Technical Articles
SAP GRC 10.0/10.1/12.0 – Manual Provisioning for Non-SAP systems (e.g. ARIBA)
Purpose of the Document
SAP GRC system has out-of-box integration with lot of SAP applications and also supports provisioning to HANA DB, LDAP and Enterprise Portal applications.
As there are lot of changes happening with technology and customers also using applications built on various technologies it is always challenging for SAP GRC access control solution to support provisioning for Non-SAP systems. Also the integration with Non-SAP systems is not straightforward and will require certain level of customization in both target applications as well as in GRC system.
The purpose of this blog is to explain how user access provisioning to Non-SAP systems can be handled by GRC system using “Manual Provisioning” option in GRC without putting efforts on additional customization.
The details discussed below will be more on the technical setup and for illustration I have used “ARIBA” as the target system being integrated with GRC.
Let’s see how you can setup this functionality and can test in GRC 10/10.1/12.0 systems (End to End).
To enable manual provisioning for Non-SAP systems
Non-SAP Connector Setup
Create a connector in SM59 with connection type as “L” (Logical Destination). For illustration purpose, I have used ARIBA as the connector name.
Non-SAP Connector Config Setup in GRC
Define connectors in the following IMG path: Connection Type “FILE” will be used for the connector.
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connectors
Define connector groups in the following IMG path and assign ARIBA connectors to this connector group
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types ->Define Connector Groups
Maintain Connection Settings
Connector must be assigned to all AC related integration scenarios (ROLMG, SUPMG, AUTH, PROV) available as it is a good practice.
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connection Settings
For “AUTH” integration scenario, assign “ARIBA” connector
For “PROV” integration scenario, assign “ARIBA” connector
For “ROLMG” integration scenario, assign “ARIBA” connector
For “SUPMG” integration scenario, assign “ARIBA” connector
Maintain Connector Settings
Maintain connector settings in the following path:
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connector Settings
Maintain Mapping for Actions and Connector Groups
In this configuration, you can assign the actions to a connector group, and then select the default connector for each group
Configuring Logical and Physical paths for Non-SAP systems data upload
To enable manual provisioning and also to run risk analysis the pre-requisite is to load the User and Role data of your Non-SAP systems into GRC system.
For this data loading, we will follow the approach provided by SAP GRC for loading data for legacy systems.
Execute transaction FILE and following screenshot will be shown as below:
Define relevant Logical and Physical paths in the FILE transaction
Logical File name is file path at Operating system level which can be accessed using “FILE” transaction
Physical File name is file path at application server level which can be accessed using “AL11” transaction.
AL11 directories and associated paths
For all logical paths, maintain the same physical path which means that all relevant files which need to be used for syncing Non-SAP User and Role data need to be uploaded to the same physical path.
Logical file name definition, cross–client – In this step you maintain logical filenames for all clients. The definition of a logical filename comprises the following values: Logical filename.
File Name highlighted below will be the actual filename in which the Non-SAP data will be maintained and uploaded to application server and can be viewed from AL11.
Configuring Logical file paths for Non-SAP system connectors
Maintain Connection Settings
In this configuration, you assign connectors to an integration scenario. The application uses the connectors to communicate with other systems in your landscape
For “AUTH” integration scenario, assign “ARIBA” connector
For “AUTH” integration scenario, we need to maintain logical paths defined in the previous step as the corresponding User and Role data will be retrieved from the files in this path.
Following File ID naming convention must be followed while configuring the logical paths in the connector configuration as these names are hard-coded in the corresponding program logic.
File Format and File Content details on which fields are Mandatory, Optional etc, for the above mentioned files can be followed as per the format specified in following SAP Note:
1594963 – GRC Access Controls 10 – How to configure Legacy connectors
Example:
Following screenshot shows “Get Action” Info method under class CL_GRAC_AD_AUTH_MGMT_FILE and you can see the File ID name harcoded. Just to highlight that SAP GRC has different classes for Authorization and Access Management based on different connector types like RFC, HDB, LDAP, WS, FILE, IDM_OB etc. Following screenshot is for FILE class related method:
Define the logical file path for User, Role, Profile, Action, Permission, User Action, User Permission, Role Action, Role Permission, Profile Action, Profile Permission. Hence, the logical path will be updated as shown below:
Prepare and Upload Non-SAP data text files to physical path
Sample files with content are shown below:
Actions File
User File
User Actions File
Role File
Role Actions File
For uploading the files to application server, we will use standard SAP function module “ARCHIVFILE_CLIENT_TO_SERVER”
Execute function module and provide inputs:
Path: Local path where files are stored in your PC
Target Path: Same as physical path used while configuring Logical path in FILE transaction
After executing the function module for all relevant files, all files will get uploaded to application server.
Once all files are uploaded, you can execute following SAP standard synchronization jobs:
PFCG Authorization Sync
Role Data Sync
User Data Sync
Once the above sync jobs are completed, the ARIBA roles will be uploaded to BRM and will be further used for provisioning.
ARIBA Roles Import
Import the ARIBA roles into GRC system
Set the provisioning settings for your Non-SAP system (in this scenario ARIBA) as”Manual Provisioning”
Submit “Access Request” for the ARIBA role and then handle provisioning manually.
ARIBA SoD Rules Setup
You also can define SoD rules for ARIBA system using the ACTIONS uploaded into GRC system.
I have implemented ARIBA SoD rules for one of our client.
Following approach was taken:
User and User Groups from ARIBA were updated to GRC repository tables using the approach described above.
E.g. Receiving Agent is a User Group in ARIBA for which following are the details that are uploaded to GRC.
User A – Role (Receiving Agent) – Action (Receiving Agent) – Permissions (Not required)
GRC repository tables have been updated with ARIBA roles and Actions.
Finally in the ruleset, functions are defined with System specific actions (i.e. S4HANA and ARIBA actions)
References
1594963 – GRC Access Controls 10 – How to configure Legacy connectors
1613632 – Download Files for Legacy Risk Analysis
1654282 – Configuration connector for Legacy system in Access Control 10.0
1840261 – Repository Sync completed but no data is synchronized in Legacy system
1715476 – Problem with Systems No SAP Legacy Connectors
2580985 – How to Configure UAR for Legacy Systems
1742087 – Deleted users are not being removed for Legacy system
Thanks for reading.
Looking forward for your inputs in improving this blog with additional details or scenarios ?
Best Regards,
Madhu Babu Sai
Hi Madhu,
Great work and keep it up.
Regards,
Sagar
Hi Madhu,
Excellent Blog. But i think you missed one point which is sorting.
Regards,
Satish P
Hi Madhu,
Thanks for reaching me out and yes you are right sorting is not required when we upload the files. 🙂
Regards,
Satish P
Nice Blog, it will be help us integrating ARIBA & GRC.
Regards,
Shivendra
Hi Midhu
Nice Blog . we are planning to Integrate Non sap system to GRC 12.0 . Please guide the steps
Regards
Prasad
Hi Madhu,
I am configuring connectors for Manual provisioning which allows to capture approvals. I followed all steps as per blog but when I am execute Roel Repository Sync job it fails and gives error Roles are not available. Can you please help?
Regards,
Akash Parekh
Hi Madhu,
very Nice blog.
Would you know, if GRC 10.1 can integrate/provision/FF with Informatica Cloud Services(ICS). The requirement is to have preferably GRC(or any other SAP system) provision/FF to Users of Informatica Cloud Platform
Regards
Plaban
Great Blog Madhu
Keep up the good work !!
Regards
Hello Madhu,
Great blog and it is very helpful for us.
We have implemented Manual Provisioning for few Cloud systems like SAC, Web IDE as per your blog and it is working as expected. But we need assistance on the below.
The “Manual Provision” button is available in all stages. If this button is clicked by one of the approver but the role is rejected in later stage the user assignment is not getting removed from GRACUSERROLE entry. Is there any possibility to suppress that button in Manager and Role owner stage and show it up only on final Security approval stage.
Awaiting for your kind help. Thanks in advance.
Thanks, Bala
Hi Madhu,
We are starting to integrating SAP IDM 8.0 with SAP GRC 12 for SAP and nos SAP System, Could you guide the steps. I haven't found documentation about that IDM and GRC versions.
Could you advise plis,
thanks in advance
Roberto Gomez
Hi Madhu
Thank you very much for this explanation, it´s excellent and very useful!
I am clear about the access that i need in GRC to create the connection.
The only doubt that i have is the access that i need to get in Ariba to create the connection.
I hope you can read my question.
Thank you very much!
Regards.
Dear Madhu,
Thank you for this blog! Very comprehensive and useful. We are planning to do a similar integration for Ariba in our project (since Cloud IAG does not fit our requirement).
One question - in the repository sync, does it need to be full load every time? Or can we somehow do incremental load too? I am guessing that incremental isn't possible, since we do not have separate files or line items for create/update/delete. But a confirmation would be helpful, thanks! 🙂
~ Rohit