
What you need to know and benefits to expect from implementing SAP GRC release 12.0

David J. Denson
PricewaterhouseCoopers

Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2019 Wellesley Information Services. All rights reserved.
Agenda for GRC 10.x to 12.0 Migration Presentation

• SAP Governance Risk and Compliance – Overview


• New Features in SAP GRC 12.0
• SAP GRC 12.0 Upgrade Pre-requisites
• GRC AC 12.0 Architecture
• GRC 12.0 Component Implementation Sequence & Migration Timeline
• GRC 12.0 Integration Opportunities
• Wrap-up

 GRC 12.0 Overview

SAP Governance Risk & Compliance Solution

• SAP Governance, Risk and Compliance (GRC) solutions offer an organization a preventative, real-time approach to governance, risk and compliance.
• With automated features for SAP user provisioning, risk analysis, control monitoring, etc., GRC helps maintain consistency in processes and supports audit activity.
• SAP GRC versions have evolved from GRC AC 5.3 to GRC 12.0 over the course of time.
• This presentation covers key points for the migration/upgrade of a GRC 10.x system to 12.0.

New Features in GRC 12.0

• Firefighter login capability is made available for HANA DB


• Persona-based navigation for better end user experience
• New dashboards and reporting enhance visibility to compliance metrics and KPIs
• Integration with SAP Cloud IAG to expand support to cloud applications
• Integration with SuccessFactors allows Event Driven Employee Lifecycle Management
• Repository Sync job execution is optimized to schedule parallel jobs as well as
dependent jobs to reduce job execution time
• Updated risk definition for S/4 HANA & Fiori
• Continuous Control Monitoring Integration with SAP S/4 HANA Cloud
• Ad-hoc business rules can be triggered for Continuous Control Monitoring Subprocess
Design Assessment workflow
• Allows manual maintenance of compliance test results for (semi) automated tests
GRC 12.0 Access Control - New Features

Enhanced UI: Personas-based Launchpad

Improved user experience and simplified navigation with persona-based Launchpad


SP3 introduces the ability to run risk analysis in the background after each step in the access request workflow.

Enhanced Reporting and Dashboards

EAM and Role Overview pages to visualize key metrics for greater insights

Firefighter ID Review

• Automated access reviews for Firefighter IDs


• Ability to run batch jobs for Firefighter ID periodic reviews and create custom workflows for the review process.

Make sure to assign a request type to the new FF ID Review requests!

Also available in 10.1 SP16 (Note – 2413723)

Role Mass Maintenance Enhancements

Enhanced Role mass maintenance functionalities for generating roles, analyzing risks, deriving roles and updating Org values, role methodology update

Simplified Firefighter Administration

Simplified Firefighter Owner & Controller maintenance and Mass maintenance

Risk Owner / Mitigating Control Owner Mass Maintenance

Risk Owner Mass Maintenance and Reassign Mitigating Control Owner Mass Maintenance

GRC 12.0 Process Control - New Features

GRC12 Process Control

• Enhanced End-User Experience


⬧ New UI theme that improves PC navigation and look

⬧ Delegation harmonization between AC, PC and RM

⬧ Ability to customize default assignment method for subprocess assignments

⬧ Email notifications for jobs that end in error

• Integration between PC Functionality


⬧ Continuous monitoring and tests of effectiveness can be leveraged for a single
control
• Continuous Controls Monitoring
⬧ Ability to monitor SAP cloud solutions

⬧ Enhanced functionality for business rule sub-scenarios

⬧ New features to assist with business rule validation during design/build

GRC12 Process Control Highlights

• Partial Automation of Manual Control Testing


⬧ Assign business rules AND manual test plans to controls to increase the efficiency of control
testing and the consistency and completeness of data used in tests of effectiveness
⬧ Business rule exceptions are an input to the assessment of control operating effectiveness

Related configuration is activated via SPRO > GRC > Process Control > Evaluation Setup > Enable Test Plan Assignment for Auto & Semi-Auto Controls

Test plan steps and business rule results appear in workflow item

GRC12 Process Control Highlights

• Continuous Controls Monitoring (CCM) Improvements


⬧ Ability to monitor SAP S/4 HANA Cloud

⬧ Increased functionality for ABAP Report rules

⬧ Queries Center enables more detailed validation of business rules

⬧ Standalone jobs for ad-hoc monitoring

⬧ Enhanced email notifications

GRC12 Process Control Highlights

• Fiori Apps for PC enhances end-user experience


⬧ GRC 12 SP00; SAP Fiori 1.0
- Monitor Control Status
- Monitor Issue Status
- My Compliance Tasks
- Test Control Effectiveness

 GRC 12.0 Upgrade Pre-requisites

GRC 12.0 Upgrade Pre-Requisites: GRC System

• The technical system components needed for the GRC 12.0 system are listed below.

Required or Optional | Component/Version | Description
Required | SAP NetWeaver 7.52 SP00 | Foundation application layer on GRC system
Required | SAP Access Control 12.0 SP00 | Access control application on GRC system
Optional | UIGRAC01 100 | SAP Fiori UI component on frontend system
Optional | SAP Enterprise Portal 7.x | Versions 7.02 - 7.31 use the 7.02 Plug-In. Version 7.31 and above use the 7.31 Plug-In

GRC 12.0 Upgrade Pre-Requisites: Plugin System

• The technical plug-in components needed for a system to be integrated with GRC 12.0 are listed below.

Required or Optional | Component | Version | Description
Optional | GRCPINW V1200_750 | SAP GRC PLUGIN NW 7.50 | Access control integration with ERP non-HR functions for NW 7.50
Optional | GRCPIERP V1200_S4 | SAP GRC PLUGIN S4HANA 1610+ | Access control integration with S4HANA/ERP HR functions
Optional | GRCPIERP V1100_700 | SAP GRC 10.1 Plug-in ERP 7.00 | Access control integration with ERP HR functions
Optional | GRCPINW V1100_710 | SAP GRC 10.1 Plug-in NW 7.10 | Access control integration with ERP non-HR functions for NW 7.10
Optional | GRC 10.1 Java Components | SAP GRC AC Portal Plug-in | Portal integration for back-end systems. Note: There is no Portal plug-in for AC12, therefore use the GRC 10.1 plug-in.
Optional | HCO_GRC_PI | SAP GRC 10.1 Plug-in for HANA | SAP GRC 10.1 Plug-in for HANA

The supported internet browser depends on the NW version installed (i.e. NW 7.52 requires IE11).
To determine the supported web browser, check the SAP Product Availability Matrix (PAM) for
your NW version, then navigate to Technical Release Information > Web Browser Platforms.

 GRC AC 12.0 Architecture

Architecture – Access Control 12.0 Release
[Figure: Access Control 12.0 architecture diagram. Labels recoverable from the slide:
- Clients: Web Browser; SAP GUI / Web GUI for HTML; NWBC; Portal; Mobile Fiori App; Fiori Launchpad; WDA/SAP GUI HTML; BOBJ Client
- Front End Server: Access Control UI Component (SAP UI5 1.52)
- Access Control 12.0 Backend (NW 7.52): Access Risk Analysis; Business Role Management; Access Request Management; Emergency Access Management; GRC Search; SAP HANA Analytics Foundation for SAP GRC; SAP HANA DB / Any DB
- Connected systems: IDM / other IDM vendors (Web Service); SAP Portal (Web Service); SAP ERP/NW with ERP Plugin and NW Plugin (RFC); S/4 HANA OP with NW Plugin (RFC); SAP HANA DB (JCO, AC HANA PlugIn); NW BI
- SAP Cloud Identity Access Governance: Ariba; Concur; S/4 HANA Cloud Edition; SuccessFactors; Other Business Application (GL Adapter)]
GRC 12.0 Component Implementation Sequence & Migration Timeline

GRC 12.0 Component Implementation Sequence
Step | Required/Optional | Action | Reference
1 | Required | Install NetWeaver 7.52 SP00 on the GRC system | https://help.sap.com/viewer/p/SAP_NETWEAVER
2 | Required | Install GRCFND_A V1200: Add-on Installation on the GRC system | For more information, see SAP Note: 2602131
3 | Required | Install SAP Access Control 12.0 NetWeaver Plug-In (GRCPINW V1200_750) on the Plug-in system | For more information, see SAP Note: 2602564
4 | Optional | Install SAP Access Control ERP Plug-In on the Plug-In system (GRCPIERP V1100_700) | For more information, see SAP Note 1855405. If SAP HR is installed, you must install GRCPIERP.
5 | Optional | Install SAP GRC PLUGIN for S4HANA 1610+ (GRCPIERP V1200_S4) | For more information, see SAP Note: 2602825
6 | Optional | Install SAP Enterprise Portal 7.x | https://help.sap.com/viewer/p/SAP_NETWEAVER

SAP GRC 10.x to 12.0 Migration Timeline

• A GRC 10.x to 12.0 upgrade project could take 11-15 weeks for end-to-end implementation.
• The phases mainly consist of planning, requirement gathering, component installation, integration with a new solution if needed, testing, implementation and support.
• The migration timeline could differ if there is an integration activity of GRC 12 with any new solution(s).

[Figure: GRC 12.0 Upgrade Timeline, Week 1 to Week 15. Phases shown: Planning; Requirement Gathering; Technical Component Upgrade; Integration of GRC 12 with a new solution; Testing; Post Upgrade Activities; Implementation in Production; Hyper-care Support]

 Integration Opportunities

End-to-end integration with SAP SuccessFactors

• Expanded integration with SuccessFactors to enable event driven Employee Lifecycle Management

[Figure: SuccessFactors Employee Central > SAP GRC Access Control 12.0 > Target System. Labels recoverable from the slide:
- HR Trigger Actions: New Hire; Rehire; Termination; Leave of Absence; Transfer
- Access: Determine access roles based on position / user attributes
- Existing Access: Determine user's existing access to be added to risk analysis simulation
- Access Risk Analysis: Perform risk analysis on user's access
- Approval / Compliance Workflows: Access exceptions / mitigating controls are approved by responsible parties
- Provision Access: Access is provisioned in target system]

You can now manage static group assignments for SF users in GRC.
Firefighter for HANA DB

• Expands Firefighter Log Review functionality to the HANA database
• Limited to the WebIDE – Firefighter cannot access HANA Studio
SAP Cloud Identity Access Governance (IAG) Bridge

• SAP Cloud IAG integration expands GRC umbrella to cloud applications
• Perform risk simulations during access requests via the IAG Access Analysis Service (OAuth Service Client)
• Mitigating control assignments are synced between GRC & IAG
• Provisioning jobs sync requested cloud access in GRC AC 12.0 to Cloud IAG
 Wrap-up

Where to Find More Information

• https://help.sap.com/doc/8e4687084c55465c85a653023b8ceab3/12.0.00/en-US/loiob418d62abab34473a573adf94bc3daf6_en.pdf
⬧ Upgrade: SAP Access Control 10.0/10.1 to 12.0

• https://launchpad.support.sap.com/#/notes/2602131
⬧ SAP Note 2602131

• https://launchpad.support.sap.com/#/notes/2612335
⬧ SAP Note 2612335

• https://www.linkedin.com/pulse/new-features-sap-grc-ac-120-rakesh-ram
• https://help.sap.com/viewer/f77342ea45c24d3f81032575e6f50d8b/12.0.00/en-US/290167512a602166e10000000a441470.html
⬧ New Features in GRC 12.0

Your Turn!

David J. Denson
Thank You
Any Questions?

david.j.denson@pwc.com 
Please remember to complete your session evaluation

Disclaimer

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026