Webinar - Simplifying Your SAP GRC 5.3 Migration

Simplifying your GRC 5.3 Migration
Gary Prewett, Security and Compliance Practice Lead, NIMBL
22 January 2015, BENIMBL.COM

Upload: nimbl

Post on 09-Aug-2015



Slide 2

Our Curriculum Vitae

•  2009: Year Founded
•  14x: Growth since inception
•  1: SAP Specialized – No other ERP
•  5280: Headquartered in the Mile-High City – Denver, Colorado
•  174+: Amazing Customers… and counting!! Supporting both the Fortune 500 and Midmarket
•  100+: Consultants Strong
•  7+: Average years of SAP Expertise per consultant
•  15+: Market Verticals Supported
•  98%: Client Satisfaction

Slide 3

Our Services

•  Fiori: Enhanced and consistent SAP User Experience across Computer, Tablet, and Smartphone.
•  SAP AMS: Denver-based SAP delivery for Break/Fix, Enhancement, and Project.
•  HANA: Harness the power of SAP HANA via Migration, Modeling, and Big Data.
•  Mobility: Empower your workforce and business via SAP mobilization.
•  Regulatory Compliance: Leverage your existing SAP investment to achieve and maintain regulatory compliance.
•  Solution Manager: Run IT like a Factory thru Solution Manager’s ITIL ALM Product Suite.
•  Admin + Infrastructure: Classic Basis, TDMS, LVM, EHP, Netweaver, and landscape consulting.
•  SAP Security: Comprehensive SAP risk management and mitigation via SAP toolset or pure consulting services.
•  Projects: Delivery from idea thru hypercare whether laser-focused or complete project.

Slide 4

Agenda

1.  Key Feature Enhancements in Access Control 10.1
2.  Minimizing Risk with Landscape Design
3.  Migrating Access Control 5.3 Master Data
4.  Building your Business Case
5.  Questions

Slide 5

Feature Enhancements

Slide 6

Access Control Terminology

Virsa                   GRC 5.2   GRC 5.3   Access Control 10.x
Compliance Calibrator   CC        RAR       Access Risk Analysis (ARA)
Access Enforcer         AE        CUP       Access Request Management (ARM)
Firefighter             FF        SUP       Emergency Access Management (EAM)
Role Expert             RE        ERM       Business Role Management (BRM)

Slide 7

Key Feature Enhancements
Migrating to Access Control 10.1

1. Standardized Management on ABAP
•  BASIS - Simplified management: integration with change control and transport management, troubleshooting, archival
•  Security - ABAP platform allows for more granular security access and support using tools you’re already familiar with

2. Simplified User Experience
•  Applications are combined into the same interface.
•  Focus is on combining potential investigation activity into compliance reporting.
•  Tight integration between AC applications, tight integration with IDM, integration with process control and risk management

3. Simplified Access Request Management
•  Process to request user access is significantly streamlined
•  Support for template-based request creation for standard user types (e.g., ESS users)
•  Online password reset functionality easily configured
•  Support for Fiori applications for mobile-based requests and request tracking

4. Centralized EAM/Firefighter
•  One central location for setting up EAM access
•  One central location for requesting EAM privileges
•  Workflow-based approvals allow for granular audit tracking
•  One central location for EAM reporting that incorporates investigations
•  Simple SOD reporting on EAM/FF activity

Slide 8

Activity Integrated Into SOD Detail Reports


Slide 10

EAM Consolidated Log Report

Slide 11

Landscape Recommendations

Slide 12

Landscape Recommendations

Risk Considerations

•  Sign off for Access Control Master Data
•  Compliance Reporting
•  User Migration
•  Compliance Approval for New Rule Sets

•  How can I ensure my workflows trigger as needed? How can I make sure approval requirements from managers, role owners, and risk owners are consistent between 5.3 and 10.1 to head off potential audit findings?
•  How can I ensure that the transition from my existing 5.3 reports to my 10.1 reports doesn’t cause compliance concerns or findings?
•  How can I incorporate rule set changes from my existing system so that my internal audit and compliance teams are comfortable with the findings?
•  How can I ensure seamless transition for CUP and/or ERM without impacting the business?

Slide 13

Example GRC 5.3 Landscape

Diagram (systems shown): CRM Prod, CRM QA, CRM QA; ECC DEV, ECC QA, ECC Prod; GRC 5.3 Dev, GRC 5.3 QA, GRC 5.3 Prod

Slide 14

Example Migration Landscape

Diagram (systems shown): CRM Prod, CRM QA, CRM QA; ECC DEV, ECC QA, ECC Prod; GRC 5.3 Dev, GRC 5.3 QA, GRC 5.3 Prod; AC 10.1 Dev

Slide 15

Managing Plugin (GRCPINW) coexistence

Diagram: ECC DEV with GRCPINW

•  You can absolutely run compatible plugins for GRC 5.3, 10.0 and 10.1 systems
•  Support for a variety of NW versions
•  Note GRC 10.1 is compatible with GRCPINW 700, 710, 720, and 730
•  Key Notes:
    •  1590030 – GRC 10.0, 10.1 and AC 5.3 coexistence
    •  1680268 – Compatibility of Access Control Packages

Slide 16

Finalized Migration Landscape

Diagram (systems shown): CRM Prod, CRM QA, CRM QA; ECC DEV, ECC QA, ECC Prod; GRC 5.3 Dev, GRC 5.3 QA, GRC 5.3 Prod; AC 10.1 Dev, AC 10.1 QA, AC 10.1 PROD

Slide 17

Landscape After Cutting Over to AC 10.1

Diagram (systems shown): CRM Prod, CRM QA, CRM QA; ECC DEV, ECC QA, ECC Prod; GRC 5.3 Dev, GRC 5.3 QA, GRC 5.3 Prod; AC 10.1 Dev, AC 10.1 QA, AC 10.1 PROD

Slide 18

Mid to Long-Term Landscape

Diagram (systems shown): CRM Prod, CRM QA, CRM QA; ECC DEV, ECC QA, ECC Prod; GRC 5.3 Prod; AC 10.1 Dev, AC 10.1 QA, AC 10.1 PROD

Slide 19

Migrating Master Data

Slide 20

Migrating Data

GRC 5.3 Dev
•  Complete prerequisites
•  Export FF data
•  Export Config, Master and Transactional Data to .CSV

AC 10.1 Dev
•  Import common configuration
•  Complete intra-migration tasks
•  Import data into AC 10.1
•  Complete post import tasks
•  Validate data

Slide 21

Importing Your Data

AC 10.1 Dev
•  Common configuration data
•  RAR data – rule sets, risks, mitigation controls, org rules, business unit data
•  ERM repository data
•  CUP repository data
•  SPM data
•  All are imported using tcode GRAC_DATA_MIGRATION in your GRC 10.1 system.

http://service.sap.com/instguides > Analytics > Governance, Risk and Compliance > Access Control > Release 10.1

Slide 22

Basic Approach to Migrating Data to Production

Diagram labels: AC 10.1 Dev, AC 10.1 QA, AC 10.1 Prod; Flat Files (three times); callouts 1 to 9

1.  Import GRC 5.3 data to DEV
2.  Perform Post-import tasks (Transportable Config)
3.  Validate Data
4.  Import GRC 5.3 data to QA
5.  Import transports from DEV (for intra-migration tasks)
6.  Validate!
7.  Import GRC 5.3 data to Production
8.  Import transports
9.  Validate

Slide 23

Merging Rule Sets

Diagram labels: Custom? GRC 5.3 Rule Set; SAP-Delivered 10.1 Rule Set; 2013 and 2014 Rule Set Updates; Custom 10.1 Rule Set

Basic Strategies for merging rule sets
•  Manually Merge in 10.1
•  Manually Merge in 5.3 and Export
•  Export from GRC 5.3, and update .CSV files with merged data

Delta Rule Set Update Notes:
•  1809810: GRC - Access Control - Access Risk Management Rule Update Q4, 2012
•  1960531: GRC - Access Control - Access Risk Management Rule Update Q4, 2013
•  Look for 2014 updates in Q1/Q2!

Blog on Merging Rule Sets:
http://scn.sap.com/community/grc/blog/2014/04/21/download-modify-and-upload-the-access-risk-analysis-rule-set-in-sap-access-control-10x
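
The third strategy above (export from GRC 5.3 and update the .CSV files with merged data) can be scripted so that the merge also yields a delta list for internal audit sign-off. This is an added example, not from the webinar or from SAP; the three-column layout, the rule that the 5.3 value wins on a conflict, and all sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample data. The three-column layout (FUNCTION, ACTION, STATUS)
# is an assumption for illustration, not the layout of the real export files.
GRC53_CUSTOM = """FUNCTION,ACTION,STATUS
AP01,FB60,1
AP01,ZAP_POST,1
AP02,F110,1
GL01,FB50,0
"""
SAP_DELIVERED_101 = """FUNCTION,ACTION,STATUS
AP01,FB60,1
AP02,F110,1
AP02,F111,1
GL01,FB50,1
"""

def load_rules(text):
    """Map (function, action) -> status for one exported rule file."""
    return {(r["FUNCTION"], r["ACTION"]): r["STATUS"]
            for r in csv.DictReader(io.StringIO(text))}

def merge_rule_sets(custom, delivered):
    """Union of both rule sets plus a delta report for audit sign-off.

    On a status conflict the existing 5.3 value is kept (assumed policy), so
    the merged file never changes audited behaviour silently; the row is
    listed for review instead.
    """
    merged = {}
    delta = {"custom_only": [], "delivered_only": [], "conflict": []}
    for key in sorted(custom.keys() | delivered.keys()):
        if key not in delivered:
            delta["custom_only"].append(key)
        elif key not in custom:
            delta["delivered_only"].append(key)
        elif custom[key] != delivered[key]:
            delta["conflict"].append((key, custom[key], delivered[key]))
        merged[key] = custom.get(key, delivered.get(key))
    return merged, delta

def to_csv(merged):
    """Serialize the merged rule set in the same assumed layout."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["FUNCTION", "ACTION", "STATUS"])
    writer.writerows([f, a, s] for (f, a), s in sorted(merged.items()))
    return out.getvalue()
```

The `delta` dictionary is the part to hand to internal audit: every custom-only row, every SAP-delivered addition and every conflict is listed explicitly before the merged file is imported.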

Slide 24

Workflow Migration

•  Export your existing data from 5.3
•  Import using transaction GRAC_WF_MIG in your Access Control 10.1 system.
•  May need to spend some time working on or recreating initiators
•  You have SAP-delivered workflows you can use for reference if needed

SAP’s “Migration Guide SAP Access Control from 3.0/5.3 to 10.1” in the INSTGUIDES hotlink outlines these steps in detail.

Slide 25

Building your Business Case

Slide 26

Building Your Business Case

Key Benefits to Migrating to 10.1 Include:
•  No need to purchase extended support for 5.3
•  De facto support has ended (customers opening notes are being told to migrate to 10.1 now)
•  Centralized EAM and ARM simplifies end user support
•  Mobile device support via SAP-delivered Fiori Apps
•  Audit compliance is significantly easier
•  Reduced time to investigate findings
•  More granular audit tracking
•  SOD reports against EAM activity reduce significant risk with 5.3 SUP/FF
•  Improved Organizational flexibility; Significantly better integration with:
    •  Identity Management
    •  Other GRC Applications within the Suite
•  Password Reset Management can significantly reduce Level 1 support time

Slide 27

What you can expect

Effort to Migrate to 10.1
•  2 weeks of BASIS Time to Stand up new Landscape
•  4-6 Weeks of Configuration Time for Access Control
    •  Requirements gathering
    •  Data Migration from 5.3 Landscape
    •  10.1 Configuration
•  Additional Time for:
    •  Change Control for 10.1 go-live
    •  Internal Audit Sign-off on Rule Set and Access Control Reports
    •  Training
    •  Fiori Application Configuration

Slide 28

Connect

Gary Prewett
[email protected]
970.372.9719
www.linkedin.com/in/garyprewett