Handling Empty Authorization Values in SAP GRC Access Risk Analysis (ARA)
Understanding the Risks and Best Practices for Managing Blank or Missing Authorization Values in ARA Rule Sets
The Back Story:
Before SP16, the ARA engine treated empty (blank) authorization field values as real values during risk analysis, which produced many false positives. For example, an authorization for object `S_USER_GRP` whose field `CLASS` contains only a blank (" ") was counted as fulfilling the permission rule, and the resulting violation was reported like any genuine one. There was no simple way to exclude such values from the analysis.
Solution:
With SP16, SAP changed the default so that empty authorization values are excluded from risk analysis, and at the same time added a SPRO configuration parameter that lets you adjust the behaviour to your business requirement: organizations accustomed to the previous approach can switch the exclusion off and keep the pre-SP16 results.
How to Implement:
1 - Implement the Correction Instruction
If your system is below SP16, implement the correction instruction from SAP Note 3482508 via transaction SNOTE. Alternatively, upgrade to SP16 or a later Support Package that already contains the correction.
2 - Perform Manual Activities
If the SNOTE implementation does not create all required objects automatically, complete the manual activities described in the SAP Note before continuing.
3 - Configure the SPRO parameter
The correction introduces a new configuration parameter, 1056 (Consideration type for empty authorization values). Maintain it in SPRO under Governance, Risk and Compliance > Access Control > Maintain Configuration Settings, using one of the following values:
Value - 1: Excludes empty authorization values (default post-SP16 behaviour).
Value - 2: Includes empty authorization values (pre-SP16 behaviour).
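As an added illustration (written for this article, not SAP's code), the following Python model shows why the two settings of parameter 1056 produce different results for the `S_USER_GRP` / `CLASS` case described above. The risk ID `ZR01`, its permission rules and the two users' authorizations are constructed examples, and the matching logic is a deliberate simplification of the ARA engine: single field values and the `*` wildcard only, no value ranges, no action-level or organizational-level rules.

```python
"""Toy model of a permission-level risk analysis with and without empty
authorization values. Added example for this article; not SAP code.
Risk ID, rules and users below are constructed for illustration."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Values of SPRO parameter 1056 as described in the article.
EXCLUDE_EMPTY = 1   # post-SP16 default: blank field values are ignored
INCLUDE_EMPTY = 2   # pre-SP16 behaviour: blank field values take part in matching


@dataclass(frozen=True)
class Authorization:
    """One authorization field value a user holds (object, field, value)."""
    obj: str
    field: str
    value: str


@dataclass(frozen=True)
class Permission:
    """One permission-level entry of a risk rule: the value a user must hold."""
    obj: str
    field: str
    value: str   # explicit value or a pattern such as '*' or 'Z*'


def is_empty(auth: Authorization) -> bool:
    """True for the blank values that caused the pre-SP16 false positives."""
    return auth.value.strip() == ""


def value_matches(auth_value: str, rule_value: str) -> bool:
    """Simplified SAP-style matching: '*' on either side matches everything,
    otherwise the two sides must match as glob patterns."""
    if auth_value == "*" or rule_value == "*":
        return True
    return fnmatchcase(auth_value, rule_value) or fnmatchcase(rule_value, auth_value)


def matches(auth: Authorization, perm: Permission) -> bool:
    return (auth.obj == perm.obj
            and auth.field == perm.field
            and value_matches(auth.value, perm.value))


def analyze(user_auths, risks, param_1056):
    """Return the IDs of all risks whose permissions the user fulfils.

    A risk is reported when every permission of the risk is covered by at
    least one of the user's authorizations. With parameter 1056 = 1 the
    blank authorizations are dropped before matching, so they can no longer
    satisfy a '*' rule."""
    if param_1056 == EXCLUDE_EMPTY:
        user_auths = [a for a in user_auths if not is_empty(a)]
    elif param_1056 != INCLUDE_EMPTY:
        raise ValueError("parameter 1056 must be 1 (exclude) or 2 (include)")
    return [
        risk_id
        for risk_id, permissions in risks.items()
        if all(any(matches(a, p) for a in user_auths) for p in permissions)
    ]


# Constructed rule set: hypothetical risk ZR01 = user maintenance on any user group.
RISKS = {
    "ZR01": (
        Permission("S_TCODE", "TCD", "SU01"),
        Permission("S_USER_GRP", "ACTVT", "02"),
        Permission("S_USER_GRP", "CLASS", "*"),
    ),
}

# Constructed user 1: CLASS holds only a blank, the pre-SP16 false-positive case.
USER_BLANK_CLASS = [
    Authorization("S_TCODE", "TCD", "SU01"),
    Authorization("S_USER_GRP", "ACTVT", "02"),
    Authorization("S_USER_GRP", "CLASS", " "),
]

# Constructed user 2: a real user group, a genuine violation under both settings.
USER_REAL_CLASS = [
    Authorization("S_TCODE", "TCD", "SU01"),
    Authorization("S_USER_GRP", "ACTVT", "02"),
    Authorization("S_USER_GRP", "CLASS", "SUPER"),
]

if __name__ == "__main__":
    for label, auths in (("blank CLASS", USER_BLANK_CLASS), ("real CLASS", USER_REAL_CLASS)):
        for name, value in (("include (2)", INCLUDE_EMPTY), ("exclude (1)", EXCLUDE_EMPTY)):
            print(f"{label:11s} param 1056 {name}: {analyze(auths, RISKS, value)}")
```

Run as a script, the blank-CLASS user is reported for `ZR01` only with value 2, while the user holding a real group is reported under both values: the parameter removes the false positive without hiding the genuine violation.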
SAP GRC 12.0 SP16 therefore delivers a cleaner risk analysis result by default, while parameter 1056 lets organizations that have built their reporting on the old behaviour keep it for consistency with historical results. Whichever value you choose, change it deliberately: switching between 1 and 2 changes which violations the engine reports, so re-run the batch risk analysis afterwards and compare the results with the previous run before you rely on the new numbers or close remediation items based on them.