
In this blog post I would like to share with the community some experiences regarding the IdM 7.2 <-> GRC10 integration.

This integration can easily turn out to be a tedious topic, in particular if things don’t go smoothly from the beginning. The documentation (I’m referring to the SAP NetWeaver Identity Management Compliant provisioning using SAP BusinessObjects Access Control Configuration Guide) contains some charts showing how the communication flows and which protocol is used where (e.g. in the chapter “Introduction”). It also explains in detail the purpose of the various tasks, which is certainly very helpful (in the chapter “Task execution process description” starting on page 35). In this post, I’d like to focus on two things in order to clarify matters a bit more:

  • How does the communication between IdM and GRC really work? We’ll have a detailed look at that.
  • Something goes wrong with the communication between IdM and GRC. What should I do?

Let’s start with the first point. We know from the documentation that when IdM communicates with GRC it performs an LDAP write operation against the VDS. The VDS “translates” this call into a web service call to GRC (compare again the chapter “Introduction” of the documentation). But how does this really work?

to-ldap.PNG

In the above screenshot you can see the toLDAP pass that creates the GRC request.

Now the VDS takes the parameters IdM provides in the LDAP call (user first name, last name, requested roles, validity dates) and submits a web service client call to GRC10. If all goes well, GRC10 replies SUCCESS and returns the ID of the request created in GRC10. And now comes the tricky part: what does the VDS do with this information? The toLDAP pass type cannot handle complex return information; it only tells you “write operation successful” or “write operation failed”. This is why the VDS doesn’t send the information back to the IdM runtime. Instead, the VDS writes all return information from the web service directly to the IdM database as context variables. If the runtime needs it, say for a check in a conditional task, it has to read it from the database (using either a SQL query against mxpv_audit_variables or the script function uGetContextVar). So the information flow between IdM 7.2 and GRC10 looks like the figure below.

/wp-content/uploads/2013/04/comm_path_200701.png

When IdM queries information from GRC, the information can be returned to the IdM runtime. But even in that case the GRC provisioning framework uses context variables to store the information in the database.

Two examples:

  • If the CUP request creation is successful, the VDS creates the context variable MX_GRC_REQUEST_ID. In the above screenshot, the task “Write Request Id and opt. start polling” (the one right below “Submit AC Request”) executes the script sap_grc10_WriteRequestId2PVO. The first thing this script does is read the context variable and store it in the attribute MX_AC_REQUESTID of the pending value.
  • See the screenshot below. When IdM polls for the status (in this blog I only consider the polling scenario) it performs an LDAP read operation. The result is stored in the context variable GRCSTATUS, where the subsequent conditional task picks it up. The SQL query is “SELECT VarValue FROM mxpv_audit_variables WHERE VarName='GRCSTATUS' and AuditID=%AUDITID%”.

check-status.PNG

So much about the IdM part of this interface. We’ll see in the second part how we can get more insight into the web services area. I’d like to mention that in the GRC provisioning framework there is a quite complex encapsulation of what we describe here with pending values and approval tasks etc. (for more information check one of my earlier blog posts). I guess the purpose of this encapsulation is to create a smooth integration with the privilege assignment process in IdM. But from a technical perspective you can also use the above toLDAP pass to create a CUP request independently of privilege assignments and pending values in IdM. I have done this for 2 customers. There, the GRC integrates into a custom request workflow scenario and the GRC part works completely without pending values. So much about part 1.

Now let’s cover the second item in our list: Something goes wrong with the communication between IdM and GRC. What should I do?

To illustrate what this can look like, I’ve copied an error message I had to deal with a lot recently:

script-execution-failed.JPG

The error message doesn’t really tell you much. Unfortunately, there is no more specific information about what precisely went wrong. In addition, it is impossible to see how the data is manipulated before it is sent to GRC and which arguments in IdM map to which parameters in the web services.

If you get a very unspecific error message like the one above in the IdM log, you should first open the VDS log. If configured appropriately (debug mode, see the screenshot below), the VDS prints the entire web service communication to the operations log.

vds-config.PNG

Open the operations log at <VDS install directory>\configurations\<your config name>\log\operation.trc, search for “<GracIdmUsrAccsReqServices” and you should get the hit shown below:

vds-log-1.PNG

What you see in the screenshot is the xml document that the VDS sends to GRC to create the CUP request. It contains all information about the user, his attributes, the requested roles and so on. If you look at the trace file, e.g. with Notepad, you have to check everything quite carefully because the xml document is stored as one long string. Here is what it looks like if you configure Notepad to use word wrap:

vds-log-2.PNG

Wouldn’t it be great to have this as a well-formatted xml file so that we can study it easily?

So what we can do is copy this xml into a text file, save it with the file extension .xml and open it with Internet Explorer. It then looks like this:

xml.PNG

Now we can look in detail at which data is sent, which is a good thing. But something is still missing. If I know that GRC sends back an error message for the values in the xml, I’d like to be able to change these values slightly and resubmit, in order to see whether that also changes the result in GRC. So how can I do that?

This is where soapUI comes into the picture. soapUI is a tool that allows you to submit web service client calls. It can do a lot more than that, but what we want to do here is submit the web service call to GRC ourselves. So go ahead and download the free version of soapUI (http://www.soapui.org/). To leverage the power of soapUI we need one more small thing: the WSDL URL of the web service that creates the request in CUP. To get it, proceed as follows:

  • Log on to the GRC box with SAPGui
  • Start transaction soamanager
  • A browser window opens. Log on and then click on Web Service Configuration

soamanag-1.PNG

  • Enter “GRAC*” in the search field and hit search. In the result list select “GRAC_USER_ACCES_WS” and press “Apply Selection”

soamanag-2.PNG

  • Click on “Show / Hide selected bindings or …”

soamanag-3.PNG

  • The WSDL URL is displayed. Copy it to the clipboard.

soamanag-4.PNG

Now let’s get back to soapUI and create a soapUI project with this WSDL URL. Start soapUI and proceed as follows:

  • In the main menu, select File -> New soapUI project

soapUI-1.PNG

  • Select a name, “Create CUP Request”, for instance, and enter the WSDL URL in the second field.

soapUI-2.PNG

  • Press OK. You are asked to provide logon data. Then you should see something like the screenshot.

soapUI-3.PNG

  • Double-click on “Request 1”. A window opens that shows you the xml structure.

soapUI-4.PNG

For every question mark in the xml document you can enter a value. But we’re not going to work out which values we need to enter here; we’re simply going to use the xml document from above. So let’s replace the xml in the text pane with the xml we copied from the VDS operation log (see the following screenshot):

soapUI-5.PNG

The xml is now again one long text line. Fortunately, we can format the xml by right-clicking in the document and then “Format XML”:

soapUI-6.PNG

Now we’re almost there. We only need to maintain the logon data:

soapUI-7.PNG

Then we can start the call by clicking the green arrow:

soapUI-8.PNG

With the request data from my test system I get an error message saying:

Processing Error. More details in WS Error Log (transaction SRT_UTIL) by selection with UTC timestamp 20130402125633

soapUI-9.PNG

This is not a full explanation of what went wrong, but it gives me at least some information I can use to follow up. Furthermore, if I have a suspicion what the problem is, I can modify the request and try again (in my example the problem is the German umlaut character “ü” in the name, which is wrongly encoded (see the last name in the screenshot)). I replace it with “u” and try again:

soapUI-10.PNG

This time it worked. What is a simple change-and-retry in soapUI would have been a lengthy procedure in IdM: change the identity, clean up the failed assignments in the person record, reassign the privilege.
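As an added example (not part of the original post, and not SAP’s, IdM’s or the VDS’s own code), here is a small Python script that does the same job as the Notepad/Internet Explorer steps and the change-and-retry in soapUI described above: it pulls the SOAP envelope containing “<GracIdmUsrAccsReqServices” out of an operation.trc excerpt, pretty-prints it, flags text values that look like double-encoded UTF-8 (the “Ã¼” pattern you get when a “ü” is mis-encoded) and lets you replace a value before resubmitting it. The trace excerpt, the element names inside the request (ReqLineItem, RoleName, UserInfo, Fname, Lname) and the assumption that the umlaut problem is a double-encoding are constructed for this example; only the GracIdmUsrAccsReqServices marker and the ProvAction element come from this page.

```python
"""Extract, pretty-print and sanity-check the GRC request the VDS wrote to operation.trc."""
import re
import sys
from xml.dom import minidom

# Constructed sample of an operation.trc excerpt: the whole envelope sits on one long line,
# as in the real trace. Element names below the marker and all values are made up.
# The last name is the mojibake form of "Müller" (UTF-8 bytes read as Latin-1).
SAMPLE_TRACE = (
    "2013-04-02 12:56:33 DEBUG request: "
    '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
    "<soapenv:Body><GracIdmUsrAccsReqServices>"
    "<ReqLineItem><RoleName>Z_EXAMPLE_ROLE</RoleName></ReqLineItem>"
    "<UserInfo><Fname>Hans</Fname><Lname>M\u00c3\u00bcller</Lname></UserInfo>"
    "<ProvAction>006</ProvAction>"
    "</GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope> sent\n"
)

# The string the post tells you to search for in operation.trc.
MARKER = "<GracIdmUsrAccsReqServices"

# Heuristic for UTF-8 text that was decoded as Latin-1: a lead byte (C2..C5 as characters)
# followed by a continuation byte (80..BF as characters), e.g. "Ã¼" for "ü".
MOJIBAKE = re.compile(r"[\u00c2-\u00c5][\u0080-\u00bf]")


def extract_envelopes(trace_text):
    """Return every SOAP envelope in the trace text that contains the GRC request element."""
    envelopes = []
    for m in re.finditer(r"<(?:(\w+):)?Envelope\b", trace_text):
        prefix = m.group(1)
        close = "</%sEnvelope>" % (prefix + ":" if prefix else "")
        end = trace_text.find(close, m.end())
        if end == -1:
            continue  # truncated trace line, skip it
        xml = trace_text[m.start():end + len(close)]
        if MARKER in xml:
            envelopes.append(xml)
    return envelopes


def pretty(xml):
    """Indent the one-line document so it can be read like in soapUI's 'Format XML'."""
    return minidom.parseString(xml).toprettyxml(indent="  ")


def suspicious_values(xml):
    """Return (tag, text) for every element whose text looks like double-encoded UTF-8."""
    hits = []
    for node in minidom.parseString(xml).getElementsByTagName("*"):
        for child in node.childNodes:
            if child.nodeType == child.TEXT_NODE and MOJIBAKE.search(child.data):
                hits.append((node.tagName, child.data))
    return hits


def fix_mojibake(text):
    """Undo UTF-8 read as Latin-1 (assumption: that is the kind of mis-encoding present)."""
    try:
        return text.encode("latin-1").decode("utf-8")
    except UnicodeError:
        return text


def set_text(xml, tag, new_text):
    """Return a copy of the request with the text of the first <tag> element replaced,
    so the modified document can be pasted into soapUI and resubmitted."""
    dom = minidom.parseString(xml)
    elems = dom.getElementsByTagName(tag)
    if not elems:
        raise KeyError(tag)
    el = elems[0]
    for child in list(el.childNodes):
        el.removeChild(child)
    el.appendChild(dom.createTextNode(new_text))
    return dom.toxml()


if __name__ == "__main__":
    # Pass a real operation.trc path as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            trace = fh.read()
    else:
        trace = SAMPLE_TRACE
    for envelope in extract_envelopes(trace):
        print(pretty(envelope))
        for tag, value in suspicious_values(envelope):
            print("suspicious encoding in <%s>: %r (probably %r)" % (tag, value, fix_mojibake(value)))
```

Run it against your own operation.trc to get the formatted request plus a list of fields whose values look mis-encoded; the reported field is where to start when you modify the request in soapUI. The encoding check is a heuristic and may flag legitimate text, so treat it as a hint, not a verdict.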

Summary

This post gives you some insight into how IdM communicates with GRC, how the web service calls are encapsulated by IdM and the VDS, how you can get more information about what actually happens on the web service channel, and how to debug it.


18 Comments


    1. Kai Ullrich Post author

      Hi Murali,

      thanks for your comment. Yes, you can test the web services in WS Navigator. But as far as I know there is no way to take the xml from the VDS log, modify it and submit it in WS Navigator.

      That is the crucial point here because when testing I want to make sure I stay as close as possible to what the VDS submits.

      Cheers

      1. Murali Shanmugham

        Just another question. What happens when a request is sent from IdM and the GRC server or network is down. The request stays as pending in IdM. What should be the best approach to fix this type of issue. If there is a script which needs to be executed, could you please post that too.

        Thanks,

        Murali.

        1. Kai Ullrich Post author

          Hi Murali,

          what exactly do you mean when you say “request”? Are you talking about pending values? The GRC Prov Fwk has an “on chain fail handler” that should clean up the pending values in case of failure. If that doesn’t happen then there must be some kind of misconfig.

          Maybe you can be a bit more specific what your problem is.

          1. Murali Shanmugham

            Hi Kai,

            Yes, I am talking about Pending Value. I am not able to locate any settings for “On chain fail handler”. Should a task be set against the “chain result action” of the result handling tab? Can you please elaborate on this.

            Thanks

            Murali

            1. Kai Ullrich Post author

              Hi. There is a fail handler on the AC Validation task. I even have a screenshot, but the editor doesn’t let me attach it.

  1. Ian Daniel

    Hi Kai,

    A great blog, answering many of my unanswered questions about how the IdM to GRC interface works. From what I can tell, it is broadly the same from IdM 7.2 to GRC 5.3 too.

    Thanks for sharing this.

    Ian

  2. Deepak Verma

    Hi Kai,

    Firstly, I would like to appreciate you for actively helping and sharing your views on IDM in this blog.

    As you mentioned above:

    But from a technical perspective you can also use the above toLDAP pass to create a CUP request independently of privilege assignments and pending values in IdM. I have done this for 2 customers. There, the GRC integrates into a custom request workflow scenario and the GRC part works completely without pending values. So much about part 1.

    I just need your help in the scenario where IDM will be used to create the Identity and no priv assignment will be done in IDM.

    The scenario should be like this (correct me if I am wrong somewhere):

    1.Create User in IDM url.

    2.Access request should be created in GRC.

    3.Role assignment and Risk Analysis in done in GRC.

    4.Provisioning to Target SAP system.

    I believe it will be done independent of PVO, so do we need to perform any changes in the To Ldap request in Submit AC request?

    Best Regards

    Deepak

    1. Kai Ullrich Post author

      Hi Deepak,

      apologies for the late reply. Very busy and one week of vacation.

      What you need to do is create a copy of the toLDAP pass and then provide input from the user and not from the pending value group. Question is where the information which role is being requested comes from. Is that going to be hard coded?

      Also what is not clear to me: Provisioning to SAP System: In GRC or in IdM. If in IdM then you’ll need to assign privileges at some point…

      Cheers

      Kai

  3. Shweta Varma Bhatia

    Hi Kai,

    My client is receiving the below error while running the WS through VDS:

    1. javax.naming.NamingException: [LDAP: error code 1 – (GRC Lookup Service:1:Exception in GRC WS API call:(500)SRT)]; remaining name ”

    Could you please help me in resolving it?

    Regards,

    Shweta

      1. arivind balaji

        Hi Kai, very useful blog!

        Do you know how to solve this error message?

        Invalid Provision Action

        on xml

        <ProvAction>000</ProvAction>

        instead of 006 (e.g)

        1. Kai Ullrich Post author

          Check the global variables. There are a lot of variables for GRC, one of them is the provisioning action. I believe it must be 006 or something.

  4. David BOUTIER

    Hello everyone,

    I have one question concerning “If the CUP request creation is successful the VDS creates the context variable MX_GRC_REQUEST_ID”. Where is it done? Can we add another value?

    I want to have the RequestID in IDM in order to have the IDKey for BW reports to link IDM and GRC standard data reports.

    Thanks in advance.

    David


  5. Tisha Dharod

    Hello All

    I am using FM GRAC_IDM_USR_ACCS_REQ_SERVICES for business role removal. Provision environment should be ALL and not a specific environment, but there is no option to pass Environment values to this FM. Please suggest how I can resolve this issue?

    Thanks

