SAP GRC 12.0 – Adding Additional Systems To Provis...
In this blog post, you will learn how to add additional system(s) to the provisioning environment in SAP GRC 12.0.
OVERVIEW
Recently, I was asked if it would be possible to add another environment (system) in SAP GRC Access Request as part of Provisioning Environment. So I thought of checking it out and seeing if it could be done.
By default, SAP Access Request will have four options for Provisioning Environment:
ALL
Production
Development
Testing
Requirement: To add a Sandbox system to the above list so that users can be provisioned only to the sandbox system
Access request Provisioning Environment list
Pre-requisites
To achieve this, you would need an ABAP developer and help from someone with an S-user ID that has authorizations to register object keys on the support.sap.com portal
Object keys for Domain GRAC_SYS_TYPE and GRAC_ENVNNT
Note: No code change or enhancement (BADI / User Exit) is required
ABAP Developer Tasks
After you get the object keys for the two domains, you can have the ABAP developer add the Sandbox System
Add the value SBX – Sandbox in the domain GRAC_SYS_TYPE
Domain GRAC_SYS_TYPE
Add the value SBX – Sandbox in the domain GRAC_ENVNNT
Note: This may not be needed. But since this also has the environments list, we added the system to this domain too
Domain GRAC_ENVNNT
After the domains are updated, activate screen 0011 (including screen painter layout) in Function Group GRAC_AD_MAINTAIN of program SAPLGRAC_AD_MAINTAIN
Go to transaction SE80 and enter Function Group GRAC_AD_MAINTAIN of program
Select screen 0011
Function Group GRAC_AD_MAINTAIN
Click on Activate icon
Next, click on Layout button to bring up the screen painter screen
Function Group GRAC_AD_MAINTAIN Screen 0011
Click on Activate icon
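A check the ABAP developer can run once both domains are activated, as an added example that is not part of the original post: it reads the active fixed values of GRAC_SYS_TYPE and GRAC_ENVNNT with the standard function module DD_DOMVALUES_GET and reports whether SBX is present. The report name Z_CHECK_SBX_DOMVALS and the output texts are assumptions.

```abap
REPORT z_check_sbx_domvals.
* Added example, not SAP-delivered code: confirms that the fixed value SBX
* is active in both domains named in the post.
* Report name and output texts are assumptions.

CONSTANTS gc_value TYPE domvalue_l VALUE 'SBX'.

DATA: gt_domains TYPE STANDARD TABLE OF domname WITH EMPTY KEY,
      gt_values  TYPE STANDARD TABLE OF dd07v WITH EMPTY KEY,
      gv_rc      TYPE sy-subrc.

gt_domains = VALUE #( ( 'GRAC_SYS_TYPE' ) ( 'GRAC_ENVNNT' ) ).

LOOP AT gt_domains INTO DATA(gv_domain).
  CLEAR gt_values.

  " Read the active fixed values with their texts, bypassing the buffer
  " so that a value activated a moment ago is visible.
  CALL FUNCTION 'DD_DOMVALUES_GET'
    EXPORTING
      domname        = gv_domain
      text           = abap_true
      langu          = sy-langu
      bypass_buffer  = abap_true
    IMPORTING
      rc             = gv_rc
    TABLES
      dd07v_tab      = gt_values
    EXCEPTIONS
      wrong_textflag = 1
      OTHERS         = 2.

  IF sy-subrc <> 0 OR gv_rc <> 0.
    WRITE: / gv_domain, 'could not be read'.
    CONTINUE.
  ENDIF.

  " Single fixed values are stored in DOMVALUE_L
  READ TABLE gt_values INTO DATA(gs_value) WITH KEY domvalue_l = gc_value.
  IF sy-subrc = 0.
    WRITE: / gv_domain, 'contains', gc_value, gs_value-ddtext.
  ELSE.
    WRITE: / gv_domain, 'has no fixed value', gc_value.
  ENDIF.
ENDLOOP.
```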
SECURITY / GRC Task
Update the Maintain Connector Setting and assign the Sandbox under Environment column for your sandbox connector
Go to SPRO --> SAP REFERENCE IMG --> GOVERNANCE, RISK AND COMPLIANCE --> ACCESS CONTROL --> MAINTAIN CONNECTOR SETTINGS
Add or update the connector entry of your Sandbox system
Maintain Connector Settings
After mapping the target connector to sandbox environment, save the configuration change.
You will be prompted to include the change in a transport request. Please create a transport so that the changes can be transported.
Update view GRACV_ENRONMENT list with sandbox entry
View GRACV_ENRONMENT
You will be prompted to include the change in a transport request. Please create a transport so that the changes can be transported.
Validation
Validate these changes by submitting an access request to provision a user in the Sandbox system
In our example, FE1 system (Connector FE1CLNT001) is our sandbox system
Maintain Connector Settings
But before we submit the request, let us verify that the user ID TESTUSERSBX2 that we want to create does not exist in the FE1 system
Validating User before submitting access request - SU01
Go to NWBC and submit an access request to provision the user in Sandbox system
Access Request Submission
Click on Submit button to submit the request
Access Request
Note: If you have workflow setup for provisioning users, please have the request approved.
Now let us go to FE1 and check if the user id was created
User Provisioning Validation - 1
The role(s) will be assigned too
User Provisioning Validation - 2
The steps described in this blog above are also described in the video below:
Summary
To summarize, to add additional systems to the provisioning environment list, the following activities need to be performed:
Register object keys for domains GRAC_SYS_TYPE and GRAC_ENVNNT
Activate screen 0011 in Function Group GRAC_AD_MAINTAIN of program SAPLGRAC_AD_MAINTAIN
Activate screen 0011 layout
Update the Maintain Connector Setting and assign the Sandbox under Environment column for your sandbox connector
Update view GRACV_ENRONMENT list with sandbox entry
The idea of adding an additional system to the provisioning list seemed interesting and prompted me to check the possibility of implementing it. It also opens up the idea of a provisioning setup where you can provision and deprovision user IDs to a specific system in your SAP landscape via SAP GRC Access Request.
I hope you will find the idea interesting too.
Any feedback, thoughts and comments on this topic are welcome.