GRC 52 Migration v3 PDF

SAP GRC
Access Controls 5.2

Product Migration
Access Controls 5.2

Migration Steps and Supported Upgrade Strategies
Governance, Risk, and Compliance
Copyright 2007 SAP AG. All Rights Reserved

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express
permission of SAP AG. The information contained herein may be changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary software components of other
software vendors.
Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.
IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400,
iSeries, pSeries, xSeries, zSeries, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS,
POWER, POWER5, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe
Systems Incorporated in the United States and/or other countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered
trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium,
Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and
implemented by Netscape.
MaxDB is a trademark of MySQL AB, Sweden.
SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned
herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in
several other countries all over the world. All other product and service names mentioned are the trademarks of their
respective companies. Data contained in this document serves informational purposes only. National product
specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or
transmitted in any form or for any purpose without the express prior written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any other agreement with SAP.
This document contains only intended strategies, developments, and functionalities of the SAP product and is not
intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please
note that this document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or
completeness of the information, text, graphics, links, or other items contained within this material. This document is
provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties
of merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or
consequential damages that may result from the use of these materials. This limitation shall not apply in cases of
intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no control over the
information that you may access through the use of hot links contained in these materials and does not endorse your
use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.
GRC_5.2_Migration_Strategy_E.doc
Page 2 of 36
Table of Contents
INTRODUCTION .......................................................................................................................................................5
DISCLAIMER .............................................................................................................................................................5
UPGRADE STRATEGY OVERVIEW .....................................................................................................................6
CONSIDERATIONS FOR UPGRADING ................................................................................................................7
SYSTEM PRE-REQUISITES FOR UPGRADING TO 5.2.....................................................................................7
ACCESS CONTROLS (OSS NOTE#943796)..................................................................................................................7
UPGRADING ERP SYSTEMS, NOT GRC SOLUTIONS .....................................................................................8
UPGRADE DOCUMENTATION..............................................................................................................................8
5.1 TO 5.2 UPGRADES .................................................................................................................................................8
ABAP BASED UPGRADES ..........................................................................................................................................8
UPGRADES FROM PRIOR VERSIONS ............................................................................................................................9
VIRSA ACCESS ENFORCER UPGRADING FROM 5.1 TO 5.2 .......................................................................10
TASK 1: PRE-UPGRADE PROCEDURES .......................................................................................................................10
TASK 2: CONFIGURING MEMORY SETTINGS .............................................................................................................12
TASK 3: UPGRADING THE DEPLOYED ACCESS ENFORCER FILES ..............................................................................13
TASK 4: IMPORTING VIRSA ACCESS ENFORCER ROLES ............................................................................................14
TASK 5: UPGRADING VIRSA ACCESS ENFORCER DATA ............................................................................................17
TASK 6: IMPORTING INITIAL ACCESS ENFORCER CONFIGURATION DATA ................................................................17
TO IMPORT INITIAL VIRSA ACCESS ENFORCER CONFIGURATION DATA:.........................................................................17
VIRSA COMPLIANCE CALIBRATOR UPGRADING FROM 5.1 TO 5.2 .......................................................19
TASK 1: PRE-UPGRADE PROCEDURES. .....................................................................................................................19
TASK 2: INSTALL THE CONVERSION UTILITY AND COMPLETE THE TECHNICAL INSTALLATION OF CC 5.2 (BASIS
TASK).......................................................................................................................................................................20
TASK 3: IMPORT RULES TO CC 5.2 ..........................................................................................................................22
TASK 4: VALIDATE RULE LOAD ..............................................................................................................................22
TASK 5: VALIDATE MITIGATION TABLES ................................................................................................................22
VIRSA COMPLIANCE CALIBRATOR UPGRADING FROM 4.0 TO 5.2 .......................................................23
TASK 1: CREATE SYSTEM CONNECTORS ..................................................................................................................23
TASK 2: DEFINE MASTER USER SOURCE ..................................................................................................................24
TASK 3: UPLOAD STATIC TEXT ................................................................................................................................24
TASK 4: UPLOAD AUTHORIZATION OBJECTS (SU24) ...............................................................................................25
TASK 5: CREATE RULE SET AND ENTER IN CONFIGURATION ...................................................................................25
TASK 6: OUTPUT EXISTING DATA TO A FILE ...........................................................................................................25
STEP 7: UPLOAD THE OUTPUT DATA TO YOUR NEW SAP COMPLIANCE CALIBRATOR INSTALLATION ....................27
STEP 8: SCHEDULE BACKGROUND JOBS ...................................................................................................................30
VIRSA ROLE EXPERT UPGRADING FROM 5.1 TO 5.2 ..................................................................................32
VIRSA ROLE EXPERT UPGRADING FROM 4.0 TO 5.2 ..................................................................................33
TASK 1: MAP RE 4.0 ATTRIBUTES TO RE 5.2...........................................................................................................33
TASK 2: EXPORT RE 4.0 ROLES ................................................................................................................................35
TASK 3: IMPORT RE 4.0 ROLES TO RE 5.2................................................................................................................35
Page 3 of 36

VIRSA FIREFIGHTER UPGRADING FROM 3.0 OR 4.0 TO 5.2......................................................................36
TASK 1: PRE-UPGRADE PROCEDURES .......................................................................................................................36
TASK 2: FF 5.2 BACKEND COMPONENT IS INSTALLED .............................................................................................36
TASK 3: EXECUTE MIGRATION PROGRAM ...............................................................................................................36
TASK 4: VALIDATE ENTRIES ....................................................................................................................................36
Page 4 of 36

Introduction
This guide provides information for existing GRC Access Control customer upgrading their existing
implementations from 4.0 ABAP or 5.1 NetWeaver to 5.2 NetWeaver.
Disclaimer
This document reflects the status of SAPs release planning as of December 2006. This document
contains only intended strategies, developments, and/or functionalities of the SAP solutions and is not
intended to be binding upon SAP to any particular course of business, product strategy, and/or
development; its content is subject to change without notice. For up-to-date information on individual SAP
offerings, please refer to the online version of this brochure in the SAP Service Marketplace extranet at
service.sap.com/releasestrategy.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this
material. This document is provided without a warranty of any kind, either express or implied, including,
but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or
noninfringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or
consequential damages that may result from the use of these materials. This limitation shall not apply in
cases of intent or gross negligence. The statutory liability for personal injury and defective products is not
affected. SAP has no control over the information that you may access through the use of hot links
contained in these materials and does not endorse your use of third-party Web pages nor provide any
warranty whatsoever relating to third-party Web pages.
Page 5 of 36

Upgrade Strategy Overview
The following table is a summary of the Access Controls Migration and Upgrade Strategy for Upgrading
from 4.0 or 5.1 to 5.2.
Access Controls Migration / Upgrade Strategy
CC 5.2
CC 5.1
CC 4.0
Migration
steps are
provided in
this guide
Consult SAP
GRC for
upgrade/
migration (3)
AE 5.1
(1.3 sp5)
AE 4.0
(AE 1.3)
RE 5.1
RE 4.0
FF
SAFE
.net
Not
Supported
(1)
Not
Supported
(2)
Not
Supported
(1)
Not
Supported
(2)
Not
Supported
(1)
Not
Supported
(2)
Not
Supported
(1)
Not
Supported
(2)
Migration
steps are
provided in
this guide.
AE 5.2
AE 5.2 is
compatible
with CC 4.0.
The 5.2 RTA
must be
installed which
is 4.0 sp9.
RE 5.2
Migration
steps are
provided in
this guide
Migration
steps are
documented
in the 5.2
Installation
Guide and
SAP Note
#1004078
ABAP
component of
Role Expert
4.0 no longer
available if AE
5.2 is
implemented.
You must
upgrade to RE
5.2.
Migration
steps are
provided
in this
guide
FF 5.2
ABAP
component
of
Firefighter
will be
upgraded to
5.2 (Java
component
does not
have to be
implemente
d)
Migration
steps are
provided in
this guide
Can be
upgraded to
5.2 ABAP
version
without
JAVA
implementa
tion
Footnotes:
1. Conversion support is planned for Q4, 2007.
2. AE.net customers should not upgrade any ABAP or NW components to 5.2. Conversion of .net customers is
planned for 2008.
3. Reference Restriction Document Number 01200314691000104633, Note 1045144.
Page 6 of 36

Considerations for Upgrading
As of GRC Access Control 5.2 all Access Control capabilities are bundled into one ABAP / backend
software package. It is therefore neither recommended nor supported to upgrade individual capabilities.
Please do not attempt to upgrade Access Control capabilities for Virsa Compliance Calibrator without also
upgrading Access Control capabilities for Virsa Firefighter.
Below are considerations if you plan to upgrade to any of the 5.2 products.
Firefighter 4.0 will be upgraded to 5.2

o IMPACT: Reason Codes must be configured and are required (See Release notes for
details of new functionality)
o
Additional features which may or may not be implemented
Java front end for reporting can be enabled

Additional parameters which control timing of the notifications being sent
A Firefighter Owner can no longer assign themselves to be a Firefighter
Compliance Calibrator will be upgraded to the 5.2 RTA.

o No impact
Role Expert - ABAP component will no longer be available.
System Pre-requisites for Upgrading to 5.2

Access Controls (OSS Note#943796)
Software Component
Release
Package Name
SAP Basis Component
46C
SAPKB46C53
620
SAPKB62061
640
SAPKB64019
700
SAPKB70010
Page 7 of 36

Upgrading ERP systems, not GRC solutions
GRC Solutions are available on Service Marketplace. If prior installations of GRC solutions were
implemented via STMS, refer to Note 1006083.
If the SAP NetWeaver version is being implemented, both ABAP and Java software components should
be downloaded installed. Download the GRC Solutions based on your basis release (ex. 620, 640, 700).
SAP Notes are available for detailed ERP upgrade information under Application Area GRC or GRC-SAE,
GRC-SCC, GRC-SRE.
Examples of Notes:
Note 985617 - SAP Compliance Calibrator 4.0 for SAP 700 Systems
Note 1001783 - VIRSANH 520_700 Install / Delta Upgrade on SAP_BASIS 700
Upgrade Documentation
5.1 to 5.2 Upgrades
The following Quick Reference Guides are included at the end of this document.
Access Enforcer
o
Compliance Calibrator
o
Access Enforcer Upgrade 5.1 to 5.2
CC Upgrade from 5.1 to 5.2
Role Expert
o
RE Upgrade from 5.1 to 5.2
ABAP Based Upgrades

The following Quick Reference Guides are included at the end of this document.
o
Role Expert
o
CC Upgrade from 4.0 to 5.2
RE Upgrade from 4.0 to 5.2
Firefighter
o
FF 5.2 Migration Document from 3.0 or 4.0 to 5.2
Page 8 of 36

Upgrades from Prior Versions
o
If upgrading CC from versions <4.0, please enter a customer message via the Support
Portal under component GRC-SCC.
Access Enforcer
o
Refer to SAP Note #1004078
Page 9 of 36
Virsa Access Enforcer Upgrading from 5.1 to 5.2

Purpose:
Access Enforcer Conversion from v5.1 to v5.2
Why:
To upgrade pre-existing Access Enforcer implementations
Pre-Requisites
Back up existing Access Enforcer implementation

Run background job to process HR Triggers (required only for systems with SAP HR)
When:
Perform these tasks when upgrading Access Enforcer from v5.1 to v5.2
Process Tasks:
1.
2.
3.
4.
5.
6.
Pre-upgrade Procedures
Configuring Memory Settings
Upgrading the Deployed Access Enforcer Files
Importing Virsa Access Enforcer Roles
Upgrading Virsa Access Enforcer Data
Importing Initial Access Enforcer Configuration Data
Note: The process of upgrading Virsa Access Enforcer is similar to the initial installation with some
minimal differences.
For upgrading from versions of Access Enforcer older than 5.1 VP1, refer to SAP Note 1004078.
Task 1: Pre-upgrade Procedures

Before you can upgrade your Access Enforcer implementation, you must perform the following preupgrade procedures:
Run a background job to process HR Triggers in your current version of Access Enforcer
(applicable for systems with SAP HR).
Back up your existing Access Enforcer implementation.
Complete the Pre-Installation Procedures as listed in the Installation Guide.
To process HR Triggers in Access Enforcer:

1. Log in to your current version of Access Enforcer.
2. From the navigation menu of the Configuration tab, click Background Jobs. The Schedule
Service page appears.
Page 10 of 36

3. From the Task Name drop-down list, select HR Triggers Load Data. If the background job is
currently active, the Deactivate button appears at the bottom of the page. Click Deactivate to
stop the background job.
4. Ensure HR Triggers still appears as the Task Name and then from the Schedule Type dropdown list, select Immediate.
5. Click Run.
6. To view all the processed HR Triggers, from the navigation menu of the Configuration tab, click
HR Triggers > Process Log.
To back up your existing Access Enforcer implementation:

1. Back up your existing Access Enforcer implementation to a safe place.
This includes:
a. Backing up your Access Enforcer database (all database tables with the prefix VIRSA_
or VT_AE_).
b. Backing up the installation files you used when you originally installed your current
version of Access Enforcer.
Note: You should err on the side of caution here. You need to be able to restore your existing Access
Enforcer implementation in the event that the upgrade process unexpectedly fails.
2. Perform all of the Pre-Installation Tasks listed below.
3. Verify that you have downloaded all of the files listed in the distribution list.
Pre-installation Procedures
The Virsa Access Enforcer application files are available on the SAP Service Marketplace at:
service.sap.com.
To download the Virsa Access Enforcer files:
1. From the SAP Support Portal section, click the Software Download quick link.
2. From the SAP Installations & Upgrades page, in the navigation bar on the left, click Entry by
Application Group.
Page 11 of 36

3. From the Installations & Upgrades page, click the SAP Solutions for Governance, Risk, and
Compliance link.
4. Under the SAP Solutions for Governance, Risk, and Compliance area, click the SAP GRC
Access Control link, then the VIRSA ACCESS ENFORCER link.
5. Under the VIRSA ACCESS ENFORCER area, click the link for the particular system where you
plan to install Virsa Access Enforcer.
6. Click the Installation link, then the Download tab, and follow the instructions under this tab to
download the files.
To proceed with the Virsa Access Enforcer pre-installation:
1. Create a folder on your system with no spaces in the folder name.
An example of a good folder name is AE_Install.
2. Go to the SAP Service Marketplace as described in the previous section and download the Virsa
Access Enforcer files into your local folder. Depending on the speed of your network, it can take
up to four hours to download the application files.
3. Extract the setup files that you have downloaded.
4. Verify whether your download was successful.
To verify a successful download, compare the list of files in your download directory (for example,
AE_Install) to the list of files in the distribution list that accompanies the download. If all of the
files listed in the distribution list are present, the download has been successful.
Caution: Do not create your folder on your desktop, or copy the Virsa Access Enforcer Installation
Package onto your desktop. The installation process will not function properly if executed from your
desktop.
Task 2: Configuring Memory Settings

This task is the same for installation and upgrade.
To ensure that Virsa Access Enforcer installation does not encounter an out-of-memory condition, you
need to set your memory parameters. You do this using the Config Tool installed along with NetWeaver.
The command you use to launch the Config Tool depends on your operating system:
If you are running the Unix or Linux operating systems, use:

/usr/sap/<SID>/DVEBMGS00/j2ee/configtool/configtool.sh
If you are running the Windows operating system, use:

\usr\sap\<SID>\JC00 or JC01\j2ee\configtool\configtool.bat
1. In the Config Tool, navigate to the server instance for which you wish to set the memory
parameters, and select the server by its server number.
2. Under the General tab, add or change memory parameters as required.
For additional details on memory settings, refer to SAP Note 723909.
Task 3: Upgrading the Deployed Access Enforcer Files

1. Use the Software Deployment Manager (SDM) to un-deploy the following files:
a. AEUME.sda
b. AEEAR4WS.ear
c. AEWorkFlowWSEAR.ear
Page 12 of 36

d. AEEAR.ear
2. Use the SDM to re-deploy the following files in the order presented here:
AEDictionary.sda
AEUME.sda
AEEAR.ear
AEWorkFlowWSEAR.ear
AEEAR4WS.ear
3. Restart your NetWeaverJ2EE engine.

4. Verify that your update has been successful. Launch a Web browser, and enter the following
URL in the address field:
http://<server>:<port>/AE/index.jsp
where
server = the name or IP address of the NetWeaver J2EE server on which Access Enforcer
resides
port = the port number on which Access Enforcer listens
If your update was successful, you see the Virsa Access Enforcer start page, as shown below:
Page 13 of 36

Task 4: Importing Virsa Access Enforcer Roles
Before proceeding to Upgrading Virsa Access Enforcer Data, you must import Virsa Access Enforcer
Roles. There are differences in this task depending on which version of WAS SAP is installed on your
system WAS 640 or WAS 700.
Was SAP 640:

1. Start the UME.
2. Use a Web browser to connect to and log in to the NetWeaver J2EE server, and on the Index
page, click User Management. Log into the UME.
3. In the left navigation pane, click User Data Import.
Page 14 of 36

4. Go to the directory into which you extracted the Virsa Access Enforcer installation files, and using
any text editor, open the file ae_ume_roles.txt. Select and copy the entire contents of the file.
5. Go back to the UME, and in the Enter Data text field, paste the contents of
ae_ume_roles.txt.
When upgrading, you must remember to check Overwrite Existing Data.
6. Click Import.
Was SAP 700:

1. Start the UME.
2. Use a Web browser to connect to and log into the NetWeaver J2EE server, and on the Index
page, click User Management. Log into the UME.
Page 15 of 36

3. Click Batch Import.
4. Go to the directory into which you extracted the Virsa Access Enforcer installation files, and using
any text editor, open the file ae_ume_roles.txt. Select and copy the entire contents of the
file.
5. Go back to the UME, and in then in the blank area, paste the contents of ae_ume_roles.txt.
6. Click Upload.
Page 16 of 36

Task 5: Upgrading Virsa Access Enforcer Data
To Upgrade Virsa Access Enforcer Data:
Note: If the Upgrade button on the Upgrade page is inactive, do not perform the Tasks in this section.
1. Log in to Virsa Access Enforcer.
2. From the navigation menu of the Configuration tab, select Upgrade.
The Upgrade page appears.
3. Click Upgrade.
Task 6: Importing Initial Access Enforcer Configuration Data

To import initial Virsa Access Enforcer configuration data:
1. Using a Web browser, connect to the NetWeaver server.
2. Type the application URL in your internet browser.
http://<hostname>:<portnumber>/AE
where
hostname = The name or IP address of the system on which NetWeaver runs.
portnumber = The port on which Virsa Access Enforcer has been configured to listen. The
default is 50000.
For example, if the Access Enforcer server resides on host mighty, and it has the default port
number, the correct URL would be:
http://mighty:50000/AE
You see the initial Access Enforcer screen.
3. Click User Login to display the Login screen.
Use the username and password of the AEAdmin user you just created.
4. Click the Configuration tab.
Page 17 of 36

5. In the navigation pane, click Initial System Data.
The Initialize DB page appears.
6. In the content pane, click Browse, and navigate to the directory into which you extracted the
Virsa Access Enforcer installation files.
7. In the Browse window, double-click the appropriate .xml file, and then in the Virsa Access
Enforcer content pane, click Import.
The files you import are:
a. AE_init_append_data.xml - select the Append option.
b.
AE_init_clean_and_insert_data.xml - select the Clean and Insert option.
When you have completed these tasks, you have successfully upgraded your Virsa Access Enforcer
implementation.
Page 18 of 36
Virsa Compliance Calibrator Upgrading from 5.1 to 5.2

Purpose:
Compliance Calibrator Conversion
Why:
To upgrade existing Compliance Calibrator implementation to 5.2
Pre-Requisites
Compliance Calibrator 5.1 should be installed and running.
When:
Perform these tasks when upgrading Compliance Calibrator from v5.1 to v5.2
Process Tasks:
1.
Pre-Upgrade Procedures
2.
Install Conversion Utility and Complete Technical Installation of CC 5.2
3.
Import Rules
4.
Validate Rule Load
5.
Validate Mitigation Tables
Task 1: Pre-Upgrade Procedures.

1. Download any spooled ad hoc reports to a file. These spooled reports will not be transferred to
your new installation.
2. Ensure a current backup of the database has been performed.
3. Capture and save a screen shot of the Rule Library which will provide totals to validate against
after the upgrade is complete.
4. Capture and save a screen shot of the Mitigation Control Library which will provide totals to
validate against after the upgrade is complete.
5. Export Rule from your existing Compliance Calibrator installation
a. From Rule Architect tab of your existing Compliance Calibrator installation, choose Utilities
> Export Rules.
b. Click Get Rules
c.
Because you have not entered a Destination for each Source in the Export Rules list, the
system displays the following warning: Few Destinations are empty! Do you want to copy
Source as Destination?
d. In the warning dialog box, click OK.

e. Click Export Rules
f.
In the File Download box, click Open, then Save. Enter a name and location for the exported
rules file.
g. The rule export process is complete.
Page 19 of 36

Task 2: Install the Conversion Utility and Complete the Technical Installation of
CC 5.2 (Basis Task)
1. Deploy the conversion utility EAR file (virsa~ccconvutil.ear) ONLY from the CC5.2 software.
2. To login to conversion utility, use the following URL address:
http://<server_name>:<port>/webdynpro/dispatcher/virsa/ccconvutil/CC52ConvUtility
Where:
Server_name is the J2EE application server name

Port
is 5<xx>00
xx
is the J2EE instance
For example, if the J2EE instance were 35, then the port assignment would be 53500.
3. Click the Convert Data button.
Page 20 of 36

4. On the next screen click on Export Rules.
5. When prompted to Save, Open, or Cancel it is recommended to click on Open and then use the
Save As option to save the downloaded rules.
6. Make sure that you saved the data file properly.
7. Un-deploy the conversion utility EAR file (virsa~ccconvutil.ear)
8. Now install CC5.2 (Please refer to the installation guide for CC5.2 installation).
Note: You need to un-deploy all the EAR and SDA projects except database project
(virsa~ccxsysdb.sda) and then proceed the CC5.2 installation steps.
Page 21 of 36

Task 3: Import Rules to CC 5.2
Note: Ensure Background Daemon is running before proceeding to the next steps.
1. From the Rule Architect tab, choose Utilities > Import Rules.
2. Click Browse; locate the converted rules data file you created and click Open.
3. Click Import Rules. Import the 5.1 rules file created in Task 1 Pre-Upgrade Procedures.
a. A background job is automatically scheduled and run to import records from the file and
generate the rules.
b. Verify that the rule import job completes successfully.
c.
Once you have completed the rule import process, a new item, Data Conversion CC5.1>CC5.2, is added to the bottom of the navigation menu under the Configuration tab. (If
you have migrated from an earlier version than Compliance Calibrator 5.1, that version is
indicated instead of CC5.1.
4. To migrate the rules data into your new Compliance Calibrator installation:
d. From the Configuration tab, choose Data Conversion CC 5.1 -> CC 5.2.
e. A confirmation dialog box appears.
f.
Click OK to proceed with the conversion.
Note: Once the migration is complete, the Data Conversion CC 5.1>CC5.2 item is removed from the
Configuration tab navigation menu.
Your rules have now been converted and uploaded to your new Compliance Calibrator installation.
Task 4: Validate Rule Load

1. From the Rule Architect tab, choose Rule Library
2. Validate the number of rules are the same as before the upgrade by comparing the CC 5.1 preupgrade screen shot to the CC 5.2 screen.
Task 5: Validate Mitigation Tables

1. The Mitigation Controls did not require conversion and all table entries should have remained as
before the upgrade.
2. Validate the number of controls are the same as before the upgrade by comparing the CC 5.1
pre-upgrade screen shot to the CC 5.2 screen.
Page 22 of 36
Virsa Compliance Calibrator Upgrading from 4.0 to 5.2

Purpose:
Conversion from 4.0 or > to Compliance Calibrator v5
Why:
To load rule sets, configuration and mitigation to Compliance Calibrator 5.x to perform
risk analysis and populate the management view graphs and summaries
Pre-Requisites
Back-end (originating) system: SAP Compliance Calibrator 4.0 SP4 or greater

Front-end (destination) system: SAP Compliance Calibrator 5.0 or greater, freshly
installed (no existing data). The 5.2 RTA must be installed on the back-end system.
Instructions in note 1039039 need to be completed after the 5.2 RTA is installed. If
there are steps which require background processing and files are to be placed on an
Application Server, Basis must provide a directory path in the WAS server which is
accessible by the J2ee Admin user. Alternatively, an external file system could be
mounted to the WAS server and read/write access can be assigned to the
J2ee_admin and J2ee_guest users. The files referenced need to be placed in the
folder.
When:
Perform this task after Compliance Calibrator v5.x has been successfully installed
Process Tasks
1. Create System Connectors

2. Define Master User Source
3. Upload Static Text
4. Upload Authorization Objects (SU24)
5. Create Rule Set and Enter in Configuration
6. Output Existing Data
7. Upload Existing Data to new version of Compliance Calibrator
8. Schedule Background Jobs
Note: The following Migration steps are Post CC 5.X Installation Steps
Task 1: Create System Connectors

Note: Basis Activity; required only if not completed during Installation)
1. Open your web browser.
2. Enter the URL for Compliance Calibrator:
http://<servername>:<port>/webdynpro/dispatcher/virsa/ccappcomp/ComplianceCalibrator
3. Log onto Compliance Calibrator as a user with Administration privileges.
4. Click on the Configuration tab.
5. Expand the Connector menu, and then click Create.
6. Complete the following fields:
System ID
System Name
Page 23 of 36
System Type
Connection Type
Note: Most often, this would be Adaptive RFC (Remote Function Call).
JCO Destination
When setting up the connector it is important this connector ID be identical to any
other Access Control product which may already be created.
If possible entries for this field do not display, the Java Connectors have not been
set up properly. Contact Basis.
7. Click Save button.
Task 2: Define Master User Source

1. While in the Configuration tab, select Master User Source. Select the Configured System
which has the most current and up to date user information.
2. Click the Save button.
Task 3: Upload Static Text

1. Log-on to the SAP backend system (SAP Win GUI).
2. Enter transaction code SE38.
The ABAP Editor: Initial Screen is displayed.
3. Enter /VIRSA/ZCC_DOWNLOAD_DESC in the Program field.
4. Click the Execute button.
5. Enter the file path where you want to download the text file and the name of the file in the Local
File field.
Use the search button to the right of the Local File field to both browse and name the local file.
For easy access, download to the Desktop and name the file SAPText.
7. Return to CC 5 (front-end), and click the Configuration tab.
8. Expand Upload Objects menu item; select Text Objects.
System ID
If CC is connected to multiple SAP systems, enter a single system name here and repeat
Task 3 (steps 1 through 10) for each SAP system.
Local file Enter (or browse to) the file path for file SAPText.txt
10. Execute your selections in the Foreground.

To execute this job in the Background, the SAPText.txt file must be placed on an
application server.
Page 24 of 36

Task 4: Upload Authorization Objects (SU24)
1. Logon to the SAP backend system (SAP Win GUI).
2. Enter transaction code SE38.
3. The ABAP Editor: Initial Screen is displayed.
4. Enter /VIRSA/ZCC_DOWNLOAD_SAPOBJ in the Program field.
6. Enter the file path where you want to download the text file and the name of the file in the Local
File field.
Use the search button to the right of the Local File field to both browse and name the local file.
For easy access, download to the Desktop and name the file SAPAuthObj.
8. Return to CC 5 (front-end), and click the Configuration tab.
9. Expand Upload Objects menu item; select Auth Objects.
Local file Enter (or browse to) the file path for file SAPAuthObj.txt.
11. Execute your selections in the Foreground.

To execute this job in the Background, the SAP AuthObj.txt file must be placed on an
application server.
Task 5: Create Rule Set and Enter in Configuration

1. Go to Rule Architect and Create a Rule Set Global is the suggested first set.
2. Enter the Rule set ID in Configuration Default Values Default Rule Set for Risk Analysis.
3. Go back to the Configuration tab, Risk Analysis -> Default Values and enter the Default rule set
for risk analysis Global if that is what was created in step 1, and save.
Task 6: Output Existing Data to a File
What is Converted: SoD Action Rules and Permission Level Rules, Mitigation Controls, Critical
Roles and Critical Profiles.
Whats NOT Converted: Critical Transactions, Matrix 1 to Matrix 5, SoD Supplementary Rules,
Alerts, Existing Management Report data, Configuration options, and Custom Utilities data.
o
Entries in Critical Transactions, Matrix 1 through Matrix 5 and SOD Supplementary Data
should be manually created in CC 5.x.
Critical actions should be grouped into logical groupings (HR Master Data) and a
function created containing those actions.
If permission data is known, that can now be included in the function, a Critical Action
risk is then created and the function assigned and rules generated.
If loaded to Matrix 1 -5, critical permissions can be grouped into a function and that
function added to a new Critical Permission risk and rules generated.
In 5.2 there are three types of risks - SoD, Critical Action and Critical Permission.
This is defined in the Risk. Critical Actions and Permissions may have only one
Page 25 of 36

function assigned, where an SoD risk must have two or more functions assigned.
Please refer to the User guide for more information related to creating functions and
risks.
o
Configuration settings need to be created and saved in CC 5.x.
1. Log in to the SAP originating back-end system that contains the data from Compliance Calibrator
you want to migrate.
o
The RTAs must be installed on the system.
2. Using transaction SA38 or SE38, execute the following program:

/VIRSA/ZVRAT_L03
The Compliance Calibrator Conversion Utility screen appears.
Page 26 of 36

3. Under Selection Criteria, enter the System ID that matches the System ID you specified when
you created the connector during your (destination) SAP Compliance Calibrator 5.x installation. If
you dont know the system ID, log into CC 5.2. Go to Configuration, Connectors, Search and
note down the System ID which has been created. (Created in Task 2).
Note: Only rules from one system can be migrated from 4.0 to 5.2. Rule migration from multiple
systems is expected to be supported in the next release. You may use a Logical System to group
rules from multiple back end systems if the rules are the same across all. Please refer to Logical
Systems in the User guide.
4. In the File Name field, enter a path and file name for your output data file.
5. If you are outputting data for a destination system that is SAP Compliance Calibrator version 5.1
or greater:
o
Enable the CC5.1 and Above? option
In the Default Rule Set ID field specify a name for your default rule set.
6. Click the Execute icon.

The utility exports the data to the file you specified. Data is stored in a tab-delimited ASCII text
file. It is not converted until you upload it to your new SAP Compliance Calibrator installation.
Step 7: Upload the Output Data to Your New SAP Compliance Calibrator
Installation
WARNING: When you upload data to the destination SAP Compliance Calibrator system, any existing
rules or mitigations data will be destroyed. Make sure you only upload to a new installation of Compliance
Calibrator.
Note: This conversion process immediately updates all data except Permission rules, which are sent to
the background job daemon. Permission rules will not be converted unless or until the background job
completes.
1. Log in to your new SAP Compliance Calibrator (destination) system.

2. Navigate to Rule Architect > Utilities > Import Rules.
Page 27 of 36
3. In the Local File Name field, specify the path and file name you specified when exporting your
SAP Compliance Calibrator 4.0 data.
4. Click Import Rules. Your data is converted and imported to the new SAP Compliance Calibrator
system. Permission Rules may take a few minutes to be generated by the background job
daemon.
5. Once the background job is completed (Configuration-> Background Job -> Search, Job
PERM_RULE_GENERATION State is Complete) confirm the number of rules by comparing the
Rule Library in 5.2 to the Rule Library in 4.0.
o
Ensure the Number of Active Rules and Disabled Rules are the same
Page 28 of 36

6. Confirm Mitigating Controls are also converted correctly by reviewing the Mitigating Control
Library in R/3.
7. Go to Mitigation. Open the Mitigated Users Tab and ensure the number of Mitigated Users
(record 1 of # is listed at the bottom) match the number of Mitigated Users in the Mitigating
Control Library of R/3.
Page 29 of 36

Step 8: Schedule Background Jobs
1. In the Configuration tab, expand Background Job.
2. Click Schedule Analysis.
3. Perform User/Role/Profile Synchronization.
Note: This synchronization pulls the User IDs from the specified systems and post to the CC
tables. After the initial synchronization, it is best practice to schedule a nightly batch job to run an
Incremental Synchronization.
a. Go to the User/Role/Profile Synchronization section and then select Full Sync in the
Sync Mode field.
b. Select the following synchronization types:
c.
User Synchronization
Role Synchronization
Profile Synchronization
Accept wildcard (*) values for each corresponding System.
d. Click the Schedule button. The Schedule Risk Analysis screen is displayed.
e. Complete the following field:
f.
Job Name free form text field
g. Select Immediate.
h. Click the Schedule button.
If successful, the following message displays Background job scheduled successfully,
Job ID: XX
4. Perform Batch Risk Analysis
Note: This background job will pull master data and store in the internal CC tables; therefore,
perform this step after it has been determined which users, roles, and profile analysis should be
stored in Compliance Calibrator. After the initial full synchronization, it is best practice to
schedule a nightly batch job to run an Incremental Synchronization.
a. Go to the Batch Risk Analysis section, and then select Full Sync in the Batch Mode
field.
b. Select Report Type: Permission Level Analysis.
c.
Select the following risk analysis types:

o
User Analysis
Role Analysis
Profile Analysis (only if profiles are assigned to Users in Production)
d. Click the Schedule button. The Schedule Risk Analysis screen is displayed.
e. Schedule the job to run immediately.
Note: To view instructions on how to run this job, refer to Step 3 above. Perform
User/Role/Profile Synchronization
Page 30 of 36

5. Schedule Management Reports.
Note: Management View Risk Analysis data can be displayed for a one month period. The
current month data is updated each time you run a Management Report job. Consider this when
you are scheduling the background job.
a. Go to the Management Report section, and then select Management Reports.
b. Click the Schedule button. The Schedule Risk Analysis screen is displayed.
c.
Schedule the job to run immediately.
Note: To view instructions on how to run this job, refer to Step 3 above. Perform
User/Role/Profile Synchronization
Note: The management reports should now be populated with risk analysis data.
You have completed the post-installation and conversion process.
Page 31 of 36
Virsa Role Expert Upgrading from 5.1 to 5.2

Purpose:
Role Expert Conversion from v5.1 to v5.2
Why:
To upgrade pre-existing Role Expert implementations
When:
Perform these tasks when upgrading Role Expert from v5.1 to v5.2
This is an automatic process.

1. To upgrade from Role Expert 5.1 to Role Expert 5.2, click Configuration-->Upgrade.
This displays the Role Expert version that is currently deployed and the new version to which to
upgrade to.
2. Click the Upgrade button on the displayed page.
A success message is displayed and the Current version is updated to the new version.
Page 32 of 36
Virsa Role Expert Upgrading from 4.0 to 5.2

Purpose:
Role Expert Conversion from v4.0 to v5.2
Why:
To upgrade pre-existing Role Expert implementations
Pre-Requisites
Role Expert 5.2 installed
When:
Perform these tasks when upgrading Role Expert from v4.0 to v5.2
Process Tasks
1: Map RE 4.0 attributes to RE 5.2

2: Manually export roles from Role Expert 4.0
3: Import roles to Role Expert 5.2.
Role Expert 5.2 must be installed and configured to successfully migrate roles in RE 4.0 to
RE 5.2.
Task 1: Map RE 4.0 Attributes to RE 5.2

Prior to importing Role information from Role Expert 4.0 into Role Expert 5.2, Role Expert 5.2
users must manually configure some attributes in Role Expert as follows:
Attributes in Role Expert 4.0
Mapped Attributes in Role Expert 5.2
Role Type(S)
Role type (s = single, c = composite)
Role Name
Role Name
Short Description
Short Description
Local Owner
Owner/Approver 1
Global Owner
Alternative Owner/Approver 1
Critical Level
Custom Attribute Critical Level
Module Name
Functional Area
Status
Custom Attribute Status
Project Name
Project / Release
Business Process
Business Process
Sub Process
Sub Process
Org Unit 1
Custom Attribute Org Unit
Page 33 of 36

Attributes in Role Expert 4.0
Mapped Attributes in Role Expert 5.2
Org Unit 2
Org Unit 3
Org Unit 4
Org Unit 5
Org Unit 6
Transaction
Transaction
Long Description in English
Detailed Description
Test Results
Test Results Description
Tickets Information
Reference no. in Change History
Function Area
Functional Area
Primary Approver
Owner 2, 3, 4, etc.
Secondary Approver
Alternate Owner 2, 3, 4, etc.
Additional Attribute Type
Custom Attribute
Additional Attribute Value
Value for above attribute
Change History
Parse it and populate in Change history
Authorization Details 1
Will go into change history as part of Remarks
Authorization Details 2
Remarks 1
Remarks 2
Remarks 3
Page 34 of 36

Task 2: Export RE 4.0 Roles
Using Role Expert 4.0, export all roles into excel files.
For help with this Task, see the Role Expert 4.0 user guide.
Task 3: Import RE 4.0 Roles to RE 5.2

Open the Role Expert 5.2 application and click on Configuration-->Migration from Role Expert
4.0 --> Role.
Browse to the excel file(s) created in task 2.
Select the role type and the system landscape to be associated to the imported roles.
If existing roles need to be overwritten, click the checkbox displayed
Note: Single and Composite role should be imported separately. If composite role have some
single roles, those roles should already exist in the Role Expert database. Therefore, single Roles
MUST be imported BEFORE Composite roles.
Page 35 of 36
Virsa Firefighter Upgrading from 3.0 or 4.0 to 5.2

Purpose:
Firefighter Conversion
Why:
To upgrade existing Firefighter implementation to 5.2
Pre-Requisites
When:
Firefighter 3.0 or 4.0 should be installed and running.

Perform these tasks when upgrading Firefighter from 3.0 or 4.0 to v5.2
Process Tasks:
1.
2.
3.
4.
Backup existing master data

Install Access Controls 5.2 RTA
Run Migration Program
Validate Data
Task 1: Pre-upgrade Procedures

1.
Download the master data from Firefighter (refer to SAP Note 1006083)
Task 2: FF 5.2 Backend Component is Installed

1.
Access Controls 5.2 RTA to be implemented
Task 3: Execute Migration Program

1.
2.
3.
4.
Log-on to the SAP backend system (SAP Win GUI).

Enter transaction code SE38.
a. The ABAP Editor: Initial Screen is displayed.
Enter /VIRSA/ZVFAT_U07 in the Program field.
Click the Execute button.
NOTE: 5.2 supports multiple language, this program will split text data from the Master Tables to Text
Tables. Data which is moved:
Firefighter Owners table data

Firefighters table data
Controllers table data
Configuration table data
Critical T codes table data
Log Report data
If there is no data in these tables, nothing will be migrated.
Task 4: Validate Entries

1.
Log-on to the SAP backend system (SAP Win GUI).
2.
Execute transaction /N/VIRSA/VFAT
3.
Validate table entries and log report are unchanged
Page 36 of 36

GRC 52 Migration v3 PDF

Încărcat de

Informații document

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

GRC 52 Migration v3 PDF

Încărcat de

Drepturi de autor:

Formate disponibile

SAP GRC

Access Controls 5.2

Access Controls 5.2

Governance, Risk, and Compliance

Copyright 2007 SAP AG. All Rights Reserved

Governance, Risk, and Compliance

Governance, Risk, and Compliance

Governance, Risk, and Compliance

Governance, Risk, and Compliance

Governance, Risk, and Compliance

Firefighter 4.0 will be upgraded to 5.2

Additional features which may or may not be implemented

Java front end for reporting can be enabled

Compliance Calibrator will be upgraded to the 5.2 RTA.

Role Expert - ABAP component will no longer be available.

System Pre-requisites for Upgrading to 5.2

SAP Basis Component

Governance, Risk, and Compliance

Note 1001783 - VIRSANH 520_700 Install / Delta Upgrade on SAP_BASIS 700

Access Enforcer Upgrade 5.1 to 5.2

CC Upgrade from 5.1 to 5.2

RE Upgrade from 5.1 to 5.2

ABAP Based Upgrades

CC Upgrade from 4.0 to 5.2

RE Upgrade from 4.0 to 5.2

FF 5.2 Migration Document from 3.0 or 4.0 to 5.2

Governance, Risk, and Compliance

Refer to SAP Note #1004078

Governance, Risk, and Compliance

Virsa Access Enforcer Upgrading from 5.1 to 5.2

Access Enforcer Conversion from v5.1 to v5.2

To upgrade pre-existing Access Enforcer implementations

Back up existing Access Enforcer implementation

Task 1: Pre-upgrade Procedures

Back up your existing Access Enforcer implementation.

Complete the Pre-Installation Procedures as listed in the Installation Guide.

To process HR Triggers in Access Enforcer:

Governance, Risk, and Compliance

To back up your existing Access Enforcer implementation:

Governance, Risk, and Compliance

Task 2: Configuring Memory Settings

If you are running the Unix or Linux operating systems, use:

If you are running the Windows operating system, use:

Task 3: Upgrading the Deployed Access Enforcer Files

Governance, Risk, and Compliance

3. Restart your NetWeaverJ2EE engine.

Governance, Risk, and Compliance

Was SAP 640:

3. In the left navigation pane, click User Data Import.

Governance, Risk, and Compliance

Was SAP 700:

Governance, Risk, and Compliance

Governance, Risk, and Compliance

Task 6: Importing Initial Access Enforcer Configuration Data

Governance, Risk, and Compliance

AE_init_clean_and_insert_data.xml - select the Clean and Insert option.

Governance, Risk, and Compliance

Virsa Compliance Calibrator Upgrading from 5.1 to 5.2

Compliance Calibrator Conversion

To upgrade existing Compliance Calibrator implementation to 5.2

Compliance Calibrator 5.1 should be installed and running.

Install Conversion Utility and Complete Technical Installation of CC 5.2

Validate Rule Load