Access Request Management (ARM) can connect to ABAP-based SAP systems such as SAP ERP (ECC), SAP SCM, SAP CRM, SAP  Business Intelligence (BI) to create users and assign roles with pre-delivered ABAP-based programs. Enabling the same functionality with a Java-based system such as the SAP Enterprise Portal requires a different procedure and separate configuration. To connect to Java-based systems, you use pre-delivered Web services installed on the SAP Enterprise Portal for integration.

A step-by-step guide demonstrates the required configuration to integrate SAP Enterprise Portal with GRC 10.0.

Step 1:-Deploy the AC 10.0 web service and you will find the following in WS Navigaton.

Step 2:-Create a G type SM59 connector. This will connect to the above web service for AUTH extraction and password generation.

Step 3:-Create a G type SM59 connector. This will connect to EP’s SPML interface for PROV.

Step 4:-Maintain the Logical port for WS connector in tx LPCONFIG.

Step 5:-Maintain Connector and Connection Types.

WS will be attached to the LPCONFIG end point SPML1 logical port will be same as Target Connector

Step 6:-Define the EP Group (this will be used in field mapping). See SAPNote 0001981001

Step 7:-Attach both the connectors (WS and SPML) to AUTH scenario.

Make sure that the following classes are attached to the scenario.

Step 8:-Do same for PROV scenario.

Step 9:- And for ROLMG scenario.

Step 10:-Set as Production system.

Step 11:-Create the group field mapping.

Default connector is the one which will make a runtime call to get the F4 for system field names in figure below.

Define the field mapping for the group applicable to all the system in that group (F4 from default connector)

Define the technical parameter mapping .

Step 12:-Synchronize EP SPML Schema.

Connector is the one for SPML we earlier created

Step 13:-Now sync user, roles, auths from EP.

As once you start provisioning if you continue to sync using the inconsistencies. You should switch to use  'GRAC_ROLEREP_ROLE_SYNC' program.

Following important points needs to be considered:

1.You don't need to sync Profiles with NetWeaver Java as they don't exist on Java Stacks.

2.If you continue to sync Users after your initial sync, i.e. after you start provisioning from GRC, then your GRC data will become inconsistent. These inconsistencies are caused because GRC maintains validity dates for User, Role, and the relationships between these, whereas the NetWeaver Java does not include this same detail and a future User sync will overwrite validity information in GRC with blank entries.

This is from WS connector.

Step 14:- Deploy GRC Portal Content -add-on portal business package GRC_POR which contains  the GRC Portal UI elements to access the GRC suite.

Step 15:Deploy GRC Portal Plugin(GRCPIEP)(Must for GRC AC)

Step 16:- Set the system Alias for GRC system in SAP Netweaver Enterprise Portal as  follows:

                  SAP-GRC

                  SAP-GRC-AC

                  SAP_GRC(in case of issue-faced by me in SP8)

                  SAP_GRC_AC(in case of issue-faced by me in SP8)

*In case of GRC PC is activated then system alias must be SAP-GRC & SAP-GRC-PC,for GRC RM SAP-GRC & SAP-GRC-RM.

Step 17:-Create a same user both in GRC and EP and assign  following Portal Roles to the user.

                a.GRC Access Control

                b.ERP Common

       Assign Required GRC Roles to the user in the GRC System.

*In case of GRC PC or RM activated  assign GRC SUITE  & ERP COMMON Portal Role to the user,additionally GRC Internal Audit Management if required by the user.

Procedure for creating user in the Portal for  Accessing GRC Roles.

1.Log on as portal user administrator and access the User Administration function.

2.If the user has been created by the User Management Engine (UME) that is connected to the GRC ABAP system, you do not need to create the user in the portal system.

If not, create a new portal user and assign the system to the user in the User Mapping for System Access tab, along with a mapped user ID and password.

3.After creating the user, go to the Assigned Roles tab and assign the role GRC Access Control  to the user who has the power user role SAP_GRAC_FN_ALL in the ABAP system, to enable viewing of all the Work Centers.[Only in case of GRC AC is activated].

Hope this  was useful. Please use the comments section to share your feedback and questions.