Beruflich Dokumente
Kultur Dokumente
SAP GRC
Access Control™ 5.3
SAP AG
Walldorf, Germany
T+49/18 05/34 34 34
F+49/18 05/34 34 20
H www.sap.com
SAP GRC Access Control 5.3 Upgrade Guide
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission
of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software
vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries,
xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner,
WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or
registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered
trademarks of Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium,
Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented
by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
Virsa, Virsa Systems, Access Enforcer, ComplianceOne, Compliance Calibrator, Process Control, Continuous Compliance,
Firefighter, Risk Terminator, Role Expert, the respective taglines, logos and service marks are trademarks of SAP Governance,
Risk and Compliance, Inc., which may be registered in certain jurisdictions.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all
over the world. All other product and service names mentioned are the trademarks of their respective companies. Data
contained in this document serves information purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies
(“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those
that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should
be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and
severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java™ Source
Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.
Typographic Conventions
Example Description
<> Angle brackets indicate that you replace these words or characters with appropriate
entries to make entries in the system, for example, “Enter your <User Name>”.
> Arrows separating the parts of a navigation path, for example, menu options
Example Words or characters that you enter in the system exactly as they appear in the
documentation
/example Quicklinks added to the internet address of a homepage to enable quick access to
specific content on the Web
Example Words or characters quoted from the screen. These include field labels, screen
titles, push button labels, menu names, and menu options.
Cross-references to other documentation or published works
Example Output on the screen following a user action, for example, messages
Source code or syntax quoted directly from a program
File and directory names and their paths, names of variables and parameters, and
names of installation, upgrade, and database tools
EXAMPLE Technical names of system objects. These include report names, program names,
transaction codes, database table names, and key concepts of a programming language
when they are surrounded by body text, for example, SELECT and INCLUDE.
Document History
This guide is regularly updated on SAP Service Marketplace at http://service.sap.com/instguides
-> SAP Business Objects-> SAP Solutions for GRC -> SAP GRC Access Control -> SAP GRC Access
Control 5.3.
Make sure you have the latest version of this guide by checking SAP Service Marketplace before
starting the installation.
The following table provides an overview of the most important changes that were made in the latest ver-
sions.
Version Date Important Changes
x June 2008 Initial release to customers.
1.10 December 2008 Uninstalling Access Control 5.2 or Earlier
- removed step to uninstall AC 5.2. It is not
necessary for an upgrade.
Table of Contents
1.1 DISCLAIMER ................................................................................................................................................. 8
1.2 IMPORTANT NAME AND PRODUCT CHANGES .................................................................................................. 8
1.3 UPGRADE PATH SUMMARIES ......................................................................................................................... 9
1.3.1 Upgrading Compliance Calibrator 5.2, Access Enforcer 5.2, Role Expert 5.2, and Firefighter 5.2 ....... 10
1.3.3 Upgrading Compliance Calibrator 5.1, Access Enforcer 5.1, Role Expert 5.1, and Firefighter 5.1. ...... 12
1.3.4 Upgrading Compliance Calibrator 4.0, Access Enforcer 4.0, Role Expert 4.0, and Firefighter 4.0 ....... 14
1.4 UPGRADE CONSIDERATIONS ........................................................................................................................ 16
1.4.1 SAP NetWeaver Version...................................................................................................................... 16
1.4.2 Backend System Prerequisites for Upgrading to SAP GRC Access Control 5.3 .................................... 16
1.4.3 Upgrade Documentation ..................................................................................................................... 17
1.4.4 Upgrading Real Time Agents .............................................................................................................. 18
1.5 THE UPGRADE PROCESS .............................................................................................................................. 18
1.5.1 Downloading the SAP GRC Access Control 5.3 files............................................................................ 19
2 UPGRADING COMPLIANCE CALIBRATOR 5.2....................................................................................... 20
3 UPGRADING ACCESS ENFORCER 5.1 AND 5.2 ....................................................................................... 21
3.1 PRE-UPGRADE PROCEDURES ........................................................................................................................ 21
3.1.1 Back Up Your Existing Access Enforcer Implementation: .................................................................... 21
3.1.2 Process HR Triggers (for systems that have SAP HR) .......................................................................... 21
3.1.3 Uninstall Previous Version of Access Enforcer .................................................................................... 22
3.1.4 Download SAP GRC Access Control 5.3 Files..................................................................................... 22
3.2 CONFIGURE MEMORY SETTINGS .................................................................................................................. 22
3.3 INSTALL SAP GRC ACCESS CONTROL 5.3 (COMPLIANT USER PROVISIONING) .............................................. 22
3.4 IMPORT SAP GRC ACCESS CONTROL 5.3 (COMPLIANT USER PROVISIONING) ROLES .................................... 23
3.5 UPGRADE SAP GRC ACCESS CONTROL 5.3 (COMPLIANT USER PROVISIONING) DATA .................................. 23
3.6 IMPORT SAP GRC ACCESS CONTROL 5.3 (COMPLIANT USER PROVISIONING) CONFIGURATION DATA ........... 23
4 UPGRADING ROLE EXPERT 5.2 ................................................................................................................ 25
4.1 UNINSTALL THE CURRENT INSTALLATION.................................................................................................... 25
4.2 INSTALL SAP GRC ACCESS CONTROL 5.3 (ENTERPRISE ROLE E XPERT) ........................................................ 25
4.3 POST INSTALLATION CONFIGURATION ......................................................................................................... 25
4.4 UPGRADE TO THE NEW SOFTWARE .............................................................................................................. 26
4.5 ORGANIZATION VALUE MAPPING (OPTIONAL) ............................................................................................. 27
5 UPGRADING COMPLIANCE CALIBRATOR 5.1....................................................................................... 28
5.1 PRE-UPGRADE PROCEDURES ....................................................................................................................... 28
5.2 INSTALL THE CONVERSION UTILITY AND COMPLETE THE TECHNICAL INSTALLATION .................................... 29
5.3 IMPORT RULES INTO SAP GRC ACCESS CONTROL 5.3.................................................................................. 29
5.4 VALIDATE THE RULE LOAD ......................................................................................................................... 30
5.5 VALIDATE THE MITIGATION TABLES ........................................................................................................... 30
6 UPGRADING ROLE EXPERT 5.1 ................................................................................................................ 31
6.1 UNINSTALL ROLE EXPERT 5.1 ..................................................................................................................... 31
6.2 PRE-CONFIGURE THE INSTALLATION ............................................................................................................ 31
6.3 INSTALL SAP GRC ACCESS CONTROL 5.3 (ENTERPRISE ROLE MANAGEMENT ) ............................................. 31
6.4 UPGRADE TO SAP GRC ACCESS CONTROL 5.3 (ENTERPRISE ROLE MANAGEMENT ) ...................................... 31
6.5 PERFORM POST-INSTALLATION CONFIGURATION ......................................................................................... 32
6.6 ORGANIZATIONAL VALUE MAPPING (OPTIONAL) ......................................................................................... 33
7 UPGRADING COMPLIANCE CALIBRATOR 4.0....................................................................................... 34
7.1 INSTALL SAP GRC ACCESS CONTROL 5.3. .................................................................................................. 34
7.2 CREATE SYSTEM CONNECTORS ................................................................................................................... 35
7.3 DEFINE MASTER USER SOURCE ................................................................................................................... 35
7.4 UPLOAD TEXT OBJECTS .............................................................................................................................. 35
7.5 UPLOAD AUTHORIZATION OBJECTS ............................................................................................................. 36
7.6 CREATE RULE SET ...................................................................................................................................... 37
7.7 MIGRATE EXISTING DATA ........................................................................................................................... 37
7.7.1 Data That Can Be Migrated ................................................................................................................ 37
7.7.2 Data That Cannot Be Migrated ........................................................................................................... 37
7.7.3 Migration Procedure .......................................................................................................................... 38
7.8 UPLOAD THE DATA INTO SAP GRC ACCESS CONTROL 5.3 (RISK ANALYSIS AND REMEDIATION) .................. 39
7.9 SCHEDULE BACKGROUND JOBS ................................................................................................................... 40
8 UPGRADING ROLE EXPERT 4.0 ................................................................................................................ 42
8.1 PRECONFIGURE THE INSTALLATION ............................................................................................................. 42
8.2 INSTALL SAP GRC ACCESS CONTROL 5.3 (ENTERPRISE ROLE MANAGEMENT ) ............................................. 42
8.3 EXPORT ROLE E XPERT 4.0 ROLES ................................................................................................................ 44
8.4 IMPORT ROLE E XPERT 4.0 ROLES TO SAP GRC ACCESS CONTROL 5.3 (ENTERPRISE ROLE MANAGEMENT) ... 45
9 UPGRADING FIREFIGHTER 4.0, 5.1, AND 5.2........................................................................................... 46
9.1 PRE-UPGRADE PROCEDURES ....................................................................................................................... 46
9.2 UNINSTALL THE CURRENT FILES (FIREFIGHTER 5.2 ONLY) ............................................................................ 46
9.3 INSTALL SAP GRC ACCESS CONTROL 5.3 (SUPERUSER PRIVILEGE MANAGEMENT) ...................................... 46
9.4 INSTALL SAP GRC ACCESS CONTROL 5.3 REAL TIME AGENT (RTA) ........................................................... 47
9.6 VALIDATE THE ENTRIES .............................................................................................................................. 47
9.7 UPGRADE TO SAP GRC ACCESS CONTROL 5.3 (SUPERUSER PRIVILEGE MANAGEMENT) ............................... 47
10 UNINSTALLING ACCESS CONTROL 5.2 OR EARLIER ........................................................................ 48
10.1 UNINSTALL COMPLIANCE CALIBRATOR 5.2 ................................................................................................ 48
10.1.1 For Support Pack 5 and above, uninstall the following components: .................................................. 48
10.1.2 For Support Pack 4 and below, uninstall the following components: .................................................. 48
10.2 UNINSTALL COMPLIANCE CALIBRATOR 5.1 ................................................................................................ 49
10.2.1 For Support Pack 6 and above, uninstall the following components: .................................................. 49
10.2.2 For Support Pack 5 and below, uninstall the following components: .................................................. 49
10.3 UNINSTALL ACCESS ENFORCER 5.2............................................................................................................ 49
10.3.1 For all support packs, uninstall the following components:................................................................ 49
10.4 UNINSTALL ACCESS ENFORCER 5.1............................................................................................................ 49
10.4.1 For all support packs, uninstall the following components:................................................................ 49
10.5 UNINSTALL ROLE E XPERT 5.1 AND 5.2....................................................................................................... 50
10.5.1 For all support packs, uninstall the following components:................................................................ 50
10.6 FIREFIGHTER 4.0 AND 5.1 (NOTHING TO UNINSTALL).................................................................................. 50
1 Overview
This guide is for Access Control customers who want to upgrade their existing implementations to SAP
GRC Access Control 5.3.
1.1 Disclaimer
This document reflects the status of SAP’s release planning as of December 2007. It contains only
intended strategies, developments, and functionalities for SAP solutions and is not intended to be
binding upon SAP to any particular course of business, product strategy, or development; its content is
subject to change without notice. For up-to-date information on individual SAP offerings, refer to the
online version of this brochure in SAP Service Marketplace at service.sap.com/releasestrategy.
SAP assumes no responsibility for errors or omissions in this document and does not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this
material. This document is provided without a warranty of any kind, either express or implied, including,
but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or
noninfringement.
SAP shall have no liability for damages of any kind including without limitation, direct, special, indirect,
or consequential damages that may result from the use of these materials. This limitation shall not apply
in cases of intent or gross negligence. The statutory liability for personal injury and defective products is
not affected. SAP has no control over the information that you may access through the use of hot links
contained in these materials and does not endorse your use of third-party Web pages nor provide any
warranty whatsoever relating to third-party Web pages.
Note: We highly recommend that customers who wish to upgrade from SAP GRC 4.0 products to
SAP GRC Access Control 5.3 submit a CSN message requesting a GRC contact to advise them on
the upgrade procedure.
1.3.1 Upgrading Compliance Calibrator 5.2, Access Enforcer 5.2, Role Expert 5.2, and Firefighter
5.2
Step 1 Uninstall Compliance Perform pre-upgrade Uninstall Role Perform the pre-
Calibrator 5.2 as outlined procedures. Expert 5.2. as upgrade
in section 10, Uninstalling 1. Back up existing outlined in section procedures:
SAP GRC Access Control Access Enforcer 10, Uninstalling SAP 1. Review SAP
5.2 or Earlier implementation. GRC Access Control Note 1006083
5.2 or Earlier
2. Run background job 2. Backup
HR Triggers Load existing
Data (SAP HR Install SAP GRC master data
systems only) Access Control 5.3
as outlined in the
3. Download
3. Uninstall existing master data
Access Enforcer SAP GRC Access
Control 5.3 from
implementation Firefighter 5.2
Installation Guide on
4. Download the SAP
SAP Service
GRC Access
Marketplace at
Control 5.3 files
http://service.sap.co
m/instguides SAP
Solution Extensions
SAP Solutions for
GRC SAP GRC
Access Control
SAP GRC Access
Control 5.3
.
Step 2 Install SAP GRC Access Configure memory Upgrade to SAP Uninstall the
Control 5.3 as outlined in settings GRC Access Control Firefighter
the SAP GRC Access 5.3 software as
Control 5.3 Installation described in
Guide on SAP Service Uninstalling SAP
Marketplace at GRC Access Control
http://service.sap.com/inst 5.2 or Earlier
guides SAP Solution
Extensions SAP Solutions
Step 3 Not applicable Install SAP GRC Perform post- Install SAP GRC
Access Control 5.3 installation Access Control 5.3
(Compliant User configuration (Superuser
Provisioning) Privilege
Management)
Step 4 Not applicable Import Compliant User Optionally, change Install the SAP
Provisioning Roles the default Org. GRC Access
value mapping names Control 5.3 Real
in SAP GRC Access Time Agent (RTA)
Control 5.3
(Enterprise Role
Management).
Step 6 Not applicable Import Compliant User Not applicable Not applicable
Provisioning
Configuration Data
More For more details, see For more details, see For more details, see For more details,
Info section 2, Upgrading section 3, Upgrading section 4, Upgrading see section 9,
Compliance Calibrator 5.2 Access Enforcer 5.1 and from SAP GRC Role Upgrading
5.2 Expert 5.2 Firefighter 4.0, 5.1,
and 5.2
1.3.3 Upgrading Compliance Calibrator 5.1, Access Enforcer 5.1, Role Expert 5.1, and Firefighter
5.1.
Step 1 Perform the pre-upgrade Perform pre- Uninstall Role Expert Perform the pre-
procedures. upgrade 5.1. upgrade procedures:
procedures. 1. Review SAP
1. Back up Note 1006083.
existing Access 2. Backup existing
Enforcer master data
implementation 3. Download
master data
2. Run background
from Firefight-
job HR Triggers
er 5.1
Load Data (SAP
HR systems
only)
3. Uninstall
existing Access
Enforcer
implementation
4. Download the
SAP GRC
Access Control
5.3 files
Step 2 Install the conversion Configure memory Pre-configure the Install SAP GRC
utility and complete the settings installation Access Control 5.3
technical installation of (Superuser Privilege
SAP GRC Access Control Management)
5.3
Step 3 Import the Compliance Install SAP GRC Install SAP GRC Install the SAP GRC
Calibrator 5.1 rules into Access Control 5.3 Access Control 5.3 Access Control 5.3
SAP GRC Access Control (Compliant User (Enterprise Role Real Time Agent
5.3 (Risk Analysis and Provisioning) Management) (RTA)
Remediation)
Step 4 Validate the rule load Import Compliant Optionally, change the Perform post-
User Provisioning default Org. value installation
Roles mapping names in SAP configuration
GRC Access Control
Step 5 Validate the mitigation Upgrade Compliant Not applicable Validate the entries
tables User Provisioning
More For detailed information, For detailed For detailed For detailed
Info see section 5, Upgrading information, see information, see information, see
Compliance Calibrator 5.1. section 3, Upgrading section 6, Upgrading section 9, Upgrading
Access Enforcer 5.1 Role Expert 5.1 Firefighter 4.0, 5.1,
and 5.2 and 5.2
1.3.4 Upgrading Compliance Calibrator 4.0, Access Enforcer 4.0, Role Expert 4.0, and Firefighter 4.0
Step 1 Install SAP GRC Access Not applicable Preconfigure the 1. Perform the
Control 5.3. installation by pre-upgrade
applying the xml procedures:
files from the 2. Review SAP
Archive (SAR) file Note 100608
VIRACCNT00_sar. 3. Backup exist-
ing master da-
ta
4. Download
master data
from Fire-
fighter 4.0
Step 2 Create system connectors Not applicable Install SAP GRC Install SAP GRC
Access Control 5.3 Access Control 5.3
(Enterprise Role (Superuser
Management) Privilege
Management)
Step 3 Define Master User Not applicable Map Role Expert Install the SAP
Source 4.0 attributes to GRC Access
SAP GRC Access Control 5.3 Real
Control 5.3 Time Agent (RTA)
(Enterprise Role
Management)
attributes
Step 4 Upload text objects Not applicable Manually export Perform Post-
roles from Role Installation
Expert 4.0. configuration
Management).
Step 6 Create rule sets and enter Not applicable Not applicable Not applicable
them in configuration.
Step 7. Migrate existing data Not applicable Not applicable Not applicable
Step 8. Upload existing data to Not applicable Not applicable Not applicable
SAP GRC Access Control
5.3 (Risk Analysis and
Remediation)
Step 9 Schedule background jobs Not applicable Not applicable Not applicable
Notes:
If you are upgrading from 4.0 to 5.3, SAP strongly encourages you to make the 4.0
version inaccessible to end users. To do so, use Transaction Codes: Lock/Unlock (transaction
SM01) and select the checkbox beside transaction /virsa/zvrat. In addition, use Role
Maintenance (transaction PFCG) to remove transaction /virsa/zvrat from end users security
roles.
When you migrate any 4.0 application to a higher version, refer to SAP Note 1006083.
For more information about SAFE and .NET migration, contact SAP Support on SAP
Service Marketplace at service.sap.com SAP Support Portal.
Note: For information about SAFE and .NET migration, contact SAP Support on SAP
Service Marketplace at service.sap.com SAP Support Portal.
1.4.2 Backend System Prerequisites for Upgrading to SAP GRC Access Control 5.3
SAP Notes about are upgrading SAP ERP systems are available under the Application Areas GRC,
GRC-SAE, GRC-SCC, and GRC-SRE. Examples of such notes include:
SAP Note 985617 – SAP Compliance Calibrator for SAP 700 systems
SAP Note 1001783 – VIRSANH 520_700 Install / Delta Upgrade on SAP_BASIS 700
Below are the support packages that you must apply to your SAP backend system.
SAP Backend Component If you have release Apply this support package
620 SAPKB62063
640 SAPKB64021
700 SAPKB70013
Refer to the following SAP Notes for Access Control systems with SAP HR:
SAP Note Number Title Description
Note: To upgrade your system to SAP GRC Access Control 5.3 you must also have a copy
of the SAP GRC Access Control 5.3 Installation Guide which is located on SAP
Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions
SAP Solutions for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
To upgrade to SAP GRC Access Control 5.3 on the same server as the previous installation, follow these
steps:
1. Read the chapters in this document for each of the four SAP GRC Access Control 5.3
capabilities.
2. Get the new SAP GRC Access Control 5.3 files from SAP Service Marketplace at service.sap.com.
For detailed information, see the SAP GRC Access Control 5.3 Installation Guide on SAP Service
Marketplace at service.sap.com/instguides SAP Solution Extensions SAP Solutions for GRC
SAP GRC Access Control SAP GRC Access Control 5.3.
3. Back up your data.
4. If required, uninstall the previous version of Access Control. For detailed information, see
Uninstalling SAP GRC Access Control 5.2 or Earlier.
5. Preconfigure the installation by applying all the XML files in the ARchive (SAR) file
VIRACCNT00_0.sar that you downloaded.
6. Use the Java Service Pack Manager (JSPM) to execute the installation. For detailed information,
see the SAP GRC Access Control 5.3 Installation Guide, section four, Installing the Software, on SAP
Service Marketplace at service.sap.com/instguides SAP Solution Extensions SAP Solutions for
GRC SAP GRC Access Control SAP GRC Access Control 5.3.
7. Configure each capability as described in the SAP GRC Access Control 5.3 Installation Guide,
on SAP Service Marketplace at service.sap.com/instguides SAP Solution Extensions SAP
Solutions for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
Note: Before you begin the post-installation configuration, uninstall all of the previous
version’s components at one time using the Software Deployment Manager (SDM) and
then install all of the new components at the same time, using the JSPM tool.
Note: For a list of the individual SAP GRC Access Control 5.3 files that are contained in the
download, see the Appendix of the SAP GRC Access Control 5.3 Installation Guide on SAP
Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions
SAP Solutions for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
Follow the steps below to upgrade from Compliance Calibrator 5.2 to SAP GRC Access Control 5.3 (Risk
Analysis and Remediation).
Note: We recommend that you capture screen shots of Violations counts, Rule counts,
and so forth that you can use to verify your data after the upgrade.
1. Uninstall Compliance Calibrator 5.2 as outlined in Uninstalling SAP GRC Access Control 5.2 or Ear-
lier.
Note: You must uninstall all the EAR and SDA projects except the database project
(virsa~ccxsysdb.sda) before you begin the SAP GRC Access Control 5.3 (Risk Analysis and
Remediation) installation.
2. Install SAP GRC Access Control 5.3 (Risk Analysis and Remediation) as outlined in the SAP GRC
Access Control 5.3 Installation Guide on SAP Service Marketplace at
http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for GRC SAP GRC
Access Control SAP GRC Access Control 5.3.
Purpose: Upgrading from Access Enforcer 5.1 or 5.2 to SAP GRC Access Control 5.3
(Compliant User Provisioning)
Pre-Requisites: Ensure that your SAP NetWeaver system is at version WAS SAP 700 Support
Package 12.
Note: If the background job for HR Triggers Load Data is currently active, the Deactivate
button appears at the bottom of the screen. To stop the job, click Deactivate.
4. Ensure that HR Triggers Load Data still appears as the Task Name and then select Immediate from
the Schedule Type dropdown list.
5. Click Run.
6. From the navigation bar of the Configuration tab, click HR Triggers > Process Log to view the
processed HR triggers.
3.3 Install SAP GRC Access Control 5.3 (Compliant User Provisioning)
1. Pre-configure the installation by applying all the xml files that you downloaded in the ARchive
(SAR) file VIRACCNT00_0.sar.
2. Install the new software by following the instructions in the SAP GRC Access Control 5.3 Installa-
tion Guide located on SAP Service Marketplace at http://service.sap.com/instguides SAP Solution
Extensions SAP Solutions for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
3. Restart your SAP NetWeaver J2EE engine.
4. To verify that your installation was successful, launch a Web browser and enter the following
URL in the address field:
http://<server>:<port>/AE/index.jsp
Where
server = the name or IP address of the NetWeaver J2EE server on which Compliant User
Provisioning resides
port = the port number on which Compliant User Provisioning listens
If your installation was successful, you see the start screen for SAP GRC Access Control 5.3.
3.4 Import SAP GRC Access Control 5.3 (Compliant User Provisioning) Roles
Follow the steps below:
1. Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server, click User
Management.
2. Log on to the UME.
3. Click Batch Import.
4. Go to the directory into which you extracted the SAP GRC Access Control 5.3 (Compliant User
Provisioning) installation files, and, using any text editor, open the file ae_ume_roles.txt.
5. Use Browse to find the file ae_ume_roles.txt, and then click Upload.
For more information, refer to UME DOC LINK below:
Hhttp://help.sap.com/saphelp_nw70/helpdata/en/d1/a73184c45e4e119e63d1b8108f1ab0/frameset.htm
3.5 Upgrade SAP GRC Access Control 5.3 (Compliant User Provisioning) Data
1. Log on to SAP GRC Access Control 5.3 (Compliant User Provisioning).
2. From the navigation bar of the Configuration tab, select Upgrade.
The Upgrade screen appears.
3. Click Upgrade.
3.6 Import SAP GRC Access Control 5.3 (Compliant User Provisioning) Configuration Data
1. Using a Web browser, connect to the SAP NetWeaver server.
2. Type the following application URL in your internet browser:
http://<hostname>:<portnumber>/AE
Where
hostname = The name or IP address of the system on which NetWeaver runs.
portnumber = The port on which Compliant User Provisioning has been configured to
listen. The default is 50000.
For example, if the SAP GRC Access Control 5.3 (Compliant User Provisioning) server resides on
host “mighty,” and it has the default port number, the correct URL would be:
http://mighty:50000/AE.
When you have completed these tasks, you have successfully upgraded your SAP GRC Access Control
5.3 (Compliant User Provisioning) implementation.
Purpose: Upgrade Role Expert 5.2 to SAP GRC Access Control 5.3 (Enterprise Role
Management).
4.2 Install SAP GRC Access Control 5.3 (Enterprise Role Expert)
Install the new software by following the instructions in the SAP GRC Access Control 5.3 Installation Guide
on SAP Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions SAP Solutions
for GRC SAP GRC Access Control SAP GRC Access Control 5.3
The initial page for SAP GRC Access Control 5.3 (Enterprise Role Management) appears.
3. Log on using the SAP GRC Access Control 5.3 (Enterprise Role Management) admin user and
password. Click User Login.
4. Click the Configuration tab.
5. Click Initial System Data.
6. Click Browse and navigate to the directory into which you extracted the SAP GRC Access Con-
trol 5.3 (Enterprise Role Management) installation files.
7. In the Browse window, double click the appropriate xml files that are listed below and click Im-
port. The files that you import are:
a. RE_init_clean_and_insert_data.xml - select the Clean and Insert option.
b. RE_init_append_data.xml - select the Append option.
c. RE_init_methodology_data.xml - select the Append option.
8. Log on to SAP GRC Access Control 5.3 (Compliant User Provisioning) using the admin user and
password.
9. Click the Configuration tab.
10. Click Initial System Data.
11. Click Browse and navigate to the directory into which you extracted the SAP GRC Access Con-
trol 5.3 installation files.
12. In the Browse window, double click the file AE_init_append_data_RE.xml.
13. Click Import and select the Append option.
Purpose: Upgrade from Compliance Calibrator 5.1 to SAP GRC Access Control 5.3
(Risk Analysis and Remediation).
4. Capture and save a screen shot of the Compliance Calibrator 5.1 Mitigating Control Library to
provide totals to validate against after the upgrade is complete.
5. Follow the steps below to export the rules from your existing Compliance Calibrator 5.1
installation:
a. From the Rule Architect tab of Compliance Calibrator 5.1, choose Utilities > Export Rules.
b. Click Get Rules.
You get the following warning because you have not entered a destination for each source in
the Export Rules List:
”Few Destinations are empty! Do you want to copy Source as Destination?”
c. In the warning dialog box, click OK.
d. Click Export Rules.
e. In the File Download box, click Open, then click Save. Enter a name and location for the
exported rules file.
The rule export process is complete.
5.2 Install the Conversion Utility and Complete the Technical Installation
Note: The conversion utility EAR file (virsa~ccconvutil.ear) is included in the
ARchive (SAR) file VIRACCNTNT_0.sar.
Note: Ensure that the background job daemon is running before you proceed. For more in-
formation, see the SAP GRC Access Control 5.3 Installation Guide on SAP Service Market-
place at http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for
GRC SAP GRC Access Control SAP GRC Access Control 5.3.
1. Log on to SAP GRC Access Control 5.3 (Risk Analysis and Remediation).
2. From the Rule Architect tab, choose Utilities > Import Rules.
3. Click Browse.
4. Locate the converted rules data file that you created in the previous step and click Open.
5. Click Import Rules and import the Compliance Calibrator 5.1 rules file that you created in the Pre-
Upgrade Procedures.
a. A background job is automatically scheduled and run to import records from the file and
generate the rules.
b. Verify that the rule import job completes successfully.
c. Once you have imported the rules, a new item, Data Conversion CC5.1 > CC5.3, may be added
to the bottom of the navigation bar under the Configuration tab.
Note: If you have migrated from an earlier version than Compliance Calibrator 5.1, that
version is indicated instead of CC5.1.
Your rules have now been converted and uploaded to SAP GRC Access Control 5.3 (Risk Analysis and
Remediation).
Purpose: Upgrade Role Expert 5.1 to SAP GRC Access Control 5.3 (Enterprise Role
Management).
Pre-Requisites: Role Expert 5.1 is installed and running and SAP Note 1004139 is reviewed.
6.3 Install SAP GRC Access Control 5.3 (Enterprise Role Management)
Install the new software by following the instructions in the SAP GRC Access Control 5.3 Installation Guide
on SAP Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions SAP Solutions
for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
6.4 Upgrade to SAP GRC Access Control 5.3 (Enterprise Role Management)
Follow the steps below to upgrade from Role Expert 5.1 to SAP GRC Access Control 5.3 (Enterprise Role
Management):
1. Log on to SAP GRC Access Control 5.3 (Enterprise Role Management) using the admin user and
password.
2. Click Configuration > Upgrade.
The system displays the Enterprise Role Management version that is currently installed and the
new version to which you want to upgrade.
3. Click Upgrade.
The system displays a success message and the current version is updated to the new version.
Purpose: Upgrade from Compliance Calibrator 4.0 to SAP GRC Access Control 5.3
(Risk Analysis and Remediation).
Tasks: 1. Install SAP GRC Access Control 5.3 (Risk Analysis and Remediation)
2. Create system connectors.
3. Define Master User Source.
4. Upload text objects
5. Upload authorization objects.
6. Create rule sets and enter them in configuration.
7. Migrate existing data.
8. Upload existing data to SAP GRC Access Control 5.3 (Risk Analysis and
Remediation)
9. Schedule background jobs.
Note: Skip this step if it has already been done during installation.
Note: The Connector IDs for any one system must be identical in each Access Control
capability.
Note: If possible entries do not display for JCO Destination, it means that the Java
connectors are not properly defined. For more information see the SAP GRC Access
Control 5.3 Installation Guide on SAP Service Marketplace at
http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for GRC SAP
GRC Access Control SAP GRC Access Control 5.3.
7. Click Save.
Note: You can use the Search button to browse and name the local file. For easy access,
you can put the file on your Desktop and name it SAPText.txt.
6. Click Execute.
7. Return to the SAP GRC Access Control 5.3 (Risk Analysis and Remediation) system and click the
Configuration tab.
8. Click Upload Objects and then click Object Texts.
9. Complete the following fields:
a. System ID – If SAP GRC Access Control 5.3 (Risk Analysis and Remediation) is connected to
multiple SAP backend systems, enter a single system name here and repeat steps 1 through
10 for each SAP system.
b. Local File – Enter or browse to the location for the file SAPText.txt.
10. Click Foreground to upload your text objects.
Note: If you want to execute this job in the background, the SAPText.txt file must be
placed on an application server.
Note: You can use the Search button to browse and name the local file. For easy access,
you can put the file on your Desktop and name it SAPAuthObj.txt
6. Click Execute.
7. Return to the SAP GRC Access Control 5.3 (Risk Analysis and Remediation) system and click the
Configuration tab.
8. Click Upload Objects and then click Permissions.
9. Enter the name of your text file (for example, SAPAuthObj.txt) in the field called Local File.
10. Click Foreground to upload your authorization objects.
Note: If you want to execute this job in the background, the SAP AuthObj.txt file must be
placed on an application server.
o If your Critical Permissions are loaded to Matrix 1 – 5, you can group them into a
function, add that function to a new Critical Permission Risk, and generate rules from
there.
Note: SAP GRC Access Control 5.3 supports three types of risks: SoD, Critical Action,
and Critical Permission. Critical Actions and Permissions can only have one function
assigned; however, an SoD risk must have two or more functions assigned.
For more information about creating functions and risks, refer to the Application
Help for SAP GRC Access Control 5.3 on the SAP Help Portal at help.sap.com.
Note: You can find the system ID in SAP GRC Access Control 5.3 (Risk Analysis and
Remediation), under Configuration > Connectors > Search.
5. In the File Name field, enter a name and path for your output data file.
6. Enable the CC5.1 and Above option.
7. Enter Global in the Default Rule Set ID field.
8. Click Execute.
Note: The utility exports the data to your specified file in a tab-delimited ASCII text file.
The data is not converted until you upload it to your new SAP GRC Access Control 5.3
(Risk Analysis and Remediation) system.
Note: You can only migrate rules from one Compliance Calibrator 4.0 system to SAP
GRC Access Control 5.3 (Risk Analysis and Remediation). If you have multiple backend
systems in your current system landscape, you may simplify your migration by using a
logical system to group the Compliance Calibrator 4.0 rules together (the rules must be
the same across all systems).
For more information, see the SAP GRC Access Control 5.3 Application Help at
help.sap.com and refer to the section on Logical Systems.
7.8 Upload the Data into SAP GRC Access Control 5.3 (Risk Analysis and Remediation)
Caution: When you upload data to SAP GRC Access Control 5.3, existing rule and
mitigation data is overwritten.
Note: This conversion process immediately updates all data except Permission rules which
are sent to the background job daemon. Permission rules are not migrated until the
background job completes.
1. Log on to SAP GRC Access Control 5.3 (Risk Analysis and Remediation).
2. Click the Rule Architect tab, and then click Utilities > Import Rules.
3. In the field Local File Name, enter the path and file name that you specified when you
exported your Compliance Calibrator 4.0 data in the previous step.
Note: Permission rules may take a few minutes to be generated as they are
processed by the background job daemon.
5. Follow the steps below to verify that the background job is complete:
6. Confirm that the correct number of rules was uploaded by comparing the Rule Library in
SAP GRC Access Control 5.3 to the Rule Library in Compliance Calibrator 4.0. Ensure that
the Number of Active Rules and the Disabled Rules in SAP GRC Access Control 5.3 (Risk
Analysis and Remediation) match those in Compliance Calibrator 4.0.
7. Confirm that the mitigating controls converted correctly by following these steps:
a. Access the Mitigating Control Library in Compliance Calibrator 4.0.
b. In SAP GRC Access Control 5.3 (Risk Analysis and Remediation), click the
Mitigation tab, and then click Mitigated Users.
c. Click Select All and click Search.
d. Ensure that the number of mitigated users is the same for both systems.
Note: See the SAP GRC Access Control 5.3 Installation Guide, Post-Installation Steps, for
details about running background jobs.
1. In SAP GRC Access Control 5.3 (Risk Analysis and Remediation), click the Configuration tab and
then click Background Job Schedule Analysis.
2. Follow the steps below to perform User, Role, and Profile Synchronization.
a. Go to the User/Role/Profile Synchronization section and select Full Sync in the Sync
Mode field.
b. Select the following synchronization types:
User Synchronization
Role Synchronization
Profile Synchronization
c. Accept wildcard (*) values for each system.
d. Click Schedule. The Schedule Risk Analysis screen displays.
e. Enter the Job Name.
f. Select Immediate.
g. Click Schedule.
The following message displays: Background job scheduled successfully, Job ID: XX.
3. Perform Batch Risk Analysis.
Note: Perform this step after you determine which users, roles, and profile analysis
should be stored in SAP GRC Access Control 5.3 (Risk Analysis and Remediation). After
the initial full synchronization, schedule a nightly background job to run an incremental
synchronization.
a. Go to Batch Risk Analysis, and select Full Sync in the Batch Mode field.
b. Select Report Type: Permission Level Analysis.
c. Select the following risk analysis types:
User Analysis
Role Analysis
Profile Analysis (only if profiles are assigned to Users in Production).
d. Click Schedule.
The Schedule Risk Analysis screen displays.
Note: For instructions on how to run this job, refer to Step 2 above: Perform
User/Role/Profile Synchronization.
Note: Management View Risk Analysis data can be displayed for a one month period. The
current month data is updated each time you run a Management Report job.
b. Click Schedule.
Note: For instructions on how to run this job, refer to Step 2 above Perform
User/Role/Profile Synchronization.
Note: The management reports should now be populated with risk analysis data.
Purpose: Upgrade Role Expert 4.0 to SAP GRC Access Control 5.3 (Enterprise Role
Management).
8.2 Install SAP GRC Access Control 5.3 (Enterprise Role Management)
Install SAP GRC Access Control 5.3 (Enterprise Role Management) by following the instructions in the
SAP GRC Access Control 5.3 Installation Guide on SAP Service Marketplace at
http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for GRC SAP GRC Access
Control SAP GRC Access Control 5.3
8.2 Map the Role Expert 4.0 Attributes to SAP GRC Access Control 5.3 (Enterprise Role
Management) Attributes
Prior to importing role information, you must manually configure some attributes in SAP GRC
Access Control 5.3 (Enterprise Role Management) as indicated in the table below:
Role Expert 4.0 Attributes that you migrate Attributes that you con-
Attributes manually figure manually
Role Expert 4.0 Attributes that you migrate Attributes that you con-
Attributes manually figure manually
Transaction Transaction
8.4 Import Role Expert 4.0 Roles to SAP GRC Access Control 5.3 (Enterprise Role
Management)
1. Open SAP GRC Access Control 5.3 (Enterprise Role Management) and click on Role Expert Role
Configuration Migration from 4.0 Role.
2. Browse to the Excel file(s) that you created in the previous step.
3. Select the role type and the system landscape to be associated with the imported roles. If existing roles
need to be overwritten, click Overwrite Role if exists.
Purpose: Upgrade Firefighter 4.0, 5.1, or 5.2 to SAP GRC Access Control 5.3 (Superuser
Privilege Management)
Note: For information about how to do this, see SAP Service Marketplace at
http://service.sap.com/instguides -> SAP Solution Extensions -> SAP Solutions for GRC -
>SAP GRC Access Control SAP GRC Access Control 4.0 / 5.1 Role Expert 4.0 /5.1 for SAP--
User Guide.
9.3 Install SAP GRC Access Control 5.3 (Superuser Privilege Management)
Install the new software by following the instructions in the SAP GRC Access Control 5.3 Installation Guide
on SAP Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions SAP Solutions
for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
9.4 Install SAP GRC Access Control 5.3 Real Time Agent (RTA)
Install the SAP GRC Access Control 5.3 RTA as described in the SAP GRC Access Control 5.3 Installation
Guide on SAP Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions SAP
Solutions for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
9.5 Perform Post-Installation Configuration
Perform the post-installation configuration as described in the SAP GRC Access Control 5.3 Installation
Guide on SAP Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions SAP
Solutions for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
9.7 Upgrade to SAP GRC Access Control 5.3 (Superuser Privilege Management)
Note: This step only applies when you upgrade from Firefighter 5.1
To uninstall earlier versions of Access Control you must manually uninstall all of the files for each capa-
bility separately.
You connect to the Software Deployment Manager (SDM) and select the Undeploy tab and then select the
files to be uninstalled, except for the dictionary file. You can either uninstall them as a group or indivi-
dually; if you uninstall them individually you must uninstall them in the order that they are listed below.
10.1.1 For Support Pack 5 and above, uninstall the following components:
virsalib.sd
sap.com~grc~ccume.sda
sap.com~grc~ccxsysbe
sap.com~grc~ccxsysbehr
sap.com~grc~ccappcomp
sap.com~grc~ccxsysw
sap.com~grc~ccxsysbgear
sap.com~grc~ccxsysactionws
10.1.2 For Support Pack 4 and below, uninstall the following components:
virsalib.sda
sap.com~ccume.sda
virsa~ccxsysbe
virsa~ccxsysbehr
virsa~ccappcomp
virsa~ccxsysws
virsa~ccwsproxy (if exists)
virsa~ccxsysbgear
virsa~ccxsysactionws
10.2.1 For Support Pack 6 and above, uninstall the following components:
virsalib.sda
sap.com~grc~ccume.sda
sap.com~grc~ccxsysbe
sap.com~grc~ccxsysbehr
sap.com~grc~ccappcom
sap.com~grc~ccxsysws
sap.com~grc~ccxsysbgear
10.2.2 For Support Pack 5 and below, uninstall the following components:
virsalib.sd
virsa~ccume.sda
virsa~ccxsysbe
virsa~ccxsysbehr
virsa~ccappcomp
virsa~ccxsysw
virsa~ccwsproxy
virsa~ccxsysbgear
10.7.1 For Support Package 3 and below, uninstall the following components:
firefighterlib.sda
sapgrc~ffume.sda
sapgrc~ffappcomp.ear
10.7.2 For Support Package 4 and above, uninstall the following components:
sap.com~grc~ffext.sda
sap.com~grc~ffume.sda
sap.com~grc~ffappcomp.ear
sap.com~grc~ffwsproxy.ear
The table below lists all the permissions that are delivered in SAP GRC Access Control 5.3. You
may wish to add new permissions to your existing roles after your upload them.
Configuration
Configuration