Get answers to your questions on SAP Access Control 10.1 implementations, from budget and personnel resources to common pain points and blueprinting best practices.
Meet the panelist:
Dylan Hack, Deloitte & Touche, LLP
Dylan Hack is a Manager with Deloitte & Touche, LLP. He has 15 years of SAP project experience with global clients in the USA, Canada and Europe. Since 2003, he has focused on SAP security & privacy and IT governance projects. Dylan has led onsite and outsourced teams for global GRC implementations across several industries including: pharmaceutical, high-tech, media/entertainment, automotive, consumer products, and telecommunications.
Kendall Hatch: Hi, and welcome to our Live Q&A, focusing on SAP Access Control 10.1 implementation best practices. We’re joined today by Deloitte’s Dylan Hack, who will be taking your questions for the next hour. Dylan will also be speaking on this subject at the upcoming SAPinsider GRC conference in Las Vegas. Thanks for joining us, Dylan!
Dylan Hack: Hello and welcome to this Q&A session. I’m very happy to be here — thanks for allowing me to occupy your time for the next hour. I’ll do my best to answer your questions today. If I am unable to fully answer your question, just let me know and I’ll do my best to answer it offline after this Q&A.
Comment From Kenny: What SAP Fiori applications are available for governance, risk, and compliance (GRC)?
Dylan Hack: There are many SAP Fiori GRC apps available and SAP is continually adding new ones to the list. The full list of GRC and non-GRC SAP Fiori apps can be found on http://help.sap.com and the SAP Fiori Apps Reference Library (https://fioriappslibrary.hana.ondemand.com/sap/fix/externalViewer/), but here are a few to list for you here: Compliance Approver, Request Access for Others, Access Approver, Check Request Status, Access Risk, Mitigation Control, and so on.
Comment From Kenny: What version of SAP GRC solutions is required for any related SAP Fiori GRC apps?
Dylan Hack: According to SAP, SAP Fiori is recommended to be installed on SAP Access Control 10.1 support pack 10 or higher. I believe the beta version was available for lower support packs, possibly including 10.0, but there have been many corrections and updates to the software. Further technical help can also be found on http://help.sap.com.
Comment From Rosmin: Is there a download available to practice SAP on modules such as finance, material management (MM), and so on?
Dylan Hack: Great question. I’d recommend starting with SAP’s own training courses on http://open.sap.com as they offer a wealth of both functional and technical courses. The content is approved and operated by SAP.
Comment From Anton Gavrilenko: We are interested in using GRC Access Control functionality to manage our organization structure and user authorizations, like HR functionality (transaction OOSB). We know that in earlier versions of SAP Access Control this was not supported. And what about the new version? What is the best practice in this case?
Dylan Hack: I hope I understood your question correctly. As of SAP Access Control 10.0, the system supports “HR Triggers” functionality to assign roles to positions and/or users. The HR actions that represent hiring, terminations, and position changes are sent to GRC which then triggers a specific workflow. This also works in SAP Access Control version 10.1. There are pros and cons to using HR Triggers. It's more complicated to set up and maintain than traditional user provisioning, but can be useful for very large organizations (>30,000 SAP users).
Comment From @SAPTrainer: Speaking of cutover, am I correct to presume that there is no easy/automated way to migrate in-progress (OPEN) 5.3 requests into 10.1? We are working under the presumption that any OPEN request in 5.3 must be re-entered from scratch into 10.1. Your thoughts?
Dylan Hack: That is a correct assumption. No open requests for SAP Access Control (or SAP Process Control) can be migrated. Per the SAP Migration Guide on http://service.sap.com/instguides, they recommend closing all open requests before migration or running both in parallel until completed.
Comment From Morten: What are prerequisites for installing GRC plug-ins and foundation packages?
Dylan Hack: It depends on which support pack version of the plug-in and foundation package you are installing. As time moves forward, minimum requirements tend to go up. The good news is that these items are well documented for the version that you would be planning to install. The best instruction is to have the Basis team download the version you need and list out the minimum requirements. The barebones minimum size that I’ve seen recommended is 2 CPU, 16GB RAM, and 200GB space, but that’s just barely squeaking in for a development system.
Comment From Faizel: Can I migrate just the ruleset from 5.3 to 10.1, and what is the best way to do this?
Dylan Hack: Yes, actually SAP provides a nice conversion tool for this process. You can install a migration pack on 5.3 that allows you to export various data, including the rule set, and then import to 10.x with transaction GRAC_DATA_MIGRATION. The GRC Migration Guide can walk you through step by step. I still use it even after several migrations.
Comment From TAB: What is the primary reason to upgrade to 10.1?
Dylan Hack: It depends on what version you are upgrading from. There are major differences from 5.3, but even if you’re just moving from 10.0 to 10.1 there are a couple of things that come to mind:
1) SAP UI5 is upgraded in 10.1 which allows the use of the "simplified" inbox and request screens
2) SAP Fiori can be connected to GRC for mobile device access request approvals.
Comment From Terry T: What's the best way to monitor usage of specific critical tcodes (such as Basis tcodes) using SAP Access Control 10.0? We don't have SAP Process Control activated at this time.
Dylan Hack: To monitor the “usage” of the critical transaction codes, you can set up alerts in the GRC IMG. It's really handy — as a prerequisite you need a Critical Risk setup with an owner, you need to run the action usage synchronization jobs, and then set up the alert. You might want to customize the notifications to be more instructive, but otherwise, it's fairly simple to set up. The risk owner will be notified if the user runs a critical transaction.
Comment From Faizel: We are upgrading to 10.1 from 5.3. What is the recommendation — to migrate or do a fresh install and start from scratch?
Dylan Hack: It's a bit confusing, but there is no "upgrade" from 5.3 to 10.x — it's only a migration. That means a fresh install of 10.x, then limited data migration (rules, FF, and some other master data) to the new 10.x installation.
Comment From Suraj: Are any licenses required to implement SAP Access Control?
Dylan Hack: Yes, SAP Access Control licensing is required to implement it; however, it is possible that your company may already have the licenses for it as part of their negotiation. I’d recommend starting with your purchasing representative that handles SAP licenses.
Comment From bb_wi: How big a task (or rather a project in itself) would it be to update the rule sets once we move from SAP ERP Central Component (SAP ECC) to SAP S/4HANA? Does SAP provide some automation in regards to the update of the rule sets or do we have to do it manually one by one?
Dylan Hack: That's a great question. It really depends on if you are just sitting the existing SAP ECC on top of SAP HANA or you are replacing portions of SAP ECC with SAP HANA apps. With the former scenario (placing SAP ECC on top of SAP HANA), there will not be much to do with your rule sets. However, if the latter is true, then you’ll need to go through and figure out what modules are changing. To my knowledge, so far there are no conversion programs for moving SAP ECC rules into an SAP S/4HANA format.
Comment From Guest: I would like to take the responsibility for approving FFID requests and subsequently reviewing the changes from IT Security and place the responsibility in the hands of management. Is it possible via a workflow to have management review FFID logs and systematically approve or comment on changes?
Dylan Hack: Hopefully I understand the question correctly. Obviously, you can have workflow set up to send you provisioning approvals and also for subsequent review of activities. From there, during the review, you can “forward” the request to another reviewer if you have the authority. That person could then be the final approver if that is what you wanted. I've enabled “forward” often in the past; it's an MSMP workflow option in the Firefighter approver stage.
Comment From Lianne: How does security role design factor into 10.1? Our company is currently on version 5.3 and has been told in the past (via consulting firms) that our current security role design (which includes value roles and enabler roles) may not be optimal for version 10.1 and that we should consider redesigning in advance of migrating to the latest GRC version.
Dylan Hack: The answer is pretty easy. If the role design is not optimal for current processes today, then it won't be optimal for anything else. While any existing role design can be entered into GRC, I would agree that if possible, it would be better to start GRC with the correct role design. The reason is that the role design in GRC affects how roles are selected and filtered from the Access Request screen. Still, it depends on your priorities, you can do the redesign earlier or after — I've seen it happen both ways.
Comment From Jo: We moved to SAP Access Control 10.1 last year and we are interested in sending the segregation of duty (SoD) reports periodically directly from GRC as we did on the version 5.1 (using the job scheduling and sending directly to the user’s email). What is the alternative to this on 10.1?
Dylan Hack: The only SoD report emails I am aware of are:
1) The SoD review workflow process
2) Critical risk alerts
The SoD review starts a workflow review process for SoD conflicts that are found in the system based on the selection criteria you choose, and the critical risk alerts will send an email to notify the critical risk owner if an activity was actually performed by the user that matches to the critical risk.
Comment From Jason B: When first executing tcode SU25, we see the following: "Have you checked SAP Note 440231 for current information?” We checked that note, and it states to implement 14 different notes, all relating to SU24 and SU25. Would it be advised to implement all these notes?
Dylan Hack: Thanks for sending the technical questions, but in general I can say for this question that when notes are referencing many other notes and dependencies, then each one needs to be checked and evaluated and likely implemented. Occasionally this happens. My best recommendation is to stay as current as possible with the latest support packs; otherwise you could end up implementing a few dozen notes if the specific fix is for a feature that is relatively new or underutilized by mainstream users (for example, SoD review).
Comment From CG: Can 10.1 run an SoD report for multiple users that have more than one SAP ID?
Dylan Hack: Yes, but by default it will evaluate each ID separately. Otherwise you will need to map the IDs together for the same user in the IMG. It's a manual task unfortunately.
Comment From Shyam Iyer: We are considering a fresh GRC implementation. How important is the role design adopted in SAP ECC? Are there any specific prerequisites that need to be in place in the current setup, especially with respect to naming conventions and structure of the roles (master/derived roles, composite roles, enabler roles, and so on)? This is specifically with respect to a very loosely built up environment which requires a lot of rework and redesign.
Dylan Hack: Check out the previous post on this subject, but another thing you can think about if a role redesign is not an option is to consider making smart use of the other role metadata that is in GRC that can be configured, like business process, sub-process, criticality, sensitivity, and other fields. These can be used as role selection criteria in user access requests, which could make your user experience easier.
Comment From Bryan: This is more of a general question: If one is familiar with SAP Access Control 10.0, what major differences does a GRC admin/support person need to be aware of when embarking on a 10.1 upgrade or implementation? Is it a complete retooling of one's knowledge in the past? Would it require extensive training to be able to support 10.1? I keep hearing it is "different" but no details.
Dylan Hack: If your GRC support person is experienced with 10.0, then the learning curve for 10.1 is little to none. I haven’t done the Basis activities for several years, but the biggest differences between SAP Access Control 10.0 to 10.1 are all on the Basis side. For regular SAP Access Control administrators, the biggest effort is getting to know the advantages of Simplified Request, SAP Fiori, and reading up on any new features.
Comment From Kailas: We are on 10. We want to know how we can connect to SAP SuccessFactors Employee Central to 10.1. This will allow us to automate terminations.
Dylan Hack: There are two great documents to start with: "SAP Access Control–SAP SuccessFactors Integration" and "SAP SuccessFactors Integration with SAP Access Control", both dated December 2015. I don't have the specific link, but they are available on the SAP Service Marketplace.
Comment From Guest: Do you recommend using the new “simplified request” form? If so, are there any gotchas that we should be aware of? Also, has anything major changed with the user access review process? With the previous versions of GRC, we were told not to use the role certification process — is this improved with 10.1?
Dylan Hack: Yes, I do recommend using the "simplified request" screen, especially if requests are being performed by end users; otherwise, the traditional request screen offers more flexibility for more experienced users. Regarding user access reviews, there have been only small changes in display features from 10.0 to 10.1. Unfortunately, there have been a few bugs with it in earlier support packs. So when implementing, get caught up on the latest support packs first. About recertification, I haven't recently used it. I'm unable to provide an opinion on it at the moment.
Comment From Sai: We are interested in using SAP Fiori with 10.0. We are not finding any documentation on this. I saw your earlier response. Is there any specific SAP help page you can direct me to know more details about the technical information regarding this?
Dylan Hack: SAP Fiori will first need its own environment set up in general. This will need to be completed as a prerequisite by the Basis team. Then, I’d recommend that you go to http://help.sap.com/fiori and http://www.sap.com/product/technology-platform/fiori.html to explore all the implementation documentation and videos on the website.
Kendall Hatch: That just about wraps up our time today. Thanks to all who posted questions and followed the discussion! We'll be posting the transcript of this discussion on SAPinsiderOnline. This topic will also be covered in depth at the upcoming SAPinsider GRC conference, running March 21-24 in Las Vegas. For more information, click here.
Finally, thanks to Deloitte’s Dylan Hack for taking the time to respond to these questions today!
Dylan Hack: Thank you for your questions today, I have really appreciated your support and participation! I’ll post some transcript responses to questions I was not able to answer online today. If you plan to be at the GRC conference in Las Vegas, come and see me on Wednesday, March 22 at 11:30am for the presentation “Take the stress off your SAP Access Control 10.1 implementation.”