Author: Dilip Jaiswal

Access Control: – Create Access Request Using Web Service in GRC10


 

 

In this blog I would like to share my experience of how the Web Service can be tested and used to create an Access Request from the GRC system when you are integrating with an IDM system.

 

Suppose you have integrated GRC10 with IDM 7.2 and want to submit access requests from IDM to GRC. As a GRC consultant, you can test the Web Service used to create access requests from the GRC side. This confirms that the Web Service is working, that you can submit a request, and that the MSMP workflow you configured in GRC10 is triggered for it. Once this is tested from the GRC side, it is easier to use the same inputs from the IDM side to submit access requests to GRC.

 

 

The Web Service used to create an access request from GRC is GRAC_USER_ACCES_WS (User Access Request Service).

 

Follow the steps below to execute the Web Service.

 

Execute transaction code SE80 and double-click Repository Information System.

 


 

Expand Enterprise Services under Repository Information System and double-click Service Definitions.

 


 

In Application Component, enter GRC-AC and execute.

You will now see all the Web Services used for the IDM-GRC integration.

Double-click the Web Service GRAC_USER_ACCES_WS (User Access Request Service).

 

 


 

Then execute GRAC_USER_ACCES_WS (User Access Request Service) from the resulting screen.

 


 

A pop-up appears. Select Generate Request Template and execute.

 

 

The generated template is displayed. Click XML Editor, fill in the required details in the XML tags, and execute. If all the details are correct, an access request is created and returned in the response; if not, the response contains an error.

 


 

 

The Web Service request above has 5 sections:

 

  1. CustomFieldsVal
  2. Parameter
  3. RequestHeaderData
  4. User Info
  5. Requested Line Item

 

Mandatory fields and user information are determined by the End User Personalization (EUP) settings in SPRO. ReqInitSystem in the request header data is a mandatory field; provide the IDM connector information in it.

 

 

Fill in the details in Header Data, Line Item and User Info based on your configuration.

 

Header DATA-

 

<RequestHeaderData>
<Reqtype>String 12</Reqtype>
<Priority>String 13</Priority>
<ReqDueDate>String 14</ReqDueDate>
<ReqInitSystem>String 15</ReqInitSystem>
<Requestorid>String 16</Requestorid>
<Email>String 17</Email>
<RequestReason>String 18</RequestReason>
<Funcarea>String 19</Funcarea>
<Bproc>String 20</Bproc>
</RequestHeaderData>

 

Line Item Details-

 

<item>
<ItemName>String 21</ItemName>
<Connector>String 22</Connector>
<ProvItemType>String 23</ProvItemType>
<ProvType>String 24</ProvType>
<AssignmentType>String 25</AssignmentType>
<ProvStatus>String 26</ProvStatus>
<ValidFrom>String 27</ValidFrom>
<ValidTo>String 28</ValidTo>
<FfOwner>String 29</FfOwner>
<Comments>String 30</Comments>
<ProvAction>String 31</ProvAction>
<RoleType>String 32</RoleType>
</item>

 

 

 

User Info

 

<UserInfo>
<item>
<Userid>String 49</Userid>
<Title>String 50</Title>
<Fname>String 51</Fname>
<Lname>String 52</Lname>
<SncName>String 53</SncName>
<UnsecSnc>String 54</UnsecSnc>
<Accno>String 55</Accno>
<UserGroup>String 56</UserGroup>
<ValidFrom>String 57</ValidFrom>
<ValidTo>String 58</ValidTo>
<Empposition>String 59</Empposition>
<Empjob>String 60</Empjob>
<Personnelno>String 61</Personnelno>
<Personnelarea>String 62</Personnelarea>
<CommMethod>String 63</CommMethod>
<Fax>String 64</Fax>
<Email>String 65</Email>
<Telnumber>String 66</Telnumber>
<Department>String 67</Department>
<Company>String 68</Company>
<Location>String 69</Location>
<Costcenter>String 70</Costcenter>
<Printer>String 71</Printer>
<Orgunit>String 72</Orgunit>
<Emptype>String 73</Emptype>
<Manager>String 74</Manager>
<ManagerEmail>String 75</ManagerEmail>
<ManagerFirstname>String 76</ManagerFirstname>
<ManagerLastname>String 77</ManagerLastname>
<StartMenu>String 78</StartMenu>
<LogonLang>String 79</LogonLang>
<DecNotation>String 80</DecNotation>
<DateFormat>String 81</DateFormat>
<Alias>String 82</Alias>
<UserType>String 83</UserType>
</item>
</UserInfo>
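The following pre-send check is an added example, not part of the original post or SAP's code: it builds the three sections shown above and flags an empty ReqInitSystem, an empty ItemName (the error reported in the comments below) and leftover "String NN" template values. The helper names (build_request, precheck, to_xml) and all sample values are assumptions made up for the demonstration; real values come from your own GRC configuration.

```python
import re
import xml.etree.ElementTree as ET

NS = "urn:sap-com:document:sap:soap:functions:mc-style"
ET.register_namespace("n0", NS)
# Values left behind by "Generate Request Template" look like "String 12".
PLACEHOLDER = re.compile(r"^String \d+$")

def build_request(header, line_items, user):
    """Build the request body from plain dicts (tag name -> value).
    ElementTree escapes the values, so a name containing '<' cannot add tags."""
    root = ET.Element(f"{{{NS}}}GracIdmUsrAccsReqServices")
    hdr = ET.SubElement(root, "RequestHeaderData")
    for tag, value in header.items():
        ET.SubElement(hdr, tag).text = value
    lines = ET.SubElement(root, "RequestedLineItem")
    for entry in line_items:
        item = ET.SubElement(lines, "item")
        for tag, value in entry.items():
            ET.SubElement(item, tag).text = value
    info = ET.SubElement(ET.SubElement(root, "UserInfo"), "item")
    for tag, value in user.items():
        ET.SubElement(info, tag).text = value
    return root

def precheck(root):
    """Return the problems to fix before the payload is sent to GRC."""
    problems = []
    if not (root.findtext("RequestHeaderData/ReqInitSystem") or "").strip():
        problems.append("ReqInitSystem is empty")
    for n, item in enumerate(root.findall("RequestedLineItem/item"), start=1):
        if not (item.findtext("ItemName") or "").strip():
            problems.append(f"ItemName is empty in line {n}")
    for el in root.iter():
        if el.text and PLACEHOLDER.match(el.text.strip()):
            problems.append(f"{el.tag} still holds template value {el.text.strip()!r}")
    return problems

def to_xml(root):
    return ET.tostring(root, encoding="unicode")

# Constructed sample: every value here is made up for the demonstration.
DRAFT = build_request(
    {"Reqtype": "String 12", "Priority": "EXAMPLE_PRIORITY", "ReqInitSystem": ""},
    [{"ItemName": "", "Connector": "EXAMPLE_CONNECTOR", "ProvAction": "EXAMPLE_ACTION"}],
    {"Userid": "EXAMPLEUSER", "Email": "user@example.com"},
)

if __name__ == "__main__":
    for problem in precheck(DRAFT):
        print("fix before sending:", problem)
```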

 

 

 

Kinds of error / success messages you can get in the response:

 

1.

 

<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <MsgReturn>
    <MsgNo>4</MsgNo>
    <MsgType>ERROR</MsgType>
    <MsgStatement>Invalid request initiation system</MsgStatement>
  </MsgReturn>
  <RequestId />
  <RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>

 

 

2.

 

<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <MsgReturn>
    <MsgNo>4</MsgNo>
    <MsgType>ERROR</MsgType>
    <MsgStatement>Invalid request type</MsgStatement>
  </MsgReturn>
  <RequestId />
  <RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>

 

 

3.

 

<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <MsgReturn>
    <MsgNo>4</MsgNo>
    <MsgType>ERROR</MsgType>
    <MsgStatement>Invalid priority type</MsgStatement>
  </MsgReturn>
  <RequestId />
  <RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>

 

 

4.

 

<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <MsgReturn>
    <MsgNo>4</MsgNo>
    <MsgType>ERROR</MsgType>
    <MsgStatement>Invalid Provision Action in line no 1</MsgStatement>
  </MsgReturn>
  <RequestId />
  <RequestNo />
</n0:GracIdmUsrAccsReqServicesResponse>

 

 

5. When you provide all the required details correctly, a SUCCESS response is received.

 

<?xml version="1.0" encoding="utf-8" ?>
<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
  <MsgReturn>
    <MsgNo>0</MsgNo>
    <MsgType>SUCCESS</MsgType>
    <MsgStatement>Request created successfully</MsgStatement>
  </MsgReturn>
  <RequestId>ACCREQ/984BE1639ED01ED3A0D7D9B2BE664366</RequestId>
  <RequestNo>1000001159</RequestNo>
</n0:GracIdmUsrAccsReqServicesResponse>

 

 

6. One strange issue I have seen: if you create an access request with a user that is missing the GRAC_SYS authorization object, you can get a "Connector not configured" error.

 

 

You can get the same type of error message in the IDM VDS logs when an access request is submitted via IDM.
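To turn the responses listed above into something the calling side can log and act on, here is an added example (not from the original post or from SAP) that parses a response and points to the request tag worth re-checking. The names GrcResult, parse_response and FIELD_HINTS are assumptions, and the pairing of error text to request tag is inferred from the tag names only.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Request tag to re-check for each error text shown on this page. The pairing
# is inferred from the tag names; it is not taken from SAP documentation.
FIELD_HINTS = {
    "Invalid request initiation system": "RequestHeaderData/ReqInitSystem",
    "Invalid request type": "RequestHeaderData/Reqtype",
    "Invalid priority type": "RequestHeaderData/Priority",
    "Invalid Provision Action": "RequestedLineItem/item/ProvAction",
}

@dataclass
class GrcResult:
    msg_no: int
    msg_type: str
    statement: str
    request_no: str
    hint: str

    @property
    def created(self):
        # Count the call as done only if GRC says SUCCESS and returns a number.
        return self.msg_type == "SUCCESS" and bool(self.request_no)

def parse_response(xml_text):
    xml_text = xml_text.strip()
    # This response never carries a DTD, so refuse one instead of parsing it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("unexpected DTD or entity declaration")
    root = ET.fromstring(xml_text)
    if root.tag.rpartition("}")[2] != "GracIdmUsrAccsReqServicesResponse":
        raise ValueError(f"unexpected root element: {root.tag}")

    def get(path):
        return (root.findtext(path) or "").strip()

    statement = get("MsgReturn/MsgStatement")
    hint = next((f for m, f in FIELD_HINTS.items() if statement.startswith(m)), "")
    # int() raises on a missing MsgNo, so a malformed reply is never read as success.
    return GrcResult(int(get("MsgReturn/MsgNo")), get("MsgReturn/MsgType"),
                     statement, get("RequestNo"), hint)

# Two responses from this page, rebuilt on one line each with straight quotes.
ENVELOPE = ('<?xml version="1.0" encoding="utf-8" ?>'
            '<n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">'
            '<MsgReturn><MsgNo>{no}</MsgNo><MsgType>{typ}</MsgType><MsgStatement>{msg}</MsgStatement></MsgReturn>'
            '{tail}</n0:GracIdmUsrAccsReqServicesResponse>')
ERROR_XML = ENVELOPE.format(no=4, typ="ERROR", msg="Invalid Provision Action in line no 1",
                            tail="<RequestId /><RequestNo />")
SUCCESS_XML = ENVELOPE.format(no=0, typ="SUCCESS", msg="Request created successfully",
                              tail="<RequestId>ACCREQ/984BE1639ED01ED3A0D7D9B2BE664366</RequestId>"
                                   "<RequestNo>1000001159</RequestNo>")

if __name__ == "__main__":
    print(parse_response(ERROR_XML))
    print(parse_response(SUCCESS_XML))
```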

 

Hope this will help you to understand Access Request creation using Web Service and test Web Service.

 

Regards

Dilip Jaiswal


      25 Comments
      Deepak Jaiswal

      Thanks Dilip, it is really very helpful.

      Just curious on one point: if we are testing this through SOAPGUI, is it the same thing you explained happening in the backend?

      Dilip Jaiswal
      Blog Post Author

      Hi, yes, this is the same, but you need not configure anything additional to execute the Web Service. Regards Dilip

      Former Member

      Thanks for sharing this Dilip. It is a really helpful document.

      Cheers,
      Sabitha

      ABHISHEK SINGH

      Very Nice document

      Anil Thakur

      It's a really very helpful document...!!!

      Former Member

      Thanks a lot Dilip in important useful knowledge regarding Access Control

      The information in the document is very useful to SAP GRC consultants to know how to create Access Request using Web Service GRC10 is very helpful and presented the doc excellently

      Former Member

      The document is very useful to GRC consultant . Thank you Dilip for sharing excellent presentation.

      Former Member

      Informative document which is providing way to check system without dependency on connected system like IDM

      Former Member

      Thank You very much for sharing such an informative, a realtime practical oriented document.

      Former Member

      Dilip, I think you have mastered GRC 10 AC and have created a good content document to share with us; it's helpful in implementing/using the same in our organization.

      Thank you.

      Former Member

      Very useful document

      Former Member

      Hello Dilip

      Thanks for the document, I tried testing GRC webservice as you explained but getting below error:

      <MsgStatement>Invalid Provision Action in line no 1</MsgStatement>

      In the XML editor I passed this value as "ASSIGN" but it's failing. What value should I give there?

      It would be great if you can provide the possible solutions for the errors you mentioned.

      Regards

      Deepak Gupta

      Dilip Jaiswal
      Blog Post Author

      Hi,

      Please check table GRACREQTYPACT  - Request Type and Action Association in your system

      And pass value in XML.

      Regards

      Dilip

      Former Member

      Thanks Dilip

      I checked that and provided the value 006 in XML, but it still gives me the same error.

      In the VDS logs I get the error below when I assign a role to a user in IDM using the standard SAP GRC Provisioning framework (AC Validation):

         

      Additional message = msgcode=4;msgdescription=Mandatory field ITEM NAME  is empty in line no 1 ;msgtype=ERROR

         

      Exception: (GRC User Access Request:82:Script execution failed)

       

      Regards

      Deepak Gupta

      Dilip Jaiswal
      Blog Post Author

      Hi, provide the correct role name (Item name) in this field and check that you have that particular role in sync from the plugin system. Regards Dilip

      Former Member

      Very helpful document for beginners

      Former Member

      Nice helpful blog.Keep posting.

      Thanks

      Katrice

      Former Member

      Hi Dilip,

      This is a useful document and I will definitely want to get this done in my project.

      Looking forward for good docs like these from you.

      Regards

      Vivek Nagal

      Former Member

      helpful information..thx

      Former Member

      Dilip ,

           The doc is more informative . Many thanks

      Vikas Bansal

      Hi Dilip,

      This is really helpful.

      But can you please share a valid request template?

      Actually I am providing the connector name in the template, and also provided the user with the authorisation object you mentioned,

      even then I am getting the same error "Connector Not Configured".

      I am attaching my request template, which has all test values except <ReqInitSystem> and <Connector>

      <n0:GracIdmUsrAccsReqServices xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
        <CustomFieldsVal>
         <item>
          <Fieldname>String 1</Fieldname>
          <Value>String 2</Value>
         </item>
         <item>
          <Fieldname>String 3</Fieldname>
          <Value>String 4</Value>
         </item>
        </CustomFieldsVal>
        <Language>String 5</Language>
        <Parameter>
         <item>
          <Parameter>String 6</Parameter>
          <ParameterValue>String 7</ParameterValue>
          <ParameterDesc>String 8</ParameterDesc>
         </item>
         <item>
          <Parameter>String 9</Parameter>
          <ParameterValue>String 10</ParameterValue>
          <ParameterDesc>String 11</ParameterDesc>
         </item>
        </Parameter>
        <RequestHeaderData>
         <Reqtype>String 12</Reqtype>
         <Priority>String 13</Priority>
         <ReqDueDate>String 14</ReqDueDate>
         <ReqInitSystem>SAPGRC</ReqInitSystem>
         <Requestorid>String 16</Requestorid>
         <Email>String 17</Email>
         <RequestReason>String 18</RequestReason>
         <Funcarea>String 19</Funcarea>
         <Bproc>String 20</Bproc>
        </RequestHeaderData>
        <RequestedLineItem>
         <item>
          <ItemName>String 21</ItemName>
          <Connector>SAP_NETWEAVER1</Connector>
          <ProvItemType>String 23</ProvItemType>
          <ProvType>String 24</ProvType>
          <AssignmentType>String 25</AssignmentType>
          <ProvStatus>String 26</ProvStatus>
          <ValidFrom>String 27</ValidFrom>
          <ValidTo>String 28</ValidTo>
          <FfOwner>String 29</FfOwner>
          <Comments>String 30</Comments>
          <ProvAction>String 31</ProvAction>
          <RoleType>String 32</RoleType>
         </item>
        </RequestedLineItem>
        <UserGroup>
         <item>
          <UserGroup>String 45</UserGroup>
          <UserGroupDesc>String 46</UserGroupDesc>
         </item>
         <item>
          <UserGroup>String 47</UserGroup>
          <UserGroupDesc>String 48</UserGroupDesc>
         </item>
        </UserGroup>
        <UserInfo>
         <item>
          <Userid>String 49</Userid>
          <Title>String 50</Title>
          <Fname>String 51</Fname>
          <Lname>String 52</Lname>
          <SncName>String 53</SncName>
          <UnsecSnc>String 54</UnsecSnc>
          <Accno>String 55</Accno>
          <UserGroup>String 56</UserGroup>
          <ValidFrom>String 57</ValidFrom>
          <ValidTo>String 58</ValidTo>
          <Empposition>String 59</Empposition>
          <Empjob>String 60</Empjob>
          <Personnelno>String 61</Personnelno>
          <Personnelarea>String 62</Personnelarea>
          <CommMethod>String 63</CommMethod>
          <Fax>String 64</Fax>
          <Email>String 65</Email>
          <Telnumber>String 66</Telnumber>
          <Department>String 67</Department>
          <Company>String 68</Company>
          <Location>String 69</Location>
          <Costcenter>String 70</Costcenter>
          <Printer>String 71</Printer>
          <Orgunit>String 72</Orgunit>
          <Emptype>String 73</Emptype>
          <Manager>String 74</Manager>
          <ManagerEmail>String 75</ManagerEmail>
          <ManagerFirstname>String 76</ManagerFirstname>
          <ManagerLastname>String 77</ManagerLastname>
          <StartMenu>String 78</StartMenu>
          <LogonLang>String 79</LogonLang>
          <DecNotation>String 80</DecNotation>
          <DateFormat>String 81</DateFormat>
          <Alias>String 82</Alias>
          <UserType>String 83</UserType>
         </item>
        </UserInfo>
      </n0:GracIdmUsrAccsReqServices>

      The response I am getting is:

      <n0:GracIdmUsrAccsReqServicesResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
        <MsgReturn>
          <MsgNo>4</MsgNo>
          <MsgType>ERROR</MsgType>
          <MsgStatement>Connector is not configured</MsgStatement>
        </MsgReturn>
        <RequestId />
        <RequestNo />
      </n0:GracIdmUsrAccsReqServicesResponse>


      So please let me know what request I should send so that I don't get this error.


      Thanks

      riju Bhasker

      Jens Klingelh.fer

      Hey Dilip,

      Thank you for the document. It helped me to create a valid request. One more question: Do you know how to request references to application objects for users? E.g. create entries in table USAPPLREF which link KNA1-KUNNR to BNAME.

      Kind regards,

      Jens

      Former Member

      Hi Dilip,

      Could you say if I can test this service without IDM, as I do not have IDM?

      Regards

      plaban

      Baithi Srinivas

      Hello Plaban,

      You can try this procedure

      1. Execute transaction SE37.
      2. Enter the function module name GRAC_IDM_USR_ACCS_REQ_SERVICES
      3. Click the Test/Execute (F8) icon.
      4. Fill in the data as you would do it in the access request.
      5. Click the Execute button. A request number will be generated.
      6. Login to the GRC system and go to Access Management and search for the request.

      Regards

      Baithi

      Former Member

      Hello All

      I am using FM GRAC_IDM_USR_ACCS_REQ_SERVICES for business role removal. Provision environment should be ALL and not a specific environment, but there is no option to pass Environment values to this FM. Please suggest how I can resolve this issue.

      Thanks