Skip to Content
Author's profile photo Former Member

Challenges during GRC 10.0 Support pack and Net weaver upgrade

This document talks about the challenges organizations face when upgrading Support pack/ Net weaver for SAP GRC 10.0. Organizations that upgrade support pack with Net weaver version for SAP GRC 10.0, might face many challenges at different stages of project. Here we are discussing some of the challenges faced in real time environment while upgrading GRC 10.0 to SP13 from existing SP07 and SAP Net Weaver 7.31 SPS 8 from existing SAP Net Weaver 7.02.

  • Backend Plugin Upgrade
    • If organization is planning to upgrading GRC 10.0 from SP level below SP10, they are require to plan and coordinate for GRC Plugin upgrade in backend systems also. GRC is normally connected to most of the system in any organization for user provisioning, risk analysis and emergency access…, which are at difference NW version and plugin level.
    • To avoid product compatibility issues, suggested to plan plugin upgrade before GRC system upgrade.
  • SU25 and Web dynpro components upgrade
    • It is tough for Security consultant to understand effect for authorization updates in SU25 steps 2a, 2b, 2c on GRC front end, as it don’t provide details for change in authorization check for  GRC front end application.
    • Suggested detail planning for testing strategy and scenario testing to cover all Authorization check changes and role charge requirement
  • Mass user locking
    • Normally in any ECC, BI… systems total number of user are in thousands, but in GRC system number of user is high, depending on number for systems connected to it and how user’s data is updated. While upgrade to avoid user to login, it is recommend to lock users.
    • In general SU10 is used for mass locking but for locking users in Lakhs via SU10 is not a suitable approach.
  • Agent not found access requests ending into error or completing without role owner approval
    • Post upgrade roles with approvers not defined in GRACOWNER table or not defined as owner in “Access control owner” in from end, will not be able to approve request. Post upgrade GRC started checking for approvers in GRACOWNER table. 
    • Before go live update all role approvers as Role Owners in Access control owner list.
  • Dumps in system while clicking on link in email received from GRC
    • Post NW and SP upgrade for GRC 10.0, users might start getting below ABAP dump in system

               ASSERTION FAILED

               Category           ABAP Programing Error

               Runtime Errors Assertion Failed

               ABAP Program  CL_GRFN_API_IDENT================CP

               Application Component GRC

    • Please check for OSS note 1888486 if applicable for your system to fix issue

Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Former Member
      Former Member

      Thanks preeti. I would also check all sap notes related to the SP you are going to upgrade.

      --And side effects report.

      Author's profile photo Colleen Hebbert
      Colleen Hebbert

      Hi Preeti

      Fantastic to see you writing this article. I have been wondering how everyone is approaching support packs, etc where they already have a production system

      For the SU25 - you might want to add which parts GRC needs to SU24 for (i.e. Function Definition in Ruleset and BRM Authorisations)

      Heaps of questions and ideas on what you could include (or you or anyone cover in future topics).............

      How much time did you allow for the support pack upgrade from commencing activity (development) through to cut-over to production? Did you feel there was sufficient time?

      I realise your lock the users, but what sort of outage did you do for cut-over? Also, did you re-run full syncs on your job or continue delta?

      Did the support packs trigger a review of rule-set definitions or any other activity?

      What sort of testing did you do as part of your support pack approach and which people did you involve?

      This is most likely a new topic, but did you perform any system/client refreshes in Non-Production Systems that would cause a discrepancy between GRC and satellite system data?

      Do you have any key lessons learned for the approach you took and would you do anything differently next time round (there will be more SPs).



      Author's profile photo Trinadh Bokka
      Trinadh Bokka

      Very useful information and thanks for sharing.

      Trinadh Bokka

      Author's profile photo Former Member
      Former Member

      Very useful and knowledge sharing psot.

      I was wondering to know exactly the same info some time back, but managed somehow. Definitely this would be helpful to others.

      Thanks a lot.