Access Control: Create Access Request Using Web Service in GRC10

 

 

In this blog I would like to share my experience of how the web service for creating an Access Request can be tested from the GRC system when you are integrating with an IDM system.

 

Suppose you have integrated GRC10 with IDM 7.2 and want to submit access requests from IDM to GRC. As a GRC consultant, you can test the web service used to create an Access Request from the GRC side. This helps you check that the web service is working, that you are able to submit a request, and that the MSMP workflow you created in GRC10 follows it. Once this is tested from the GRC side, it is easier to use the same inputs from the IDM side and submit the Access Request to GRC.

 

 

The web service used to create an access request from GRC is GRAC_USER_ACCES_WS (User Access Request Service).

 

Follow the steps below to execute the web service.

 

Execute transaction code SE80 and double-click Repository Information System.

 

Expand Enterprise Services under Repository Information System and double-click Service Definitions.

 

In Application Component, enter GRC-AC and execute.

You will now see all the web services used for IDM-GRC integration.

Double-click the web service GRAC_USER_ACCES_WS (User Access Request Service).

 

Then execute GRAC_USER_ACCES_WS (User Access Request Service) from the screen that opens.

 

A pop-up appears. Select Generate Request Template and execute.

 

 

The generated request template is displayed. Click XML Editor, provide the required details in the XML tags, and execute. If all the details you provided are correct, the access request is created and returned in the response. If the details are not correct, you receive an error in the response.

 

 

The web service request has 5 sections:

 

  1. CustomFieldsVal
  2. Parameter
  3. RequestHeaderData
  4. User Info
  5. Requested Line Item

 

Mandatory fields and user information are determined by End User Personalization (EUP) in SPRO. ReqInitSystem in the request header data is a mandatory field, and you need to provide the IDM connector information in it.

 

 

Fill in the details in the header data, line item and user info based on your configuration.

 

Header data:

 

<RequestHeaderData>
<Reqtype>String 12</Reqtype>
<Priority>String 13</Priority>
<ReqDueDate>String 14</ReqDueDate>
<ReqInitSystem>String 15</ReqInitSystem>
<Requestorid>String 16</Requestorid>
<Email>String 17</Email>
<RequestReason>String 18</RequestReason>
<Funcarea>String 19</Funcarea>
<Bproc>String 20</Bproc>
</RequestHeaderData>

 

Line item details:

 

<item>
<ItemName>String 21</ItemName>
<Connector>String 22</Connector>
<ProvItemType>String 23</ProvItemType>
<ProvType>String 24</ProvType>
<AssignmentType>String 25</AssignmentType>
<ProvStatus>String 26</ProvStatus>
<ValidFrom>String 27</ValidFrom>
<ValidTo>String 28</ValidTo>
<FfOwner>String 29</FfOwner>
<Comments>String 30</Comments>
<ProvAction>String 31</ProvAction>
<RoleType>String 32</RoleType>
</item>

 

 

 

User info:

 

<UserInfo>
<item>
<Userid>String 49</Userid>
<Title>String 50</Title>
<Fname>String 51</Fname>
<Lname>String 52</Lname>
<SncName>String 53</SncName>
<UnsecSnc>String 54</UnsecSnc>
<Accno>String 55</Accno>
<UserGroup>String 56</UserGroup>
<ValidFrom>String 57</ValidFrom>
<ValidTo>String 58</ValidTo>
<Empposition>String 59</Empposition>
<Empjob>String 60</Empjob>
<Personnelno>String 61</Personnelno>
<Personnelarea>String 62</Personnelarea>
<CommMethod>String 63</CommMethod>
<Fax>String 64</Fax>
<Email>String 65</Email>
<Telnumber>String 66</Telnumber>
<Department>String 67</Department>
<Company>String 68</Company>
<Location>String 69</Location>
<Costcenter>String 70</Costcenter>
<Printer>String 71</Printer>
<Orgunit>String 72</Orgunit>
<Emptype>String 73</Emptype>
<Manager>String 74</Manager>
<ManagerEmail>String 75</ManagerEmail>
<ManagerFirstname>String 76</ManagerFirstname>
<ManagerLastname>String 77</ManagerLastname>
<StartMenu>String 78</StartMenu>
<LogonLang>String 79</LogonLang>
<DecNotation>String 80</DecNotation>
<DateFormat>String 81</DateFormat>
<Alias>String 82</Alias>
<UserType>String 83</UserType>
</item>
</UserInfo>
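
A pre-flight check for the request payload described above, as an added example that is not part of the original post: it flags "String NN" values left over from the generated template and empty mandatory fields before the request is sent. The mandatory set, connector names and user ID below are assumptions; the real mandatory set depends on your EUP configuration.

```python
import re
import xml.etree.ElementTree as ET

# Values left behind by "Generate Request Template", e.g. "String 12".
PLACEHOLDER = re.compile(r"^String \d+$")

# Assumption for this sketch: the real mandatory set comes from End User
# Personalization (EUP); the page only states ReqInitSystem is always mandatory.
MANDATORY = {
    "RequestHeaderData": ["ReqInitSystem"],
    "RequestedLineItem/item": ["ItemName", "Connector", "ProvAction"],
    "UserInfo/item": ["Userid"],
}

def lint_request(xml_text, mandatory=MANDATORY):
    """Return (path, problem) findings for a request payload before it is sent."""
    root = ET.fromstring(xml_text)
    findings = []
    for section, fields in mandatory.items():
        nodes = root.findall(section)
        if not nodes:
            findings.append((section, "section missing"))
        for idx, node in enumerate(nodes, start=1):
            for field in fields:
                if not (node.findtext(field) or "").strip():
                    findings.append((f"{section}[{idx}]/{field}", "mandatory field empty"))

    def walk(elem, path):
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if len(child) == 0 and PLACEHOLDER.match(text):
                findings.append((child_path, f"unfilled placeholder {text!r}"))
            walk(child, child_path)

    walk(root, "")
    return findings

# Constructed sample: a partly filled template (connector and user names are made up).
SAMPLE_REQUEST = """<n0:GracIdmUsrAccsReqServices
    xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <RequestHeaderData><Reqtype>String 12</Reqtype>
    <ReqInitSystem>IDM_CONNECTOR_EXAMPLE</ReqInitSystem></RequestHeaderData>
  <RequestedLineItem><item><ItemName></ItemName>
    <Connector>TARGET_CONNECTOR_EXAMPLE</Connector>
    <ProvAction>String 31</ProvAction></item></RequestedLineItem>
  <UserInfo><item><Userid>TESTUSER01</Userid></item></UserInfo>
</n0:GracIdmUsrAccsReqServices>"""
```

Calling `lint_request(SAMPLE_REQUEST)` reports the empty ItemName and the two leftover placeholders.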

 

 

 

Kinds of error and success messages you can get in the response:

 

1.

 

<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <MsgReturn>
    <MsgNo>4</MsgNo>
    <MsgType>ERROR</MsgType>
    <MsgStatement>Invalid request initiation system</MsgStatement>
  </MsgReturn>
  <RequestId />
  <RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>

 

 

2.

 

<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <MsgReturn>
    <MsgNo>4</MsgNo>
    <MsgType>ERROR</MsgType>
    <MsgStatement>Invalid request type</MsgStatement>
  </MsgReturn>
  <RequestId />
  <RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>

 

 

3.

 

<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <MsgReturn>
    <MsgNo>4</MsgNo>
    <MsgType>ERROR</MsgType>
    <MsgStatement>Invalid priority type</MsgStatement>
  </MsgReturn>
  <RequestId />
  <RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>

 

 

4.

 

<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <MsgReturn>
    <MsgNo>4</MsgNo>
    <MsgType>ERROR</MsgType>
    <MsgStatement>Invalid Provision Action in line no 1</MsgStatement>
  </MsgReturn>
  <RequestId />
  <RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>

 

 

5. When you provide all the required details correctly, a SUCCESS response is received.

 

<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <MsgReturn>
    <MsgNo>0</MsgNo>
    <MsgType>SUCCESS</MsgType>
    <MsgStatement>Request created successfully</MsgStatement>
  </MsgReturn>
  <RequestId>ACCREQ/984BE1639ED01ED3A0D7D9B2BE664366</RequestId>
  <RequestNo>1000001159</RequestNo>
</n0:GracIdmUsrAccsReqServicesResponse>

 

 

6. One strange issue I have seen: if you create an access request with a user that is missing the GRAC_SYS authorization object, you can get a "Connector not configured" error.

 

 

You can get the same type of error message in the IDM VDS logs when an Access Request is submitted via IDM.
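
One way for the calling side to interpret these responses, as an added example that is not part of the original post: it treats a request as created only when MsgType, MsgNo and RequestNo all agree, and points at the request field named by the error statement. The statement-to-field mapping is an assumption inferred from the wording of the messages quoted on this page and in its comments.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Statements quoted on this page, mapped to the request field to re-check.
# The mapping is inferred from the wording of each statement (assumption).
FIELD_HINTS = [
    ("invalid request initiation system", "RequestHeaderData/ReqInitSystem"),
    ("invalid request type", "RequestHeaderData/Reqtype"),
    ("invalid priority type", "RequestHeaderData/Priority"),
    ("invalid provision action", "RequestedLineItem/item/ProvAction"),
    ("mandatory field item name", "RequestedLineItem/item/ItemName"),
    ("connector", "Connector, and GRAC_SYS authorization of the calling user"),
]

@dataclass
class AccessRequestResult:
    created: bool
    msg_no: str
    statement: str
    request_no: Optional[str]
    hint: Optional[str]

def parse_response(xml_text):
    """Interpret a GracIdmUsrAccsReqServicesResponse body, failing closed."""
    root = ET.fromstring(xml_text)
    def get(path):
        return (root.findtext(path) or "").strip()
    msg_no, msg_type = get("MsgReturn/MsgNo"), get("MsgReturn/MsgType").upper()
    statement = " ".join(get("MsgReturn/MsgStatement").split())
    request_no = get("RequestNo") or None
    # Count the request as created only when all three signals agree.
    created = msg_type == "SUCCESS" and msg_no == "0" and request_no is not None
    hint = None
    if not created:
        hint = next((f for key, f in FIELD_HINTS if key in statement.lower()), None)
    return AccessRequestResult(created, msg_no, statement, request_no, hint)

NS = 'xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style"'
# Responses rebuilt from the ones shown on this page.
SUCCESS = f"""<n0:GracIdmUsrAccsReqServicesResponse {NS}><MsgReturn><MsgNo>0</MsgNo>
<MsgType>SUCCESS</MsgType><MsgStatement>Request created successfully</MsgStatement>
</MsgReturn><RequestId>ACCREQ/984BE1639ED01ED3A0D7D9B2BE664366</RequestId>
<RequestNo>1000001159</RequestNo></n0:GracIdmUsrAccsReqServicesResponse>"""
ERROR = f"""<n0:GracIdmUsrAccsReqServicesResponse {NS}><MsgReturn><MsgNo>4</MsgNo>
<MsgType>ERROR</MsgType><MsgStatement>Invalid Provision Action in line no
1</MsgStatement></MsgReturn><RequestId /><RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>"""
```

A response that claims SUCCESS but carries an empty RequestNo is reported as not created, so the calling system does not record a request that GRC never opened.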

 

I hope this helps you understand and test Access Request creation using the web service.

 

Regards

Dilip Jaiswal


25 Comments


  1. Deepak Jaiswal

    Thanks Dilip, it is really very helpful.

    Just curious on one point: if we are testing this through SOAPGUI, is it the same thing you explained happening in the backend?

    (0) 
  2. GOPAL KISHAN RAO BASAWARAJU

    Thanks a lot, Dilip, for the important and useful knowledge regarding Access Control.

    The information in the document is very useful for SAP GRC consultants who want to know how to create an Access Request using the Web Service in GRC10. It is very helpful and the doc is presented excellently.

    (0) 
  3. Vinod Kumar

    Dilip, I think you have mastered the GRC 10 AC and have created a good content document to share with us. It's helpful in implementing/using the same in our organization.

    Thank you.

    (0) 
  4. Deepak Gupta

    Hello Dilip

    Thanks for the document. I tried testing the GRC web service as you explained, but I am getting the below error:

    <MsgStatement>Invalid Provision Action in line no 1</MsgStatement>

    In the XML editor I passed this value as "ASSIGN" but it's failing. What value should I give there?

    It would be great if you can provide the possible solutions for the errors you mentioned.

    Regards

    Deepak Gupta

    (0) 
    1. Dilip Jaiswal Post author

      Hi,

      Please check table GRACREQTYPACT (Request Type and Action Association) in your system

      and pass the value in the XML.

      Regards

      Dilip

      (0) 
      1. Deepak Gupta

        Thanks Dilip

        I checked that and provided the value 006 in the XML, but it still gives me the same error.

        In the VDS logs I get the below error when I assign a role to a user in IDM using the standard SAP GRC Provisioning framework (AC Validation):

           

        Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME  is empty in line no 1 ;msgtype=ERROR

           

        Exception: (GRC User Access Request:82:Script execution failed)

         

        Regards

        Deepak Gupta

        (0) 
        1. Dilip Jaiswal Post author

          Hi, Provide the correct role name (Item name) in this field and check that you have the particular role in sync from the plugin system. Regards Dilip

          (0) 
  5. VIVEK NAGAL

    Hi Dilip,

    This is a useful document and I will definitely want to get this done in my project.

    Looking forward to good docs like these from you.

    Regards

    Vivek Nagal

    (0) 
  6. Vikas Bansal

    Hi Dilip,

    This is really helpful.

    But can you please share a valid request template?

    Actually I am providing the connector name in the template, and I also provided the user with the authorisation object you mentioned,

    even then I am getting the same error "Connector Not Configured".

    I am attaching my request template, which has all test values except <ReqInitSystem> and <Connector>

    <n0:GracIdmUsrAccsReqServices xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">

      <CustomFieldsVal>

       <item>

        <Fieldname>String 1</Fieldname>

        <Value>String 2</Value>

       </item>

       <item>

        <Fieldname>String 3</Fieldname>

        <Value>String 4</Value>

       </item>

      </CustomFieldsVal>

      <Language>String 5</Language>

      <Parameter>

       <item>

        <Parameter>String 6</Parameter>

        <ParameterValue>String 7</ParameterValue>

        <ParameterDesc>String 8</ParameterDesc>

       </item>

       <item>

        <Parameter>String 9</Parameter>

        <ParameterValue>String 10</ParameterValue>

        <ParameterDesc>String 11</ParameterDesc>

       </item>

      </Parameter>

      <RequestHeaderData>

       <Reqtype>String 12</Reqtype>

       <Priority>String 13</Priority>

       <ReqDueDate>String 14</ReqDueDate>

      <ReqInitSystem>SAPGRC</ReqInitSystem>

       <Requestorid>String 16</Requestorid>

       <Email>String 17</Email>

       <RequestReason>String 18</RequestReason>

       <Funcarea>String 19</Funcarea>

       <Bproc>String 20</Bproc>

      </RequestHeaderData>

      <RequestedLineItem>

       <item>

        <ItemName>String 21</ItemName>

        <Connector>SAP_NETWEAVER1</Connector>

        <ProvItemType>String 23</ProvItemType>

        <ProvType>String 24</ProvType>

        <AssignmentType>String 25</AssignmentType>

        <ProvStatus>String 26</ProvStatus>

        <ValidFrom>String 27</ValidFrom>

        <ValidTo>String 28</ValidTo>

        <FfOwner>String 29</FfOwner>

        <Comments>String 30</Comments>

        <ProvAction>String 31</ProvAction>

        <RoleType>String 32</RoleType>

       </item>

      

      </RequestedLineItem>

      <UserGroup>

       <item>

        <UserGroup>String 45</UserGroup>

        <UserGroupDesc>String 46</UserGroupDesc>

       </item>

       <item>

        <UserGroup>String 47</UserGroup>

        <UserGroupDesc>String 48</UserGroupDesc>

       </item>

      </UserGroup>

      <UserInfo>

       <item>

        <Userid>String 49</Userid>

        <Title>String 50</Title>

        <Fname>String 51</Fname>

        <Lname>String 52</Lname>

        <SncName>String 53</SncName>

        <UnsecSnc>String 54</UnsecSnc>

        <Accno>String 55</Accno>

        <UserGroup>String 56</UserGroup>

        <ValidFrom>String 57</ValidFrom>

        <ValidTo>String 58</ValidTo>

        <Empposition>String 59</Empposition>

        <Empjob>String 60</Empjob>

        <Personnelno>String 61</Personnelno>

        <Personnelarea>String 62</Personnelarea>

        <CommMethod>String 63</CommMethod>

        <Fax>String 64</Fax>

        <Email>String 65</Email>

        <Telnumber>String 66</Telnumber>

        <Department>String 67</Department>

        <Company>String 68</Company>

        <Location>String 69</Location>

        <Costcenter>String 70</Costcenter>

        <Printer>String 71</Printer>

        <Orgunit>String 72</Orgunit>

        <Emptype>String 73</Emptype>

        <Manager>String 74</Manager>

        <ManagerEmail>String 75</ManagerEmail>

        <ManagerFirstname>String 76</ManagerFirstname>

        <ManagerLastname>String 77</ManagerLastname>

        <StartMenu>String 78</StartMenu>

        <LogonLang>String 79</LogonLang>

        <DecNotation>String 80</DecNotation>

        <DateFormat>String 81</DateFormat>

        <Alias>String 82</Alias>

        <UserType>String 83</UserType>

       </item>

     

      </UserInfo>

    </n0:GracIdmUsrAccsReqServices>

    The response I am getting is

    <n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
      <MsgReturn>
        <MsgNo>4</MsgNo>
        <MsgType>ERROR</MsgType>
        <MsgStatement>Connector is not configured</MsgStatement>
      </MsgReturn>
      <RequestId />
      <RequestNo />
    </n0:GracIdmUsrAccsReqServicesResponse>


    So please let me know what request I should send so that I don't get this error.


    Thanks

    riju Bhasker

    (0) 
  7. Jens Klingelhöfer

    Hey Dilip,

    Thank you for the document. It helped me to create a valid request. One more question: Do you know how to request references to application objects for users? E.g. create entries in table USAPPLREF which link KNA1-KUNNR to BNAME.

    Kind regards,

    Jens

    (0) 
    1. Baithi Srinivas

      Hello Plaban,

      You can try this procedure

      1. Execute transaction SE37.
      2. Enter the function module name GRAC_IDM_USR_ACCS_REQ_SERVICES
      3. Click the Test/Execute (F8) icon.
      4. Fill in the data as you would do it in the access request.
      5. Click the Execute button. A request number will be generated.
      6. Login to the GRC system and go to Access Management and search for the request.

      Regards

      Baithi

      (0) 
  8. Tisha Dharod

    Hello All

    I am using FM GRAC_IDM_USR_ACCS_REQ_SERVICES for business role removal. The provision environment should be ALL and not a specific environment, but there is no option to pass environment values to this FM. Please suggest how I can resolve this issue.

    Thanks

     

    (0) 
