IAG Bridge Integration with Ariba Buying (and Invoicing)
As a security consultant and later as an architect, I have used and implemented SAP GRC Access Control (GRC AC) for user creation and provisioning, along with many of its other features, across most SAP and some non-SAP landscapes. SAP has since changed its strategy for GRC AC: after SuccessFactors, it will not extend the standard GRC AC integration to any new SAP cloud product.
As the new approach, SAP introduced SAP Cloud Identity Access Governance (IAG), essentially a cloud counterpart of GRC AC that is leaner and more flexible but does not include the GRC AC MSMP workflow engine. IAG is built on SAP Cloud Platform (now SAP BTP) and uses SAP NetWeaver APIs to fetch data from target systems and perform its actions.
Many SAP customers, like us, run GRC AC as their primary provisioning tool, so new cloud systems that fall outside the standard GRC integration are a real challenge. Moving completely off GRC AC is also a long-term undertaking.
This post covers only the configuration steps needed to integrate IAG with the Ariba cloud application, that is, to connect GRC AC to Ariba through the IAG bridge. When SAP Cloud IAG integrates with SAP Ariba, it natively integrates with the Ariba Buying (and Invoicing) module; if the Ariba applications are suite-integrated, the users and authorizations also flow from there to the Strategic Sourcing Suite applications, which is the recommended setup.
The IAG Integration Flow:
The technical communication between IAG and Ariba is based on SOAP API calls. IAG reads users and groups from Ariba through MDNI, using the fetchUsers and fetchGroups endpoints specified in the destination, and sends provisioning requests (user creation, authorization assignment) to SAP Ariba through MDNI at the endpoint defined under uploadXMLUserData.
I have broken the integration down into a five-step process:
- Complete the integration process for SAP Cloud Identity Access Governance and target cloud application, for instance, SAP Ariba.
- In the SAP Cloud Identity Access Governance launchpad, sync the repository data from target app to the IAG repository.
- Complete the integration process for the SAP Access Control on-premises system and SAP Cloud Identity Access Governance.
- In the SAP Access Control system, sync the repository data from the IAG repository to the SAP Access Control system.
- In the SAP Access Control system, create access requests for target cloud application.
1. Complete the integration process for SAP Cloud Identity Access Governance and the target cloud application, in this case SAP Ariba
- In the SAP Cloud Platform, set up destination for the SAP Ariba solution.
Click Connectivity->Destinations, and then click New Destination
SAP BTP destination configuration (set the following properties):

| Property | Value |
|---|---|
| URL | provided by the Ariba team |
| User | user created in the Ariba End Point Configuration |
| Password | password of the user above |
| apiKey* | API key generated with your Ariba DSC contact |
| fetchGroups** | provided by the Ariba team |
| fetchUsers** | provided by the Ariba team |
| serviceURL | provided by the Ariba team |
| tenantId*** | AN-ID of the Ariba system |
| uploadXMLUserData | provided by the Ariba team |

\* You need to generate the API key.
\*\* The Ariba team needs to activate MDNI.
\*\*\* The Ariba team will provide the tenant ID.
For details on the properties, refer to the blog SAP ARIBA Properties.
Observation: with IAG cloud integrations it is common for Check Connection on this destination to report an error even though the destination works, so do not rely on that test alone.
- Create an instance for SAP Ariba in the Systems app of the IAG launchpad.
2. Sync User Data and Provision Access Requests
Open the Job Scheduler app. In the Job Category dropdown, schedule the Repository Sync job.
Steps 1 and 2 above sync the user data from Ariba to IAG.
The next steps cover syncing the data from IAG to GRC.
3. Complete the integration process for the SAP Access Control on-premises system and SAP Cloud Identity Access Governance
Make sure all prerequisites are complete, then proceed to the next steps and maintain the Cloud Connector.
- In Cloud Connector Configuration:
- In IAG BTP Cockpit:
- Maintain RFC Destinations for the IAGTRIGGER App
Before setting up the RFC destination, make sure IAS is configured correctly; for that configuration, refer to the blog SAP Cloud Identity Access Governance – Initial Setup.
For customers in the United States subscribing to the standard edition, use the following host in the RFC destination: grc-iag-us10-grc-iag-core-us10-java-rest-authentication.cfapps.us10.hana.ondemand.com
User = P-user ID@IAG subdomain
Password = IAS password of the P-user
- Destination for SOD check
For customers in the United States, use the following host in a second RFC destination:
- RFC destination for the Ariba system
RFC Destination: the name must match the system name listed in the Systems app in IAG.
Host: same as the trigger host from the previous step (grc-iag-us10-grc-iag-core-us10-java-rest-trigger.cfapps.us10.hana.ondemand.com)
Leave the login blank (do not provide any user/password) and select SSL active.
Path Prefix= /com/sap/grc/iag/service/roleSimulationService.svc/
- Configure the Identity Authentication Service in SAP BTP
- In SAP BTP, create a destination for Identity Authentication.
- Go to your subaccount and open Connectivity -> Destinations -> New Destination.
- Create the destinations as specified below.
- Configure Parameters for Cloud Integration in GRC AC
- Create Connectors and Connector Groups in GRC AC
Define the connector in GRC: add the Ariba RFC destination just like any other system.
- Create Destinations for SAP Cloud Identity Access Governance Service
This delivered service is used by SAP Cloud Identity Access Governance to push provisioning status updates to SAP Access Control, so that the provisioning status of access requests is displayed correctly.
- Go to SPRO -> Governance, Risks and Compliance -> SAP NetWeaver -> SAP Gateway -> Administration -> General Settings -> Activate and Maintain Services.
- In the Service Catalog screen, select IAG_PROVISION_STATUS_UPDATE_SRV and activate it.
- In the System Aliases pane, choose Add System Alias, and add it as local host, and Save.
- In the ICF Nodes pane, choose SAP Gateway Client, and Execute.
- In the HTML pane, copy the href link; you need it for the next step.
- In the Cloud Connector, create a system mapping for the provisioning status update service.
- Open the Cloud Connector, select the subaccount, and choose Cloud To On-Premise.
- Go to the Access Control tab and choose the plus (+) sign to add a new system mapping.
- For Backend Type, select ABAP System and choose Next.
- For Protocol, select HTTPS, and choose Next.
- Enter the internal host and port, then the virtual host and port, and choose Next. Take these values from the service href you copied in the SAP Gateway Client step above: Internal Host is the host name without the protocol (https://), and Internal Port is the port number.
- For Principal Type, select X.509 Certificate (General Usage) and choose Next.
- Select the Check the Internal Host box and choose Finish.
- Add a resource path. In the Mapping Virtual To Internal System table, select the new mapping. In the Resources Accessible On section, choose the pencil icon to edit it. In the URL Path field, make sure /sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV is entered, and save.
- Test the configuration. In the Mapping Virtual To Internal System table, select the new mapping and choose the Check Availability icon.
- In SAP BTP, create a destination for the Provisioning Status Update virtual mapping. Go to Connectivity -> Destinations and choose the plus sign (+). Name the destination IAGProvisionStatusUpdate. For the URL, paste the URL from the service configuration step, using the virtual host and port from the Cloud Connector mapping if they differ from the internal ones, and save.
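The destination properties from step 1 and the Cloud Connector mapping and IAGProvisionStatusUpdate destination from step 3 are the places where a typo only shows up later, at the first Repository Sync or the first status call-back, and Check Connection is unreliable for the Ariba destination. The following Python pre-flight script is an added example, not code from the original post or from SAP: it checks that the Ariba destination carries every property from the table, that all endpoints use https and the AN-ID looks plausible, splits the Gateway href into the Cloud Connector mapping fields, and renders the IAGProvisionStatusUpdate destination in the key=value text the BTP cockpit imports. Assumptions not stated in the post: the Ariba destination is an HTTP destination with BasicAuthentication, an AN-ID is "AN" followed by 11 digits, the status-update destination uses ProxyType OnPremise with PrincipalPropagation, and every host name and value is a constructed placeholder.

```python
"""Pre-flight checks for the BTP destinations used by the IAG bridge.

Added example; not code from the original post or from SAP. It assumes the
Ariba destination is an HTTP destination with BasicAuthentication (the post's
table lists User and Password) whose Ariba keys (apiKey, fetchGroups, ...) are
additional properties, and that the IAGProvisionStatusUpdate destination goes
through the Cloud Connector (ProxyType=OnPremise). Hosts and values are
constructed placeholders.
"""
import re
from urllib.parse import urlsplit

# Properties the post's table requires on the Ariba SOAP destination.
ARIBA_REQUIRED = frozenset({
    "URL", "User", "Password", "apiKey", "fetchGroups", "fetchUsers",
    "serviceURL", "tenantId", "uploadXMLUserData",
})
ARIBA_ENDPOINT_KEYS = ("URL", "fetchGroups", "fetchUsers", "serviceURL", "uploadXMLUserData")
# OData service activated in the GRC gateway for provisioning status call-backs (step 3).
STATUS_SERVICE_PATH = "/sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV"
# Assumption: an Ariba Network ID is "AN" followed by 11 digits; loosen if yours differs.
ANID_RE = re.compile(r"^AN\d{11}$")


def check_ariba_destination(props):
    """Return a list of findings for the Ariba destination; empty means it looks complete.

    Check Connection in the cockpit is unreliable for this destination (see the
    post), so catch missing keys and typos here, before the first Repository Sync.
    """
    findings = [f"missing property: {k}" for k in sorted(ARIBA_REQUIRED - set(props))]
    for key in ARIBA_ENDPOINT_KEYS:
        value = props.get(key, "")
        if value and urlsplit(value).scheme != "https":
            findings.append(f"{key} must use https, got: {value}")
    if "apiKey" in props and not props["apiKey"].strip():
        findings.append("apiKey is empty; generate it with your Ariba DSC contact")
    tenant = props.get("tenantId", "")
    if tenant and not ANID_RE.match(tenant):
        findings.append(f"tenantId does not look like an AN-ID: {tenant}")
    return findings


def gateway_href_to_mapping(href):
    """Split the href copied from the SAP Gateway Client into Cloud Connector fields.

    Returns (internal_host, internal_port, url_path): host without protocol,
    port defaulting to 443, and the resource path with any query string
    (for example sap-client) removed, as the mapping and its
    'Resources Accessible' entry expect.
    """
    parts = urlsplit(href)
    if parts.scheme != "https":
        raise ValueError(f"gateway service must be reached over https: {href}")
    path = parts.path.rstrip("/")
    if path != STATUS_SERVICE_PATH:
        raise ValueError(f"unexpected service path {path!r}, expected {STATUS_SERVICE_PATH!r}")
    return parts.hostname, parts.port or 443, path


def render_destination(name, url, proxy_type, authentication, extra=None):
    """Render a destination in the key=value text the BTP cockpit exports and imports."""
    lines = [f"Name={name}", "Type=HTTP", f"URL={url}",
             f"ProxyType={proxy_type}", f"Authentication={authentication}"]
    lines += [f"{k}={v}" for k, v in sorted((extra or {}).items())]
    return "\n".join(lines) + "\n"


def status_update_destination(virtual_host, virtual_port):
    """IAGProvisionStatusUpdate destination pointing at the Cloud Connector virtual host.

    Assumption: the mapping uses the X.509 principal type from the post, so the
    destination uses PrincipalPropagation; use BasicAuthentication plus
    User/Password instead if your mapping relies on a technical user.
    """
    url = f"https://{virtual_host}:{virtual_port}{STATUS_SERVICE_PATH}"
    return render_destination("IAGProvisionStatusUpdate", url, "OnPremise", "PrincipalPropagation")


if __name__ == "__main__":
    # Constructed sample, not a real tenant; two defects are planted on purpose.
    ariba = {
        "URL": "https://s1.ariba.example/soap/service",
        "User": "iag_integration", "Password": "***",
        "apiKey": "constructed-api-key", "tenantId": "AN01234567890",
        "fetchGroups": "https://s1.ariba.example/soap/fetchGroups",
        "fetchUsers": "http://s1.ariba.example/soap/fetchUsers",   # http instead of https
        "serviceURL": "https://s1.ariba.example/soap",
        # uploadXMLUserData deliberately left out
    }
    for finding in check_ariba_destination(ariba):
        print("Ariba destination:", finding)
    host, port, path = gateway_href_to_mapping(
        "https://grcdev.corp.example:44300" + STATUS_SERVICE_PATH + "/?sap-client=100")
    print(f"Cloud Connector mapping: internal host {host}, port {port}, resource {path}")
    print(status_update_destination("grcvirt.corp.example", 44300), end="")
```

Run it against the values your Ariba team hands over before you touch the cockpit; the sample run reports the missing uploadXMLUserData key and the http endpoint, and prints the mapping fields and the destination text ready for import. The output text is also a convenient way to keep the destination definition under version control next to the rest of the bridge configuration.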
4. In the SAP Access Control system, sync the repository data from the IAG repository to the SAP Access Control system
Go to SPRO -> Governance, Risks and Compliance -> Synchronization Jobs and run the Repository Object Sync.
- In Select Sync Job, select all three jobs.
- In Select Connector and Sync Mode, select the cloud connector.
- In Advanced Options, select IAG Import.
5. In the SAP Access Control system, create access requests for target cloud application
After a successful sync job, the Ariba groups are imported into the GRC AC system. Make sure the groups are in PRODUCTION status so that they can be selected in the GRC Access Request form.
Once the integration steps above are complete, the Ariba system and its groups are available for provisioning.
Set up the Provisioning job in IAG so that data and provisioning status stay consistent across Ariba -> IAG -> GRC.
For troubleshooting, check the provisioning status of the GRC request number in IAG.
This completes the end-to-end integration of Ariba and GRC using the IAG bridge.
Note: Please share your feedback or thoughts in a comment below, or ask questions in the Q&A area for SAP Cloud Identity Access Governance: https://answers.sap.com/tags/01200615320800000796
Hi Trinetra Bhushan,
This is a very good document to understand how IAG bridge can be used for Cloud Application Access Provisioning. Thank you.
I need help around SFEC integration with GRC AC through IAG bridge for HR triggers. Could you please share your email id or contact details, so that I can connect with you?
Hi Swapnil Chudaram Balharpure,
SFEC HR trigger integration with IAG is an altogether different setup than Ariba. The core steps should remain the same, with different properties and SFEC-specific setup.
I am in between the configuration and will create new Blog when it is completed.
This is a very good post! Thank you for the detailed guide!
We tried to implement this scenario as well with ARIBA, but we failed to meet a specific requirement. In ARIBA, there is an additional authorization attribute for groups called "Purchasing Unit" which can be used to limit the access to certain organizational structures.
This field is supported by the standard interfaces and upload files ARIBA provides, but we did not find a possibility to also make it work for IAG. There does not seem to be a possibility to transfer purchasing unit attributes from IAG to ARIBA to limit group authorizations.
Do you have a suggestion maybe on how to include purchasing units?
We also faced the same issue; there is no standard way to include Purchasing Unit through IAG. The Other User info also cannot be populated.
Thank you for detailed post.
Could you please let me know if you were able to generate password for created Ariba users.
We use SSO, so we do not need a separate password for the user. I believe most organizations will have the same setup.