Purpose of the Document
The SAP GRC system has out-of-the-box integration with many SAP applications and also supports provisioning to HANA DB, LDAP and Enterprise Portal applications.
With technology changing rapidly and customers using applications built on various technologies, it is always challenging for the SAP GRC Access Control solution to support provisioning for Non-SAP systems. Integration with Non-SAP systems is also not straightforward and requires a certain level of customization both in the target applications and in the GRC system.
The purpose of this blog is to explain how user access provisioning to Non-SAP systems can be handled by the GRC system using the "Manual Provisioning" option in GRC, without spending effort on additional customization.
The details discussed below focus on the technical setup; for illustration I have used "ARIBA" as the target system being integrated with GRC.
Let’s see how you can set up this functionality and test it end to end in GRC 10/10.1/12.0 systems.
To enable manual provisioning for Non-SAP systems
Non-SAP Connector Setup
Create a connector in SM59 with connection type “L” (Logical Destination). For illustration purposes, I have used ARIBA as the connector name.
Non-SAP Connector Config Setup in GRC
Define connectors in the following IMG path. Connection Type "FILE" will be used for the connector.
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connectors
Define connector groups in the following IMG path and assign the ARIBA connector to this connector group:
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types ->Define Connector Groups
Maintain Connection Settings
As a good practice, assign the connector to all available AC-related integration scenarios (ROLMG, SUPMG, AUTH, PROV).
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connection Settings
For "AUTH" integration scenario, assign "ARIBA" connector
For "PROV" integration scenario, assign "ARIBA" connector
For "ROLMG" integration scenario, assign "ARIBA" connector
For "SUPMG" integration scenario, assign "ARIBA" connector
Maintain Connector Settings
Maintain connector settings in the following path:
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connector Settings
Maintain Mapping for Actions and Connector Groups
In this configuration, you can assign the actions to a connector group and then select the default connector for each group.
Configuring Logical and Physical paths for Non-SAP systems data upload
To enable manual provisioning and to run risk analysis, the prerequisite is to load the User and Role data of your Non-SAP systems into the GRC system.
For this data load, we follow the approach provided by SAP GRC for loading data from legacy systems.
Execute transaction FILE; the screen shown in the following screenshot will appear:
Define relevant Logical and Physical paths in the FILE transaction
The Logical File name is the file path at operating-system level, which can be accessed using the "FILE" transaction.
The Physical File name is the file path at application-server level, which can be accessed using the "AL11" transaction.
AL11 directories and associated paths
For all logical paths, maintain the same physical path. This means that all files used for syncing Non-SAP User and Role data need to be uploaded to that one physical path.
Logical file name definition, cross-client: in this step you maintain logical filenames for all clients. The definition of a logical filename comprises the following values: Logical filename.
The file name highlighted below is the actual filename in which the Non-SAP data will be maintained and uploaded to the application server, and it can be viewed from AL11.
Configuring Logical file paths for Non-SAP system connectors
Maintain Connection Settings
In this configuration, you assign connectors to an integration scenario. The application uses the connectors to communicate with other systems in your landscape.
For "AUTH" integration scenario, assign "ARIBA" connector
For the "AUTH" integration scenario, we need to maintain the logical paths defined in the previous step, as the corresponding User and Role data will be retrieved from the files in this path.
The following File ID naming convention must be followed when configuring the logical paths in the connector configuration, as these names are hard-coded in the corresponding program logic.
The file format and file content details (which fields are mandatory, optional, etc.) for the above-mentioned files follow the format specified in the following SAP Note:
1594963 - GRC Access Controls 10 - How to configure Legacy connectors
Example:
The following screenshot shows the "Get Action Info" method under class CL_GRAC_AD_AUTH_MGMT_FILE, where you can see the File ID name hard-coded. Note that SAP GRC has different classes for Authorization and Access Management depending on the connector type (RFC, HDB, LDAP, WS, FILE, IDM_OB, etc.); the following screenshot is for the FILE class method:
Define the logical file path for User, Role, Profile, Action, Permission, User Action, User Permission, Role Action, Role Permission, Profile Action and Profile Permission. The logical path will then be updated as shown below:
Prepare and Upload Non-SAP data text files to physical path
Sample files with content are shown below:
Actions File
User File
User Actions File
Role File
Role Actions File
To upload the files to the application server, we use the standard SAP function module "ARCHIVFILE_CLIENT_TO_SERVER".
Execute the function module and provide the inputs:
Path: local path where the files are stored on your PC
Target Path: same as the physical path used when configuring the logical path in the FILE transaction
After executing the function module for all relevant files, all files will be uploaded to the application server.
Once all files are uploaded, you can execute the following SAP standard synchronization jobs:
PFCG Authorization Sync
Role Data Sync
User Data Sync
Once the above sync jobs are completed, the ARIBA roles will be uploaded to BRM and will be further used for provisioning.
ARIBA Roles Import
Import the ARIBA roles into GRC system
Set the provisioning settings for your Non-SAP system (in this scenario ARIBA) as "Manual Provisioning".
Submit an "Access Request" for the ARIBA role and then handle the provisioning manually.
ARIBA SoD Rules Setup
You can also define SoD rules for the ARIBA system using the ACTIONS uploaded into the GRC system.
I have implemented ARIBA SoD rules for one of our clients.
The following approach was taken:
Users and User Groups from ARIBA were loaded into the GRC repository tables using the approach described above.
E.g. Receiving Agent is a User Group in ARIBA, for which the following details are uploaded to GRC:
User A - Role (Receiving Agent) - Action (Receiving Agent) - Permissions (Not required)
The GRC repository tables are thereby updated with the ARIBA roles and actions.
Finally, in the ruleset, functions are defined with system-specific actions (i.e. S4HANA and ARIBA actions).
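As an added example (not code from the original blog or from SAP), the script below ties the data files from the "Prepare and Upload Non-SAP data text files" section to the SoD approach just described: it builds the Actions, User, Role, Role Actions and User Actions files from a constructed ARIBA user/group export, checks them for dangling references before upload, and runs an action-level SoD check over the resulting user-to-action mapping. The file IDs, the tab-separated column layout, the ruleset entries and all user names are assumptions for illustration; the authoritative file IDs and column order are those in SAP Note 1594963.

```python
# Added example, not part of the original blog or of SAP's delivered code: builds the
# legacy-connector upload files from a constructed ARIBA user/group export and runs the
# user-level SoD check described in the last section. ASSUMPTIONS: the file IDs and the
# tab-separated column layout are placeholders; take the real ones from SAP Note 1594963.
from collections import defaultdict

SYSTEM = "ARIBA"  # connector name used in the blog
# Constructed ARIBA export: user -> ARIBA user groups (each group becomes a GRC role).
ARIBA_EXPORT = {
    "USERA": ["Receiving Agent"],
    "USERB": ["Purchasing Agent", "Receiving Agent"],
    "USERC": ["Invoice Approver"],
}
# Constructed ruleset: functions hold system-specific actions; a risk pairs two functions.
FUNCTIONS = {"AR01": {(SYSTEM, "Purchasing Agent")}, "AR02": {(SYSTEM, "Receiving Agent")}}
RISKS = {"ARIBA_PO_GR": ("AR01", "AR02")}


def build_legacy_files(export):
    """Return {file_id: [tab-separated lines]} for the Actions, User, Role, Role Actions
    and User Actions files. As in the blog, each ARIBA user group is emitted both as a
    role and as an action of the same name, with no permissions."""
    groups = sorted({g for gs in export.values() for g in gs})
    users = sorted(export)
    return {
        "ACTION": [f"{SYSTEM}\t{g}\t{g}" for g in groups],       # system, action, description
        "USER": [f"{SYSTEM}\t{u}" for u in users],               # system, user id
        "ROLE": [f"{SYSTEM}\t{g}\t{g}" for g in groups],         # system, role, description
        "ROLE_ACTION": [f"{SYSTEM}\t{g}\t{g}" for g in groups],  # system, role, action
        "USER_ACTION": [f"{SYSTEM}\t{u}\t{g}" for u in users for g in export[u]],
    }


def check_consistency(files):
    """List dangling references before upload: every user, role and action named in a
    mapping file must also appear in its master file (ACTION, USER or ROLE)."""
    known = {k: {line.split("\t")[1] for line in files[k]} for k in ("ACTION", "USER", "ROLE")}
    refs = [("ROLE", "ACTION", files["ROLE_ACTION"]), ("USER", "ACTION", files["USER_ACTION"])]
    return [f"{kind} '{value}' missing from {kind} file"
            for left, right, lines in refs for line in lines
            for kind, value in zip((left, right), line.split("\t")[1:])
            if value not in known[kind]]


def user_sod_violations(files, functions, risks):
    """Resolve user -> actions from the User Actions file and report each user holding
    an action of both functions of a risk (action-level analysis)."""
    held = defaultdict(set)
    for line in files["USER_ACTION"]:
        _, user, action = line.split("\t")
        held[user].add((SYSTEM, action))
    return sorted((user, risk) for user, acts in held.items()
                  for risk, (f1, f2) in risks.items()
                  if functions[f1] & acts and functions[f2] & acts)
```

Run `check_consistency` on the generated files before uploading them with ARCHIVFILE_CLIENT_TO_SERVER; an empty list means every mapping line resolves to a master record, and `user_sod_violations` then previews which users the ruleset will flag once the sync jobs have run.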
Looking forward to your inputs for improving this blog with additional details or scenarios.
Best Regards,
Madhu Babu Sai