Professional Documents
Culture Documents
GRC_5.2_Migration_Strategy_E.doc
Page 2 of 36
Table of Contents
INTRODUCTION .......................................................................................................................................................5
DISCLAIMER .............................................................................................................................................................5
UPGRADE STRATEGY OVERVIEW .....................................................................................................................6
CONSIDERATIONS FOR UPGRADING ................................................................................................................7
SYSTEM PRE-REQUISITES FOR UPGRADING TO 5.2.....................................................................................7
ACCESS CONTROLS (OSS NOTE#943796)..................................................................................................................7
UPGRADING ERP SYSTEMS, NOT GRC SOLUTIONS .....................................................................................8
UPGRADE DOCUMENTATION..............................................................................................................................8
5.1 TO 5.2 UPGRADES .................................................................................................................................................8
ABAP BASED UPGRADES ..........................................................................................................................................8
UPGRADES FROM PRIOR VERSIONS ............................................................................................................................9
VIRSA ACCESS ENFORCER UPGRADING FROM 5.1 TO 5.2 .......................................................................10
TASK 1: PRE-UPGRADE PROCEDURES .......................................................................................................................10
TASK 2: CONFIGURING MEMORY SETTINGS .............................................................................................................12
TASK 3: UPGRADING THE DEPLOYED ACCESS ENFORCER FILES ..............................................................................13
TASK 4: IMPORTING VIRSA ACCESS ENFORCER ROLES ............................................................................................14
TASK 5: UPGRADING VIRSA ACCESS ENFORCER DATA ............................................................................................17
TASK 6: IMPORTING INITIAL ACCESS ENFORCER CONFIGURATION DATA ................................................................17
TO IMPORT INITIAL VIRSA ACCESS ENFORCER CONFIGURATION DATA:.........................................................................17
VIRSA COMPLIANCE CALIBRATOR UPGRADING FROM 5.1 TO 5.2 .......................................................19
TASK 1: PRE-UPGRADE PROCEDURES. .....................................................................................................................19
TASK 2: INSTALL THE CONVERSION UTILITY AND COMPLETE THE TECHNICAL INSTALLATION OF CC 5.2 (BASIS
TASK).......................................................................................................................................................................20
TASK 3: IMPORT RULES TO CC 5.2 ..........................................................................................................................22
TASK 4: VALIDATE RULE LOAD ..............................................................................................................................22
TASK 5: VALIDATE MITIGATION TABLES ................................................................................................................22
VIRSA COMPLIANCE CALIBRATOR UPGRADING FROM 4.0 TO 5.2 .......................................................23
TASK 1: CREATE SYSTEM CONNECTORS ..................................................................................................................23
TASK 2: DEFINE MASTER USER SOURCE ..................................................................................................................24
TASK 3: UPLOAD STATIC TEXT ................................................................................................................................24
TASK 4: UPLOAD AUTHORIZATION OBJECTS (SU24) ...............................................................................................25
TASK 5: CREATE RULE SET AND ENTER IN CONFIGURATION ...................................................................................25
TASK 6: OUTPUT EXISTING DATA TO A FILE ...........................................................................................................25
STEP 7: UPLOAD THE OUTPUT DATA TO YOUR NEW SAP COMPLIANCE CALIBRATOR INSTALLATION ....................27
STEP 8: SCHEDULE BACKGROUND JOBS ...................................................................................................................30
VIRSA ROLE EXPERT UPGRADING FROM 5.1 TO 5.2 ..................................................................................32
VIRSA ROLE EXPERT UPGRADING FROM 4.0 TO 5.2 ..................................................................................33
TASK 1: MAP RE 4.0 ATTRIBUTES TO RE 5.2...........................................................................................................33
TASK 2: EXPORT RE 4.0 ROLES ................................................................................................................................35
TASK 3: IMPORT RE 4.0 ROLES TO RE 5.2................................................................................................................35
GRC_5.2_Migration_Strategy_E.doc
Page 3 of 36
GRC_5.2_Migration_Strategy_E.doc
Page 4 of 36
Disclaimer
This document reflects the status of SAPs release planning as of December 2006. This document
contains only intended strategies, developments, and/or functionalities of the SAP solutions and is not
intended to be binding upon SAP to any particular course of business, product strategy, and/or
development; its content is subject to change without notice. For up-to-date information on individual SAP
offerings, please refer to the online version of this brochure in the SAP Service Marketplace extranet at
service.sap.com/releasestrategy.
SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the
accuracy or completeness of the information, text, graphics, links, or other items contained within this
material. This document is provided without a warranty of any kind, either express or implied, including,
but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or
noninfringement.
SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or
consequential damages that may result from the use of these materials. This limitation shall not apply in
cases of intent or gross negligence. The statutory liability for personal injury and defective products is not
affected. SAP has no control over the information that you may access through the use of hot links
contained in these materials and does not endorse your use of third-party Web pages nor provide any
warranty whatsoever relating to third-party Web pages.
GRC_5.2_Migration_Strategy_E.doc
Page 5 of 36
CC 5.2
CC 5.1
CC 4.0
Migration
steps are
provided in
this guide
Consult SAP
GRC for
upgrade/
migration (3)
AE 5.1
(1.3 sp5)
AE 4.0
(AE 1.3)
RE 5.1
RE 4.0
FF
SAFE
.net
Not
Supported
(1)
Not
Supported
(2)
Not
Supported
(1)
Not
Supported
(2)
Not
Supported
(1)
Not
Supported
(2)
Not
Supported
(1)
Not
Supported
(2)
Migration
steps are
provided in
this guide.
AE 5.2
AE 5.2 is
compatible
with CC 4.0.
The 5.2 RTA
must be
installed which
is 4.0 sp9.
RE 5.2
Migration
steps are
provided in
this guide
Migration
steps are
documented
in the 5.2
Installation
Guide and
SAP Note
#1004078
ABAP
component of
Role Expert
4.0 no longer
available if AE
5.2 is
implemented.
You must
upgrade to RE
5.2.
Migration
steps are
provided
in this
guide
FF 5.2
ABAP
component
of
Firefighter
will be
upgraded to
5.2 (Java
component
does not
have to be
implemente
d)
Migration
steps are
provided in
this guide
Can be
upgraded to
5.2 ABAP
version
without
JAVA
implementa
tion
Footnotes:
1. Conversion support is planned for Q4, 2007.
2. AE.net customers should not upgrade any ABAP or NW components to 5.2. Conversion of .net customers is
planned for 2008.
3. Reference Restriction Document Number 01200314691000104633, Note 1045144.
GRC_5.2_Migration_Strategy_E.doc
Page 6 of 36
Release
Package Name
46C
SAPKB46C53
620
SAPKB62061
640
SAPKB64019
700
SAPKB70010
GRC_5.2_Migration_Strategy_E.doc
Page 7 of 36
Note 985617 - SAP Compliance Calibrator 4.0 for SAP 700 Systems
Upgrade Documentation
5.1 to 5.2 Upgrades
The following Quick Reference Guides are included at the end of this document.
Access Enforcer
o
Compliance Calibrator
o
Role Expert
o
Compliance Calibrator
o
Role Expert
o
Firefighter
o
GRC_5.2_Migration_Strategy_E.doc
Page 8 of 36
Compliance Calibrator
o
If upgrading CC from versions <4.0, please enter a customer message via the Support
Portal under component GRC-SCC.
Access Enforcer
o
GRC_5.2_Migration_Strategy_E.doc
Page 9 of 36
Why:
Pre-Requisites
When:
Perform these tasks when upgrading Access Enforcer from v5.1 to v5.2
Process Tasks:
1.
2.
3.
4.
5.
6.
Pre-upgrade Procedures
Configuring Memory Settings
Upgrading the Deployed Access Enforcer Files
Importing Virsa Access Enforcer Roles
Upgrading Virsa Access Enforcer Data
Importing Initial Access Enforcer Configuration Data
Note: The process of upgrading Virsa Access Enforcer is similar to the initial installation with some
minimal differences.
For upgrading from versions of Access Enforcer older than 5.1 VP1, refer to SAP Note 1004078.
Run a background job to process HR Triggers in your current version of Access Enforcer
(applicable for systems with SAP HR).
GRC_5.2_Migration_Strategy_E.doc
Page 10 of 36
4. Ensure HR Triggers still appears as the Task Name and then from the Schedule Type dropdown list, select Immediate.
5. Click Run.
6. To view all the processed HR Triggers, from the navigation menu of the Configuration tab, click
HR Triggers > Process Log.
Pre-installation Procedures
The Virsa Access Enforcer application files are available on the SAP Service Marketplace at:
service.sap.com.
To download the Virsa Access Enforcer files:
1. From the SAP Support Portal section, click the Software Download quick link.
2. From the SAP Installations & Upgrades page, in the navigation bar on the left, click Entry by
Application Group.
GRC_5.2_Migration_Strategy_E.doc
Page 11 of 36
1. In the Config Tool, navigate to the server instance for which you wish to set the memory
parameters, and select the server by its server number.
2. Under the General tab, add or change memory parameters as required.
For additional details on memory settings, refer to SAP Note 723909.
Page 12 of 36
AEDictionary.sda
AEUME.sda
AEEAR.ear
AEWorkFlowWSEAR.ear
AEEAR4WS.ear
GRC_5.2_Migration_Strategy_E.doc
Page 13 of 36
GRC_5.2_Migration_Strategy_E.doc
Page 14 of 36
6. Click Import.
GRC_5.2_Migration_Strategy_E.doc
Page 15 of 36
4. Go to the directory into which you extracted the Virsa Access Enforcer installation files, and using
any text editor, open the file ae_ume_roles.txt. Select and copy the entire contents of the
file.
5. Go back to the UME, and in then in the blank area, paste the contents of ae_ume_roles.txt.
6. Click Upload.
GRC_5.2_Migration_Strategy_E.doc
Page 16 of 36
3. Click Upgrade.
GRC_5.2_Migration_Strategy_E.doc
Page 17 of 36
6. In the content pane, click Browse, and navigate to the directory into which you extracted the
Virsa Access Enforcer installation files.
7. In the Browse window, double-click the appropriate .xml file, and then in the Virsa Access
Enforcer content pane, click Import.
The files you import are:
a. AE_init_append_data.xml - select the Append option.
b.
When you have completed these tasks, you have successfully upgraded your Virsa Access Enforcer
implementation.
GRC_5.2_Migration_Strategy_E.doc
Page 18 of 36
Why:
Pre-Requisites
When:
Perform these tasks when upgrading Compliance Calibrator from v5.1 to v5.2
Process Tasks:
1.
Pre-Upgrade Procedures
2.
3.
Import Rules
4.
5.
Because you have not entered a Destination for each Source in the Export Rules list, the
system displays the following warning: Few Destinations are empty! Do you want to copy
Source as Destination?
In the File Download box, click Open, then Save. Enter a name and location for the exported
rules file.
GRC_5.2_Migration_Strategy_E.doc
Page 19 of 36
is 5<xx>00
xx
For example, if the J2EE instance were 35, then the port assignment would be 53500.
3. Click the Convert Data button.
GRC_5.2_Migration_Strategy_E.doc
Page 20 of 36
5. When prompted to Save, Open, or Cancel it is recommended to click on Open and then use the
Save As option to save the downloaded rules.
6. Make sure that you saved the data file properly.
7. Un-deploy the conversion utility EAR file (virsa~ccconvutil.ear)
8. Now install CC5.2 (Please refer to the installation guide for CC5.2 installation).
Note: You need to un-deploy all the EAR and SDA projects except database project
(virsa~ccxsysdb.sda) and then proceed the CC5.2 installation steps.
GRC_5.2_Migration_Strategy_E.doc
Page 21 of 36
Once you have completed the rule import process, a new item, Data Conversion CC5.1>CC5.2, is added to the bottom of the navigation menu under the Configuration tab. (If
you have migrated from an earlier version than Compliance Calibrator 5.1, that version is
indicated instead of CC5.1.
4. To migrate the rules data into your new Compliance Calibrator installation:
d. From the Configuration tab, choose Data Conversion CC 5.1 -> CC 5.2.
e. A confirmation dialog box appears.
f.
Note: Once the migration is complete, the Data Conversion CC 5.1>CC5.2 item is removed from the
Configuration tab navigation menu.
Your rules have now been converted and uploaded to your new Compliance Calibrator installation.
GRC_5.2_Migration_Strategy_E.doc
Page 22 of 36
Why:
To load rule sets, configuration and mitigation to Compliance Calibrator 5.x to perform
risk analysis and populate the management view graphs and summaries
Pre-Requisites
When:
Perform this task after Compliance Calibrator v5.x has been successfully installed
Process Tasks
Note: The following Migration steps are Post CC 5.X Installation Steps
System ID
System Name
GRC_5.2_Migration_Strategy_E.doc
Page 23 of 36
System Type
Connection Type
Note: Most often, this would be Adaptive RFC (Remote Function Call).
JCO Destination
When setting up the connector it is important this connector ID be identical to any
other Access Control product which may already be created.
If possible entries for this field do not display, the Java Connectors have not been
set up properly. Contact Basis.
System ID
If CC is connected to multiple SAP systems, enter a single system name here and repeat
Task 3 (steps 1 through 10) for each SAP system.
Local file Enter (or browse to) the file path for file SAPText.txt
GRC_5.2_Migration_Strategy_E.doc
Page 24 of 36
Local file Enter (or browse to) the file path for file SAPAuthObj.txt.
What is Converted: SoD Action Rules and Permission Level Rules, Mitigation Controls, Critical
Roles and Critical Profiles.
Whats NOT Converted: Critical Transactions, Matrix 1 to Matrix 5, SoD Supplementary Rules,
Alerts, Existing Management Report data, Configuration options, and Custom Utilities data.
o
Entries in Critical Transactions, Matrix 1 through Matrix 5 and SOD Supplementary Data
should be manually created in CC 5.x.
Critical actions should be grouped into logical groupings (HR Master Data) and a
function created containing those actions.
If permission data is known, that can now be included in the function, a Critical Action
risk is then created and the function assigned and rules generated.
If loaded to Matrix 1 -5, critical permissions can be grouped into a function and that
function added to a new Critical Permission risk and rules generated.
In 5.2 there are three types of risks - SoD, Critical Action and Critical Permission.
This is defined in the Risk. Critical Actions and Permissions may have only one
GRC_5.2_Migration_Strategy_E.doc
Page 25 of 36
1. Log in to the SAP originating back-end system that contains the data from Compliance Calibrator
you want to migrate.
o
GRC_5.2_Migration_Strategy_E.doc
Page 26 of 36
In the Default Rule Set ID field specify a name for your default rule set.
Step 7: Upload the Output Data to Your New SAP Compliance Calibrator
Installation
WARNING: When you upload data to the destination SAP Compliance Calibrator system, any existing
rules or mitigations data will be destroyed. Make sure you only upload to a new installation of Compliance
Calibrator.
Note: This conversion process immediately updates all data except Permission rules, which are sent to
the background job daemon. Permission rules will not be converted unless or until the background job
completes.
GRC_5.2_Migration_Strategy_E.doc
Page 27 of 36
3. In the Local File Name field, specify the path and file name you specified when exporting your
SAP Compliance Calibrator 4.0 data.
4. Click Import Rules. Your data is converted and imported to the new SAP Compliance Calibrator
system. Permission Rules may take a few minutes to be generated by the background job
daemon.
5. Once the background job is completed (Configuration-> Background Job -> Search, Job
PERM_RULE_GENERATION State is Complete) confirm the number of rules by comparing the
Rule Library in 5.2 to the Rule Library in 4.0.
o
Ensure the Number of Active Rules and Disabled Rules are the same
GRC_5.2_Migration_Strategy_E.doc
Page 28 of 36
7. Go to Mitigation. Open the Mitigated Users Tab and ensure the number of Mitigated Users
(record 1 of # is listed at the bottom) match the number of Mitigated Users in the Mitigating
Control Library of R/3.
GRC_5.2_Migration_Strategy_E.doc
Page 29 of 36
c.
User Synchronization
Role Synchronization
Profile Synchronization
d. Click the Schedule button. The Schedule Risk Analysis screen is displayed.
e. Complete the following field:
f.
g. Select Immediate.
h. Click the Schedule button.
If successful, the following message displays Background job scheduled successfully,
Job ID: XX
4. Perform Batch Risk Analysis
Note: This background job will pull master data and store in the internal CC tables; therefore,
perform this step after it has been determined which users, roles, and profile analysis should be
stored in Compliance Calibrator. After the initial full synchronization, it is best practice to
schedule a nightly batch job to run an Incremental Synchronization.
a. Go to the Batch Risk Analysis section, and then select Full Sync in the Batch Mode
field.
b. Select Report Type: Permission Level Analysis.
c.
User Analysis
Role Analysis
d. Click the Schedule button. The Schedule Risk Analysis screen is displayed.
e. Schedule the job to run immediately.
Note: To view instructions on how to run this job, refer to Step 3 above. Perform
User/Role/Profile Synchronization
GRC_5.2_Migration_Strategy_E.doc
Page 30 of 36
Note: To view instructions on how to run this job, refer to Step 3 above. Perform
User/Role/Profile Synchronization
Note: The management reports should now be populated with risk analysis data.
You have completed the post-installation and conversion process.
GRC_5.2_Migration_Strategy_E.doc
Page 31 of 36
Why:
When:
Perform these tasks when upgrading Role Expert from v5.1 to v5.2
GRC_5.2_Migration_Strategy_E.doc
Page 32 of 36
Why:
Pre-Requisites
When:
Perform these tasks when upgrading Role Expert from v4.0 to v5.2
Process Tasks
Role Expert 5.2 must be installed and configured to successfully migrate roles in RE 4.0 to
RE 5.2.
Role Type(S)
Role Name
Role Name
Short Description
Short Description
Local Owner
Owner/Approver 1
Global Owner
Alternative Owner/Approver 1
Critical Level
Module Name
Functional Area
Status
Project Name
Project / Release
Business Process
Business Process
Sub Process
Sub Process
Org Unit 1
GRC_5.2_Migration_Strategy_E.doc
Page 33 of 36
Org Unit 2
Org Unit 3
Org Unit 4
Org Unit 5
Org Unit 6
Transaction
Transaction
Detailed Description
Test Results
Tickets Information
Function Area
Functional Area
Primary Approver
Owner 2, 3, 4, etc.
Secondary Approver
Custom Attribute
Change History
Authorization Details 1
Authorization Details 2
Remarks 1
Remarks 2
Remarks 3
GRC_5.2_Migration_Strategy_E.doc
Page 34 of 36
Select the role type and the system landscape to be associated to the imported roles.
Note: Single and Composite role should be imported separately. If composite role have some
single roles, those roles should already exist in the Role Expert database. Therefore, single Roles
MUST be imported BEFORE Composite roles.
GRC_5.2_Migration_Strategy_E.doc
Page 35 of 36
Firefighter Conversion
Why:
Pre-Requisites
When:
Process Tasks:
1.
2.
3.
4.
Download the master data from Firefighter (refer to SAP Note 1006083)
NOTE: 5.2 supports multiple language, this program will split text data from the Master Tables to Text
Tables. Data which is moved:
2.
3.
GRC_5.2_Migration_Strategy_E.doc
Page 36 of 36