process.
In the following example, Figure A shows five derived roles available; two of the roles are
in Role Generation phase.
Figure B shows that if the value is set to YES, only the two roles in Role Generation
phase are displayed.

Param ID: 3025
Description: Allow selection of Org. Value Maps without leading org.
Default: NO
You use this parameter to determine if users may derive roles by using Org Value Maps
that do not contain a leading organization.
Set the value to YES to allow role derivation using Org Value Maps that do not contain a
leading organization.
Set the value to NO to require that role derivation is performed using Org Value Maps
that do contain a leading organization.
Single Role Derivation
Choose Access Management > Role Management > Role Search > Search and open
any role.
Go to the role derivation phase and choose Derive.
If the AC Configuration parameter 3025 = YES, the screen appears as below:
If the AC Configuration parameter 3025 = NO, the screen appears as below:
Mass Role Derivation
Choose Access Management > Role Mass Maintenance > Role Derivation.
Search and select any map and choose Next to go to the Select Master Role screen.
If the AC Configuration parameter 3025 = YES, the screen appears as below:
If the AC Configuration parameter 3025 = NO, the screen appears as below:

Param ID: 3026
Description: Save Role Provisioning Details While Copying Role
Default: YES
You use this parameter to specify whether you wish to copy the role details such as the
system validity period when copying roles. The default value is YES – copy the details
when creating a new role.

Param ID: 3027
Description: Automate authorization copy from master role to its derived roles
Default: NO
Possible values are YES and NO.
If the parameter is set to YES, the application automatically copies authorization data
from the master role to its derived roles.
If the parameter is set to NO, the application does not copy the authorization data from
the master role to its derived roles.

Param ID: 3028
Description: Generate Derived roles after Creation/Update
Default: NO
In SAP Access Control, you can create derived roles and update them using Role
Derivation and Derived Role Org. Values Update. To generate the profiles in the
backend system, you must use Role Generation to create the background job. This is a
manual step, and if not done, the profiles are not generated and the changes to the
derived roles are not implemented.
This parameter allows you to schedule the background job for Role Generation
automatically.
Set this parameter to YES to schedule the background job automatically at the time you
create or update a derived role.

Param ID: 3029
Description: Notify User When Business Role Assignment Changes
Default: NO
SAP Access Control uses parameter 3029 in Business Role Management to determine whether
to notify users when their role assignments change. The possible values are:
• YES – Notify users when their role assignments change.
• NO – Do not notify users when their role assignments change.
During business role creation, under Provisioning options, there is an Update
Assignment button. If you select this button, when changes occur to the business role
assignment, the application sends a notification to all end users who are assigned to this
business role. If you want to turn this notification off, set parameter 3029 to NO.
Example
The screenshot below shows a sample user notification.
More Information
See SAP Note 2130921 for more information.

Param ID: 3040
Description: A ticket number is required for changes to role master data
Default: NO
Parameter 3040, if set to Yes, requires a ticket number be assigned when any role
master data changes. This number allows changes to be traced to the original change
request.
The possible values of parameter 3040 are:
• YES – ticket numbers must be entered when role master data changes
• NO – ticket numbers are not required when role master data changes
This functionality applies to all phases of role maintenance as well as changes made
using Role Copy, Role Mass Maintenance: Role Import, Role Update, Derived Role Org.
Value Update, and Mass Update.
When a role is created, a dialog box appears allowing the user to enter a ticket number
and description. Ticket Number is mandatory. The screenshot below shows the dialog
box that displays for entering a ticket number when you create a new role.
When a user edits a role that is completed, the same dialog box is displayed for entering
a new ticket number. For all subsequent edits, the same ticket number will be used
automatically without the user entering a new number. The application tracks all ticket
numbers in the role change history.
On the Role Maintenance screen, under the Additional Details tab, you can choose
Ticket Number to display the current ticket number for the role. By default, this tab is
read-only. Only the users with special authorization (GRAC_ROLED V8 Modify ticket)
can edit the ticket details (including the ticket number) here.
Click Additional Details > Change History to see the history of changes to this role along
with the associated ticket numbers.
You can use Role Search to search for roles with a certain ticket number as shown in the
screenshot below.
Interaction with Parameter 3008
Parameter 3008 (A ticket number is required after authorization data changes) interacts
with parameter 3040 in the following way: If 3040 is set to Yes, then 3008 is ignored. If
3040 is set to No, then 3008 behaves as described.

Param ID: 3041
Description: Perform mandatory risk analysis during role maintenance
Default: NO
Possible values are:
• Yes: When maintaining a role in Business Role Management, if the risk analysis
  methodology is mapped, then risk analysis must be run. If you do not perform
  risk analysis, the error message "Perform Risk Analysis Mandatory" is displayed.
• No: The Analyze Access Risks phase can be skipped. Role maintenance moves
  to the next phase without risk analysis.
Refer to SAP Note 2421282 – Business Role Management – Parameters to enforce Risk
Analysis during Role Maintenance for more information.

Param ID: 3042
Description: Do not allow role maintenance with violations
Default: NO
Possible values are:
• Yes: When creating or maintaining a role in Business Role Management, if a risk
  exists, it is mandatory to either remediate the risk by changing the authorizations
  in the role, or to mitigate the risk using role mitigation.
  Note: If you do the mitigation, this is Role Mitigation. All users that are assigned
  this role will be “grandfathered in” with the role mitigation.
• No: The violations check is skipped. Role creation or maintenance moves to the
  next phase, regardless of risks.
Refer to SAP Note 2421282 – Business Role Management – Parameters to enforce Risk
Analysis during Role Maintenance, for more information.
Consider the interactions with parameter 1062: Mitigation Assignment:
• Yes: If you mitigate any risk during role maintenance, the mitigation assignment
  workflow is triggered. Notification is sent to the Mitigation Control Owner.
• No: If you mitigate any risk during role maintenance, the mitigation assignment
  workflow is not triggered.
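
The following Python code is an added example, not SAP code: it resolves what a set of Role Management parameter values means in practice, using the defaults from the overview table and the documented rule that parameter 3008 is ignored when 3040 is set to Yes. The ID;VALUE export format, the function names and the sample values are assumptions constructed for this example.

```python
# Added example (not SAP code): resolve what a set of Role Management parameter
# values means in practice, using the defaults and interactions in this guide.
# The "ID;VALUE" export format is an assumption made for this example.

# Shipped defaults, copied from the Role Management overview table.
DEFAULTS = {
    "3008": "YES", "3009": "YES", "3011": "YES",
    "3014": "NO", "3015": "NO", "3016": "NO", "3017": "NO", "3018": "NO",
    "3040": "NO", "3041": "NO", "3042": "NO",
}

# Parameters that, when YES, let role generation continue despite violations.
GENERATION_OVERRIDES = {
    "3014": "permission level",
    "3015": "critical permission",
    "3016": "action level",
    "3017": "critical action",
    "3018": "critical role/profile",
}


def parse_export(text):
    """Parse 'ID;VALUE' lines into a dict; skip blank lines and '#' comments."""
    params = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pid, sep, value = line.partition(";")
        pid, value = pid.strip(), value.strip().upper()
        if not sep or not pid.isdigit():
            raise ValueError(f"line {lineno}: expected ID;VALUE, got {raw!r}")
        if pid in DEFAULTS and value not in ("YES", "NO"):
            raise ValueError(f"line {lineno}: parameter {pid} must be YES or NO")
        params[pid] = value
    return params


def resolve(params):
    """Return the effective controls for the given parameter values."""
    # Unset parameters fall back to the shipped default; other IDs are ignored.
    cfg = {**DEFAULTS, **{k: v for k, v in params.items() if k in DEFAULTS}}

    def on(pid):
        return cfg[pid] == "YES"

    # 3040 = YES makes 3008 irrelevant; 3008 only counts when 3040 = NO.
    if on("3040"):
        ticket_scope, ignored = "role master data changes", ["3008"]
    elif on("3008"):
        ticket_scope, ignored = "authorization changes synced from PFCG", []
    else:
        ticket_scope, ignored = "none", []

    return {
        "ticket_scope": ticket_scope,
        "ignored": ignored,
        "risk_analysis_on_generation": on("3011"),
        "generation_allowed_despite": [
            label for pid, label in GENERATION_OVERRIDES.items() if on(pid)
        ],
        "risk_analysis_mandatory_in_maintenance": on("3041"),
        "risks_must_be_remediated_or_mitigated": on("3042"),
        "direct_backend_role_deletion": on("3009"),
        "changed_from_default": sorted(
            pid for pid in DEFAULTS if cfg[pid] != DEFAULTS[pid]
        ),
    }


# Constructed sample export, not taken from a real system.
SAMPLE_EXPORT = """\
# id;value
3008;YES
3040;yes
3015;YES
3018;YES
3041;YES
3009;NO
2050;NO
"""

if __name__ == "__main__":
    for key, value in resolve(parse_export(SAMPLE_EXPORT)).items():
        print(f"{key}: {value}")
```
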
1.11 Risk Analysis – Risk Terminator
The Risk Analysis – Risk Terminator parameters control settings that affect Risk Terminator.
Overview of Risk Analysis – Risk Terminator Parameters
Parameter ID | Description | Default Value
1080 | Connector enabled for Risk Terminator | <empty>
1081 | Enable Risk Terminator for PFCG Role Generator | NO
1082 | Enable Risk Terminator for PFCG User Assignment | NO
1083 | Enable Risk Terminator for SU01 Role Assignment | NO
1084 | Enable Risk Terminator for SU10 multiple User Assignment | NO
1085 | Stop role generation if violations exist | NO
1086 | Comments are required in case of violations | NO
1087 | Send Notification in case of violations | NO
1088 | Default report type for Risk Terminator | 2
Param ID: 1080
Description: Connector enabled for Risk Terminator
Default: <empty>
Enter the name of the connector in the value field to enable it for risk terminator. To use
this parameter, you must also configure parameters 1081 – 1088.
You can enter multiple values by entering multiple instances of the parameter, as follows:
Note: The following parameters must be configured in the relevant target systems:
1000, 1001, 1002, 1081 – 1088.
• Parameter 1000 is the target Connector ID (Plug-in Connector).
• Parameter 1001 is the GRC Connector ID.
• Parameter 1002 is the rule set to be used.
• Parameters 1081 – 1088 should be the same in both GRC and the target
  systems. This is a recommendation, but not a requirement.

Param ID: 1081
Description: Enable Risk Terminator for PFCG Role Generation
Default: NO
Set to YES to trigger the risk terminator service for PFCG Role Generation. This
parameter is only valid if parameter 1080 is configured with at least one connector.
The Risk Terminator service is a tool that resides in the back-end SAP ABAP system and
notifies you when a risk violation occurs.

Param ID: 1082
Description: Enable Risk Terminator for PFCG User Assignment
Default: NO
Set to YES to trigger the risk terminator service for PFCG User Assignment. This
parameter is only valid if parameter 1080 is configured with at least one connector.

Param ID: 1083
Description: Enable Risk Terminator for SU01 Role Assignment
Default: NO
Set to YES to trigger the risk terminator service for SU01 Role Assignment. This
parameter is only valid if parameter 1080 is configured with at least one connector.


Param ID: 1084
Description: Enable Risk Terminator for SU10 multiple User Assignment
Default: NO
Set to YES to trigger the risk terminator service for SU10 Multiple User Assignment. This
parameter is only valid if parameter 1080 is configured with at least one connector.

Param ID: 1085
Description: Stop role generation if violations exist
Default: NO
If set to YES, the risk terminator service stops generating roles if violations exist. This
parameter is only valid if parameter 1080 is configured with at least one connector.

Param ID: 1086
Description: Comments are required in case of violations
Default: NO
Set the value to YES to require the user to enter comments if SoD violations are reported
and the user wants to continue with role generation or role assignment. This parameter is
only valid if parameter 1080 is configured with at least one connector.

Param ID: 1087
Description: Send Notification in case of violations
Default: NO
Set the value to YES to enable the application to send e-mail notifications to the role
owner when violations occur. This parameter is only valid if parameter 1080 is configured
with at least one connector.

Param ID: 1088
Description: Default report type for Risk Terminator
Default: 2
Select the default report type the risk terminator service uses to report SoD violations.
Use F4 help to display the available report types. This parameter is only valid if
parameter 1080 is configured with at least one connector.
1.12 Access Request Role Selection
The Access Request Role Selection parameters affect how you select and process roles when you
create an access request.
Overview of Access Request Role Selection Parameters
Parameter ID | Description | Default Value
2031 | Allow All Roles for Approver | YES
2032 | Approver Role Restriction Attribute | <empty>
2033 | Allow All roles for Requestor | YES
2034 | Requestor Role Restriction Attribute | <empty>
2035 | Allow Role Comments | YES
2036 | Role Comments Mandatory | YES
2037 | Display expired roles for existing roles | YES
2038 | Auto Approve Roles without Approvers | YES
2039 | Search Role by Transactions from Backend System | NO
2040 | Assignment Comments mandatory on rejection | NO
2042 | Visibility of Valid from/Valid to for profiles | 0
2043 | Authorization object for role search – provisioning | GRAC_ROLED
2044 | Display profiles in Existing Assignments, My Profile and Model User | YES
2045 | Default provisioning action after adding roles/profiles/FFID from existing assignment and My Profile | 010
2046 | Field type for business process and system fields, in access request role search | <empty>
2047 | Filter business process and systems based on application area | NO
2048 | Default provisioning environment for business role | <empty>

Param ID: 2031
Description: Allow All Roles for Approver
Default: YES
The application allows approvers to add additional roles to access requests when
reviewing them.
Set the value to YES to allow approvers to view and select all roles.
Set the value to NO to restrict the roles the approvers can view and select for request
creation. You specify the restriction criteria in parameter 2032.

Param ID: 2032
Description: Approver Role Restriction Attribute
Default: <empty>
The application allows approvers to add additional roles to access requests when
reviewing them. You can restrict the roles approvers can view and select for request
creation.
• Set the value to A to Restrict on Role Approver.
  Approvers can view and select only those roles for which they are the role approver.
• Set the value to B to Restrict on Business Process.
  Approvers can view and add only those roles with business process attributes that
  match those in the request.
• Set the value to F to Restrict on Functional Area.
  Approvers can view and add only those roles with functional area attributes that
  match those in the request.
Prerequisite: You have set parameter 2031 to NO. If parameter 2031 is set to YES, the
application ignores the restrictions specified here.
You can add multiple restriction values by adding additional instances of the parameter.

Param ID: 2033
Description: Allow All Roles for Requestor
Default: YES
Set the value to YES to allow the user to view all roles for request creation.
Set the value to NO to restrict the roles the user can view for request creation. You
specify the restriction criteria in parameter 2034.

Param ID: 2034
Description: Requestor Role Restriction Attribute
Default: <empty>
This parameter allows you to require that, for access request creation, the application
displays only the roles that have attributes that match the specified requestor attributes.
• Set the value to B to Restrict on Business Process. The application displays only
  the roles that match the requestor’s business process attribute.
• Set the value to F to Restrict on Functional Area. The application displays only the
  roles that match the requestor’s functional area attribute.
Prerequisite: You have set parameter 2033 (Allow All Roles for Requestor) to NO. If
parameter 2033 is set to YES, the application ignores the restrictions specified here.
You can add multiple restriction values by adding additional instances of the parameter.

Param ID: 2035
Description: Allow Role Comments
Default: YES
Set value to YES to allow the user to enter Role Comments when creating access
requests.

Param ID: 2036
Description: Role Comments Mandatory
Default: YES
Set value to YES to require Role Comments when creating access requests.
Note: This is a GLOBAL setting and is required for all roles included on requests.
Mandatory comments can also be determined at the individual role level.
Prerequisite: Parameter 2035 must be set to YES.

Param ID: 2037
Description: Display expired roles for existing roles
Default: YES
Set the value to YES to include the roles for which the user assignment is expired when
the user chooses the Existing Assignment button on the Access Request.

Param ID: 2038
Description: Auto Approve Roles without Approvers
Default: YES
Set the value to YES to allow the application to approve access requests for roles
without role assignment approvers.

Param ID: 2039
Description: Search Role by Transactions from Backend System
Default: NO
Set the value to NO to allow users to search for roles using the role information in the
GRC AC Repository.
Set the value to YES to allow users to search for roles by transactions on a specific
backend system in real time. This has the following effect:
• It adds the Transaction from Backend System criteria to the Select Roles
  screen.
• It makes the System criteria mandatory.
• It fetches role information from the specified system in real time, which may
  influence performance.

Param ID: 2040
Description: Assignment comments mandatory on rejection
Default: NO
The available values are YES and NO.
If the value is set to NO, when you open an access request, you are not required to enter
a comment if you reject a role, a system, or a Firefighter ID assignment.
If the value is set to YES, you must enter a comment if you reject a role, a system, or a
Firefighter ID assignment.

Param ID: 2042
Description: Visibility of Valid from/Valid to for profiles
Default: 0
The available values are: 0, 1, 2, 3, 4
The effect on the user experience depends on the value selected: the visibility and
editability of the Valid from and Valid to fields depend on the value selected for the
parameter, as indicated in the screen shots below.

Param ID: 2043
Description: Authorization object for role search - provisioning
Default: GRAC_ROLED
This parameter allows you to determine the behavior of role search based on
authorizations and the roles the user can see during role definition and role provisioning.
• GRAC_ROLED
  Enter this value to enforce role search authorizations during the role definition.
• GRAC_ROLEP
  Enter this value to enforce role search authorizations during role provisioning.
• BOTH
  Enter this value to enforce role search authorizations during both role definition and
  role provisioning.
For more information about the authorization objects, see the Access Control Security
Guide.

Param ID: 2044
Description: Display profiles in Existing Assignments, My Profile, and Model User
Default: YES
The available values are Yes and No.
Based on the parameter value, the system displays or hides Profiles for Existing
Assignments, My Profile, and Model User as illustrated by the screen shots below.

Param ID: 2045
Description: Default provisioning action after adding roles/profiles/FFID from existing assignments and My Profile
Default: 010
The available values are: 006, 009, 010
Based on the parameter value the provisioning action is set for roles/profiles/FFID from
existing assignments and My Profile as indicated in the screen shots below.

Param ID: 2046
Description: Field type for business process and system fields, in access request role search
Default: <empty>
This parameter allows you to choose the field type for the Business Process and
System search criteria on the Access Request Role Search screen. You can choose
the field types as a Text field with F4 help or a dropdown list.
• Set the value to 0 (zero) to display the field types for both Business Process and
  System as a text field. (See example below.)
• Set the value to 1 to display the Business Process field as a dropdown list, and
  the System field as a text field.
• Set the value to 2 to display the Business Process field as a text field, and the
  System field as a dropdown list.
• Set the value to 3 to display both the Business Process and System fields as a
  dropdown list.

Param ID: 2047
Description: Filter business process and systems based on Application Area
Default: NO
You can use Application Area to group systems that are of the same application type
(for example, ECC, BI/BW, etc.).
You designate the connector group as an Application Area by connecting it to Group
Type CUP-AA - Application Area.
(IMG: Governance Risk and Compliance > Common Component Settings > Integration
Framework > Maintain Connectors and Connector Types.)
Then, you can assign the Application Area to Business Processes.
(IMG: Governance Risk and Compliance > Access Control > Maintain Business Processes
and Subprocesses.)
Note: Only Connector Groups that have been assigned the group type CUP-AA - Application
Area can be assigned to business processes.
You can assign a Business Process to multiple Application Areas.
Set this parameter to Yes to allow filtering of Systems and Business Processes by
assigned Application Area during role selection.
Set this parameter to No to not allow filtering by Application Area.
Setting this parameter to Yes displays the Application Area field in the Advanced
Search on the Add Roles to Request screen in the Simplified Access Request, or during
F4 System search on the regular Access Request screen. (See figures below.)
[Figure: Simplified Access Request screen]
[Figure: Regular Access Request]
Note: If this parameter is set to Yes, you must also set Parameter 2046 to 0 or 1 for this
functionality to be used in the regular Access Request.
For the Simplified Access Request, you can set Parameter 2046 to any setting.

Param ID: 2048
Description: Default provisioning environment for business role
Default: <empty>
Use this parameter to set the default provisioning environment for business roles. For
example, if you set the parameter to TST then when a user submits a request for a
business role the default provisioning environment is Test.
The possible values for this parameter are:
DEV - Development
PRD - Production
TST - Test
1.13 Access Request Default Roles
The Access Request Default Roles parameters control the assignment and characteristics of default
roles assigned during access request creation.
Overview of Access Request Default Roles
Parameter ID | Description | Default Value
1302 | Add default roles only for systems specified in the Access Request | NO
2009 | Consider Default Roles | YES
2010 | Request type for default roles | <empty>
2011 | Default Role Level | REQ&ROL
2012 | Role Attributes | <empty>
2013 | Request Attributes | <empty>
Details of Access Request Default Roles
Param ID: 1302
Description: Add default roles only for systems specified in the Access Request
Default: NO
Default roles are automatically assigned to users on a system. Typically, these roles
have little to no risk and contain authorizations you want everyone to have.
For example, you want everyone with access to System_A to have authorization to view
data. Therefore, when someone requests access to System_A the application
automatically assigns the default roles to him or her in addition to whatever roles they
requested.
Previously, the application would assign all default roles for all systems in one request
even if the systems were not specified in the request. The rationale is that all default
roles are safe, so the risk is low, and it saves you from having to assign the roles in
separate requests. For example, someone requests access to System_A. The
application assigns them the default roles for System_A and the default roles for all other
systems.
You can use this parameter to have the application add default roles only for systems
explicitly included in the access request.
If the parameter is set to YES, the application only adds system-specific roles to the
request.
If the parameter is set to NO, the application adds default roles for all systems into the
request.
Note: This parameter is only valid if parameter 2009 is set to Yes.

Param ID: 2009
Description: Consider Default Roles
Default: YES
If set to YES, the application automatically adds the relevant default roles to the access
request.
Prerequisites: You have maintained the following parameters as needed: 1302, 2010,
2011, 2012, and 2013.
In this example, the value for the attribute Functional Area maps to a relevant default
role, so the application adds the role to the request.

Param ID: 2010
Description: Request type for default roles
Default: <empty>
Enter the request types that are relevant for default roles functionality. The application
adds default roles only for the specified roles.
Enter multiple request types by adding additional instances of the parameter.
Use F4 help to display the available request types. You maintain the list of available
request types in the Customizing Activity Define Request Type under Governance,
Risk, and Compliance > Access Control > User Provisioning.
See also parameters 2009, 2011, 2012, and 2013.

Param ID: 2011
Description: Default Role Level
Default: REQ&ROL
Select which attribute type determines the relevance of the default roles.
• Role – The application uses the role attributes to determine the relevant default roles
  and adds the default roles at the time the user adds the roles to the request. That is,
  the user does see the added default roles at the time they create the request. You
  define the relevant role attributes in parameter 2012.
• Request - The application uses the request attributes to determine the relevant
  default roles and adds the default roles when the request is displayed for the
  approver. That is, the user does not see the added default roles at the time they
  create the request. You define the relevant request attributes in parameter 2013.
• Request & Role – The application uses both the request and the role attributes to
  determine the default roles. If a default role is added due to a role attribute, the user
  will see it after adding it to the request. If a default role is added due to a request
  attribute, the role is added when the request is displayed for the approver. You
  define the relevant role attributes in parameter 2012 and the relevant request
  attributes in parameter 2013.
In this example, the value is set to Request. The manager receives a request with the
default role z_user_admin already added, because Functional Area is a relevant
attribute.
In this example, the value is set to Role. On the request screen, the application shows
the default roles as Existing and adds them to the request.
See also parameters 2009, 2010, 2012, and 2013.

Param ID: 2012
Description: Role Attributes
Default: <empty>
Enter the role attributes the application considers for Default Role Attribute mapping.
These are mutually exclusive of the request attributes maintained in parameter 2013.
You can add multiple role attributes by adding additional instances of the parameter.
See also parameters 2009, 2010, 2011, and 2013.

Param ID: 2013
Description: Request Attributes
Default: <empty>
Enter the request attributes the application considers for Default Role Attribute mapping.
These are mutually exclusive of the request attributes maintained in parameter 2012.
You can add multiple request attributes by adding additional instances of the parameter.
See also parameters 2009, 2010, 2011, and 2012.
1.14 Access Request Role Mapping
The Access Request Role Mapping parameters determine whether and how you use role mapping
during access request creation.
Overview of Access Request Role Mapping Parameters
Parameter ID | Description | Default Value
2014 | Enable Role Mapping | YES
2015 | Applicable to Role Removals | YES
Details of Access Request Role Mapping Parameters
Param ID: 2014
Description: Enable Role Mapping
Default: YES
The application allows you to assign roles as child roles (or map the roles). This allows
anyone who is assigned this role to be assigned the authorizations and access for the
child roles.
Set the parameter value to YES to enable this functionality. The role mappings are
applicable for provisioning access requests.
Note: On the Role Maintenance screen, you can select the Consider Parent Role
Approver checkbox to use only the approvers associated with the parent roles and ignore
any approvers associated with the child roles.
In the following example, the user is requesting the role BS_BS_123 of system GF1>GO7. The mapped role AC_C_ROLE1 is automatically added to the request. The user
can choose to remove the role from the request.
Note: The Source System dropdown list is from the same landscape you chose on the
Detail tab.

Param ID: 2015
Description: Applicable to Role Removals
Default: YES
Set the value to YES to allow users to include mapped roles in requests for role removal.
For example, if a user creates a request to remove a role assigned to them, and the role
has mapped roles, then the mapped roles are automatically included in the request. The
user can choose to keep the mapped roles by deleting them from the removal request.
1.15 SOD Review
The Separation of Duties (SOD) Review parameters allow you to make decisions about how to
process SOD Reviews.
Overview of SOD Parameters
Parameter ID | Description | Default Value
2016 | Request Type for SoD | <empty>
2017 | Default priority for SoD | <empty>
2018 | Who are the reviewers? | MANAGER
2019 | Admin. Review required before sending tasks to reviewers | YES
2020 | Unique number of line items per SoD request (Maximum 9999) | <empty>
2023 | Is actual removal of role allowed? | YES
Details of SOD Parameters
Param ID: 2016
Description: Request Type for SoD
Default: <empty>
Use F4 help and select the request type when SoD review requests are created.
You maintain the list of available request type values in the Customizing Activity Define
Request Types under Governance, Risk, and Compliance > Access Control > User
Provisioning. You assign the MSMP Process ID of SAP_GRAC_SOD_RISK_REVIEW.

Param ID: 2017
Description: Default priority for SoD
Default: <empty>
Use F4 help and select the default priority used for SoD review requests.
You maintain the list of available priority values in the Customizing Activity Maintain
Priority Configuration under Governance, Risk, and Compliance > Access Control
> User Provisioning. You assign the MSMP Process ID of
SAP_GRAC_SOD_RISK_REVIEW.

Param ID: 2018
Description: Who are the reviewers?
Default: MANAGER
Select either Manager or Risk Owner as the approver type for user access review
requests. The application creates a review workflow for the specified approver type.
Managers receive review requests sorted by USER, and Risk Owners receive review
requests sorted by Risk.

Param ID: 2019
Description: Admin. review required before sending tasks to reviewers
Default: YES
Set the value to YES to require that users with the role of access request administrator
(such as SAP_GRAC_ACCESS_REQUEST_ADMIN) must review the request before the
workflow goes to the reviewers. You specify reviewers in parameter 2018.

Param ID: 2020
Description: Number of unique line items per SOD request (Maximum 9999)
Default: <empty>
You use this parameter to control the number of unique line items an approver wants to
see in a SOD Review Request. The possible values are all numeric values between
0001 and 9999. For more information, see SAP Note 1994429 - UAM: Running Batch
Risk Analysis is mandatory for SOD Review Request creation.

Param ID: 2023
Description: Is actual removal of role allowed
Default: YES
You use this parameter to configure whether the reviewers of SoD risks can remove the
roles associated with an SOD risk or only propose removal of the roles.
• Set value as NO
  This is the recommended setting. On the SoD Review screen, the application
  displays the Propose Removal button. Reviewers can only propose the removal of
  roles associated with a SoD risk violation. The workflow goes to the security
  administrator who can view the source of the risk before deciding whether to remove
  the role.
• Set value as YES
  This setting is not recommended. On the SoD Review screen, the application
  displays the Remove Role button. This allows the reviewer to delete the roles
  directly without going through approval by the security administrator.
  Warning: Reviewers do not have the ability to view the source of the risks; therefore,
  they have the risk of potentially deleting relevant roles.
Note: If this parameter is set to Yes, then Parameter 1027 must also be set to Yes.
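
The prerequisites stated in sections 1.11 to 1.15 (1080 for 1081 – 1087, 2031/2033 for 2032/2034, 2035 for 2036, 2009 for 1302, 2046 for 2047, 1027 for 2023) can be checked mechanically against an export of the parameter table. The following Python script is an added example, not SAP code; the export layout, the sample values, and the fallback to the documented default for a missing parameter are assumptions.

```python
from collections import defaultdict

# Defaults as listed in the overview tables of sections 1.11 to 1.15.
# Parameter 1027 is described elsewhere in the guide, so no default is assumed.
DEFAULTS = {
    "1080": [], "1081": ["NO"], "1082": ["NO"], "1083": ["NO"],
    "1084": ["NO"], "1085": ["NO"], "1086": ["NO"], "1087": ["NO"],
    "1302": ["NO"], "2009": ["YES"], "2023": ["YES"], "2031": ["YES"],
    "2032": [], "2033": ["YES"], "2034": [], "2035": ["YES"],
    "2036": ["YES"], "2046": [], "2047": ["NO"],
}

# Restriction attribute values documented for 2032 and 2034.
ALLOWED = {"2032": {"A", "B", "F"}, "2034": {"B", "F"}}

# Constructed sample export: one (param_id, value) pair per parameter
# instance, so a multi-value parameter appears more than once.
SAMPLE_EXPORT = [
    ("1081", "YES"), ("1085", "Yes"),               # no 1080 instance at all
    ("2032", "A"),                                  # 2031 left at default YES
    ("2033", "NO"), ("2034", "B"), ("2034", "X"),
    ("2035", "NO"), ("2036", "YES"),
    ("2009", "NO"), ("1302", "YES"),
    ("2046", "3"), ("2047", "YES"),
    ("2023", "YES"),                                # no 1027 instance
]


def load(export):
    """Group instances by parameter ID; empty values are dropped."""
    params = defaultdict(list)
    for pid, value in export:
        value = value.strip().upper()
        if value:
            params[pid.strip()].append(value)
    return dict(params)


def audit(export):
    """Return (param_id, message) findings for the documented dependencies."""
    params = load(export)

    def get(pid):
        # Assumption: a parameter missing from the export is at its default.
        return params.get(pid, DEFAULTS.get(pid, []))

    def yes(pid):
        return get(pid) == ["YES"]

    findings = []

    # 1081 - 1087 are only valid if 1080 names at least one connector.
    if not get("1080"):
        for pid in ("1081", "1082", "1083", "1084", "1085", "1086", "1087"):
            if yes(pid):
                findings.append((pid, "YES has no effect: 1080 names no connector"))

    # 2032 / 2034 are ignored while 2031 / 2033 are YES.
    for switch, attr in (("2031", "2032"), ("2033", "2034")):
        values = get(attr)
        if values and yes(switch):
            findings.append((attr, f"restriction ignored: {switch} is YES"))
        for value in values:
            if value not in ALLOWED[attr]:
                findings.append((attr, f"undocumented value {value!r}"))

    # 2036 (comments mandatory) requires 2035 (allow comments) to be YES.
    if yes("2036") and not yes("2035"):
        findings.append(("2036", "prerequisite not met: 2035 is not YES"))

    # 1302 is only valid if 2009 is YES.
    if yes("1302") and not yes("2009"):
        findings.append(("1302", "not valid: 2009 is not YES"))

    # With 2047 YES, the regular Access Request needs 2046 set to 0 or 1.
    if yes("2047") and get("2046") not in (["0"], ["1"]):
        findings.append(("2047", "regular Access Request needs 2046 = 0 or 1"))

    # 2023 YES lets reviewers remove roles directly; the guide recommends NO
    # and requires 1027 = YES whenever 2023 is YES.
    if yes("2023"):
        findings.append(("2023", "not recommended: reviewers can remove roles directly"))
        if not yes("1027"):
            findings.append(("1027", "must be YES because 2023 is YES"))

    return findings


if __name__ == "__main__":
    for pid, message in audit(SAMPLE_EXPORT):
        print(f"{pid}: {message}")
```

Because 2023 defaults to YES, an export that never mentions 2023 is still reported until the parameter is explicitly set to NO.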
1.16 LDAP
The Lightweight Directory Access Protocol (LDAP) parameter determines where you can search for
user data.
Overview of LDAP Parameters
Parameter ID | Description | Default Value
2052 | Use LDAP domain forest | NO
Details of LDAP Parameters
Param ID: 2052
Description: Use LDAP domain forest
Default: NO
The available values are Yes and No.
The effect on the user experience is based on the value set in configuration. If the value
is Yes, users can search from multiple domains when the user data source is LDAP.
1.17 Assignment Expiry
The Assignment Expiry parameter controls the period after which roles expire.
Overview of Assignment Expiry Parameters
Parameter ID | Description | Default Value
2041 | Duration for assignment expiry in Days | <empty>
Details of Assignment Expiry Parameters
Param ID: 2041
Description: Duration for assignment expiry in Days
Default: <empty>
On the My Profile and Existing Assignment screens, the application displays the
Status field for the roles. Roles that are about to expire display the status of Expiring.
You use this parameter to specify the timeframe (in days) that triggers the application to
display the status as Expiring.
In the following example, the My Profile and Existing Assignment screens will show
the status of Expiring for all roles assigned to the user that are about to expire in 1 to 45
days.
1.18 Access Request Training Verification
The Access Request Training Verification parameter allows you to require training certification for
specific roles.
Overview of Access Request Training Verification Parameters
Parameter ID | Description | Default Value
2024 | Training and verification | <empty>
Details of Access Request Training Verification Parameters
Param ID: 2024
Description: Training and verification
Default: <empty>
The application allows you to require that users complete training courses before the
application provisions specific roles to them.
You enable this functionality by:
1. Setting training requirements
   (See Example 1 below.)
2. Configuring MSMP routing rule
3. Configuring the data source systems for verifying if the training requirements are
   completed
Example 1: The user is requesting a role that has a TRAINING prerequisite and Verify
on Request is set to Yes. The application will not allow them to submit the request until
all the prerequisites are met.
The application has a Routing rule for Training and Verification in MSMP
(GRAC_MSMP_DETOUR_TRG_VERIF). The routing checks this parameter to
determine the data source for verifying if the user has completed the training required for
the roles they are requesting to add. If the required training is not completed for a role,
the application does not provision the role, and instead, sends the request to the routing
path.
• Leave the value field empty to disable the function. The workflow does not take
  any routing paths.
• Set the value to BAdI and the application uses the specified BAdI to perform the
  verification.
• Set the value to WS and the application uses the specified web service to
  perform the verification.
Note: Specify the prerequisite system in the connector configuration. To configure the
connectors, use the Customizing Activity Maintain Connectors and Connector Types
under Governance, Risk, and Compliance > Common Component Settings >
Integration Framework. The connector must be of the type WS and associated with a
logical port. You can define the logical port in transaction SOAMANAGER.
Prerequisite: You have implemented the BAdI or web service (WS) as needed.
Note: You can configure the routing in the Customizing Activity Maintain MSMP
Workflows under Governance, Risk, and Compliance > Access Control > Workflow
for Access Control.
1.19 Authorizations
The Authorizations parameters control how authorization messages and logging are handled.
Overview of Authorizations Parameters
Parameter ID | Description | Default Value
1100 | Enable the authorization logging | NO
1114 | Display authorization message in reports | YES
Details of Authorizations Parameters
Param ID: 1100
Description: Enable the authorization logging
Default: NO
If set to YES, the application logs all occurrences of insufficient authorizations on the
GRC box in transaction SLG1. For example, an owner wants to perform an action and is
missing the necessary authorizations.

Param ID: 1114
Description: Display authorization message in reports
Default: YES
If set to YES, the application logs all occurrences of insufficient authorizations on the
GRC box in transaction SLG1. For example, an owner wants to perform an action and is
missing the necessary authorizations.
The Access Control reports and dashboards display data based on the user’s
authorizations. You can use this parameter to display a message and link that displays
the objects the user is authorized to view.
• Set the value as YES to display the message and link.
• Set the value as NO if you do not want to display the message and link.
1.20 Access Request Business Role
The Access Request Business Role parameters control how business roles are processed during
access request creation.
Overview of Access Request Business Role Parameters
Parameter ID | Description | Default Value
4011 | Allow deletion of technical roles if part of business roles | YES
4016 | Consider only the approved/completed version of a business role when provisioning | NO
4019 | Exclude manual changes to role assignments or profiles from repository sync | NO
4022 | Future dated assignments sync is mandatory | NO
Details of Authorizations Parameters
Param ID: 4011
Description: Allow deletion of technical roles if part of business roles
Default: YES
The possible values are YES and NO.
Business roles are logical roles that exist only in the Access Control application. They
allow you to create relationships with multiple technical roles, thereby granting the
authorizations from multiple roles by assigning a single business role.
Use this parameter to set whether to allow the deletion of technical roles if they are
assigned to a user as part of a business role.
• Set the value to NO to prohibit the deletion of such technical roles. The
  application displays an error message:
  Role TechRole01 cannot be deleted; it is part of BusinessRole_AB.
• Set the value to YES to allow the application to delete the technical roles.
January 2019
Page 123 of 153
SAP Access Control 12.0 Configuration Parameters
Param ID: 4016
Description: Consider only the approved/completed version of a business role when provisioning
Default: NO
This parameter allows the system to consider only the Approved or Completed versions
of a Business Role for provisioning.
The possible values are YES and NO.
If 4016 is set to YES:
4016 Setting in IMG | BRM Setting | Behavior During Provisioning
YES | Approval is configured | Only the Approved version of the business roles is considered for provisioning.
YES | Approval is not configured | Only the Complete version of the business roles is considered for provisioning.
If 4016 is set to NO:
4016 Setting in IMG | BRM Setting | Behavior During Provisioning
NO | Not equal to Approval or Complete | The system considers the current version of the business role when provisioning, irrespective of whether it is Approved or Complete.
For more information, see SAP Note 1781696.
Param ID: 4019
Description: Exclude manual changes to role assignments or profiles from repository sync
Default: NO
This parameter controls whether manual changes to role assignments and profiles done
in SU01 and SU10 on the backend system are synched to the GRC repository.
Set the parameter to No to include the manual changes to role assignments or profiles
in the synch job.
Set the parameter to Yes to exclude the manual changes to role assignments or profiles
in the synch job.
For more information, see SAP Note 1874160.
Param ID: 4022
Description: Future dated assignments sync is mandatory
Default: NO
The possible values are YES or NO.
If set to YES, then in the Repository synchronization selection screen, the Sync Future
Dated assignment checkbox is checked and cannot be changed.
1.21 Management Dashboard Reports
The Management Dashboard Reports parameters set defaults for the Access Dashboard reports.
Overview of Management Dashboard Reports Parameters
Parameter ID | Description | Default Value
1047 | Default Management Report Violation Count | P
1049 | Default Management Report Risk Type | ALL
Details of Management Dashboard Reports Parameters
Param ID: 1047
Description: Default Management Report Violation Count
Default: P
This parameter is used by the Access Risk Violations Dashboard. It controls the default
behavior for how the application displays the violation count. The possible values are P
and R.
If the parameter is set to P, the application displays the violation count by permission.
If the parameter is set to R, the application displays the violation count by access risk
level.
Param ID: 1049
Description: Default Management Report Risk Type
Default: ALL
Management reports consider all three access risk types: SOD, Critical Actions, and
Critical Permission. With all risk types included, the pie chart calculations for all
the management reports (Risk Violations, User Analysis, and Role Analysis) cover every
risk type. This parameter provides a way to restrict the access risk types in the
management reports.
If parameter 1049 is set to *, all three types of access risk types are captured.
If parameter 1049 is set to 1, Segregation of Duties will be captured.
If parameter 1049 is set to 2, Critical Actions will be captured.
If parameter 1049 is set to 3, Critical Permissions will be captured.
1.22 Access Request Validations
The Access Request Validations parameters allow you to make decisions about how to process User
Access Reviews.
Overview of Access Request Validations Parameters
Parameter ID | Description | Default Value
5021 | Validate the manager ID for the specified User ID | YES
5022 | Consider the password change in access request | YES
5023 | Consider details from multiple data sources for missing user details in access requests | NO
5024 | Enable in-line editing for user group and parameters in Access Request | NO
5026 | Make system and provisioning actions visible for filtering user assignments for model users | NO
5027 | Default value for filtering by system | <empty>
5028 | Default value for filtering by provisioning action | <empty>
Details of Access Request Validations Parameters
Param ID: 5021
Description: Validate the manager ID for the specified User ID
Default: YES
The application allows you to choose whether to validate the manager ID against the
specified user ID when submitting an access request. The application takes the value
from the Manager field on the Access Request > User Details page and checks it
against the information from table USR01 in the current system.
Set the value to Yes to enable the validation.
Set the value to No to disable the validation.
Param ID: 5022
Description: Consider the password change in access request
Default: YES
On the Access Request screen, users can change their account information including
their password. When the request is created and approved, the application sends an
email notification to the user.
Set the value to YES to allow users to change passwords in the request.
Set the value to NO to prevent users from changing their passwords in the request.
For more information, see SAP Note 1696143.
Param ID: 5023
Description: Consider details from multiple data sources for missing user details in access requests
Default: NO
This parameter controls where the system looks for user details when an access request
is created using the standard access request method. It does not apply to access
requests that are created using templates. The possible values are YES or NO.
The User Details are defined in the SAP IMG under Governance, Risk, and
Compliance > Access Control > Maintain Data Sources Configuration.
The application only searches the entries for User Detail Data Sources. There can be several
entries in this table.
If the parameter is set to NO, the application obtains the user details from the first connector
(User Detail Data Source) where the user exists. It does not check if the user exists in any
additional connectors even if it needs more details.
If the parameter is set to YES, the application searches the user details of all data sources
where the user exists. For example, if the application finds only partial data from the first data
source, it continues to retrieve data from additional data sources until there are no more data
sources or until the data for the user is complete.
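
The difference between the two settings of parameter 5023, modelled in Python as an added example; this is not SAP code. The field names, connector names and sample users are constructed, and keeping the value from the earliest source when two sources supply the same field is an assumption.

```python
"""Model of the user-detail lookup that parameter 5023 switches between."""

# Hypothetical set of details an access request needs; not taken from SAP.
REQUIRED_FIELDS = ("first_name", "last_name", "email", "manager")


def resolve_user_details(user_id, data_sources, param_5023):
    """Collect user details from an ordered list of User Detail Data Sources.

    data_sources: list of (connector_name, {user_id: {field: value}}) in
    configured order. Returns (details, provenance, missing_fields).
    """
    if param_5023 not in ("YES", "NO"):
        raise ValueError("parameter 5023 accepts only YES or NO")

    details, provenance = {}, {}
    for connector, users in data_sources:
        record = users.get(user_id)
        if record is None:
            continue  # user does not exist in this source; try the next one
        for field in REQUIRED_FIELDS:
            value = record.get(field)
            # Assumption: a value already found in an earlier source is kept.
            if value and field not in details:
                details[field] = value
                provenance[field] = connector
        if param_5023 == "NO":
            break  # NO: stop at the first source where the user exists
        if all(f in details for f in REQUIRED_FIELDS):
            break  # YES: stop as soon as the data is complete

    missing = [f for f in REQUIRED_FIELDS if f not in details]
    return details, provenance, missing


# Constructed sample data: three connectors in configured order.
SAMPLE_SOURCES = [
    ("HRSYS", {"JDOE": {"first_name": "Jane", "last_name": "Doe"}}),
    ("LDAP01", {
        "JDOE": {"last_name": "Doe-Smith", "email": "jane.doe@example.com"},
        "BKING": {"first_name": "Bo", "last_name": "King",
                  "email": "bo.king@example.com"},
    }),
    ("ERPPROD", {
        "JDOE": {"email": "jdoe@erp.example.com", "manager": "MBOSS"},
        "BKING": {"manager": "MBOSS"},
    }),
]


if __name__ == "__main__":
    for setting in ("NO", "YES"):
        details, provenance, missing = resolve_user_details(
            "JDOE", SAMPLE_SOURCES, setting)
        print(f"5023={setting}: {details}")
        print(f"  supplied by: {provenance}")
        print(f"  still missing: {missing}")
```

The provenance map makes visible that with YES a single request can carry details drawn from several connectors, which is worth knowing when deciding which systems to list as User Detail Data Sources.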
Param ID: 5024
Description: Enable in-line editing for user group and parameter in access request.
Default: NO
This parameter applies to the Access Request screen. It enables you to choose whether
users may enter values on the User Group and Parameter tabs or if they must choose
from predetermined values.
Set the value to Yes to allow users to enter any value on the screen.
Set the value to No to force users to choose from predetermined values.
Param ID: 5026
Description: Make system and provisioning actions visible for filtering user assignments for model users.
Default: NO
Parameter 5026 allows Access Control to display system and provisioning actions that
you can use to filter user assignments for model users. You must enter a value of YES or
NO.
[Screenshot: Model User Access screen with parameter 5026 set to NO]
[Screenshot: Model User Access screen with parameter 5026 set to YES]
Recommendation
If this parameter is set to YES, review parameters 5027 and 5028.
Param ID: 5027
Description: Default value for filtering by system
Default: <empty>
This parameter applies to the Model User Access screen. It enables you to choose a
default system for filtering when you define the user access. Valid values are any
systems in your landscape. If you leave the field empty, the user access is not filtered by
the system.
Note: This parameter is only valid if parameter 5026 is set to YES.
Param ID: 5028
Description: Default value for filtering by provisioning action
Default: <empty>
This parameter applies to the Model User Access screen. It enables you to choose a
default provisioning action for filtering when you define the user access. Valid values are
Assign, Remove, Retain, and <empty>. If you leave the field empty, the user access is
not filtered by the provisioning action.
Note: This parameter is only valid if parameter 5026 is set to YES.
1.23 Simplified Access Request
The Simplified Access Request parameters control how the Simplified Access Request screen
functions.
Overview of Simplified Access Request Parameters
Parameter ID | Description | Default Value
5031 | Enable “Open in Advanced Mode” option | YES
5032 | Disable Type-ahead search in Simplified Access Request | NO
Details of Simplified Access Request Parameters
Param ID: 5031
Description: Enable “Open in Advanced Mode” option
Default: YES
This parameter applies to the Simplified Access Request screen. It enables you to
choose whether to display the button Open in Advanced Mode.
Set the value to Yes if you want to display the button Open in Advanced Mode on the
Simplified Access Request screen.
Set the value to No if you do not want to display the button Open in Advanced Mode on
the Simplified Access Request screen.
If 5031=Yes, the Open in Advanced Mode button is present.
[Screenshot: Simplified Access Request screen with the Open in Advanced Mode button]
If 5031=No, the Open in Advanced Mode button is missing.
[Screenshot: Simplified Access Request screen without the Open in Advanced Mode button]
[Screenshot: what users see if they select the Open in Advanced Mode button]
Param ID: 5032
Description: Disable Type-ahead search in Simplified Access Request
Default: NO
This parameter influences how the search function works when you search for roles
during Simplified Access Request.
When you choose the Select Roles for Addition button, you are given a choice to search
by User, System, Role, or Key Word. You can also have the system anticipate your
search value by setting the parameter value to No. Then, as you enter text, the system
finds one or more possible matches for the text and presents these to you as choices.
Set the parameter value to No if you want to use type-ahead search.
Set the value to Yes if you do not want to use type-ahead search.
[Screenshot: how you access the role search screen]
Choose a search key such as Role.
Begin to type a value. If parameter 5032 is set to NO, the system
proposes possible values from which you can choose.
[Screenshot: role search with proposed values when parameter 5032 is set to NO]
1.24 Access Control – General Settings
The Access Control – General Settings parameters allow customization for business-use.
Overview of Access Control – General Settings Parameters
Parameter ID | Description | Default Value
2401 | Allowed extensions for attachments | *
2402 | Display Change delegation link for delegated user if only GRC-AC application is active. | YES
Details of Access Control – General Settings Parameters
Param ID: 2401
Description: Allowed extensions for attachments
Default: *
The application allows users to attach files. By default, it allows all file types. You can
use this parameter to restrict the types of files users can attach. To restrict file types:
1. Enter the allowed file types in this parameter. Separate each file type by a
comma.
For example: docx, pdf, xlsx
2. Implement the BAdI GRFN_DOCUMENT to enable the logic and configure the
wording for the error message.
For more information, see SAP Note 2058231.
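
The matching that a restriction on the 2401 value has to perform, modelled in Python as an added example; it is not SAP code and does not show the GRFN_DOCUMENT BAdI interface. Matching case-insensitively on the final extension only, and rejecting every file when the list is empty, are assumptions of this example; the file names are constructed.

```python
"""Model of an attachment check driven by the value of parameter 2401."""


def parse_allowed_extensions(param_value):
    """Turn the comma-separated 2401 value into a set of lowercase extensions.

    Returns None for "*", the documented default that allows all file types.
    """
    value = param_value.strip()
    if value == "*":
        return None
    allowed = set()
    for item in value.split(","):
        # Tolerate "pdf", " pdf" and ".pdf" as spellings of the same entry.
        ext = item.strip().lstrip(".").lower()
        if ext:
            allowed.add(ext)
    return allowed


def final_extension(filename):
    """Return the lowercase text after the last dot, or "" if there is none."""
    # Drop any client-supplied directory part before looking at the name.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Trailing dots and spaces are often dropped when a file is stored, so
    # "tool.exe." must be judged as "tool.exe", not as a file with no type.
    base = base.rstrip(". ")
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return ""  # no dot at all, or a name such as ".pdf"
    return ext.lower()


def is_attachment_allowed(filename, param_value):
    """Decide whether a file name passes the allowlist held in 2401."""
    allowed = parse_allowed_extensions(param_value)
    if allowed is None:
        return True
    # Only the last extension counts: "invoice.pdf.exe" is an exe.
    return final_extension(filename) in allowed


def review_uploads(filenames, param_value):
    """Return {filename: allowed} for a batch of attachment names."""
    return {name: is_attachment_allowed(name, param_value)
            for name in filenames}


# Constructed attachment names covering the cases a naive check gets wrong.
SAMPLE_UPLOADS = [
    "evidence.pdf",
    "Evidence.PDF",
    "invoice.pdf.exe",
    "roles.xlsm",
    "notes",
    "tool.exe. ",
    "C:\\Users\\jdoe\\approval.docx",
]


if __name__ == "__main__":
    for name, ok in review_uploads(SAMPLE_UPLOADS, "docx, pdf, xlsx").items():
        print(f"{'allow' if ok else 'block'}  {name!r}")
```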
Param ID: 2402
Description: Display Change Delegation link for delegated user if only GRC-AC application is active.
Default: YES
This parameter allows the administrator to hide the Change Delegation link from the end user.
For more information, see SAP Note 2275031.
Note: This parameter applies to Access Control only.
• Select YES to display the Change Delegation link.
• Select NO to hide the Change Delegation link.
1.25 Access Controls – ILM Configuration
The Access Control – ILM Configuration parameters allow customization for SAP Information Lifecycle
Management (ILM).
Overview of Access Control – ILM Configuration Parameters
Parameter ID | Description | Default Value
6001 | Fiscal Year Variant | <empty>
Details of Access Control – ILM Configuration Parameters
Param ID: 6001
Description: Fiscal Year Variant
Default: <empty>
If you use the SAP table T009 – Fiscal Year Variants to define your financial periods,
you enter your Fiscal Year Variant as the value of parameter 6001.
Parameter 6001 works with the Fiscal Year Variants table and the SAP Information
Lifecycle Management (ILM) transaction IRMPOL – ILM Policies to define the dates
for blocking and deleting personal data in SAP Access Control.
Prerequisite Note: For more information, see SAP Note 2382181 – Data
Protection in Access Control, Process Control, and Risk Management. You do
need to license and activate SAP ILM to use this functionality.
Background
SAP customers use the Fiscal Year Variant to define the fiscal periods and year that
their company uses to organize financial statements.
In SAP ILM, you use transaction IRMPOL – ILM Policies to set policies and maintain
rules for data retention and subsequent deletion. For customers using the SAP
Fiscal Year Variant, the Time Offset field in transaction IRMPOL allows you to make
the following settings that work with SAP Access Control:
• If you want ILM to use parameter 6001, select the value
END_OF_FISCAL_YR as your Time Offset
• If you do not want ILM to use parameter 6001, select the value
END_OF_YEAR as your Time Offset
1.26 SAP Cloud Identity Access Governance Integration
The cloud integration parameters allow you to set up connections between the access control
on-premise system and the SAP Cloud Identity Access Governance access analysis service.
Overview of Access Control – Cloud Integration Parameters
Parameter ID | Description | Default Value
1090 | SAP Cloud Identity Access Governance Risk Analysis | No
1091 | SAP Cloud Identity Access Governance Risk Analysis URL Destination | <empty>
1092 | SAP Cloud Identity Access Governance OAuth Destination | <empty>
Details of Access Control – Cloud Integration Parameters
Param ID: 1090
Description: SAP Cloud Identity Access Governance Risk Analysis
Default: No
Set to “Yes” to enable integration with the SAP Cloud Identity Access Governance
access analysis service.
Param ID: 1091
Description: SAP Cloud Identity Access Governance Risk Analysis URL Destination
Default: <empty>
As part of the configuration steps, you have created the connector for
IAG_SOD_CHECK. Enter the name of that connector here.
Note: The value must match the name of the connector exactly.
Param ID: 1092
Description: SAP Cloud Identity Access Governance OAuth Destination
Default: <empty>
As part of the configuration steps, you have created the connector for IAG_SOD_AUTH.
Enter the name of that connector here.
Note: The value must match the name of the connector exactly.
For more information about configuring connectors, see the Integration Guide for SAP Access Control
12.0 with SAP Cloud Identity Access Governance at
https://help.sap.com/viewer/p/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE.
2. Index by Numerical Value
1001 ................................................................................ 3
1002 ................................................................................ 4
1003 ................................................................................ 4
1004 ................................................................................ 5
1005 ................................................................................ 5
1006 ................................................................................ 6
1007 ................................................................................ 6
1008 ................................................................................ 7
1011 ................................................................................ 8
1012 ................................................................................ 9
1013 .............................................................................. 10
1014 .............................................................................. 11
1015 .............................................................................. 12
1016 .............................................................................. 12
1021 .............................................................................. 14
1022 .............................................................................. 15
1023 .............................................................................. 16
1024 .............................................................................. 17
1025 .............................................................................. 17
1026 .............................................................................. 17
1027 .............................................................................. 18
1028 .............................................................................. 18
1029 .............................................................................. 18
1030 .............................................................................. 19
1031 .............................................................................. 19
1032 .............................................................................. 19
1033 .............................................................................. 20
1034 .............................................................................. 21
1035 .............................................................................. 22
1036 .............................................................................. 23
1037 .............................................................................. 24
1038 .............................................................................. 24
1046 .............................................................................. 26
1047 ............................................................................ 126
1048 .............................................................................. 26
1049 ............................................................................ 127
1050 .............................................................................. 27
1051 .............................................................................. 28
1052 .............................................................................. 28
1053 .............................................................................. 29
1054 .............................................................................. 29
1061 .............................................................................. 31
1062 .............................................................................. 33
1063 .............................................................................. 34
1064 .............................................................................. 35
1071 .............................................................................. 64
1072 .............................................................................. 65
1073 .............................................................................. 65
1075 .............................................................................. 66
1080 .............................................................................. 90
1081 .............................................................................. 90
1082 .............................................................................. 90
1083 .............................................................................. 90
1084 .............................................................................. 91
1085 .............................................................................. 91
1086 .............................................................................. 91
1087 .............................................................................. 91
1088 .............................................................................. 91
1090 ............................................................................ 144
1091 ............................................................................ 144
1092 ............................................................................ 144
1100 ............................................................................ 122
1101 .............................................................................. 36
1102 .............................................................................. 37
1103 .............................................................................. 37
1104 .............................................................................. 37
1105 .............................................................................. 37
1106 .............................................................................. 37
1107 .............................................................................. 38
1108 .............................................................................. 38
1109 .............................................................................. 38
1110 .............................................................................. 38
1111 .............................................................................. 38
1112 .............................................................................. 39
1113 .............................................................................. 39
1114 ............................................................................ 122
1115 .............................................................................. 39
1120 .............................................................................. 59
1121 .............................................................................. 59
1122 .............................................................................. 59
1123 .............................................................................. 60
1124 .............................................................................. 60
1125 .............................................................................. 60
1126 .............................................................................. 61
1127 .............................................................................. 61
1128 .............................................................................. 41
1302 ............................................................................ 106
2004 .............................................................................. 55
2005 .............................................................................. 56
2006 .............................................................................. 56
2007 .............................................................................. 57
2008 .............................................................................. 57
2009 ............................................................................ 107
2010 ............................................................................ 108
2011 ............................................................................ 108
2012 ............................................................................ 111
2013 ............................................................................ 111
2014 ............................................................................ 112
2015 ............................................................................ 113
2016 ............................................................................ 114
2017 ............................................................................ 114
2018 ............................................................................ 115
2019 ............................................................................ 115
2020 ............................................................................ 115
2023 ............................................................................ 116
2024 ............................................................................ 120
2031 .............................................................................. 92
2032 .............................................................................. 93
2033 .............................................................................. 93
2034 .............................................................................. 94
2035 .............................................................................. 94
2036 .............................................................................. 94
2037 .............................................................................. 95
2038 .............................................................................. 95
2039 .............................................................................. 96
2040 .............................................................................. 96
2041 ............................................................................ 118
2042 .............................................................................. 96
2043 .............................................................................. 98
2044 .............................................................................. 98
2045 ............................................................................ 100
2046 ............................................................................ 101
2047 ............................................................................ 102
2048 ............................................................................ 105
2050 .............................................................................. 62
2051 .............................................................................. 41
2052 ............................................................................ 117
2060 .............................................................................. 62
2061 .............................................................................. 63
2062 .............................................................................. 57
2063 .............................................................................. 58
2401 ............................................................................ 141
2402 ............................................................................ 142
3000 .............................................................................. 68
3001 .............................................................................. 69
3002 .............................................................................. 69
3003 .............................................................................. 69
3004 .............................................................................. 69
3005 .............................................................................. 69
3006 .............................................................................. 70
3007 .............................................................................. 70
3008 .............................................................................. 71
3009 .............................................................................. 72
3010 .............................................................................. 72
3011 .............................................................................. 73
3012 .............................................................................. 74
3013 .............................................................................. 75
3014 .............................................................................. 75
3015 .............................................................................. 76
3016 .............................................................................. 76
3017 .............................................................................. 76
3018 .............................................................................. 76
3019 .............................................................................. 77
3020 .............................................................................. 77
3021 .............................................................................. 80
3022 .............................................................................. 42
3023 .............................................................................. 42
3024 .............................................................................. 80
3025 .............................................................................. 81
3026 .............................................................................. 83
3027 ........................................................................ 83, 88
3028 .............................................................................. 83
3029 .............................................................................. 83
3040 .............................................................................. 85
3041 .............................................................................. 87
3042 .............................................................................. 88
4000 .............................................................................. 44
4001 .............................................................................. 45
4002 .............................................................................. 45
4003 .............................................................................. 46
4004 .............................................................................. 47
4005 .............................................................................. 47
4006 .............................................................................. 47
4007 .............................................................................. 48
4008 .............................................................................. 49
4009 .............................................................................. 49
4010 .............................................................................. 49
4011 ............................................................................ 123
4012 .............................................................................. 50
4013 .............................................................................. 50
4014 .............................................................................. 50
4015 .............................................................................. 50
4016 ............................................................................ 124
4017 .............................................................................. 51
4018 .............................................................................. 51
4019 ............................................................................ 124
4020 .............................................................................. 52
4021 .............................................................................. 53
4022 ............................................................................ 125
4025 .............................................................................. 54
5001 ................................................................................ 7
5021 ............................................................................ 128
5022 ............................................................................ 129
5023 ............................................................................ 130
5024 ............................................................................ 133
5026 ............................................................................ 133
5027 ............................................................................ 135
5028 ............................................................................ 136
5031 ............................................................................ 137
5032 ............................................................................ 139
5033 .............................................................................. 54
6001 ............................................................................ 143
Copyright
© 2019 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP AG. The information contained herein may be changed without prior
notice.
Some software products marketed by SAP AG and its distributors contain proprietary software
components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z,
System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS,
S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture,
POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes,
BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2,
Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are
trademarks or registered trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered
trademarks of Adobe Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web
Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology
invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Explorer, StreamWork, and other SAP
products and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of Business Objects
Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products
and services mentioned herein as well as their respective logos are trademarks or registered
trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective companies.
Data contained in this document serves informational purposes only. National product specifications
may vary.
© 2019 SAP SE or an SAP affiliate company. All rights reserved.
These materials are subject to change without notice. These materials are provided by SAP SE and its
affiliated companies ("SAP Group") for informational purposes only, without representation or warranty
of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials.
The only warranties for SAP Group products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any. Nothing herein should be
construed as constituting an additional warranty.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the
express permission of SAP SE or an SAP affiliate company.
See http://www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark
information and notices.