Pradeep Agarwal

Enterprise Portal Integration with SAP GRC 10.0

Access Request Management (ARM) can connect to ABAP-based SAP systems such as SAP ERP (ECC), SAP SCM, SAP CRM and SAP Business Intelligence (BI) to create users and assign roles with pre-delivered ABAP-based programs. Enabling the same functionality with a Java-based system such as the SAP Enterprise Portal requires a different procedure and separate configuration. To connect to Java-based systems, you use pre-delivered web services installed on the SAP Enterprise Portal for integration.

A step-by-step guide demonstrates the required configuration to integrate SAP Enterprise Portal with GRC 10.0.


Step 1: Deploy the AC 10.0 web service. Once deployed, it is listed in WS Navigator.

Step 2: Create a type G connector in SM59. It connects to the web service above for AUTH extraction and password generation.

Step 3: Create a type G connector in SM59. It connects to EP’s SPML interface for PROV.

Step 4: Maintain the logical port for the WS connector in transaction LPCONFIG.


Step 5: Maintain the connectors and connection types.

The WS connector is attached to the LPCONFIG endpoint. For SPML1, the logical port is the same as the target connector.


Step 6: Define the EP group (this will be used in field mapping). See SAP Note 0001981001.


Step 7: Attach both connectors (WS and SPML) to the AUTH scenario.

Make sure that the following classes are attached to the scenario.


Step 8: Do the same for the PROV scenario.

Step 9: Do the same for the ROLMG scenario.

Step 10: Set the system as a production system.

Step 11: Create the group field mapping.

The default connector is the one that makes the runtime call to provide the F4 help for system field names.

Define the field mapping for the group; it applies to all systems in that group (the F4 help comes from the default connector).

Define the technical parameter mapping.


Step 12: Synchronize the EP SPML schema.

The connector is the SPML connector created earlier.


Step 13: Now sync users, roles and authorizations from EP.

Once you start provisioning, continuing to sync in the same way leads to inconsistencies. You should switch to the ‘GRAC_ROLEREP_ROLE_SYNC’ program.

The following important points need to be considered:

1. You don’t need to sync profiles with NetWeaver Java, as they don’t exist on Java stacks.

2. If you continue to sync users after your initial sync, i.e. after you start provisioning from GRC, your GRC data will become inconsistent. These inconsistencies arise because GRC maintains validity dates for users, roles and the relationships between them, whereas NetWeaver Java does not hold this detail, so a later user sync overwrites the validity information in GRC with blank entries.
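
The inconsistency described in point 2, modelled as an added example (not SAP code and not part of the original post): a repeated user sync rebuilds records from the Java side, which has no validity dates, and a before/after snapshot comparison lists the assignments whose dates were blanked. The record layout, user IDs and role names are constructed for illustration and are not the GRC table structure.

```python
from datetime import date

# Constructed GRC snapshot taken before a user sync: (user, role) -> validity.
# Field layout and values are hypothetical, not the GRC table structure.
GRC_BEFORE = {
    ("JDOE", "portal_role_hr"): (date(2015, 1, 1), date(2015, 6, 30)),
    ("JDOE", "portal_role_ess"): (date(2015, 1, 1), date(9999, 12, 31)),
    ("ASMITH", "portal_role_fin"): (date(2015, 3, 1), date(2015, 12, 31)),
}

# Constructed Java-side extract: assignments only, no validity dates exist there.
EP_EXTRACT = [
    ("JDOE", "portal_role_hr"),
    ("JDOE", "portal_role_ess"),
    ("ASMITH", "portal_role_fin"),
    ("BLEE", "portal_role_ess"),
]

BLANK = (None, None)


def user_sync(ep_extract):
    """Model a repeated user sync: records are rebuilt from the Java-side
    extract, which has no validity dates, so every record ends up blank."""
    return {pair: BLANK for pair in ep_extract}


def lost_validity(before, after, as_of):
    """Compare snapshots and report assignments whose dates were blanked.
    Each finding notes whether the old end date had already passed."""
    findings = []
    for pair, (valid_from, valid_to) in sorted(before.items()):
        if after.get(pair) == BLANK and (valid_from, valid_to) != BLANK:
            findings.append({
                "user": pair[0],
                "role": pair[1],
                "old_valid_to": valid_to,
                "was_expired": valid_to is not None and valid_to < as_of,
            })
    return findings


if __name__ == "__main__":
    after = user_sync(EP_EXTRACT)
    for finding in lost_validity(GRC_BEFORE, after, as_of=date(2015, 9, 1)):
        print(finding)
```

Findings with `was_expired` set are the ones to review first, since their original end date had passed before the dates were blanked.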

This is from the WS connector.


Step 14: Deploy the GRC Portal Content, the add-on portal business package GRC_POR, which contains the GRC Portal UI elements used to access the GRC suite.


Step 15: Deploy the GRC Portal Plugin (GRCPIEP). This is a must for GRC AC.


Step 16: Set the system aliases for the GRC system in SAP NetWeaver Enterprise Portal as follows:

                  SAP-GRC

                  SAP-GRC-AC

                  SAP_GRC (in case of issues; I faced this in SP8)

                  SAP_GRC_AC (in case of issues; I faced this in SP8)


*If GRC PC is activated, the system aliases must be SAP-GRC and SAP-GRC-PC; for GRC RM, SAP-GRC and SAP-GRC-RM.


Step 17: Create the same user in both GRC and EP and assign the following Portal roles to the user:

                a. GRC Access Control

                b. ERP Common

       Assign the required GRC roles to the user in the GRC system.

*If GRC PC or RM is activated, assign the GRC SUITE and ERP COMMON Portal roles to the user, and additionally GRC Internal Audit Management if the user requires it.

Procedure for creating a user in the Portal for accessing GRC roles:

1. Log on as portal user administrator and access the User Administration function.

2. If the user has been created by the User Management Engine (UME) that is connected to the GRC ABAP system, you do not need to create the user in the portal system.

If not, create a new portal user and assign the system to the user in the User Mapping for System Access tab, along with a mapped user ID and password.

3. After creating the user, go to the Assigned Roles tab and assign the role GRC Access Control to the user who has the power user role SAP_GRAC_FN_ALL in the ABAP system, to enable viewing of all the Work Centers. [Only if GRC AC is activated.]


Hope this was useful. Please use the comments section to share your feedback and questions.


      31 Comments
      Faisal Khan

      Pradeep,

      I have not yet configured EP with GRC. However, thought to appreciate your effort for sharing this document. Hopefully, I will follow this soon.

      Regards,

      Faisal

      Former Member

      In addition to the note 1607232 describing parts of the above, you may want to double check your Portal whether note 1647157 is applicable. That solved the 'no data found' message with us whilst trying to fetch the IDM schema from the Portal.

      Other relevant notes:

      1848215

      2033753

      1848095

      1857609

      1603438

      Pradeep Agarwal
      Blog Post Author

      Thanks George for providing more information, which can be helpful to other users.

      Regards

      Pradeep

      Former Member

      Will you please share the business package GRC_POR download path from the support.sap.com site?

      Former Member

      Hi Rajesh,

      Yep bit of a hidden one:

      SAP ACCESS CONTROL 10.0 (Support Packages and Patches) -> Entry by Component -> GRC Java Components -> SAP GRC PORTAL 10.0 -> # OS independent -> GRCPOR1010_0-20007573.SCA would give you SP10 of it.

      Note if it is 10.1 GRCPOR you are looking for, it would lead you also to the same one as above.

      As it is JAVA it is not incremental, you always deploy the full works (so via SDM no need for an installation one and then a support pack one etc etc).

      You may want to consult the attachment in note 1352498 to determine the correct SP level. The only thing that bothered me there is that for GRCPOR (when looking in the 10.0 tab) they speak of latest SP11, whilst via the path above I could only find SP10 as latest. But OK, perhaps not relevant to you.

      Cheers,

      George

      Former Member

      Pradeep

      I have a couple of questions:

      1. If we only have Access Control, do we have to setup only the Alias for SAP-GRC-AC, or do we have to also create SAP-GRC?
      2. The user we have to create, what's the purpose of it? Where do we have to reference it?

      Regards

      Maria

      Pradeep Agarwal
      Blog Post Author

      Hi Maria,

      Yes, both aliases, as in my case I had to provide both.

      The user allows syncing data; therefore the same user ID is required between the GRC and EP systems.

      Regards

      Pradeep

      Former Member

      Hi Pradeep,

      Could you share which t-code or URL launches Web Service Navigator?

      Regards

      Plaban

      Former Member

      Hello Plaban,

      Please refer to SAP Note 1607279.

      Regards,

      Reddy

      Former Member

      That note does not say anything on WS. But another note, 1607232, mentions in point 3: once deployed, you will see a web service called GRACAuthMgmtServiceOutBinding in Web Service Navigator.

      Former Member

      Hello Plaban,

      Yes. According to reference Note 1607232, once deployed you will see the web service.

      Regards,

      Reddy

      Former Member

      I wanted to know where to find the web service tree structure (as shown in point 1 of this doc). So now I see that it will be available on EP. Could you let me know if I am correct?

      Former Member

      Hi Plaban,

      Yes. You are correct. You can create the connector and maintain the connector type, logical port, connector group, and scenario-connector type link in the GRC server.

      Regards,

      Reddy

      Pradeep Agarwal
      Blog Post Author

      Hi Plaban,

      Yes, you are correct: you see the Web Service Navigator in EP itself.

      Let me know if you want any other details.

      Regards

      Pradeep

      Former Member

      Hi Pradeep,

      Nice document!

      But it's a bit hard for new learners like us as we probably look for more details

      Pradeep Agarwal
      Blog Post Author

      Thanks Somik.

      You can always raise questions or feel free to suggest, which you think can be added to this document for better understanding of new learners like you.

      Regards

      Pradeep

      Former Member

      Dear all,

      Regarding 'assigning group parameter mapping' above: in case your Enterprise Portal has a user data source that does not allow you to create users (typically corporate LDAP), then please consider note 1958231, which instructs you to leave out the entries CREATE_USER:OC and CREATE_USER:password.

      This prevents errors showing in the prov log and requests from never finishing.

      This is because the parameters are in essence SPML instructions fed to your portal's provisioning engine. E.g., if you wouldn't use request type 'Delete user', then you could also kick out the parameter 'DELETE_USER:OC', etc.

      May the force be with you.

      George

      Pradeep Agarwal
      Blog Post Author

      Hi Jonathan,

      Thanks for the suggestions. I have incorporated the same in the document. Please feel free to suggest any other valuable points.

      Regards

      Pradeep

      Former Member

      Pradeep,

      Can you kindly add the steps for uploading portal groups to GRC?

      Pradeep Agarwal
      Blog Post Author

      Hi Somik,

      Please elaborate: which Portal groups are you referring to?

      Regards

      Pradeep

      Former Member

      Hi Pradeep,

      I meant portal roles only

      Alessandro Banzer

      Hi Somik,

      role import can be seen here: Role Import - GRC 10

      Regards,

      Alessandro

      Shaji Narayanan

      Hi Pradeep,

      Thanks for a nice, informative post.


      Quick query: while your post talks about user provisioning for java-based NW AS system, is there any specific reason to title this post as "Enterprise Portal Integration with GRC"? Surely it should have a title "Java AS Integration with GRC" for user-provisioning?


      Sorry for being pedantic, but available SAP notes and documents too mention EP integration with GRC, and not Java AS integration with GRC.  Does all of this mean the user-provisioning is available only for a Java AS that has the EP software component?


      I hope the GRC user-provisioning is not limited only to those Java AS with EP software component. 


      Per my understanding the underlying Java UME is same for all NW Java AS systems, and is independent of the software components (say EP, PI, NWDI to name few) applied on top of it.


      Could you kindly clarify?


      Thanks and best regards,

      Shaji

      Pradeep Agarwal
      Blog Post Author

      Hi Shaji,

      Thanks for the comment.

      But the above document was very specific to EP integration with GRC and the user provisioning, as I talked specifically of deploying web services and the software package of EP.

      For other Java AS integration I am not sure which Java AS systems GRC supports. But I am sure PI and other Java AS can be integrated with GRC provided their plug-ins/software packages are made available by SAP.

      Hope this answers your query. Please feel free to provide more suggestions to make this a better and more comprehensive document for EP integration with GRC.

      Regards

      Pradeep

      Gaurav Sahu

      Hi Pradeep,

      Hope all is well at your end!

      We have followed all the steps.

      We can access the GRC Home page in our Portal under the GRC Access Control role. But whenever we click on any link on the GRC Home page in our portal, we get a Page not found error. Please refer to the screenshot.

      Could you help me to resolve this issue please?

      Thank You.

      Pradeep Agarwal
      Blog Post Author

      Hi Gaurav,

      I think I am missing the issue over here. Could you please put it step by step what you are trying to do and what exactly the issues are, with screenshots? That way I or anyone in this forum can help you in a better way.

      Regards

      Pradeep

      Gaurav Sahu

      Hi Pradeep,

      Thank You for your response.

      We have a requirement to integrate the GRC Work Inbox application in our SAP Portal. We had successfully integrated the Work Inbox application in our portal; we were able to see work items in the Work Inbox application in our portal using the GRC Access Control role after deploying the GRC portal plugin and creating the System object as mentioned in your document. But whenever we click on any work item in the Work Inbox in our portal, we were getting a page not found exception as shown in the attachment.

      Though we have resolved this issue now. But Thank You for your help and detailed document.

      Best regards,

      Gaurav Sahu

      Izabela Dorocinska

      Hi,

      Does this procedure also apply to GRC Access Control 12.0?

      Thanks for rapid response.

      Izabela

      Sreenivasan Jai A J

      Hi,

      How to download the role attribute file from the Enterprise Portal system to upload to GRC for role provisioning?

      Thanks,

      Jai