GRC Landscape OS Migration

Similar Messages

• GRC Landscape Design

  Hello Experts,
  Appreciate if you can please share your views on following points about GRC landscape:
  SAP recommendations, 3 tier landscape (or at least 2 tier) for GRC Access Control -->
  what is the use of having 3 tier landscape >>
  a. Will there be any sort of transports from DEV -> QA -> PRD, if yes then what kind of data can be moved from one system to another (rules/risks,etc..)
  b. Can we connect QA and PRD to backend SAP and Oracle PRD systems?
  How the data flow is from GRC applications to backend systems.
  As per my understanding, in RAR and SPM - data flows only from backend system to GRC side but not vice versa (please correct me if i am wrong).
  So similar to this, how is the data flow for other applications.
  Would highly appreciate if you can share your experiences !!!!
  Thanks
  Davinder

  D P,
    Please find my response below:
  a. Will there be any sort of transports from DEV -> QA -> PRD, if yes then what kind of data can be moved from one system to another (rules/risks,etc..) You can follow same standard what you have at the client side. You can transfer most of the configuration but not data in CUP and RAR.
  b. Can we connect QA and PRD to backend SAP and Oracle PRD systems?
  Yes.
  How the data flow is from GRC applications to backend systems.
  As per my understanding, in RAR and SPM - data flows only from backend system to GRC side but not vice versa (please correct me if i am wrong).
  You are right about RAR and SPM. In the case of CUP and ERM, it is vice versa as CUP and ERM provisions users and roles in the SAP backend systems.
  So similar to this, how is the data flow for other applications.
  Regards,
  Alpesh

• GRC 10 Upgrade: Migration Tool Problem

  Hi All,
  I am in a process to migrate the GRC 5.3 data to GRC 10.0. I have successfully installed migration tool GRCACMIG00_0.sca. I accessed this tool and found the below option on the initial page:
  1. DAta Export: Export AC 5.3 Configuration and Master Data
  2. Reports: Export Migration Data+Quick Links
  3. Administration: Administer Data Export Processes+Quick Links
  I have successfully exported the configuration data. However, when I am trying to export the transactional data, much to my surprise, I found that, the option Export AC 5.3 Transactional Data is not available under Data Export.
  This link is clearly shown in the migration guide. However, I am unable to get it.
  Has anyone got inot such problem? If yes, please share the solution to this problem.
  Woiuld appreciate help
  Regards,
  Faisal

  Hi Prashant,
  We are already on higher SP level on 5.3. What else can be causing this issue.
  Where can we get more information on this. Transacional data export option is NOT VISIBLE when migration URL or application is executed

• GRC: Landscape and Installation

  Dear All,
  My Company want to implement SAP GRC Access Control, in many of source i've found that SAP GRC is divided into 3 sequences:
  1. Get Clean
  2. Stay in Clean
  3. Stay in Control
  My Question is:
  1. What is the software files to implement each of them sequences?
  Actually i've read the master guide and installation guide from market place for this installation but still confused about this landscape of this installation, Please help me to install fresh SAP GRC 5.3 all above sequences? any other references?
  Thanks in advance.

  Hello
  You are right, that the SAP GRC Access controls implementation is generally shown in three stages.
  1.Get clean
  2.Stay clean
  3.Stay-in-control
  We have four products / modules in SAP GRC Access controls :
  1. Risk Analysis and Remediation (RAR)
  2. Enterprise Role Management (ERM)
  3.Compliant User Provisioning(CUP)
  4.Superuser Privilege Management (SPM)
  GET-CLEAN : The access and authorization management starts with installation and configuration of RAR. RAR helps to identify all the existing SOD (segregation of duty) violations in the backend ERP systems. Once the SOD violations are identified, these will be addressed either by removing the risks from the system or introducing mitigation controls for the risks.
  STAY-CLEAN : We have three products here to install and configure in this stage, i.e ERM, CUP and SPM.
  ERM : It helps in preventing further introduction of SOD violations in to the system, by making the risk analysis of roles at the point of creation itself.
  CUP : Ensures the user management (assignment of roles ) is free of SOD violations
  SPM : Ensures the actions of superusers free of SOD violations by tracking and controlling their activities effectively
  RAR, ERM, CUP and SPM have many more benefits which will be helpful in effective access and authorization management and I mentioned only the relevant points here.
  Further, all these four  products are independant of each other and the sequence of configuration depends on the client's requirement. However, the integration of these products helps to reap the complete benefits of access control suite.
  The general sequence of configuration would be:
  RAR -> SPM -> CUP -> ERM
  The  Master, security, configuration guides of these products can be found @ http://help.sap.com/  businessobjects/accesscontrols and  the best practices @ SDN
  STAY-IN-CONTORL : Involves continuous review of existing access and cuthorization managment to ensure that the ERPs are free of SOD violations.
  Regards
  Swarna

• Impliment GRC Access control in difffrent landscape

  Hi Friends,
  In our company we have different landscapes in SAP and now we are planning to implement Access control in all landscape.
  R/3 landscapes with out  any Java stack( both ECC6 and 4.7 EE)
  Solution manager landscape
  XI landscape.
  BW
  and EP.
  Our first target is R/3 Landscape. Can you please guide me. what will be the best approach to implement  AC in R/3 systems as they don't have any Java stack.
  I  will appreciate if you can guide me with other landscape also.
  Thanks,
  Satyabrat

  Satyabrat
  The GRC landscape is technically separate from the different SAP Application components you mention so technically, you can connect the GRC system to any of the other components but creating the appropriate JCOs and SLD entries.
  You will need to instal the RTAs in each of the required source systems (ERP, ECC, BW, XI, SM, CRM, SRM etc!) but they can all link to the sepearate GRC systems.
  The exact landscape setup is dependant on what you wish to use GRC for. For example, you may wish to only link production GRC to production backend systems for Risk analysis and SoD. However, if you wish to use ERM or use Role bases analysis, you may find it useful to connect your production GRC system to your development backend systems where the roles are actually defined!
  The architecture is deliverately flexible to allow you to do this.
  For the initial use cases, it may make sense to keep Production segregated away from Pre-production systems but in the future, you may find that you wish to re-assess this as your useage grows.
  Regards, Simon

• Best approrach for authorization clean up in GRC implemetation project

  we are implementing GRC AC 5.3, our basis people have created initial connections. we have 2system GRC landscape connecting to 3system ECC landscape where GRC Dev is connecting to ECC DEV, QA & GRC Prod is connecting to ECC prod. Now my question is
  what is the best approach for authorization clean up?
  1) Do i need to request for the Dev/QA system refresh from Prod before running GRC Dev RAR analysis for ECC dev/QA?
  or 2) can i clean up the auth data based on current Dev/QA system data?
  or 3) Do we need go for creation of new client in Dev/QA that has data copied from prod and then analyse & go modification and finally transport these changes to main ECC transport route?

  Hi,
  You can create a new client in the QA environment as a copy of user master from production. First you connect this client to your GRC DEV system and there you can run RAR Risk analysis to get a view of risks you have in production system. Then share the reports with business people and discuss it. After that do the modification in this QA client only. After you have corrected some roles then number of risks will go down. After running 2-3 runs of risk analysis in QA and get clear picture then you can think of moving changes in the production environment. Also depends upon your business requirement.
  Thanks
  Sunny

• Mitigation Control Migration From 53. to GRC10

  Hello,
  Can you please let me know where do I find a templete for downloading Mitigation Controls from 5.3 and how do I upload them in GRC 10?
  An early reply would be highly appreciated.
  Thank you.

  Hello,
  Can you share how you migrated the mitigation controls?
  While migration of the mitigation controls
  I get an error "Creation of object ID 00000000 is not allowed"
  I have different buisness processes for risks/functions and the mitigations...Is it something to do with that? or shoudl i create the business processes in GRC 10 before migration?
  I am pretty much stuck here...any help is really appreciated.
  Thanks,
  Raghav

• Use of Logical System

  Hi GRC Experts:
  I am currently defining my RAR landscape strategy. In the past, I have used logical systems for the same "type" of system. For example, we had 3 ECC environments so I created a logical system for the 3 ECC systems.
  Now we have 1 ECC, 1 APO and 1 SRM system. Are there any benefits of setting up a logical system within this landscape? I would imagine there are some benefits with creating a logical system and assigning the BASIS risks to that system because the risks exist across the different environments. But are there any others?
  Thank you,
  Grace Rae

  Hi Grace, Logical Systems would be an optimal design if you need to add more systems in the future to the GRC landscape to perform Risk analysis.
  Logical System 1: ECC Logical System
  All the ECC Physical Systems (PR1, PR2, etcu2026)
  Function Authorizations to be uploaded are r3_function_actions and r3_function_permissions files which excludes the Basis Functions
  Logical System 2: SRM Logical System
  All the SRM physical Systems (PS1, PS2, etc...)
  Function Authorizations to be uploaded are srm_function_actions and srm_function_permissions
  Logical System 3: APO Logical System
  All the APO physical Systems (PA1, PA2, etc...)
  Function Authorizations to be uploaded are apo_function_actions and apo_function_permissions
  Logical System 4: ALL Systems
  All the physical systems (PR1, PR2, PS1, PS2, PA1, PA2....)
  Function Authorizations to be uploaded are just the Basis Function Actions and permissions
  Bugesh

• ITS - A Specific Requirement

  Hi Experts,
  We have a specific requirement.
  Customer has a 3 Landscape System (ERP6.0).
  As of Kernel 700, ITS is included by default in the System.
  But customer does not want to use this System for ITS Functions
  He wants to make a separate Server for ITS alone.
  and the separate server to talk to the (existing)
  3 Landscape ERP6.0 System.
  1. Is this Possible ?
  2. What happens to the ITS in the (existing )ERP6.0 System.?
  ( If yes to Question 1, can the existing ERP 6.0 system's ITS be disabled. )
  Need your Advice.
  Thanks & Regards,
  Paguras

  hi paguras
  i don't know the help lines
  but i know the senario
  we have 4 dev ,4 qty , 4 prod
  with that we want only 1 dev, 1 prd ,1 qty
  by following the landscape by migrating the all different servers
  we will go for migration
  taking this as eg......
  1 dev server divided into 4 dev
  1 qty server divided into 4 dev
  1 prd server divided into 4 dev
  if u want logically
  u can divided these servers
  into different servers
  but the whole dividing part defined under the landscape structure permission...
  intially for it is there any there any migration is going or not. what i mean ...........

• Product system not in LMDB only in SMSY

  Hi Solman experts,
  I have a question regarding Solman products in LMDB and SMSY.
  After updating Solman 7.1 from SP08 to SP10, in Managed Systems Configuration, Assign Product step I get the following errors:
  (I am using ABC as SID)
  ABC00001~JAVA: part of product system ABC, which is not in LMDB but only in SMSY
  ABC~ABAP: part of product system ABC, which is not in LMDB but only in SMSY
  In SMSY i see that under ABC there is both ABAP and JAVA whereas under ABC00001 there is only Java (in Products system).
  The Diagnosis of Solman for this error is:
  Diagnosis
  The technical system ABC00001~JAVA is assigned to product system ABC, which was created in transaction SMSY and has not yet been migrated into the Landscape Management Database (LMDB).
  The technical system ABC~ABAP is assigned to product system ABC, which was created in transaction SMSY and has not yet been migrated into the Landscape Management Database (LMDB).
  System Response
  Procedure
  If the product system information in transaction SMSY is still required for your system landscape maintenance, migrate it to LMDB. You can do this in the SAP Solution Manager: Configuration work center under System Preparation -> Prepare Landscape Description -> Migrate SMSY Data into LMDB -> Migrate Product Systems. (For more information, refer to the help text in the UI.)
  If the product system information in transaction SMSY is no longer required for your system landscape maintenance, delete the product system information in SMSY.
  Could anybody who had the same experience share their opinion on this case. This LMDB<>SMSY change is very confusing at this step. Would be more meaningful to execute the optional migrate from SMSY step or delete the product. the second seems a little bit meaningless in this case.
  Thanks in advance.
  Regards

  Hi Shkëlzen,
  then that could be the reason why you have some system(s) in SMSY and LMDB.
  As far as I understood you need to migrate all your Landscape from SMSY to LMDB by using the step "2.4 migrate smsy to lmdb" as mentioned by Jansi Rani Murugesan at http://scn.sap.com/message/15079962#15079962
  It might happen that this transformation creates double system entries in LMDB by adding the 0000x to the SID. But this is only an visual "defect".
  Once you have done the conversion from SMSY to LMDB you should get this issue resolved.
  The conversion report took me more than 48 hours to complete. This is totally normal. You can execute some database statistics updates and/or check/optimize the profile parameters and hope the conversion runs faster.
  Hope this helps,
  Niklas

• Migratind ADFS 2 to ADFS 3

  Hi Guys
  we are looking into migrating our ADFS 2.0 to 3.0 One of our major concern is downtime as most of our infrastructure relies on this Server Role to authenticate.
  we would like to know if it's possible to run ADFS 2.0 and ADFS 3.0 simultaneously in our landscape then migrate our Rely Party Trusts one by one when it's more convenient for us (not sure if this is Microsoft Best Practice though), or it's a full
  migration that has to be done in 1 day as ADFS 2.0 can't coexist with ADFS 3.0
  Regards

  Hello,
  Please read this links:
  How to Build Your ADFS Lab Part4: Upgrading to Server 2012 R2 (Ask Premier Field Engineering (PFE) Platforms)
  Preparing to Migrate the AD FS Federation Server
  Regards

• Gaps between PGCG & ERM

  Hi All,
  We are in between of taking decision that either we should include the role generation step in your methology process or not for role creation process via ERM.
  We have Sp13 patch 2 installed in our landscape.
  we trying to find out if there some major gaps between pfcg & ERM.  or any major issue in SP13 patch 2 that should be kept in mind before including role generation step. Please share your experiances.
  Kind Regards,
  -Srinivasan

  Hey Srinivasan,
  Haven't heard from you in a while!
  I am not particularly fond of ERM...
  There is one limitation that I can think of if you have manually added objects in a role, they disappear after you make changes to the transaction in a role.  This was however fixed in SP14. Sometimes that can be problematic.
  Another thing that I would have liked ERM to do is to transport roles across the ERM landscape. That comes in handy if you have a 3 system GRC landscape. Other wise you just have to repeat the tasks if importing roles again.
  Regards,
  Chinmaya

• Duplicate e-mails for same request

  Hi all,
  The user  is getting almost 30 repeated e-mails for the same access approval in the GRC landscape?
  I am not sure about how the e-mail thing works in the GRC landscape? could someonw throw more light here and let me know hw i could stop this repeated e-mails getting generated for the same request?
  Regards
  Bharathwaj V

  Hello Bharathwaj,
  This issue was existing in some of the earlier SPs of AE 5.2 but was resolved in SP 08. Also, the original issue was happening for customers using  clustered environment. Now, I doubt that this can be an issue on AE side here. So, try the following recommendations and if the issue does not get resolved then raise an OSS message for this:
  1) Check the VIRS_AE_EMLLOG table and see if you have multiple entries for the notifications and reminders for requests. If feasible delete the OPEN entries. Do take assistance from your DBA on this.
  2) In the stage level settings, uncheck the Other Approvers option in the Notification configuration.
  3) Restart the system and see if you still face this issue.
  4) Run the email dispatcher jobs in immediate mode and see if you still receive multiple emails.
  Harleen
  SAP GRC RIG

• DMU at Openworld '12

  Folks,
  If you're attending Oracle OpenWorld in SF next month, you may be interested in the DMU session below. Come and learn how you can leverage DMU and the latest generation of database technology to lower the cost of Unicode migration while boosting the process efficiency. We will also give a sneak preview of the upcoming DMU release.
  Session ID: CON8286
  Session Title: Jump-start Your Global E-Business: Unicode Migration Strategies and Solutions
  Venue / Room: Moscone South - 200
  Date and Time: 10/1/12, 13:45 - 14:45
  Abstract
  As a key enabling technology for global e-business and cloud computing, Unicode has gained ubiquitous importance in recent years across the IT industry landscape. Migrating databases from legacy character sets to Unicode is a prerequisite for supporting the storage and processing of character data from all over the world. This session examines the common challenges and best practices for migrating your databases to Unicode. It gives an overview of Oracle Database Migration Assistant for Unicode, a free next-generation Unicode migration tool, and discusses the recommended strategies for applying it in specific migration scenarios such as Oracle Exadata consolidation to ensure data integrity and improve process efficiency.
  There will be a DMU demo booth in the Oracle DEMOgrounds throughout the conference for you to see the product in action. Please drop by and check it out.
  Hope to see you there!

  You may want to contact the developer.
  Be a Shepard and not an iSheep.

• CUA security question

  Hi,
  My company has decided to use only one cua for both productive and non productive systems (dev. , test, ...). What are the security issues or risks of this kind of set up? Same question for SAP SolMan for both production and non productive systems.
  Thanks.
  Regards.
  Philippe.

  Hi
  From a security point of view Julius is quite right, furthermore, by creating one CUA for Test and Developemnt, and another for productive use, you will also gain the option to test changes to your CUA landscape before migrating them to production.
  From a more pragmatic point of view I must admit that I have created many "only-one-CUA-Solutions". This will give you the advantage of a Single point of user maintenance, but if you do so, make sure that your master system is installed on a system with the highest possible security level, and that is I guess your productive system, or dedicated CUA System.
  And remember, a new client on test, development or solman, will not provide that level of security, unless your can ensure that level of security on all clients on the system.
  Regards
  Morten Nielsen