Recently we have successfully upgraded GRC AC from10 to GRC 12 (SP 3). In this blog I want to share my experiences which will give you a fair amount of idea to resolve the key issues during and after upgrade. Also I will provide list of key activities which have to be performed by GRC AC consultant before and after upgrade.
Key Pre-Upgrade Activities
Resolve all potential issues identified before upgrade (Optional).
Create all necessary test scripts for regression testing (Mandatory).
Execute all the test script before upgrade (Optional).
Identify the test scenario based on the business needs (Mandatory).
Download or screenshots all necessary connector settings in SPRO (Mandatory).
Backup all master data related information from NWBC or SAP standard table (Mandatory).
Backup all customization details should be backed up (Mandatory).
Close all opened workflows (Mandatory).
Key Post Upgrade Activities
Validate all required support pack in GRC and Plugin systems.
Validate all connector related configuration.
Check if all sync job are running as per expectations.
Execute all the test script with the same input used before the upgrade.
Make sure you should complete the SU25 step and role remediation before the testing.
Key Documents & Notes
It is recommended all GRC AC Consultant should read the below documents before going for upgrade. These documents will give you technical details, prerequisites, dependencies and troubleshooting techniques relevant to GRC upgrade.
GRC 12 Upgrade Guide (Download the latest one from service market place) ( This is the technical upgrade guide from SAP)
2648777 – FAQ: Access Control 12.0 Upgrade (Download the latest one from service market place) ( This is the FAQ related to upgrade. It provides several tips to resolve upgrade issues)
Please note this is not the exhaustive list. You need to go through service market place if you can’t find the specific solutions related to your upgrade activity.
Key Issues & Resolutions
Issue#1: After upgrade we are getting below error when submitting the request: “Error while inserting the request reason”
Resolution: Please implement the note 1843287 to resolve this. Also check the note 2156904.
Issue#2: After upgrade admin delegation has separate option :AC, PC and BOTH. The delegation is not working when we select AC or PC.
Resolution: This is an enhancement feature provide by SAP in 10.1. Please read below notes carefully and implement it. There are several mandatory manual steps need to completed.
2622846 – AC PC Harmonization for Delegation 2610477 – AC PC delegation enhancement
Issue#3: Risk Analysis is working for specific connector. There is no result is shown after risk analysis.
Resolution: This issue may occur due to subsequent connection settings in SPRO. Please implement below note to resolve this. SAP Note 2720157 – Access risk analysis shows no results after upgrade.
Issue#4: Default Risk Analysis option is changed after upgrade. The default is remediation view. There are several steps to configure this view. If you have not executed the required configuration step then it will not work.
Resolution: Please update the parameter 1050 as per business requirement after upgrade.
Issues#5: Error 403 occurring in NWBC after upgrade.
Resolution: Deactivate all the GRC related services and activate it (using SICF) as per GRC Installation Guide.
Issues#6: No Connector in the drop down list when extracting the reports in reports and analytics tab after upgrade.
Resolution: Update the authorization object GRAC_SYSTM as per note 2195080
Issue#6: Risk Analysis is working for specific connector in the access request.
Resolution: The risk is not correctly mapped with the default ruleset. Make sure rule should be mapped with default ruleset (if you are expecting the result in the access request)
Issue#7: Wild character role search (e.g. Z*,*FI* etc) are not working after upgrade.
Resolution: Need to run custom program as per note 2399690. Program name: ZGRACROLE_CONVERSION
Issue#8: After running risk analysis no SoD violation message was not populated for all connectors.
Resolution: Applied the correction instruction SAP Note 2434748.
Issue#9: Add note button is disabled in NWBC (using IE or Chrome) when approving an access request.
Resolution: Clear the cookies and restart the NWBC.
Issue#10: Approver was not able to approve request and getting error message “Risk analysis is mandatory for this stage”.
Resolution: This issue was due to parameter 1071. We have changed 1071 parameter to ‘Yes, Asynchronously’ and issue got resolved.
Issue#11: Approver can’t execute risk analysis for locked and expired users.
Resolution: We have changed the below parameter value from NO to YES
1028-Include Expired Users 1029-Include Locked Users
Issue#12: Message “Add at least one role to the request” on request submission or approval stage.
Resolution: Implemented configuration change as per SAP Note 2457218
Issue#13: Request approval stage movement taking more time than expected and GRC was getting hanged intermittently during approval
Resolution: Run txn SWE2 and changed the settings as below screen.
Issue#14: Simplified view not configured and visible to the approver
Resolution: Disabled the simplified view using LPD_CUST transaction
Issue#15: Role Usage sync failed after upgrade with memory dump.
Resolution: Basis has tuned the parameter related to heap memory suggested in the ST22 dumps.
Issue#16: Action Usage job showing finished for specific connector but in the SLG1 it was showing memory error.
Resolution: We have adjusted the input parameter “Time Period” and set as lower value (eg. 1000 sec). This setting reduced the memory load in the connector and issue got resolved.
Issue#17 Requestor is not able to paste user group in the access request.
Resolution: Implement 2802033 – User groups when entered manually are not saved when request is copied or in normal request during tab switch
GRC 10.1 &12 Features
In this section I will discuss on the new key features and functionalities which can be used to add value to the business based on the requirements.
Remediation View in ARA:This new functionalities offer more user-friendly and intuitive layout, available help information, default information displayed, layout of buttons and functions to enable the approvers to make intelligent decisions about risk resolution.
Role Search Personalization: You can customize your searching criteria based on the Attributes configured for Role Search in Access Requests. This functionality will help the access ambassadors to search the role with predefined criteria.
Simplified Access Request: This is all a new functionality introduced in GRC AC 10.1. We can configure the new feature to enhance the user experience.
Fiori like screens for GRC Admins: This is a new feature of GRC 12. This feature provides enhance user experience for the GRC administrators.
Integration with the SAP Cloud Identity Access Governance (Cloud IAG):This feature will enable if the business has plan to integrate cloud applications (e.g. Ariba, SF etc.) with GRC AC.
Risk Analysis for S/4 HANA application: SAP has delivered updated version of ruleset for S/4 HANA application which can be used if anyone has plan to integrate GRC with S/4 HANA applications.
Emergency Access Management functionality into HANA:GRC 12 has capability to control EAM for HANA database. We can use this functionality if we have a plan to integrate HANA DB with GRC.
Mass Role Methodology Update: This functionality will enable you to select multiple roles at a time and update the methodology process.
I hope this blog will be useful for those who are planning to upgrade GRC AC to 12. If you encounter any other issues please share it to help our GRC AC community.