Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
20 January 2022

Implementing Business Role Management in SAP GRC - Best Practices

Business role and access provisioning management is a powerful tool to streamline and automate assignments in SAP systems, whilst reducing the number of users with inappropriate access.

SAP access can quickly get complicated as more roles get created for different reasons. Composite roles, which are a cluster of single roles, help to group access together in a particular system and can simplify access requests and provisioning.

However, composite roles are limited to single systems, whereas the roles of business users often stretch across multiple systems. This is where Business Role Management comes in useful, as they can be customised to business needs by grouping single and composite roles across several systems.

It also increases the efficiency of the end-to-end provisioning process by enabling central assignment, through tools like SAP GRC, to allow request raisers to specify access via a single Business Role. Furthermore, the access request workflow enabled in SAP GRC eliminates manual assignment in the backend, reducing the possibility of incorrect access.

Business Roles can also be integrated into wider Identity Access Management strategies as it aligns with IdAM goals of ensuring the right access is assigned to the right users through simplification and automation, based on HR actions for Joiners, Movers and Leavers.

This blog will walk through best practices for the first phase of Business Role Management implementation; Initial Analysis. Be sure to check out our follow-up article, where we address the best practices for the remaining phases.

Best practice for the ‘initial analysis’

The initial analysis is the stage where business roles should be defined, risk analysis carried out and future owners and approvers of these roles consulted. This is where tasks carried out by different job functions must be reflected accurately by the access in the system – as with all role design, the business process is the driver for the access.

  • How does the business work?

The design team must be made up of people who understand how the business works and can draw out their needs and translate them into technical requirements. This balance of skill and knowledge bridging business and technical functions is what will make the difference between a good implementation and a great implementation; it enhances communication between teams and ensures the key issues are identified.

More technical and more business-focused users can always be consulted to understand the details, but it takes a team with a wider understanding of both areas to identify the critical links.

  • Role review

If the design of the new Business Roles is based on the current user access, it may be necessary to perform a role review to verify if users actually require the access they are currently assigned. This is important if the previous process involved manual assignment of access, as duplication and unnecessary access is more likely to be granted.

This is particularly true in systems that have been in place for some time. If users have moved and switched roles in these systems, access creep is inevitable and should be addressed before a business role implementation.

  • Transactions

During the analysis phase, beware of roles that do not include any transactions - this could seem like a redundant role, or a system user role, however business users may require it. For example, users who need to pull information cross-systems will require Remote Function Call authorisations, where no transactions will be defined.

  • Access risks

Another important point to consider is the types of access risks, like Segregation of duties risk, that could arise within the new business roles. The initial design of each business role should undergo risk analysis at the role level within SAP GRC. This will identify risks that may appear as a result of cross-system access due to new combinations of technical roles.

If performing a risk analysis is included as part of the automated business role assignment workflow, these risks will need to be mitigated at the business role level. It is important to define within your reporting rules any risks which may be cross-system, such as maintaining master data within one system, while transacting upon that data within another.

  • Approvers and owners

It is good practice to ensure defined owners and approvers are assigned to each new business role. Owners should be accountable for the content of the business role and the approvers should be responsible for approving assignments to users. This segregation of duties ensures that no one person can control the access within the role and also have the ability to assign it.

At the end of the initial analysis, there should be a newly designed business role to single role mapping that can be uploaded into the SAP GRC master data for automated provisioning and a clear document of owners and approvers.


The next phases of implementing Business Role Management effectively in SAP GRC are deployment and hypercare. Click here to read part two where we explore these next steps.

Or, if you’re looking for additional resources on how to effectively manage access for joiners, movers and leavers within SAP, you can  read our full SAP Identity & Access Management guide here.