Q and A


GRC 10.0 architecture - What’s changed? A Q&A on preparing for SAP BusinessObjects GRC with Kurt Hollis

by Allison Martin

I recently moderated an online Q&A with Kurt Hollis on the GRC 10.0 architecture. During this one-hour Forum, Kurt Hollis took questions on the 10.0 release of the SAP BusinessObjects GRC suite, its new features and its streamlined architecture: what has changed, how it simplifies the life of system administrators and architects, and tip for  preparing for the new release.

 Kurt took questions on a range of topics, such as Access Control migration, dedicated  server requirements, tips on installing Content Lifecycle Management, performance issues with risk analysis, virtualization of AC solutions, and other topics.

You can review all the all the posts in the Forum here, or read the following edited transcript of the discussion:

Allison: Welcome to today's forum on GRC 10.0 architecture, with Kurt Hollis of Deloitte. Kurt is a featured speaker at GRC 2012 in Las Vegas this March, and will be presenting a session on SAP GRC architecture, with a focus on the 10.0 release.

This is an opportunity to ask your questions about the GRC architecture, sizing, migration, and other technical questions about the systems behind the new GRC release.

Welcome, Kurt, and thank you for joining us today! I know there are already some questions posted for you , so we can get started right away.

Kurt Hollis: Thanks Allison for having me at today’s Q&A.  Please ask your questions in the posts and I will do a quick reply with information and answers. 

BethLescano: Hi Kurt, Is CLM a required component for GRC?

Thanks, Beth

Kurt Hollis: Hi Beth: 
CLM is optional component.  But it may be needed if you plan to bring in content from partners into the GRC system.  This is most useful for Process Control.  I always install the CLM in GRC 10.0 ABAP system knowing it will become more useful in the near future for delivered content.  Make sure you use the later support packages with it. Lots of fixes recently.

Jamie A Carder: This is Jamie Carder of Eastman Chemical. We have the following question: Can GRC 10.0 co-exist with the SAP Business Suite (ie ERP, SCM, CRM, BI)?

Kurt Hollis: GRC 10.0 needs to be installed on its own system based on NetWeaver 7.02 EHP2.  It should not be installed in any Business Suite product.  However, the GRC 10 system connects to all those mentioned products using the Plug-in.  This gives all those systems the GRC capabilities for Access Management and Control and Process and Risk Management.  Popular components include Risk Analysis for SOD violations, user provisioning, and role management.

Perla Priscila: Hello Kurt,

SAP systems may work with AC 5.3 and 10.0 using the same plugin. May the connector for ORACLE ERP (R12 or 11.5.9) also work for both AC versions?

Kurt Hollis: Hi Priscila:
There are adapters for Oracle provided with the SAP GRC product.  This allows for the SAP GRC system to provide AC 10.0 functions for the Oracle systems.  The plugin for SAP GRC is for the SAP ERP system only.


BethLescano: Hi Kurt,

Is the Crystal Reports adapter a separately installable component or is it bundled with the GRC10 installation?



Kurt Hollis: SAP Note 1353044 - Installation Guide CR Viewer for SAP Business Suite Apps

praveenkumaraakula: Hello Kurt- We are on AC 5.3 planning to upgrade to AC 10. I have below concerns. Could you tell us what will happen to the following:

1. Firefighter logs

2. UAR review history

3. Password Self Service registration



Kurt Hollis: Hi Praveen: Good question, what happens to AC 5.3 data.

The AC 5.3 is not upgraded, but migrated. This means you get a tool to export the data out of the AC 5.3 system.  This is mainly for the configuration, rules, roles, and more. Not all data is migrated. Since the GRC 10 is built on ABAP, you can keep the AC 5.3 system for a while for historic data. 

I do not think the FF logs are migrated from the backend system, but all the FF's, owners, controllers are. The same is probably true for the UAR history.  Password self-registration will require some post setup after migration, I am sure. 

I will check the Migration guide and reply back.  The migration guide is available from the or the service portal.


BethLescano: Hi Kurt,

Is the Crystal Reports adapter a separately installable component or is it bundled with the GRC10 installation?



Kurt Hollis: The Crystal Reports adapter is a fr ont end software component much like an Adobe Reader component.  It gets installed on the user’s laptop or computer and is needed to view the Crystal Reports. 

This eliminates the need for Business Object Enterprise server for the Crystal Reports viewing. These reports are very nice. The adapter is downloaded separately from SAP service portal.  See the note SAP Note 1353044 - Installation Guide CR Viewer for SAP Business Suite Apps.

patrickweyers: Hi Kurt,

For AC 5.3, the implementation team had to look after a number of server-side settings that were not immediately obvious (such as a LOT of disk space for background job spool files, database indices for analysis performance). There was a particular bottleneck when it came to running a risk analysis via web service from e.g. the Compliant User Provisioning component (as opposed to running it directly in the RAR component) that put a technical limit to how many risk violations could be handled (including occasional server crashes if the maximum was exceeded).

How do these things relate to GRC 10 and specifically the Access Control part? Does the risk analysis still operate with such spool files? This needs to be considered when sizing the hardware. Is the risk analysis from the access request now better integrated?

Thanks a lot,


Kurt Hollis: Hi Patrick:

Good question.  The AC 5.3 RAR is a more intense application than many realized at first -- the jobs and disk space, and how the other applications called the risk analysis through web services and limitations you mentioned. 

With GRC 10, all the risk analysis is accessible by all of the AC applications directly because now everything is set up integrated toget her. Risk analysis calls are faster, and without using web service calls (unless externally done from another product).

The jobs are much more robust and can scale across many batch processes -- you set the limits.  The job logs are stored in the database and not externally.  These are efficiently stored.  The space for the Risk analysis can be large tables, but this depends on the setup and restricting the risk analysis to only what should be analyzed and not everything. 

I saw everything needed 20-30GB space but later after setup correctly, only needed 10GB per system analyzed.

Much better system then AC 5.3.  This is a very good move to go to GRC 10.0


MohamedFairisBinOsman: Hi Kurt,
Can AC10 be installed on a virtual environment/servers?


Kurt Hollis:  

Yes, the GRC system can be installed on Virtual systems.  Memory reservation should be considered for this system at least 8GB and maybe more.  The system is best to have 2 CPU minimum.  Jobs run at night, the user interface is Web (NWBC) and the number of users is usually low on the system.  So a good candidate for Virtualization.



BethLescano: Hi Kurt,

How can we use CLM for AC10?




Kurt Hollis: Hi Beth:
CLM is ready for use now (it was a bit delayed), but has limited use with AC10.  It is really meant for Process Control content right now.  It does work with the master data for all the applications in GRC though.  It is here for the future content exchanges with partners and to load external data in the system.  Old tool called MDUG is not used anymore.


Perla Priscila: Hello Kurt,

When doing a system copy of AC 10.0, which would be some specific considerations, aside from the ones that apply for a typical ABAP system copy procedure and RFC connections.

Best regards,

Perla Silva

Kurt Hollis: I have done system copies and client copies of GRC 10 systems.  The main consideration is the connectors to the other systems.  After a system copy, if you want to keep the master data associated with a certain connector and use this data, you must keep the connectors the same name.  The data is stored with the connector name.  I have cleaned out the tables and reloaded them after a system copy using new connectors.  This is only supported for non-production systems of course.  No other issues exist other than handling all the connectivity issues after the copy.


Jamie A Carder: This is Eastman Chemical.

We have AC5.3 but have only the RAR portion because we were a VIRSA user.

When we migrate to GRC 10.0 do we need to run the portions of the instructions which relate to SPM, CUP, ERM which we do not have for RAR? That is, is any of this data required as master data in some form?

Kurt Hollis: Hi Jamie:

Use can just migrate the RAR configuration, rules, and data to GRC 10.0.  You use the new migration tool to get the desired data out of the system.  Map to the new connector name.  Only need to migrate the RAR data.


Jamie A Carde r: Can we run with our current AC5.3 connectors and the new GRC 10.0 Plug-in in parallel for user testing?

Kurt Hollis: Hi Jamie:
The Plugin as of SP5 contain both the GRC 10.0 plug-in and the support for Access Control 5.3 at the same time.  Just be careful, the SAP note tells you what SP levels the AC 5.3 is supporting with the GRC 10 SP levels.  You need to match the SP levels up so this works right.

So yes, giving those considerations, you can run them in parallel.


Perla Priscila: Thanks, Kurt.

We are planning to upgrade from AC 5.3 to AC 10.0. Our concern is that the Oracle systems might have to be scheduled, to update their xPAC for connection, at last.

Since only SAP systems might start updating to the plugin first and continue working in AC 5.3 SP16, meanwhile our implementation of AC 10.0 is available for them to operate.

Kurt Hollis: Hi Priscila:

Yes, valid concerns you have.  The xPac timing is important if the data structures in GRC 10 have changed for them.  I do not know without further checking if the structures changed.  New xPAC connectors are available from the SAP downloads.  Maybe you run setup the new xPAC connectors to get these tested.  You will need to setup the connector names early in the GRC 10 config since so much depends on them.  This can be added in stages though.  Good that you are thinking this through the steps to make a valid plan. 


Allison: Thanks to all who posted questions and followed the discussion!

A full summary of all the questions will be available here in the Compliance Forum, and you can meet Kurt in person and attend sessions on SAP GRC at our annual GRC 2012 conference next month at the MGM Grand in Las Vegas, March 13-16, 2012. 

Finally, thank you to Deloitte’s Kurt Hollis for taking the time to respond to these questions.

Kurt Hollis:  Yes, and thanks for all the questions today.  Lots of good questions around the upgrades and migrations.  Lots of this will be covered at the conference.

Thanks Allison for having me at this discussion.

Allison:  This concludes today’s Forum with Kurt Hollis. If you have additional questions, you can also post it for the entire community by selecting "New Thread" in the Compliance Forum. For additional GRC information, the Compliance Forum archives past Q&As and we'll continue to update you on future live Forums.

Thanks again for a great discussion! I look forward to seeing you all at GRC 2012 in Las Vegas.


An email has been sent to:

More from SAPinsider


Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!