This document walks through a common example: how to connect SAP GRC Access Control to Microsoft Active Directory. SAP note 1584110 and the GRC SCN WIKI provide instructions on how to configure the LDAP connector in Access Control 10.X releases. The LDAP connector can be used as a user data source in GRC and also for provisioning to AD. This post explains group field and group parameter mapping when Active Directory sits behind the LDAP connector.

The key success factor is to be familiar with the ‘Find’ operation in the LDAP transaction and to know the search filter syntax, the LDAP attributes and the Active Directory schema. With that, your own customizing can be created following the guidelines below.

[Screenshot: /wp-content/uploads/2016/05/ldap_945009.png]

[Screenshot: /wp-content/uploads/2016/05/group_parameter_945864.png]

Starting with group parameter mapping: it determines the objectclass corresponding to users and roles in the LDAP directory, as well as the member attribute of the groups. In Active Directory the group is the counterpart of the role in GRC and is maintained as ‘Roles:OC’. To search for users only in the access request, map ‘User:OC’ to ‘user’ in group parameter mapping and assign the custom objectclass attributes to the LDAP connector: ‘OBJECTCLASS1’ with value ‘(OBJECTCLASS=USER)’ and ‘OBJECTCLASS2’ with value ‘(OBJECTCATEGORY=PERSON)’. See also KBA notes 2311746 and 2312009.

[Screenshot: /wp-content/uploads/2016/05/conn_attribute_949730.png]

[Screenshot: /wp-content/uploads/2016/05/group_field_942937.png]

In group field mapping the AC field names are the standard ones, including custom fields. Here you can assign the suitable LDAP attributes to fit any environment. Most of these AC field names correspond to fields of the user details tab in the access request, which can also be customized in EUP. See the following screenshot:

[Screenshot: /wp-content/uploads/2016/05/ac_fields_942374.png]

Based on the User Object User Interface Mapping of Microsoft Active Directory, the following example is an ordinary group field mapping to be maintained in SAP GRC Access Control 10.X. Make sure the field mapping is in upper case!

AC Field Name    System Field Name
BUILDING         PHYSICALDELIVERYOFFICENAME
COMPANY          COMPANY
DEPARTMENT       DEPARTMENT
DESCRIPTION      DESCRIPTION
EMAIL            MAIL
FIRSTNAME        GIVENNAME
FUNCTION         TITLE
LASTNAME         SN
LOCATION         L
MANAGERID        MANAGER
MEMBER_OF        MEMBEROF
ROLE_NAME        CN
TELEPHONE        TELEPHONENUMBER
USERID           SAMACCOUNTNAME
VALIDTO          ACCOUNTEXPIRES

The AC field ‘ROLE_NAME’ has to be mapped to the attribute that represents the name of the AD groups. It can be mapped either to ‘CN’, meaning common name, or to ‘NAME’, meaning relative distinguished name in Active Directory. The mapping of ‘DESCRIPTION’ stands for the role description in the backend system, which is displayed in the access request and in existing assignments. Together with the objectclass maintained in Roles:OC, these attributes are used by the role repository sync to retrieve roles (AD groups) from LDAP. ‘MEMBER_OF’ is mapped to ‘MEMBEROF’; this attribute is needed to fetch user-role relationships during the repository object sync.

[Screenshot: /wp-content/uploads/2016/05/testuser1_944809.png]

The AC field ‘VALIDTO’ can be mapped to the ‘ACCOUNTEXPIRES’ attribute, so that the expiry date of the account is considered in the access request when adding systems, provided the LDAP connector is set as the user detail data source. For this to work correctly, SAP note 2275679 needs to be implemented in the GRC system.
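As an added example (my own Python, not code from this post or from SAP), the following applies the group field mapping above to constructed AD entries the way the user sync would: it keeps only person accounts as the two objectclass connector attributes do, turns memberOf DNs into role names via CN, and converts accountExpires (a Windows FILETIME, where 0 and 0x7FFFFFFFFFFFFFFF mean "never expires") into the VALIDTO date. Function names and the sample entries are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
# Group field mapping from the post (AC field -> AD attribute, upper case as GRC expects).
GROUP_FIELD_MAPPING = {"USERID": "SAMACCOUNTNAME", "FIRSTNAME": "GIVENNAME", "LASTNAME": "SN",
                       "EMAIL": "MAIL", "MEMBER_OF": "MEMBEROF", "VALIDTO": "ACCOUNTEXPIRES"}
# accountExpires is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC;
# both 0 and 0x7FFFFFFFFFFFFFFF mean "account never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}

def account_expires_to_date(value):
    """ISO date for the AC field VALIDTO, or None when the account never expires."""
    ticks = int(value)
    if ticks in NEVER_EXPIRES:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).date().isoformat()

def is_user_object(entry):
    """Selection made by OBJECTCLASS1=(OBJECTCLASS=USER) and OBJECTCLASS2=(OBJECTCATEGORY=PERSON):
    person accounts pass, computer accounts (also objectClass user) do not."""
    classes = {c.upper() for c in entry.get("OBJECTCLASS", [])}
    category = entry.get("OBJECTCATEGORY", [""])[0].upper()
    return "USER" in classes and category.startswith("CN=PERSON")

def role_name_from_group_dn(dn):
    """ROLE_NAME is mapped to CN, so the role name is the first RDN value of the group DN."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def map_user(entry):
    """AC user details record for one AD entry (attribute keys given in upper case)."""
    user = {f: entry.get(a, [None])[0] for f, a in GROUP_FIELD_MAPPING.items()}
    # MEMBER_OF carries the user-role relationships fetched during repository sync.
    user["MEMBER_OF"] = sorted(role_name_from_group_dn(dn) for dn in entry.get("MEMBEROF", []))
    user["VALIDTO"] = account_expires_to_date(user["VALIDTO"]) if user["VALIDTO"] else None
    return user

def sync_users(entries):
    """Only user objects, keyed by USERID, as the sync would hand them over to GRC."""
    return {u["USERID"]: u for u in (map_user(e) for e in entries if is_user_object(e))}

# Constructed sample entries (not real directory data): one person and one computer account.
SAMPLE_ENTRIES = [
    {"OBJECTCLASS": ["top", "person", "organizationalPerson", "user"], "SAMACCOUNTNAME": ["testuser1"],
     "OBJECTCATEGORY": ["CN=Person,CN=Schema,CN=Configuration,DC=example,DC=com"],
     "GIVENNAME": ["Test"], "SN": ["User"], "MAIL": ["testuser1@example.com"],
     "MEMBEROF": ["CN=SAP_MM_PUR,OU=Groups,DC=example,DC=com", "CN=SAP_FI_AP,OU=Groups,DC=example,DC=com"],
     "ACCOUNTEXPIRES": ["131276160000000000"]},  # FILETIME value for 2016-12-31
    {"OBJECTCLASS": ["top", "person", "organizationalPerson", "user", "computer"],
     "OBJECTCATEGORY": ["CN=Computer,CN=Schema,CN=Configuration,DC=example,DC=com"],
     "SAMACCOUNTNAME": ["WS01$"], "ACCOUNTEXPIRES": ["9223372036854775807"]},
]
```

Running `sync_users(SAMPLE_ENTRIES)` returns only testuser1, with roles SAP_FI_AP and SAP_MM_PUR and VALIDTO 2016-12-31; the computer account is filtered out just as the objectCategory filter would drop it in the connector.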

[Screenshot: /wp-content/uploads/2016/05/validto_944813.png]

When in Active Directory the users and/or groups reside in a particular organizational unit, the ‘USER PATH’ and/or ‘GROUP PATH’ attribute can be assigned to the LDAP connector. This also improves performance, as the whole domain is then no longer searched. The attribute value is the distinguished name of the OU; if it is longer than 30 characters, refer to KBA note 1995382.

[Screenshot: /wp-content/uploads/2016/05/ldap_ou_944253.png]

[Screenshot: /wp-content/uploads/2016/05/assign_attributes_944787.png]

Before starting to provision groups in Active Directory with SAP GRC, it is recommended to test the ‘Modify’ operation in the LDAP transaction. When both ‘Add’ and ‘Delete’ can be carried out successfully, GRC Access Control will be able to provision AD groups.

[Screenshot: /wp-content/uploads/2016/05/ldap2_945063.png]

After a successful full repository object sync, Active Directory groups can be imported into GRC either as roles or as groups, depending on whether they need to be subject to risk analysis. When imported as roles, non-PFCG authorizations can also be imported. See the example of setting the role or group type in RoleAttributesTemplate.txt:

[Screenshot: /wp-content/uploads/2016/05/template_945110.png]

[Screenshot: /wp-content/uploads/2016/05/import_945111.png]

Finally, check the imported roles and groups in ‘Role Maintenance’. These can be added in an access request if the role status is set to production and provisioning is allowed.

[Screenshot: /wp-content/uploads/2016/05/brm_945112.png]

I hope this document and the linked resources bring SAP GRC AC and MS Active Directory closer to each other.

Best Regards,

Zoltan Galik


7 Comments


  1. Manjunath Indrakumar

    Hi Zoltan,


    Very useful post. Thanks for sharing.

    Could you please provide more details on how to test the “modify” operation in LDAP tcode.


    Regards,

    Manju

    1. Zoltan Galik Post author

      Hi Manju,


      You enter LDAP transaction, select server and connector, then execute logon with option use system user. After successful logon all operations will be available. You select modify, fill out the fields like on the screenshot, then click execute.


      Regards,

      Zoltan

    1. Zoltan Galik Post author

      Hi Salim,


      This SNC name format is required for Kerberos, right? I had to think about how to achieve this in GRC, as the variables which can be used in EUP suit SNC names for Secude. Mapping can be maintained for AC field ‘SNCNAME’, which is easy if there is an LDAP attribute which contains the SNC name exactly. In case ‘SNCNAME’ is mapped to ‘USERPRINCIPALNAME’ from Active Directory, then it is still needed to add ‘p:’ before it. This could be done by an Enhancement implementation, creating a post-exit method to the method FILL_ADSTRUCTURE in the class CL_GRAC_AD_ACCESS_MGMT_LDAP, in my opinion.


      Best Regards,

      Zoltan

      1. Salim Assaf

        Yes – it is for Kerberos. 


        For whatever reason, I was thinking we could use LDAPMAP to make this conversion. I will check with our developers to make the required modifications. I really appreciate the response Zoltan!

