Are you still running SAP GRC Access Controls 10.1? As quickly as some gave up on their New Year's resolutions, others lost track of the fact that their SAP GRC 10.x platform reached the end of its maintenance period at midnight on December 31, 2020. There was no ticking time bomb or line of code waiting to invoke a self-destruct sequence, but there are implications to falling outside of the maintenance window.
In this short post, we’ll discuss what a maintenance period is, the impact of passing this deadline, what the options are, and highlight critical questions you should be asking yourself before embarking on this journey.
What is a maintenance period?
The customer-facing lifecycle of an SAP application consists of three phases: the release to customer (RTC), general availability, and end of mainstream maintenance. Customers can get extended maintenance, for an additional fee of course, but this maintenance window does not extend beyond the end of mainstream maintenance. During the mainstream maintenance period, SAP provides support to the customer as needed, defines releases and upgrades, and more. Once the end of maintenance (EOM) period is reached, no additional enhancements or support are provided by SAP. Customers do have the option to enter customer-specific maintenance, which has a restricted scope, limitations, and additional costs. To learn more about support after EOM, reference SAP Note 52505.
Why was this one different?
When you returned to work after the holidays and accessed your GRC application, it probably turned on as it always has. Or did it? This EOM deadline was slightly different from the prior one for SAP GRC 5.3, which ended December 31, 2015. It is not that this period didn’t get an extension due to the pandemic, which was expected by some; it was the fact that Adobe Flash also went out of support at the same time. Why is this important? Well, GRC 10.x dashboards are built using Adobe Flash technology, which is probably one reason maintenance was not extended. This does not mean that at the stroke of midnight all the 10.x applications stopped working. However, if you have not updated your 10.x application and Adobe Flash was removed from your browser, then you probably experienced this issue. For dashboarding and other reports, SAP has developed Fiori Overview Pages (OVP) as an alternative solution. As per SAP, “the OVP Card type reports are not and will not be an exact replica of existing NWBC dashboards”. For additional details on the GRC dashboard and Adobe Flash topic, reference SAP Note 2947941.
What does this mean to me?
Customers on GRC 10.x are recommended to migrate to SAP GRC 12. The move to GRC 12 can be quite confusing given the options available. Customers have the option of implementing Fiori as the frontend or using the traditional NWBC interface, which was updated to emulate the Fiori theme. Additionally, you do not have to run your new GRC 12 application on HANA. While they are optional, both are clearly the way of the future for SAP and critical if you are going to maximize the value of the application. If you have not embarked on the journey of Fiori and HANA just yet, be aware that these applications require new skillsets. HANA introduces a new non-ABAP security model, while Fiori brings new security objects, web-facing applications, and other complexities compliance professionals need to be mindful of.
What are the options?
Many SAP GRC customers went through this just 5 years ago, when GRC 5.3 reached EOM at the end of 2015 and prompted the migration to 10.x. You may decide to take the technical upgrade approach, forgoing the Fiori and HANA options. As a prerequisite, you would need to ensure your NetWeaver and GRC applications are at the minimum SP levels. As highlighted above, there are implications for opting out of Fiori and HANA. The strategic direction of SAP is to release Fiori OVPs and reports as a solution to the Adobe Flash EOM. The alternative is to roll out GRC with a Fiori frontend and HANA backend, taking advantage of the latest reporting solutions and faster performance times. This also entails ensuring the infrastructure is in place for Fiori and HANA, as well as educating resources on how to use and maintain the environment going forward.
Another option is to walk away from the cyclical upgrades and maintenance windows forever and embrace a software-as-a-service (SaaS) solution like Fastpath. Our compliance platform sits in the MS Azure cloud environment and can be spun up in a matter of hours, not weeks or months. Additionally, upgrades and patches are seamless and require little to no effort from our customers, further reducing the total cost of ownership (TCO) for organizations. Never again implement a note or workaround, or research an issue for your compliance application, on your own.
What is Fastpath?
Fastpath is a SaaS-based solution for monitoring and managing access risk across a variety of SAP and non-SAP applications. Focused on delivering value to our customers, we offer a variety of solutions to streamline and automate compliance across the organization. For maximum flexibility and cost savings, we empower our customers to tailor the solution that best meets their needs at that time. If provisioning is not a requirement, why should you pay for it? Acquired another company or want to start provisioning through Fastpath? Let us know and we can enable that too! Below is a high-level overview of capabilities we provide customers daily:
- Segregation of Duties provides solutions to monitor segregation of duties and critical access conflicts across your landscape with fully customizable rulesets, dynamic reporting capabilities, control library for mitigations, and much more!
- Access Certifications automates and provides insights into the periodic review processes for user access, conflicts, role assignments, and role content reviews.
- Identity Manager delivers a robust provisioning and de-provisioning process with workflow-enabled approvals, embedded segregation of duties and critical access checks, audit logging, and additional customization capabilities.
- Emergency Access, better known as “Firefighter” in the SAP world, leverages workflow-based or self-service firefighting with activity logging and review processes.
- Audit Trail introduces a unique capability that allows our customers to monitor and track changes to specific data and configurations within their SAP environments.
- SAP Custom Code Checker automates the review of your custom transactions and programs to provide ruleset placement recommendations that can be added with a simple click of a button.
- Integrations offers a variety of third-party connectors for other enterprise applications such as Oracle, Workday, PeopleSoft, Salesforce, and Coupa, just to name a few.
When you select Fastpath, you are not only gaining access to an award-winning compliance platform, but you are also getting unlimited access to our expert training and support teams. With our Valuepath methodology, we are with you every step of the way, easing the burden and requirements on your resources. Do not hesitate to reach out today for a demo!
Where do I go from here?
You have probably heard the quote from John Adams that “every problem is an opportunity in disguise”. While it may not be a problem, the fact is we are past the EOM for SAP GRC 10.x. At the end of the day, do not beat yourself up for missing the deadline. Many even strategically de-prioritized the upgrade for 2020 as organizations had to cut back on resources due to the pandemic.
Regardless of your situation or path forward, I would challenge you to leverage this as an opportunity to reevaluate your GRC program. Is there functionality you should be using but have not enabled yet? Are there additional systems or cross-system access risks going unmonitored? This is the time to address those questions whether it is with Fastpath or another compliance solution in the marketplace.
Have questions or want to learn more? Reach out and get connected to an expert today!