Introduction
Recently we have successfully upgraded GRC AC from10 to GRC 12 (SP 3). In this blog, I want to share my experiences which will give you a fair amount of ideas to resolve the key issues during and after the upgrade. Also, I will provide the list of key activities that have to be performed by the GRC AC consultant before and after the upgrade.
Update 05.02.2021: Recently I have managed to upgrade GRC 12 for some other clients. Updated a few new issues and resolutions
Key Pre-Upgrade Activities
Resolve all potential issues identified before the upgrade (Optional).
Create all necessary test scripts for regression testing (Mandatory).
Execute all the test scripts before the upgrade (Optional).
Identify the test scenario based on the business needs (Mandatory).
Download or screenshots all necessary connector settings in SPRO (Mandatory).
Backup all master data related information from NWBC or SAP standard table (Mandatory).
Backup all customization details should be backed up (Mandatory).
Close all opened workflows (Mandatory).
Key Post Upgrade Activities
Validate all required support pack in GRC and Plugin systems.
Validate all connector related configuration.
Check if all sync jobs are running as per expectations.
Execute all the test scripts with the same input used before the upgrade.
Make sure you should complete the SU25 step and role remediation before the testing.
Key Documents & Notes
It is recommended all GRC AC Consultants should read the below documents before going for an upgrade. These documents will give you technical details, prerequisites, dependencies, and troubleshooting techniques relevant to the GRC upgrade.
GRC 12 Upgrade Guide (Download the latest one from the service market place) ( This is the technical upgrade guide from SAP)
2648777 - FAQ: Access Control 12.0 Upgrade (Download the latest one from service market place) ( This is the FAQ related to upgrade. It provides several tips to resolve upgrade issues)
Please note this is not an exhaustive list. You need to go through the service marketplace if you can’t find the specific solutions related to your upgrade activity.
Key Issues & Resolutions
Issue#1: After upgrade, we are getting the below error when submitting the request: "Error while inserting the request reason"
Resolution: Please implement note 1843287 to resolve this. Also, check the note 2156904.
Issue#2: After upgrade, admin delegation has separate options: AC, PC, and BOTH. The delegation is not working when we select AC or PC.
Resolution: This is an enhancement feature provide by SAP in 10.1. Please read the below notes carefully and implement them. There are several mandatory manual steps that need to be completed.
2622846 - AC PC Harmonization for Delegation 2610477 - AC PC delegation enhancement
Issue#3: Risk Analysis is working for the specific connector. There is no result is shown after the risk analysis.
Resolution: This issue may occur due to subsequent connection settings in SPRO. Please implement the below note to resolve this. SAP Note 2720157 - Access risk analysis shows no results after the upgrade.
Issue#4: The default Risk Analysis option is changed after the upgrade. The default is remediation view. There are several steps to configure this view. If you have not executed the required configuration step then it will not work.
Resolution: Please update the parameter 1050 as per business requirement after the upgrade.
Issues#5: Error 403 occurring in NWBC after the upgrade.
Resolution: Deactivate all the GRC related services and activate them (using SICF) as per GRC Installation Guide.
Issues#6: No Connector in the drop-down list when extracting the reports in the reports and analytics tab after the upgrade.
Resolution: Update the authorization object GRAC_SYSTM as per note 2195080
Issue#6: Risk Analysis is working for the specific connector in the access request.
Resolution: The risk is not correctly mapped with the default ruleset. Make sure the rule should be mapped with the default ruleset (if you are expecting the result in the access request)
Issue#7: Wild character role search (e.g. Z*,*FI*, etc) are not working after the upgrade.
Resolution: Need to run the custom program as per note 2399690. Program name: ZGRACROLE_CONVERSION
Issue#8: After running risk analysis no SoD violation message was not populated for all connectors.
Resolution: Applied the correction instruction SAP Note 2434748.
Issue#9: Add note button is disabled in NWBC (using IE or Chrome) when approving an access request.
Resolution: Clear the cookies and restart the NWBC.
Issue#10: Approver was not able to approve the request and getting the error message “Risk analysis is mandatory for this stage”.
Resolution: This issue was due to parameter 1071. We have changed the 1071 parameter to 'Yes, Asynchronously’ and the issue got resolved.
Issue#11: Approver can’t execute risk analysis for locked and expired users.
Resolution: We have changed the below parameter value from NO to YES
1028-Include Expired Users 1029-Include Locked Users
Issue#12: Message "Add at least one role to the request" on the request submission or approval stage.
Resolution: Implemented configuration change as per SAP Note 2457218
Issue#13: Request approval stage movement taking more time than expected and GRC was getting hanged intermittently during the approval
Resolution: Run txn SWE2 and changed the settings as below screen.
Issue#14: Simplified view not configured and visible to the approver
Resolution: Disabled the simplified view using LPD_CUST transaction
Issue#15: Role Usage sync failed after upgrade with memory dump.
Resolution: Basis has tuned the parameter related to heap memory suggested in the ST22 dumps.
Issue#16: Action Usage job showing finished for the specific connector but in the SLG1 it was showing memory error.
Resolution: We have adjusted the input parameter “Time Period” and set it as a lower value (eg. 1000 sec). This setting reduced the memory load in the connector and the issue got resolved.
Issue#17 Requestor is not able to paste the user group in the access request.
Resolution: Implement 2802033 - User groups when entered manually are not saved when the request is copied or in normal request during tab switch
Update after upgrading to SP Level 8
Issue#18: After upgrade to SP level 8 mitigation control owner facing authorization issue to approve MC
Resolution: Check SU53. Need to update role with below values
GRFN_MSMP
ACTVT=70
GRFNMW_PRC=SAP_GRAC_CONTROL_MAINT
Issue#19:Dump while running Authorization Sync for HR connector. The dump contains 'SYNTAX_ERROR abap_bool unknown'
Resolution: Use the note 2951175 in the plugin connector (applicable ONLY for HR system)
GRC 10.1 &12 Features
In this section, I will discuss the new key features and functionalities which can be used to add value to the business based on the requirements.
Remediation View in ARA: These new functionalities offer a more user-friendly and intuitive layout, available help information, default information displayed, the layout of buttons, and functions to enable the approvers to make intelligent decisions about risk resolution.
Role Search Personalization: You can customize your searching criteria based on the Attributes configured for Role Search in Access Requests. This functionality will help them, access ambassadors, to search the role with predefined criteria.
Simplified Access Request: This is all a new functionality introduced in GRC AC 10.1. We can configure the new feature to enhance the user experience.
Fiori like screens for GRC Admins: This is a new feature of GRC 12. This feature provides enhanced the user experience for the GRC administrators.
Integration with the SAP Cloud Identity Access Governance (Cloud IAG): This feature will enable if the business has a plan to integrate cloud applications (e.g. Ariba, SF, etc.) with GRC AC.
Risk Analysis for S/4 HANA application: SAP has delivered an updated version of the ruleset for the S/4 HANA application which can be used if anyone has the plan to integrate GRC with S/4 HANA applications.
Emergency Access Management functionality into HANA: GRC 12 has the capability to control EAM for the HANA database. We can use this functionality if we have a plan to integrate HANA DB with GRC.
Mass Role Methodology Update: This functionality will enable you to select multiple roles at a time and update the methodology process.
I hope this blog will be useful for those who are planning to upgrade GRC AC to 12. If you encounter any other issues please share them to help our GRC AC community.
Recently we have successfully upgraded GRC AC from10 to GRC 12 (SP 3). In this blog, I want to share my experiences which will give you a fair amount of ideas to resolve the key issues during and after the upgrade. Also, I will provide the list of key activities that have to be performed by the GRC AC consultant before and after the upgrade.
Update 05.02.2021: Recently I have managed to upgrade GRC 12 for some other clients. Updated a few new issues and resolutions
Key Pre-Upgrade Activities
Resolve all potential issues identified before the upgrade (Optional).
Create all necessary test scripts for regression testing (Mandatory).
Execute all the test scripts before the upgrade (Optional).
Identify the test scenario based on the business needs (Mandatory).
Download or screenshots all necessary connector settings in SPRO (Mandatory).
Backup all master data related information from NWBC or SAP standard table (Mandatory).
Backup all customization details should be backed up (Mandatory).
Close all opened workflows (Mandatory).
Key Post Upgrade Activities
Validate all required support pack in GRC and Plugin systems.
Validate all connector related configuration.
Check if all sync jobs are running as per expectations.
Execute all the test scripts with the same input used before the upgrade.
Make sure you should complete the SU25 step and role remediation before the testing.
Key Documents & Notes
It is recommended all GRC AC Consultants should read the below documents before going for an upgrade. These documents will give you technical details, prerequisites, dependencies, and troubleshooting techniques relevant to the GRC upgrade.
GRC 12 Upgrade Guide (Download the latest one from the service market place) ( This is the technical upgrade guide from SAP)
2648777 - FAQ: Access Control 12.0 Upgrade (Download the latest one from service market place) ( This is the FAQ related to upgrade. It provides several tips to resolve upgrade issues)
Please note this is not an exhaustive list. You need to go through the service marketplace if you can’t find the specific solutions related to your upgrade activity.
Key Issues & Resolutions
Issue#1: After upgrade, we are getting the below error when submitting the request: "Error while inserting the request reason"
Resolution: Please implement note 1843287 to resolve this. Also, check the note 2156904.
Issue#2: After upgrade, admin delegation has separate options: AC, PC, and BOTH. The delegation is not working when we select AC or PC.
Resolution: This is an enhancement feature provide by SAP in 10.1. Please read the below notes carefully and implement them. There are several mandatory manual steps that need to be completed.
2622846 - AC PC Harmonization for Delegation 2610477 - AC PC delegation enhancement
Issue#3: Risk Analysis is working for the specific connector. There is no result is shown after the risk analysis.
Resolution: This issue may occur due to subsequent connection settings in SPRO. Please implement the below note to resolve this. SAP Note 2720157 - Access risk analysis shows no results after the upgrade.
Issue#4: The default Risk Analysis option is changed after the upgrade. The default is remediation view. There are several steps to configure this view. If you have not executed the required configuration step then it will not work.
Resolution: Please update the parameter 1050 as per business requirement after the upgrade.
Issues#5: Error 403 occurring in NWBC after the upgrade.
Resolution: Deactivate all the GRC related services and activate them (using SICF) as per GRC Installation Guide.
Issues#6: No Connector in the drop-down list when extracting the reports in the reports and analytics tab after the upgrade.
Resolution: Update the authorization object GRAC_SYSTM as per note 2195080
Issue#6: Risk Analysis is working for the specific connector in the access request.
Resolution: The risk is not correctly mapped with the default ruleset. Make sure the rule should be mapped with the default ruleset (if you are expecting the result in the access request)
Issue#7: Wild character role search (e.g. Z*,*FI*, etc) are not working after the upgrade.
Resolution: Need to run the custom program as per note 2399690. Program name: ZGRACROLE_CONVERSION
Issue#8: After running risk analysis no SoD violation message was not populated for all connectors.
Resolution: Applied the correction instruction SAP Note 2434748.
Issue#9: Add note button is disabled in NWBC (using IE or Chrome) when approving an access request.
Resolution: Clear the cookies and restart the NWBC.
Issue#10: Approver was not able to approve the request and getting the error message “Risk analysis is mandatory for this stage”.
Resolution: This issue was due to parameter 1071. We have changed the 1071 parameter to 'Yes, Asynchronously’ and the issue got resolved.
Issue#11: Approver can’t execute risk analysis for locked and expired users.
Resolution: We have changed the below parameter value from NO to YES
1028-Include Expired Users 1029-Include Locked Users
Issue#12: Message "Add at least one role to the request" on the request submission or approval stage.
Resolution: Implemented configuration change as per SAP Note 2457218
Issue#13: Request approval stage movement taking more time than expected and GRC was getting hanged intermittently during the approval
Resolution: Run txn SWE2 and changed the settings as below screen.
Issue#14: Simplified view not configured and visible to the approver
Resolution: Disabled the simplified view using LPD_CUST transaction
Issue#15: Role Usage sync failed after upgrade with memory dump.
Resolution: Basis has tuned the parameter related to heap memory suggested in the ST22 dumps.
Issue#16: Action Usage job showing finished for the specific connector but in the SLG1 it was showing memory error.
Resolution: We have adjusted the input parameter “Time Period” and set it as a lower value (eg. 1000 sec). This setting reduced the memory load in the connector and the issue got resolved.
Issue#17 Requestor is not able to paste the user group in the access request.
Resolution: Implement 2802033 - User groups when entered manually are not saved when the request is copied or in normal request during tab switch
Update after upgrading to SP Level 8
Issue#18: After upgrade to SP level 8 mitigation control owner facing authorization issue to approve MC
Resolution: Check SU53. Need to update role with below values
GRFN_MSMP
ACTVT=70
GRFNMW_PRC=SAP_GRAC_CONTROL_MAINT
Issue#19:Dump while running Authorization Sync for HR connector. The dump contains 'SYNTAX_ERROR abap_bool unknown'
Resolution: Use the note 2951175 in the plugin connector (applicable ONLY for HR system)
GRC 10.1 &12 Features
In this section, I will discuss the new key features and functionalities which can be used to add value to the business based on the requirements.
Remediation View in ARA: These new functionalities offer a more user-friendly and intuitive layout, available help information, default information displayed, the layout of buttons, and functions to enable the approvers to make intelligent decisions about risk resolution.
Role Search Personalization: You can customize your searching criteria based on the Attributes configured for Role Search in Access Requests. This functionality will help them, access ambassadors, to search the role with predefined criteria.
Simplified Access Request: This is all a new functionality introduced in GRC AC 10.1. We can configure the new feature to enhance the user experience.
Fiori like screens for GRC Admins: This is a new feature of GRC 12. This feature provides enhanced the user experience for the GRC administrators.
Integration with the SAP Cloud Identity Access Governance (Cloud IAG): This feature will enable if the business has a plan to integrate cloud applications (e.g. Ariba, SF, etc.) with GRC AC.
Risk Analysis for S/4 HANA application: SAP has delivered an updated version of the ruleset for the S/4 HANA application which can be used if anyone has the plan to integrate GRC with S/4 HANA applications.
Emergency Access Management functionality into HANA: GRC 12 has the capability to control EAM for the HANA database. We can use this functionality if we have a plan to integrate HANA DB with GRC.
Mass Role Methodology Update: This functionality will enable you to select multiple roles at a time and update the methodology process.
I hope this blog will be useful for those who are planning to upgrade GRC AC to 12. If you encounter any other issues please share them to help our GRC AC community.
- SAP Managed Tags:
12 Comments
