Q and A


Transcript from last week's live Q&A with SAP BusinessObjects GRC 10.0 expert Kurt Hollis

by Allison Martin

I recently moderated a web Forum with Deloitte specialist and GRC 2011 speaker, Kurt Hollis on preparing your systems for GRC 10.0

For the full Q&A, you can view the questions from Insider Learning Network members and Kurt's responses in the Compliance Forum, or read a transcript of the Q&A, below:

Allison Martin:  Welcome to today's forum on GRC 10.0 with Kurt Hollis

Kurt, thank you for joining us today! Before you respond to questions, I'd like to start with one that stems from your session at GRC 2011:

Can you go over the details of what is now on Java and what pieces of GRC run on ABAP?

Kurt Hollis
: Hi Allison and thanks for your question, this is a good one. 
The previous version of GRC Access Control (5.3, 5.2, 5.1) runs on the SAP Netweaver JAVA stack.  But now with SAP GRC 10.0, the Access Control components are now running on the SAP Netweaver ABAP stack.  This is a big improvement.  So now, the entire Suite of GRC products run on the ABAP stack which includes Process Control, R isk Management, and Access Control.  GTS also runs on the same ABAP system if desired.  This simplifies the system landscape and the maintenance.  Big advantage is the improved integration of all the products together including RAR, CUP, ERM, and SPM which are now together as one suite.  The only need for a JAVA stack is to support the Portal part (which is now optional) and the Adobe document services if needed for your scenarios.

Perla Priscila: Could SAP GRC Access Control 5.3 be integrated with SAP GRC Process Control 10.0?

Kurt Hollis:
Yes, Process Control 10 and Access Control 5.3 can still be run as separate components and still be integrated using the web services calls between them.  The SAP maintenance runs the same end dates in parallel for these old and new products.  I think it would be wise to consider migration to the new Access Control 10.0 over time.  You will already have the Access Control 10 running in the Process Control 10 system anyway because they are installed together in one foundation package.  The good news is the RTA (now Plugin) supports Access Control 5.3 again since support package 04 just came out.  The VIRSA code is introduced again.  Be sure to make note of the required release level of Access Control 5.3 needed (SP level) to run this way.  You may have to upgrade the SP level of AC 5.3.

Daniel Franjko: On the Access Control 5.3 question, there is an issue that SAP is aware of that they are working on to create a support pack that will enable 5.3 to be compatible with Process Control 10.0.  At Timken, we will upgrade Access Control after implementing Process Control so both are on 10.0 in order to avoid any other compatibility issues.

Kurt Hollis:
  The support for both Access Control 5.3 and 10.0 is now released as part of GRCPINW and GRCPIERP support package 04.  This integration is based on AC 5.3 SP15.  Only critical AC 5.3 RTA updates will be included in the SP's for the GRCPI's.  Still good.  The big thing is now we can run both Process Control 10.0 and Access Control 5.3 and use the GRCPI to support both in the ERP system.  Yea!

Markus Schmidthuysen: Hi everybody, first question from my side: Which version of SAP NW is required? …7.02?

Kurt Hollis:
Hi: The new GRC Suite 10.0 runs on the Netweaver 7.02 EHP2 release.  Also, must be at SP06 of the NW 7.02 minimum.

Nice release!  This is the same NW release that the new ERP EHP5 is based on. It includes the NWBC 3.0 integration and Crystal reports integration.  Very nice!

If coming from older versions of GRC, you will need to upgrade this to the EHP2 using the EHPI installation process.  Also, the Portal components require this release (optional).

Bill Barnum: What is current scheduled date for release of GRC 10 to SAP customers??? And how confident is that date?

Perla Priscila
: Hi Bill, In SAP Marketplace's availability matrix you may find that SAP:
BusinessObjects Process Control 10.0 is released 29.07.2011
SAP BusinessObjects Risk Management 10.0 for 5.06.2011
SAP BusinessObjects Access Control 10.0 is also considered for 29.07.2011.
Regards, Perla S.

JEANNEGRIMES: Is the 7/29/11 date firm? Earlier this week we were told 7/15

Kurt Hollis:
I believe this was answered but to be sure you know the date was pushed back until July 29th, 2011.  This is to give more time to get all the updates and enhancements learned from R ampup into the product.  It looks very good and should be released generally on that date.  Right now it is up to Support package 04 level which just came out.

LaxmanB: Hi Kurt, are the GRC 10.0 installation, setup/config guides available? If so will you be able to provide the link?

Kurt Hollis
: SAP provides all of the GUIDES including installation, upgrade, migration (needed for Access Control especially), security, and operations out on the service marketplace at  You do need the SAP ID to login here.  Just navigate to support portal and to release/info tab and then to the install/upgrade guides menu item.

One guide not released is the configuration guide.  SAP provides configuration documentation in the SPRO transaction although limited in explaining.  I am not sure if the plan is to release a guide for this yet.  SAP experts are posting how to guides on the SDN web site however. This is a good site for more detailed information after the installation is completed.

Perla Priscila: For SAP BO GRC 10.0 Suite, will there be one "RTA" needed in the backend or should it be applied per function (PC, AC)?

If there is more than one RTA, is there any dependency between the RTA's or may only one function be used?

Kurt Hollis: The RTA is now replaced by the new GRC Plugin 10.0.  This plugin comes in two parts.  One part (GRCPIERP) for ERP which includes support for Access Control and Process Control.  The other part is for both ERP and non-ERP system called GRCPINW and supports Access Control in all systems including ERP. So no separate RTA for Process Control needed.

As of Support Package 04 of the GRCPIERP and GRCPINW components, support is re-introduced for the Access Control 5.3 (VIRSA) in the new GRCPI components for backward compatibility and migration support.  So the new GRCPI with this SP level will support both releases of Access Control at the same time.  Interesting, right?

JEANNEGRIMES: You said the Portal part is optional – what is the other alternative?

Kurt Hollis:
Portal is optional, the new GRC Suite 10 runs in a web browser based on the embedded NWBC which is part of the Netweaver 7.02 EHP2 release.  Be aware you may need the Crystal Reports adapter installed locally for running reports in Crystal Reports view.  You can run these reports as non crystal reports too using the Web Dynpro ABAP list viewer (ALV) in the web browser.    You can also use the NWBC front end too.

SAP GUI is only needed for those who install and configure and maintain the system.

Markus Schmidthuysen: What is the nota fiscal content within SAP NW PI about? Does this come/go from/to a particular legacy system?

Kurt Hollis: Nota Fiscal content is targeted for country Brazil for electronic signatures which is a requirement there. Not needed for USA or Europe/Asia installations. South America mainly.

Blair Towe: We are considering the implementation of GRC 10. If we did this, would there be one central system with Access Control, Process Control and Risk Management, or is there reason why you would want to separate these out?

Kurt Hollis: Hi Blair:  No reason to separate these out.  They are designed to run together and it is recommended to have one central system to run these together. The only performance impacts are with the risk analysis jobs which should run at night or when appropriate time permits.  You can add app server if needed for the jobs runs.

Daniel Franjko: How well does Process Control 10.0 work with continuously monitoring and continuously auditing automated/application controls in SAP and with other non-SAP systems?

Kurt Hollis: SAP delivers a very good set of controls for monitoring in the SAP system.  For non-SAP systems, some custom work to setup these controls is needed at the client site.  A good product to use for the non-SAP integration is greenlight technologies products.  Check these out.  The system supports web service calls for non-sap systems.

Dave Hannon: Kurt, can you highlight a couple of the advantages of the new user interface on GRC 10? Thanks.

Kurt Hollis: New user interface is based on NWBC technology.  NWBC is the Netweaver Business Client.  This same web based user interface runs in the SAP Portal, NWBC stand-alone front end, or embedded NWBC running from the GRC ABAP system in a web browser.

The new interface has simplified and unified navigation for all of the combined GRC suite products in a set of six basic menus.

To run the interface you would have web URL. Here’s an example.  Big improvement over the last release.

Markus Schmidthuysen: What value-add do I have when I use SAP B O AC in addition to SAP NW Identity Mgmt.?

Kurt Hollis: Two products with distinct differences.   One overlap is the Identity management can create user accounts and so can the access control user provisioning.  The big difference is the GRC products check for SOD risks with users’ access before provisioning.

Sven Fahn: Hi Kurt, I heard different comments regarding the "out of the box" content of pre-defined rules (AC, PC) in 10.0.
 - will the content of pre-defined rules be similar to 5.3, 3.0 etc.?
 - won’t there be any rules in initial roll-out of 10.0, due to the assumption that they haven’t been used by the clients so far?
 - is there an approach to build up a multiplex, LoB- / industry-specific content with client & partners within the next months or years by using the content lifecycle management?

Kurt Hollis: Hi Sven: The rules are delivered in BCSETS initially in the GRC 10 system.  Another acceptable way to get the rules is from the Access Control 5.3 SP15 rule set and import these.  I like using the SP15 rules set which I am familiar with and can more easily view the contents before loading them.

Yes, there is an approach to build up content with content lifecycle management.  Actually, partner firm Deloitte is working on this with SAP.  There is a presentation on this topic from the GRC 2011 conference.  Let me see if I can find the web link to some of the public information and update this post with.

LaxmanB: Hi Kurt, Why is it called BOBJ GRC 10.0?

Kurt Hollis: Business Objects is a grouping or suite of products from SAP.  SAP GRC was placed under the Business Objects grouping of products al ong with Business Objects Business Intelligence, GRC suite, EPM, and EIM, BI, and Analytics.

Business Objects is a company SAP acquired.  Crystal Reports is the most popular item. So it is now called SAP Business Objects GRC.

Markus Schmidthuysen: Are there some pre-configured example scenarios available like IDES for SAP ERP?

Kurt Hollis: No preconfigured scenarios exist. However, demos are available.  We have our own demos at our firm for example.  But SAP did not release any packages for this like IDES.  I did see the SAP Discovery systems had GRC, but it was older versions. 

Markus Schmidthuysen: What landscape strategy do you recommend: one centralized GRC system or multiple distributed GRC systems?

Kurt Hollis: Keep landscape simple. One system for each of DEV, QAS, and Production.  QA is also nice to have, but if costs are restrictive, you can do without and test in separate clients in DEV.  You should run the Process Control, Risk Management and Access Control together in the one system, not distributed.  However, GTS (Global trade) should be considered for its own system.

Markus Schmidthuysen: Ok, great. What if I have different companies located in different countries within my group that have also different auditing/reporting requirements? Can this all be pictured within one centralized product GRC system?

Kurt Hollis: One approach would to be to use the underlying organizational model to separate the different companies within the one GRC system and client.  If this is not enough, you can create additional clients, allowing separation of configuration and data, within the same GRC system now to support the multiple companies.

Markus Schmidthuys en: SAP BusinessObjectEnterprise XI 3.1 and SAP Integration Kit: Not PI? Is the XI 3.1 already integrated in SAP BO GRC or what is this about?

Kurt Hollis: You do not need the Business Objects Enterprise server for using Crystal reports in the reports from the new GRC suite 10.0 anymore.  The new design uses the new Crystal Reports adapter which is installed on each persons front end computer (kind of like having Adobe reader for PDF) to launch the Crystal reports.

It is only the Crystal Reports that is in the new GRC system and not any Integration kit or Enterprise XI 3.1 needed or included.  The technique changed to launch the crystal reports.

Allison Martin: This marks the end of the discussion. Thanks to all who posted questions and followed along!

A full summary of all the questions will be available here in the Compliance Forum and in the Compliance Group on Insider Learning Network. I encourage you to join this group for ongoing information and additional resources.

And finally, thank you to Kurt for taking the time to respond to these questions.

An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!