Sap Grc Migration 5.3 to 10.Configuration Guide

July 12, 2017 | Author: SaiKiran Vaddi | Category: Business Process, Computer Data, Computing, Technology, Areas Of Computer Science

SAP GRC 5.3 to 10.1 Migration Configuration

Table of Contents

SAP GRC 5.3 to 10.1 Migration Configuration
Introduction
Prerequisites
Data Export
    Exporting the Configuration and Master data
    Exporting Transactional Data
    Exporting SPM 5.3 Data
Post Installation steps of AC 10.1
Importing the Common configuration to GRC Server
    Intra-Migration tasks
Importing RAR Data
Importing Workflow Data
Importing ERM Repository Data
Importing CUP Repository Data
Importing SPM Data
Importing Workflow Rule Data
Completing Post-Import Tasks
    Generating the Rules
    Completing Methodology Process Assignments
Data Validation
AC 10.1 Configuration
BRM Configuration
    Create BRF+ Rule
    Assign Condition Group Type to BRF+
    Define Role Methodology Process and Steps
    Associate Role Methodology Process to Condition Group
    Creating Role Approval Workflow

Introduction:

This document contains the migration steps of GRC Access Control from 5.3 to 10.1 SP4. Before starting the migration, check that AC 10.1 is properly installed, including the plug-ins on all AC backend systems. Upgrade the AC 5.X server to AC 5.3 SP20 level. The migration process, covered in detail below, consists of the following steps:

1. Complete the prerequisites
2. Export the SPM data
3. Export the configuration, master, and transactional data (AC 5.3 only). Then copy the exported data to the import location
4. Import the common configuration data into AC 10.1
5. Complete the intra-migration tasks
6. Import the application data into AC 10.1
7. Complete the post-import tasks
8. Validate the data

Prerequisites:

1. Activate the required BC sets using T-code SCPR20 on the 10.1 server. BC sets to activate for migration:
   - GRAC_ROLE_MGMT_ROLE_STATUS
   - GRAC_ROLE_MGMT_METHODOLOGY
   - GRAC_ROLE_MGMT_LANDSCAPE

Select Activate option on top and create Transport. Select Expert mode while activating.

GRAC_ROLE_MGMT_METHODOLOGY:

GRAC_ROLE_MGMT_LANDSCAPE:

Activation ended with warnings.

As per http://scn.sap.com/thread/3370618, these warnings can be ignored. Chapter 8 of the installation guide says the same.

2. Verify that the following parameters are maintained with default values.

Maintaining the parameters: Select New Entries and maintain the values

Creating a custom field in AC 5.3:

Before migrating CUP and ERM data, manually create all AC 5.3 custom fields in AC 10.1 using SAP custom field naming conventions. In AC 10.1, start field names with x, y, or z. For example, if the AC 5.3 custom field name is location, use zlocation as the new custom field name to preserve the data it contains.

Create custom fields in CUP 5.3 under the Configuration tab.

Custom fields will populate in user request under “more option”

Creating the organization unit:

Create Parent Organizations in 10.1 system under SPRO.

Organizations in Front End NWBC:

Create Child Org for the Parent Org’s created in SPRO.

Data Export: 

We export the GRC CUP, ERM and RAR data using the migration tool installed on the GRC AC 5.3 server. The data export process is as follows.

1. Launch the data export application using the URL below:
   http://:500/webdynpro/dispatcher/sap.com/grc~ac migapl/ GRC2010Migration
   Note: The server name in the above URL has to be the 5.3 server.

First configure the data export location, before exporting any data. Select Configure Data export location under Administration.

Exporting the Configuration and Master data:

2. In the AC 5.3 Configuration and Master Data Export section, choose Data Export.

Select the objects for export.

Select Next to Review the selected objects:

Select Start Export and Results

Exporting Transactional Data:

In the AC 5.3 Transactional Data Export section, choose Data Export.

Exporting SPM 5.3 Data

1. Log on to the backend system (the system on which the Access Control 10.1 plug-ins are installed) to update an existing AC 4.0 or AC 5.3 environment.
2. Execute transaction /GRCPI/AC_EXPORT.
3. Enter data in the following fields (all fields are required):

Note: The System ID should be the same as the connector name that will be created on the 10.1 server. Check whether SPM data is configured in 5.3; if there is no SPM data, the tool will not generate any files. Generated files are stored in the parent drive. For example, if the location is E:\usr\sap\migration, the files are stored on the E: drive, so search there for files starting with “GRACSPM*”.
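An added example, not part of the original guide: step 3 of the overview copies the exported files to the import location, so hashing them on the 5.3 side and re-checking at the import location shows whether a file was dropped or changed in between. The function names, the sample files, and the assumption that the import location mirrors the export folder (with the GRACSPM* files copied to its top level) are illustrative.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large exports do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(export_dir, spm_dir=None) -> dict:
    """Hash every file under export_dir, plus GRACSPM* files found in spm_dir.

    spm_dir is the parent drive the note above mentions (the E: drive in its
    example); it is a separate argument because the SPM export does not write
    into the configured export folder.
    """
    export_dir = Path(export_dir)
    manifest = {
        p.relative_to(export_dir).as_posix(): sha256_file(p)
        for p in sorted(export_dir.rglob("*")) if p.is_file()
    }
    if spm_dir is not None:
        for p in sorted(Path(spm_dir).glob("GRACSPM*")):  # top level only
            if p.is_file():
                manifest[p.name] = sha256_file(p)
    return manifest


def verify_manifest(manifest: dict, import_dir) -> dict:
    """Compare the import location against the manifest taken at export time."""
    import_dir = Path(import_dir)
    present = {
        p.relative_to(import_dir).as_posix(): p
        for p in import_dir.rglob("*") if p.is_file()
    }
    return {
        "missing": sorted(set(manifest) - set(present)),
        "unexpected": sorted(set(present) - set(manifest)),
        "modified": sorted(
            name for name in set(manifest) & set(present)
            if sha256_file(present[name]) != manifest[name]
        ),
    }


if __name__ == "__main__":
    # Constructed sample files standing in for a real export; the names are made up.
    with tempfile.TemporaryDirectory() as tmp:
        export, root, target = (Path(tmp) / n for n in ("migration", "drive", "import"))
        for d in (export, root):
            d.mkdir()
        (export / "cup_roles.txt").write_text("ROLE_A\n")
        (root / "GRACSPM_sample.txt").write_text("FF_ID_1\n")
        manifest = build_manifest(export, spm_dir=root)
        shutil.copytree(export, target)
        shutil.copy(root / "GRACSPM_sample.txt", target)
        (target / "cup_roles.txt").write_text("ROLE_A\nROLE_EXTRA\n")  # changed after export
        print(verify_manifest(manifest, target))
```

Store the manifest separately from the files it describes; an empty result in all three lists means the import location holds exactly what was exported.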

Post Installation steps of AC 10.1:

1. Activating the SICF services using Tcode SICF.

2. AC BC sets Activation:
   - Activate the BC sets using SCPR20 for BRM, ARA, ARM and SPM.

   Specific to Business Role Management:
   1. GRAC_ROLE_MGMT_SENTIVITY
   2. GRAC_ROLE_MGMT_PRE_REQ_TYPE
   3. GRAC_ROLE_SEARCH_COFIGURATION
   4. GRAC_ACCESS_REQUEST_REQ_TYPE
   5. GRAC_ACCESS_REQUEST_APPL_MAPPING
   6. GRAC_ACCESS_REQUEST_PRIORITY
   7. GRAC_DT_REQUEST_DISPLAY_SECTIONS
   8. GRAC_DT_REQUEST_FIELD_LABELS
   9. GRAC_DT_REQUEST_PAGE_SETTINGS
   10. GRAC_RA_RULESET_COMMON
   11. GRAC_RA_RULESET_SAP_BASIS
       - This BC set activation will activate the rules for the Basis module.
   12. GRAC_RA_RULESET_SAP_R3

3. Connector Creation:
   - Create an RFC destination from the GRC 10.1 server to the back-end systems where the plug-ins are installed. Follow the steps below.

1. Create an RFC connection in the 10.1 system using SM59.

1. Create a communication user ID for RFC Connection with SAP_ALL and GRC AC All role. This User ID will be used for provisioning too.

2. In Governance, Risk and Compliance > Common Component Settings > Integration Framework, choose Maintain Connectors and Connection Types

3. Choose Define Connectors, and define the connector.

4. Choose Define Connector Groups, and define the connector group

5. In Assign Connector Groups to Group Types, assign the group type to the group, and assign the connector to the connector group in Assign Connectors to Connector Group.

6. In Governance, Risk and Compliance > Common Component Settings > Integration Framework, choose Maintain Connection Settings. The Determine Work Area dialog appears. The integration frameworks are very important for performing the actions. Assign all the scenarios for each connector.

7. In Governance, Risk and Compliance > Access Control > Maintain Connector Settings. The Maintain Connector Setting screen appears. This option is also used to set the password self-service for the connector system. Activate the PSS option for that feature.

8. In Governance, Risk and Compliance > Access Control > Maintain Mapping for Actions and Connector Groups. The Maintain Connector Group Status screen appears.

9. Assign the application type to the connector group, and activate it. Assign actions for the defined connectors, and assign the default connector for each action (for each connector group). Actions are like role generation, risk analysis and request creation. Assign all the actions for each connector and also select the default connector.

4. Parameter Configuration: Configure the parameter IDs with the required values as per business requirements.

Configuring the change log

1. Configuring the Mitigation parameters

2. Risk Analysis parameters

3. Risk Analysis Spool

4. Workflow parameters

5. EAM parameters

6. Performance parameters

7. Risk Analysis—Access Request

8. Role Management

9. Access Request Role Selection

10. Access Request Default roles

11. Access Request Role Mapping

12. SOD Review

13. Access request business role

14. Access Request Validations

15. Simplified Access Request

5. Activate Common Workflow

- Execute Perform Automatic Workflow Customizing: executing this activates the workflow events and helps in the workflow process.
- Execute Perform Task-Specific Customizing: activate the event linkage and agents for the workflow process.
- If no folders are visible below the “GRC” folder, run report “RS_APPL_REFRESH” in SE38.
- Click the Assign Agents link at the right side of the GRC node.
- Assign Task as General Task via Task Attribute. Make sure all tasks that are not using Background task have been assigned as General Task.
- Click Activate Event Linkage. Click the Properties icon.
- Set the Linkage Status to No errors. Make sure Event linkage activated is checked. Set Error feedback to Do not change linkage. Be sure to activate all WS.
- If the GRC plug-ins are also installed in the central GRC instance, the task-specific customizing for Access Control is not visible in IMG, as shown below. In such cases, follow the steps below.
- Execute SWE2 to customize the task setting for GRC AC when plug-ins are installed on the central server.

Importing the Common configuration to GRC Server:

1. Log on to the SAP Access Control system 10.1.
2. Execute transaction GRAC_DATA_MIGRATION.
3. Choose Start Process to start the import process.
4. Select the system from which to import the data.
5. Choose the files to import by selecting the corresponding boxes to the left of the files. Specify the location of the files, where the data was exported earlier.

Intra-Migration tasks:

Perform the steps below before importing the CUP, ERM, RAR, SPM and workflow data.

Scheduling the repository synchronization:

1. Navigate to Governance, Risk and Compliance > Access Control > Synchronization Jobs, and choose Authorization Synch. The Authorization Data Synchronization screen appears.

The above issue was caused by the RFC port. The sync job completed after the port was opened.

Performing Profile, Role, and User Synchronization

2. Navigate to Governance, Risk and Compliance > Access Control > Synchronization Jobs, and choose Repository Object Synch. The Repository Object Synchronization screen appears.

3. Importing Roles for Defined Connectors (CUP Roles Only)

Execute transaction GRAC_ROLE_MASS_IMPRT to import roles to AC 10.1 for all defined connectors.

Note: Run the role import from NWBC instead of from the above T-code.

For the above error, implement SAP Note 1895324. However, the role exists in the system after the error.

Importing RAR Data

1. Execute transaction GRAC_DATA_MIGRATION. The welcome screen appears.
2. On the Select Process Type screen, select Import RAR Data.
3. In the Enter Org Unit field, enter the organization unit. This is a mandatory field. This is the Organization Unit you created in section 4.3, creating the Organization Unit. When importing RAR data, AC 5.3 business units are migrated as AC 10.1 organizations. The Business Process and Business Sub process fields, used with mitigation controls, are optional and can be left blank.

Importing Workflow Data

1. On the Select Process Type screen, select Import Workflow Data.
2. In the Import Location field, enter the location of the exported data, and choose Get Files.
3. Choose the files to import by selecting the corresponding boxes to the left of the files.

Importing ERM Repository Data

1. On the Select Process Type screen, select Import ERM Repository Data.
2. In the Import Location field, enter the location of the exported data, and choose Get Files.

Importing CUP Repository Data

1. On the Select Process Type screen, select Import CUP Repository Data.
2. Optionally, choose the Use default landscape checkbox. CUP Roles in AC 5.3 do not have an associated landscape. Choosing the Use default landscape checkbox causes the SAP solutions for GRC 10.1 Data Import Application to group all systems associated with AC 5.3 CUP Roles into the default landscape, creating the corresponding role-to-landscape association in AC 10.1.

Importing SPM Data

1. On the Select Process Type screen, select Import SPM Data.
2. In the Import Location field, enter the location of the exported data, and choose Get Files.

Importing Workflow Rule Data

1. Execute transaction GRFNMW_DEV_RULES. The Generate MSMP Rule for Process screen appears.

3. Enter the following data in the corresponding fields:
   - In the MSMP Process ID field, enter the corresponding process ID, from among the following: SAP_GRAC_ACCESS_REQUEST, SAP_GRAC_SOD_RISK_REVIEW, or SAP_GRAC_USER_ACCESS_REVIEW.
   - In the Rule Type field, enter BRFplus Flat Rule (Line Item by Line Item).
   - In the Rule Kind field, choose Initiator Rule.
   - Type values in the Rule ID and Application/Func. Group Name fields. Start the values using the letter Z, for example, ZHP_0206_AR_I_02.

4. Execute transaction GRAC_WF_MIG. The Migrate Initiators and CAD screen appears.

5. Enter the following data in the corresponding fields:
   - Select the Initiators Rule radio button.
   - In the Initiator/CAD File Location field, enter the data location.
   - In the MSMP Process ID field, enter the corresponding process ID, from among the following: SAP_GRAC_ACCESS_REQUEST, SAP_GRAC_SOD_RISK_REVIEW, or SAP_GRAC_USER_ACCESS_REVIEW.
   - In the Application/Func. Group Name field, enter the value you specified in above step2.
   - In the Initiators Rules ID field, enter the value you specified in above Step.

To import CAD/agent rules:

1. Execute transaction GRFNMW_DEV_RULES. The Generate MSMP Rule for Process screen appears.

2. Enter the following data in the corresponding fields:
   - In the MSMP Process ID field, enter the corresponding process ID, from among the following: SAP_GRAC_ACCESS_REQUEST, SAP_GRAC_SOD_RISK_REVIEW, or SAP_GRAC_USER_ACCESS_REVIEW.
   - In the Rule Type field, enter BRFplus Flat Rule (Line Item by Line Item).
   - In the Rule Kind field, choose Agents Rule.
   - Type values in the Rule ID and Application/Func. Group Name fields.

3. Execute transaction GRAC_WF_MIG. The Migrate Initiator and CAD screen appears.

4. Enter the following data in the corresponding fields:
   - Select the Agent Rule radio button.
   - In the Initiator/CAD File Location field, enter the data location.
   - In the MSMP Process ID field, enter the corresponding process ID, from among the following: SAP_GRAC_ACCESS_REQUEST, SAP_GRAC_SOD_RISK_REVIEW, or SAP_GRAC_USER_ACCESS_REVIEW.
   - In the Application/Func. Group Name field, enter the value you specified in Step 3.
   - In the Approvers Rules ID field, enter the value you specified in Step 3.
   - In the Alternate Approvers Rule ID field, enter the value you specified in Step 6.

Creating number ranges:

Completing Post-Import Tasks

1. Complete the following tasks:
   - Activate GRC_MSMP_CONFIGURATION BC set
   - Generate the rules
   - Create function modules
   - Maintain workflow stage settings
   - Complete methodology process assignments

Activating the GRC_MSMP_CONFIGURATION BC Set

Generating the Rules

1. Using AC 10.1, navigate to Rule Setup > Access Risks.
2. Select the risk for which you need to generate rules, and choose Generate Rules.
3. Alternatively, you can generate multiple rules using the IMG configuration. In this case, use transaction SPRO > navigate to SAP Reference IMG > Governance, Risk and Compliance > Access Control > Access Risk Analysis > Generate SoD Rules. Select the range of SoD risks that you want to generate rules for, and choose Execute.

Completing Methodology Process Assignments

1. CUP roles imported from back-end systems and AC 5.3 do not get an assigned methodology process. As a result, these roles are not editable.
2. You therefore need to assign the methodology process for these roles.
3. In AC 10.1, choose Access Management > Role Mass Maintenance > Role Update.
4. Select all migrated CUP roles, and choose Next.
5. Choose All Attributes in the Attributes field, choose Update in the Action field, and choose Next.
6. Choose Reapply role methodology, and choose Next.
7. Schedule the job to run in the background, and choose Submit.

Data Validation:

Perform the data validation to check the imported data.

1. RAR Data Validation:

Validating Functions:

Validating Risks:

SPM Data Validation:

1. Validating FF IDs

ERM Validation:

1. Role Maintenance

AC 10.1 Configuration:

1. Creating access control owners

2. Manage exclude objects in batch risk analysis

3. Execute batch risk analysis

Note: Check that the RFC connection is working correctly before executing the job. Received error 'Function module "/GRCPI/GRIA_AUTH_G" PFCG authorization sync failed with errors.' The issue was resolved after opening the server port.

BRM Configuration:

1. Go to NWBC > Access Management > Access Control Owners and maintain the owners

2. Maintain Role Type Settings

3. Role Naming Convention

4. Define Organizational Level Mapping

Child org value mapping

Create BRF+ Rule

1. Execute transaction SA38 and run the program GRAC_GENERATE_ERM_BRFRULE, or select the option Generate BRF Plus Applications, Approvers and Methodology Functions.
2. Execute the TCODE: BRF+
3. Select My Applications and search for the application that was just created.
4. Expand the Application and Function Nodes.
5. Create a Decision Table by entering name and other related attributes.
6. Create Condition Columns for the Decision Table.
7. Create Result Columns by clicking Insert Column from Data Object.
8. Select Condition Group (GRAC_CNDGP) object from the search result.
9. Once the values for the Condition and Result Columns are defined, enter values for the Decision table used for rule execution.
10. Click Insert New Row to create the values; enter values for the columns.
11. Select Direct Value Input.
12. Enter Value for the columns.
13. Activate the Decision Table.
14. Associate the Decision Table to Function by selecting it in the Top Expression of Function.

Assign Condition Group Type to BRF+

1. Navigate to IMG by executing SPRO
2. Select activity “Assign Condition Group to BRF+ Rules”
3. Select Condition Group Methodology
4. Enter the BRF+ Application and Function and save

Define Role Methodology Process and Steps

1. Select the Define Methodology Processes and Steps option under Role Management in IMG.
2. Assign steps to Methodology Process.

Associate Role Methodology Process to Condition Group

1. Select the “Associate Role Methodology Process to Condition Group” option from the IMG customization.
2. Associate the Condition Group to the Methodology Process.

Creating Role Approval Workflow

1. Role Approval Workflow needs to be maintained if an Approval step is present in the Role Creation methodology.
2. The default workflow process can be used to set up the Role Approval Workflow Process.
3. Select the maintain MSMP Workflow option from IMG.
4. Select the Role Approval Workflow Process from Step 1 in the MSMP Workflow Configuration and open it in Change Mode.

3. Maintain the approver rules in the Maintain Rules step.
4. In Step 5, maintain the Stage settings and select the Agent ID as GRAC_ROLE_APPROVER or the approver rule created in BRF+.
5. Save and activate the workflow.
