Financial Management Blogs by Members
Dive into a treasure trove of SAP financial management wisdom shared by a vibrant community of bloggers. Submit a blog post of your own to share knowledge.
cancel
Showing results for 
Search instead for 
Did you mean: 
sparvathaneni
Discoverer
In this blog post, you will learn how to add additional system(s) to provisioning environment in SAP GRC 12.0

OVERVIEW


Recently, I was asked if it would be possible to add another environment (system) in SAP GRC Access Request as part of Provisioning Environment. So I thought of checking it out and see if it can be done.

By default, SAP Access Request will have four options for Provisioning Environment:

  1. ALL

  2. Production

  3. Development

  4. Testing


Requirement: To add Sandbox system to the above list so that users could be provisioned only to sandbox system


Access request Provisioning Environment list



Pre-requisites


To achieve this, you would a need ABAP developer to help and help from someone with S-user id that has authorizations to register object keys on support.sap.com portal

  • Object keys for Domain GRAC_SYS_TYPE and GRAC_ENVNNT


Note: No code change or enhancement (BADI / User Exit) is required

ABAP Developer Tasks


After you get the object keys for the two domains, you can have the ABAP developer add the Sandbox System

Add value SBX – Sandbox in both the domain GRAC_SYS_TYPE

 


Domain GRAC_SYS_TYPE


 

Add the value SBX – Sandbox in both the domain GRAC_ENVNNT

Note: This may not be needed. But since this also has the environments list, we added the system to this domain too


Domain GRAC_ENVNNT


 

After the domains are updated, activate screen 0011 (including screen painter layout) in Function Group GRAC_AD_MAINTAIN of program SAPLGRAC_AD_MAINTAIN

Go to transaction SE80 and enter Function Group GRAC_AD_MAINTAIN of program

Select screen 0011


Function Group GRAC_AD_MAINTAIN


Click on Activate icon

Next, click on Layout button to bring up the screen painter screen


Function Group GRAC_AD_MAINTAIN Screen 0011


 

Click on Activate  icon

SECURITY / GRC Task


Update the Maintain Connector Setting and assign the Sandbox under Environment column for your sandbox connector

Go to SPRO --> SAP REFRENCE IMG  --> GOVERANCE, RISK AND COMPLIANCE --> ACCESS CONTROL --> MAINTAIN CONNECTOR SETTINGS

Add or update the connector entry of your Sandbox system


Maintain Connector Settings


 

After mapping the target connector to sandbox environment, save the configuration change.

You will be prompted include the change in a transport request. Please create a transport so that the changes can be transported

Update view GRACV_ENRONMENT list with sandbox entry


View GRACV_ENRONMENT


 

You will be prompted include the change in a transport request. You will be prompted include the change in a transport request. Please create a transport so that the changes can be transported

 

Validation


Validate these changes by submitting an access request to provision a user in the Sandbox system

In our example, FE1 system (Connector FE1CLNT001) is our sandbox system


Maintain Connector Settings


 

But before we submit the request let us verify that the user id TESTUSERSBX2 that we want create does not exist in FE1 system


Validating User before submitting access request - SU01


 

Go to NWBC and submit an access request to provision the user in Sandbox system


Access Request Submission


 

Click on Submit button to submit the request


Access Request


 

Note: If you have workflow setup for provisioning users, please have the request approved.

Now let us go to FE1 and check if the user id was created


User Provisioning Validation - 1


 

The role(s) will be assigned too


User Provisioning Validation - 2


 

The steps described in this blog above are also described in the video below:



 

Summary


To summarize, to add additional systems to provisioning environment list, following activities needs to be performed:

  1. Register object keys for domains GRAC_SYS_TYPE and GRAC_ENVNNT

  2. Activate screen 0011 in Function Group GRAC_AD_MAINTAIN of program SAPLGRAC_AD_MAINTAIN

  3. Activate screen 0011 layout

  4. Update the Maintain Connector Setting and assign the Sandbox under Environment column for your sandbox connector

  5. Update view GRACV_ENRONMENT list with sandbox entry


The idea of adding a additional system to the provisioning list seemed interesting and prompted me to check the possibility of implementing it. It also opens up the idea for provisioning setup where you can provision and deprovision user ids to specific system in your SAP landscape via SAP GRC Access Request

I hope you will find the idea interesting too.

Any feedback, thoughts and comments on this topic are welcome.

Also, please follow these links too

SAP GRC Access Approver

Post and answer questions about SAP GRC Access Approver

Read other posts on SAP GRC Access Approver