Author: Pallab K Saha

GRC integration with SAP HANA – Guide

1. PURPOSE

The purpose of this document is to define the steps required to implement the GRC on HANA plug-in, which integrates GRC 10.1 with the HANALIVE DB for user provisioning.

2. SCOPE

This document applies to the Basis team who support the SAP GRC on HANA configuration after go-live. The procedure covers the prerequisites, installation and post-installation configuration of the complete SAP GRC HANA plug-in setup.

This document does not cover the security setup that is required for user provisioning on HANALIVE through the SAP GRC system.

3. Component details

At least GRC 10.1 on an SAP NW 7.4 system is needed to integrate with HANA.

SAP GRC ACCESS CONTROL        11          sap.com              SAP ACCESS CONTROL 10.1

SAP NETWEAVER            7.4          sap.com              SAP NET WEAVER 7.4

HANACLIENT SPS 8 Rev 82 Patch level 0

HANALIVE DB SPS8 Rev 82 Patch level 0

HCO_GRC_PI SP06 Patch level 0 (GRC Plugin)

4. Install SAP HANA CLIENT on GRC source system

Download the HANA client software compatible with the OS on which GRC is installed.

Software name -> IMDB_CLIENT100_82_0-10009663.SAR

sudo or root access on the source GRC system is required.

Extract the HANA Client version 82 package into the /software_repo/HANA_CLIENT directory.

Check the extracted files.

Create the directory hdbclient under the /usr/sap/<SID> file system.

Run hdbinst to install the HANA client.

Install the HANA client with the hdbinst command as the root user.

Check the installed files in the /usr/sap/<SID>/hdbclient location.


5. Set the PATH & LD_LIBRARY_PATH variables in the sapenv.sh & sapenv.csh files

Check the environment as the <sid>adm user by opening a new session.

Note: Restart (bounce) the SAP GRC application.


6. Connectivity test from GRC to HANALIVE DB

A. Check the GRC system connectivity from the hdbsql prompt

B. Check the connection from GRC application level

Create the connection user GRC_DBCO_PI in the HANALIVE DB with the required privileges (for the connection test you can use any existing user, e.g. SYSTEM).

Later you can create this user with the plug-in role (this role arrives after plug-in deployment in the HANALIVE DB; see section 9) for the permanent connection.

Create the DB connection from GRC through transaction code DBCO.

7. Deploy the Delivery Unit with content for the SAP HANA plug-in for GRC integration with HANA

  1. Start HANA Studio and open the Modeler perspective.
  2. Add the system (where HCO_GRC_PI will be deployed) in HANA Studio by providing Host Name, Instance Number, Description, HANA User ID and Password.
     Note: Use SYSTEM or any HANA user with proper authorizations as the User ID to connect to the HANA system where HCO_GRC_PI will be deployed. Mandatory, no exceptions.
  3. After system registration is completed and the connection is verified, use the “Select System” button in the Modeler perspective to select the system you registered in the previous step.
  4. In the same Modeler perspective, click the “Import” link located under the “Content” label and, in the open dialog, select “Delivery Unit” under SAP HANA Content and click the “Next” button.
  5. In the opened window, select the file location as “Client” and use the “Browse” button to navigate to the location where you saved the SAP HANA plug-in file you downloaded from SMP.
     Note: You may need to use SAPCAR to extract the Delivery Unit file with extension .TGZ from the archive you downloaded from SMP.
  6. When the .TGZ file is selected, you will see the Delivery Unit details in the Object import simulation.
  7. Click the “Finish” button to complete the Delivery Unit deployment and object activation process.
  8. Verify the deployment by navigating in the “Modeler” perspective to “SAP HANA Systems”, where you registered the HANA server.
  9. Expand from the Content node the packages sap –> grc –> pi –> ac; under the ac package you should be able to see two packages, ara with 16 sql objects and arq with 11 sql objects, and db with 2 objects and roles with 1 object.
  10. At this point the Delivery Unit was deployed successfully.

Now go to HANA Studio and log in to the HLR system with the Modeler perspective: open the Modeler perspective and select Delivery Unit.

Select the HANALIVE DB system.

Browse to the downloaded HCO_GRC_PI plug-in software and click Finish.

Check the job log once the import is finished.

8. Install HANA Integration API to the SYSTEM catalog by using HANA Studio


In the main window of HANA Studio, click the Perspective button and select SAP HANA Development.

Go to Repositories.

Select the HANALIVE DB system, right-click it and choose ‘Create Repository Workspace’.

Give the workspace the name HCO_GRC_PI and click the Finish button.

Expand from the Content node the packages sap –> grc –> pi –> ac; under the ac package two packages are there, ara with 16 sql objects and arq with 11 sql objects, and db with 2 objects and roles with 1 object.

At this point the Delivery Unit was deployed successfully.

For each file in the ara package:

  a. Double-click the first sql file in the ara package so that it opens in the SQL Editor.
  b. Right-click in the editor window, click “Choose Connection” and, in the open window, select the same HANA system you registered above.
  c. Click “Execute” or press F8 to create the stored procedure for the selected HANA API in the SAP_PI_GRC catalog.
  d. Repeat steps a to c for the rest of the sql files in the ara package.
  e. Repeat steps a to c for all of the sql files in the arq package, only in the following order / sequence:
     1. All sql files whose names start with is_… and ins_…, in any order.
     2. The two sql files whose names start with Grant_… and Revoke_…, in any order.

Create the GRC_DBCO_PI user in the HANALIVE DB system.

Set permanent password – ***************

9. Configure SAP GRC 10.1 central system with HANA integration

  1. Create new user (For Example: GRC_DBCO_PI) and grant to this user role sap.grc.pi.ac.roles::SAP_GRC_PI_ADMIN activated in the step 1.
  2. Activate new user created in the step 1.
  3. Reset new user password to the permanent password by logging with this user in the HANA Studio.
  4. Use newly created GRC_DBCO_PI user in steps above for DBCO configuration in the SAP GRC 10.1 Central system.
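
The user and role steps above, written as SQL for the HANA SQL console. This is an added example, not part of the original guide or of SAP's delivered content. It assumes the plug-in role is already activated, and the password is a placeholder.

```sql
-- Added example: dedicated technical user for the DBCO connection, so the
-- permanent GRC connection does not run as SYSTEM.

-- 1. Create the connection user. "<InitialPassword>" is a placeholder; pick a
--    value that satisfies the password policy of this database.
CREATE USER GRC_DBCO_PI PASSWORD "<InitialPassword>";

-- 2. Grant the repository role delivered with HCO_GRC_PI. Activated
--    (design-time) roles are granted through the _SYS_REPO procedure,
--    not with a plain GRANT statement.
CALL "_SYS_REPO"."GRANT_ACTIVATED_ROLE"(
    'sap.grc.pi.ac.roles::SAP_GRC_PI_ADMIN', 'GRC_DBCO_PI');

-- 3. Confirm that the plug-in role is the only role added on top of the
--    defaults every new user receives.
SELECT ROLE_NAME, GRANTOR
  FROM GRANTED_ROLES
 WHERE GRANTEE = 'GRC_DBCO_PI';

-- 4. Review what those roles resolve to. Keep this output as the baseline
--    for later access reviews of the connection user.
SELECT PRIVILEGE, OBJECT_TYPE, SCHEMA_NAME, OBJECT_NAME
  FROM EFFECTIVE_PRIVILEGES
 WHERE USER_NAME = 'GRC_DBCO_PI';

-- 5. Check the account state before entering the user in DBCO.
--    PASSWORD_CHANGE_NEEDED stays 'TRUE' until the initial password has been
--    replaced by logging on once as the user (step 3 of the list above).
SELECT USER_NAME, USER_DEACTIVATED, PASSWORD_CHANGE_NEEDED
  FROM USERS
 WHERE USER_NAME = 'GRC_DBCO_PI';
```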

Create a Logical RFC – HLR for HANALIVE system:

From SPRO, check the connector: Display IMG -> SAP Customizing Implementation Guide -> Governance, Risk & Compliance -> Common Component Settings -> Integration Framework -> Maintain Connection and Connection Types


Validate the GRC to HANA DB connection from transaction SA38 of the GRC system with program ADBC_TEST_CONNECTION.


This completes all configuration for GRC & HANA DB integration.


10. APPENDIX

We have followed SAP note -> 1869912 – SAP GRC 10.1 Plug-In SAP HANA, SAP HANA Content for all required configuration (check the latest version of the SAP note from market place).


      8 Comments
      Former Member

      Hello,

      Thank you for the post. We are in the process of implementing this.

      Do you know if HANA provisioning works with GRC connected to CUA ?

      Regards,

      Christian

      Narsimha Katipally

      Hello Christian,

      I’m currently encountering the same scenario where we are trying to provision to HANA DB through GRC application with CUA integrated.

      We currently have CUA activated in our landscape and our provisioning through GRC happens via CUA for all the current target systems. Let us know how you have handled this scenario?

      Thanks

      Mate Marot

      This blog now contains outdated information. If you would like to implement a HANA Plugin, please follow Note 2589878 - "Installing or upgrading HANA GRC Plug-in", for the latest and updated information.

      Himanshu Agrawal

      Hi Pallabh,

       

      Thanks for document. It is of great help.

      I got plugin installed in SYSTEM DB and able to see repository and extract content in Catalog.

      My doubt is, do we need to install plugin in TENANT DB or is there any way we can leverage content from SYSTEM DB into TENANT DB.

       

       

       

      Mate Marot

      Each and every tenant (including SYSDB) needs to be considered as a separate system in GRC, hence you need to implement the HANA Plugin in each of them, and you also need to configure it in GRC as a new connector.

      Himanshu Agrawal

      Thank you Mate.

       

      I have another question in same context.

       

      I have enabled GRC for Access Setup in HDB, now when my user is setup, users get password on mail along with confirmation.

      The password which they get doesn't work.

      Could you please guide me, where I can configure password in GRC for HDB provisioning so that password which users receive on mail for HDB actually works.

      Himanshu Agrawal

      Hi Experts,

       

      I have enabled GRC for Access Setup in HDB, now when my user is setup, users get password on mail along with confirmation.

      The password which they get doesn't work.

      Could you please guide me, where I can configure password in GRC for HDB provisioning so that password which users receive on mail for HDB actually works.

      Mate Marot

      Hi Himanshu,

      There is no such configuration. For HDB, GRC generates a password using a standard hard-coded length and character elements, and afterwards it alters the user's password. If the password does not work, that could be because a password policy is stricter and the password does not meet the criteria, hence the password change failed at HANA level, or the users are trying to log on to the wrong tenant. Also, JDBC/ODBC logon can be disabled or password logon is not enabled. These are the most common root causes. If all of them are fine, please open an SAP Case/Incident.
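
The root causes listed in the reply above can each be checked from the HANA SQL console. The queries below are an added example, not part of the thread or of SAP's plug-in; `<PROVISIONED_USER>` is a placeholder, and reading "JDBC/ODBC logon disabled" as a restricted user without the client access roles is an assumption covering one way that situation arises.

```sql
-- Added example: run in the database the GRC connector points at, as a user
-- who may read these system views.

-- Wrong tenant: confirm which database this session is connected to and
-- compare it with the database the end user logs on to.
SELECT DATABASE_NAME FROM M_DATABASE;

-- Password policy: the rules the GRC-generated password has to satisfy here
-- (minimum length, required character classes and so on).
SELECT PROPERTY, VALUE FROM M_PASSWORD_POLICY;

-- Account state of the provisioned user.
--   IS_PASSWORD_ENABLED = 'FALSE'   -> password logon is not enabled
--   PASSWORD_CHANGE_TIME unchanged  -> the password change did not take
--                                      effect at HANA level
--   USER_DEACTIVATED = 'TRUE'       -> account is locked or deactivated
SELECT USER_NAME,
       IS_PASSWORD_ENABLED,
       PASSWORD_CHANGE_TIME,
       PASSWORD_CHANGE_NEEDED,
       USER_DEACTIVATED,
       INVALID_CONNECT_ATTEMPTS,
       LAST_INVALID_CONNECT_ATTEMPT,
       IS_RESTRICTED
  FROM USERS
 WHERE USER_NAME = '<PROVISIONED_USER>';

-- Assumption: if IS_RESTRICTED is 'TRUE', the user can only connect over
-- JDBC/ODBC when one of these standard roles has been granted.
SELECT ROLE_NAME
  FROM GRANTED_ROLES
 WHERE GRANTEE = '<PROVISIONED_USER>'
   AND ROLE_NAME IN ('RESTRICTED_USER_JDBC_ACCESS',
                     'RESTRICTED_USER_ODBC_ACCESS');
```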