Skip to Content

GRC AC 10.1 Managing expired and expiring roles: how to extend role assignment validity

Dear SAP Community,

During the configuration of GRC 10.1 Access Request, I was trying to find the best way to manage expired and expiring role assignments. From my understanding, the only tool available is the security report "List Expired and Expiring Roles for Users", which does not offer a way of extending the role assignment validity or to notify either managers or end users of the incoming access limitation.

How did you tackle this issue in your implementations?

  • must users (or managers) create a new access request, each time their roles are about to expire?
  • do you notify the users (or managers) that their roles are about to expire?
  • did you create a workflow for role assignment validity extension, where managers review their users' assignments and extend the necessary ones?

Is there a standard way to achieve any of this?

I was hoping that role reaffirm or user access review would provide this funcionality, but unfortunately they only serve to remove assignments, not to extend them...

Thanks and best regards,


Add a comment
10|10000 characters needed characters exceeded

Related questions

3 Answers

  • Posted on Dec 06, 2018 at 02:20 PM

    Hi Miguel,

    the only way in Access Control to achieve this is with Access Requests. When you request access for a user, you can click on the "Existing Assignment" button to see all the roles that are assigned and likely to expire. You can then add them to the access request and have the action set to "Retain" (instead of "Assign" or "Remove"). Retain allows you to change the validity date.

    You can also set parameter 2045 to 010 (Retain), so that the default provisioning action is always Retain when you select them from the existing assignments.



    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Mar 19, 2019 at 03:49 PM

    Hi MS,

    Role that you are referring here are Business Role(BR) or Technical Role(TR)?Did you try the following program for Role Expiry




    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Jul 27, 2020 at 04:06 PM

    Hi Experts,

    Added to this aspect, i have a question related to this.

    When a request was submitted for Retain/Change data provisioning action. It is going for manager and other approvers for approval. But, by the time the role gets approved the role was removed at from user assignments at backend ECC and request is going to Escapte path with conditon"Provisoning failure".

    I would like to know what would be default time/period that a request will look for backend assignments.

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.