UPGRADE GUIDE | PUBLIC

2019-04-04

Upgrade: SAP Access Control 10.0/10.1 to 12.0

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

THE BEST RUN

Content

1 Document History. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

2 Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 About This Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Product Availability Matrix. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3 Support Pack Numbering and Compatibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.4 SAP Notes for Upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.5 SAP Fiori Apps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

3 Product Technical Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

3.1 Software Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.2 Component Diagram. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.3 Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.4 Overall Implementation Sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

4 Relevant Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.1 Configuration Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
4.2 Master Data - BC Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
4.3 Transactional Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

5 Verifying Data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

6 System Upgrade. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

7 Post-Upgrade Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.1 Adjust Portal System Aliases. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.2 Add NWBC Role to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.3 Adjusting PFCG Model Roles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.4 Activating Business Configuration (BC) Sets. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
7.5 Setting Up SAP Fiori Launchpad Content for Front-end System. . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Business Catalogs and Roles for the Fiori Launchpad. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
7.6 Run Role Name Conversion Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.7 Implement SAP Note: 2641804. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
7.8 Configuring the SAP NetWeaver Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
7.9 Adjusting Customer Menu Links. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .26
7.10 Resubmit Open Workflow Items. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Upgrade: SAP Access Control 10.0/10.1 to 12.0

2 PUBLIC Content
1 Document History

Version Date Description

1.0.0 2018-03-28 Initial release

1.1.0 2018-04-24 Revised to clarify the information and

procedures are also applicable to up­
grade from SAP Access Control 10.0.

1.1.1 2018-05-23 Updated description for BC Set.

1.1.2 2018-06-13 Clarified procedure for System Up­

grade.

1.2.0 2018-08-03 Added topic: Support Pack Numbering

and Compatibility

1.3.0 2018-08-15 Updated System Upgrade section. Re­

placed specific mention of plug-ins with
references to relevant SAP notes.

Added Technical Product Overview sec­

tion.

Updated procedure to setup Fiori busi­

ness catalogs

1.3.1 2018-08-28 Corrected typo for front-end compo­

nent: UIGRC001 to UIGRAC01

1.3.2 2018-10-12 Added SP02 Master SAP Note

Added SP information for GRC 10.1

Plug-ins

Updated component diagram

Updated Prerequisites to include mini­

mum SP level for upgrade from AC10.1

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Document History PUBLIC 3
Version Date Description

1.3.3 2019-01-11 Updated SAP Notes for Upgrade:

added Release Information Note for
SP03

Updated SAP Fiori Apps: changed de­

scription for apps bundle

Updated Software Components:

Added information for SP03

Updated Overall Implementation Se­

quence: Added information for SP03

Updated Prerequisites: Added informa­

tion for SP03

1.3.5 2019-07-17 Updated Prerequisites: Added informa­

tion for customers on SP24 of 10.1

Upgrade: SAP Access Control 10.0/10.1 to 12.0

4 PUBLIC Document History
2 Getting Started

This guide is intended for customers who currently use SAP Access Control 10.0 or 10.1 and wish to upgrade to
SAP Access Control 12.0.

2.1 About This Document

Purpose

This guide describes how to upgrade SAP Access Control 10.0 or 10.1 to SAP Access Control 12.0. The
document provides the following information.

● An overview of the type of data required for the upgrade

● Prerequisite information for configuring upgrade requirements for the SAP Access Control 12.0
environment
● Steps to verify data and perform post-upgrade tasks

Constraints

This Upgrade Guide is a standalone document; it has the following list of constraints.

● This guide discusses the upgrade process of the SAP Access Control 10.0 and 10.1 application to SAP
Access Control 12.0. Any attempt to use this guide for other product versions is not supported
.

This guide does not provide information for the following uses:

● Installing SAP Access Control 12.0

○ For more information about installation, see the SAP Access Control Admin Guide at https://
help.sap.com/grc-ac

2.2 Product Availability Matrix

https://apps.support.sap.com/sap/support/pam

SAP regularly publishes the following information about SAP software releases through the Product Availability
Matrix (PAM):

● Release type (for example, standard release, early adoption release, or focused business solution release)
● Planned availability
● Maintenance durations
● Upgrade paths

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Getting Started PUBLIC 5
● Platform availability, including database platforms and operating systems

For more information, see Product Availability Matrix for SAP Access Control 12.0 .

2.3 Support Pack Numbering and Compatibility

The support pack numbering of SAP Access Control support packs is dependent on the platform (Java or
ABAP) as well as the Basis version of the back-end ( 700+). The differences in numbering between these
components makes it difficult to ascertain which support packs to apply.

It is very important that the support pack level of the Foundation system and back-end ABAP Real-Time Agent
(RTA) are in sync. Use the information in the following SAP Note to ensure your system is appropriately
patched and in synch: 1352498 Support Pack Numbering - SAP Access Control.

2.4 SAP Notes for Upgrade

Review the following notes before you perform the upgrade.

Note Number Note Description

2620641 SAP Access Control 12.0 - Release Information Note

2622112 Access Control 12.0 Support Package 01 - Master Note

2663021 SAP Access Control12.0 SP02 Master Note

2731873 SAP Access Control 12.0 SP03 - Release Information Note

2647067 Release Information Note for SAP Fiori for SAP AC 1.0

2602131 Release strategy and Maintenance Information for the ABAP

add-on GRCFND_A V1200

2612335 Release strategy and Maintenance Information for the ABAP

add-on GRCFND_A V8100

2602825 Release strategy and Maintenance Information for the ABAP

add-on GRCPIERP V1200_S4

2602564 Release strategy and Maintenance Information for the ABAP

add-on GRCPINW V1200_750

986996 Explanation of delivered risk analysis and remediation rules.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

6 PUBLIC Getting Started
 Note Number Note Description

2641804 ESH: Accesses to search-related metadata take a long time:

Symptoms may include long response time or even timing

out when opening NWBC, Enterprise Portal, or Fiori Launch­
pad.

2672441 AC12 IMG Additional Documentation

Documentation nodes accompany each IMG activity to ex­

plain the functionality. In rare instances where the documen­
tation node is missing or insufficient, you can find the docu­
mentation in this SAP note.

2.5 SAP Fiori Apps

For more information about available SAP Fiori apps for SAP Access Control 12.0 , see SAP Fiori for SAP AC 1.0
on the SAP Access Control product page: http://help.sap.com/grc-ac .

For information about installation of the SAP Fiori Launchpad, and the business catalogs and roles for access
control, see chapter Creating Catalogs and Controlling User Access in the Fiori Launchpad in the SAP Access
Control 12.0 Administration Guide.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Getting Started PUBLIC 7
3 Product Technical Overview

3.1 Software Components

The following table illustrates the software component matrix for the application:

Required or Op­ Component/Version Description

tional

Required SAP NetWeaver 7.52 SP0x (For specific SP levels, Foundation application layer on GRC system
see Prerequisites chapter.)

Required SAP UI Component 7.52 SP0x (For specific SP lev­ Foundation UI layer on GRC system
els, see Prerequisites chapter.)

Required SAP Access Control 12.0 SP0x (For specific SP lev­ Access control application on GRC system
els, see Prerequisites chapter.)

Optional UIGRAC01 100 SP02 SAP Fiori for SAP AC 1.0 SP02 (version 4.0
2019-01)

Bundle of SAP Fiori apps for SAP Access Control

12.0 SP03

Optional SAP Enterprise Portal 7.x Versions 7.02 -7.31 use the 7.02 Plug-In

Version 7.31 and above use the 7.31 Plug-In

The following table lists the plug-in components for target systems.

 Note

For the most updated information on plug-ins and support pack levels, see SAP note: 1352498 - Support
Pack Numbering GRC Access Control.

Required or Op­ Component Version Description

tional

Optional GRCPINW V1200_750 SAP GRC PLUGIN NW 7.50 Access control integration
with ERP non-HR functions
for NW 7.50

Upgrade: SAP Access Control 10.0/10.1 to 12.0

8 PUBLIC Product Technical Overview
 Required or Op­ Component Version Description
tional

Optional GRCPIERP V1200_S4 SAP GRC PLUGIN S4HANA 1610+ Access control integration
with S4HANA/ERP HR
functions

Optional GRCPIERP V1100_700 SAP GRC 10.1 SP20 Plug-in ERP 7.00 Access control integration
with ERP HR functions

Optional GRCPINW V1100_710 SAP GRC 10.1 SP21 Plug-in NW 7.10 Access control integration
with ERP non-HR functions
for NW 7.10

Optional GRC 10.1 Java Components SAP GRC AC Portal Plug-in Portal integration for back-
end systems.

 Note
There is no Portal
plug-in for AC12,
therefore use the GRC
10.1 plug-in.

Optional HCO_GRC_PI SAP GRC 10.1 Plug-in for HANA SAP GRC 10.1 Plug-in for
HANA

 Note

3.2 Component Diagram

The following figure illustrates the technical landscape for the SAP Access Control solution.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Product Technical Overview PUBLIC 9
  Recommendation

As a best practice, we recommend implementing the access control solution in three phases, with separate
systems for each:

● Development
● Testing
● Production

 Caution

We strongly recommend that you use a minimal system landscape for test and demonstration purposes
only. For performance, high availability, and security reasons, do not use a minimal system landscape as
your production landscape.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

10 PUBLIC Product Technical Overview
3.3 Prerequisites

Use

The following are required for upgrade to AC 12.0.

● SAP NetWeaver 7.52 SP0x

● SAP UI Component 7.52 SP005

 Note

If you are on SP24 of 10.1, you must upgrade to 12.0 SP05.

More Information

For more information about SAP NetWeaver, see the SAP Help Portal at http://help.sap.com/netweaver

3.4 Overall Implementation Sequence

Use

This section describes the sequential implementation steps required to install the application. It includes
references to the relevant installation documentation and SAP Notes.

The following table lists all the software components that you need for the installation. To implement a specific
access control scenario, you may need only a subset of the software components.

The access control solution supports all the operating and database software systems that are supported by
SAP NetWeaver.

 Note

For more information, see the product availability matrix posted https://support.sap.com/en/release-
upgrade-maintenance.html .

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Product Technical Overview PUBLIC 11
Procedure

To install the application, use the steps described below.

Step Required/ Action Reference

Optional

1 Required Install NetWeaver 7.52 SP0x on the GRC sys­ https://help.sap.com/viewer/p/

tem. (For specific SP level requirements, see SAP_NETWEAVER
Prerequisites.

2 Required Install SAP UI component 7.52 SP0x. (For https://help.sap.com/viewer/p/

specific SP level requirements, see Prereq­ SAP_NETWEAVER
uisites.

3 Required Install GRCFND_A V1200: Add-on Installa­ For more information, see SAP Note:
tion on the GRC system 2602131

4 Required Install SAP Access Control 12.0 NetWeaver For more information, see SAP Note:
Plug-In (GRCPINW V1200_750 SP21) on the 2602564
Plug-in system

5 Optional Install SAP Access Control ERP Plug-In on For more information, see SAP Note
the Plug-In system (GRCPIERP V1100_700 1855405
SP20)
If SAP HR is installed, you must install
GRCPIERP.

6 Optional Install SAP GRC PLUGIN for S4HANA 1610+ For more information, see SAP Note:
(GRCPIERP V1200_S4) 2602825

7 Optional Install SAP Enterprise Portal 7.x https://help.sap.com/viewer/p/

SAP_NETWEAVER

Upgrade: SAP Access Control 10.0/10.1 to 12.0

12 PUBLIC Product Technical Overview
4 Relevant Data

This section discusses how to convert the existing SAP Access Control 10.0 or 10.1 application to SAP Access
Control 12.0. The upgrade process involves the conversion of the data types listed below.

4.1 Configuration Data

Use

Configuration data includes the configuration parameters that you specify within Customizing (IMG
transaction SPRO). The following new Customizing activities are available as of SAP Access Control 12.0:

Activity Description IMG Path

Maintain Settings for Simplified Ac­ Governance, Risk, and Compliance Access Control User Provisioning Simplified Access Request
cess Request processing
Sections

Maintain Settings for Simplified Ac­ Governance, Risk, and Compliance Access Control User Provisioning Simplified Access Request
cess Request processing
Labels

Maintain Settings for Simplified Ac­ Governance, Risk, and Compliance Access Control User Provisioning Simplified Access Request
cess Request processing
Page

Maintain Settings for Simplified Ac­ Governance, Risk, and Compliance Access Control User Provisioning Simplified Access Request
cess Request processing
Reasons

Disable Link Functionality in Attach­ Governance, Risk, and Compliance General Settings Disable Link Functionality in Attachments and
ments and Link

Configure Side Panel for My Process Governance, Risk, and Compliance General Settings UI Settings Configure Side Panel for My Proc

Define Audit Groups Governance, Risk, and Compliance Common Component Settings Internal Audit Management De

Maintain Firefighter ID Role Name Governance, Risk, and Compliance Access Control Emergency Access Management Maintain Fire
Per Connector
Per Connector

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Relevant Data PUBLIC 13
Additional Rule Upload Governance, Risk, and Compliance Access Control Access Risk Analysis SoD Rules Additional

Additional Rules Download Governance, Risk, and Compliance Access Control Access Risk Analysis SoD Rules Additional

Organization Rule Creation Wizard Governance, Risk, and Compliance Access Control Access Risk Analysis SoD Rules Organizatio

Wizard

Configure Attributes for Role Search Governance, Risk, and Compliance Access Control User Provisioning Configure Attributes for Rol
Criteria in Access Requests
Access Requests

More Information

● For more information about configuration, see the Configuration Parameters Guide Control at https://
help.sap.com/viewer/p/SAP_ACCESS_CONTROL .
● For more information about each IMG activity, see the IMG documentation that accompanies each IMG
activity.

4.2 Master Data - BC Sets

The BC Sets below are new to SAP Access Control 12.0. They are optional, and are applicable only for S/4HANA
implementations.

BC Set Name Description

GRAC_RA_RULESET_S4HANA_ALL Rule set for risk analysis integration with Fiori Apps on S/4HANA on-
premise systems.

For an explanation of delivered risk analysis and remediation rules, see 986996 .

For more information about activating BC sets, see the Administrator Guide for SAP Access Control 12.0 at
https://help.sap.com/viewer/p/SAP_ACCESS_CONTROL.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

14 PUBLIC Relevant Data
4.3 Transactional Data

Use

Transactional data are transaction-based records related to the audit trail, workflow items, and so on. If any
changes are necessary for transactional data, the system handles them automatically using XPRA during the
SAP Access Control 12.0 deployment.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Relevant Data PUBLIC 15
5 Verifying Data

Use

To verify your data after the upgrade, we recommend that you perform the following list of tasks:

● View the Upgrade Logs

You can check the upgrade logs to verify that the programs ran successfully.
● Use the SAP Access Control user interfaces to verify that data integrity is maintained after the upgrade.
Compare the information from version 10.0 and 10.1 to the information in 12.0 user interface.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

16 PUBLIC Verifying Data
6 System Upgrade

Use

Upgrading from SAP Access Control 10.0/10.1 to SAP Access Control 12.0 is a same-box upgrade process. To
perform a system upgrade, complete the following steps.

 Note

ABAP Add-ons can be installed via STACK.XML either with SUM or with SAINT only.

Procedure

Complete the following tasks on the SAP Access Control component system:

1. Close all open workflow instances and all open survey instances.
2. Back up the AC 10.0 /10.1 system.
3. Delete all Datamart data. (if applicable)
4. Upgrade the SAP Access Control system to SAP NetWeaver version 7.52 SP00 (or higher).
5. Install the GRC 12.0 component GRCFND_A_V1200 and the latest SAP Access Control support packages.
6. Back up the system again.
7. (optional) Activate the latest BC sets.

 Note

The latest BC set will overwrite any previous BC set in your system. To ensure the the existing BC sets
are not overwritten, choose the option DO NOT OVERWRITE DEFAULTS VALUES.

8. Perform configuration for new and optional SAP Access Control 12.0 features.
9. Refill the Datamart. (if applicable)
10. (If you are using the SAP Portal) Upgrade the SAP NetWeaver Portal to 7.0 EHP 2 SP06 or higher.
Deploy the GRC 12.0 Portal package GRC_POR.
And assign GRC users the portal roles GRC Suite and ERP Common.
11. On the plug-in systems, deploy the GRC12.0 Plug-in (RTA) package for SAP Access Control 12.0.
To determine the GRC Plug-in package version for your ERP/NW releases, see SAP note: 1352498 -
Support Pack Numbering - GRC Access Control.

 Note

The GRC NW plug-ins are required to be installed before installation of the respective GRC ERP plug-
ins.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

System Upgrade PUBLIC 17
12. Use transaction SICF to activate NWBC and Web Dynpro services beginning with the grpc and grfn, at /
default host/sap/bc/nwbc, /sap/public/, /sap/bc.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

18 PUBLIC System Upgrade
7 Post-Upgrade Tasks

After completing the upgrade, you must perform the following list of post-upgrade tasks:

● Adjust the SAP NetWeaver Portal system aliases (if applicable)

● Add NWBC role to users
● Adjust the PFCG model roles
● Activate new Business Configuration (BC) sets
● Adjust the customer menu link (if applicable)
● Resubmit open workflow items

7.1 Adjust Portal System Aliases

For SAP Access Control system aliases, use aliases SAP-GRC (foundation application) and SAP-GRC-AC.

7.2 Add NWBC Role to Users

If you want to launch SAP Business Client (NWBC) using SAP GUI, you need to assign users the role
SAP_GRC_NWBC using transaction SU01.

7.3 Adjusting PFCG Model Roles

Use

The delivered SAP Access Control 12.0 model roles are templates. You can use them to create your own access
control roles. Ensure the you roles you use for access control contain the authority of display regulation.
To do so, follow the procedure below to update the authorization object GRFN_API:

 Note

The authorization object GRFN_API is applicable for access control, process control, and risk management
solutions.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Post-Upgrade Tasks PUBLIC 19
Procedure

1. Log on to the ABAP server for SAP Access Control 12.0.

2. Enter the transaction PFCG.
The Role Maintenance screen appears.
3. In the Role field, enter the role ID of a custom model role. Click Change.
The Change Role screen appears.
4. Click the Authorizations tab.
5. Click Change Authorization Data and then click Enter.
The Change Role: Authorizations screen appears.
6. Click Manual Entry of Authorization Objects.
The dialog box Manual selection of authorizations appears.
7. Enter the Authorization Object GRFN_API and click Enter.
8. Expand the hierarchy for Governance, Risk, and Compliance.
9. Expand the hierarchy for Authorization for access via GRC APIs.
10. Enter the following values in the first node of the expanded hierarchy:
○ Activity: 03 (display)
○ Data Part for GRC Object Types: * (asterisk)
○ Authorization Entity
: REGULATION, REG_GROUP, REG_REQ
○ Subentity:* (asterisk)
11. Click Save.
12. Click Generate to update the authority profile of the role.

7.4 Activating Business Configuration (BC) Sets

For information about Business Configuration Sets, see the Administrator Guide at https://help.sap.com/grc-
ac .

7.5 Setting Up SAP Fiori Launchpad Content for Front-end

System

The SAP Fiori Launchpad is a shell that hosts SAP Fiori apps, and provides the apps with services such as
navigation, personalization, embedded support, and application configuration. SAP Access Control 12.0 SP00
delivers a set of SAP Fiori business catalogs that enable you to open the Web Dynpro Access Control
applications in the launchpad.

This section describes the procedure to add the access control business catalogs to your launchpad. The
procedure is relevant only for landscapes using SAP Fiori Launchpad.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

20 PUBLIC Post-Upgrade Tasks
The access control back-end component contains the technical catalog containing information about the tiles,
which we call the app descriptors. The front-end component UIGRAC01 100 contains the business catalogs
and business roles. We replicate the technical catalog from the back end into the front end to establish a
connection between the technical catalog and the business catalog.

Prerequisite

You have installed the front-end component UIGRAC01 100. The component contains the contains the
business catalogs and business roles for SAP Access Control 12.0.

There are three main steps to configuring the business catalogs for access control:

1. Create RFC Connections

2. Map the RFC Connections
3. Replicate the Technical Catalog from the Back-end System

These steps are described in more detail in the sections below.

For additional information, see Implementation Tasks on the Front-end Server in the UI Technology Guide for
S/4HANA.

Create RFC Connections

1. In the front-end system start transaction SM59.

2. Create two RFC connections: one of type ABAP Connection and one of type H - HTTP connection to
ABAP System
Use the following naming conventions:
○ ABAP connection: <Logical System Alias>_RFC
○ HTTP connection: <Logical System Alias>_HTTP or <Logical System Alias>_HTTPS

 Recommendation

We recommend using an HTTPS connection. Set the SSL option to Active.

For the ABAP connection, set Trusted Relationship set to Yes, and set the Current User to True.
For each connection, enter the Target Host under Technical Settings, and configure the settings under
Logon & Security.

Map the RFC Connections

1. Open the maintenance view /UI2/V_ALIASMAP.

2. Map the connections in table: /UI2/SYSALIASMAP .
Map the connections as follows:

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Post-Upgrade Tasks PUBLIC 21
 Client Source System Alias Target System Alias

<Your Front-end Client> SOHGRAC <Logical System Alias>

Replicate the Technical Catalog from the Back-end System

1. Launch the report /UI2/GET_APP_DESCR_REMOTE_DEV.

2. 2. Enter the following values:
Replication System Alias: SOHGRAC
Back-end Technical Catalog ID: SAP_TC_GRC_AC_BE_APPS
3. Select the Test Mode, and choose Execute to test the configuration. The catalogs are not be replicated in
test mode. A log is displayed showing the results.
4. If the log does not contain any errors, deselect Test Mode and choose Execute to replicate the business
catalogs.

 Recommendation

We recommend scheduling the report to run daily. As the report needs to run after every system
update, scheduling the report to run daily ensures that you have up-to-date information in the SAP Fiori
launchpad designer.

7.5.1 Business Catalogs and Roles for the Fiori Launchpad

The following business catalogs and business roles are delivered as part of the front-end component UIGRAC01
100.

Delivered Business Catalog Roles

Depending on your business requirement you can assign the following delivered roles to your users:

 Note

These roles are examples. You can copy them to your own namespace or create your own.

Delivered Business Catalog Role Description

SAP_GRAC_BCR_CMPLNCMGR_T Compliance Manager

SAP_GRAC_BCR_EMPLOYEE_T Access Control Employee

Upgrade: SAP Access Control 10.0/10.1 to 12.0

22 PUBLIC Post-Upgrade Tasks
 Delivered Business Catalog Role Description

SAP_GRAC_BCR_MANAGER_T Request Approver

SAP_GRAC_BCR_REQADMINTR_T Access Control Administrator

SAP_GRAC_BCR_SCRTYMGR_T Security Manager

Delivered Business Catalogs

These are the corresponding delivered business catalogs.

Delivered Business Catalog Role Description

SAP_GRAC_BCR_CMPLNCMGR_T Compliance Manager

SAP_GRAC_BCR_EMPLOYEE_T Access Control Employee

SAP_GRAC_BCR_MANAGER_T Request Approver

SAP_GRAC_BCR_REQADMINTR_T Access Control Administrator

SAP_GRAC_BCR_SCRTYMGR_T Security Manager

7.6 Run Role Name Conversion Program

Customers may use varied standards when naming roles in their landscape. This may result in failed role
searches when submitting access requests. The below program is used to convert roles into upper case to
improve search.

Run the GRAC_ROLE_NAME_SH_CONVERSION program to improve search capabilities and resolve potential
issues from role name mismatch.

7.7 Implement SAP Note: 2641804

After installation or upgrade you may need to refresh the CDS configuration.

Symptoms may include Fiori Launchpad or applications via NWBC taking a long time to open or the session
timing out.

To resolve the issue, implement SAP Note 2641804 .

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Post-Upgrade Tasks PUBLIC 23
7.8 Configuring the SAP NetWeaver Gateway

Use

In order to use some of the functionality in SAP Access Control 12.0, such as the Remediation View in access
risk analysis, an SAP NetWeaver Gateway connection must be established. Follow these steps to maintain or
verify the connector.

Procedure

1. Logon to an SAP NetWeaver system and access the SAP Reference IMGas follows: from the SAP Easy
Access menu, choose Tools Customizing IMG Execute Project (transaction SPRO) .
2. Choose SAP Reference IMG SAP NetWeaver Gateway OData Channel Configuration
Connection Settings SAP NetWeaver Gateway to SAP System .
3. Choose Manage RFC Destinations and create an RFC (communication) destination that points to the
system itself.

 Caution

Be sure to specify the proper RFC Type, client, and user information using the naming convention:

<System SID>CLNT<Client Number>; for example, GD1CLNT200.

4. If you are using Single-Signon, choose Define Trust for SAP Business Systems. Complete the fields with
information you provided in the Step 3.

 Note

This step only applies if you are using Single-Signon.

5. Choose Manage SAP System Aliases to create the system alias for the RFC destination that you created in
Step 3.
6. Choose New Entries and enter the following values:

Field Name What You Enter

SAP System Alias Enter the name of the RFC destination that you created in
Step 3.

Description Enter a description that is meaningful to your installation.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

24 PUBLIC Post-Upgrade Tasks
 Field Name What You Enter

RFC Destination Enter the name of the RFC destination that you created in
Step 3.

Software Version Choose the value DEFAULT from the drop down list.

7. Save your entries.

8. If required, choose Activate or Deactivate SAP NetWeaver Gateway to activate the SAP NetWeaver Gateway
Services.
9. Choose SAP NetWeaver Gateway OData Channel Administration General Settings .
10. Choose Activate and Maintain Services. The system displays a list of all the services that have been created
in the backend system.
11. Click to select the Technical Service GRAC_GW_VIOLSUMM_REM_SRV.
12. In the System Aliases section (bottom right-hand corner), click Add System Alias.
13. Enter GRAC_GW_VIOLSUMM_REM_SRV_0001 as the Service Doc. Identifier.
14. For the SAP System Alias, enter the system alias name that you created in Step 6.
15. Click the check box for Default System.
16. Save your entries.
17. On the Activate and Maintain Services screen, in the ICF Node section (bottom left-hand corner), verify that
the traffic light in front of the ICF Node is green. If it is not, click the ICF Node field and select Activate from
the ICF Node dropdown menu.
18. If required, Save your settings.
19. On the Activate and Maintain Services screen, repeat steps 11 through 18 for the following services:

Technical Service Name External Service Name Service Doc Identifier

/IWFND/SG_MED_CATALOG CATALOGSERVICE /IWFND/SG_MED_CATALOG_0001

/IWFND/SG_USER_SERVICE USERSERVICE /IWFND/SG_USER_SERVICE_000

More Information

For more information, see the SAP Help portal at http://help.sap.com and search for: SAP NetWeaver
Gateway Developer Guide. Then choose OData Channel Basic Features Service Life-Cycle Activate and
Maintain Services .

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Post-Upgrade Tasks PUBLIC 25
7.9 Adjusting Customer Menu Links

Use

If you have any custom menus, make the necessary adjustments.

More Information

For more information about custom menus, see the SAP Help Portal at http://help.sap.com/saphelp_bpc75/
helpdata/en/3b/b5df48130f44fb8e9537701f09c960/frameset.htm .

7.10 Resubmit Open Workflow Items

Use

If you had any open workflow items before the upgrade, make sure that you restart any items that were not
completed.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

26 PUBLIC Post-Upgrade Tasks
Important Disclaimers and Legal Information

Hyperlinks
Some links are classified by an icon and/or a mouseover text. These links provide additional information.
About the icons:

● Links with the icon : You are entering a Web site that is not hosted by SAP. By using such links, you agree (unless expressly stated otherwise in your
agreements with SAP) to this:

● The content of the linked-to site is not SAP documentation. You may not infer any product claims against SAP based on this information.
● SAP does not agree or disagree with the content on the linked-to site, nor does SAP warrant the availability and correctness. SAP shall not be liable for any
damages caused by the use of such content unless damages have been caused by SAP's gross negligence or willful misconduct.

● Links with the icon : You are leaving the documentation for that particular SAP product or service and are entering a SAP-hosted Web site. By using such
links, you agree that (unless expressly stated otherwise in your agreements with SAP) you may not infer any product claims against SAP based on this
information.

Beta and Other Experimental Features

Experimental features are not part of the officially delivered scope that SAP guarantees for future releases. This means that experimental features may be changed by
SAP at any time for any reason without notice. Experimental features are not for productive use. You may not demonstrate, test, examine, evaluate or otherwise use
the experimental features in a live operating environment or with data that has not been sufficiently backed up.
The purpose of experimental features is to get feedback early on, allowing customers and partners to influence the future product accordingly. By providing your
feedback (e.g. in the SAP Community), you accept that intellectual property rights of the contributions or derivative works shall remain the exclusive property of SAP.

Example Code
Any software coding and/or code snippets are examples. They are not for productive use. The example code is only intended to better explain and visualize the syntax
and phrasing rules. SAP does not warrant the correctness and completeness of the example code. SAP shall not be liable for errors or damages caused by the use of
example code unless damages have been caused by SAP's gross negligence or willful misconduct.

Gender-Related Language
We try not to use gender-specific word forms and formulations. As appropriate for context and readability, SAP may use masculine word forms to refer to all genders.

Videos Hosted on External Platforms

Some videos may point to third-party video hosting platforms. SAP cannot guarantee the future availability of videos stored on these platforms. Furthermore, any
advertisements or other content hosted on these platforms (for example, suggested videos or by navigating to other videos hosted on the same site), are not within
the control or responsibility of SAP.

Upgrade: SAP Access Control 10.0/10.1 to 12.0

Important Disclaimers and Legal Information PUBLIC 27
www.sap.com/contactsap

© 2019 SAP SE or an SAP affiliate company. All rights reserved.

No part of this publication may be reproduced or transmitted in any form

or for any purpose without the express permission of SAP SE or an SAP
affiliate company. The information contained herein may be changed
without prior notice.

Some software products marketed by SAP SE and its distributors

contain proprietary software components of other software vendors.
National product specifications may vary.

These materials are provided by SAP SE or an SAP affiliate company for

informational purposes only, without representation or warranty of any
kind, and SAP or its affiliated companies shall not be liable for errors or
omissions with respect to the materials. The only warranties for SAP or
SAP affiliate company products and services are those that are set forth
in the express warranty statements accompanying such products and
services, if any. Nothing herein should be construed as constituting an
additional warranty.

SAP and other SAP products and services mentioned herein as well as
their respective logos are trademarks or registered trademarks of SAP
SE (or an SAP affiliate company) in Germany and other countries. All
other product and service names mentioned are the trademarks of their
respective companies.

Please see https://www.sap.com/about/legal/trademark.html for

additional trademark information and notices.

THE BEST RUN