SNC Name in Access Request
In SAP GRC Access Control it is common practice to provision the SNC name via Access Request. As the SNC name is different for each user, the core question is how to populate the correct SNC name in the Access Request form so that it is provisioned to the plug-in SAP systems. The SNC name in SU01 is the name recognized by the external security software and is also known as the printable name. Besides the length limitation of SNC names, the printable name has a different format for SECUDE and for Kerberos.
Example for SECUDE printable SNC-Name: p:CN=TESTUSER, O=SAP-AG, C=DE
This scenario uses End User Personalization (EUP) for the SNC name in the access request. The default value of the SNC name in EUP can contain the following variables, which are replaced at provisioning with their corresponding values.
#!#COMPANY#!#
#!#DEPARTMENT#!#
#!#EMAIL#!#
#!#EMPLOYEETYPE#!#
#!#FIRSTNAME#!#
#!#FUNCTIONALAREA#!#
#!#LASTNAME#!#
#!#LOCATION#!#
#!#TELEPHONE#!#
#!#USERID#!#
#!#USERID_L#!# (USERID in lower case)
The SNC name can be assembled from one or more variables, depending on which parts of the string have fixed values in the environment:
p:CN=#!#USERID#!#, O=SAP-AG, C=DE
p:CN=#!#USERID#!#, O=#!#COMPANY#!#, C=#!#LOCATION#!#
The variables have equivalent AC fields, which have to be filled from the user detail data source. If the LDAP connector is used as data source, group field mapping needs to be maintained. For the above example using Microsoft Active Directory:
‘USERID’ mapped to ‘SAMACCOUNTNAME’
‘COMPANY’ mapped to ‘COMPANY’
‘LOCATION’ mapped to ‘C’
Example for Kerberos 5 printable SNC-Name: p:TESTUSER@DEV61.DEV-WDF.SAP.CORP
Even though the default value of the SNC name in EUP can be set as p:#!#USERID#!#@DEV61.DEV-WDF.SAP.CORP, another approach might be required. In the following scenario the LDAP connector is Microsoft Active Directory and this LDAP connector has been maintained as user detail data source in SAP GRC customizing.
Group field mapping can be maintained for the AC field ‘SNCNAME’, which is easy if there is an LDAP attribute that contains the SNC name exactly. When ‘SNCNAME’ is mapped to ‘USERPRINCIPALNAME’ from Active Directory, the prefix ‘p:’ still has to be added in front of it. This can be done with an enhancement implementation, creating a post-exit method for the method FILL_ADSTRUCTURE in the class CL_GRAC_AD_ACCESS_MGMT_LDAP. The SCN WIKI on enhancement implementations provides guidance on how to create a simple enhancement.
METHOD ipo_z_snc~fill_adstructure.
*"----------------------------------------------------------------------*
*" Declaration of POST-method, do not insert any comments here please!
*"
*"methods FILL_ADSTRUCTURE
*"  importing
*"    !IV_GROUP_MAP type GRAC_T_GRPFLDMAP
*"    !IV_VALUE_TABLE type CL_GRAC_AD_ACCESS_MGMT_LDAP=>YT_SYSTEM_FIELD_VALUE
*"  changing
*"    !ES_USER_DETAIL type GRAC_S_USER_DETAIL .
*"----------------------------------------------------------------------*
  " Point to the SNC substructure of the user detail already filled by the core method
  FIELD-SYMBOLS <fs_snc> TYPE grac_s_user_snc.
  ASSIGN COMPONENT 'snc' OF STRUCTURE es_user_detail TO <fs_snc>.
  IF sy-subrc = 0.
    " PNAME holds the mapped userPrincipalName; normalize it and add the 'p:' prefix
    TRANSLATE <fs_snc>-pname TO UPPER CASE.
    CONCATENATE 'p:' <fs_snc>-pname INTO <fs_snc>-pname.
  ENDIF.
  UNASSIGN <fs_snc>.
ENDMETHOD.
With this post-exit, the SNC name for Kerberos is fetched into the access request from the User-Principal-Name attribute of Active Directory.
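As an added illustration (not SAP code and not from the original post), the following Python model shows the two paths described above: resolution of the #!#VAR#!# placeholders in an EUP default value through the group field mapping, and the post-exit normalization that prefixes 'p:' to the mapped SNCNAME. The AD attribute values are constructed, and the function names, the SNCNAME mapping and the optional upper_case/domain_suffix parameters are assumptions.

```python
import re

# Constructed sample AD entry (not real data) as returned by the LDAP connector.
AD_USER = {
    "sAMAccountName": "TestUser",
    "company": "SAP-AG",
    "c": "DE",
    "userPrincipalName": "TestUser@DEV61.DEV-WDF.SAP.CORP",
}

# Group field mapping from the post: AC field -> AD attribute (SNCNAME assumed).
GROUP_FIELD_MAPPING = {
    "USERID": "sAMAccountName",
    "COMPANY": "company",
    "LOCATION": "c",
    "SNCNAME": "userPrincipalName",
}

PLACEHOLDER = re.compile(r"#!#([A-Z_]+)#!#")

def ac_fields(ad_entry, mapping):
    """Fill the AC user detail fields from the mapped AD attributes."""
    return {ac: ad_entry.get(attr, "") for ac, attr in mapping.items()}

def resolve_eup_default(template, fields):
    """Replace every #!#VAR#!# in an EUP default value with its AC field value.
    USERID_L is USERID in lower case; a variable without a value is rejected
    so that no half-filled SNC name reaches the plug-in system."""
    def substitute(match):
        var = match.group(1)
        value = fields.get("USERID", "").lower() if var == "USERID_L" else fields.get(var, "")
        if not value:
            raise ValueError(f"EUP variable {var} has no mapped value")
        return value
    return PLACEHOLDER.sub(substitute, template)

def fill_adstructure_post_exit(pname, upper_case=True, domain_suffix=""):
    """Model of the post-exit on FILL_ADSTRUCTURE: the post's version upper-cases
    the mapped value and prefixes 'p:'; upper_case=False plus a suffix models the
    mixed-case variant with a fixed domain appended (hypothetical parameters)."""
    if upper_case:
        pname = pname.upper()
    return "p:" + pname + domain_suffix

def is_printable_snc_name(name):
    """Accept the two printable forms shown on the page: SECUDE 'p:CN=...' and
    Kerberos 'p:user@REALM'. Anything without the 'p:' prefix is rejected."""
    body = name[2:] if name.startswith("p:") else ""
    return bool(body) and (body.startswith("CN=") or "@" in body)
```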
Best Regards,
Zoltan Galik
Hi Zoltan,
This works great. I also tried to use this same method to update the "Communication Method" field. This seemed to work fine for regular access request, but I noticed this value was getting removed when using HR Triggers.
Would you happen to have any suggestions? I checked the settings in "Maintain Settings for HR trigger" & "Maintain User Defaults", and there are no options to set a default communication method. EUP settings also don't apply to HR Triggers, so that is not an option.
Any help would be greatly appreciated.
Thanks,
Salim Assaf
Hi Salim,
Check the WIKI Debugging HR Trigger - GRAC_HR_TRIGGER_EVENT_RECIEVER - Governance, Risk and Compliance - SCN Wiki. Debugging HR trigger I would focus on the following methods to find the root cause: cl_grac_hr_trigger=>fill_request_structure ; cl_grac_hr_trigger=>fill_reqowner_user_data
Best Regards,
Zoltan
Thanks for pointing me in the right direction. I realized the Communication Method (COMM_TYPE) variable is not present in the cl_grac_hr_trigger=>fill_reqowner_user_data method. When I debugged & modified that variable it appears to work fine.
Hi Zoltan,
Our SNC name has both upper case and lower case. So is there a way to enable GRC to provision mixed case to the SNC field in SU01?
Appreciate your guidance.
Thanks,
Sujan
Sujan,
The field mapping for the SNCNAME field should be to the SAMACCOUNTNAME which should get you the case sensitive results.
Also, in the method, make sure you don't have the "TRANSLATE <fs_snc>-pname TO UPPER CASE", as I would assume that could possibly cause your issue as well.
Thanks,
Salim
Thanks Salim, but mapping samaccountname will only pull user ID but not the domain extension. We need something like "p:userid@example.com" in the SNC name.
Mapping the field SAP_USER_ID in LDAP also makes the user ID field case sensitive, but when provisioning to the SNC field in SU01, GRC converts all characters to upper case.
I tried maintaining SNC name field within EUP field settings, but no luck.
Please advise.
The method could be adjusted for the domain extension as shown below.
CONCATENATE 'p:' <fs_snc>-pname '@DOMAIN.COM' INTO <fs_snc>-pname.
Thank you Salim, this resolved our issue. We updated the method and now we are able to provision SNC name in mixed case 🙂
Regards,
Sujan
Hi
If the sAM name (as mentioned in blue font) is to be fetched, what enhancement needs to be done?
Thanks