Skip to Content

Access Request Management (ARM) can connect to ABAP-based SAP systems such as SAP ERP (ECC), SAP SCM, SAP CRM, SAP  Business Intelligence (BI) to create users and assign roles with pre-delivered ABAP-based programs. Enabling the same functionality with a Java-based system such as the SAP Enterprise Portal requires a different procedure and separate configuration. To connect to Java-based systems, you use pre-delivered Web services installed on the SAP Enterprise Portal for integration.

A step-by-step guide demonstrates the required configuration to integrate SAP Enterprise Portal with GRC 10.0.


Step 1:-Deploy the AC 10.0 web service and you will find the following in WS Navigaton.

Pic1.jpg

Step 2:Create a G type SM59 connector. This will connect to the above web service for AUTH extraction and password generation.

/wp-content/uploads/2015/01/pic2_622781.jpg

Step 3:-Create a G type SM59 connector. This will connect to EP’s SPML interface for PROV.


Pic3.jpg

Step 4:-Maintain the Logical port for WS connector in tx LPCONFIG.

Pic4.jpg

Pic5.jpg


Step 5:-Maintain Connector and Connection Types.

Pic6.jpg

WS will be attached to the LPCONFIG end point SPML1 logical port will be same as Target Connector


Step 6:-Define the EP Group (this will be used in field mapping). See SAPNote 0001981001

Pic7.jpg


Step 7:-Attach both the connectors (WS and SPML) to AUTH scenario.


/wp-content/uploads/2015/01/pic9_624282.jpg

Make sure that the following classes are attached to the scenario.


Step 8:-Do same for PROV scenario.

Pic10.jpg

Step 9:- And for ROLMG scenario.

Pic11.jpg

Step 10:-Set as Production system.

Pic12.jpg

Step 11:-Create the group field mapping.

Pic13.jpg

Default connector is the one which will make a runtime call to get the F4 for system field names in figure below.

Pic14.jpg

Define the field mapping for the group applicable to all the system in that group (F4 from default connector)

Pic15.jpg

Define the technical parameter mapping .


Step 12:Synchronize EP SPML Schema.

Pic16.jpg


Connector is the one for SPML we earlier created


Step 13:-Now sync user, roles, auths from EP.

As once you start provisioning if you continue to sync using the inconsistencies. You should switch to use  ‘GRAC_ROLEREP_ROLE_SYNC’ program.

Following important points needs to be considered:

1.You don’t need to sync Profiles with NetWeaver Java as they don’t exist on Java Stacks.

2.If you continue to sync Users after your initial sync, i.e. after you start provisioning from GRC, then your GRC data will become inconsistent. These inconsistencies are caused because GRC maintains validity dates for User, Role, and the relationships between these, whereas the NetWeaver Java does not include this same detail and a future User sync will overwrite validity information in GRC with blank entries.

/wp-content/uploads/2015/01/pic17_624312.jpg

This is from WS connector.


Step 14:- Deploy GRC Portal Content -add-on portal business package GRC_POR which contains  the GRC Portal UI elements to access the GRC suite.


Step 15:Deploy GRC Portal Plugin(GRCPIEP)(Must for GRC AC)


Step 16:- Set the system Alias for GRC system in SAP Netweaver Enterprise Portal as  follows:

                  SAP-GRC

                  SAP-GRC-AC

                  SAP_GRC(in case of issue-faced by me in SP8)

                  SAP_GRC_AC(in case of issue-faced by me in SP8)


*In case of GRC PC is activated then system alias must be SAP-GRC & SAP-GRC-PC,for GRC RM SAP-GRC & SAP-GRC-RM.


Step 17:-Create a same user both in GRC and EP and assign  following Portal Roles to the user.

                a.GRC Access Control

                b.ERP Common

       Assign Required GRC Roles to the user in the GRC System.

*In case of GRC PC or RM activated  assign GRC SUITE  & ERP COMMON Portal Role to the user,additionally GRC Internal Audit Management if required by the user.

Procedure for creating user in the Portal for  Accessing GRC Roles.

1.Log on as portal user administrator and access the User Administration function.

2.If the user has been created by the User Management Engine (UME) that is connected to the GRC ABAP system, you do not need to create the user in the portal system.

If not, create a new portal user and assign the system to the user in the User Mapping for System Access tab, along with a mapped user ID and password.

3.After creating the user, go to the Assigned Roles tab and assign the role GRC Access Control  to the user who has the power user role SAP_GRAC_FN_ALL in the ABAP system, to enable viewing of all the Work Centers.[Only in case of GRC AC is activated].


Hope this  was useful. Please use the comments section to share your feedback and questions.

To report this post you need to login first.

24 Comments

You must be Logged on to comment or reply to a post.

  1. Faisal Khan

    Pradeep,

    I have not yet configured EP with GRC. However, thought to appreciate your effort for sharing this document. Hopefully, I will follow this soon.

    Regards,

    Faisal

    (0) 
  2. George Borghouts

    In addition to the note 1607232 describing parts of the above, you may want to double check your Portal whether note 1647157 is applicable. That solved the ‘no data found’ message with us whilst trying fetching the IDM schema from the Portal.

    Other relevant notes:

    1848215

    2033753

    1848095

    1857609

    1603438

    (0) 
    1. George Borghouts

      Hi Rajesh,

      Yep bit of a hidden one:

      SAP ACCESS CONTROL 10.0 (Support Packages and Patches) -> Entry by Component -> GRC Java Components -> SAP GRC PORTAL 10.0 -> # OS independent -> GRCPOR1010_0-20007573.SCA would give you SP10 of it.

      Note if it is 10.1 GRCPOR you are looking for, it would lead you also to the same one as above.

      As it is JAVA it is not incremental, you always deploy the full works (so via SDM no need for an installation one and then a support pack one etc etc).

      You may want to consult the attachment in note 1352498 to determine correct SP level. Only thing that bothered me there is that for GRCPOR (when looking in 10;0 tab) they speak of latest SP11; Whilst via path above I could only find SP10 as latest. But OK perhaps not relevant to you.

      Cheers,

      George

      (0) 
  3. Maria Piedra

    Pradeep

    I have a couple of questions:

    1. If we only have Access Control, do we have to setup only the Alias for SAP-GRC-AC, or do we have to also create SAP-GRC?
    2. The user we have to create, what’s the purpose of it? Where do we have to reference it?

    Regards

    Maria

    (0) 
    1. Pradeep Agarwal Post author

      Hi Maria,

      Yes both the Alias as in my case I had to provide both.

      User allows to Sync data ,therefore same userid is required between GRC and EP system.

      Regards

      Pradeep

      (0) 
          1. Plaban Sahoo

            that note does not say on WS. But another note 1607232, mentions point  3. Once deployed, you will see a web service called GRACAuthMgmtServiceOutBinding in Web Service Navigator

            (0) 
              1. Plaban Sahoo

                i wanted to know where to find the Webservice tree structure(as shown in point 1 of this doc.). So, now, i see that,  it will be available on EP.  Could you let me know, if i am correct

                (0) 
                1. reddy Visu

                  Hi Plaban,

                  Yes. You are correct. you can create connector and maintain connector type, Logical port, Connector group, and Scenario-connector type link in GRC Server.

                  Regards,

                  Reddy

                  (0) 
    1. Pradeep Agarwal Post author

      Thanks Somik.

      You can always raise questions or feel free to suggest, which you think can be added to this document for better understanding of new learners like you.

      Regards

      Pradeep

      (0) 
  4. George Borghouts

    Dear all,

    Regarding ‘assigning group parameter mapping’ above: in case your Enterpise Portal has a user data source that does not allow  you to create users (typically corporate LDAP) then please consider note 1958231, which instructs you to leave out the entries CREATE_USER:OC and CREATE_USER:password.

    This prevents errors showing in the prov log and requests from never finishing.

    This as the parameters in essence are SPML instructions fed to your portal’s provisioning engine. E.g if you wouldn’t use request type ‘Delete user’ then also you could kick out the parameter ‘DELETE_USER:OC’ etc etc

    May the force be with you.

    George

    (0) 
  5. Pradeep Agarwal Post author

    Hi Jonathan,

    Thanks for the suggestions.I have incorporated the same in the document.Please feel free to suggest any other  valuable points.

    Regards

    Pradeep

    (0) 
  6. Shaji Narayanan

    Hi Pradeep,

    Thanks for a nice, informative post.


    Quick query: while your post talks about user provisioning for java-based NW AS system, is there any specific reason to title this post as “Enterprise Portal Integration with GRC”? Surely it should have a title “Java AS Integration with GRC” for user-provisioning?


    Sorry for being pedantic, but available SAP notes and documents too mention EP integration with GRC, and not Java AS integration with GRC.  Does all of this mean the user-provisioning is available only for a Java AS that has the EP software component?


    I hope the GRC user-provisioning is not limited only to those Java AS with EP software component. 


    Per my understanding the underlying Java UME is same for all NW Java AS systems, and is independent of the software components (say EP, PI, NWDI to name few) applied on top of it.


    Could you kindly clarify?


    Thanks and best regards,

    Shaji

    (0) 
    1. Pradeep Agarwal Post author

      Hi Shaji,

      Thanks for the comment.

      But the above document was very specific to EP integration with GRC and the user provisioning as I talked specifically of deploying web-services and Software package of EP.

      For other Java AS integration I am not sure which all Java AS GRC supports.But I am sure PI and other Java AS can be integrated with GRC provided there plug-ins/software packages are made available by SAP.

      Hope this answers your query.Please feel free to provide more suggestions to make this a better and comprehensive document for EP integration with GRC.

      Regards

      Pradeep

      (0) 

Leave a Reply