Learn about key improvements of version 10.0 of SAP BusinessObjects GRC solutions. They include the considerably simplified system architecture, owing to recoding of the SAP BusinessObjects Access Control application on the ABAP stack, the harmonization across all levels from the look and feel of the user interface to the data model, and even deeper integration of the components coming with many new features.
Key Concept
With version 10.0 of SAP BusinessObjects GRC solutions, the release cycles of all SAP BusinessObjects GRC applications have been synchronized for the first time, and the SAP BusinessObjects Access Control application has been recoded and brought back to the ABAP stack without losing any of its version 5.3 features.
Companies that want to implement multiple SAP BusinessObjects GRC applications may be able to lower their total cost of ownership (TCO) by reaping the following benefits offered by version 10.0 of SAP BusinessObjects GRC solutions’ significantly simplified system component architecture:
- Delivery of version 10.0 of SAP BusinessObjects Access Control, version 10.0 of SAP BusinessObjects Process Control, and version 10.0 of SAP BusinessObjects Risk Management as a single highly harmonized software component running on a single server.
- No SAP NetWeaver Portal is required.
- No SAP BusinessObjects server components such as SAP BusinessObjects Explorer (BOE) XI 3.1 for Crystal Reports are required anymore because the required server components for standard reporting were embedded in SAP NetWeaver Application Server ABAP 7.0 enhancement package 2.
- SAP BusinessObjects Process Control and SAP BusinessObjects Access Control share the same plug-ins in your target SAP systems.
- There are fewer individual system components to patch.
In addition to a simplified overall architecture, the SAP BusinessObjects Access Control application has been harmonized internally. The former release’s redundancies have been removed, including multiple creation of connectors pointing to the same system or master data elements (e.g., business processes or functional area) in risk analysis and remediation (RAR), compliant user provisioning (CUP), enterprise role management (ERM), and superuser privilege management (SPM). The four constituent application components now run as different capabilities in a single monolithic application. They can no longer be distributed over multiple application servers, as was possible in release 5.3. Thus, the names RAR, CUP, ERM, and SPM have been retired. The capabilities are now referred to as Access Risk Analysis, Access Request Management, Business Role Management, and Emergency Access Management, respectively.
Simplified System Component Architecture
Figure 1 displays a synopsis of the overall system component architecture of version 10.0 of SAP BusinessObjects GRC solutions. Initially, it looks fairly complex, but the only required component is the box in the middle representing the SAP NetWeaver Application Server ABAP 7.0 enhancement package 2 (aka 7.02) Support Package 6 or higher hosting one or multiple SAP BusinessObjects GRC applications at the same time. All other components are optional in the sense that they depend on which SAP BusinessObjects GRC application and which specific use cases you plan on implementing. Because version 10.0 of SAP BusinessObjects applications all run on SAP’s NetWeaver platform, they support the same combinations of operating systems, databases, and client components as SAP NetWeaver release 7.0. For details, refer to the Product Availability Matrix (PAM) in SAP Service Marketplace at https://service.sap.com/pam. I’ll explain each of the system components in the subsequent subsections.

Figure 1
Version 10.0 of SAP BusinessObjects GRC Solutions — System Component Architecture
Run Multiple GRC Applications on a Single Installation
Version 10.0 of SAP BusinessObjects GRC applications is deployed as four software components to be installed as needed on the SAP NetWeaver Application Server ABAP 7.02 Support Package 6 or higher (Tables 1 and 2):
- GRCFND_A: Contains the applications SAP BusinessObjects Access Control, SAP BusinessObjects Process Control, and SAP BusinessObjects Risk Management
- SLL-LEG: Contains version 10.0 of the SAP BusinessObjects Global Trade Services application
- SLL-NFE: Contains version 10.0 of the SAP Electronic Invoicing for Brazil (aka Nota Fiscal Eletronica) application
- POASBC: Contains Shared Business Components, currently only Content Lifecycle Management (CLM). Content providers and recipients can use the CLM application to package, control versions, inspect, and deploy GRC content. CLM is a key element in SAP’s strategy to deliver SAP BusinessObjects GRC content through the ecosystem and partners with specific domain expertise and credibility.

Table 1
Required Support Package levels and relevant SAP Notes for the installation of SAP BusinessObjects GRC software components

Table 2
Relevant SAP notes covering the upgrade of SAP BusinessObjects GRC applications as well as the combined upgrade of the target SAP back-end systems, including the release 10.0 plug-ins
Each one of the four software components is updated by a sequence of Support Packages – that is, SAP BusinessObjects Access Control, SAP BusinessObjects Process Control, and SAP BusinessObjects Risk Management are patched simultaneously with a single support package. For details on these support packages refer to Table 3.

Table 3
SAP Notes containing information on the Support Packages of version 10.0 of SAP BusinessObjects GRC software components
In theory, deploying all four components on a single box is possible, but it is a best practice to run SAP BusinessObjects Global Trade Services and Electronic Invoicing for Brazil (Nota Fiscal Eletronica) on a separate application server. Companies always install the entire software component GRCFND_A, but activate in the IMG the applications for which they have purchased a license. If you want to take advantage of the integration scenarios that SAP BusinessObjects Access Control, SAP BusinessObjects Process Control, and SAP BusinessObjects Risk Management support owing to their common data model, you need to activate SAP BusinessObjects Access Control, SAP BusinessObjects Process Control, and SAP BusinessObjects Risk Management in the same system client. A distributed deployment of the three applications across multiple system clients or application servers leads to a siloed operation of each one of the SAP BusinessObjects GRC applications with redundant master data structures and little integration.
Choose Your Front-End Client
Your business users can access SAP BusinessObjects Access Control, SAP BusinessObjects Process Control, and SAP BusinessObjects Risk Management through three different user interfaces because they are offered as Web Dynpro applications:
- Embedded SAP NetWeaver Business Client (NWBC): Runs embedded in the SAP NetWeaver Application Server ABAP 7.02 and only requires a browser as a front-end client (Figure 2).
- SAP NetWeaver Business Client 3.0 (NWBC 3.0): Runs as a rich desktop client and requires a desktop installation. It provides a UI very similar to that of the embedded NWBC, but it can be configured to connect to multiple SAP systems (Figure 3).
- SAP NetWeaver Portal 7.02: The new SAP BusinessObjects GRC release comes with portal content, including portal roles for portal integration. The portal requires no more than a browser as a front-end client (Figure 4).

Figure 2
Version 10.0 of SAP BusinessObjects Access Control accessed via the embedded NWBC

Figure 3
Version 10.0 of SAP BusinessObjects Access Control accessed via the embedded NWBC 3.0 fat desktop client

Figure 4
Version 10.0 of SAP BusinessObjects Access Control accessed via the SAP NetWeaver Portal 7.02
SAP GUI for Windows is needed only for customizing activities in the IMG. SAP GUI 7.10 Patch Level 15 is the minimum requirement, but note that SAP GUI 7.20 is recommended owing to the end of maintenance of SAP GUI 7.10 as stated in SAP Note 147519. Version 10.0 of SAP BusinessObjects Global Trade Services, however, is an SAP GUI application with the exception of a new Web Dynpro component application called sanctioned party list (SPL) screening, which is part of the compliance management capability.
All of SAP BusinessObjects Global Trade Services can be accessed through the SAP GUI for Windows or via either of the transaction NWBC-based versions. In addition, the SAP BusinessObjects GRC portal content includes a portal role for SPL screening. Version 10.0 of Electronic Invoicing for Brazil (Nota Fiscal Eletronica) is a Web Dynpro ABAP application running in either of the two NWBC versions, but it doesn’t come with any pre-delivered portal content. Again, SAP GUI is required for customizing and administration tasks.
Version 10.0 of SAP BusinessObjects GRC applications comes with predelivered dashboards that require Adobe Flash Player 10 as a browser plug-in. An additional desktop client component called Crystal Reports Adapter (CR Adapter) is required if the integration of Crystal Reports into the Advanced List Viewer (ALV) is used so that the out-of-the-box reports can be displayed as Crystal Reports. Alternatively, reports can always be displayed solely with the ALV, which doesn’t require the CR Adapter. Finally, version 10.0 of SAP BusinessObjects GRC solutions contains several use cases that use Adobe offline forms, which require Adobe Acrobat Reader 9.0 on the client side.
Integrate with Your SAP NetWeaver Portal
There are two different SAP BusinessObjects GRC-specific software components that can be deployed on your SAP NetWeaver Portal 7.02 Support Package 6 as needed:
- GRC_POR: Contains an SAP BusinessObjects GRC suite portal role, an SAP BusinessObjects Access Control-only portal role, and a portal role for SPL screening. Before deploying this component on your portal server, you need to deploy the business package BP ERP05 COMMON PARTS version 1.51 containing UI technology components such as the Launchpad.
- GRCPIEP: Portal plug-in required for SAP BusinessObjects Access Control if you want to include portal content and users in your scope for risk analysis and provisioning, respectively.
Leverage SAP BusinessObjects Business Intelligence (BI) Content for Reporting
SAP NetWeaver Business Warehouse (BW) 7.02 can be leveraged for reporting via SAP BusinessObjects BI Content, planned to be shipped with the SAP BusinessObjects BI Content release 7.06. This option can be useful for customers who heavily rely on SAP NetWeaver BW as a reporting platform.
Establish Connectivity to Your Business Systems
Version 10.0 of SAP BusinessObjects Access Control and version 10.0 of SAP BusinessObjects Process Control share the same two plug-ins — formerly known as Real-Time-Agents (RTAs) — to be installed on each target SAP ERP system:
If your SAP target system isn’t an ERP release, you need to install only the first plug-in. Note that for version 10.0 of SAP BusinessObjects Process Control, the plug-ins are only required for very specific control monitoring sub-scenarios and that you may not need the plug-ins at all. Each plug-in comes in a version that matches the Basis release level of the SAP target system.
Each plug-in requires the presence of certain support package levels on the target system. For details refer to Table 1, but also check for availability of new Attribute Change Packages (ACP) on the SAP Service Marketplace, which may lower the import restrictions with respect to the required SP levels. Each plug-in is patched separately and needs to be on the same SP level as the main application component GRCFND_A. For details on the support packages for the plug-ins, refer to Table 3. If you want to upgrade your SAP back-end system at a later point in time, you need to include the corresponding plug-in upgrade into the overall upgrade procedure (Table 2).
Version 10.0 of SAP BusinessObjects Risk Management doesn’t need plug-ins, whereas version 10.0 of SAP BusinessObjects Global Trade Services does need one plug-in on SAP ERP systems: SLL-PI900_<REL> with <REL> = 46C, 470, 500, 600.
The preceding comments also apply to the SAP BusinessObjects Global Trade Services plug-in accordingly. Again, for details refer to Tables 1-3.
Install Additional System Components as Needed
You may need to install a number of additional system components depending on the scope of your SAP BusinessObjects GRC solutions implementation:
- TREX 7.10, revision 27 or higher: You can install the stand-alone version of TREX if you want to use Enterprise Search for document search in version 10.0 of SAP BusinessObjects Process Control, version 10.0 of SAP BusinessObjects Risk Management, and SPL screening.
- Adobe Document Services (ADS): The ADS runs as a service on a SAP NetWeaver Application Server Java 7.02 and can be operated as a shared component in your system landscape used by SAP BusinessObjects GRC solutions and other applications. If you have SAP NetWeaver Portal, you can also run ADS on its Java instance. SAP BusinessObjects GRC applications use the ADS to generate PDF documents for ALV report printing. Version 10.0 of SAP BusinessObjects Process Control and SAP BusinessObjects Risk Management require the ADS to generate offline test plans and surveys, respectively, whereas version 10.0 of SAP BusinessObjects Global Trade Services requires the ADS for offline forms used for Customs Management.
- SAP NetWeaver Process Integration (PI) 7.00 Support Package 14+: Version 10.0 of SAP BusinessObjects Electronic Invoicing for Brazil (SAP BusinessObjects Nota Fiscal Eletronica) requires SAP NetWeaver PI for data exchange with Brazilian authorities. It uses the same release of SAP NetWeaver PI as previous versions of SAP BusinessObjects Electronic Invoicing for Brazil.
- Identity Management Solutions (IdM): Version 10.0 of SAP BusinessObjects Access Control integrates with IdM solutions from SAP and other vendors, providing a combined application for compliant identity management. The integration works bidirectionally, is based on Web services, and is optimized for SAP NetWeaver Identity Management (SAP NetWeaver ID Management). The full range of integration scenarios requires SAP NetWeaver ID Management 7.2 Support Package 1 or higher.
Frank Rambo, PhD
Frank Rambo, PhD, is managing a team within SAP’s Customer Solution Adoption (CSA) organization working with customers in the SAP analytics area with the objective to drive adoption of new, innovative solutions. Prior to this position, he worked eight years for SAP Germany as a senior consultant focusing on SAP security and identity management. Before he joined SAP in 1999, Frank worked as a physicist in an international research team. He lives in Hamburg, Germany.
You may contact the author at frank.rambo@sap.com.