Access Control: Create Access Request Using Web Service in GRC10
In this blog I would like to share my experience of how the Web Service can be tested to create an Access Request from the GRC system when you are integrating with an IDM system.
Suppose you have integrated GRC10 with IDM 7.2 and want to submit access requests from IDM to GRC. As a GRC consultant you can test the Web Service used to create Access Requests from the GRC side. This helps you check that the Web Service is working, that you are able to submit a request, and that the request follows the MSMP workflow you created in GRC10. Once this is tested from the GRC side, it is easier to use the same inputs from the IDM side and submit an Access Request to GRC.
The Web Service used to create access requests from GRC is GRAC_USER_ACCES_WS (User Access Request Service).
Follow the steps below to execute the Web Service.
1. Execute Tcode SE80 and double-click Repository Information System.
2. Expand Enterprise Services under Repository Information System and double-click Service Definitions.
3. In Application Component enter GRC-AC and execute.
4. You will now see all the Web Services used for IDM-GRC integration.
5. Double-click the highlighted Web Service GRAC_USER_ACCES_WS (User Access Request Service).
6. Execute GRAC_USER_ACCES_WS (User Access Request Service) from the resulting screen.
7. In the pop-up that appears, select Generate Request Template and execute.
8. In the output that appears, click XML Editor, provide the required details in the XML tags, and execute. If all the details are correct, the response shows that the access request was created. If the details are not correct, you receive an error in the response.
The request for this Web Service has 5 sections:
- CustomFieldsVal
- Parameter
- RequestHeaderData
- User Info
- Requested Line Item
Mandatory fields and user information are determined by the End User Personalization (EUP) in SPRO. ReqInitSystem in the request header data is a mandatory field, and you need to provide the IDM connector information in it.
Fill in the details in Header Data, Line Item and User Info based on your configuration.
Header Data:
<RequestHeaderData>
<Reqtype>String 12</Reqtype>
<Priority>String 13</Priority>
<ReqDueDate>String 14</ReqDueDate>
<ReqInitSystem>String 15</ReqInitSystem>
<Requestorid>String 16</Requestorid>
<Email>String 17</Email>
<RequestReason>String 18</RequestReason>
<Funcarea>String 19</Funcarea>
<Bproc>String 20</Bproc>
</RequestHeaderData>
Line Item Details:
<item>
<ItemName>String 21</ItemName>
<Connector>String 22</Connector>
<ProvItemType>String 23</ProvItemType>
<ProvType>String 24</ProvType>
<AssignmentType>String 25</AssignmentType>
<ProvStatus>String 26</ProvStatus>
<ValidFrom>String 27</ValidFrom>
<ValidTo>String 28</ValidTo>
<FfOwner>String 29</FfOwner>
<Comments>String 30</Comments>
<ProvAction>String 31</ProvAction>
<RoleType>String 32</RoleType>
</item>
User Info:
<UserInfo>
<item>
<Userid>String 49</Userid>
<Title>String 50</Title>
<Fname>String 51</Fname>
<Lname>String 52</Lname>
<SncName>String 53</SncName>
<UnsecSnc>String 54</UnsecSnc>
<Accno>String 55</Accno>
<UserGroup>String 56</UserGroup>
<ValidFrom>String 57</ValidFrom>
<ValidTo>String 58</ValidTo>
<Empposition>String 59</Empposition>
<Empjob>String 60</Empjob>
<Personnelno>String 61</Personnelno>
<Personnelarea>String 62</Personnelarea>
<CommMethod>String 63</CommMethod>
<Fax>String 64</Fax>
<Email>String 65</Email>
<Telnumber>String 66</Telnumber>
<Department>String 67</Department>
<Company>String 68</Company>
<Location>String 69</Location>
<Costcenter>String 70</Costcenter>
<Printer>String 71</Printer>
<Orgunit>String 72</Orgunit>
<Emptype>String 73</Emptype>
<Manager>String 74</Manager>
<ManagerEmail>String 75</ManagerEmail>
<ManagerFirstname>String 76</ManagerFirstname>
<ManagerLastname>String 77</ManagerLastname>
<StartMenu>String 78</StartMenu>
<LogonLang>String 79</LogonLang>
<DecNotation>String 80</DecNotation>
<DateFormat>String 81</DateFormat>
<Alias>String 82</Alias>
<UserType>String 83</UserType>
</item>
</UserInfo>
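A pre-flight check for a filled-in request, as an added example (not code from the original post or from SAP): it lists the tags that still hold the generated template's "String N" placeholder and the mandatory tags that are absent or empty. The sample values and the function names are constructed; only ReqInitSystem is treated as mandatory by default, because the other mandatory fields depend on your EUP.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a partly filled request (all values are made up).
SAMPLE_REQUEST = """<n0:GracIdmUsrAccsReqServices xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <RequestHeaderData>
    <Reqtype>001</Reqtype>
    <Priority>String 13</Priority>
    <ReqInitSystem></ReqInitSystem>
    <Requestorid>TESTUSER</Requestorid>
  </RequestHeaderData>
  <RequestedLineItem>
    <item>
      <ItemName>Z_EXAMPLE_ROLE</ItemName>
      <Connector>EXAMPLE_CONNECTOR</Connector>
      <ProvAction>String 31</ProvAction>
    </item>
  </RequestedLineItem>
</n0:GracIdmUsrAccsReqServices>"""

# The generated request template fills every tag with "String <number>".
PLACEHOLDER = re.compile(r"^String \d+$")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def preflight(xml_text, mandatory=("RequestHeaderData/ReqInitSystem",)):
    """Return (placeholders, missing): leaf paths still holding template text,
    and mandatory paths that are absent or empty."""
    root = ET.fromstring(xml_text)
    placeholders, seen = [], {}

    def walk(node, path):
        children = list(node)
        if not children:  # leaf element: inspect its text
            text = (node.text or "").strip()
            seen.setdefault(path, []).append(text)
            if PLACEHOLDER.match(text):
                placeholders.append(path)
        for child in children:
            name = local(child.tag)
            walk(child, f"{path}/{name}" if path else name)

    walk(root, "")
    missing = [m for m in mandatory if not any(seen.get(m, []))]
    return placeholders, missing
```

Pass your own tuple of paths as `mandatory` to match the fields your EUP marks as required.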
Kinds of ERROR / SUCCESS messages you can get in the response:
1.
<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
<MsgReturn>
<MsgNo>4</MsgNo>
<MsgType>ERROR</MsgType>
<MsgStatement>Invalid request initiation system</MsgStatement>
</MsgReturn>
<RequestId />
<RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>
2.
<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
<MsgReturn>
<MsgNo>4</MsgNo>
<MsgType>ERROR</MsgType>
<MsgStatement>Invalid request type</MsgStatement>
</MsgReturn>
<RequestId />
<RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>
3.
<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
<MsgReturn>
<MsgNo>4</MsgNo>
<MsgType>ERROR</MsgType>
<MsgStatement>Invalid priority type</MsgStatement>
</MsgReturn>
<RequestId />
<RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>
4.
<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
<MsgReturn>
<MsgNo>4</MsgNo>
<MsgType>ERROR</MsgType>
<MsgStatement>Invalid Provision Action in line no 1</MsgStatement>
</MsgReturn>
<RequestId />
<RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>
5. When you provide all the required details correctly, a SUCCESS response is received.
<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
<MsgReturn>
<MsgNo>0</MsgNo>
<MsgType>SUCCESS</MsgType>
<MsgStatement>Request created successfully</MsgStatement>
</MsgReturn>
<RequestId>ACCREQ/984BE1639ED01ED3A0D7D9B2BE664366</RequestId>
<RequestNo>1000001159</RequestNo>
</n0:GracIdmUsrAccsReqServicesResponse>
6. One strange issue I have seen: if you create an access request with a user who is missing the GRAC_SYS auth object, you can get a "Connector not configured" error.
The same type of error message appears in the IDM VDS logs when an Access Request is submitted via IDM.
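A small parser for the responses listed above, as an added example (not code from the original post or from SAP): it extracts the MsgReturn fields, counts the request as created only when SUCCESS comes with a RequestNo, and points at the request tag to re-check. The mapping from error statement to request tag is an assumption inferred from the tag names, and the sample response is constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = "urn:sap-com:document:sap:soap:functions:mc-style"
RESP_TAG = f"{{{NS}}}GracIdmUsrAccsReqServicesResponse"

# Constructed sample, modelled on error response 4 above.
SAMPLE_ERROR = f"""<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="{NS}">
<MsgReturn><MsgNo>4</MsgNo><MsgType>ERROR</MsgType>
<MsgStatement>Invalid Provision Action in line no 1</MsgStatement></MsgReturn>
<RequestId /><RequestNo /></n0:GracIdmUsrAccsReqServicesResponse>"""

# Assumption: which request tag each statement refers to, inferred from tag names.
HINTS = [
    (r"Invalid request initiation system", "RequestHeaderData/ReqInitSystem"),
    (r"Invalid request type", "RequestHeaderData/Reqtype"),
    (r"Invalid priority type", "RequestHeaderData/Priority"),
    (r"Invalid Provision Action in line no\s*(\d+)",
     "RequestedLineItem/item[{0}]/ProvAction"),
]

def parse_response(xml_text):
    """Return the response fields, a 'created' flag and a tag to re-check."""
    root = ET.fromstring(xml_text)
    # Accept the bare response element or one wrapped in a SOAP envelope.
    resp = root if root.tag == RESP_TAG else root.find(f".//{RESP_TAG}")
    if resp is None:
        raise ValueError("GracIdmUsrAccsReqServicesResponse not found")

    def text(path):
        node = resp.find(path)
        # Collapse whitespace so a statement wrapped across lines still matches.
        return " ".join((node.text or "").split()) if node is not None else ""

    out = {
        "msg_no": text("MsgReturn/MsgNo"),
        "msg_type": text("MsgReturn/MsgType"),
        "statement": text("MsgReturn/MsgStatement"),
        "request_id": text("RequestId"),
        "request_no": text("RequestNo"),
        "check_field": None,
    }
    # Created only when SUCCESS is accompanied by a request number.
    out["created"] = out["msg_type"] == "SUCCESS" and bool(out["request_no"])
    for pattern, field in HINTS:
        m = re.search(pattern, out["statement"], re.IGNORECASE)
        if m:
            out["check_field"] = field.format(*m.groups())
            break
    return out
```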
Hope this will help you to understand Access Request creation using Web Service and test Web Service.
Regards
Dilip Jaiswal
Thanks Dilip, it is really very helpful.
Just curious on one point: if we are testing this through SOAPGUI, is it the same thing you explained happening in the backend?
Hi, yes, this is the same, but you need not configure anything additional to execute the Web Service. Regards, Dilip
Thanks for sharing this Dilip. It is a really helpful document.
Cheers,
Sabitha
Very Nice document
It's a really very helpful document!
Thanks a lot, Dilip, for the important and useful knowledge regarding Access Control.
The information in the document is very useful to SAP GRC consultants to know how to create Access Request using Web Service GRC10 is very helpful and presented the doc excellently
The document is very useful to GRC consultant . Thank you Dilip for sharing excellent presentation.
Informative document which is providing way to check system without dependency on connected system like IDM
Thank You very much for sharing such an informative, a realtime practical oriented document.
Dilip, I think you have mastered the GRC 10 AC and have created a good content document to share with us, its helpful in implementing/using the same in our organization.
Thank you.
Very useful document
Hello Dilip
Thanks for the document. I tried testing the GRC web service as you explained but I am getting the below error:
<MsgStatement>Invalid Provision Action in line no 1</MsgStatement>
In the XML editor I passed this value as "ASSIGN" but it's failing. What value should I give there?
It would be great if you can provide the possible solutions for the errors you mentioned.
Regards
Deepak Gupta
Hi,
Please check table GRACREQTYPACT (Request Type and Action Association) in your system and pass the value in the XML.
Regards
Dilip
Thanks Dilip
I checked that and provided the value 006 in the XML, but it still gives me the same error.
In the VDS logs I get the below error when I assign a role to a user in IDM using the standard SAP GRC Provisioning framework (AC Validation).
Regards
Deepak Gupta
Hi, provide the correct role name (Item name) in this field and check that you have the particular role in sync from the plugin system. Regards, Dilip
Very helpful document for beginners
Nice helpful blog.Keep posting.
Thanks
Katrice
Hi Dilip,
This is useful document AND I will definitely want to get this done in my project.
Looking forward for good docs like these from you.
Regards
Vivek Nagal
helpful information..thx
Dilip ,
The doc is more informative . Many thanks
Hi Dilip,
This is really helpful.
But can you please share a valid request template?
Actually I am providing the connector name in the template, and I have also provided the user with the authorization object you mentioned,
even then I am getting the same error "Connector Not Configured".
I am attaching my request template, which has all test values except <ReqInitSystem> and <Connector>
<n0:GracIdmUsrAccsReqServices xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
<CustomFieldsVal>
<item>
<Fieldname>String 1</Fieldname>
<Value>String 2</Value>
</item>
<item>
<Fieldname>String 3</Fieldname>
<Value>String 4</Value>
</item>
</CustomFieldsVal>
<Language>String 5</Language>
<Parameter>
<item>
<Parameter>String 6</Parameter>
<ParameterValue>String 7</ParameterValue>
<ParameterDesc>String 8</ParameterDesc>
</item>
<item>
<Parameter>String 9</Parameter>
<ParameterValue>String 10</ParameterValue>
<ParameterDesc>String 11</ParameterDesc>
</item>
</Parameter>
<RequestHeaderData>
<Reqtype>String 12</Reqtype>
<Priority>String 13</Priority>
<ReqDueDate>String 14</ReqDueDate>
<ReqInitSystem>SAPGRC</ReqInitSystem>
<Requestorid>String 16</Requestorid>
<Email>String 17</Email>
<RequestReason>String 18</RequestReason>
<Funcarea>String 19</Funcarea>
<Bproc>String 20</Bproc>
</RequestHeaderData>
<RequestedLineItem>
<item>
<ItemName>String 21</ItemName>
<Connector>SAP_NETWEAVER1</Connector>
<ProvItemType>String 23</ProvItemType>
<ProvType>String 24</ProvType>
<AssignmentType>String 25</AssignmentType>
<ProvStatus>String 26</ProvStatus>
<ValidFrom>String 27</ValidFrom>
<ValidTo>String 28</ValidTo>
<FfOwner>String 29</FfOwner>
<Comments>String 30</Comments>
<ProvAction>String 31</ProvAction>
<RoleType>String 32</RoleType>
</item>
</RequestedLineItem>
<UserGroup>
<item>
<UserGroup>String 45</UserGroup>
<UserGroupDesc>String 46</UserGroupDesc>
</item>
<item>
<UserGroup>String 47</UserGroup>
<UserGroupDesc>String 48</UserGroupDesc>
</item>
</UserGroup>
<UserInfo>
<item>
<Userid>String 49</Userid>
<Title>String 50</Title>
<Fname>String 51</Fname>
<Lname>String 52</Lname>
<SncName>String 53</SncName>
<UnsecSnc>String 54</UnsecSnc>
<Accno>String 55</Accno>
<UserGroup>String 56</UserGroup>
<ValidFrom>String 57</ValidFrom>
<ValidTo>String 58</ValidTo>
<Empposition>String 59</Empposition>
<Empjob>String 60</Empjob>
<Personnelno>String 61</Personnelno>
<Personnelarea>String 62</Personnelarea>
<CommMethod>String 63</CommMethod>
<Fax>String 64</Fax>
<Email>String 65</Email>
<Telnumber>String 66</Telnumber>
<Department>String 67</Department>
<Company>String 68</Company>
<Location>String 69</Location>
<Costcenter>String 70</Costcenter>
<Printer>String 71</Printer>
<Orgunit>String 72</Orgunit>
<Emptype>String 73</Emptype>
<Manager>String 74</Manager>
<ManagerEmail>String 75</ManagerEmail>
<ManagerFirstname>String 76</ManagerFirstname>
<ManagerLastname>String 77</ManagerLastname>
<StartMenu>String 78</StartMenu>
<LogonLang>String 79</LogonLang>
<DecNotation>String 80</DecNotation>
<DateFormat>String 81</DateFormat>
<Alias>String 82</Alias>
<UserType>String 83</UserType>
</item>
</UserInfo>
</n0:GracIdmUsrAccsReqServices>
The response I am getting is
</MsgReturn>
</n0:GracIdmUsrAccsReqServicesResponse>
So please let me know what request I should send so that I don't get this error.
Thanks
riju Bhasker
Hey Dilip,
Thank you for the document. It helped me to create a valid request. One more question: Do you know how to request references to application objects for users? E.g. create entries in table USAPPLREF which link KNA1-KUNNR to BNAME.
Kind regards,
Jens
Hi Dilip,
Could you say whether I can test this service without IDM, as I do not have IDM?
Regards
plaban
Hello Plaban,
You can try this procedure
Regards
Baithi
Hello All
I am using FM GRAC_IDM_USR_ACCS_REQ_SERVICES for business role removal. The provision environment should be ALL and not a specific environment, but there is no option to pass Environment values to this FM. Please suggest how I can resolve this issue.
Thanks