Rulesets for your GRC Solution
Used to monitor risks, a ruleset is the basis for carrying out a risk analysis in the SAP system. Based on the ruleset, critical authorizations and segregation of duties (SoD) conflicts, which arise through critical combinations of authorizations, can be checked and cleaned up regularly or on a case-by-case basis.
Keep a close eye on your risks!
Given the constantly growing requirements and risks in SAP, challenges arise in creating and maintaining custom-made rules for the respective GRC solutions. For analyses, reports, and the processing of authorizations and system settings, a constantly updated and well-maintained ruleset ensures secure administration of the SAP system.
With the help of our services, we evaluate the requirements individually and, depending on the catalog of requirements and legal regulations, we can build up the basic knowledge and the necessary know-how. We support you in identifying which risks are relevant for you and together we can define the right ruleset for your GRC solution. If you already have a ruleset in use, we will help you ensure that your current ruleset is up to date, identify potential for optimization and establish best practice approaches.
- Compliance workshops to expand compliance knowledge
- Analysis of rulesets and regulations to ensure they fit the individual requirements
- Creation of a new and individual ruleset
- Implementation of a ruleset in your GRC solution
- Technology consulting for maintaining and updating rulesets at the push of a button with the Easy Content Solution
Your challenge
Building a ruleset is not a one-time task. A ruleset must be constantly checked, expanded, or adapted. Changed processes mean changed risks and consequently different rules. So what are the most common problems? Why is there no ruleset, or why does the existing one no longer meet the requirements? Our experience shows that it is often one of the following reasons:
- Missing responsibilities
- Communication to the department
- Development of the necessary GRC competence
- Technological changes
- Many in-house developments
- Cybersecurity risks

Our solution
Our approach always pursues an overall view of the risks. These are mapped in a global ruleset and always reduced to the most critical authorizations in order to keep complexity low and to make rules transparent. Our ruleset takes into account the changes made with SAP S/4HANA (including Fiori apps) and customer-specific in-house developments. Together with you, we decide where and which rules are relevant for your organization.
We first analyze the requirements that will be placed on the new ruleset. For this purpose, we record, for example, compliance requirements from a regulatory and ICS perspective and review your existing ruleset, if you have one. In the next step, we check your in-house developments to identify missing or incorrect authorization checks and correct them.
In addition, the maintenance of the SU24 default values plays a central role, because it allows the critical authorizations relevant for the ruleset to be assigned to a transactional context. In the last step, we create the final rulesets for you and validate the results so that the ruleset is not only professionally but also technically clean. We support you with the implementation in the productive environment to monitor and control the authorizations for your processes so that the rules are established, maintained, and accepted in the long term.
Our Approach

Xiting Compliance Services
We support you on your way from creating awareness about compliance to defining and implementing a ruleset for the XAMS CRAF solution, SAP GRC Access Control and SAP IAG, among others. Whether it is the creation of a coordinated, final ruleset or support in developing a ruleset with “ECS meets XAMS”, our aim is to be your competent and reliable partner for risk management.
Compliance Workshop
- Essential basic knowledge about Governance, Risk and Compliance (GRC)
- Communication of connections and effects on compliance in SAP system landscapes
- Proof of concept of rules in the GRC solution (e.g., in XAMS CRAF)
- Risk analysis of a selection of rules (up to 15 rules) in the GRC solution
Custom Ruleset
- Compliance workshop (1 day)
- Essential basic knowledge about risks and compliance in SAP
- Requirements analysis and risk workshop with the departments
- Analysis of in-house developments and ICS requirements
- Recommendation for mitigation of risks
- Implementation of a ruleset in the GRC solution (e.g., XAMS CRAF)
- Risk analysis with the fully defined ruleset
ECS meets XAMS
- ECS license for SAP standard modules and industry specifics
- ECS compliance workshop (2 days)
- Essential basic knowledge about risks and compliance in SAP
- Basic training on ECS
- Implementation of a ruleset in the GRC solution (e.g., XAMS CRAF)
- Risk analysis with individually selectable ECS rules