The Latest on Moving to SAP GRC 10.x: Q&A with James Roeske

February 19, 2015

Thank you to all who joined us for our online Q&A on Access Control and moving to SAP GRC 10.x.

Review all the discussion with GRC 2015 speaker James Roeske in the chat replay, and read the edited transcript, below.

SAPinsider: Looking forward to our chat with GRC 2015 speaker James Roeske on the latest on GRC 10.x.

Thomas Bliss, GRC 2015 Conference Producer: Thanks to everyone for joining us for today’s Q&A. 

I’m pleased to have GRC 2015 speaker James Roeske of Customer Advisory Group joining us today on preparing for migration to SAP GRC 10.0 and 10.1.  Great to have you here, James! 

James Roeske, Customer Advisory Group: Thanks Thomas for the opportunity!

Thomas Bliss: James, to kick off the Q&A, I just want to ask a first question about the buzz around end of maintenance for SAP GRC. Can you talk about where we are now with sunsetting of 5.3? 

James Roeske: Yes, Thomas, unfortunately our tried and true version 5.3 support is coming to an end at the end of this year. So I believe this is a very timely discussion for customers looking to upgrade to the 10.x version. Although I'm sad to see 5.3 come to the end of its support cycle, I'm pleased to say that version 10 does bring a lot of enhancements, new functionality, and better integration to the table for customers.

I see we already have several great questions from the audience, so I will jump right in and start to answer them and giving my insight on GRC 10.x.


Comment From Joshy K R

We are in GRC 10.0 (SP12). User Access Management in all SAP system is carried out through the GRC application. We are planning to upgrade our Business Intelligence (BI) system to HANA. In view of the above, kindly clarify whether SAP is planning to provide a Support Pack which enables user access management of the HANA system through GRC 10.0. Or will we need to upgrade our GRC system to GRC 10.1 for the same?

James Roeske: Hi Joshy, No, the prime differentiator between GRC AC 10.0 and 10.1 is that 10.1 is the version that has HANA compatibility. It does not mean that 10.1 needs to run on HANA; rather it means that it can connect to HANA type connectors.
So long story short, no, SAP will not be providing HANA support to 10.0 via a Support Pack. You will need to transition to version 10.1 to connect to your HANA backend systems.


Comment From Trevor

How big of a task do you think it is moving from 10.0 to 10.1?   

James Roeske: The transition to 10.1 from 10.0 is actually more of a technical project and not really a functional upgrade. I describe it as similar to a large Support Pack. Basically it will involve your basis team upgrading the GRC system as well as your plugin versions on the back end systems. There is no need to do data migrations, etc., in this process.
But I do suggest that you plan a full testing cycle, as well as backup everything, so you know that things will be working the way you want them to after the upgrade from 10.0 to 10.1.


Comment From Joshy K R

We are using template-based request in GRC 10.0. There is no mention of this in GRC 10.1. Is the same available in GRC 10.1 or is replaced by ‘Simplified Access Request’?

James Roeske: Yes, Template requests still exist in 10.1. They work exactly the same as they do in 10.0. Simplified Access Requests are additional functionality in 10.1 and not a replacement to templates.


Comment From surender Chimarla

If a customer wants to go from GRC 5.3 to GRC 10.0 or 10.1, what are the basic steps?

James Roeske: As a first step I suggest your refer to the SAP guide/manual that SAP provides on this topic of " Migration.” This manual documents the steps of transitioning your data from 5.3 to 10.x. It also outlines the data that is not moved using the standard tools provided by SAP, but that will need to be re-created.
The nice thing is that both 5.3 and 10.x can co-exist with each other, which means that during your project you can have both running side by side.

Comment From surender Chimarla

Thanks a lot, James.


Comment From Mychele

We have upgraded to GRC 10.0. What main features would you say are a reason to move to 10.1?

James Roeske: The biggest one is HANA support. The next is Fiori Support for Access Requests via the new graphical interface that SAP is rolling out with their Fiori initiative. If these new technologies are not a key driver for you, then the simplified inbox and simplified Access Request form might add value to your organization as well.


Comment From Joshy K R

We find that a new concept ‘Environment’ has been introduced in GRC 10.1 to provision business roles to a select set of systems. In our scenario, along with role assignment we often also need to carry out user master data changes in the relevant back-end system. So in 10.0 we add the relevant back-end system as a line item along with Business Role. Does ‘Environment’ also enables user master change in the underlying systems, or only enables you to control the system where provisioning of roles is carried out?

James Roeske: Yes, Business Roles are a new feature and new role design concept in 10.x which we never had before.
The definition of a Business Role is basically that of a "Cross System Composite" way of bundling many roles together so a user can pick one thing in ARM and gain access to multiple systems and roles across the environment. Being that Business Roles have this definition, having a user pick a single system on their request is rather redundant, so Business Roles are more generic. Basically your update will occur in the system where the provisioning is being carried out.


Comment From Rene Griffith

For Access Control, ARA, and EAM, what are the key differences between 10.0 and 10.1?

James Roeske: From the perspective of ARA and EAM, the changes are not that significant. There is a new look and feel including the color theme and icons to the NWBC menus.
From a technical perspective, most of the bug fixes and enhancements are replicated between 10.1 and 10.0. The primary differences would be on the ARM side and, of course, connecting to HANA systems, which only 10.1 can do.


Comment From Alka Paradkar

Hi James, we are moving from GRC 5.3 to 10.0. GRC 5.3 has been set up with LDAP ID. However, GRC 10.0 is already configured with unique ID (we call it worldwide ID). Does the 10.0 version have a functionality to map two different IDs so that user authentication, risk analysis, and the user access review run successfully?

James Roeske: Yes, there is functionality in the system called User Mapping, where you can tell the system that my ID might be JROESKE in LDAP but JAMESR in SAP. This map allows GRC to keep things straight and unite a single entity to a person. This is located in SPRO under GRC.


Comment From Rene Griffith

This may not be a GRC 10 question per se, but SAP is also sunsetting CUA. Can anyone explain why that is?

James Roeske:  The rumor that SAP will be sunsetting CUA has been spread for many years now, but to be honest I have not received formal confirmation from SAP that this is true. I personally believe that IDM functionality needs to evolve and be formally accepted more in the SAP user community before SAP would formally sunset CUA.


Comment From Trevor

Our management always wants to know how long it took for an approver (role approver / supervisor / BRF approver) to process a request once they received it, e.g., how long it sits at a particular stage or approver. I know you can configure SLAs, but those are more for the whole request. Is that type of reporting available in 10.x?

James Roeske: The audit trail of every request would provide the level of detail you are looking for, but I agree: Outside of SLA there is no easy general report to mass look at these times.
One approach that I use is putting escalation timers on stages. So you would put 2 days as a timer on a stage and then it would get escalated after 2 days to an alternate approver - maybe the person's superior.
I find that I can also speed up the process when people know that it gets escalated if they don't take action. But this is an approach of enforcement, rather than reporting.


Comment From Trevor

What do you view as the biggest "wins" out of 10.1 vs. 10.0?

James Roeske: The biggest wins are:

1. Being on the latest and greatest from SAP, as they tend to focus development efforts on the latest releases.

2. Support for HANA and Fiori.

3.  User experience with the simplified forms in ARM and the enhanced icons and theme in NWBC.
I recommend to all my customers upgrade to go to 10.1 right away even if they have no need for HANA support, etc.


Comment From Richard

We need to upgrade to GRC 10.x from 5.3. After we build a GRC system and add plugins to the backend systems, how do we actually get these systems to communicate with each other? Is there a document describing what we need to do?

James Roeske: It sounds like you need to complete your connector configuration in the GRC system. The connectors are the way the GRC system is able to talk to the back end systems via RFC and the plugin you already installed. Instructions on Connector configuration are located in the SAP GRC Install guide.


James Roeske: Thank you for attending!


Comment From Diane

We are looking at upgrading from 5.3 to 10.1. What are the major differences?  

James Roeske: The most significant difference is the platform the software is running on. In 5.3 you were using NetWeaver-based software. Now in 10.0 and 10.1 you are on an ABAP platform. Plus the navigation and end user experience is much more consistent and streamlined now in the 10.x version.
Other functionality enhancements that customers really like are Centralized firefighter and Workflow-enabled Firefighter log review, which was not possible in 5.3.


Comment From Jon F

In SAP WM an RF user must be maintained in the module via transaction LRFMD. We have CUP 5.3, which doesn't maintain those entries. Does Access Control 10.x enable provisioning these additional requirements? Otherwise, can the workflow not end at provisioning, but have a post-provisioning stage? At this "post-provisioning" stage, a request could go stop at the security to manually maintain the entry.

James Roeske: Very good question. Just like 5.3, version 10.x does not perform the LRFMD task either.  But you are very correct, in that you could design your workflow to have this additional notification and stage sent to the agent that performs this step manually in the system. That way you have automatic notifications to the person as well as an audit trail showing that they were sent a workflow task to perform the manual step.
We have much more flexibility in workflow configuration now in 10.x than what we could do in 5.3. But you are correct; it still will not automatically provision to LRFMD.


Comment From surender Chimarla

In 5.3, we used to create JCo's and now in GRC 10 we are using connectors. Even in 5.3, custom detonators used to trigger workflows, and in 10 MSMP with BRF. So should we go for a new setup with all ABAP, based on connectors, with new workflow design using MSMP BRF while migrating?

James Roeske: Being that the workflow engine has now changed to MSMP and BRF (SAP Standard workflow) compared to the GRC-specific workflow engine we had in the past, there is no real migration path for workflow that is automated. It is like comparing apples to oranges.
Therefore, yes, you will need to rebuild your workflows, as well as build the BRF rules to match your triggering events.

Thomas Bliss: Thanks again, everyone, for all your great questions. James Roeske will be presenting two sessions at GRC 2015 on SAP Access Control functionality, use cases, and business role management features.   

And thanks again to James Roeske of Customer Advisory Group joining us today. Looking forward to seeing you Vegas in just a few weeks, James! 

James Roeske: Thank you everyone for attending. If you would like more details of what it takes to perform a successful GRC upgrade or require any SAP GRC or Security services contact me at:
t +1-888-477-4950  | m +1-510-270-5557 |


An email has been sent to:

More from SAPinsider