Purpose of the Document

SAP GRC system has out-of-box integration with lot of SAP applications and also supports provisioning to HANA DB, LDAP and Enterprise Portal applications.

As there are lot of changes happening with technology and customers also using applications built on various technologies it is always challenging for SAP GRC access control solution to support provisioning for Non-SAP systems. Also the integration with Non-SAP systems is not straightforward and will require certain level of customization in both target applications as well as in GRC system.

The purpose of this blog is to explain how user access provisioning to Non-SAP systems can be handled by GRC system using "Manual Provisioning" option in GRC without putting efforts on additional customization.

The details discussed below will be more on the technical setup and for illustration I have used "ARIBA" as the target system being integrated with GRC.

Let’s see how you can setup this functionality and can test in GRC 10/10.1/12.0 systems (End to End).

To enable manual provisioning for Non-SAP systems

Non-SAP Connector Setup

Create a connector in SM59 with connection type as “L” (Logical Destination). For illustration purpose, I have used ARIBA as the connector name.

Non-SAP Connector Config Setup in GRC

Define connectors in the following IMG path: Connection Type "FILE" will be used for the connector.

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types -> Define Connectors





Define connector groups in the following IMG path and assign ARIBA connectors to this connector group

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connectors and Connection Types ->Define Connector Groups





Maintain Connection Settings

Connector must be assigned to all AC related integration scenarios (ROLMG, SUPMG, AUTH, PROV) available as it is a good practice.

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connection Settings

For "AUTH" integration scenario, assign "ARIBA" connector





For "PROV" integration scenario, assign "ARIBA" connector



For "ROLMG" integration scenario, assign "ARIBA" connector



For "SUPMG" integration scenario, assign "ARIBA" connector



Maintain Connector Settings

Maintain connector settings in the following path:

SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Connector Settings



Maintain Mapping for Actions and Connector Groups

In this configuration, you can assign the actions to a connector group, and then select the default connector for each group

Configuring Logical and Physical paths for Non-SAP systems data upload

To enable manual provisioning and also to run risk analysis the pre-requisite is to load the User and Role data of your Non-SAP systems into GRC system.

For this data loading, we will follow the approach provided by SAP GRC for loading data for legacy systems.

Execute transaction FILE and following screenshot will be shown as below:





Define relevant Logical and Physical paths in the FILE transaction

Logical File name is file path at Operating system level which can be accessed using "FILE" transaction



Physical File name is file path at application server level which can be accessed using "AL11" transaction.

AL11 directories and associated paths





For all logical paths, maintain the same physical path which means that all relevant files which need to be used for syncing Non-SAP User and Role data need to be uploaded to the same physical path.

Logical file name definition, cross-client - In this step you maintain logical filenames for all clients. The definition of a logical filename comprises the following values: Logical filename.



File Name highlighted below will be the actual filename in which the Non-SAP data will be maintained and uploaded to application server and can be viewed from AL11.

Configuring Logical file paths for Non-SAP system connectors

Maintain Connection Settings

In this configuration, you assign connectors to an integration scenario. The application uses the connectors to communicate with other systems in your landscape

For "AUTH" integration scenario, assign "ARIBA" connector



For "AUTH" integration scenario, we need to maintain logical paths defined in the previous step as the corresponding User and Role data will be retrieved from the files in this path.

Following File ID naming convention must be followed while configuring the logical paths in the connector configuration as these names are hard-coded in the corresponding program logic.



File Format and File Content details on which fields are Mandatory, Optional etc, for the above mentioned files can be followed as per the format specified in following SAP Note:

1594963 - GRC Access Controls 10 - How to configure Legacy connectors

Example:

Following screenshot shows "Get Action" Info method under class CL_GRAC_AD_AUTH_MGMT_FILE and you can see the File ID name harcoded. Just to highlight that SAP GRC has different classes for Authorization and Access Management based on different connector types like RFC, HDB, LDAP, WS, FILE, IDM_OB etc. Following screenshot is for FILE class related method:



Define the logical file path for User, Role, Profile, Action, Permission, User Action, User Permission, Role Action, Role Permission, Profile Action, Profile Permission. Hence, the logical path will be updated as shown below:

Prepare and Upload Non-SAP data text files to physical path

Sample files with content are shown below:

Actions File



User File



User Actions File



Role File



Role Actions File



For uploading the files to application server, we will use standard SAP function module "ARCHIVFILE_CLIENT_TO_SERVER"



Execute function module and provide inputs:

Path: Local path where files are stored in your PC

Target Path: Same as physical path used while configuring Logical path in FILE transaction



After executing the function module for all relevant files, all files will get uploaded to application server.



Once all files are uploaded, you can execute following SAP standard synchronization jobs:

PFCG Authorization Sync







Role Data Sync







User Data Sync







Once the above sync jobs are completed, the ARIBA roles will be uploaded to BRM and will be further used for provisioning.

ARIBA Roles Import

Import the ARIBA roles into GRC system



Set the provisioning settings for your Non-SAP system (in this scenario ARIBA) as"Manual Provisioning"



Submit "Access Request" for the ARIBA role and then handle provisioning manually.