Skip to Content

Enterprise Portal Integration with SAP GRC 10.0

Access Request Management (ARM) can connect to ABAP-based SAP systems such as SAP ERP (ECC), SAP SCM, SAP CRM, SAP  Business Intelligence (BI) to create users and assign roles with pre-delivered ABAP-based programs. Enabling the same functionality with a Java-based system such as the SAP Enterprise Portal requires a different procedure and separate configuration. To connect to Java-based systems, you use pre-delivered Web services installed on the SAP Enterprise Portal for integration.

A step-by-step guide demonstrates the required configuration to integrate SAP Enterprise Portal with GRC 10.0.

Step 1:-Deploy the AC 10.0 web service and you will find the following in WS Navigaton.


Step 2:Create a G type SM59 connector. This will connect to the above web service for AUTH extraction and password generation.


Step 3:-Create a G type SM59 connector. This will connect to EP’s SPML interface for PROV.


Step 4:-Maintain the Logical port for WS connector in tx LPCONFIG.



Step 5:-Maintain Connector and Connection Types.


WS will be attached to the LPCONFIG end point SPML1 logical port will be same as Target Connector

Step 6:-Define the EP Group (this will be used in field mapping). See SAPNote 0001981001


Step 7:-Attach both the connectors (WS and SPML) to AUTH scenario.


Make sure that the following classes are attached to the scenario.

Step 8:-Do same for PROV scenario.


Step 9:- And for ROLMG scenario.


Step 10:-Set as Production system.


Step 11:-Create the group field mapping.


Default connector is the one which will make a runtime call to get the F4 for system field names in figure below.


Define the field mapping for the group applicable to all the system in that group (F4 from default connector)


Define the technical parameter mapping .

Step 12:Synchronize EP SPML Schema.


Connector is the one for SPML we earlier created

Step 13:-Now sync user, roles, auths from EP.

As once you start provisioning if you continue to sync using the inconsistencies. You should switch to use  ‘GRAC_ROLEREP_ROLE_SYNC’ program.

Following important points needs to be considered:

1.You don’t need to sync Profiles with NetWeaver Java as they don’t exist on Java Stacks.

2.If you continue to sync Users after your initial sync, i.e. after you start provisioning from GRC, then your GRC data will become inconsistent. These inconsistencies are caused because GRC maintains validity dates for User, Role, and the relationships between these, whereas the NetWeaver Java does not include this same detail and a future User sync will overwrite validity information in GRC with blank entries.


This is from WS connector.

Step 14:- Deploy GRC Portal Content -add-on portal business package GRC_POR which contains  the GRC Portal UI elements to access the GRC suite.

Step 15:Deploy GRC Portal Plugin(GRCPIEP)(Must for GRC AC)

Step 16:- Set the system Alias for GRC system in SAP Netweaver Enterprise Portal as  follows:



                  SAP_GRC(in case of issue-faced by me in SP8)

                  SAP_GRC_AC(in case of issue-faced by me in SP8)

*In case of GRC PC is activated then system alias must be SAP-GRC & SAP-GRC-PC,for GRC RM SAP-GRC & SAP-GRC-RM.

Step 17:-Create a same user both in GRC and EP and assign  following Portal Roles to the user.

                a.GRC Access Control

                b.ERP Common

       Assign Required GRC Roles to the user in the GRC System.

*In case of GRC PC or RM activated  assign GRC SUITE  & ERP COMMON Portal Role to the user,additionally GRC Internal Audit Management if required by the user.

Procedure for creating user in the Portal for  Accessing GRC Roles.

1.Log on as portal user administrator and access the User Administration function.

2.If the user has been created by the User Management Engine (UME) that is connected to the GRC ABAP system, you do not need to create the user in the portal system.

If not, create a new portal user and assign the system to the user in the User Mapping for System Access tab, along with a mapped user ID and password.

3.After creating the user, go to the Assigned Roles tab and assign the role GRC Access Control  to the user who has the power user role SAP_GRAC_FN_ALL in the ABAP system, to enable viewing of all the Work Centers.[Only in case of GRC AC is activated].

Hope this  was useful. Please use the comments section to share your feedback and questions.

You must be Logged on to comment or reply to a post.
  • Pradeep,

    I have not yet configured EP with GRC. However, thought to appreciate your effort for sharing this document. Hopefully, I will follow this soon.



  • In addition to the note 1607232 describing parts of the above, you may want to double check your Portal whether note 1647157 is applicable. That solved the 'no data found' message with us whilst trying fetching the IDM schema from the Portal.

    Other relevant notes:






    • Hi Rajesh,

      Yep bit of a hidden one:

      SAP ACCESS CONTROL 10.0 (Support Packages and Patches) -> Entry by Component -> GRC Java Components -> SAP GRC PORTAL 10.0 -> # OS independent -> GRCPOR1010_0-20007573.SCA would give you SP10 of it.

      Note if it is 10.1 GRCPOR you are looking for, it would lead you also to the same one as above.

      As it is JAVA it is not incremental, you always deploy the full works (so via SDM no need for an installation one and then a support pack one etc etc).

      You may want to consult the attachment in note 1352498 to determine correct SP level. Only thing that bothered me there is that for GRCPOR (when looking in 10;0 tab) they speak of latest SP11; Whilst via path above I could only find SP10 as latest. But OK perhaps not relevant to you.



  • Pradeep

    I have a couple of questions:

    1. If we only have Access Control, do we have to setup only the Alias for SAP-GRC-AC, or do we have to also create SAP-GRC?
    2. The user we have to create, what's the purpose of it? Where do we have to reference it?



    • Thanks Somik.

      You can always raise questions or feel free to suggest, which you think can be added to this document for better understanding of new learners like you.



  • Dear all,

    Regarding 'assigning group parameter mapping' above: in case your Enterpise Portal has a user data source that does not allow  you to create users (typically corporate LDAP) then please consider note 1958231, which instructs you to leave out the entries CREATE_USER:OC and CREATE_USER:password.

    This prevents errors showing in the prov log and requests from never finishing.

    This as the parameters in essence are SPML instructions fed to your portal's provisioning engine. E.g if you wouldn't use request type 'Delete user' then also you could kick out the parameter 'DELETE_USER:OC' etc etc

    May the force be with you.


  • Hi Jonathan,

    Thanks for the suggestions.I have incorporated the same in the document.Please feel free to suggest any other  valuable points.



  • Hi Pradeep,

    Thanks for a nice, informative post.

    Quick query: while your post talks about user provisioning for java-based NW AS system, is there any specific reason to title this post as "Enterprise Portal Integration with GRC"? Surely it should have a title "Java AS Integration with GRC" for user-provisioning?

    Sorry for being pedantic, but available SAP notes and documents too mention EP integration with GRC, and not Java AS integration with GRC.  Does all of this mean the user-provisioning is available only for a Java AS that has the EP software component?

    I hope the GRC user-provisioning is not limited only to those Java AS with EP software component. 

    Per my understanding the underlying Java UME is same for all NW Java AS systems, and is independent of the software components (say EP, PI, NWDI to name few) applied on top of it.

    Could you kindly clarify?

    Thanks and best regards,


    • Hi Shaji,

      Thanks for the comment.

      But the above document was very specific to EP integration with GRC and the user provisioning as I talked specifically of deploying web-services and Software package of EP.

      For other Java AS integration I am not sure which all Java AS GRC supports.But I am sure PI and other Java AS can be integrated with GRC provided there plug-ins/software packages are made available by SAP.

      Hope this answers your query.Please feel free to provide more suggestions to make this a better and comprehensive document for EP integration with GRC.



  • HI Pradeep,

    Hope all is well at your end!

    We have followed all the steps .

    We can access GRC Hope pagein our Portal  under GRC Access Control Role. But whenever we cllick on any link in GRC Home page in our portal we get Page not found error. Please refer screenshot.


    Could you help me to resolve this issue please.


    Thank You.

    • /
    • /
    • Hi Gaurav,

      I think I am missing the issue over here.Could you please put it step by step what you trying to and what exactly the issues are with screenshots.That way I or anyone in this forum can help you in a better way.




        Hi Pradeep,

        Thank You for your response.


        We have a requirement  to integrate GRC Work inbox Application  in our SAP Portal. We had successfully integrated work inbox Application in our portal, we were able to see  work item in Work inbox application in our portal using the GRC Access control Role after deploying GRC portal plugin and creating System object as mentioned in your document . But whenever we click on any Work item in work inbox in our portal, we were getting page not found exception as shown in attachment.


        Though we have resolved this issue now. But Thank You for your help and detailed document


        Best regards,

        Gaurav Sahu