Access Control: – Create Access Request Using Web Service in GRC10

January 21, 2014 | 1,244 Views |

Dilip Jaiswal

Retagging required

Analytics SAP Identity Management ac10 access access control arm cup governance risk and compliance sap grc grac user acces

Access Control: – Create Access Request Using Web Service in GRC10

In this blog I would like to share my experience how Web service can be tested and create Access Request from GRC system when you are integrating with IDM system.

Suppose you have integrated GRC10 with IDM 7.2 and wanted to submit access request from IDM to GRC. Being a GRC consultant you can test Web Service used to create Access Request from GRC side. It helps to check Web Service is working and you are able to submit request and its following MSMP workflow created in GRC10 by you. Once this is tested from GRC side it’s easier to use same inputs from IDM side and submit Access Request to GRC.

Web Service used to create access request from GRC is GRAC_USER_ACCES_WS (User Access Request Service) .

Follow below steps to execute Web Service.

Execute Tcode SE80 and double click on Repository Information System

Expand Enterprise Services under Repository Information System and double click on Service Definitions .

In Application Component enter GRC-AC and Execute.

Now you will be able to see all Web Service used for IDM- GRC Integration

Here double click on highlight Web Service GRAC_USER_ACCES_WS (User Access Request Service ) .

And execute GRAC_USER_ACCES_WS (User Access Request Service) from below screen

Below pop up will come. Select Generate Request Template and execute.

Below output will come. From here click on XML editor and provide required details in XML tags. And execute. This will create access request in response if you have provided all the details correct. If details are not correct then you will receive Error in response .

In above Web Service there are 5 Sections as below.

CustomFieldsVal
Parameter
RequestHeaderData
User Info
Requested Line Item

Mandatory fields and User information are determined based on End user Personalization (EUP) in SPRO. ReqInitSystem in Request Header data is mandatory filed and you need to provide IDM connector information in this.

Fill details in Header data , Line Item and User Info based on your configuration

Header DATA-

<RequestHeaderData>
<Reqtype>String 12</Reqtype>
<Priority>String 13</Priority>
<ReqDueDate>String 14</ReqDueDate>
<ReqInitSystem>String 15</ReqInitSystem>
<Requestorid>String 16</Requestorid>
<Email>String 17</Email>
<RequestReason>String 18</RequestReason>
<Funcarea>String 19</Funcarea>
<Bproc>String 20</Bproc>
</RequestHeaderData>

Line Item Details-

<item>
<ItemName>String 21</ItemName>
<Connector>String 22</Connector>
<ProvItemType>String 23</ProvItemType>
<ProvType>String 24</ProvType>
<AssignmentType>String 25</AssignmentType>
<ProvStatus>String 26</ProvStatus>
<ValidFrom>String 27</ValidFrom>
<ValidTo>String 28</ValidTo>
<FfOwner>String 29</FfOwner>
<Comments>String 30</Comments>
<ProvAction>String 31</ProvAction>
<RoleType>String 32</RoleType>
</item>

User Info

</item>
</UserGroup>
<UserInfo>
<item>
<Userid>String 49</Userid>
<Title>String 50</Title>
<Fname>String 51</Fname>
<Lname>String 52</Lname>
<SncName>String 53</SncName>
<UnsecSnc>String 54</UnsecSnc>
<Accno>String 55</Accno>
<UserGroup>String 56</UserGroup>
<ValidFrom>String 57</ValidFrom>
<ValidTo>String 58</ValidTo>
<Empposition>String 59</Empposition>
<Empjob>String 60</Empjob>
<Personnelno>String 61</Personnelno>
<Personnelarea>String 62</Personnelarea>
<CommMethod>String 63</CommMethod>
<Fax>String 64</Fax>
<Email>String 65</Email>
<Telnumber>String 66</Telnumber>
<Department>String 67</Department>
<Company>String 68</Company>
<Location>String 69</Location>
<Costcenter>String 70</Costcenter>
<Printer>String 71</Printer>
<Orgunit>String 72</Orgunit>
<Emptype>String 73</Emptype>
<Manager>String 74</Manager>
<ManagerEmail>String 75</ManagerEmail>
<ManagerFirstname>String 76</ManagerFirstname>
<ManagerLastname>String 77</ManagerLastname>
<StartMenu>String 78</StartMenu>
<LogonLang>String 79</LogonLang>
<DecNotation>String 80</DecNotation>
<DateFormat>String 81</DateFormat>
<Alias>String 82</Alias>
<UserType>String 83</UserType>
</item>

Kind Of Error / SUCCESS message you can get in response.

<?xml version=”1.0″ encoding=”utf-8″ ?>

– <n0:GracIdmUsrAccsReqServicesResponse xmlns:n0=”urn:sap-com:document:sap:soap:functions:mc-style“>

– <MsgReturn>

<MsgType>ERROR</MsgType>

<MsgStatement>Invalid request initiation system</MsgStatement>

</MsgReturn>

</n0:GracIdmUsrAccsReqServicesResponse>

<?xml version=”1.0″ encoding=”utf-8″ ?>

– <n0:GracIdmUsrAccsReqServicesResponse xmlns:n0=”urn:sap-com:document:sap:soap:functions:mc-style“>

– <MsgReturn>

< MsgNo>4</MsgNo>

<MsgType>ERROR</MsgType>

<MsgStatement>Invalid request type</MsgStatement>

</MsgReturn>

</n0:GracIdmUsrAccsReqServicesResponse>

<?xml version=”1.0″ encoding=”utf-8″ ?>

– <n0:GracIdmUsrAccsReqServicesResponse xmlns:n0=”urn:sap-com:document:sap:soap:functions:mc-style“>

– <MsgReturn>

<MsgType>ERROR</MsgType>

<MsgStatement>Invalid priority type</MsgStatement>

</MsgReturn>

</n0:GracIdmUsrAccsReqServicesResponse>

<?xml version=”1.0″ encoding=”utf-8″ ?>

– <n0:GracIdmUsrAccsReqServicesResponse xmlns:n0=”urn:sap-com:document:sap:soap:functions:mc-style“>

– <MsgReturn>

<MsgType>ERROR</MsgType>

<MsgStatement>Invalid Provision Action in line no 1</MsgStatement>

</MsgReturn>

</n0:GracIdmUsrAccsReqServicesResponse>

5. When you provide al the required detail correct. SUCCESS response will be received.

<?xml version=”1.0″ encoding=”utf-8″ ?>

– <n0:GracIdmUsrAccsReqServicesResponse xmlns:n0=”urn:sap-com:document:sap:soap:functions:mc-style“>

– <MsgReturn>

<MsgType>SUCCESS</MsgType>

<MsgStatement>Request created successfully</MsgStatement>

</MsgReturn>

<RequestId>ACCREQ/984BE1639ED01ED3A0D7D9B2BE664366</RequestId>

</n0:GracIdmUsrAccsReqServicesResponse>

6. One strange issue I have seen. If you are creating access request with user missing with GRAC_SYS auth object then you can get “Connector not configured Error”

Same type of error message you can get in IDM- VDS logs when Access Request is submitted via IDM.

Hope this will help you to understand Access Request creation using Web Service and test Web Service.

Regards

Dilip Jaiswal

To report this post you need to login first.

25 Comments

You must be Logged on to comment or reply to a post.

Deepak Jaiswal January 22, 2014 at 6:21 am

Thanks Dilip, it is really very helpful.

Just curious on one point, if we are testing this through SOAPGUI , Is it the same thing you explained happening in backend?

like (0)
1. Dilip Jaiswal Post authorJanuary 22, 2014 at 6:26 am
  
  HI, Yes this is same but you need not to configure any thing additional to execute Web Service. Regards Dilip
  
  like (0)
Sabitha Subashkumar Puri January 23, 2014 at 5:40 am

Thanks for sharing this Dilip. It is a really helpful document.

Cheers,
Sabitha

like (0)
ABHISHEK SINGH January 23, 2014 at 6:36 pm

Very Nice document

like (0)
Anil Thakur January 24, 2014 at 6:05 am

Its really very helpful document…!!!

like (0)
GOPAL KISHAN RAO BASAWARAJU January 29, 2014 at 7:27 pm

Thanks a lot Dilip in important useful knowledge regarding Access Control

The information in the document is very useful to SAP GRC consultants to know how to create Access Request using Web Service GRC10 is very helpful and presented the doc excellently

like (0)
GOPAL KISHAN RAO BASAWARAJU January 29, 2014 at 7:33 pm

The document is very useful to GRC consultant . Thank you Dilip for sharing excellent presentation.

like (0)
Nishant Chourasia February 1, 2014 at 8:30 pm

Informative document which is providing way to check system without dependency on connected system like IDM

like (0)
yogesh arora February 3, 2014 at 12:50 pm

Thank You very much for sharing such an informative, a realtime practical oriented document.

like (0)
Vinod Kumar February 7, 2014 at 4:11 am

Dilip, I think you have mastered the GRC 10 AC and have created a good content document to share with us, its helpful in implementing/using the same in our organization.

Thank you.

like (0)
surabhi mahajan February 26, 2014 at 12:40 pm

Very useful document

like (0)
Deepak Gupta March 19, 2014 at 6:06 am

Hello Dilip

Thanks for the document, I tried testing GRC webservice as you explained but getting below error:

<MsgStatement>Invalid Provision Action in line no
1</MsgStatement>

In XML editor i passed this value as “ASSIGN” but its failing, What value I should give there ?

It would be great if you can provide the possible solutions for the errors you mentioned.

Regards

Deepak Gupta

like (0)
1. Dilip Jaiswal Post authorMarch 19, 2014 at 6:21 am
  
  Hi,
  
  Please check table GRACREQTYPACT – Request Type and Action Association in your system
  
  And pass value in XML.
  
  Regards
  
  Dilip
  
  like (0)
  1. Deepak Gupta March 19, 2014 at 6:56 am
    Thanks Dilip
    
    I checked that and provided the value : 006 in XML but still its gives me the same error.
    
    in VDS Logs I get below error when I assign role to a user in IDM using standard SAP GRC Provisioning framework ( AC Validation)
    
    Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME is empty in line no 1 ;msgtype=ERROR
    
    Exception: (GRC User Access Request:82:Script execution failed)
    
    Regards
    
    Deepak Gupta
    like (0)
    1. Dilip Jaiswal Post authorMarch 19, 2014 at 7:08 am
      
      Hi, Provide correct role name(Item name) in this field and check you have particular role in sync from plugin system. Regards Dilip
      
      like (0)
Vinayalaxmi Bayar May 9, 2014 at 8:36 am

Very helpful document for beginners

like (0)
Katrice Hawkins May 11, 2014 at 7:00 am

Nice helpful blog.Keep posting.

Thanks

Katrice

like (0)
VIVEK NAGAL August 29, 2014 at 12:52 pm

Hi Dilip,

This is useful document AND I will definitely want to get this done in my project.

Looking forward for good docs like these from you.

Regards

Vivek Nagal

like (0)
Mukesh S November 6, 2014 at 1:40 pm

helpful information..thx

like (0)
Sashi Bhusan November 17, 2014 at 1:31 pm

Dilip ,

The doc is more informative . Many thanks

like (0)
Vikas Bansal April 6, 2015 at 2:00 pm

Hi Dilip,

This is really helpful.

But can you please share a valid request template.

Actually i am providing connectr name in template , and also provded the user with the authorisation objct you mentioned,

even then I am getting the same error “Connector Not Configured”.

I am attaching my request template , which has all test values except <ReqInitSystem> and <Connector>

<n0:GracIdmUsrAccsReqServices xmlns:n0=“urn:sap-com:document:sap:soap:functions:mc-style”>

<CustomFieldsVal>

   <item>

    <Fieldname>String 1</Fieldname>

    <Value>String 2</Value>

   </item>

   <item>

    <Fieldname>String 3</Fieldname>

    <Value>String 4</Value>

   </item>

</CustomFieldsVal>

<Language>String 5</Language>

<Parameter>

   <item>

    <Parameter>String 6</Parameter>

    <ParameterValue>String 7</ParameterValue>

    <ParameterDesc>String 8</ParameterDesc>

   </item>

   <item>

    <Parameter>String 9</Parameter>

    <ParameterValue>String 10</ParameterValue>

    <ParameterDesc>String 11</ParameterDesc>

   </item>

</Parameter>

<RequestHeaderData>

   <Reqtype>String 12</Reqtype>

   <Priority>String 13</Priority>

   <ReqDueDate>String 14</ReqDueDate>

<ReqInitSystem>SAPGRC</ReqInitSystem>

   <Requestorid>String 16</Requestorid>

   <Email>String 17</Email>

   <RequestReason>String 18</RequestReason>

   <Funcarea>String 19</Funcarea>

   <Bproc>String 20</Bproc>

</RequestHeaderData>

<RequestedLineItem>

   <item>

    <ItemName>String 21</ItemName>

    <Connector>SAP_NETWEAVER1</Connector>

    <ProvItemType>String 23</ProvItemType>

    <ProvType>String 24</ProvType>

    <AssignmentType>String 25</AssignmentType>

    <ProvStatus>String 26</ProvStatus>

    <ValidFrom>String 27</ValidFrom>

    <ValidTo>String 28</ValidTo>

    <FfOwner>String 29</FfOwner>

    <Comments>String 30</Comments>

    <ProvAction>String 31</ProvAction>

    <RoleType>String 32</RoleType>

   </item>



</RequestedLineItem>

<UserGroup>

   <item>

    <UserGroup>String 45</UserGroup>

    <UserGroupDesc>String 46</UserGroupDesc>

   </item>

   <item>

    <UserGroup>String 47</UserGroup>

    <UserGroupDesc>String 48</UserGroupDesc>

   </item>

</UserGroup>

<UserInfo>

   <item>

    <Userid>String 49</Userid>

    <Title>String 50</Title>

    <Fname>String 51</Fname>

    <Lname>String 52</Lname>

    <SncName>String 53</SncName>

    <UnsecSnc>String 54</UnsecSnc>

    <Accno>String 55</Accno>

    <UserGroup>String 56</UserGroup>

    <ValidFrom>String 57</ValidFrom>

    <ValidTo>String 58</ValidTo>

    <Empposition>String 59</Empposition>

    <Empjob>String 60</Empjob>

    <Personnelno>String 61</Personnelno>

    <Personnelarea>String 62</Personnelarea>

    <CommMethod>String 63</CommMethod>

    <Fax>String 64</Fax>

    <Email>String 65</Email>

    <Telnumber>String 66</Telnumber>

    <Department>String 67</Department>

    <Company>String 68</Company>

    <Location>String 69</Location>

    <Costcenter>String 70</Costcenter>

    <Printer>String 71</Printer>

    <Orgunit>String 72</Orgunit>

    <Emptype>String 73</Emptype>

    <Manager>String 74</Manager>

    <ManagerEmail>String 75</ManagerEmail>

    <ManagerFirstname>String 76</ManagerFirstname>

    <ManagerLastname>String 77</ManagerLastname>

    <StartMenu>String 78</StartMenu>

    <LogonLang>String 79</LogonLang>

    <DecNotation>String 80</DecNotation>

    <DateFormat>String 81</DateFormat>

    <Alias>String 82</Alias>

    <UserType>String 83</UserType>

   </item>

</UserInfo>

</n0:GracIdmUsrAccsReqServices>

Response what i am getting is

– <n0:GracIdmUsrAccsReqServicesResponse xmlns:n0=”urn:sap-com:document:sap:soap:functions:mc-style“>

– <MsgReturn>

<MsgNo>4</MsgNo>

<MsgType>ERROR</MsgType>

<MsgStatement>Connector is not configured</MsgStatement>

</MsgReturn>

<RequestId />

<RequestNo />

</n0:GracIdmUsrAccsReqServicesResponse>

So Please let me know, what all request should i send, so that i dont get this error.

Thanks

riju Bhasker

like (0)
Jens Klingelh.fer June 5, 2015 at 12:09 pm

Hey Dilip,

Thank you for the document. It helped me to create a valid request. One more question: Do you know how to request references to application objects for users? E.g. create entries in table USAPPLREF which link KNA1-KUNNR to BNAME.

Kind regards,

Jens

like (0)
Plaban Sahoo August 21, 2015 at 4:59 am

Hi Dilip,

Could you say, if i can test this service without IDM, as i do not have IDM

Regards

plaban

like (0)
1. Baithi Srinivas December 18, 2015 at 9:59 am
  Hello Plaban,
  
  You can try this procedure
  
  Execute transaction SE37.
  
  Enter the function module name GRAC_IDM_USR_ACCS_REQ_SERVICES
  
  Click the Test/Execute (F8) icon.
  
  Fill in the data as you would do it in the access request.
  
  Click the Execute button. A request number will be generated.
  
  Login to the GRC system and go to Access Management and search for the request.
  
  Regards
  
  Baithi
  like (0)
Tisha Dharod April 14, 2017 at 5:19 am

Hello All

I am using FM GRAC_IDM_USR_ACCS_REQ_SERVICES for business role removal . Provision environment should be ALL and not specific environment but there is no option to pass Environment values to this FM . Please suggest how can I resolve this issue ?

Thanks

like (0)