Tips for Overcoming User Management Challenges When Implementing or Upgrading to SAP GRC 10.0

  • by Nitin Aggarwal, Chartered Accountant and Certified Information Systems Auditor, Infosys
  • Subramaniam Iyer, Security Professional, Infosys
  • October 11, 2013
Learn about the challenges organizations face when implementing or upgrading to SAP GRC 10.0 in the areas of user management and authentication.
Key Concept

User management in SAP GRC 10.0 involves the following processes:

  •  User provisioning and de-provisioning: The automated process for creation and inactivation of users in SAP GRC 10.0.
  •  Authentication: User credentials that can be used to authenticate to SAP GRC 10.0.
  •  Authorization: Assignment of GRC access rights to end users in SAP GRC 10.0.
  •  Approval re-affirmation: Re-authentication during the approval process in SAP GRC 10.0.

Organizations that upgrade their SAP GRC systems from 5.3 to 10.0 might face big challenges in the areas of user management and user authentication for accessing their SAP GRC applications. This is primarily because SAP GRC 5.3 was on a Java platform and the application components were installed on a Java-based SAP NetWeaver application server, whereas SAP GRC 10.0 is on an ABAP platform.

The user management and authentication technologies supported on the SAP NetWeaver Java-based application server are different from those on the SAP NetWeaver ABAP-based application server. It is not easy to match the as-is situation on the ABAP platform. On version 5.3, for instance, there was default access with a basic end-user role for every employee in the organization, or the user could log on to an SAP GRC application using the Windows Active Directory password.

Such requirements are new and not a regular use case for applications on ABAP platforms. No single document highlights all the challenges you face during an implementation or upgrade to SAP GRC 10.0, or provides the solution to the requirements mentioned above. SAP does provide a few standard functionalities that support some of these requirements to an extent. However, there are plenty of gray areas. We discuss these areas and guide you in making the right decisions in selecting the right solutions.

Nitin Aggarwal

Nitin Aggarwal is a chartered accountant and a certified information systems auditor with more than 10 years of experience in SAP implementations, business process control reviews, access and authorizations reviews, and IT audit. He is a subject matter expert on SAP Access Control and has been involved in numerous implementations over the past seven years.


Subramaniam Iyer

Subramaniam Iyer is an experienced security professional with more than 12 years of experience, including six years as an SAP security consultant with a multinational pharmaceutical organization. He has strong understanding, knowledge, and experience in the key areas of access control to SAP applications, including applying concepts, methodologies, and techniques in the areas of authentication and authorization mechanisms.

You may contact Subramaniam via email at

