Madhu Babu #MJ

SAP GRC 10.0/10.1/12.0 – Manual Provisioning for Non-SAP systems (e.g. ARIBA)

Purpose of the Document

The SAP GRC system has out-of-the-box integration with many SAP applications and also supports provisioning to HANA DB, LDAP and Enterprise Portal applications.

As technology changes rapidly and customers use applications built on many different technologies, it is always a challenge for the SAP GRC Access Control solution to support provisioning for Non-SAP systems. Integration with Non-SAP systems is also not straightforward and requires a certain level of customization both in the target applications and in the GRC system.

The purpose of this blog is to explain how user access provisioning to Non-SAP systems can be handled by the GRC system using the “Manual Provisioning” option in GRC, without spending effort on additional customization.

The details discussed below focus on the technical setup; for illustration I have used “ARIBA” as the target system being integrated with GRC.

Let’s see how you can set up this functionality and test it end to end in GRC 10/10.1/12.0 systems.

To enable manual provisioning for Non-SAP systems

Non-SAP Connector Setup

Create a connector in SM59 with connection type “L” (Logical Destination). For illustration purposes, I have used ARIBA as the connector name.

Non-SAP Connector Config Setup in GRC

Define the connector in the following IMG path. Connection type “FILE” will be used for the connector.

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connectors

Define connector groups in the following IMG path and assign the ARIBA connector to this connector group.

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types ->Define Connector Groups

Maintain Connection Settings

As a good practice, assign the connector to all available AC-related integration scenarios (ROLMG, SUPMG, AUTH, PROV).

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connection Settings

For the “AUTH” integration scenario, assign the “ARIBA” connector.

For the “PROV” integration scenario, assign the “ARIBA” connector.

For the “ROLMG” integration scenario, assign the “ARIBA” connector.

For the “SUPMG” integration scenario, assign the “ARIBA” connector.

Maintain Connector Settings

Maintain connector settings in the following path:

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connector Settings

Maintain Mapping for Actions and Connector Groups

In this configuration, you assign the actions to a connector group and then select the default connector for each group.

Configuring Logical and Physical paths for Non-SAP systems data upload

To enable manual provisioning and also to run risk analysis, the prerequisite is to load the User and Role data of your Non-SAP system into the GRC system.

For this data loading, we will follow the approach provided by SAP GRC for loading data for legacy systems.

Execute transaction FILE; the screen described below is displayed.

Define relevant Logical and Physical paths in the FILE transaction

The logical file name is the file path at operating-system level, which can be accessed using the “FILE” transaction.

The physical file name is the file path at application-server level, which can be accessed using the “AL11” transaction.

AL11 directories and associated paths

For all logical paths, maintain the same physical path. This means that all files needed for syncing the Non-SAP User and Role data must be uploaded to the same physical path.

Logical file name definition, cross-client – In this step you maintain logical file names for all clients. The definition of a logical file name comprises the following values: logical file name.

The file name highlighted in this configuration is the actual file name in which the Non-SAP data is maintained; the file is uploaded to the application server and can be viewed from AL11.

Configuring Logical file paths for Non-SAP system connectors

Maintain Connection Settings

In this configuration, you assign connectors to an integration scenario. The application uses the connectors to communicate with other systems in your landscape.

For the “AUTH” integration scenario, assign the “ARIBA” connector.

For the “AUTH” integration scenario, we need to maintain the logical paths defined in the previous step, as the corresponding User and Role data will be retrieved from the files in this path.

The following File ID naming convention must be followed while configuring the logical paths in the connector configuration, as these names are hard-coded in the corresponding program logic.

The file format and file content details (which fields are mandatory, optional, etc.) for the above-mentioned files follow the format specified in the following SAP Note:

1594963 – GRC Access Controls 10 – How to configure Legacy connectors

Example:

The following screenshot shows the “Get Action Info” method under class CL_GRAC_AD_AUTH_MGMT_FILE, where you can see the File ID name hard-coded. Note that SAP GRC has different classes for Authorization and Access Management depending on the connector type, such as RFC, HDB, LDAP, WS, FILE, IDM_OB, etc. The screenshot below is for the method of the FILE class:

Define the logical file path for User, Role, Profile, Action, Permission, User Action, User Permission, Role Action, Role Permission, Profile Action and Profile Permission. The logical path is then updated as shown below:

Prepare and Upload Non-SAP data text files to physical path

Sample files with content are shown below:

Actions File

User File

User Actions File

Role File

Role Actions File

For uploading the files to the application server, we will use the standard SAP function module “ARCHIVFILE_CLIENT_TO_SERVER”.

Execute the function module and provide the inputs:

Path: Local path where the files are stored on your PC

Target Path: Same as the physical path used while configuring the logical path in the FILE transaction

After executing the function module for all relevant files, all files will be uploaded to the application server.
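The sync jobs rely on the uploaded files referring to each other consistently (a user action must name an existing user and action, a role action an existing role and action). As an added example that is not part of the original post or any SAP code, the following Python script cross-checks a constructed set of these files before upload, using the user-group-to-role/action mapping applied later in the SoD section. The tab-separated "key fields first" layout and the dictionary keys are assumptions; the authoritative column layout is in SAP Note 1594963.

```python
import csv
import io

# Constructed sample content for the five files used on this page. The
# tab-separated layout and the file keys are ASSUMPTIONS; the authoritative
# format is in SAP Note 1594963. Mapping follows the SoD section of the post:
# an ARIBA user group becomes a GRC role and an action of the same name.
SAMPLE_FILES = {
    "ACTION": "RECEIVING_AGENT\tReceiving Agent\nINVOICE_APPROVER\tInvoice Approver\n",
    "USER": "USERA\tUser A\nUSERB\tUser B\n",
    "USERACTION": "USERA\tRECEIVING_AGENT\nUSERB\tPO_CREATOR\n",
    "ROLE": "RECEIVING_AGENT\tReceiving Agent\n",
    "ROLEACTION": "RECEIVING_AGENT\tRECEIVING_AGENT\nINVOICE_APPROVER\tINVOICE_APPROVER\n",
}


def parse_rows(text):
    """Split a tab-separated file body into rows, skipping blank lines."""
    return [row for row in csv.reader(io.StringIO(text), delimiter="\t") if row]


def check_legacy_files(files):
    """Return dangling references between the files; these surface after the
    sync jobs as roles or actions missing from the GRC repository."""
    actions = {r[0] for r in parse_rows(files["ACTION"])}
    users = {r[0] for r in parse_rows(files["USER"])}
    roles = {r[0] for r in parse_rows(files["ROLE"])}
    problems = []
    for user, action in parse_rows(files["USERACTION"]):
        if user not in users:
            problems.append(f"USERACTION: unknown user {user}")
        if action not in actions:
            problems.append(f"USERACTION: unknown action {action}")
    role_actions = parse_rows(files["ROLEACTION"])
    for role, action in role_actions:
        if role not in roles:
            problems.append(f"ROLEACTION: unknown role {role}")
        if action not in actions:
            problems.append(f"ROLEACTION: unknown action {action}")
    # A role with no actions cannot contribute to SoD rule functions.
    for role in sorted(roles - {r[0] for r in role_actions}):
        problems.append(f"ROLE: {role} has no actions in ROLEACTION")
    return problems


if __name__ == "__main__":
    for problem in check_legacy_files(SAMPLE_FILES):
        print(problem)
```

Run the check over the real files before calling ARCHIVFILE_CLIENT_TO_SERVER; an empty result means every user action and role action resolves to a loaded user, role and action.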

Once all files are uploaded, you can execute the following SAP standard synchronization jobs:

PFCG Authorization Sync

Role Data Sync

User Data Sync

Once the above sync jobs are completed, the ARIBA roles will be available for upload to BRM and can then be used for provisioning.

ARIBA Roles Import

Import the ARIBA roles into the GRC system.

Set the provisioning settings for your Non-SAP system (in this scenario ARIBA) as “Manual Provisioning”.

Submit an “Access Request” for the ARIBA role and then handle provisioning manually.

ARIBA SoD Rules Setup

You can also define SoD rules for the ARIBA system using the ACTIONS uploaded into the GRC system.

I have implemented ARIBA SoD rules for one of our clients.

The following approach was taken:

Users and User Groups from ARIBA were uploaded to the GRC repository tables using the approach described above.

E.g. Receiving Agent is a User Group in ARIBA, for which the following details are uploaded to GRC:

User A – Role (Receiving Agent) – Action (Receiving Agent) – Permissions (Not required)

The GRC repository tables are thereby updated with the ARIBA roles and actions.

Finally, in the ruleset, functions are defined with system-specific actions (i.e. S4HANA and ARIBA actions).

Thanks for reading.

Looking forward to your inputs for improving this blog with additional details or scenarios.

Best Regards,

Madhu Babu Sai

12 Comments

Sagar Reddy

      Hi Madhu,

      Great work and keep it up.

      Regards,

      Sagar


Satish Penmatsa

      Hi Madhu,

Excellent blog. But I think you missed one point, which is sorting.

      Regards,

      Satish P

Satish Penmatsa

      Hi Madhu,

Thanks for reaching out to me, and yes, you are right, sorting is not required when we upload the files. 🙂

      Regards,

      Satish P

Shivendra Kumar Pandey

Nice blog, it will help us in integrating ARIBA & GRC.

      Regards,

      Shivendra

Varaprasad Kuenderu

Hi Madhu

Nice blog. We are planning to integrate a non-SAP system to GRC 12.0. Please guide the steps.

      Regards

      Prasad

Akash Parekh

Hi Madhu,

I am configuring connectors for Manual Provisioning, which allows approvals to be captured. I followed all steps as per the blog, but when I execute the Role Repository Sync job it fails and gives the error "Roles are not available". Can you please help?

      Regards,

      Akash Parekh

Plaban Sahoo

Hi Madhu,

Very nice blog.

Would you know if GRC 10.1 can integrate/provision/FF with Informatica Cloud Services (ICS)? The requirement is to have GRC (or any other SAP system) preferably provision/FF to users of the Informatica Cloud Platform.

Regards

Plaban

dnyaneshwar yargalwad

Great blog Madhu

Keep up the good work!!

      Regards

Balamurugan Pandian

Hello Madhu,

Great blog, and it is very helpful for us.

We have implemented Manual Provisioning for a few Cloud systems like SAC and Web IDE as per your blog, and it is working as expected. But we need assistance on the below.

The “Manual Provision” button is available in all stages. If this button is clicked by one of the approvers but the role is rejected in a later stage, the user assignment does not get removed from the GRACUSERROLE entry. Is there any possibility to suppress that button in the Manager and Role Owner stages and show it only on the final Security approval stage?

Awaiting your kind help. Thanks in advance.

Thanks, Bala

Roberto Gomez Diaz

Hi Madhu,

We are starting to integrate SAP IDM 8.0 with SAP GRC 12 for SAP and non-SAP systems. Could you guide the steps? I haven't found documentation about those IDM and GRC versions.

Could you advise please,

Thanks in advance

Roberto Gomez

Visctoria Fiedotin

Hi Madhu

Thank you very much for this explanation, it's excellent and very useful!

I am clear about the access that I need in GRC to create the connection.

The only doubt that I have is the access that I need to get in Ariba to create the connection.

I hope you can read my question.

Thank you very much!

Regards.

Rohit Pahari

Dear Madhu,

Thank you for this blog! Very comprehensive and useful. We are planning to do a similar integration for Ariba in our project (since Cloud IAG does not fit our requirement).

One question - in the repository sync, does it need to be a full load every time? Or can we somehow do an incremental load too? I am guessing that incremental isn't possible, since we do not have separate files or line items for create/update/delete. But a confirmation would be helpful, thanks! 🙂

~ Rohit