SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2009 SAP AG

Applies to:

GRC 10.0 release, Process Control 10.0.

Summary

This document describes configuration and use of Content Lifecycle Management (CLM) for SAP GRC

Process Control (PC) 10.0 release. The document includes a Frequently Asked Questions section covering

discussion topics which have come up during presentations to partners and customers.

CLM use for PC has strong resemblances to its use for other GRC products such as Access Control (AC)

10.0, Risk Management (RM) 10.0 and Global Trade Services (GTS) 10.0, although some of the details

differ.

Authors: Jiran Ding, Atul Sudhalkar

Company: Governance, Risk, and Compliance

SAP BusinessObjects Division

Created on: 02 May 2011

Version 2.0

GRC Process Control 10.0

Content Lifecycle Management

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2009 SAP AG

Document History

Document Version Description

2.0 Atul’s re-format to fit this template

1.10 Atul’s revisions to some descriptions

1.00 First draft

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2009 SAP AG

Typographic Conventions

Type Style Description

Example Text Words or characters quoted

from the screen. These

include field names, screen

titles, pushbuttons labels,

menu names, menu paths,

and menu options.

Cross-references to other

documentation

Example text Emphasized words or

phrases in body text, graphic

titles, and table titles

Example text File and directory names and

their paths, messages,

names of variables and

parameters, source text, and

names of installation,

upgrade and database tools.

Example text User entry texts. These are

words or characters that you

enter in the system exactly as

they appear in the

documentation.

<Example

text>

Variable user entry. Angle

brackets indicate that you

replace these words and

characters with appropriate

entries to make entries in the

system.

EXAMPLE TEXT Keys on the keyboard, for

example, F2 or ENTER.

Icons

Icon Description

Caution

Note or Important

Example

Recommendation or Tip

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2009 SAP AG

Table of Contents

1. Business Scenario............................................................................................................... 1

2. Background Information ..................................................................................................... 2

2.1 Customizing data .......................................................................................................... 2

2.2 Master data types managed by CLM ........................................................................... 4

2.3 Master data types NOT managed by CLM ................................................................... 4

3. Prerequisites ........................................................................................................................ 5

4. Step-by-Step Procedure ...................................................................................................... 7

4.1 Create RFC Connection in CLM ................................................................................... 7

4.2 System Registry in CLM ............................................................................................... 7

4.3 Extraction ...................................................................................................................... 8

4.3.1 Procedure ........................................................................................................ 8

4.4 View Content Group ................................................................................................... 12

4.4.1 Procedure ...................................................................................................... 12

4.5 Edit Content Group ..................................................................................................... 13

4.5.1 Procedure ...................................................................................................... 13

4.6 Clean up testing data (Optional) ................................................................................. 15

4.6.1 Procedure ...................................................................................................... 15

4.7 Deployment ................................................................................................................. 16

4.7.1 Procedure ...................................................................................................... 16

4.8 Mass Editor ................................................................................................................. 20

4.8.1 Downloading and Uploading with XML .......................................................... 20

4.8.2 Prerequisites .................................................................................................. 23

4.8.3 Procedure ...................................................................................................... 24

4.8.4 More Information ............................................................................................ 28

5. FAQ ..................................................................................................................................... 30

5.1 What is Content Lifecycle Management? What content does CLM manage? .......... 30

5.2 What is “mass-edit”? Which applications offer mass-editing via CLM? How does

this compare with MDUG? .......................................................................................... 31

5.3 How do I import business process models from BPM systems into GRC?................ 32

5.3.1 Master Data Exchange .................................................................................. 32

5.3.2 Runtime Integration ........................................................................................ 34

5.4 I merged vendor updates into my customized content, now it doesn’t deploy! .......... 35

5.5 I had three CLM instances in my landscape, now everything is all messed up! ........ 36

5.6 How do I use CLM to move content around within my landscape? ........................... 36

5.7 Is CLM licensed separately? Do partners need to purchase licenses for CLM?

How does SAP certify partner content? What channel does SAP provide for

getting partner content to customers? .................................................................. 37

6. Comments and Feedback ................................................................................................. 37

7. Appendix .................................................................................. Error! Bookmark not defined.

8. Copyright ............................................................................................................................ 38

SAP COMMUNITY NETWORK SDN - sdn.sap.com | BPX - bpx.sap.com | BOC - boc.sap.com

© 2009 SAP AG

IMPORTANT INFORMATION FOR THE "HOW-TO GUIDE" AUTHOR

Before using the template for the first time, copy it to your C:\Documents and

Settings\All Users\Templates folder and use only that copy. This

ensures that you use the same template for all your guides.

Do not delete any pages preceding this page.

Do not alter the layout of the pages preceding this page.

Make sure to delete this entire page before publishing your guide.

Check the GRC joint cRoom to see if you are using the latest template:

https://portal.wdf.sap.corp/irj/go/km/navigation/guid/90c9b481-51c5-2b10-6582-

9ec2783f880e

If you are new to this template, read the separate READ ME FIRST document for

more information about the macros and autotexts that are provided in the

template.

Use the outline provided in this template as a guideline for the structure of your

How-To Guide. You may delete it if it is not applicable.

Do NOT apply styles, create tables, or add notes manually. Use ONLY the

macros and autotexts in the two How-To Guide toolbars.

BEFORE YOU BEGIN WRITING

Make sure that the following toolbars are visible in the toolbar area of Word. If not,

in the View Toolbars menu, select HowToGuide_1 and HowToGuide_2.

• • •

By design, only horizontal border lines between each row are added to tables in

this template; vertical border lines between columns are not displayed.

To toggle the display of vertical and horizontal gridlines of tables, use the Show/Hide Table Gridlines action in the How-To Guide toolbar. In the final print version, your document will only print the horizontal border lines between rows.

Enter the title of the document and your name (or user ID) in the document

properties dialog box (File Properties menu; Summary tab, Title and Author

fields).

1. Business Scenario

SAP BusinessObjects Governance, Risk and Compliance (GRC) customers have long

indicated that the desire better content support from SAP. In this context, content typically

means GRC master data such as risks, controls, regulations, etc.—data which is typically

entered by experts during the implementation, before end-users can work with GRC products.

Some of this content is customer-independent: examples would include regulations, risks and

controls which encode requirements for Public Utility compliance such as NERC/FERC, SOX

compliance, FCPA compliance, etc. Many industry practitioners maintain a „database‟ of

such content, often in well-structured internal databases such as Access, shared with their

colleagues, or in personal notes. The value scenario here is to help such practitioners map this

content to GRC structures, and provide tools to facilitate re-use of such content with many

customers without painful and repetitive data entry.

Some content is necessarily customer-dependent: organizational structure and business

processes, user provisioning, etc are all customer specific. System landscape is another

clearly customer-specific configuration, although that tends to be a little tangential to GRC

PC usage.

Content Lifecycle Management (CLM) is a set of features included in every product which is

part of the SAP BusinessObjects Governance, Risk and Compliance (GRC) suite release 10.0.

This release entered ramp-up in December 2010, and was officially launched at SAP Insider

in March 2011. All four products in GRC—Access Control (AC), Process Control (PC), Risk

Management (RM) and Global Trade Services (GTS)—support CLM functionality.

Content Lifecycle Management (CLM) enables version control, extraction, deployment and

packaging/transport of GRC master data. It allows SAP customers to leverage application

content developed by the ecosystem.

CLM aims to address all types of content eventually. The use cases for customer-specific

content are slightly different from the ones for customer-independent content, but both sets

are necessary and relevant. We want to address all customer and partner needs in this area,

over time. This document explains what CLM does, what content it manages, what

limitations exist, etc.

2. Background Information

CLM helps content providers deliver application content and its subsequent changes via

content packages. Over the lifetime of any content, CLM highlights changes and helps users

manage the evolution of content as regulations change, companies undergo mergers,

acquisitions, reorganizations, expand into new regions, etc.

CLM helps customers bring in content authored across the ecosystem, test, customize and

maintain it in the face of evolving regulations and changes in the organization and business

practices of the company.

This document describes how SAP GRC Process Control 10.0 leverages CLM functionality.

PC CLM covers all the key master data entities which were previously addressed by the

experimental Master Data Upload Generator (MDUG) tool which was given to many partners

to support the PC 3.0 release. Given CLM‟s support for uploads, downloads, mass-edit,

version control and ID re-mapping to enable transport between GRC instances within and

across landscapes, SAP believes CLM supercedes MDUG in all respects.

Other documents describe implementation of the CLM functionality in general. The rest of

this document focuses on the specifics of configuring and using CLM for use with PC 10.0.

Target Audience

System administrators

Technology consultants

SAP GRC partners‟ consultants and business development officers

2.1 Customizing data

Technique Name Name IMG Path Structure Path

IMPACT Risk Impact GRC Shared Master Data Settings Risk and Opportunity Attributes

Maintain Impact Categories

DRVCAT Risk Driver Maintain Driver Categories

CO-OBJCAT Control Objective Category

GRCProcess ControlEdit Attribute Values

Attributes with Dependent Value

AC-ASS Account Group Assertion

Attributes TS-SAMPLING_METHOD

Test Plan Sampling Method

INDUSTRY Subprocess Industry

TR_TYPE Subprocess Traction Type

PR-CATEGORY Control Category

PR-SIG Control Significance

CN_EVIDENCE Control Evidence GRCProcess Control Scoping

Set Level of Evidence Value

CN_CNTR_RISK Control Risk Rating Set Control Rating Range

PR-AUTOM Control Automation

GRCProcess ControlEdit Attribute Values

Attributes with Fixed Values

PR-PURP Control Purpose

Attributes

PR-NATURE Control Nature

RELEVANCE Control Relevance

CN_GROUP Control Group

CN_SUBGROUP Control Subgroup

PR-FREQ Control Frequency

PR-TEST_AUTOM Control Test Automation

Attributes with Fixed Values

PR-TTECHNQ Control Test Technique Attributes

IELC-FREQ IELC Frequency

2.2 Master data types managed by CLM

Technique Name Name

REG_GROUP Regulation Group

REGULATION Regulation

REG_REQ Regulation Requirement

ORGUNIT Orgunit

CRGROUP Central Risk Group

CRISK Central Risk Template

COBJECTIVE Control Objective

ACC_GROUP Account Group

TESTPLAN Test Plan

XPROCESS Central Process

XSUBPROCESS Central Subprocess

XCONTROL Central Control

XECGROUP Central IELC Group

XECONTROL Central IELC

2.3 Master data types NOT managed by CLM

The so-called “local” entities are not managed by CLM in PC 10.0.

Technique Name Name

PROCESS Local Process

SUBPROCESS Local Subprocess

CONTROL Local Control

ECGROUP Local IELC Group

ECONTROL Local IELC

Business Rules and Data Sources are not managed by CLM, but there is a separate program to

help transport BRs and DSs using SAP ABAP transport.

3. Prerequisites

Important SAP Notes

Make sure that you have the up-to-date version of each SAP Note, which you can find on

SAP Service Marketplace at: http://service.sap.com/notes.

Additional Information

For more information about specific topics, see the Quick Links as shown in the table below.

Content Quick Link on the SAP Service Marketplace

Related SAP Notes service.sap.com/notes

Released platforms service.sap.com/platforms

SAP Solution Manager service.sap.com/solutionmanager

Note

SAP POA SBC Content Lifecycle Management for Process Control 10.0 supports Microsoft Excel 2003 and Microsoft Excel 2007. Examples in this document take Microsoft Excel 2007 as its context. Most content in this document applies to Microsoft Excel 2003 as well.

4. Step-by-Step Procedure

4.1 Create RFC Connection in CLM

As CLM will call PC API to extract or deploy content, it is necessary to create a RFC

connection firstly before using CLM.

In CLM system, create a RFC Connection by T-Code SM59, please notice you should have

the authority to do the operation.

4.2 System Registry in CLM

If you initially use CLM, it is necessary to configure the application connection on CLM side.

1. Go to IMG and select “Maintain System Registry” under “Content Lifecycle

Management”.

2. Double click “System Registry” in the left tree, then push button “New Entries” or

“Update” to maintain the registry. For each PC system client in which you want to

use CLM, it is necessary to create a configuration.

3. Create or update system registry entry for the chosen API group and specify the

following details:

a. Select an existing authoring domain

b. Provide a suitable name for the system registry entry.

c. Select the RFC destination.

d. Specify SAP system ID and client: System ID and client can be any text, but it

is best to include the ID and client of an actual SAP back-end system if the

system registry entry corresponds to one.

e. Provide a suitable description for the system registry entry. Here is an example configuration for GRC PC system GF2 client 930.

4.3 Extraction

Extraction pulls current content out of PC into CLM; for objects with date validity (most

master data types in PC have date validity), PC selects what‟s currently valid when CLM

requests an extraction.

The language (i.e., English, German, etc.) of extracted content depends on the RFC

connection logon properties.

4.3.1 Procedure

1. Go to CLM Portal Open Click “Manage Content Group”

2. Click on button “Extract”

3. Enter “Name”, “Description”, “Comment”, and select counterpart extraction system. The

systems listed in the dropdown depend on the system registry configured in back-end.

4. Press “Save”. Extraction executes as a background job, and while it’s running, the content

group icon is yellow.

After finished, the icon comes to green.

NOTE

While extraction is still executing in the background, the status is “initial” (yellow);

Once extraction completes, status changes to “valid” if there’s no error; refreshing the screen thereafter will change the icon’s color to green.

Extraction errors change the content group status to “error”, and a subsequent screen refresh will change the icon color to red.

After deployment, the status is “One or More Deployments Existing” (white).

5. You could go to CLM system log to see detail.

T-Code SLG1, enter the object ID as “/POA/CLM”, the subobject as “CHECKPOINT” to

search the log history.

You could also go to source system to see the extraction log.

T-Code SLG1 in the source system, entering the object as “GRFN”, and Subobject as

“IO_EXPORT” to search the extraction log.

4.4 View Content Group

You could view content group detail and the objects contained in this content group.

4.4.1 Procedure

1. Go to CLM Portal Open Click “Manage Content Group”

2. Select a content group, and click button “View”.

3. The content group is displayed.

Content group information is available to see.

The objects are displayed only for the general attributes, such as Entity Type, ID in the source,

name and description.

For the detail information, you need to use mass-editor to download content and see them.

4.5 Edit Content Group

You could edit content group name, description and comment.

4.5.1 Procedure

1. Go to CLM Portal Open Click “Manage Content Group”

2. Select a content group, and click button “Edit”

3. In the popped up window, content group name, description and comment are available

to edit.

If you want to edit the object in the content group, you could use mass-editor functionality to

support this.

4.6 Clean up testing data (Optional)

Before deploying the content to PC from CLM, if you want a clean-up your master data in the

deployment system, you can run these programs.

4.6.1 Procedure

1. Run T-code: SE38

2. Program Name: GRPC_CLM_CLEANUP.

Check the box before the entity which you want to delete.

Test Mode: when selected, system will do the simulation. All entities will be listed;

Uncheck the box the data will be deleted. The deleted status will be shown as green

when success. (Note: For double check after deleted successful, go back and repeat the

step in test mode to check if they have really been deleted. In theory, you should not see

any entities anymore.)

Text field: Only contains the substring: enter the string you want to deleted contains in

the Master Data

3. After all data deleted in PC, the data should also be deleted in deployment system.

4.7 Deployment

Deploying a content group pushes the contained objects into a PC instance.

4.7.1 Procedure

1. Go to CLM Portal Open Manage Content Group

2. Select the content group and click button “Deploy”

3. Select a target system to deploy.

Test Mode means it will not actually persist the changes in PC.

Valid from and valid to means the validity of the content you want to deploy in target

system. As noted earlier in this document, most PC master data types have date validity;

when deploying such content from CLM to PC, it is necessary to pick a validity date

range which PC should apply to the content. For content types with date validity, any

existing objects which are about to be “overwritten” by content being deployed from

CLM are not actually overwritten. Instead, currently valid settings for those objects are

truncated—that is, the “valid to” date of these is set to today, and the newly deployed

settings are made valid from today to 9999-12-31. These dates are the default; in fact, the

deployment screen (image below) offers the CLM user an opportunity to pick which

dates to use, with the constraint that the validity range must include today.

4. Click “Deploy”, then a background job will be scheduled to deploy. This avoids holding

up the CLM user while the potentially long-running deployment job (which typically

executes over the network for remote PC instances) completes.

5. Then you could close window and wait for a while. Once deployment completes,

successfully or otherwise, subsequent screen refreshes will update the status icon.

6. Then you go to CLM system log to see the deploy status. Enter the subobject as

“DEPLOYMENT”

You could also go to deployment target system to see detail log.

T-Code SLG1 in the target system, entering the object as “GRFN”, and Subobject as

“IO_IMPORT” to search the deployment log.

4.8 Mass Editor

Mass-edit addresses the oft-expressed desire of SAP customers to avoid creating or maintaining

master data object-by-object and screen-by-screen in a browser-based UI. Customers find it far more

productive to use desktop tools such as Microsoft Excel, by downloading vast selections of objects,

changing them using familiar desktop tools, and uploading after all changes are made and reviewed.

PC CLM supports mass-editing via an XML interface. This enables users to use their favorite

desktop XML data editor. Since MS Excel includes (limited) XML support, SAP has elected

to provide a shortcut to Excel for PC CLM customers. But note that the underlying mass-edit

support is more general, and partners and customers are encouraged to use XML editors of

their choice.

4.8.1 Downloading and Uploading with XML

You can download a content group to your local file system in XML format and analyze the

XML file using a third-party application. You can upload the content back into CLM (Content

Lifecycle Management).

4.8.1.1 Prerequisites

A content group must be available in CLM for download. Content must be available in the appropriate XML format for upload to CLM.

4.8.1.2 Procedure

CAUTION

You must not move content across landscapes using the download and upload functions. You

can download and upload content in the same CLM repository (system-wide instance) in the

form of content groups. More specifically, using the XML mass-edit channel, you should

only upload to a CLM instance, content that is newly authored, or changes to content which

was previously downloaded to XML from the same CLM instance.

For content shipment across CLM repositories and across landscapes, packages must be used.

Within a package, include existing content groups from CLM and use the packages for

content distribution.

While mass-edit XML download/upload across CLM instances (i.e., export to XML from one

instance, and upload to another after some change) could conceivably succeed, CLM IDs not

present in the target could cause errors. Also, CLM IDs are critical in content versioning, and

such misuse of mass edit features would cripple subsequent content change comparisons.

Mass Editing with XML

From the Content Lifecycle Management entry screen, go to Manage Content Groups.

1. Select a content group from the list and choose Mass Edit Download to XML.

You must specify the location on your local system where you want to save the content group. It is saved as a zip file.

2. Extract the content of the zip file to a folder.

The XML file and metadata is extracted.

3. You can analyze and edit the content of the XML file using a third-party application. 4. To upload the content back into CLM, you need to upload only the XML file.

In the Manage Content Groups screen, choose Mass Edit Upload from XML and select the XML file to upload back into CLM.

The uploaded content is represented as a new content group in the list.

4.8.1.3 Downloading and Uploading with Microsoft Excel

You can download a content group to your local file system in XML format and pass it to

Microsoft Excel to edit the contained content records directly. You can upload the content

back into Content Lifecycle Management (CLM).

EXAMPLE

There is a life science regulation under which you want to add or remove processes,

subprocesses, and controls. Each individual process, sub process, and control represents one

content record and is visible as a single row in the spreadsheet application.

4.8.2 Prerequisites

A content group must be available in CLM for download. Content must be available in the appropriate XML format for upload to CLM.

4.8.3 Procedure

Mass Editing with Microsoft Excel

1. From the Content Lifecycle Management entry screen, go to Manage Content Groups. 1) Select a content group from the list and choose Mass Edit Download to Excel.

2) Select the language that you want to display content records for from the Language Filter dropdown list and choose Download.

EXAMPLE

If content records are available in multiple languages (e.g., German and English), these languages appear as options in the dropdown list.

3) You can specify the location on your local system where you want to save the content group. It is saved as a zip file containing an XML file and the Microsoft Excel file; the metadata is embedded in the Microsoft Excel file.

2. Extract the content of the zip file to a folder.

3. To edit the content records, which have been downloaded in the XML file, open the Microsoft Excel file and enable macros, or in the developer tab, choose Import and import the relevant XML file.

NOTE

4. If developer tab is not displayed, please enable it in Excel Options (see below).

Another way to load content is: enabling the macro script in the file.

Nested hierarchies that are available in the XML file are flattened when you import the content into Microsoft Excel.

1) You can edit the content in Microsoft Excel: You can add or remove details, and edit the content records.

NOTE

The ID field for new content records obviously not CLM-generated. You must enter a new ID for the content record using a combination of letters and numbers. This should be unique across the content being uploaded for cross-references from other content records being uploaded together. Such user-supplied IDs do NOT persist in CLM (except in upload logs), and have no significance once the upload completes—CLM replaces all such IDs with internally generated CLM IDs.

5. When you are finished making changes, save the Microsoft Excel file under a new name in the original folder. Choose Export from the developer tab and save the XML file to the same folder.

CAUTION

Validation errors can occur when you try to export the content, for example, if you remove the ID column, you receive an error.

You must provide the same names for the XML and Microsoft Excel files or an error occurs.

6. In the Manage Content Groups screen in CLM, choose Mass Edit Upload from Excel and select the XML file to upload back into CLM.

The uploaded content is represented as a new content group in the list.

While our narration here always refers to content being downloaded, changed and

subsequently uploaded, note that it is possible to upload entirely new content from scratch.

That‟s just a special case, where the “downloaded” content is empty—and CLM UI makes

that explicit by providing a “Generate Template” option in the Mass-Edit dropdown (see

picture above).

4.8.4 More Information

NOTE

If you include a Microsoft Excel file in a package (manually in the zip folder as an

attachment), it is not uploaded as a content group in the CLM repository when you import the

package. It is available as an attachment only; CLM treats all attachments essentially as user-

facing documentation.

Generate Template

To be able to generate a template, the necessary application adapter must be registered on the

system.

To create an XML-based template on your local system, choose Generate Template.

Select an application from the list and choose Download. You can add and edit content in the

template and upload it back into CLM, for example HR organizational units for a particular

organization.

NOTE

It is possible to generate a template for registered applications even if no content groups exist in CLM.

No previous extract is required and a template can be generated as the first action within CLM.

Although CLM supports the idea of mass-edit templates for applications, Process Control 10.0 is the only GRC 10.0 application which supports this functionality. For the remaining applications, mass-edit in the PC sense is not supported.

5. FAQ

5.1 What is Content Lifecycle Management? What

content does CLM manage?

CLM enables partners and customers to take a holistic view of master data content in GRC

applications. The master data types includes PC controls, regulations, RM risks and KRIs, AC

rulesets, functions, etc., and GTS sanction party lists. A complete list of CLM-managed master data

types is given below, by GRC application.

Process Control Risk Management Access Control

Organization Impact Category Access Risk Central Risk Category Driver Category Function Central Risk Benefit Category Rule Set Control Objective Activity Type Global Trade

Account Group Response Type SPL Central Indirect Entity-Level Control Group Risk Category Delimiters Central Indirect Entity-Level Control Opportunity Category Aliases Regulation Group Risk Template Regulation Opportunity Template Regulation Requirements Activity Category Central Process

Central Subprocess

Central Control

Test Plan

Process Control Business Rules and Data Sources are not under CLM management, but there is an

IMG program which enables partners and customers to transport these without having to know

technical details of their persistence. The picture below shows the location of this functionality in IMG.

This IMG program helps customers and partners transport business rules and data sources between

GRC PC instances, and keeps tracks of their interdependencies. It also helps find and transport

underlying BRF+ rule definitions. Optionally, the program also remaps system-generated IDs if asked

to, which eliminates accidental collisions, especially if the transport is across landscapes (e.g., partner

to customer).

But the IMG program here uses Netweaver ABAP transports, and so does not offer advanced CLM

facilities such as version control, compare-and-merge, mass edit, etc.

5.2 What is “mass-edit”? Which applications offer

mass-editing via CLM? How does this compare

with MDUG?

The term “mass edit” refers to a feature of CLM which enables customers and partners to

import/export all managed master data en-masse. CLM offers an overview of all the managed data

types via an XML schema for each supporting application. This schema can be used as a template for

creating multiple instances of all the supported master data types, including their interdependencies

(cross-references). Users create XML documents with such data. These instances can all be

uploaded together to CLM, and thence to the target application.

Since these documents are based on an XML schema as template, customers and partners can use

any desktop XML tool (such as XMLSpy, or even Microsoft Office) to create and validate the data to

be uploaded.

The old PC 2.5 and 3.0 MDUG tool, and its equivalent in the old MIC product offered similar

functionality. But where the PC 3.0 MDUG tool only supported uploads, CLM mass edit enables

downloads of PC content as well. Along with CLM version control features, this allows users to

repeatedly use mass edit capabilities, without mistaken duplication or overwrites.

5.3 How do I import business process models from

BPM systems into GRC?

Since CLM works off a formal XML schema of all managed master data types in an application, this

also presents an interface for importing master data from other (non-GRC) systems. A popular

example is the need to import business process models from modeling tools.

5.3.1 Master Data Exchange

Customers can exchange master data such as business process models, organizational charts,

regulations, risks, controls, etc. between legacy or reference systems (e.g., ARIS) and GRC 10.0.

This exchange is mediated through the Content Lifecycle Management (CLM) functionality, new to the

10.0 release. CLM extracts master data from, and deploys it into, GRC applications. CLM maintains

its own versioned repository of such content in XML form. Such XML representations therefore serve

as the medium of exchange with other applications and repositories of master data content.

Since CLM can extract as well as deploy content from/to GRC applications, it provides a two-way

bridge for content between GRC and other systems. That is, master data content can be sent both

ways: from legacy or reference systems to GRC, and vice versa. As a practical matter, it is highly

unlikely that customers would want changes happening to key master data in more than one

application—how would parallel and conflicting changes in multiple applications be compared and

merged? CLM provides versioning, but only for GRC data schemas; and most modeling applications

(e.g., for BPM) do not support versioning at all.

Extracting structured data out of reference systems and transforming the data into a valid GRC XML

document remain the customer’s responsibility when provisioning GRC 10.0 from a legacy system.

For the reverse flow, transforming GRC XML data into a form suitable for upload to the legacy system

also remain the customer’s responsibility.

Since GRC versions of master data such as business process models are rather specialized for GRC

purposes, we expect customers to find it much more useful to bring such models into GRC from

reference systems, than the reverse.

The sequence of pictures below explains the issues via an example.

5.3.2 Runtime Integration

Runtime-, or live integration between such master data modeling systems and GRC is also possible,

but may require additional (custom) programming for the currently in-market and upcoming 10.0

releases. For instance, BPM users have been known to ask for a navigational link (URL) linking their

process maps to corresponding GRC PC process/subprocess nodes. Most entities in GRC

applications can have their details pulled up for display or edit via a parameterized URL string, as in

the example shown below. As a practical matter, though, this poses some challenges for customers:

they need to extract GRC entity IDs and other GRC specific parameters such as validity dates

(“timeframes”), and map these to their own IDs for corresponding entities. GRC applications lack APIs

for extracting such information. Furthermore, most customers will use GRC applications via the SAP

Portal or NWBC; these add another navigational layer, and requiring further coding.

As an example, the picture above shows the result of an experimental “deep link” to a SOX Control in

GRC PC 10.0. It shows that such deep linking is possible, but the picture below shows the required

parameters for constructing the URL.

Specifically, the technical ID of the entities in question, e.g. 50000654, is system-generated and

cannot be known to the referencing application until the control (in this example) is actually deployed

into the GRC system instance. As of release 10.0, neither CLM (which might mediate the initial

master data transfer) nor the GRC applications provide any API or other facility for easily extracting

this mapping.

Finally, only those GRC (or, more generally, Webdynpro) applications which have non-modal UIs

support such “deep linking”.

5.4 I merged vendor updates into my customized

content, now it doesn’t deploy!

Many master data types have cross-references between them. For instance, PC sub-processes refer

to their parent processes, and any attempts to deploy a subprocess from CLM to a PC instance would

fail, if the parent process wasn’t already deployed or being deployed concurrently.

When merging an update with an existing content group, CLM allows users to accept each change or

reject it. Clearly, rejecting some changes while accepting others can cause inconsistencies. For

instance, if a (parent) business process node is changed, then rejecting that change while accepting

changes to its child subprocesses would leave them orphaned.

So why does CLM allow users to make inconsistent changes? The point is that when there are

parallel changes (e.g., customer customizations versus vendor updates), it is difficult to predict which

set of changes is more extensive. Our goal is to provide tool support for the bigger set of changes,

and allowing customers to make the smaller set of updates by hand.

So while CLM merge functionality can lead the unwary into trouble, the experienced user will find such

incomplete merges to be significant time-savers when used properly. In any case, a botched merge

does not have any ill-effects: the resulting content group would fail to deploy due to inconsistencies,

and users would find themselves fixing the errors either via mass-edit, or by re-doing the merge.

5.5 I had three CLM instances in my landscape, now

everything is all messed up!

SAP customers and partners maintain many instances of SAP applications. The most common

example is separate systems for development, testing and production, but there are plenty of other

good reasons for this practice.

The goal of CLM is to provide a single, version-controlled repository of master data content of GRC

applications within a single (partner or customer) landscape. From this repository, customers or

partners can manage content in all GRC application instances.

In such cases, it clearly does not pay to have multiple instances of CLM repositories—that would be

like running ERP with multiple copies of the same database! Which one would be the correct, or most

recent?

Our recommendation is that, unlike almost all other SAP applications, CLM be operational in only ONE

instance within a landscape. In this case, please note that we mean only one SID/client be enabled

for CLM; all other application instances should be provisioned from this single CLM instance.

Of course, that only applies for one landscape—customers and partners will all have their own CLM

instance, but only one for each.

And, of course, this is only a guideline. Some partners who maintain multiple disjoint practices

(separated by geography, for instance, or by practice area) may have reason to maintain separate

repositories. This may also be true of multinational customers who maintain separate GRC instances

for different region’s business units. The point of this guidance is that CLM has been designed to

support clean separation between different system’s content, and to the extent possible, we believe

customers and partners will be best served by a single repository per landscape.

5.6 How do I use CLM to move content around within

my landscape?

For configuration and master data content, SAP Netweaver provides transport facilities which are well-

known to partners and customers. Configuration transport is relevant in this discussion because many

GRC master data types (somewhat different from what the term usually means for ERP applications)

are actually implemented as “C” tables in Process Control and Risk Management applications. Such

NW transports can still be used with GRC master data, which sets up an apparent conflict: CLM, or BC

Sets, or something else?

In general, NW transport methods are rather more technical than most CLM content administrators

can directly operate. Especially where HR Infotypes are involved (e.g., most of PC master data such

as controls, regulations, etc.), the transport methods which exist expose the user to much of the

underlying technical complexity in managing multiple date validity ranges and dependencies.

Where users have a choice, we believe CLM will always be found to be far more usable and traceable.

CLM always treats the content holistically, allowing users to do (extract, deploy, export, import) content

in bulk, whereas the NW tools require dropping down a level or two to fine-grained details. Sometimes

this is helpful, but for the most part it represents more pain than gain: CLM is simpler, easier, more

reliable (since CLM extraction requires applications to guarantee data consistency), and more robust

(since applications do extensive validations for consistency for deployment).

Our recommendation is for customers and partners to rely exclusively on CLM for data types managed

by CLM, and whatever Netweaver tools are suitable for the rest. Above all, users must avoid mixing

CLM and NW transport methods for CLM-managed data types—CLM maintains detailed trails of what

it has deployed where, and mixing CLM with NW transports will hopelessly confuse CLM and hence

users. Unintended duplication or overwrites of objects will quickly degrade the entire landscape!

5.7 Is CLM licensed separately? Do partners need to

purchase licenses for CLM? How does SAP

certify partner content? What channel does SAP

provide for getting partner content to

customers?

CLM is included in every GRC product package sold to customers or partners. In other words, it is

included in the license for every GRC 10.0 product. No separate license is required or available for

CLM, neither for partners nor for customers.

Partners also need to purchase licenses for GRC products, and any product license they purchase will

include CLM. They have no other means of obtaining a CLM license.

SAP does not certify partner content. The whole point of CLM, from SAP’s market perspective, is to

enable the ecosystem for content. SAP believes that partners are best suited to create relevant

industry, line-of-business or regional content, and customers are the best judges of what content they

need. SAP’s goal here is to provide the right tools to enable partners and customers to exchange,

customize and maintain content, and SAP does not expect to play gatekeeper on the content that

partners create for GRC.

Furthermore, although SAP provides certification services for partners who integrate with SAP APIs,

CLM content is created in SAP products (including CLM), packaged and exported from SAP products,

and ultimately consumed (imported in) by SAP products. Since there is no API integration with partner

products, there is no certification on the technical capabilities either.

As of this writing, SAP invites partners to declare their offerings on the SAP Ecohub. This is mainly an

information and marketing channel, not a clearinghouse for partner content. To effectively enable the

ecosystem, SAP believes it must respect the business relationships between customers and partners.

SAP’s enablement, through CLM or otherwise, must always stay neutral in this respect. As such SAP

encourages partners to find their own preferred means of leveraging the Ecohub for GRC content.

SAP will neither preclude partners from productizing content, nor requiring them to do so. As such,

channels for delivery of content remain entirely at the discretion of SAP GRC partners.

6. Comments and Feedback

Your feedback is very valuable and will enable us to improve our documents. Please take a few

moments to complete our feedback form. Any information you submit will be kept confidential.

You can access the feedback form at:

http://www.surveymonkey.com/s.aspx?sm=stdoYUlaABrbKUBpE95Y9g_3d_3d

7. Copyright

© 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Oracle Corporation.

JavaScript is a registered trademark of Oracle Corporation, used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

These materials are provided “as is” without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

SAP shall not be liable for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials.

SAP does not warrant the accuracy or completeness of the information, text, graphics, links or other items contained within these materials. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third party web pages nor provide any warranty whatsoever relating to third party web pages.

Any software coding and/or code lines/strings (“Code”) included in this documentation are only examples and are not intended to be used in a productive system environment. The Code is only intended better explain and visualize the syntax and phrasing rules of certain coding. SAP does not warrant the correctness and completeness of the Code given herein, and SAP shall not be liable for errors or damages caused by the usage of the Code, except if such damages were caused by SAP intentionally or grossly negligent.

https://www.sdn.sap.com/irj/bpx/grc