Skip to Content

1. PURPOSE

The purpose of this document is to define clear steps required to implement GRC on HANA plug in to integrate GRC 10.1 with HANALIVE DB for user provisioning.

2. SCOPE

This scope applies for Basis team who support SAP GRC on HANA configuration after will go live. This procedure applied for pre requisites, installation and post installation configuration of complete SAP GRC HANA “plug in” setup.

This document does not cover security setup that required for User provisioning on HANALIVE through SAP GRC system

3. Component details

Need at least GRC 10.1 with SAP NW 7.4 system to integrate this with HANA

SAP GRC ACCESS CONTROL        11          sap.com              SAP ACCESS CONTROL 10.1

SAP NETWEAVER            7.4          sap.com              SAP NET WEAVER 7.4

HANACLIENT SPS 8 Rev 82 Patch level 0

HANALIVE DB SPS8 Rev 82 Patch level 0

HCO_GRC_PI SP06 Patch level 0 (GRC Plugin)

4. Install SAP HANA CLIENT on GRC source system

Download required HANA client software compatible with OS where GRC installed

Software name -> IMDB_CLIENT100_82_0-10009663.SAR

Need SUDO or root user into source GRC system

Fig1.png

Extract the HANA Client 82 version package in /software_repo/HANA_CLIENT directory

Fig2.png

Check the extracting files

Create directory hdbclient under /user/sap/<SID> file system

Fig3.png

Run hdbinst to install HANA client

Fig4.png

Install the HANA Client with hdbinst command from ROOT user

Fig5.png

Check the install files in /usr/sap/<SID>/hdbclient location


    5. Set the PATH & LD_LIBRARY_PATH variables in sapenv.sh & sapenv.csh file

Fig6.png

Check the ENV from <sid>adm user by opening a new session

Fig7.png

Note – Take restart / bounce of SAP GRC application


    6. Connectivity test from GRC to HANALIVE DB


          A. Check the GRC system connectivity from hdbsql prompt


Fig10.png

          B. Check connection from GRC application level

Create connection user GRC_DBCO_PI in HANALIVE DB with below privileges (for connection test – you can use any existing user e.g. – SYSTEM)

Later you can create this user with below roles (this role will come after plugin deployment in HANALIVE DB) for permanent connection

Fig11.png

Create DB connection through DBCO transaction code from GRC as belowFig12.png

Fig13.png

Fig14.png

Fig15.png

Fig16.png

7.  Deploy D e l i v e r y U n i t with Content for the SAP HANA plug-in for GRC integration with HANA

  1. Start HANA Studio and Open Modeler perspective.
  2. Add System (where HCO_GRC_PI will be deployed) in the HANA Studio by providing
  3.   Host Name, Instance Number, Description, HANA User ID and Password.
  4. Note: Use SYSTEM or Any HANA User with proper authorizations as User ID to connect to the HANA System where HCO_GRC_PI will be deployed. Mandatory, No exceptions.
  5. After System Registration is completed and Connection verified, Use “Select System” button in the Modeler perspective to select a System you just registered in the previous step.
  6. In the same Modeler Perspective Click “Import” link located under “Content” label and in the
  7.   Open dialog select “Delivery Unit” under SAP HANA Content and Click “Next” button.
  8. In the opened window Select file location as “Client” and use “Browse” button to navigate to the location where you save file with SAP HANA plug-in you downloaded from SMP.
  9. Note: You may need to use SAPCAR to extract D e l i v e r y U n i t file with extension .T G Z from the archive you downloaded from SMP.
  10. When .TGZ file is selected you will see D e l i v e r y U n i t details in the Object import simulation.
  11. Click “Finish” button to complete D e l i v e r y U n i t deployment and Object Activation process.
  12. Verify deployment by navigating in the “Modeler” perspective to “SAP HANA Systems” where you registered HANA Server.
  13. Expend from Content node, following packages sap –> grc –> pi –> a c and under ac package you should be able to see two packages ara with 16 sql objects and arq with 11 sql objects and db with 2 objects and roles with 1 object.
  14. In this point D e l i v e r y U n i t was deployed successfully.

Now go to HANA Studio and login in HLR system with modeler perspective:  Open Modeler perspective and select Delivery unit


Fig17.png

Fig18.png

Select HANALIVE DB system

Fig19.png

Browse through the downloaded HCO_GRC_PI plugin software, click finish

Fig20.png

Check the Job log once the Import is finished.

Fig21.png

Fig22.png

8. Install HANA Integration API to the SYSTEM catalog by using HANA Studio


In the main window of HANA Studio Click on Perspective Button and select SAP HANA Development

Fig8_1.png

Fig8_2.png

Go to Repositories

Fig8_3.png

Fig8_4.png

Select HANALIVE DB system and right click on it to choose ‘Create Repository Workspace

Fig8_5.png

Give workspace name as HCO_GRC_PI and click on Finish button:

Fig8_6.png

Expend from Content node, following packages sap –> grc –> pi –> ac and under ac package two packages are there – ara with 16 sql objects and arq with 11 sql objects and db with 2 objects and roles with 1 object.

In this point D e l i v e r y U n i t was deployed successfully

Fig8_7.png

For each file in the ara package.

  1. Double click on first sql file in the ara package and after sql file is open in the SQL Editor.
  2. Right Click in editor window and click on “Choose Connection” and in the open window select the same HANA System you registered above.
  3. Click “Execute” or F8 to create Stored Procedure for selected HANA API in the SAP_PI_GRC Catalog.

    d. Repeat steps from a to c for rest of the sql files in the ara package.

    e. Repeat steps from a to c for all of the sql files in the arq package only in the following order / sequence.

1. All sql files what name started from is_… and ins_… in any order.

2. Two sql files that name started from Grant_… and Revoke_… in any order.

Fig8_8.png

Create GRC_DBCO_PI user in HANALIVE DB system

Fig8_9.png

Fig8_9.png

Set permanent password – ***************

Fig8_10.png

9. Configure SAP GRC 10.1 central system with HANA integration

    1. Create new user (For Example: GRC_DBCO_PI) and grant to this user role s a p . g r c . p i . a c . r o l e s : : S A P _ G R C _ P I _ A D M I N activated in the step 1.
    2. Activate new user created in the step 1.
    3. Reset new user password to the permanent password by logging with this user in the HANA Studio.
    4. Use newly created GRC_DBCO_PI user in steps above for DBCO configuration in the SAP GRC 10.1 Central system.

Create a Logical RFC – HLR for HANALIVE system:

From SPRO check the connector Display IMG -> SAP customizing Implementing Guide ->Governance, Risk & Compliance -> Common Component Settings -> Integration Framework -> Maintain Connection and Connection Types


Validate the GRC to HANA DB connection from SA38 transaction of GRC system with program -> ADBC_TEST_CONNECTION


This completes all configuration for GRC & HANA DB integration.


10. APPENDIX

We have followed SAP note -> 1869912 – SAP GRC 10.1 Plug-In SAP HANA, SAP HANA Content for all required configuration (check the latest version of the SAP note from market place).

To report this post you need to login first.

1 Comment

You must be Logged on to comment or reply to a post.

  1. Christian Cabrita

    Hello,

    Thank you for the post. We are in the process of implementing this.

    Do you know if HANA provisioning works with GRC connected to CUA ?

    Regards,

    Christian

    (0) 

Leave a Reply