Skip to Content
Technical Articles

GRC Access Control 12.0 ARM setup for provisioning HANA DB users

In this blog, I will cover configuration steps to connect GRC Access Control to HANA DB.  I am outlining only steps that are required for HANA DB connection.  There are common config steps to setup Access Request Management (ARM) such as config parameters, define request types, define EUP, provisioning settings, data source setup etc. that are not in scope for this blog.  You also need to have MSMP Workflow setup specific to your requirements for approval routing(s). 

Let’s first go over an example of a HANA DB role request and then show that role provisioned in HANA DB through GRC Access Control.  First screenshot below is an access request for HANA DB role ABAP_ADMIN. Once the request is submitted and goes through the approvals, the role gets assigned to user ID.  The second screenshot shows the assignment in HANA DB.

Both repository and catalog HANA DB role types along with ‘Analytic privileges’ can be provisioned through GRC Access Control.

Now, let me cover primary HANA DB specific configuration steps.  First two are Basis tasks and are usually performed by Basis consultant and rest are performed by GRC consultant.

  1. First step is to download SAP GRC Plug-in for HANA DB from SAP Market Place.
  2. Then you will need to deploy delivery unit with content for the SAP HANA Plug-in for GRC Integration with HANA by using HANA Studio:

SAP note 1969912 provides steps on how to deploy delivery unit and then install HANA Integration API to the system catalog.

https://launchpad.support.sap.com/#/notes/1869912

Note: This step is to be performed in HANA DB that is to be connected to GRC and where access will be provisioned.

3.  Next you need to configure SAP GRC Access Control system with HANA Integration. Below steps need to be performed in HANA DB:

  • Create a user GRC_DBCO_PI. This user must have role sap.grc.pi.ac.roles::SAP_GRC_PI_ADMIN.  Then, go ahead and deploy (activate) this user.
  • Now login with this new user and change password. This is to set a permanent password for the user.
  • User GRC_DBCO_PI should be used in next step to create DBCO connector.

4.  Create HANA connector by using DBCO transaction code and configure this connector to connect to HANA DB. Below are the steps and all these steps are performed in GRC system:

  • Create a HANA connector using DBCO

  • Create a logical connector. Note that this logical connector must be of the same name as DBCO connection created in step i.. above.  You can either use transaction SM59 or SPRO path SPRO > SAP Customizing Implementation Guide > Governance, Risk, and Compliance > Common Component Settings > Integration Framework > Create Connector

  • Now, you need to integrate HANA connector to GRC using Integration Framework as shown below. Please follow SPRO path SPRO > Governance, Risk, and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types. Note that Connection type is ‘HDB’ for HANA DB.

  • This connector must be assigned to Integration Scenario ‘PROV’ through SPRO path SPRO à Governance, Risk, and Compliance >Common Component Settings > Maintain Connection Settings. Please also assign this to other Integration Scenarios as necessary such as AUTH, ROLMG, SUPMG.

5. Import Roles and assign approvers

Last step in this process is to import HANA DB roles and analytics privileges to GRC Access Control. This is necessary to make roles available to select and request in access request. Roles import steps are like ABAP roles provided that you have selected correct application type, Landscape, and Source system and they need to be specific to HANA DB.  Role type for Analytic privileges is ‘HAP’ and it is ‘SIN’ for roles.  When importing Analytic privilege, you need to use File on Desktop or File on Server option for ‘ImportSource’ and modify role type to ‘HAP’ in attribute file before importing it.

With successful completion of above steps, you have connected GRC Access Control to HANA DB for access provisioning and roles and Analytics privileges are available to request.  I look forward to your comments and feedback.

Be the first to leave a comment
You must be Logged on to comment or reply to a post.