
In SAP GRC Access Control it is common practice to provision the SNC name via an access request. As the SNC name is different for each user, the core question is how to populate the correct SNC name in the access request form so that it is provisioned to the plug-in SAP systems. The SNC name in SU01 is the name recognized by the external security software and is also known as the printable name. Besides the length limitation of SNC names, the printable name has a different format for SECUDE and for Kerberos.

Example for SECUDE printable SNC-Name: p:CN=TESTUSER, O=SAP-AG, C=DE

This scenario uses End User Personalization (EUP) for the SNC name in the access request. The default value of the SNC name in EUP can contain the following variables, which are replaced at provisioning with their corresponding values:

#!#COMPANY#!#
#!#DEPARTMENT#!#
#!#EMAIL#!#
#!#EMPLOYEETYPE#!#
#!#FIRSTNAME#!#
#!#FUNCTIONALAREA#!#
#!#LASTNAME#!#
#!#LOCATION#!#
#!#TELEPHONE#!#
#!#USERID#!#
#!#USERID_L#!# (USERID in lower case)

EUP1.png

The SNC name can be assembled from one or more variables, depending on which parts of the string have fixed values in the environment, for example:

p:CN=#!#USERID#!#, O=SAP-AG, C=DE

p:CN=#!#USERID#!#, O=#!#COMPANY#!#, C=#!#LOCATION#!#

Each variable has an equivalent AC field, which has to be filled from the user detail data source. If an LDAP connector is used as the data source, the group field mapping needs to be maintained.

For the above example using Microsoft Active Directory:

‘USERID’ mapped to ‘SAMACCOUNTNAME’

‘COMPANY’ mapped to ‘COMPANY’

‘LOCATION’ mapped to ‘C’

AR1.png

Example for Kerberos 5 printable SNC-Name: p:TESTUSER@DEV61.DEV-WDF.SAP.CORP

Although the default value of the SNC name in EUP can be set to p:#!#USERID#!#@DEV61.DEV-WDF.SAP.CORP, another approach might be required. In the following scenario the LDAP connector is Microsoft Active Directory, and this LDAP connector has been maintained as the user detail data source in SAP GRC customizing.

AD1.png

Group field mapping can be maintained for the AC field ‘SNCNAME’, which is straightforward if there is an LDAP attribute that contains the SNC name exactly. When ‘SNCNAME’ is mapped to ‘USERPRINCIPALNAME’ from Active Directory, ‘p:’ still needs to be added in front of it. This can be done with an enhancement implementation: create a post-exit method for the method FILL_ADSTRUCTURE of the class CL_GRAC_AD_ACCESS_MGMT_LDAP. This WIKI provides guidance on how to create a simple enhancement:

/wp-content/uploads/2016/05/class_960788.png

  METHOD ipo_z_snc~fill_adstructure.
*"----------------------------------------------------------------------*
*" Declaration of POST-method, do not insert any comments here please!
*"
*"methods FILL_ADSTRUCTURE
*"  importing
*"    !IV_GROUP_MAP type GRAC_T_GRPFLDMAP
*"    !IV_VALUE_TABLE type CL_GRAC_AD_ACCESS_MGMT_LDAP=>YT_SYSTEM_FIELD_VALUE
*"  changing
*"    !ES_USER_DETAIL type GRAC_S_USER_DETAIL .
*"----------------------------------------------------------------------*
    FIELD-SYMBOLS <fs_snc> TYPE grac_s_user_snc.

*   ES_USER_DETAIL already holds the mapped LDAP attributes; point the
*   field symbol at its SNC substructure.
    ASSIGN COMPONENT 'snc' OF STRUCTURE es_user_detail TO <fs_snc>.

    IF sy-subrc = 0.
*     Only touch the name when the mapped USERPRINCIPALNAME was actually
*     delivered; otherwise a bare 'p:' would be provisioned to SU01.
      IF <fs_snc>-pname IS NOT INITIAL.
*       Forces upper case; omit this line if mixed-case SNC names are needed.
        TRANSLATE <fs_snc>-pname TO UPPER CASE.
*       Prefix the 'p:' marker that SU01 expects in front of a printable name.
        CONCATENATE 'p:' <fs_snc>-pname INTO <fs_snc>-pname.
      ENDIF.
    ENDIF.

    UNASSIGN <fs_snc>.
  ENDMETHOD.

With this enhancement in place, the Kerberos SNC name is fetched into the access request from the User-Principal-Name attribute of Active Directory.

AR2.png
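As an added illustration that is not part of the original post or of SAP's own code, the following Python models both provisioning paths described above: filling the AC fields from an AD record through the group field mapping, expanding an EUP default such as p:CN=#!#USERID#!#, O=#!#COMPANY#!#, C=#!#LOCATION#!#, and prefixing 'p:' to the user principal name as the FILL_ADSTRUCTURE post-exit does; check_snc_name is a pre-provisioning sanity check. The AD record, the attribute spellings and the 255-character limit are assumptions.

```python
import re

# Placeholder syntax of GRC End User Personalization defaults, e.g. #!#USERID#!#.
_VAR = re.compile(r"#!#([A-Z_]+)#!#")

# Group field mapping AC field -> AD attribute, as described on the page.
AD_MAPPING = {"USERID": "sAMAccountName", "COMPANY": "company",
              "LOCATION": "c", "SNCNAME": "userPrincipalName"}

# Constructed AD record for a fictitious user (not from a real directory).
AD_USER = {"sAMAccountName": "TestUser", "company": "SAP-AG", "c": "DE",
           "userPrincipalName": "TestUser@DEV61.DEV-WDF.SAP.CORP"}

SNC_MAX_LEN = 255  # assumption: width of the SU01 SNC name field


def ac_fields(ad_record, mapping=AD_MAPPING):
    """Fill the AC fields through the mapping; USERID_L is the lower-case
    twin of USERID that EUP offers as its own variable."""
    fields = {ac: ad_record.get(attr, "") for ac, attr in mapping.items()}
    fields["USERID_L"] = fields.get("USERID", "").lower()
    return fields


def expand_eup_default(template, fields):
    """Replace each #!#VAR#!# with its AC field value. A variable without a
    value is left as-is so the gap is visible instead of a silently
    truncated SNC name being provisioned."""
    return _VAR.sub(lambda m: fields.get(m.group(1)) or m.group(0), template)


def kerberos_snc_from_upn(upn, to_upper=True):
    """Model of the FILL_ADSTRUCTURE post-exit: 'p:' + userPrincipalName.
    to_upper mirrors TRANSLATE ... TO UPPER CASE on the page; pass False
    to keep mixed-case principal names."""
    if not upn:
        return ""  # never provision a bare 'p:' when the UPN is missing
    return "p:" + (upn.upper() if to_upper else upn)


def check_snc_name(name):
    """Sanity checks before provisioning; returns a list of findings."""
    problems = []
    if not name.startswith("p:") or len(name) <= 2:
        problems.append("missing p: prefix or empty printable name")
    if "#!#" in name:
        problems.append("unexpanded EUP variable")
    if len(name) > SNC_MAX_LEN:
        problems.append("exceeds SNC name length limit")
    return problems
```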

Best Regards,

Zoltan Galik


9 Comments


  1. Salim Assaf

    Hi Zoltan,

    This works great.  I also tried to use this same method to update the “Communication Method” field.  This seemed to work fine for regular access request, but I noticed this value was getting removed when using HR Triggers.

    Would you happen to have any suggestions?  I checked the settings in “Maintain Settings for HR trigger” & “Maintain User Defaults”, and there are no options to set a default communication method.  EUP settings also don’t apply to HR Triggers, so that is not an option.

    Any help would be greatly appreciated.

    Thanks,

    Salim Assaf

      1. Salim Assaf

        Thanks for pointing me in the right direction. I realized the Communication Method (COMM_TYPE) variable is not present in the cl_grac_hr_trigger=>fill_reqowner_user_data method. When I debugged & modified that variable it appears to work fine.

      2. Sujan Kumar

        Hi Zoltan,

        Our SNC name has both upper case and lower case. So is there way to enable GRC provision mixed case to SNC field in SU01?

        Appreciate your guidance.

        Thanks,

        Sujan

        1. Salim Assaf

          Sujan,

          The field mapping for the SNCNAME field should be to the SAMACCOUNTNAME which should get you the case sensitive results.

          Also, in the method, make sure you don’t have the “Translate <fs_snc>-pname to UPPER CASE”, as I would assume that could possibly cause your issue as well.

          Thanks,

          Salim

          1. Sujan Kumar

            Thanks Salim, but mapping samaccountname will only pull user ID but not the domain extension. We need something like “p:userid@example.com” in the SNC name.

            Mapping the field SAP_USER_ID in LDAP also converts the user ID field into case sensitive, but when provisioning to the SNC field in SU01, GRC is converting all characters to upper case.

            I tried maintaining SNC name field within EUP field settings, but no luck.

            Please advise.

