Oracle 11g - SQL Fundamental Exam Guide (Exam 1Z0-051)

Upgrade Guide
SAP GRC
Access Control™ 5.3
Document Version 1.10 - December 2008
SAP AG
Walldorf, Germany
T+49/18 05/34 34 34
F+49/18 05/34 34 20
H www.sap.com
SAP GRC Access Control 5.3 Upgrade Guide
© Copyright 2008 SAP AG. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission
of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other software
vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries,
xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner,
WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or
registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems
Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered
trademarks of Citrix Systems, Inc.
HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium,
Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented
by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
Virsa, Virsa Systems, Access Enforcer, ComplianceOne, Compliance Calibrator, Process Control, Continuous Compliance,
Firefighter, Risk Terminator, Role Expert, the respective taglines, logos and service marks are trademarks of SAP Governance,
Risk and Compliance, Inc., which may be registered in certain jurisdictions.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well
as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all
over the world. All other product and service names mentioned are the trademarks of their respective companies. Data
contained in this document serves information purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies
(“SAP Group”) for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those
that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should
be construed as constituting an additional warranty.
Disclaimer
Some components of this product are based on Java™. Any code change in these components may cause unpredictable and
severe malfunctions and is therefore expressively prohibited, as is any decompilation of these components. Any Java™ Source
Code delivered with this product is only to be used by SAP’s Support Services and may not be modified or altered in any way.
December 2008 2/55

Typographic Conventions
Example Description
<> Angle brackets indicate that you replace these words or characters with appropriate
entries to make entries in the system, for example, “Enter your <User Name>”.
> Arrows separating the parts of a navigation path, for example, menu options
Example Emphasized words or expressions
Example Words or characters that you enter in the system exactly as they appear in the
documentation
Example Textual cross-references to an internet address, for example, http://www.sap.com
/example Quicklinks added to the internet address of a homepage to enable quick access to
specific content on the Web
123456 Hyperlink to an SAP Note, for example, SAP Note 123456
Example Words or characters quoted from the screen. These include field labels, screen
titles, push button labels, menu names, and menu options.
Cross-references to other documentation or published works
Example Output on the screen following a user action, for example, messages
Source code or syntax quoted directly from a program
File and directory names and their paths, names of variables and parameters, and
names of installation, upgrade, and database tools
EXAMPLE Technical names of system objects. These include report names, program names,
transaction codes, database table names, and key concepts of a programming language
when they are surrounded by body text, for example, SELECT and INCLUDE.
EXAMPLE Keys on the keyboard
December 2008 3/55

Document History
This guide is regularly updated on SAP Service Marketplace at http://service.sap.com/instguides
-> SAP Business Objects-> SAP Solutions for GRC -> SAP GRC Access Control -> SAP GRC Access
Control 5.3.
Make sure you have the latest version of this guide by checking SAP Service Marketplace before
starting the installation.
The following table provides an overview of the most important changes that were made in the latest ver-
sions.
Version Date Important Changes
x June 2008 Initial release to customers.
1.10 December 2008 Uninstalling Access Control 5.2 or Earlier
- removed step to uninstall AC 5.2. It is not
necessary for an upgrade.
December 2008 4/55

Table of Contents
1.1 DISCLAIMER ................................................................................................................................................. 8
1.2 IMPORTANT NAME AND PRODUCT CHANGES .................................................................................................. 8
1.3 UPGRADE PATH SUMMARIES ......................................................................................................................... 9
1.3.1 Upgrading Compliance Calibrator 5.2, Access Enforcer 5.2, Role Expert 5.2, and Firefighter 5.2 ....... 10
1.3.3 Upgrading Compliance Calibrator 5.1, Access Enforcer 5.1, Role Expert 5.1, and Firefighter 5.1. ...... 12
1.3.4 Upgrading Compliance Calibrator 4.0, Access Enforcer 4.0, Role Expert 4.0, and Firefighter 4.0 ....... 14
1.4 UPGRADE CONSIDERATIONS ........................................................................................................................ 16
1.4.1 SAP NetWeaver Version...................................................................................................................... 16
1.4.2 Backend System Prerequisites for Upgrading to SAP GRC Access Control 5.3 .................................... 16
1.4.3 Upgrade Documentation ..................................................................................................................... 17
1.4.4 Upgrading Real Time Agents .............................................................................................................. 18
1.5 THE UPGRADE PROCESS .............................................................................................................................. 18
1.5.1 Downloading the SAP GRC Access Control 5.3 files............................................................................ 19
2 UPGRADING COMPLIANCE CALIBRATOR 5.2....................................................................................... 20
3 UPGRADING ACCESS ENFORCER 5.1 AND 5.2 ....................................................................................... 21
3.1 PRE-UPGRADE PROCEDURES ........................................................................................................................ 21
3.1.1 Back Up Your Existing Access Enforcer Implementation: .................................................................... 21
3.1.2 Process HR Triggers (for systems that have SAP HR) .......................................................................... 21
3.1.3 Uninstall Previous Version of Access Enforcer .................................................................................... 22
3.1.4 Download SAP GRC Access Control 5.3 Files..................................................................................... 22
3.2 CONFIGURE MEMORY SETTINGS .................................................................................................................. 22
3.3 INSTALL SAP GRC ACCESS CONTROL 5.3 (COMPLIANT USER PROVISIONING) .............................................. 22
3.4 IMPORT SAP GRC ACCESS CONTROL 5.3 (COMPLIANT USER PROVISIONING) ROLES .................................... 23
3.5 UPGRADE SAP GRC ACCESS CONTROL 5.3 (COMPLIANT USER PROVISIONING) DATA .................................. 23
3.6 IMPORT SAP GRC ACCESS CONTROL 5.3 (COMPLIANT USER PROVISIONING) CONFIGURATION DATA ........... 23
4 UPGRADING ROLE EXPERT 5.2 ................................................................................................................ 25
4.1 UNINSTALL THE CURRENT INSTALLATION.................................................................................................... 25
4.2 INSTALL SAP GRC ACCESS CONTROL 5.3 (ENTERPRISE ROLE E XPERT) ........................................................ 25
4.3 POST INSTALLATION CONFIGURATION ......................................................................................................... 25
4.4 UPGRADE TO THE NEW SOFTWARE .............................................................................................................. 26
4.5 ORGANIZATION VALUE MAPPING (OPTIONAL) ............................................................................................. 27
5.1 PRE-UPGRADE PROCEDURES ....................................................................................................................... 28
5.2 INSTALL THE CONVERSION UTILITY AND COMPLETE THE TECHNICAL INSTALLATION .................................... 29
5.3 IMPORT RULES INTO SAP GRC ACCESS CONTROL 5.3.................................................................................. 29
5.4 VALIDATE THE RULE LOAD ......................................................................................................................... 30
5.5 VALIDATE THE MITIGATION TABLES ........................................................................................................... 30
6.1 UNINSTALL ROLE EXPERT 5.1 ..................................................................................................................... 31
6.2 PRE-CONFIGURE THE INSTALLATION ............................................................................................................ 31
December 2008 5/55

6.3 INSTALL SAP GRC ACCESS CONTROL 5.3 (ENTERPRISE ROLE MANAGEMENT ) ............................................. 31
6.4 UPGRADE TO SAP GRC ACCESS CONTROL 5.3 (ENTERPRISE ROLE MANAGEMENT ) ...................................... 31
6.5 PERFORM POST-INSTALLATION CONFIGURATION ......................................................................................... 32
6.6 ORGANIZATIONAL VALUE MAPPING (OPTIONAL) ......................................................................................... 33
7.1 INSTALL SAP GRC ACCESS CONTROL 5.3. .................................................................................................. 34
7.2 CREATE SYSTEM CONNECTORS ................................................................................................................... 35
7.3 DEFINE MASTER USER SOURCE ................................................................................................................... 35
7.4 UPLOAD TEXT OBJECTS .............................................................................................................................. 35
7.5 UPLOAD AUTHORIZATION OBJECTS ............................................................................................................. 36
7.6 CREATE RULE SET ...................................................................................................................................... 37
7.7 MIGRATE EXISTING DATA ........................................................................................................................... 37
7.7.1 Data That Can Be Migrated ................................................................................................................ 37
7.7.2 Data That Cannot Be Migrated ........................................................................................................... 37
7.7.3 Migration Procedure .......................................................................................................................... 38
7.8 UPLOAD THE DATA INTO SAP GRC ACCESS CONTROL 5.3 (RISK ANALYSIS AND REMEDIATION) .................. 39
7.9 SCHEDULE BACKGROUND JOBS ................................................................................................................... 40
8.1 PRECONFIGURE THE INSTALLATION ............................................................................................................. 42
8.2 INSTALL SAP GRC ACCESS CONTROL 5.3 (ENTERPRISE ROLE MANAGEMENT ) ............................................. 42
8.3 EXPORT ROLE E XPERT 4.0 ROLES ................................................................................................................ 44
8.4 IMPORT ROLE E XPERT 4.0 ROLES TO SAP GRC ACCESS CONTROL 5.3 (ENTERPRISE ROLE MANAGEMENT) ... 45
9 UPGRADING FIREFIGHTER 4.0, 5.1, AND 5.2........................................................................................... 46
9.1 PRE-UPGRADE PROCEDURES ....................................................................................................................... 46
9.2 UNINSTALL THE CURRENT FILES (FIREFIGHTER 5.2 ONLY) ............................................................................ 46
9.3 INSTALL SAP GRC ACCESS CONTROL 5.3 (SUPERUSER PRIVILEGE MANAGEMENT) ...................................... 46
9.4 INSTALL SAP GRC ACCESS CONTROL 5.3 REAL TIME AGENT (RTA) ........................................................... 47
9.6 VALIDATE THE ENTRIES .............................................................................................................................. 47
9.7 UPGRADE TO SAP GRC ACCESS CONTROL 5.3 (SUPERUSER PRIVILEGE MANAGEMENT) ............................... 47
10 UNINSTALLING ACCESS CONTROL 5.2 OR EARLIER ........................................................................ 48
10.1 UNINSTALL COMPLIANCE CALIBRATOR 5.2 ................................................................................................ 48
10.1.1 For Support Pack 5 and above, uninstall the following components: .................................................. 48
10.1.2 For Support Pack 4 and below, uninstall the following components: .................................................. 48
10.2 UNINSTALL COMPLIANCE CALIBRATOR 5.1 ................................................................................................ 49
10.2.1 For Support Pack 6 and above, uninstall the following components: .................................................. 49
10.2.2 For Support Pack 5 and below, uninstall the following components: .................................................. 49
10.3 UNINSTALL ACCESS ENFORCER 5.2............................................................................................................ 49
10.3.1 For all support packs, uninstall the following components:................................................................ 49
10.4 UNINSTALL ACCESS ENFORCER 5.1............................................................................................................ 49
10.5 UNINSTALL ROLE E XPERT 5.1 AND 5.2....................................................................................................... 50
10.6 FIREFIGHTER 4.0 AND 5.1 (NOTHING TO UNINSTALL).................................................................................. 50
December 2008 6/55

10.7 UNINSTALL FIREFIGHTER 5.2 ..................................................................................................................... 50

10.7.1 For Support Package 3 and below, uninstall the following components: ............................................ 50
10.7.2 For Support Package 4 and above, uninstall the following components: ............................................ 50
APPENDIX A: SAP GRC ACCESS CONTROL 5.3 PERMISSIONS.............................................................. 51
December 2008 7/55

1 Overview
This guide is for Access Control customers who want to upgrade their existing implementations to SAP
GRC Access Control 5.3.
1.1 Disclaimer
This document reflects the status of SAP’s release planning as of December 2007. It contains only
intended strategies, developments, and functionalities for SAP solutions and is not intended to be
binding upon SAP to any particular course of business, product strategy, or development; its content is
subject to change without notice. For up-to-date information on individual SAP offerings, refer to the
online version of this brochure in SAP Service Marketplace at service.sap.com/releasestrategy.
SAP assumes no responsibility for errors or omissions in this document and does not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this
material. This document is provided without a warranty of any kind, either express or implied, including,
but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or
noninfringement.
SAP shall have no liability for damages of any kind including without limitation, direct, special, indirect,
or consequential damages that may result from the use of these materials. This limitation shall not apply
in cases of intent or gross negligence. The statutory liability for personal injury and defective products is
not affected. SAP has no control over the information that you may access through the use of hot links
contained in these materials and does not endorse your use of third-party Web pages nor provide any
warranty whatsoever relating to third-party Web pages.
1.2 Important Name and Product Changes

As of SAP GRC Access Control 5.3, Compliance Calibrator, Access Enforcer, Role Expert, and Firefighter,
which were formerly four separate SAP GRC products, are now bundled into one software package;
separate upgrades are no longer done.
These formerly separate products are now referred to as capabilities and have been renamed as indicated
in the table below. Please keep this name change in mind as this upgrade guide references both sets of
names.
Previous Component Name New Capability Name
Compliance Calibrator Risk Analysis and Remediation
Access Enforcer Compliant User Provisioning
Role Expert Enterprise Role Management
Firefighter Superuser Privilege Management
December 2008 8/55

1.3 Upgrade Path Summaries

The tables that follow summarize strategies for upgrading to SAP GRC Access Control 5.3 from previous
versions of the product.
Each table addresses a particular upgrade path, giving a high level overview of the steps that are
involved. Subsequent chapters provide the detailed instructions for each upgrade path.
Note: We highly recommend that customers who wish to upgrade from SAP GRC 4.0 products to
SAP GRC Access Control 5.3 submit a CSN message requesting a GRC contact to advise them on
the upgrade procedure.
December 2008 9/55

1.3.1 Upgrading Compliance Calibrator 5.2, Access Enforcer 5.2, Role Expert 5.2, and Firefighter
5.2
Risk Analysis and Compliant User Enterprise Role Superuser

Remediation Provisioning Management Privilege
formerly called formerly called formerly called Management
Compliance Calibrator Access Enforcer Role Expert formerly called
Firefighter
Step 1 Uninstall Compliance Perform pre-upgrade Uninstall Role Perform the pre-
Calibrator 5.2 as outlined procedures. Expert 5.2. as upgrade
in section 10, Uninstalling 1. Back up existing outlined in section procedures:
SAP GRC Access Control Access Enforcer 10, Uninstalling SAP 1. Review SAP
5.2 or Earlier implementation. GRC Access Control Note 1006083
5.2 or Earlier
2. Run background job 2. Backup
HR Triggers Load existing
Data (SAP HR Install SAP GRC master data
systems only) Access Control 5.3
as outlined in the
3. Download
3. Uninstall existing master data
Access Enforcer SAP GRC Access
Control 5.3 from
implementation Firefighter 5.2
Installation Guide on
4. Download the SAP
SAP Service
GRC Access
Marketplace at
Control 5.3 files
http://service.sap.co
m/instguides SAP
Solution Extensions
SAP Solutions for
GRC SAP GRC
Access Control
SAP GRC Access
Control 5.3
.
Step 2 Install SAP GRC Access Configure memory Upgrade to SAP Uninstall the
Control 5.3 as outlined in settings GRC Access Control Firefighter
the SAP GRC Access 5.3 software as
Control 5.3 Installation described in
Guide on SAP Service Uninstalling SAP
Marketplace at GRC Access Control
http://service.sap.com/inst 5.2 or Earlier
guides SAP Solution
Extensions SAP Solutions
December 2008 10/55

for GRC SAP GRC Access

Control SAP GRC Access
Control 5.3.
Step 3 Not applicable Install SAP GRC Perform post- Install SAP GRC
Access Control 5.3 installation Access Control 5.3
(Compliant User configuration (Superuser
Provisioning) Privilege
Management)
Step 4 Not applicable Import Compliant User Optionally, change Install the SAP
Provisioning Roles the default Org. GRC Access
value mapping names Control 5.3 Real
in SAP GRC Access Time Agent (RTA)
Control 5.3
(Enterprise Role
Management).
Step 5 Not applicable Upgrade Compliant Not applicable Perform post-

User Provisioning installation
configuration
Step 6 Not applicable Import Compliant User Not applicable Not applicable
Provisioning
Configuration Data
More For more details, see For more details, see For more details, see For more details,
Info section 2, Upgrading section 3, Upgrading section 4, Upgrading see section 9,
Compliance Calibrator 5.2 Access Enforcer 5.1 and from SAP GRC Role Upgrading
5.2 Expert 5.2 Firefighter 4.0, 5.1,
and 5.2
December 2008 11/55

1.3.3 Upgrading Compliance Calibrator 5.1, Access Enforcer 5.1, Role Expert 5.1, and Firefighter
5.1.
Risk Analysis and Compliant User Enterprise Role Superuser Privilege

Remediation Provisioning Management Management
formerly called formerly called formerly called formerly called
Compliance Calibrator Access Enforcer Role Expert Firefighter
Step 1 Perform the pre-upgrade Perform pre- Uninstall Role Expert Perform the pre-
procedures. upgrade 5.1. upgrade procedures:
procedures. 1. Review SAP
1. Back up Note 1006083.
existing Access 2. Backup existing
Enforcer master data
implementation 3. Download
master data
2. Run background
from Firefight-
job HR Triggers
er 5.1
Load Data (SAP
HR systems
only)
3. Uninstall
existing Access
Enforcer
implementation
4. Download the
SAP GRC
Access Control
5.3 files
Step 2 Install the conversion Configure memory Pre-configure the Install SAP GRC
utility and complete the settings installation Access Control 5.3
technical installation of (Superuser Privilege
SAP GRC Access Control Management)
5.3
Step 3 Import the Compliance Install SAP GRC Install SAP GRC Install the SAP GRC
Calibrator 5.1 rules into Access Control 5.3 Access Control 5.3 Access Control 5.3
SAP GRC Access Control (Compliant User (Enterprise Role Real Time Agent
5.3 (Risk Analysis and Provisioning) Management) (RTA)
Remediation)
Step 4 Validate the rule load Import Compliant Optionally, change the Perform post-
User Provisioning default Org. value installation
Roles mapping names in SAP configuration
GRC Access Control
December 2008 12/55

5.3 (Enterprise Role

Management).
Step 5 Validate the mitigation Upgrade Compliant Not applicable Validate the entries
tables User Provisioning
Step 6 Not applicable Import Compliant Not applicable Upgrade to SAP

User Provisioning GRC Access Control
Configuration Data. 5.3 (Superuser
Privilege
Management)
More For detailed information, For detailed For detailed For detailed
Info see section 5, Upgrading information, see information, see information, see
Compliance Calibrator 5.1. section 3, Upgrading section 6, Upgrading section 9, Upgrading
Access Enforcer 5.1 Role Expert 5.1 Firefighter 4.0, 5.1,
and 5.2 and 5.2
December 2008 13/55

1.3.4 Upgrading Compliance Calibrator 4.0, Access Enforcer 4.0, Role Expert 4.0, and Firefighter 4.0
Risk Analysis and Compliant User Enterprise Role Superuser

Remediation Provisioning Management Privilege
formerly called formerly called formerly called Management
Compliance Calibrator Access Enforcer Role Expert formerly called
Firefighter
Step 1 Install SAP GRC Access Not applicable Preconfigure the 1. Perform the
Control 5.3. installation by pre-upgrade
applying the xml procedures:
files from the 2. Review SAP
Archive (SAR) file Note 100608
VIRACCNT00_sar. 3. Backup exist-
ing master da-
ta
4. Download
master data
from Fire-
fighter 4.0
Step 2 Create system connectors Not applicable Install SAP GRC Install SAP GRC
Access Control 5.3 Access Control 5.3
(Enterprise Role (Superuser
Management) Privilege
Management)
Step 3 Define Master User Not applicable Map Role Expert Install the SAP
Source 4.0 attributes to GRC Access
SAP GRC Access Control 5.3 Real
Control 5.3 Time Agent (RTA)
(Enterprise Role
Management)
attributes
Step 4 Upload text objects Not applicable Manually export Perform Post-
roles from Role Installation
Expert 4.0. configuration
Step 5 Upload authorization Not applicable Import Role Validate the

objects Expert 4.0 roles to entries
SAP GRC Access
Control 5.3
(Enterprise Role
December 2008 14/55

Management).
Step 6 Create rule sets and enter Not applicable Not applicable Not applicable
them in configuration.
Step 7. Migrate existing data Not applicable Not applicable Not applicable
Step 8. Upload existing data to Not applicable Not applicable Not applicable
SAP GRC Access Control
5.3 (Risk Analysis and
Remediation)
Step 9 Schedule background jobs Not applicable Not applicable Not applicable
More For detailed For detailed

Info For detailed information, Not applicable information, see information, see
see section 7, Upgrading section 8, section 9,
Compliance Calibrator 4.0 Upgrading Role Upgrading
Expert 4.0 Firefighter 4.0, 5.1,
and 5.2
Notes:
If you are upgrading from 4.0 to 5.3, SAP strongly encourages you to make the 4.0
version inaccessible to end users. To do so, use Transaction Codes: Lock/Unlock (transaction
SM01) and select the checkbox beside transaction /virsa/zvrat. In addition, use Role
Maintenance (transaction PFCG) to remove transaction /virsa/zvrat from end users security
roles.
When you migrate any 4.0 application to a higher version, refer to SAP Note 1006083.
For more information about SAFE and .NET migration, contact SAP Support on SAP
Service Marketplace at service.sap.com SAP Support Portal.
December 2008 15/55

1.4 Upgrade Considerations
Note: For information about SAFE and .NET migration, contact SAP Support on SAP
Service Marketplace at service.sap.com SAP Support Portal.
1.4.1 SAP NetWeaver Version

Ensure that your SAP NetWeaver system is at version WAS SAP 700 Support Package 12.
If your current version of Access Enforcer 5.1 or 5.2 runs on WAS SAP 640, you must upgrade to WAS
SAP 700. For more information, see the SAP GRC Access Control 5.3 Installation Guide on SAP Service Mar-
ketplace at http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for GRC SAP
GRC Access Control SAP GRC Access Control 5.3.
1.4.2 Backend System Prerequisites for Upgrading to SAP GRC Access Control 5.3
SAP Notes about are upgrading SAP ERP systems are available under the Application Areas GRC,
GRC-SAE, GRC-SCC, and GRC-SRE. Examples of such notes include:
SAP Note 985617 – SAP Compliance Calibrator for SAP 700 systems
SAP Note 1001783 – VIRSANH 520_700 Install / Delta Upgrade on SAP_BASIS 700
Below are the support packages that you must apply to your SAP backend system.
SAP Backend Component If you have release Apply this support package
SAP Basis Component 46C SAPKB46C55
620 SAPKB62063
640 SAPKB64021
700 SAPKB70013
December 2008 16/55

1.4.3 Upgrade Documentation

In addition to this guide, you need a copy of the SAP GRC Access Control 5.3 Installation Guide which is on
SAP Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for
GRC SAP GRC Access Control SAP GRC Access Control 5.3. You also need copies of the SAP Notes that
are listed in the tables below.
The following notes apply if you are upgrading your SAP ERP system as well as your Access Control sys-
tem.
Refer to the following SAP Notes for Access Control systems without SAP HR:
SAP Note Number Title Description
1133169 Upgrade to SAP BASIS 620 These notes contain information

with VIRSANH 530_620 about the upgrade that is specific
to add-ons.
1133171 Upgrade to SAP BASIS 640
SAP Notes are located on SAP
with VIRSANH 530_640
Service Marketplace at
service.sap.com /notes
1133173 Upgrade to SAP BASIS 700
with VIRSANH 530_700
Refer to the following SAP Notes for Access Control systems with SAP HR:
SAP Note Number Title Description
1133170 Upgrade R/3 Enterprise These notes contain additional

470x200 with VIRSAHR information about the upgrade that is
530_620 specific to add-ons.
SAP Notes are located on SAP
1133172 Upgrade to SAP ECC 500
Service Marketplace at
with VIRSAHR 530_640
service.sap.com /notes
1133174 Upgrade to SAP ECC 600
with VIRSAHR 530_700
December 2008 17/55

1.4.4 Upgrading Real Time Agents

If you are upgrading Access Control but you are not upgrading your SAP ERP system, consult the SAP
Notes in the table below for information about upgrading Real Time Agents (RTAs).
Note: VIRSANH and VIRSAHR comprise the RTA component.
Note Number Description
1138015 VIRSANH 530_46C Support Packages for 46C

1138109 VIRSAHR 530_46C Support Packages for 46C
1138016 VIRSANH 530_620 Support Packages for 620
1138020 VIRSAHR 530_620 Support Packages for 620
1138017 VIRSANH 530_640 Support Packages for 640 (ECC 500)
1138041 VIRSAHR 530_640 Support Packages for 640 (ECC 500)
1138018 VIRSANH 530_700 Support Packages for 700 ( ECC 600)
1138042 VIRSAHR 530_700 Support Packages for 700 ( ECC 600)
1.5 The Upgrade Process

This guide contains information that is unique to upgrading SAP GRC Access Control and leaves
out any steps that are covered in the SAP GRC Access Control 5.3 Installation Guide.
Note: To upgrade your system to SAP GRC Access Control 5.3 you must also have a copy
of the SAP GRC Access Control 5.3 Installation Guide which is located on SAP
Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions
SAP Solutions for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
To upgrade to SAP GRC Access Control 5.3 on the same server as the previous installation, follow these
steps:
1. Read the chapters in this document for each of the four SAP GRC Access Control 5.3
capabilities.
2. Get the new SAP GRC Access Control 5.3 files from SAP Service Marketplace at service.sap.com.
For detailed information, see the SAP GRC Access Control 5.3 Installation Guide on SAP Service
Marketplace at service.sap.com/instguides SAP Solution Extensions SAP Solutions for GRC
SAP GRC Access Control SAP GRC Access Control 5.3.
3. Back up your data.
4. If required, uninstall the previous version of Access Control. For detailed information, see
Uninstalling SAP GRC Access Control 5.2 or Earlier.
5. Preconfigure the installation by applying all the XML files in the ARchive (SAR) file
VIRACCNT00_0.sar that you downloaded.
December 2008 18/55

6. Use the Java Service Pack Manager (JSPM) to execute the installation. For detailed information,
see the SAP GRC Access Control 5.3 Installation Guide, section four, Installing the Software, on SAP
Service Marketplace at service.sap.com/instguides SAP Solution Extensions SAP Solutions for
GRC SAP GRC Access Control SAP GRC Access Control 5.3.
7. Configure each capability as described in the SAP GRC Access Control 5.3 Installation Guide,
on SAP Service Marketplace at service.sap.com/instguides SAP Solution Extensions SAP
Solutions for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
Note: Before you begin the post-installation configuration, uninstall all of the previous
version’s components at one time using the Software Deployment Manager (SDM) and
then install all of the new components at the same time, using the JSPM tool.
1.5.1 Downloading the SAP GRC Access Control 5.3 files

Follow the steps below to download the SAP GRC Access Control 5.3 files.
1. Go to SAP Service Marketplace at service.sap.com.

2. Under SAP Support Portal, select Software Download.
3. In the left navigation bar, click Download to expand the menu.
4. Click Installations and Upgrades to expand the menu.
5. Click Entry by Application Group.
6. Click SAP Solutions for Governance, Risk and Compliance.
7. Click SAP GRC Access Control.
8. Click SAP GRC Access Control.
9. Click SAP GRC Access Control 5.3.
10. Click Install and Upgrade.
11. Select the platform for your server.
12. Select the appropriate database component for your installation.
13. Select SAP GRC Access Control 5.3 and click Add to Download Basket.
14. Follow the online instructions to complete the download process.
Note: For a list of the individual SAP GRC Access Control 5.3 files that are contained in the
download, see the Appendix of the SAP GRC Access Control 5.3 Installation Guide on SAP
Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions
SAP Solutions for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
December 2008 19/55

2 Upgrading Compliance Calibrator 5.2
Follow the steps below to upgrade from Compliance Calibrator 5.2 to SAP GRC Access Control 5.3 (Risk
Analysis and Remediation).
Note: We recommend that you capture screen shots of Violations counts, Rule counts,
and so forth that you can use to verify your data after the upgrade.
1. Uninstall Compliance Calibrator 5.2 as outlined in Uninstalling SAP GRC Access Control 5.2 or Ear-
lier.
Note: You must uninstall all the EAR and SDA projects except the database project
(virsa~ccxsysdb.sda) before you begin the SAP GRC Access Control 5.3 (Risk Analysis and
Remediation) installation.
2. Install SAP GRC Access Control 5.3 (Risk Analysis and Remediation) as outlined in the SAP GRC
Access Control 5.3 Installation Guide on SAP Service Marketplace at
http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for GRC SAP GRC
Access Control SAP GRC Access Control 5.3.
December 2008 20/55

3 Upgrading Access Enforcer 5.1 and 5.2
Purpose: Upgrading from Access Enforcer 5.1 or 5.2 to SAP GRC Access Control 5.3
(Compliant User Provisioning)
Pre-Requisites: Ensure that your SAP NetWeaver system is at version WAS SAP 700 Support
Package 12.
Tasks: 1. Perform pre-upgrade procedures.

a. Back up existing Access Enforcer implementation.
b. Run background job HR Triggers Load Data (SAP HR sys-
tems only)
2. Uninstall existing Access Enforcer implementation
3. Download the SAP GRC Access Control 5.3 files
4. Configure memory settings.
5. Install Compliant User Provisioning files.
6. Import Compliant User Provisioning roles.
7. Upgrade Compliant User Provisioning.
8. Import Compliant User Provisioning configuration data.
3.1 Pre-upgrade Procedures

Before you can upgrade your Access Enforcer implementation, you must perform the following
procedures:
3.1.1 Back Up Your Existing Access Enforcer Implementation:

Back up the following items:
All database tables with the prefix VIRSA_AE or VT_AE
All the installation files you used when you originally installed your current version of Access
Enforcer
Your existing data
3.1.2 Process HR Triggers (for systems that have SAP HR)

1. Log on to your current version of Access Enforcer.
2. From the navigation bar of the Configuration tab, click Background Jobs.
The Schedule Service screen appears.
3. From the Task Name dropdown list, select HR Triggers Load Data.
Note: If the background job for HR Triggers Load Data is currently active, the Deactivate
button appears at the bottom of the screen. To stop the job, click Deactivate.
4. Ensure that HR Triggers Load Data still appears as the Task Name and then select Immediate from
the Schedule Type dropdown list.
5. Click Run.
December 2008 21/55

6. From the navigation bar of the Configuration tab, click HR Triggers > Process Log to view the
processed HR triggers.
3.1.3 Uninstall Previous Version of Access Enforcer

Uninstall any previous version of Access Enforcer by following the instructions in Uninstalling SAP GRC
Access Control 5.2 or Earlier.
3.1.4 Download SAP GRC Access Control 5.3 Files

Download the SAP GRC Access Control 5.3 (Compliant User Provisioning) application files as described
in section 1.4.1.
3.2 Configure Memory Settings

You must set your memory parameters correctly to ensure that the installation does not encounter an out-
of-memory condition. You do this using the Config Tool that is installed along with SAP NetWeaver.
Proceed as follows:
1. Launch the Config Tool. The command that you use depends on your operating system:
a. If you are running the Unix or Linux operating systems, use:
/usr/sap/<SID>/DVEBMGS00/j2ee/configtool/configtool.sh
b. If you are running the Windows operating system, use:
/usr/sap/<SID>/JC00 or JC01/j2ee/configtoo//configtool.bat
2. In the Config Tool, navigate to the server instance for which you wish to set memory parameters
and select the server by its number.
3. Under the General tab, add or change the memory parameters as required. For additional details
on memory settings, refer to SAP Note 723909 (Java VM settings for J2EE 6.40/7.0).
3.3 Install SAP GRC Access Control 5.3 (Compliant User Provisioning)
1. Pre-configure the installation by applying all the xml files that you downloaded in the ARchive
(SAR) file VIRACCNT00_0.sar.
2. Install the new software by following the instructions in the SAP GRC Access Control 5.3 Installa-
tion Guide located on SAP Service Marketplace at http://service.sap.com/instguides SAP Solution
Extensions SAP Solutions for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
3. Restart your SAP NetWeaver J2EE engine.
December 2008 22/55

4. To verify that your installation was successful, launch a Web browser and enter the following
URL in the address field:
http://<server>:<port>/AE/index.jsp
Where
server = the name or IP address of the NetWeaver J2EE server on which Compliant User
Provisioning resides
port = the port number on which Compliant User Provisioning listens
If your installation was successful, you see the start screen for SAP GRC Access Control 5.3.
3.4 Import SAP GRC Access Control 5.3 (Compliant User Provisioning) Roles
Follow the steps below:
1. Use a Web browser to connect to and log on to the SAP NetWeaver J2EE server, click User
Management.
2. Log on to the UME.
3. Click Batch Import.
4. Go to the directory into which you extracted the SAP GRC Access Control 5.3 (Compliant User
Provisioning) installation files, and, using any text editor, open the file ae_ume_roles.txt.
5. Use Browse to find the file ae_ume_roles.txt, and then click Upload.
For more information, refer to UME DOC LINK below:
Hhttp://help.sap.com/saphelp_nw70/helpdata/en/d1/a73184c45e4e119e63d1b8108f1ab0/frameset.htm
3.5 Upgrade SAP GRC Access Control 5.3 (Compliant User Provisioning) Data
1. Log on to SAP GRC Access Control 5.3 (Compliant User Provisioning).
2. From the navigation bar of the Configuration tab, select Upgrade.
The Upgrade screen appears.
3. Click Upgrade.
3.6 Import SAP GRC Access Control 5.3 (Compliant User Provisioning) Configuration Data
1. Using a Web browser, connect to the SAP NetWeaver server.
2. Type the following application URL in your internet browser:
http://<hostname>:<portnumber>/AE
Where
hostname = The name or IP address of the system on which NetWeaver runs.
portnumber = The port on which Compliant User Provisioning has been configured to
listen. The default is 50000.
For example, if the SAP GRC Access Control 5.3 (Compliant User Provisioning) server resides on
host “mighty,” and it has the default port number, the correct URL would be:
http://mighty:50000/AE.
December 2008 23/55

The initial Compliant User Provisioning screen appears.

3. Click User Login. Log on with the SAP GRC Access Control 5.3 (Compliant User Provisioning)
administrative user name and password.
4. Click the Configuration tab.
5. In the navigation bar, click Initial System Data.
The Initialize DB screen appears.
6. In the content pane, click Browse and navigate to the directory into which you extracted the SAP
GRC Access Control 5.3 (Compliant User Provisioning) installation files.
7. In the Browse window, double-click the file(s), and then, in the content pane, click Import. The files
that you import are:
a. AE_init_append_data.xml - select the Append option.
b. AE_init_clean_and_insert_data.xml - select the Clean and Insert options.
c. AE_init_append_data_ForSODUARReview.xml - select Append option.
When you have completed these tasks, you have successfully upgraded your SAP GRC Access Control
5.3 (Compliant User Provisioning) implementation.
December 2008 24/55

4 Upgrading Role Expert 5.2
Purpose: Upgrade Role Expert 5.2 to SAP GRC Access Control 5.3 (Enterprise Role
Management).
Pre-Requisites: Role Expert 5.2 is installed

SAP Note 1004139 is reviewed.
Tasks 1. Uninstall the current installation

2. Install the new software
3. Post Installation Configuration
4. Upgrade to the new software
5. Optionally, change the default Org. value mapping names in SAP GRC Access
Control 5.3 (Enterprise Role Management)
4.1 Uninstall the Current Installation

If you have not already done so, uninstall the current version of Access Control. For more information see
Uninstalling SAP GRC Access Control 5.2 or Earlier.
4.2 Install SAP GRC Access Control 5.3 (Enterprise Role Expert)
Install the new software by following the instructions in the SAP GRC Access Control 5.3 Installation Guide
on SAP Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions SAP Solutions
for GRC SAP GRC Access Control SAP GRC Access Control 5.3
4.3 Post Installation Configuration

Follow the steps below to import configuration data for SAP GRC Access Control 5.3 (Enter-
prise Role Management).
1. Use a Web browser to connect to the SAP NetWeaver J2EE server.
2. Type the following URL in your internet browser.
http://<hostname>:<portnumber>/RE
Where
hostname = The name or IP address of the system on which SAP NetWeaver runs
portnumber = The port on which SAP GRC Access Control 5.3 (Enterprise Role Management)
has been configured to listen. The default is 50000.
For example, if the SAP GRC Access Control 5.3 (Enterprise Role Management) server resides on
host mighty and it has the default port number (50000), the correct URL would be:
http://mighty:50000/RE
December 2008 25/55

The initial page for SAP GRC Access Control 5.3 (Enterprise Role Management) appears.
3. Log on using the SAP GRC Access Control 5.3 (Enterprise Role Management) admin user and
password. Click User Login.
5. Click Initial System Data.
6. Click Browse and navigate to the directory into which you extracted the SAP GRC Access Con-
trol 5.3 (Enterprise Role Management) installation files.
7. In the Browse window, double click the appropriate xml files that are listed below and click Im-
port. The files that you import are:
a. RE_init_clean_and_insert_data.xml - select the Clean and Insert option.
b. RE_init_append_data.xml - select the Append option.
c. RE_init_methodology_data.xml - select the Append option.
8. Log on to SAP GRC Access Control 5.3 (Compliant User Provisioning) using the admin user and
password.
11. Click Browse and navigate to the directory into which you extracted the SAP GRC Access Con-
trol 5.3 installation files.
12. In the Browse window, double click the file AE_init_append_data_RE.xml.
13. Click Import and select the Append option.
4.4 Upgrade to the New Software

Follow the steps below to upgrade from Role Expert 5.2 to SAP GRC Access Control 5.3 (Enterprise Role
Management):
1. Log on to SAP GRC Access Control 5.3 (Enterprise Role Management) using the admin user and
password.
2. Click Configuration > Upgrade.
The system displays the Role Management version that is currently installed and the new version
to which you want to upgrade.
3. Click Upgrade.
The system displays a success message and the current version is updated to the new version.
December 2008 26/55

4.5 Organization Value Mapping (Optional)

Mapping Name is a new field that is introduced in SAP GRC Access Control 5.3 (Enterprise Role Manage-
ment. The conversion process uses a default Organizational Value Mapping model to map the 5.2 role data
to the 5.3 role data, and it fills the mapping name as part of the process. The system fills the mapping name
by concatenating the 5.2 fields for Org level, From, and To, so the mapping name becomes something like
this: Organizational Level_From_To.
You may want to change the system-assigned mapping names. If so, you can change the system’s mapping
name once per mapping. Once the mapping name is changed, the field becomes non-editable and you can
no longer change it.
If you wish to change the mapping name, follow the steps below:
1 In SAP GRC Access Control 5.3 (Enterprise Role Management), choose the Configuration tab.
2 Click Org. Value Mapping.
3 Select the mapping for which you want to change the mapping name.
4 Click Change
5 Enter a new mapping name and click Save
December 2008 27/55

Purpose: Upgrade from Compliance Calibrator 5.1 to SAP GRC Access Control 5.3
(Risk Analysis and Remediation).
Pre-Requisites: Compliance Calibrator 5.1 is installed and running.
Process Tasks: 1. Perform pre-upgrade procedures

2. Install the conversion utility and complete the technical installation of
SAP GRC Access Control 5.3 (Risk Analysis and Remediation)
3. Import the Compliance Calibrator 5.1 rules into SAP GRC Access
Control 5.3 (Risk Analysis and Remediation)
4. Validate that the rules loaded correctly
5. Validate the mitigation tables.
5.1 Pre-Upgrade Procedures

1. Download any spooled ad hoc reports to a file (spooled reports do not transfer to your new
installation).
2. Backup the database.
3. Capture and save a screen shot of the Compliance Calibrator 5.1 Rule Library to provide totals for
validation after the upgrade is complete.
4. Capture and save a screen shot of the Compliance Calibrator 5.1 Mitigating Control Library to
provide totals to validate against after the upgrade is complete.
5. Follow the steps below to export the rules from your existing Compliance Calibrator 5.1
installation:
a. From the Rule Architect tab of Compliance Calibrator 5.1, choose Utilities > Export Rules.
b. Click Get Rules.
You get the following warning because you have not entered a destination for each source in
the Export Rules List:
”Few Destinations are empty! Do you want to copy Source as Destination?”
c. In the warning dialog box, click OK.
d. Click Export Rules.
e. In the File Download box, click Open, then click Save. Enter a name and location for the
exported rules file.
The rule export process is complete.
December 2008 28/55

5.2 Install the Conversion Utility and Complete the Technical Installation
Note: The conversion utility EAR file (virsa~ccconvutil.ear) is included in the
ARchive (SAR) file VIRACCNTNT_0.sar.
1. Log on to the conversion utility by using the following URL:

http://<server_name>:<port>/webdynpro/dispatcher/virsa/ccconvutil/CC52ConvUtility
Where:
Server_name is the J2EE application server name,
Port is 5<xx>00 (xx is the J2EE instance)
For example, if the J2EE instance is 35, then the port assignment would be 53500.
2. Click Convert Data.
3. On the next screen click Export Rules.
4. When the system prompts you to Save, Open, or Cancel, choose Open and then choose Save As to save
the downloaded rules to another name. Make sure that the data file saves properly.
5. Uninstall the conversion utility EAR file (virsa~ccconvutil.ear).
6. Install SAP GRC Access Control 5.3 (Risk Analysis and Remediation) by following the instructions in
the SAP GRC Access Control 5.3 Installation Guide on SAP Service Marketplace at
http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for GRC SAP GRC Access
Control SAP GRC Access Control 5.3.
5.3 Import Rules into SAP GRC Access Control 5.3
Note: Ensure that the background job daemon is running before you proceed. For more in-
formation, see the SAP GRC Access Control 5.3 Installation Guide on SAP Service Market-
place at http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for
GRC SAP GRC Access Control SAP GRC Access Control 5.3.
1. Log on to SAP GRC Access Control 5.3 (Risk Analysis and Remediation).
2. From the Rule Architect tab, choose Utilities > Import Rules.
3. Click Browse.
4. Locate the converted rules data file that you created in the previous step and click Open.
5. Click Import Rules and import the Compliance Calibrator 5.1 rules file that you created in the Pre-
Upgrade Procedures.
a. A background job is automatically scheduled and run to import records from the file and
generate the rules.
b. Verify that the rule import job completes successfully.
c. Once you have imported the rules, a new item, Data Conversion CC5.1 > CC5.3, may be added
to the bottom of the navigation bar under the Configuration tab.
December 2008 29/55

Note: If you have migrated from an earlier version than Compliance Calibrator 5.1, that
version is indicated instead of CC5.1.
Your rules have now been converted and uploaded to SAP GRC Access Control 5.3 (Risk Analysis and
Remediation).
5.4 Validate the Rule Load

1. From the Rule Architect tab in SAP GRC Access Control 5.3, choose Rule Library.
2. Validate that the number of rules are the same as before the upgrade by comparing the Compliance
Calibrator 5.1 pre-upgrade screen shot to the SAP GRC Access Control 5.3 (Risk Analysis and
Remediation) screen.
5.5 Validate the Mitigation Tables

The mitigating controls do not require conversion; all table entries should have remained the same as
before the upgrade. Validate that the number of controls are the same as before the upgrade by
comparing the pre-upgrade screen shot to the SAP GRC Access Control 5.3 (Risk Analysis and
Remediation) screen.
December 2008 30/55

Management).
Pre-Requisites: Role Expert 5.1 is installed and running and SAP Note 1004139 is reviewed.
Tasks 1. Uninstall Role Expert 5.1

2. Pre-configure the installation
3. Install SAP GRC Access Control 5.3 (Enterprise Role Management)
4. Upgrade to SAP GRC Access Control 5.3 (Enterprise Role Management)
5. Perform post-installation configuration
6. Optionally, change the system assigned organizational value mapping
names in SAP GRC Access Control 5.3 (Enterprise Role Management)
6.1 Uninstall Role Expert 5.1

1. Log on to Role Expert 5.1
2. Click the Configuration tab, and then click Initial System Data.
3. Load the file RE_51_53_upgrade_clean_insert.xml using the option Clean and Insert. This file is
located with the initial system data files in the ARchive (SAR) file VIRACCNTNT_0.sar.
4. Uninstall Role Expert 5.1 as described in Uninstalling SAP GRC Access Control 5.2 or Earlier.
6.2 Pre-configure the Installation

Pre-configure the installation by applying all the xml files in the ARchive (SAR) file VIRACCNT00_0 that
you downloaded earlier.
6.3 Install SAP GRC Access Control 5.3 (Enterprise Role Management)
for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
6.4 Upgrade to SAP GRC Access Control 5.3 (Enterprise Role Management)
Follow the steps below to upgrade from Role Expert 5.1 to SAP GRC Access Control 5.3 (Enterprise Role
Management):
1. Log on to SAP GRC Access Control 5.3 (Enterprise Role Management) using the admin user and
password.
2. Click Configuration > Upgrade.
December 2008 31/55

The system displays the Enterprise Role Management version that is currently installed and the
new version to which you want to upgrade.
3. Click Upgrade.
The system displays a success message and the current version is updated to the new version.
6.5 Perform Post-Installation Configuration

Follow the steps below to import configuration data for SAP GRC Access Control 5.3 (Enter-
prise Role Management).
1. Use a Web browser to connect to the SAP NetWeaver J2EE server.
2. Type the following URL in your internet browser.
http://<hostname>:<portnumber>/RE
Where
hostname = The name or IP address of the system on which SAP NetWeaver runs
portnumber = The port on which SAP GRC Access Control 5.3 (Enterprise Role Management)
has been configured to listen. The default is 50000.
For example, if the SAP GRC Access Control 5.3 (Enterprise Role Management) server resides on
host mighty and it has the default port number (50000), the correct URL would be:
http://mighty:50000/RE
The initial page for SAP GRC Access Control 5.3 (Enterprise Role Management) appears.
4. Log on using the SAP GRC Access Control 5.3 (Enterprise Role Management) admin user and pass-
word. Click User Login.
7. Click Browse and navigate to the directory into which you extracted the SAP GRC Access Control 5.3
(Enterprise Role Management) installation files.
8. In the Browse window, double click the xml files that are listed below and click Import. The files that
you import are:
a. RE_init_clean_and_insert_data.xml - select the Clean and Insert option.
b. RE_init_append_data.xml - select the Append option.
c. RE_init_methodology_data.xml - select the Append option.
9. Log on to SAP GRC Access Control 5.3 (Compliant User Provisioning) using the admin user and
password.
12. Click Browse and navigate to the directory into which you extracted the SAP GRC Access Control 5.3
installation files.
13. In the Browse window, double click the file AE_init_append_data_RE.xml.
December 2008 32/55

14. Click Import and select the Append option.
6.6 Organizational Value Mapping (Optional)

Mapping Name is a new field that is introduced in SAP GRC Access Control 5.3 (Enterprise Role Manage-
ment). The conversion process uses a default Organizational Value Mapping model to map the 5.2 role data
to the 5.3 role data, and it fills the mapping name as part of the process. The system fills the mapping name
by concatenating the 5.2 fields for Org level, From, and To, so the mapping name becomes something like
this: Organizational Level_From_To.
You may want to change the system-assigned mapping names. If so, you can change the system’s mapping
name once per mapping. Once the mapping name is changed, the field becomes non-editable and you can
no longer change it.
If you wish to change the mapping name, follow the steps below:
1. In SAP GRC Access Control 5.3 (Enterprise Role Management), choose the Configuration tab.
2. Click Org. Value Mapping.
3. Select the mapping for which you want to change the mapping name.
4. Click Change
5. Enter a new mapping name and click Save
December 2008 33/55

Purpose: Upgrade from Compliance Calibrator 4.0 to SAP GRC Access Control 5.3
(Risk Analysis and Remediation).
Pre-Requisites: 1. The existing installation of Compliance Calibrator is at level 4.0 SP4 or

greater
2. The SAP GRC Access Control 5.3 Real Time Agent (RTA) must be
installed on the backend system.
For instructions on how to install the RTA, see the SAP GRC Access Control
5.3 Installation Guide.
3. If there are steps that require background processing and the files are on
an application server, you must provide a directory path that the J2EE
admin user can access on the WAS server.
Alternatively, you can mount an external file system to the WAS server
and assign read/write access to the J2EE_admin and J2EE_guest users.
Tasks: 1. Install SAP GRC Access Control 5.3 (Risk Analysis and Remediation)
2. Create system connectors.
3. Define Master User Source.
4. Upload text objects
5. Upload authorization objects.
6. Create rule sets and enter them in configuration.
7. Migrate existing data.
8. Upload existing data to SAP GRC Access Control 5.3 (Risk Analysis and
Remediation)
9. Schedule background jobs.
7.1 Install SAP GRC Access Control 5.3.

Install SAP GRC Access Control 5.3 (Risk Analysis and Remediation) as described in the SAP GRC
Access Control 5.3 Installation Guide on SAP Service Marketplace at http://service.sap.com/instguides
SAP Solution Extensions SAP Solutions for GRC SAP GRC Access Control SAP GRC Access Con-
trol 5.3.
December 2008 34/55

7.2 Create System Connectors
Note: Skip this step if it has already been done during installation.
1. Open your Web browser.

2. Enter the following URL for SAP GRC Access Control 5.3 (Risk Analysis and Remediation):
http://<servername>:<port>/webdynpro/dispatcher/sap.com/grc~ccappcomp/ComplianceCalibrator
3. Log on to Risk Analysis and Remediation as an administrator.
5. Click Connectors Create.
6. Fill in the following fields:
System ID
System Name
System Type
Connection Type (the connection type is usually Adaptive RFC).
JCO Destination
Note: The Connector IDs for any one system must be identical in each Access Control
capability.
Note: If possible entries do not display for JCO Destination, it means that the Java
connectors are not properly defined. For more information see the SAP GRC Access
Control 5.3 Installation Guide on SAP Service Marketplace at
http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for GRC SAP
GRC Access Control SAP GRC Access Control 5.3.
7. Click Save.
7.3 Define Master User Source

1. On the Configuration tab, select Master User Source.
2. Select the Configured System that has the most current user information.
3. Click Save.
7.4 Upload Text Objects

1. Log on to the SAP backend system.
2. Enter transaction code SE38 to display the ABAP Editor: Initial screen.
3. In the Program field, enter /VIRSA/ZCC_DOWNLOAD_DESC.
4. Click Execute.
December 2008 35/55

5. Create a text file as follows:

a. In the Local File field, enter a file name and a location where you want to put it.
Note: You can use the Search button to browse and name the local file. For easy access,
you can put the file on your Desktop and name it SAPText.txt.
6. Click Execute.
7. Return to the SAP GRC Access Control 5.3 (Risk Analysis and Remediation) system and click the
Configuration tab.
8. Click Upload Objects and then click Object Texts.
9. Complete the following fields:
a. System ID – If SAP GRC Access Control 5.3 (Risk Analysis and Remediation) is connected to
multiple SAP backend systems, enter a single system name here and repeat steps 1 through
10 for each SAP system.
b. Local File – Enter or browse to the location for the file SAPText.txt.
10. Click Foreground to upload your text objects.
Note: If you want to execute this job in the background, the SAPText.txt file must be
placed on an application server.
7.5 Upload Authorization Objects

2. Enter transaction code SE38 to access the ABAP Editor: Initial screen.
3. In the Program field, enter /VIRSA/ZCC_DOWNLOAD_SAPOBJ.
4. Click Execute.
5. Create a text file as follows:
a. In the Local File field, enter a file name and a location where you want to put it.
Note: You can use the Search button to browse and name the local file. For easy access,
you can put the file on your Desktop and name it SAPAuthObj.txt
6. Click Execute.
7. Return to the SAP GRC Access Control 5.3 (Risk Analysis and Remediation) system and click the
Configuration tab.
8. Click Upload Objects and then click Permissions.
9. Enter the name of your text file (for example, SAPAuthObj.txt) in the field called Local File.
10. Click Foreground to upload your authorization objects.
Note: If you want to execute this job in the background, the SAP AuthObj.txt file must be
placed on an application server.
December 2008 36/55

7.6 Create Rule Set

1. Log on to SAP GRC Access Control 5.3 (Risk Analysis and Remediation)
2. Click the Rule Architect tab, and then click Rule Sets Create.
3. Create a rule set called Global.
4. Click the Configuration tab, and then click Default Values.
5. Enter Global in the box for Default rule set for risk analysis.
6. Click Save.
7.7 Migrate Existing Data
7.7.1 Data That Can Be Migrated

You can migrate the following data from Compliance Calibrator 4.0 to SAP GRC Access Control 5.3 (Risk
Analysis and Remediation):
SoD Action Rules
SoD Permission Rules
Mitigating Controls
Critical Roles
Critical Profiles
Organizational Rules
7.7.2 Data That Cannot Be Migrated

The following data cannot be migrated from Compliance Calibrator 4.0 to SAP GRC Access Control 5.3
(Risk Analysis and Remediation):
Configuration Settings
o These must be created and saved in SAP GRC Access Control 5.3 (Risk Analysis and
Remediation).
Critical Transactions, Matrix 1 to Matrix 5, SoD Supplementary Rules, Alerts, Existing
Management Report data, Configuration options, and Custom Utilities data.
o You should manually create entries in Critical Transactions, Matrix 1 through Matrix 5
and SOD Supplementary Data in SAP GRC Access Control 5.3 (Risk Analysis and
Remediation).
Critical Actions
o In the SAP GRC Access Control 5.3 (Risk Analysis and Remediation) Rule Architect, you
combine Critical Actions into logical groupings (for example, “HR Master Data”) and
then create a function that contains those actions.
Permission Data
o You can include permission data in a function that you assign to a Critical Action Risk
and generate rules from there.
December 2008 37/55

o If your Critical Permissions are loaded to Matrix 1 – 5, you can group them into a
function, add that function to a new Critical Permission Risk, and generate rules from
there.
Note: SAP GRC Access Control 5.3 supports three types of risks: SoD, Critical Action,
and Critical Permission. Critical Actions and Permissions can only have one function
assigned; however, an SoD risk must have two or more functions assigned.
For more information about creating functions and risks, refer to the Application
Help for SAP GRC Access Control 5.3 on the SAP Help Portal at help.sap.com.
7.7.3 Migration Procedure

2. Enter transaction code SE38 to access the ABAP Editor: Initial screen.
3. In the Program field, enter /VIRSA/ZVRAT_L03.
The Risk Analysis and Remediation 5.3 Utility screen appears.
4. Under Selection Criteria, enter the System ID for your SAP GRC Access Control 5.3 (Risk Analysis
and Remediation) backend system.
Note: You can find the system ID in SAP GRC Access Control 5.3 (Risk Analysis and
Remediation), under Configuration > Connectors > Search.
5. In the File Name field, enter a name and path for your output data file.
6. Enable the CC5.1 and Above option.
7. Enter Global in the Default Rule Set ID field.
8. Click Execute.
Note: The utility exports the data to your specified file in a tab-delimited ASCII text file.
The data is not converted until you upload it to your new SAP GRC Access Control 5.3
(Risk Analysis and Remediation) system.
Note: You can only migrate rules from one Compliance Calibrator 4.0 system to SAP
GRC Access Control 5.3 (Risk Analysis and Remediation). If you have multiple backend
systems in your current system landscape, you may simplify your migration by using a
logical system to group the Compliance Calibrator 4.0 rules together (the rules must be
the same across all systems).
For more information, see the SAP GRC Access Control 5.3 Application Help at
help.sap.com and refer to the section on Logical Systems.
December 2008 38/55

7.8 Upload the Data into SAP GRC Access Control 5.3 (Risk Analysis and Remediation)
Caution: When you upload data to SAP GRC Access Control 5.3, existing rule and
mitigation data is overwritten.
Note: This conversion process immediately updates all data except Permission rules which
are sent to the background job daemon. Permission rules are not migrated until the
background job completes.
1. Log on to SAP GRC Access Control 5.3 (Risk Analysis and Remediation).
2. Click the Rule Architect tab, and then click Utilities > Import Rules.
3. In the field Local File Name, enter the path and file name that you specified when you
exported your Compliance Calibrator 4.0 data in the previous step.
4. Click Import Rules.

The system converts the data and imports it into SAP GRC Access Control 5.3 (Risk
Analysis and Remediation).
Note: Permission rules may take a few minutes to be generated as they are
processed by the background job daemon.
5. Follow the steps below to verify that the background job is complete:
a. On the Configuration tab, choose Background Job > Search.

b. In the Job ID field, enter Job PERM_RULE_GENERATION
c. Click Enter to see the job status.
6. Confirm that the correct number of rules was uploaded by comparing the Rule Library in
SAP GRC Access Control 5.3 to the Rule Library in Compliance Calibrator 4.0. Ensure that
the Number of Active Rules and the Disabled Rules in SAP GRC Access Control 5.3 (Risk
Analysis and Remediation) match those in Compliance Calibrator 4.0.
7. Confirm that the mitigating controls converted correctly by following these steps:
a. Access the Mitigating Control Library in Compliance Calibrator 4.0.
b. In SAP GRC Access Control 5.3 (Risk Analysis and Remediation), click the
Mitigation tab, and then click Mitigated Users.
c. Click Select All and click Search.
d. Ensure that the number of mitigated users is the same for both systems.
December 2008 39/55

7.9 Schedule Background Jobs
Note: See the SAP GRC Access Control 5.3 Installation Guide, Post-Installation Steps, for
details about running background jobs.
1. In SAP GRC Access Control 5.3 (Risk Analysis and Remediation), click the Configuration tab and
then click Background Job Schedule Analysis.
2. Follow the steps below to perform User, Role, and Profile Synchronization.
a. Go to the User/Role/Profile Synchronization section and select Full Sync in the Sync
Mode field.
b. Select the following synchronization types:
User Synchronization
Role Synchronization
Profile Synchronization
c. Accept wildcard (*) values for each system.
d. Click Schedule. The Schedule Risk Analysis screen displays.
e. Enter the Job Name.
f. Select Immediate.
g. Click Schedule.
The following message displays: Background job scheduled successfully, Job ID: XX.
3. Perform Batch Risk Analysis.
Note: Perform this step after you determine which users, roles, and profile analysis
should be stored in SAP GRC Access Control 5.3 (Risk Analysis and Remediation). After
the initial full synchronization, schedule a nightly background job to run an incremental
synchronization.
a. Go to Batch Risk Analysis, and select Full Sync in the Batch Mode field.
b. Select Report Type: Permission Level Analysis.
c. Select the following risk analysis types:
User Analysis
Role Analysis
Profile Analysis (only if profiles are assigned to Users in Production).
d. Click Schedule.
The Schedule Risk Analysis screen displays.
e. Schedule the job to run Immediately.
Note: For instructions on how to run this job, refer to Step 2 above: Perform
User/Role/Profile Synchronization.
December 2008 40/55

6. Schedule Management Reports.
Note: Management View Risk Analysis data can be displayed for a one month period. The
current month data is updated each time you run a Management Report job.
a. Go to Management Reports tab and select Management Reports.
b. Click Schedule.
The Schedule Risk Analysis screen displays.

c. Schedule the job to run Immediately.
Note: For instructions on how to run this job, refer to Step 2 above Perform
User/Role/Profile Synchronization.
You have completed the post-installation and conversion process.
Note: The management reports should now be populated with risk analysis data.
December 2008 41/55

Management).
Pre-Requisites: Role Expert 4.0 is installed and running

Review SAP Note 1004139
Tasks: 1. Preconfigure the installation

2. Install SAP GRC Access Control 5.3 (Enterprise Role Management)
3. Map Role Expert 4.0 attributes to SAP GRC Access Control 5.3 (Enterprise
Role Management) attributes
4. Manually export roles from Role Expert 4.0
5. Import Role Expert 4.0 roles to SAP GRC Access Control 5.3 (Enterprise
Role Management)
8.1 Preconfigure the installation

Pre-configure the installation by applying all the xml files in the ARchive (SAR) file VIRACCNT00_0.sar
that you downloaded earlier.
8.2 Install SAP GRC Access Control 5.3 (Enterprise Role Management)
Install SAP GRC Access Control 5.3 (Enterprise Role Management) by following the instructions in the
SAP GRC Access Control 5.3 Installation Guide on SAP Service Marketplace at
http://service.sap.com/instguides SAP Solution Extensions SAP Solutions for GRC SAP GRC Access
Control SAP GRC Access Control 5.3
December 2008 42/55

8.2 Map the Role Expert 4.0 Attributes to SAP GRC Access Control 5.3 (Enterprise Role
Management) Attributes
Prior to importing role information, you must manually configure some attributes in SAP GRC
Access Control 5.3 (Enterprise Role Management) as indicated in the table below:
Role Expert 4.0 Attributes that you migrate Attributes that you con-
Attributes manually figure manually
Role Type(S) Role type (s = single, c = com-

posite)
Role Name Role Name
Short Description Short Description
Local Owner Owner/Approver 1
Global Owner Alternative Owner/Approver 1
Critical Level Custom Attribute – Critical X

Level
Module Name Functional Area X

Status Custom Attribute – Status X
Project Name Project / Release X
Business Process Business Process X
Sub Process Sub Process X
Org Unit 1 Custom Attribute – Org Unit X
December 2008 43/55

Role Expert 4.0 Attributes that you migrate Attributes that you con-
Attributes manually figure manually
Transaction Transaction
Long Description in Detailed Description

English
Test Results Test Results Description
Tickets Information Reference no. in Change Histo-

ry
Function Area Functional Area X

Primary Approver Owner 2, 3, 4 and so on
Secondary Approver Alternate Owner 2, 3, 4 and so

on
Additional Attribute Custom Attribute X

Type
Additional Attribute Value for above attribute X

Value
Change History Parse it and populate in

Change history
Authorization Details Goes into change history as

1 part of Remarks
Authorization Details Goes into change history as

2 part of Remarks
Remarks 1 Goes into change history as

part of Remarks

part of Remarks

part of Remarks
8.3 Export Role Expert 4.0 Roles

Export the Role Expert 4.0 roles into an MS Excel spreadsheet. For information about how to do this, see
SAP Service Marketplace at http://service.sap.com/instguides -> SAP Solution Extensions -> SAP Solutions for
GRC ->SAP GRC Access Control SAP GRC Access Control 4.0 / 5.1 Role Expert 4.0 /5.1 for SAP User
Guide.
December 2008 44/55

8.4 Import Role Expert 4.0 Roles to SAP GRC Access Control 5.3 (Enterprise Role
Management)
1. Open SAP GRC Access Control 5.3 (Enterprise Role Management) and click on Role Expert Role
Configuration Migration from 4.0 Role.
2. Browse to the Excel file(s) that you created in the previous step.
3. Select the role type and the system landscape to be associated with the imported roles. If existing roles
need to be overwritten, click Overwrite Role if exists.
Note: Single roles must be imported before composite roles.
December 2008 45/55

9 Upgrading Firefighter 4.0, 5.1, and 5.2
Purpose: Upgrade Firefighter 4.0, 5.1, or 5.2 to SAP GRC Access Control 5.3 (Superuser
Privilege Management)
Pre-Requisites: Firefighter 4.0, 5.1, or 5.2 is installed and running.
Tasks: 1. Perform the pre-upgrade procedures:

a. Review SAP Note 1006083
b. Backup existing master data
c. Download the master data from your current Firefighter
installation
2. Uninstall the Firefighter software (only applies to version 5.2)
3. Install SAP GRC Access Control 5.3 (Superuser Privilege Management)
4. Install the SAP GRC Access Control 5.3 Real Time Agent (RTA)
5. Perform post-installation configuration
6. Validate the entries
7. Upgrade (only for Firefighter 5.1) to SAP GRC Access Control 5.3
(Superuser Privilege Management)
9.1 Pre-Upgrade Procedures

1. Read SAP Note 1006083 which is located at SAP Service Marketplace at http://service.sap.com/notes
2. Backup your existing master data.
3. Download the master data from Firefighter.
Note: For information about how to do this, see SAP Service Marketplace at
http://service.sap.com/instguides -> SAP Solution Extensions -> SAP Solutions for GRC -
>SAP GRC Access Control SAP GRC Access Control 4.0 / 5.1 Role Expert 4.0 /5.1 for SAP--
User Guide.
9.2 Uninstall the Current Files (Firefighter 5.2 only)

For version 5.2, uninstall Firefighter as described in Uninstalling SAP GRC Access Control 5.2 or Earlier.
9.3 Install SAP GRC Access Control 5.3 (Superuser Privilege Management)
for GRC SAP GRC Access Control SAP GRC Access Control 5.3.
December 2008 46/55

9.4 Install SAP GRC Access Control 5.3 Real Time Agent (RTA)
Install the SAP GRC Access Control 5.3 RTA as described in the SAP GRC Access Control 5.3 Installation
Guide on SAP Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions SAP
9.5 Perform Post-Installation Configuration
Perform the post-installation configuration as described in the SAP GRC Access Control 5.3 Installation
Guide on SAP Service Marketplace at http://service.sap.com/instguides SAP Solution Extensions SAP
9.6 Validate the Entries

Compare the migrated data to the data in the prior version to verify that the migration processed
correctly.
1. Log on to the SAP backend system
2. Execute transaction /N/VIRSA/VFAT.
3. Validate the table entries and check the log report.
9.7 Upgrade to SAP GRC Access Control 5.3 (Superuser Privilege Management)
Note: This step only applies when you upgrade from Firefighter 5.1
Run the migration utility by following these steps:

1. Go to transaction SE38 in the SAP backend system.
2. Enter the utility /VIRSA/ZVFAT_U07 in the Program field.
3. Click Execute.
December 2008 47/55

10 Uninstalling Access Control 5.2 or Earlier
To uninstall earlier versions of Access Control you must manually uninstall all of the files for each capa-
bility separately.
You connect to the Software Deployment Manager (SDM) and select the Undeploy tab and then select the
files to be uninstalled, except for the dictionary file. You can either uninstall them as a group or indivi-
dually; if you uninstall them individually you must uninstall them in the order that they are listed below.
10.1 Uninstall Compliance Calibrator 5.2
10.1.1 For Support Pack 5 and above, uninstall the following components:
virsalib.sd
sap.com~grc~ccume.sda
sap.com~grc~ccxsysbe
sap.com~grc~ccxsysbehr
sap.com~grc~ccappcomp
sap.com~grc~ccxsysw
sap.com~grc~ccxsysbgear
sap.com~grc~ccxsysactionws
10.1.2 For Support Pack 4 and below, uninstall the following components:
virsalib.sda
sap.com~ccume.sda
virsa~ccxsysbe
virsa~ccxsysbehr
virsa~ccappcomp
virsa~ccxsysws
virsa~ccwsproxy (if exists)
virsa~ccxsysbgear
virsa~ccxsysactionws
December 2008 48/55

10.2 Uninstall Compliance Calibrator 5.1
10.2.1 For Support Pack 6 and above, uninstall the following components:
virsalib.sda
sap.com~grc~ccume.sda
sap.com~grc~ccxsysbe
sap.com~grc~ccxsysbehr
sap.com~grc~ccappcom
sap.com~grc~ccxsysws
sap.com~grc~ccxsysbgear
10.2.2 For Support Pack 5 and below, uninstall the following components:
virsalib.sd
virsa~ccume.sda
virsa~ccxsysbe
virsa~ccxsysbehr
virsa~ccappcomp
virsa~ccxsysw
virsa~ccwsproxy
virsa~ccxsysbgear
10.3 Uninstall Access Enforcer 5.2
10.3.1 For all support packs, uninstall the following components:

AEUME.sda
AEEAR.ear
AEWorkFlowWSEAR.ear (If Exists)
AEEAR4WS.ear (If Exists)
AEDictionary.sda (If Exists)
10.4 Uninstall Access Enforcer 5.1

AEUME.sda
AEEAR.ear
AEWorkFlowWSEAR.ear (if exists)
AEEAR4WS.ear (if exists)
December 2008 49/55

10.5 Uninstall Role Expert 5.1 and 5.2

AEWFCADApproversServiceWS_5_2.ear
AEWFExitServiceWS_5_2.ear
REEar.ear
REUME.sda
10.6 Firefighter 4.0 and 5.1 (Nothing to Uninstall)

Firefighter 4.0 and 5.1do not have anything that needs to be uninstalled.
10.7 Uninstall Firefighter 5.2
10.7.1 For Support Package 3 and below, uninstall the following components:
firefighterlib.sda
sapgrc~ffume.sda
sapgrc~ffappcomp.ear
10.7.2 For Support Package 4 and above, uninstall the following components:
sap.com~grc~ffext.sda
sap.com~grc~ffume.sda
sap.com~grc~ffappcomp.ear
sap.com~grc~ffwsproxy.ear
December 2008 50/55

Appendix A: SAP GRC Access Control 5.3 Permissions
The table below lists all the permissions that are delivered in SAP GRC Access Control 5.3. You
may wish to add new permissions to your existing roles after your upload them.
Permission Description Permission Name
Permission to view Access Enforcer Tab ViewAccessEnforcer
Permission to view Informer Tab ViewInformer
Permission to view Configuration Tab ViewConfiguration
Permission to create request from ViewCreateRequest

approver view
Permission to copy request from approver ViewCopyRequest

view
Permission to view request audit trail from ViewRequstAuditTrail

approver view
Permission to reaffirms from approver ViewReaffirms

view
Permission to mitigate a risk from risk ViewMitigation

analysis screen in the approver view
Permission to approve request in the ViewApprove

approver view
Permission to reject request in the ViewReject

approver view
Permission to put request on hold in the ViewHold

approver view
Permission to forward request from the ViewForwardRequest

approver view
Permission to reroute request from the ViewReRoute

approver view
Permission to perform risk analysis from ViewRiskAnalysis
December 2008 51/55

the approver view
Permission to provision roles and profiles ViewAssignRolesProfiles

in the back end system from the approver
view
Permission to select roles and add to the ViewSelectRoles

request in the approver view
Permission to select PD Profiles and add to ViewSelectPDProfiles

request in the approver view
Permission to provision user CreateSAPUser

account(create, delete, lock, unlock) in the
back end system in the approver view
Permission to create mitigation control in CreateMitigationControl

approver view
Permission to search for all request from ViewSearchRequestAll

approver view
Permission to define delegate approver for ViewApproverDelegation

himself/herself
Permission to modify Request ModifyRequestConfiguration

Configuration
Permission to modify Mitigation ModifyMitigationConfiguration

Configuration
Permission to modify risk analysis ModifyRiskAnalysisConfiguration

configuration
Permission to modify Service Level ModifyServiceLevelConfiguration

Configuration
Permission to modify Custom Fields ModifyCustomFieldsConfiguration

Configuration
Permission to modify Enduser ModifyEnduserPersonalizationConfiguration

Personalization Configuration
Permission to modify Workflow ModifyWorkflowConfiguration
December 2008 52/55

Configuration
Permission to modify Provisioning ModifyProvisioningConfiguration

Configuration
Permission to modify Approvers ModifyApproversConfiguration

Configuration
Permission to modify Reaffirms ModifyReaffirmsConfiguration

Configuration
Permission to modify Change Log ModifyChangeLogConfiguration

Configuration
Permission to search change log SearchChangeLog
Permission to modify Number Range ModifyNumberRangeConfiguration

Configuration
Permission to modify Support ModifySupportConfiguration

Configuration
Permission to modify Connectors ModifyConnectorsConfiguration

Configuration
Permission to modify Authentication ModifyAuthenticationConfiguration

Configuration
Permission to modify User Data Source ModifyUserSearchDataSourceConfiguration

Configuration
Permission for modifying Password Self ModifyPasswordSelfServiceConfiguration

Service Configuration
Permission to modify Background Jobs ModifyBackgroundJobsConfiguration

Configuration
Permission to modify Miscellaneous ModifyMiscellaneousConfiguration

Configuration
Permission for modifying Roles ModifyRolesConfiguration

Configuration
Permission for modifying Attribute ModifyAttributeConfiguration
December 2008 53/55

Configuration
Permission for modifying HR Triggers ModifyHRTriggersConfiguration

Configuration
Permission for modifying User Defaults ModifyUserDefaultsConfiguration

Configuration
Permission for modifying Initial Data ModifyInitialSystemDataConfiguration

Configuration
Permission for modifying Request ModifyAttachmentFolder

Attachment Folder
Permission for viewing System Log in ViewConfigSystemLogAction

Configuration
Permission for viewing Application Log in ViewConfigApplicationLogAction

Configuration
Permission for modifying LDAP Mapping ModifyConfigLDAPMappingAction

Configuration
Permission for Upgrade Configuration ViewUpgradeAction
Permission for Archiving Request ArchivingRequest
Permission for viewing Informer Reports ViewIFChartAccessRequestAction

Access Request Chart View
Permission for viewing Informer Reports ViewIFChartRiskViolationAction

Risk Violation Chart View
Permission for viewing Informer Reports ViewIFChartProvisioningAction

Provisioning Chart View
Permission for viewing Informer Reports ViewIFChartServiceLevelAction

Service Level Chart View
Permission for viewing Informer Service ViewIFRequestServiceLevelAction

level
Permission for viewing Informer Request ViewIFRequestConflictsMitigationAction

Conflicts and Mitigations
December 2008 54/55

Permission for viewing Informer Request ViewIFRequestRoleOwnerAction

Role Owner
Permission for viewing Informer Role ViewIFRoleOwnerAction

Owner
Permission for viewing Informer Request ViewIFRequestByStructProfilesAction

By Structural Profiles
Permission for viewing Informer Report ViewIfReportViewAction

View
Permission for viewing Informer Risk ViewIfRiskViolationDetails

Violation Details
Permission for viewing Informer Cancel ViewIfCancelRiskViolationDetails

Risk Violation Details
Permission for viewing Remove Access ViewRemoveAccess

Button on SOD Review page
Permission for viewing Save Request ViewSaveRequest

Permission for viewing Submit Request ViewSubmitRequest

Permission for viewing SOD Review ViewSODReviewHistoryReportAction

Informer Report
Permission for viewing UAR Review ViewUARReviewHistoryReportAction

Informer Report
Permission for viewing Delegation Report ViewDelegationReportAction
Permission for Requests Administration ViewRequestsAdministration
Permission to view Super Access Button ViewSuperAccess
December 2008 55/55

Oracle 11g - SQL Fundamental Exam Guide (Exam 1Z0-051)

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Oracle 11g - SQL Fundamental Exam Guide (Exam 1Z0-051)

Hochgeladen von

Copyright:

Verfügbare Formate

Upgrade Guide

Document Version 1.10 - December 2008

© Copyright 2008 SAP AG. All rights reserved.

December 2008 2/55

Example Emphasized words or expressions

Example Textual cross-references to an internet address, for example, http://www.sap.com

123456 Hyperlink to an SAP Note, for example, SAP Note 123456

EXAMPLE Keys on the keyboard

December 2008 3/55

December 2008 4/55

December 2008 5/55

December 2008 6/55

10.7 UNINSTALL FIREFIGHTER 5.2 ..................................................................................................................... 50

December 2008 7/55

1.2 Important Name and Product Changes

Previous Component Name New Capability Name

Compliance Calibrator Risk Analysis and Remediation

Access Enforcer Compliant User Provisioning

Role Expert Enterprise Role Management

Firefighter Superuser Privilege Management

December 2008 8/55

1.3 Upgrade Path Summaries

December 2008 9/55

Risk Analysis and Compliant User Enterprise Role Superuser

December 2008 10/55

for GRC SAP GRC Access

Step 5 Not applicable Upgrade Compliant Not applicable Perform post-

December 2008 11/55

Risk Analysis and Compliant User Enterprise Role Superuser Privilege

December 2008 12/55

5.3 (Enterprise Role

Step 6 Not applicable Import Compliant Not applicable Upgrade to SAP

December 2008 13/55

Risk Analysis and Compliant User Enterprise Role Superuser

Step 5 Upload authorization Not applicable Import Role Validate the

December 2008 14/55

More For detailed For detailed

December 2008 15/55

1.4 Upgrade Considerations

1.4.1 SAP NetWeaver Version

SAP Basis Component 46C SAPKB46C55

December 2008 16/55

1.4.3 Upgrade Documentation

SAP Note Number Title Description

1133169 Upgrade to SAP BASIS 620 These notes contain information

1133170 Upgrade R/3 Enterprise These notes contain additional

December 2008 17/55

1.4.4 Upgrading Real Time Agents

Note: VIRSANH and VIRSAHR comprise the RTA component.

Note Number Description

1138015 VIRSANH 530_46C Support Packages for 46C

1.5 The Upgrade Process

December 2008 18/55

1.5.1 Downloading the SAP GRC Access Control 5.3 files

1. Go to SAP Service Marketplace at service.sap.com.

December 2008 19/55

2 Upgrading Compliance Calibrator 5.2

December 2008 20/55

3 Upgrading Access Enforcer 5.1 and 5.2

Tasks: 1. Perform pre-upgrade procedures.

3.1 Pre-upgrade Procedures

3.1.1 Back Up Your Existing Access Enforcer Implementation:

3.1.2 Process HR Triggers (for systems that have SAP HR)