Managing Segregation of Duties (SoD) rules in SAP GRC has historically been a complex and error-prone process, especially when dealing with exports and imports across systems or environments.
But with SAP GRC 12.0 SP25, a major usability enhancement has arrived: the GRC Ruleset Manager, enabling import/export of the entire SoD ruleset using a single XML file.
The Old Way: Manual TXT File Management
Prior to this enhancement, administrators managing SoD rules had to work with up to 10 separate TXT files, each representing a component of the ruleset such as Business Process, Function, Risk etc., as shown in the below image:
While this feature provides flexibility to update the ruleset, it is often challenging as outlined in the below table:
Challenges with TXT-Based Ruleset Management
For large organizations managing hundreds of risks and functions, this quickly became unmanageable — particularly during audits, rule updates, or system migrations.
The New Way: XML-Based Ruleset Manager
SAP’s new Ruleset Manager, introduced in GRC 12.0 SP25 (For customer who are on older versions, can implement it via Note 3468630), replaces the scattered TXT files with a single, structured XML file.
Key Benefits
Centralized Format: One file includes all functions, risks, mappings, and metadata — fully organized and logically grouped.
Simplified Export/Import: Quickly export the ruleset from one system and import into another without juggling multiple files.
Better Readability: XML structure is hierarchical and human-readable, making it easier to understand dependencies.
Error Reduction: Fewer files mean fewer chances of human error during manual handling.
Easy External Collaboration: Share one file with auditors, consultants, or business stakeholders for review or updates.
Improved Governance: Easier to version, validate, and track changes using XML-based tools or source control systems like Git.
Below is a quick comparison between old and new way of managing Rulesets:
How to Get Started with SAP GRC Ruleset Manager
If you're on GRC 12 SP25 or higher, the Ruleset Manager is included by default.
If you're on a lower support pack, you can implement SAP Note 3468630 to enable this functionality without a full upgrade.
Refer to SAP Note 3481764 for a complete guide on how to use the new functionality, XML structure examples, and import/export steps.
How to use?
To use the Ruleset Manager, go to SE38 and execute the program “GRAC_RULE_SET_MANAGER” (This is the default way. Alternatively, you can create a custom transaction code).
Select the mode – File mode is where you can download XML file, and Transport mode is where it allows you to capture the Ruleset in a transport request.
Once downloaded, you can open it in Excel file and make necessary changes to the ruleset and upload it back. The process remains same for moving the Ruleset from one system to the other.
View the video that explains the process of using GRC Ruleset Manager:
You can view/share the video on YouTube using this Link.
When to Use This Feature
During rule harmonization or redesign projects
While migrating GRC configurations across landscapes
For external reviews or audits needing a portable ruleset format
To bulk update risks or functions based on business or regulatory changes
For backup/versioning of rulesets in structured formats
Additional References:
Here are some references that might help you in understanding this topic better.
SAP Note 3468630 - Enhancement for Rule Set Manager
SAP Note 3469294 - Improvement note: Rule Set Manager
Final Thoughts
The new Rule Set Manager is a small but powerful improvement that brings much-needed modernization to SAP GRC’s backend rule management. It eliminates long-standing inefficiencies tied to TXT file handling and helps GRC teams focus on what truly matters — maintaining clean, accurate, and compliant SoD rules.
If SoD rule maintenance has been a pain point in your GRC processes, this is your opportunity to adopt a smarter, simpler approach — with minimal effort and maximum impact.