Connecting SAP GRC AC 10.X to Microsoft Active Directory
This document contains a common example, how to connect SAP GRC Access Control to Microsoft Active Directory. SAP note 1584110 and GRC SCN WIKI provides instructions on how to configure LDAP connector in Access Controls 10.X releases. The LDAP connector can be used as user data source in GRC and also for provisioning to AD. Let’s explain group field and parameter mapping, when there is Active Directory behind the LDAP connector.
Key success factor is to be familiar with ‘Find’ operation in the LDAP transaction and know search filter syntax, LDAP attributes and the Active Directory Schema. Own customizing can be created following the guidelines below.
Leaving the requested attributes blank will retrieve all attributes of the filtered objects. Base entry should be the distinguished name of the root node of the directory tree. If there is no result in LDAP transaction, data cannot be fetched by GRC either. Check LDAPRC error codes in SAP note 511141.
Starting with group parameter mapping, it determines the corresponding objectclass to users and roles in the LDAP directory, as well as the member attribute of the groups. In Active Directory group is the counterpart of role in GRC and maintained as ‘Roles:OC’. To search for users only in access request, map ‘User:OC’ to ‘user’ in group parameter mapping and assign the custom objectclass attributes to the LDAP connector, as ‘OBJECTCLASS1’ with value ‘(OBJECTCLASS=USER)’ and ‘OBJECTCLASS2’ with value ‘(OBJECTCATEGORY=PERSON)’. See also KBA notes 2311746 and 2312009.
In group field mapping the AC field names are the standard including custom fields. Here you can assign the suitable LDAP attributes to fit any environment. Most of these AC field names are corresponding to fields of the user details tab in the access request, which can be also customized in EUP. See on the following screenshot:
Based on User Object User Interface Mapping of Microsoft Active Directory, following example is an ordinary group field mapping to be maintained in SAP GRC Access Control 10.X. Make sure field mapping is in upper case!
|AC Field Name||System Field Name|
The AC field ‘ROLE_NAME’ has to be mapped to the attribute, which represents the name of the AD groups. It can be mapped ether to ‘CN‘ meaning common-name or to ‘NAME‘ meaning relative distinguished name in Active Directory. Mapping of ‘DESCRIPTION‘ stands for role description in backend system, which is displayed in access request and existing assignments. With the objectclass maintained in Roles:OC these attributes will be used by role repository sync to retrieve roles (AD groups) from LDAP. ‘MEMBER_OF’ is mapped to ‘MEMBEROF‘, this attribute is needed to fetch user – role relationships during repository object sync.
AC field ‘VALIDTO’ can be mapped to ‘ACCOUNTEXPIRES‘ attribute, so the expiry date of the account will be considered in the access request adding systems, when LDAP connector is set as user detail data source. To get this correctly working SAP note 2275679 needs to be implemented in the GRC system.
When in Active Directory the users and/or groups reside in a particular organizational unit, ‘USER PATH’ and/or ‘GROUP PATH’ attribute can be assigned to the LDAP connector. This will improve performance also, as in this case not the whole domain will be searched. Attribute value is the distinguished name of the OU, if it is longer than 30 characters, refer to KBA note 1995382.
Before starting to provision groups in Active Directory with SAP GRC, it is recommended to test the ‘Modify’ operation in LDAP transaction. When both ‘Add’ and ‘Delete’ could be carried out successfully, then GRC Access Control will be able to provision AD groups.
After successful full repository object sync, Active Directory groups can be imported in GRC either as roles or as groups, depending on if they need to be subject to risk analysis. Being imported as roles, non-PFCG authorizations can be also imported. See example to set role or group type in RoleAttributesTemplate.txt:
Finally check the imported roles and groups in ‘Role Maintenance’. These can be added in access request if the role status is set to production and provisioning is allowed.
Hope this document and the linked resources could bring SAP GRC AC and MS Active Directory closer to each other.
Very useful post.Thanks for sharing.
Could you please provide more details on how to test the "modify" operation in LDAP tcode.
You enter LDAP transaction, select server and connector, then execute logon with option use system user. After successful logon all operations will be available. You select modify, fill out the fields like on the screenshot, then click execute.
Thanks for the clarification Zoltan
Is there a way to map the SNC field to active directory without using EUP? The issue I have is converting the system field name to the correct format "p:firstname.lastname@example.org"
This SNC name format is required for Kerberos, right? I had to think about how to achieve this in GRC, as the variables which can be used in EUP suit SNC names for Secude. Mapping can be maintained for AC field 'SNCNAME', which is easy if there is an LDAP attribute, which contains the SNC name exactly. In case 'SNCNAME' is mapped to 'USERPRINCIPALNAME' from Active Directory, then it is still needed to add 'p:' before it. This could be done by Enhancement implementation, creating a post-exit method to the method FILL_ADSTRUCTURE in the class CL_GRAC_AD_ACCESS_MGMT_LDAP in my opinion.
Yes - it is for Kerberos.
For whatever reason, I was thinking we could use LDAPMAP to make this conversion. I will check with our developers to make the required modifications. I really appreciate the response Zoltan!
I have created an article to provide detailed insight in SNC Name in Access Request
Great Article!! Can you please let me know if following action is possible using SAP GRC in MS AD, Also I would like to limit these action for user who exist on a specific folder within AD.
Yes, all the 3 activities mentioned are possible and in fact there were lot of bugs in LOCK and UNLOCK functionality and recently i have worked with SAP support to get most of the issues resolved.
Any response on my questions?
I am able to complete lock and unlock (although in SLGI log-Error in changing user in system) the users are getting locked or unlocked. My issues is validity date and password change of user. I have added SYSTEM and changed the validity of user and also changed the password but this is not working. Do you have similar issues or any guidance on how to resolve?
Also for password reset I maintained password manually into the scree shot above for ABAP system as well but it is not working, to reset password I added system in Change and Unlock action.In global provisioning I maintained Email as YES and added notification on stage not sure what is the issue.
We have configured for LDAP Group provisioning via GRC Access request,but we are receiving error message from plugin for system LDAP: " LDAP server cannot execute operation". Please advice.