sap grc migration 5.3 to 10.configuration guide
DESCRIPTION
Sap Grc Migration 5.3 to 10.ConfigurationTRANSCRIPT
SAP GRC 5.3 to 10.1 Migration Configuration
Table of ContentsSAP GRC 5.3 to 10.1 Migration Configuration..............................................................................................1
Introduction:...............................................................................................................................................3
Prerequisites:..............................................................................................................................................3
Data Export:...............................................................................................................................................17
Exporting the Configuration and Master data:......................................................................................18
Exporting Transactional Data:................................................................................................................28
Exporting SPM 5.3 Data.........................................................................................................................29
Post Installation steps of AC 10.1:.............................................................................................................31
Importing the Common configuration to GRC Server:...............................................................................80
Intra-Migration tasks:............................................................................................................................84
Importing RAR Data...................................................................................................................................88
Importing Workflow Data..........................................................................................................................96
Importing ERM Repository Data................................................................................................................97
Importing CUP Repository Data.................................................................................................................98
Importing SPM Data................................................................................................................................100
Importing Workflow Rule Data................................................................................................................101
Completing Post-Import Tasks.................................................................................................................111
Generating the Rules...........................................................................................................................112
Completing Methodology Process Assignments..................................................................................114
Data Validation:.......................................................................................................................................119
AC 10.1 Configuration:.............................................................................................................................122
BRM Configuration:.................................................................................................................................128
Create BRF+ Rule.................................................................................................................................131
Assign Condition Group Type to BRF+.................................................................................................138
Define Role Methodology Process and Steps......................................................................................138
Associate Role Methodology Process to Condition Group..................................................................139
Creating Role Approval Workflow.......................................................................................................140
Introduction:This document contains the migration steps of GRC Access Control from 5.3 to 10.1 SP4 version. Before starting the migration, check the AC 10.1 is properly installed which also includes the plug-ins on all AC backend systems. Upgrade the AC 5.X server to AC 5.3 SP20 level.
The following steps describe the migration process which is covered in detail.
1. Complete the Pre-requisites2. Export the SPM data3. Export the configuration, master, and transactional data (AC 5.3 only). Then copy the exported
data to the import location 4. Import the common configuration data into AC 10.1 5. Complete the intra-migration tasks 6. Import the application data into AC 10.1 7. Complete the post-import tasks. 8. Validate the data
Prerequisites:1. Activating the required BC sets using T-code SCPR20 in 10.1 server. BC sets to activate for
migration GRAC_ROLE_MGMT_ROLE_STATUS GRAC_ROLE_MGMT_METHODOLOGY and GRAC_ROLE_MGMT_LANDSCAPE.
Select Activate option on top and create Transport. Select Expert mode while activating.
GRAC_ROLE_MGMT_METHODOLOGY:
GRAC_ROLE_MGMT_LANDSCAPE:
Activation ended with warnings.
As per link http://scn.sap.com/thread/3370618, these warnings can be ignored. Chapter 8 in installation guide tells the same.
2. Verify following parameters are maintained with default values.
Maintaining the parameters:
Select New Entries and maintain the values
Creating a custom field in AC 5.3:
Before migrating CUP and ERM data, manually create all AC 5.3 custom fields in AC 10.1 using SAP custom field naming conventions. In AC 10.1, start field names with x, y, or z. For example if the AC 5.3 custom field name is location, use zlocation as the new custom field name to preserve the data it contains.
Create Custom fields in CUP 5.3 under configuration tab.
Custom fields will populate in user request under “more option”
Creating the organization unit:
Create Parent Organizations in 10.1 system under SPRO.
Organizations in Front End NWBC:
Create Child Org for the Parent Org’s created in SPRO.
Data Export: We export the GRC CUP, ERM and RAR data using the migration tool installed in GRC AC 5.3
server. The data export process is as per below.1. Launch the data export application using the below URL
http://<servername>:5<instance>00/webdynpro/dispatcher/sap.com/grc~acmigapl/ GRC2010Migration
Note: Server name in above URL has to be 5.3 server.
First configure the Data Export location, before Data export. Select Configure Data export location under Administration.
Exporting the Configuration and Master data:2. In the AC 5.3 Configuration and Master Data Export section, choose Data Export.
Select the objects for export.
Select Next to Review the selected objects:
Select Start Export and Results
Exporting Transactional Data:
In the AC 5.3 Transactional Data Export section, choose Data Export
Exporting SPM 5.3 Data
1. Log on to the backend system (system on which the Access Control 10.1 plug-ins are installed) to update an existing AC 4.0 or AC 5.3 environment.
2. Execute transaction /GRCPI/AC_EXPORT. 3. Enter data in the following fields (all fields are required):
Note: 1. System ID should be same as connector name which will be created in 10.1 server. Check whether SPM data is configured in 5.3, if there is no SPM data then the tool will not generate any files. Generated files get stored in the parent drive EX: if the location is like E:\usr\sap\migration, then the files get stored in E: drive, so search for files starting with “GRACSPM*”.
Post Installation steps of AC 10.1:1. Activating the SICF services using Tcode SICF.
2. AC BC sets Activation:o Activate the BC sets using SCPR20 for BRM, ARA, ARM and SPM.
Specific to Business Role Management:1. GRAC_ROLE_MGMT_SENTIVITY
2. GRAC_ROLE_MGMT_PRE_REQ_TYPE
3. GRAC_ROLE_SEARCH_COFIGURATION
4. GRAC_ACCESS_REQUEST_REQ_TYPE
5. GRAC_ACCESS_REQUEST_APPL_MAPPING
6. GRAC_ACCESS_REQUEST_PRIORITY
7. GRAC_DT_REQUEST_DISPLAY_SECTIONS
8. GRAC_DT_REQUEST_FIELD_LABELS
9. GRAC_DT_REQUEST_PAGE_SETTINGS
10. GRAC_RA_RULESET_COMMON
11. GRAC_RA_RULESET_SAP_BASISo This BC set activation will activate the rules for Basis module.
12. GRAC_RA_RULESET_SAP_R3
3. Connector Creation: o Create a RFC destination from GRC 10.1 server to back end systems, where the plugins
are installed. Follow the below steps.1. Create a RFC connection in 10.1 system using SM59
1. Create a communication user ID for RFC Connection with SAP_ALL and GRC AC All role. This User ID will be used for provisioning too.
2. In Governance, Risk and Compliance > Common Component Settings > Integration Framework, choose Maintain Connectors and Connection Types
3. Choose Define Connectors, and define the connector.
4. Choose Define Connector Groups, and define the connector group
5. In Assign Connector Groups to Group Types, assign the group type to the group, and assign the connector to the connector group in Assign Connectors to Connector Group.
6. In Governance, Risk and Compliance > Common Component Settings > Integration Framework, choose Maintain Connection Settings. The Determine Work Area dialog appears. The integration frame works are very important to perform the actions. Assign all the scenarios for each connector.
7. In Governance, Risk and Compliance > Access Control > Maintain Connector Settings. The Maintain Connector Setting screen appears. This option is also used to set the password self -service for the connector system. Activate PSS option for that feature.
8. In Governance, Risk and Compliance > Access Control > Maintain Mapping for Actions and Connector Groups. The Maintain Connector Group Status screen appears.
9. Assign the application type to the connector group, and activate it. Assign actions for the defined connectors, and assign the default connector for each action (for each connector group). Actions are like role generation, risk analysis and request creation. Assign all the actions for each connector and also select the default connector.
4. Parameter Configuration:
Configure the parameter ID’s with required values as per business requirements.
Configuring the change log
1. Configuring the Mitigation parameters
2. Risk Analysis parameters
3. Risk Analysis Spool
4. Workflow parameters
5. EAM parameters
6. Performance parameters
7. Risk Analysis—Access Request
8. Role Management
9. Access Request Role Selection
10. Access Request Default roles
11. Access Request Role Mapping
12. SOD Review
13. Access request business role
14. Access Request Validations
15. Simplified Access Request
5. Activate Common Workflow Execute Perform Automatic Workflow Customizing: By executing this, the workflow events
gets activated and will help in workflow process.
Execute Perform Task-Specific Customizing: Activate the event linkage and agents for workflow process.
If no folders are visible below the “GRC“folder please run report “RS_APPL_REFRESH” in SE38.
Click the Assign Agents link at the right side of the GRC node.
Assign Task as General Task via Task Attribute. Make sure all tasks that are not using Background task have been assigned as General Task.
Click Activate Event Linkage. Click the Properties icon
Set the Linkage Status to No errors. Make sure Event linkage activated is checked. Set Error feedback to Do not change linkage. Be sure to activate all WS.
In case the GRC plugins installed also in the central GRC instance then the task-specific customizing for Access Control is not visible in IMG as shown below. In such cases, follow the below steps.
Execute SWE2 to customize the task setting for GRC AC, when plugins are installed on central server.
Importing the Common configuration to GRC Server:1. Log on to the SAP Access Control system 10.1. 2. Execute transaction GRAC_DATA_MIGRATION 3. Choose Start Process to start the import process 4. Select the system from which to import the data
5. Choose the files to import by selecting the corresponding boxes to the left of the files. Specify the location of files, where the data was exported earlier.
Intra-Migration tasks:Perform the below steps before importing the CUP, ERM, RAR, SPM and workflow data.
Scheduling the repository synchronization:
1. Navigate to Governance, Risk and Compliance > Access Control > Synchronization Jobs, and choose Authorization Synch. The Authorization Data Synchronization screen appears
Above issue is because of RFC port. Sync job completed after opening the port.
Performing Profile, Role, and User Synchronization
2. Navigate to Governance, Risk and Compliance > Access Control > Synchronization Jobs, and choose Repository Object Synch. The Repository Object Synchronization screen appears.
3. Importing Roles for Defined Connectors (CUP Roles Only)
Execute transaction GRAC_ROLE_MASS_IMPRT to import roles to AC 10.1 for all defined connectors.
Note: 1. Run the role import from NWBC instead from above Tcode.
For above error implement SAP Note 1895324. However the role exists in the system after error.
Importing RAR Data1. Execute transaction GRAC_DATA_MIGRATION. The welcome screen appears.
2. On the Select Process Type screen, select Import RAR Data 3. In the Enter Org Unit field, enter the organization unit. This is a mandatory field. This is the
Organization Unit you created in section 4.3, creating the Organization Unit. When importing RAR data, AC 5.3 business units are migrated as AC 10.1 organizations. The Business Process, and Business Sub process fields, used with mitigation controls, are optional and can be left blank.
Importing Workflow Data1. On the Select Process Type screen, select Import Workflow Data. 2. In the Import Location field, enter the location of the exported data, and choose Get Files. 3. Choose the files to import by selecting the corresponding boxes to the left of the files
Importing ERM Repository Data1. On the Select Process Type screen, select Import ERM Repository Data 2. In the Import Location field, enter the location of the exported data, and choose Get Files
Importing CUP Repository Data1. On the Select Process Type screen, select Import CUP Repository Data 2. Optionally, choose the Use default landscape checkbox. CUP Roles in AC 5.3 do not have an
associated landscape. Choosing the Use default landscape checkbox causes the SAP solutions for GRC 10.1 Data Import Application to group all systems associated with AC 5.3 CUP Roles into the default landscape, creating the corresponding role-to-landscape association in AC 10.1.
Importing SPM Data1. On the Select Process Type screen, select Import SPM Data. 2. In the Import Location field, enter the location of the exported data, and choose Get Files
Importing Workflow Rule Data1. Execute transaction GRFNMW_DEV_RULES. The Generate MSMP Rule for Process screen appears
3. Enter the following data in the corresponding fields: In the MSMP Process ID field, enter the corresponding process ID, from among the following: SAP_GRAC_ACCESS_REQUEST, SAP_GRAC_SOD_RISK_REVIEW, or SAP_GRAC_USER_ACCESS_REVIEW. In the Rule Type field, enter BRFplus Flat Rule (Line Item by Line Item). In the Rule Kind field, choose Initiator Rule. Type values in the Rule ID and Application/Func. Group Name fields. Start the values using the letter Z, for example, ZHP_0206_AR_I_02.
4. Execute transaction GRAC_WF_MIG. The Migrate Initiators and CAD screen appears
5. Enter the following data in the corresponding fields: Select the Initiators Rule radio button. In the Initiator/CAD File Location field, enter the data location. In the MSMP Process ID field, enter the corresponding process ID, from among the following: SAP_GRAC_ACCESS_REQUEST, SAP_GRAC_SOD_RISK_REVIEW, or SAP_GRAC_USER_ACCESS_REVIEW. In the Application/Func. Group Name field, enter the value you specified in above step2. In the Initiators Rules ID field, enter the value you specified in above Step.
To import CAD/agent rules:
1. Execute transaction GRFNMW_DEV_RULES. The Generate MSMP Rule for Process screen appears.
2. Enter the following data in the corresponding fields: In the MSMP Process ID field, enter the corresponding process ID, from among the following: SAP_GRAC_ACCESS_REQUEST, SAP_GRAC_SOD_RISK_REVIEW, or SAP_GRAC_USER_ACCESS_REVIEW. In the Rule Type field, enter BRFplus Flat Rule (Line Item by Line Item). In the Rule Kind field, choose Agents Rule. Type values in the Rule ID and Application/Func. Group Name fields
3. Execute transaction GRAC_WF_MIG. The Migrate Initiator and CAD screen appears 4. Enter the following data in the corresponding fields: Select the Agent Rule radio button. In
the Initiator/CAD File Location field, enter the data location. In the MSMP Process ID field, enter the corresponding process ID, from among the following: SAP_GRAC_ACCESS_REQUEST, SAP_GRAC_SOD_RISK_REVIEW, or
SAP_GRAC_USER_ACCESS_REVIEW. In the Application/Func. Group Name field, enter the value you specified in Step 3. In the Approvers Rules ID field, enter the value you specified in Step 3. In the Alternate Approvers Rule ID field, enter the value you specified in Step 6.
Creating number ranges:
Completing Post-Import Tasks1. Complete the following tasks:
Activate GRC_MSMP_CONFIGURATION BC set Generate the rules Create function modules Maintain workflow stage settings Complete methodology process assignments
Activating the GRC_MSMP_CONFIGURATION BC Set
Generating the Rules1. Using AC 10.1, navigate to Rule Setup > Access Risks 2. Select the risk for which you need to generate rules, and choose Generate Rules 3. Alternatively, you can generate multiple rules using the IMG configuration. In this case, use
transaction SPRO > navigate to SAP Reference IMG > Governance, Risk and Compliance > Access Control > Access Risk Analysis > Generate SoD Rules. Select the range of SoD risks that you want to generate rules for, and choose Execute.
Completing Methodology Process Assignments1. Imported CUP Roles imported from back-end systems and AC 5.3 do not get an assigned
methodology process. As a result, these roles are not editable.2. You therefore need to assign the methodology process for these roles.3. In AC 10.1, choose Access Management > Role Mass Maintenance > Role Update 4. Select all migrated CUP roles, and choose Next. 5. Choose All Attributes in the Attributes field, choose Update in the Action field, and choose Next. 6. Choose Reapply role methodology, and choose Next
7. Schedule the job to run in the background, and choose Submit.
Data Validation:Perform the data validation to check the imported data.
1. RAR Data Validation:
Validating Functions:
Validating Risks:
SPM Data Validation:
1. Validating FF ID’s
ERM Validation:
1. Role Maintenance
AC 10.1 Configuration:1. Creating access control owners
2. Manage exclude objects in batch risk analysis
3. Execute batch risk analysis
Note: check the RFC connection is working correctly or not before executing job. Received error 'Function module "/GRCPI/GRIA_AUTH_G” PFCG authorization sync failed with errors. Issue got resolved after opening the server port.
BRM Configuration:1. Go to NWBC ->Access Management ->Access Control Owners and maintain the owners
2. Maintain Role Type Settings
3. Role Naming Convention
4. Define Organizational Level Mapping
Child org value mapping
Create BRF+ Rule1. Execute transaction SA38 and run the program GRAC_GENERATE_ERM_BRFRULE or select the
option Generate BRF Plus Applications, Approvers and Methodology Functions
2. Execute the TCODE: BRF+3. Select My Applications and search for the application that was just created4. Expand the Application and Function Nodes
5. Create a Decision Table by entering name and other related attributes6. Create Condition Columns for the Decision Table
7. Create Result Columns by clicking Insert Column from Data Object8. Select Condition Group (GRAC_CNDGP) object from the search result
9. Once the values for the Condition and Result Columns are defined, enter values for the Decision table used for rule execution
10. Click Insert New Row to create the values; enter values for the columns11. Select Direct Value Input12. Enter Value for the columns13. Activate the Decision Table
14. Associate the Decision Table to Function by selecting it in the Top Expression of Function
Assign Condition Group Type to BRF+1. Navigate to IMG by executing SPRO2. Select activity “Assign Condition Group to BRF+ Rules”3. Select Condition Group Methodology4. Enter the BRF+ Application and Function and save
Define Role Methodology Process and Steps1. Select the Define Methodology Processes and Steps option under Role Management in
IMG 2. Assign steps to Methodology Process.
Associate Role Methodology Process to Condition Group1. Select the “Associate Role Methodology Process to Condition Group” option from
the IMG customization 2. Associate the Condition Group to the Methodology Process
Creating Role Approval Workflow1. Role Approval Workflow needs to be maintained if Approval step is there in Role
Creation methodology2. The default workflow process can be used to set up Role Approval Workflow Process3. Select the maintain MSMP Workflow option from IMG 4. Select the Role Approval Workflow Process from Step 1 in the MSMP Workflow
Configuration and open it in Change Mode
3. Maintain the approver rules in the Maintain Rules step.4. In Step 5, maintain the Stage settings and select the Agent ID as
GRAC_ROLE_APPROVER or the approver rule create in BRF+5. Save and activate the workflow