What’s coming with SAP Access Control 10.1? Q&A with Deloitte's Kurt Hollis

by Kurt Hollis

October 30, 2013


GRC 2014 speaker Kurt Hollis recently joined us for a Q&A on what’s new in SAP Access Control 10.1. He took reader questions on the AC 10.1 release timeline, certification, use of UI5 and HTML5, plug-in connectors, migration tips, and more.

Kurt will be leading a hands-on lab at GRC 2014  this year on AC.10. You can learn more about Kurt's lab, and read our edited transcript of Kurt's chat with our readers, moderated by GRC 2014 conference producer Allison Martin.


Allison Martin: Thanks to everyone for joining us today for this chat with Deloitte’s Kurt Hollis. Kurt has been a speaker at many of our GRC events, and will be speaking again at GRC 2014 this March in Orlando. Kurt will also be running a hands-on lab covering SAP Access Control 10.1 configuration at the event!

Thanks, Kurt, for taking the time to answer some questions about Access Control 10.1 today.

Kurt Hollis: Thanks for having me today for the GRC 10.1 Q&A! Special thanks to all who are attending this.

Allison Martin: We have lots of questions from our readers. I’ll let you get to those now…


Comment From Carsten Rørholt: Does GRC 10.1 work in at multi-client environment? At my former employer, we used GRC in a single client environment and it worked fine.  But at my current employer, they have had some problems with GRC in a multi-client environment, so they are not using it anymore. So does GRC 10.1 work in at multi-client environment? Or what are the challenges with GRC in a multi-client environment?             

Kurt Hollis: Yes, GRC works great in a multi-client environment. For the Development system, this is very much recommended. I usually set up a golden client, a dev client, and a test client for refining rule set or trying new config items.

Comment From Darek: When will AC 10.1 be available to all SAP customers who currently use AC 10.0?

Kurt Hollis: Ramp up for 10.1 is available now and completed 1/31/2014. It will be available to all customers.

Comment From Nagarajan: What is the reason for the release of 10.1 version of AC when AC 10.0 was released in 2011? If new features were added, then they could have been added to 10.0 via updates.

Kurt Hollis: Main reason is for native HANA support and support for the new HTML 5 and UI5; these required a new SAP NetWeaver release.

Comment From Perla Silva: Hi Kurt, is it possible to use the same back-end plugin for versions 10.0 and 10.1?

Kurt Hollis: Yes. GRC Plugin 10.0 can be used with GRC 10.1 systems and GRC Plugin 10.1 can be used with GRC 10.0 systems:

Backward Compatibility for Access Control 10.0: The backward compatibility of GRCFND_A V1000 for Access Controls starts with Support Pack 10. Until SP10, both GRCFND_A and plug-in add-ons GRCPINW & GRCPIERP needed to be on the same level. However, from SP10 onwards, this is not required, which means that the add-on GRCFND_A on GRC system can be upgraded without the need to upgrade the plug-in add-on to the same level, provided the plug-in is at a minimum SP level of SP10. In other words, once the plug-in is on SP10, the GRC add-on GRCFND_A can be upgraded to SP11 or higher without upgrading the plug-in.

Backward Compatibility for Process Control 10.0: The backward compatibility of GRCFND_A V1000 for Process Controls has been introduced from support pack 12. Once the GRC system and GRC plug-ins are on SP12, it will no longer be mandatory to upgrade the plug-in in case the support pack in GRC system is upgraded to higher levels.

Please note the following points before upgrade to the AC 10.1 Plug-Ins:

- Recommendation is to upgrade both front-end (GRCFND_A) and back-end plug-in (GRCPINW & GRCPIERP) components to AC 10.1 which also contains the AC 5.3 RTA.

- During the time of transition, you can still connect to AC 10.1 Plug-in (GRCPINW & GRCPIERP) from AC 10.0 front-end.

- Also, you can connect to AC 10.0 Plug-in (GRCPINW & GRCPIERP) from AC 10.1 front-end as long as support pack of AC 10.0 plug-in is SP10 and above. However, some new AC 10.1 functionalities, such as Organization Rule Wizard, Custom User group creation, and EAM DB log collection, will not work.

(From SAP notes) 

All New Content for October on the SAP Customer IT Hub!
Get quick and easy access to the wealth of knowledge, resources, tools, support and services that are available to all SAP customers.

Comment From Judy Thompson: What differences should we expect when we migrate from GRC 5.3 AC to AC 10.1? Can we migrate the data easily?

Kurt Hollis: There is a guide from SAP, the Migration guide; you should get this guide on the Web site in the GRC area. Yes, the data can be migrated easily. Use the Java-based migration tool to get the data out. Some projects, instead, just set up the new GRC 10.1 and transfer only the ruleset. The workflow is thought to be better redone using the new MSMP and BRF+ delivered workflows and building on them rather than migrate these. Not all data can transfer from AC 5.3; some is historic data. The older system is left running to access some of that data for audit purposes.    

Comment From Guest: Do you control ITAR and EAR through GRC 10.1?

Kurt Hollis: More from a regulation standpoint in PC. You can use PC to comply with ITAR and EAR; also, the GTS piece helps with actual compliance of those.

Comment From Guest: What are the new features in AC 10.1?

Kurt Hollis: Simplified Access Request - SAP Access Control 10.1 features a new, simplified, and intuitive Access Request form allowing you to define Request Reasons and to use these reasons for request selection. You can click the role name and access critical information, such as Tcodes, and you can save a draft version of the request. You can also add comments for each role. New side panels provide additional information, such as the details of risk analysis.

- Custom User Groups from SU01 Attributes - You can now create custom user groups based on SU01 attributes. You can use these groups when performing risk analysis.

-  System-Specific Org Rule Analysis - You can now define and activate the Org Rules for specific systems only. Using organizational rules in risk analysis can be time consuming, especially in batch risk analysis. In most cases, Org Rules only apply to some of the connected ERP systems. By having system-specific Org Rules, only the relevant rules are used for risk analysis, resulting in highly improved run times.

- Org Rule Maintenance Wizard - The Org Rule Maintenance Wizard makes creating organizational rules faster and easier and eliminates possible invalid entries due to manual input errors. The wizard allows you to select the desired ERP system, select the Rule Sets, select the Organizational Levels from existing risks, and select Organizational Level values from the ERP system. You can then review and edit the new rule before generating it.

- Context-Based Side Panels - This new user interface feature, an alternative to the dialog box, provides more on-screen information about the process you are using without requiring you to leave the main screen. For example, while working on the access risk screen, you can use the Violation Historic View side panel to display the number of users associated with this access risk over time, and also the number of mitigations over time.

- Access Control for SAP HANA - This feature enables SAP Access Control to manage access and risk analysis for SAP HANA-based authorizations to support SAP HANA Performance Applications and SAP HANA Business Analytics.

- Role Search Personalization - You can now add custom fields to the role search criteria for access requests and configure the field attributes to the following values: Display only, Hidden, or Default.

- Context Sensitive Help - You can directly access the help topics for the process you are executing by clicking on the application screen and accessing the Help Center.

Enhanced Features: Improvements to Access Risk Analysis and Remediation:

- Access Risk Root Cause Analysis - The access risk root cause analysis remediation view enables easier identification and remediation of access risks. It offers a set of tools for segmenting risk violations so you know which risks to target first. You can enable remediation workflow processes from the remediation view to ensure that the processing and auditing of remediation activities are followed and tracked.

- Extended Remediation Capabilities - Remediation capabilities are extended by allowing reviewers to initiate removing roles or editing role validity dates directly from the access risk analysis results. These two new workflow processes are fully configurable and may reuse routing and approval rules from any other GRC workflow process. This functionality is available for both SAP Access Control and the integrated access risk analysis portion of SAP Process Control.

- Reporting & Dashboard Authorization - Reports and dashboards are now secured using role-based authorizations. In addition, users’ authorizations can be displayed in a dialog box when desired. An administrator can enable or disable this link for display.

Comment From Kaitlin: How have you seen Access Control 10.1 integrated with BPC 10?

Kurt Hollis: You can integrate with BPC 10 since it is an SAP ABAP NetWeaver-based system using the Plug-in GRCPINW and you can manage security access controls same as other systems.

Comment From Gowrinadh Challagundla: Have you ever tried configuring a FireFighter to multiple systems and logging in to multiple systems at the same time? And running a sync job without logging out from FireFighters? It will create a work flow before the ff logs out.

Kurt Hollis: Need more information about the question. Are you referring to assigning multiple IDs across multiple systems? How have you set up the FFs for the review?

Comment From Craig: Hello Kurt! We are currently running GRC 5.3. We have recently joined ramp-up for 10.1 and are building out an entirely new landscape due to the switch from Java to ABAP.|Do you know of a place where I can get more information on setting up the new plug-in connector settings, say, in an ECC system? I can't find anywhere on what to enter for Plug-In Connector and GRC Connecter parameter values. Just that it must match what is in the GRC system.

Also, I've heard that once the new plug-ins are installed, that your connections from the 5.3 system will break; however, a future support pack may allow you to run both an AC 10.1 system and an AC 5.3 system in parallel until cutover is complete. Have you heard if that's definitely going to be a possibility? Thanks Kurt!


Kurt Hollis: Hi Craig: The setup of the connectors includes 6 steps and it is all in the SPRO transaction. 3 of the steps are in the integration section and the other 3 steps are in the Access Control section.

1. First, set up RFC Connections to the Plug-In systems, such as the ERP system (the name of the connector will be critical)

2. Second, Each rule set is activated and linked into a separate logical group (technical name in brackets):

- GRAC_RA_RULESET_SAP_R3: Rules for ERP including Basis and HR (SAP_R3_LG)


- GRAC_RA_RULESET_SAP_NHR: Rules for ERP excluding HR and Basis (SAP_NHR_LG)






- GRAC_RA_RULESET_JDE: Rules for JD Edwards (JDE_LG)



3. Next, set up Connector Assignments and Connector Groups

The Connector Group is important for the Rule Set activated (from Step 2)

4. Set up the Connector Assignment for each of the Integration Scenarios

Note: Must perform all scenarios’ setup regardless of using or not

5. Simple Setting to Map the Target Connector to the Application Type

6. Assign the Connector Group the Actions and the Target Connectors

Usually Assign all Actions, set default

The connector instructions are in the SPRO transaction in the text boxes in front of each step. No more config guide from SAP like with AC 5.3.

Yes, the VIRSA code is included in the new plug-ins for 10.1 and it is backwards compatible with GRC AC 5.3, SP18 and higher. The exact version matching needs to be checked in the SAP Notes

 - 1662113 Using Access Control 5.3 with your 10.0 plug in systems

- 1590030 GRC10 Plug-in & 5.3 VIRSA Plug-in (RTA) Co-Existence

- 1352498 Support Pack Numbering – GRC Access Control


Comment From Lorraine: Today we only unitize RAR & CUP in 5.3. Do you recommend a "technical" upgrade with GRC 10 and then implementing BRM functionally later?

Kurt Hollis: Hello Lorraine: Your situation is common. RAR and CUP most popular. Of course the Firefighter is too.

You can implement the new ARA and EAM in 10.0 or 10.1 now and add the role management piece later. It is advised to plan the needed business configuration decisions into the new EAM setup to support the added role management to avoid going back and refitting the EAM to the role management later.

Comment From Lorraine: Thanks, do you have a template for the business configuration piece or know where I can find it?

Kurt Hollis: Hi Lorraine: I will get the answer to the template question and respond back later. It is not provided in the system from SAP, other than the standard delivered content in the standard system. However, there was a ready to run or starter package before. That is what I am checking for you. I will reply again later after I check into this.

If you go to the GRC conference in 2014, there is a new GRC Hands-on lab where each person gets their own GRC system to configure and get the applications up and running for the first time. This is a great way to quickly learn how to set up GRC 10.1 easily from experienced people. I am the speaker and instructor for this lab exercise. The lab is based on GRC Access Control 10.1.

Comment From Lorraine: Can you recommend any ways of validating that the migration was successful, like any reports?

Kurt Hollis: Hi Lorraine. During the import of the migrated data, it is validated and logs exist. Once the data is imported, you can view the data either in the application set-up screens or view the contents of the tables. You can also download the data and compare it using spreadsheets if it is not too large. This is one area that is more intensive work. The migration tool aids in filtering, transformation of data, the validation of the loading of the data, but detailed verification and comparing is much more manual work.

Comment From Kaitlin: Have you been able to connect Access Control to BPC and implement it successfully at a client? Can you share details?

Kurt Hollis: I personally have not connected to BPC systems, but I see it no differently than any other source system. The roles may be unique and the rule set may require more custom work, but that is the case with some systems not included in the delivered rule sets from SAP.

Comment From Rémi: What differences should we expect when we migrate from GRC 10.0 AC to AC 10.1?

Kurt Hollis: Upgrading from GRC 10.0 to 10.1 required a week-long upgrade of the SAP NetWeaver system to release 7.40, SP3 or 4. The application is not impacted after the upgrade and functions as before, nut now you have access to the new features as listed in the prior posting for the 10.1 version. The driver to get to 10.1 depends if you are after those new features.

I like the new user interface features of UI5 and HTML5 look and feel changes. Still uses the NWBC. The HANA analytics are available in both 10.0 and 10.1. The big thing is if you are installing all your new products on HANA, this new release supports that. 

Comment From Khurram: Hi Kurt, any new feature in 10.1 with respect to HR Triggers? Also, now can we have multiple rules for a single HR trigger in BRF+ decision table? Thanks.

Kurt Hollis: Yes, based on a single trigger received on something like a new user creation, you can define multiple conditions on what access needs to be assigned to them based on business requirements.

Comment From Rémi: Have you already migrated a client from AC 10.0 to AC 10.1? How smooth was the migration? Any pitfalls to avoid?

Kurt Hollis: Hi Rémi: The upgrade from GRC 10.0 to 10.1 involves mostly the SAP NetWeaver upgrade from 7.02 or 7.31 to 7.40 version. One struggle I had was generating the correct stack.xml file for the upgrade in solution manager. I had to update my solution manager content first, then it was Okay. No big issue really. Very smooth. I did not migrate it to HANA DB, but that can be done using the system copy migration process.

Comment From Dave: Kurt, any insight into the most pressing business case for moving to HANA-enabled Access Control? What does HANA bring to AC that changes its performance?

Kurt Hollis: Hi Dave, good question. The main reason for the HANA platform is to support custom reporting and queries not available in the standard delivered packages, some of which are below. The BW custom reporting was available in the past, and this is a natural progress.

The (building blocks) prerequisites for creating ad hoc reports for analyzing the access risks, access risk violations, incidents of SoD risk and mitigating control risk violations, org rules, mitigating controls, actions, functions, critical actions/roles/profiles, action usage, incidents, Segregation of Duties (SoD), and user access risk. Analysis areas include risks library, rules library, users, roles.

Based on this virtual data model, you can generate reports to answer the following business questions:

- What are the access risk violations over the past six months?

- What are the risk violations for a specific role?

- What mitigating activities have been performed over the past three months?

- What unmitigated risks exist in the system?

- What is the history for SoD reviews?

- What is the history for user access reviews?

For access requests:

- How many access requests were created for the last three months?

- What types of access requests were created: User Access, reviews of Segregation of Duties, Emergency Access?

- What was the length of time for the access requests to be completed for the last five months?

- What access requests are still pending? How long have they been open?

- How many users and roles were provisioned for the last four months?

- What are the most frequently requested roles?

- What are the service level agreements for the requests?

Comment From Craig: Is there any reason with the new GRC 10.0 or 10.1 applications to have a plug-in installed on the same system as the GRC Access Control 10.1 application if it is a standalone ABAP system?

Kurt Hollis: Hi Craig: It is not required to have this plug-in on the new GRC 10.1 system. It is only needed if you wish to use the Access Control features on the GR system itself, just like any other connected system.

Comment From Gadde Kiran: When will GRC AC 10.1 certification be available?

Kurt Hollis: Hi Gadde: GRC 10.0 certification is available now, and it usually takes 6-12 months until the next one. I would go for the GRC 10.0 certification.

Comment From Guest: Is it comparable in terms of workload to set up user request workflows compliant user provisioning tool (CUP 5.3) or Manage and Provision users (10.X) for a workflow of similar complexity? How different is the setup from one GRC version to the other? Are there predefined templates available in 10.X?

Kurt Hollis: The workflows are pre-delivered and can be almost ready to use out of the box, just like in AC 5.3. There are steps to make assignments and configure them before using. They are delivered in the BCSET. You can set up using the SPRO and IMG. The setup is more of a learning curve and a bit more complex, but a lot more powerful.

Comment From Gadde Kiran: What are the new reporting capabilities in GRC AC 10.1 and what is the process to migrate GRC AC 10.1 from all previous versions?

Kurt Hollis: Hi Gadde: The reporting capabilities in GRC AC 10.1 are similar to 10.0 and expanded once integrated with SAP HANA. See the post about the GRC HANA reporting prior.

The upgrade from GRC 5.3 is a Java to ABAP migration and involves extra steps to migrate the Java-based data into a new build of GRC 10.1 on ABAP.

The upgrade from GRC 10.0 to GRC 10.1 is a more straight forward ABAP NW 7.02 or 7.31 to NW 7.40 ABAP-based systems upgrade, basically on version upgrade. The data and application will not be changed much and then you can take advantage of the new release features of 10.1. See the prior post on the new release features of 10.1.

Comment From Guest: Do you suggest any kind of validation reporting to use when validating the migration was successful?

Kurt Hollis: During the import of the migrated data, it is validated and logs exist. Once the data is imported, you can view the data either in the application set-up screens or view the contents of the tables. You can also download the data and compare it using spreadsheets if not too large of data. This is one area that is more intensive work. The migration tool aids in filtering, transformation of data, the validation of the loading of the data, but detailed verification and comparing is very manual work.

Not as automated as we would prefer, but still a good process to work with during migration. The best practice is to make sure the export is as clean as possible before the import; this saves cleanup later in the new system.


Allison Martin: Thanks to everyone who joined us today! For more GRC advice and tips, be sure to join Kurt and all our speakers at GRC 2014, March 18-21 in Orlando. We hope to see you all in Orlando this spring!

Kurt, thank you again for taking these questions today. Looking forward to seeing you again in Orlando!

Kurt Hollis:  Allison, as always, thanks for having me today for this Q&A on GRC 10.1 release. A lot of great questions and information shared to all. I am looking forward to the GRC conference in Orlando in March and seeing all of you there.

All New Content for October on the SAP Customer IT Hub!
Get quick and easy access to the wealth of knowledge, resources, tools, support and services that are available to all SAP customers.

An email has been sent to:

More from SAPinsider