In SAP GRC Access Control, a user can end up with the same single role two different ways at once: assigned directly, and pulled in through a business role. Both paths grant the same access, but they live in completely different rows — so the redundancy is invisible unless you reconstruct it.
That redundancy quietly distorts everything downstream. Access reviews double-count the role. A cleanup removes the direct assignment but leaves the business-role copy (or the reverse). Date-based recertification compares the wrong start date. And when you can’t see which path granted what, you can’t safely remove either.
This prompt rebuilds the full picture from four standard GRC tables and produces one workbook that labels every user-role assignment as Direct, Via Business Role, or Both — with the dates lined up so you can see exactly what’s safe to clean up. It’s free. No form, no login.
What you'll need
| Table | What it gives you |
|---|---|
GRACUSERROLE | User-role assignments (the base table): User ID, assigned role GUID, business role GUID, start/end timestamps, target connector |
GRACRLCONN | Connector role mapping: maps connector role GUIDs to real role names/text and mapped role IDs |
GRACROLE | Role master data: role text, type, and description; business roles are where Role Type = BUS |
GRACROLERELAT | Business-role-to-single-role links: Parent Role ID (business role) to Child Role ID (single role), plus relation type |
Export all four tables from your GRC system and provide them as the four source files. The prompt joins them: GRACUSERROLE is the base, GRACRLCONN normalizes the assigned role, GRACROLE supplies role text and type, and GRACROLERELAT validates the business-role-to-single-role relationship.
The prompt
Copy this verbatim into your LLM of choice, then attach the CSV described above.
You are an Excel/SAP GRC data expert. I have uploaded four Excel files:
1. GRACUSERROLE
- Contains user role assignments.
- Important fields include User ID, assigned role GUID, business role GUID, start timestamp/date, end timestamp/date, target connector, and assignment-from-composite-role indicator.
2. GRACRLCONN
- Contains connector role mapping.
- Use this to map connector role GUIDs to actual role names/text and mapped role IDs.
3. GRACROLE
- Contains role master data.
- Use this to identify business roles and role text.
- Business roles are identified where Role Type = BUS.
- Pull Role ID, Role Name, Role Type, Business Process, Subprocess, Connector Group, and Description where available.
4. GRACROLERELAT
- Contains business role to single role relationships.
- Parent Role ID = Business Role ID.
- Child Role ID = Single Role ID.
- Use Role Relation Type to validate the relationship.
Please create a final Excel workbook with separate sheets.
Main required sheet:
"User_BR_SR_Final"
For each user assignment, show:
- Client
- Target Connector
- User ID
- Business Role ID
- Business Role Text
- Business Role Description
- Business Role Type
- Assigned Connector Role GUID
- Single Role ID
- Single Role Text
- Single Role Description
- Single Role Type
- Assigned RFC Destination
- Start Date
- End Date
- Start Timestamp
- End Timestamp
- Business Role Assignment Flag
- Direct Assignment Flag
- Base Assignment Source
- Assignment Type / Date Comparison
- Direct Start Date(s)
- Business Role Start Date(s)
- Date Comparison Detail
- Relation Exists In GRACROLERELAT
- Role Relation Type
- Environment
- Assignment from comp role
- Original user-role row GUID
Logic:
1. Use GRACUSERROLE as the base user-role assignment table.
2. Normalize the assigned role:
- GRACUSERROLE assigned role GUID should be mapped through GRACRLCONN.
- If GRACRLCONN has a mapped role ID, use that as Single Role ID.
- Otherwise use the assigned connector role GUID.
3. Use GRACROLE to get role text, role type, and description for both business roles and single roles.
4. If GRACUSERROLE has a populated business role GUID, classify that row as "Via Business Role".
5. If business role GUID is blank, classify that row as "Direct Assignment Only".
6. For each User ID + Target Connector + Single Role ID:
- Compare direct assignments against business-role-derived assignments.
- If the same single role exists both directly and through a business role, compare dates.
- Classify as:
- Direct Assignment Only
- Via Business Role Only
- Both Direct and Via Business Role - Same Start Date
- Both Direct and Via Business Role - Different Start Date
7. Use GRACROLERELAT to validate whether the Business Role ID and Single Role ID relationship exists.
- Mark "Yes" if found.
- Mark "No" if the business role exists but relationship is not found.
- Mark "N/A - Direct" for direct-only rows.
Additional sheets to create:
1. "Unique User_SR_Review"
- Summarized User ID + Target Connector + Single Role ID view.
- Include single role text, business role IDs/texts, assignment type, direct start dates, business role start dates, and date comparison details.
2. "Summary"
- Count rows from each source file.
- Count unique users.
- Count unique business roles used in user assignments.
- Count unique single roles.
- Count direct/no-business-role rows.
- Count via-business-role rows.
3. "Assignment Summary"
- Count by Assignment Type / Date Comparison.
4. "Relation_Check_Summary"
- Count by Relation Exists In GRACROLERELAT.
5. "BR_to_SingleRole_Map"
- Business role to single role mapping from GRACROLERELAT.
- Include parent role ID, parent role text, parent role type, child role ID, child role text, role type, and relation type.
Final workbook requirements:
- Save as "User_vs_BusinessRole_vs_SingleRole_Final.xlsx".
- Apply Excel table formatting to each sheet.
- Freeze the top row.
- Add filters.
- Auto-fit or adjust column widths.
- Keep GUID columns as text, not numbers.
- Convert SAP timestamps like YYYYMMDDHHMMSS into readable dates.
Why the assignment type matters
The value isn’t the row count — it’s the Assignment Type column. "Both Direct and Via Business Role" means the user keeps the access even if you revoke one path, which is the trap most cleanups fall into. "Different Start Date" flags where the two assignments disagree on when access began — often a manual direct grant layered on top of a governed business role. Start with those two buckets before you touch anything, and use the GRACROLERELAT relationship check to confirm the business role really does contain the single role.
Beyond a one-time snapshot
This prompt is a one-time snapshot from exported GRC tables. SyntaAI does it live and continuously across your entire SAP landscape — plus role build, user admin, FUE optimization, UAR, audit, threat detection, vulnerability scanning, and SoD.
Want the SQL to pull GRACUSERROLE / GRACRLCONN / GRACROLE / GRACROLERELAT straight from your GRC schema?
Optional. The prompt above is fully readable and copyable whether or not you use this.