SAP GRC has out-of-the-box integration with a lot of SAP applications and also supports provisioning to HANA DB, LDAP and Enterprise Portal applications.
As technology keeps changing and customers also use applications built on various technologies, it is always challenging for the SAP GRC Access Control solution to support provisioning for Non-SAP systems. Integration with Non-SAP systems is also not straightforward and requires a certain level of customization in both the target applications and the GRC system.
The purpose of this blog is to explain how user access provisioning to Non-SAP systems can be handled by the GRC system using the "Manual Provisioning" option, without spending effort on additional customization.
The details discussed below focus on the technical setup; for illustration I have used "ARIBA" as the target system being integrated with GRC.
Let's see how you can set up this functionality and test it end to end in GRC 10/10.1/12.0 systems.
To enable manual provisioning for Non-SAP systems
Non-SAP Connector Setup
Create a connector in SM59 with connection type "L" (Logical Destination). For illustration purposes, I have used ARIBA as the connector name.
Non-SAP Connector Config Setup in GRC
Define the connector in the following IMG path. Connection type "FILE" will be used for the connector.
The following screenshot shows the "Get Action Info" method in class CL_GRAC_AD_AUTH_MGMT_FILE, where you can see the File ID name hard-coded. Just to highlight: SAP GRC has different classes for Authorization and Access Management depending on the connector type, such as RFC, HDB, LDAP, WS, FILE, IDM_OB etc. The following screenshot is for the FILE class related method:
Define the logical file paths for User, Role, Profile, Action, Permission, User Action, User Permission, Role Action, Role Permission, Profile Action and Profile Permission. The logical paths will then be updated as shown below:
Prepare and Upload Non-SAP data text files to physical path
Sample files with content are shown below:
User Actions File
Role Actions File
To upload the files to the application server, we will use the standard SAP function module "ARCHIVFILE_CLIENT_TO_SERVER".
Execute the function module and provide the following inputs:
Path: local path on your PC where the files are stored
Target Path: the same physical path used when configuring the logical path in transaction FILE
After executing the function module for all relevant files, they will be available on the application server.
Once all files are uploaded, execute the following standard SAP synchronization jobs:
PFCG Authorization Sync
Role Data Sync
User Data Sync
Once the above sync jobs have completed, the ARIBA roles will be loaded into BRM and can then be used for provisioning.
ARIBA Roles Import
Import the ARIBA roles into GRC system
Set the provisioning settings for your Non-SAP system (in this scenario ARIBA) as "Manual Provisioning".
Submit an "Access Request" for the ARIBA role and then handle the provisioning manually.
ARIBA SoD Rules Setup
You can also define SoD rules for the ARIBA system using the ACTIONS uploaded into the GRC system.
I have implemented ARIBA SoD rules for one of our clients.
The following approach was taken:
Users and User Groups from ARIBA were loaded into the GRC repository tables using the approach described above.
E.g. Receiving Agent is a User Group in ARIBA, for which the following details are uploaded to GRC:
User A - Role (Receiving Agent) - Action (Receiving Agent) - Permissions (Not required)
The GRC repository tables have been updated with the ARIBA roles and actions.
Finally, in the ruleset, functions are defined with system-specific actions (i.e. S4HANA and ARIBA actions).
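To make the data flow concrete, here is an added example (not SAP code and not from the original post) that models the user-to-role and role-to-action files a FILE connector loads, joins them the way the sync jobs populate the repository, and runs a system-specific SoD check over the result. The tab-separated layouts, the ARIBA role and action names and the ruleset are constructed assumptions for this illustration, not the real legacy file templates.

```python
# Added illustration, not SAP code: models the FILE-connector data
# (user->role, role->action) and a system-specific SoD check over it.
# Layouts, names and the ruleset below are constructed assumptions.
from collections import defaultdict

ROLE_ACTIONS = """\
RECEIVING_AGENT\tRECEIVE_GOODS
INVOICE_CLERK\tPOST_INVOICE
PURCHASE_AGENT\tCREATE_PO
"""
USER_ROLES = """\
USER_A\tRECEIVING_AGENT
USER_A\tINVOICE_CLERK
USER_B\tPURCHASE_AGENT
"""
# Hypothetical ruleset: functions group (system, action) pairs, risks are
# pairs of functions that a single user must not hold together.
FUNCTIONS = {
    "ARIBA_RECEIVE": {("ARIBA", "RECEIVE_GOODS")},
    "ARIBA_INVOICE": {("ARIBA", "POST_INVOICE")},
    "ARIBA_PO": {("ARIBA", "CREATE_PO")},
}
RISKS = {"R01": ("ARIBA_RECEIVE", "ARIBA_INVOICE")}

def parse_pairs(text):
    """Two-column tab-separated text -> {key: set(values)}; skips blanks/comments."""
    out = defaultdict(set)
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            key, value = line.split("\t", 1)
            out[key.strip()].add(value.strip())
    return out

def user_actions(system, user_roles, role_actions):
    """Join user->role with role->action, as the sync jobs do in the repository."""
    acts = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            acts[user].update((system, a) for a in role_actions.get(role, ()))
    return acts

def sod_violations(user_acts, functions, risks):
    """{user: [risk ids]} for users whose actions hit both functions of a risk."""
    hits = defaultdict(list)
    for user, acts in user_acts.items():
        for rid, (f1, f2) in risks.items():
            if acts & functions[f1] and acts & functions[f2]:
                hits[user].append(rid)
    return dict(hits)

def run():
    acts = user_actions("ARIBA", parse_pairs(USER_ROLES), parse_pairs(ROLE_ACTIONS))
    return sod_violations(acts, FUNCTIONS, RISKS)
```

Running `run()` reports USER_A for risk R01 (goods receipt plus invoice posting in ARIBA) and nothing for USER_B, which is the same conflict the GRC risk analysis would flag once the ARIBA actions sit in the ruleset functions.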
Related SAP Notes
1594963 - GRC Access Controls 10 - How to configure Legacy connectors
1613632 - Download Files for Legacy Risk Analysis
1654282 - Configuration connector for Legacy system in Access Control 10.0
1840261 - Repository Sync completed but no data is synchronized in Legacy system
1715476 - Problem with Systems No SAP Legacy Connectors
2580985 - How to Configure UAR for Legacy Systems
1742087 - Deleted users are not being removed for Legacy system
Thanks for reading.
Looking forward to your inputs to improve this blog with additional details or scenarios.