Integrating with Your ERP System

Integrate Access Risk Management with SAP and SuccessFactors to mitigate risk by automating and governing access to these systems. To facilitate the integration, you will need to create the users and roles within those ERP systems and pull that information into Access Risk Management.

Integrating with SAP

In order to integrate SAP and Access Risk Management, you must install the provided agent and enter your SAP system details. The agent extracts security-related data from a company’s ERP system(s) and securely transmits that data to Access Risk Management to identify potential risks and violations. See the prerequisites and agent installation directions below.

After the agent is set up you can use Access Risk Management to set the SAP role details and block list.

Agent Prerequisites

You must have a VM that meets the system requirements below to run the agent, and you must set up the SAP system User ID. The agent runs as a Windows Service: it starts when the machine starts and keeps running even if nobody is logged in to the machine. The agent is designed to be the only agent necessary in a company’s infrastructure and ideally should be installed on a virtual machine (VM) as a service.

System Requirements for the VM

The agent requires:

  • 64-bit Windows operating system (Server 2012 or later)

  • 6GB RAM (8-16 preferable)

  • 10GB disk space (30+GB preferred. Exceptionally large or complex ERP systems may need more disk space.)

  • Broadband connection to the Internet

  • Microsoft .NET Framework 4.7.2+ (can be downloaded and installed from Microsoft).

Setting Up the SAP System User ID

  1. Configure a Windows 64-bit VM on the same network as the SAP environment.
  2. Create an SAP System User ID within each target system. The ID is used for Remote Function Call communications between the target system and the agent. Any user with the required authorizations will work, but we recommend you use the following user specifications:

Note

Contact your SAP administrator if you need assistance using transaction PFCG to upload the roles.

Using the Agent to Integrate with SAP

Using an account with administrative privileges, install the agent and enter your SAP system details to connect it to Access Risk Management.

  1. Contact support to get the agent file.
  2. Install the agent on the VM.
  3. Log in to the VM as an administrator and run the agent.exe.
  4. Select the configuration desktop icon or go to http://localhost:5000.
  5. Select I am a customer and enter the sysjob user ID and password provided by Access Risk Management.
  6. Select Add to register a new SAP System.
  7. Fill in the SAP system details.

  8. Select Test Connection to check the agent’s connection to your SAP system.

  9. Select Save to complete the installation and configuration.

Note

You can edit the agent system settings. When making a change, you must re-enter the username and password for the agent connector user.

Setting Utilization Options

When setting up your ERP System, you can select the source of the utilization data used when generating an Emergency Access Management (EAM) Utilization Overview report.

Select ERP SYSTEMS and choose the system for which you want to set utilization options. In the Utilization Options section, choose the type of STAD source you want to use.

Important

If you are using EAM, we highly encourage you to also use SM20 for utilization data. Refer to the next section to see how to set SM20 up in your SAP system.

Setting up SM20 Utilization Data

SM20 is a more accurate and faster way to generate data than using STAD alone. If you are using EAM, we highly recommend using SM20.

Important

Do not select the SM20 box if the SAP Security Audit Log has not been configured (via SM19) in your SAP system. Please reach out to support before activating SM20 in your SAP system.

To enable SM20 for EAM Utilization reporting:

  1. Scroll down to the Utilization Options section and select the expand icon.

    • If you are running any SAP 4.x version, select STAD – use SAPWL_WORKLOAD_GET_STATISTIC
    • If you are running any SAP ECC version 5.0 or later, select STAD – use SWNC_COLLECTOR_GET_AGGREGATES
  2. Select the corresponding Use SM20 for Utilization Data options based on the version you’re running.

  3. Choose the EAM log collection delay. We recommend you keep the default 30 minutes unless instructed by support to change this value.
  4. Do not change the EAM Log Collection Buffer setting unless instructed to by support.
  5. In the Application Server Connections section, select + Connection and enter the Host IP and Instance Number of each application server you want to track EAM utilization data for.
  6. Add the Instance Name. You can find this information by going to TCode ST03N in your Workload Monitor and looking in the ABAP Instance Name column.

    Important

    You must add every application server connection you have to ensure that all EAM activity is tracked. SM20 will not work without these connections.

  7. Repeat this process for every application server connection you have and select Save.

Troubleshooting

I can’t log in with the sysJob ID and password provided.

If you can’t log in with the credentials provided, verify whether you need to use a proxy.

If you are required to connect through a proxy server for external communication (i.e., to the Access Risk Management Cloud Service), and you are running the agent as a Windows service, you may need to manually configure the agent to communicate through it using the command-line interface (CLI).

  1. Shut down the agent service.
  2. From a CLI with administrative access, navigate to the Agent binary folder. This folder will have the file ErpMaestro.Agents.Application.exe in it.
  3. Execute the following command:

    ./ErpMaestro.Agents.Application.exe proxy set --hostname {Proxy Server Host} --port {Proxy Server Port} --username {Username} --password {Password}

    Note

    If your proxy server does not require a username or password, do not include that parameter.

  4. Restart the agent service.

  5. To remove the proxy configuration, shut down the agent and delete the proxy.settings file from the parent directory of the agent. Restart the agent.

Note

The local encryption key for securing the proxy server credentials is autogenerated based upon the machine name and several other factors. If a significant system change occurs, the encryption key may be rendered unusable.

I can’t validate the connection to SAP

If you can’t validate the connection between the agent and SAP, verify that the SAP system info is correct. If it is correct but the connection still fails, add the following URLs to the server’s allow list:

  • app.erpmaestro.com
  • dataserver01.erpmaestro.com
  • dashsvc.erpmaestro.com
  • authsvc.erpmaestro.com
  • api.erpmaestro.com
  • rulebooks.erpmaestro.com
  • jobsvc.erpmaestro.com
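A quick way to find out which of those endpoints the VM cannot reach before raising a firewall request. This is an added example, not part of the product or its documentation; it assumes the agent talks to these hosts over TCP port 443, which the page does not state.

```python
import socket

# The outbound endpoints the troubleshooting section says to allow-list.
# Port 443 is an assumption: the page lists host names only, and the agent
# reaches the cloud service over HTTPS.
AGENT_ENDPOINTS = [
    "app.erpmaestro.com", "dataserver01.erpmaestro.com",
    "dashsvc.erpmaestro.com", "authsvc.erpmaestro.com",
    "api.erpmaestro.com", "rulebooks.erpmaestro.com", "jobsvc.erpmaestro.com",
]

def tcp_connect(host: str, port: int, timeout: float) -> None:
    """Resolve the host and complete a TCP handshake; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass

def check_egress(hosts, port=443, timeout=5.0, connect=tcp_connect) -> dict:
    """Map each host to None (reachable) or an error string.

    Only DNS resolution and the TCP handshake are exercised, so run this
    from the agent VM itself. If the agent is configured to use a proxy,
    a direct connection may legitimately fail; test proxy reachability
    instead. 'connect' is injectable so the logic can be tested offline.
    """
    results = {}
    for host in hosts:
        try:
            connect(host, port, timeout)
            results[host] = None
        except OSError as exc:  # gaierror, timeout, ConnectionRefusedError, ...
            results[host] = f"{type(exc).__name__}: {exc}"
    return results

def blocked(results: dict) -> list:
    """Hosts that failed, i.e. the ones to raise with the firewall or proxy team."""
    return [host for host, err in results.items() if err is not None]

if __name__ == "__main__":
    for host, err in check_egress(AGENT_ENDPOINTS).items():
        print(f"{host:30} {'reachable' if err is None else err}")
```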

Managing SAP Role Details

After your SAP roles are incorporated using the agent, you can view and edit the role approvers, owners, location, and description within Access Risk Management.

Note

The location is not related to the SAP role but can be helpful for filtering between roles.

Select the menu icon in the top right and choose SAP ROLES to view the roles that have been pulled in from your SAP account.

You can edit the role details by editing an .xlsx file or using the Access Risk Management UI.

To edit role details in the .xlsx file:

  1. Select Export to download the .xlsx template to use.

  2. Use the template to update the approvers, owners, location, description, and whether the description should be retained from your .xlsx file or updated the next time you pull from SAP.

  3. Save your changes to the template and select Import to upload your updated .xlsx file to see those changes in Access Risk Management.

To edit role details within Access Risk Management:

  1. Select the edit icon next to the role name.

  2. Update the approvers, owners, location, description, and if the description should be retained from your .xlsx file or updated the next time you pull from SAP.

  3. Select Save to update the role details.

Select Refresh from Extract if the automatic role update job fails as part of the security extract. This takes you to the Activity History, where you can confirm that the job succeeded.

Blocking SAP Users and Roles

You can exclude SAP users and roles from reports, filters, and analyses.

  1. Select the menu icon in the top right and select SAP SYSTEM BLACKLISTS.

  2. Use the dropdown menu next to Type to select User or Role.

  3. Select Add.

  4. Enter the user or role names to exclude using comma-separated values or new lines.

For example, you may want to exclude roles with temporary elevated access since there are already controls in place for managing emergency access requests.

Integrating with SuccessFactors

Integrate Access Risk Management with SuccessFactors to pull the information needed for reports to show risks in the ERP system. Once you meet the prerequisites, you can use the Access Risk Management UI to add the system.

Note

The SuccessFactors integration can run all reports except the Emergency Access Management Excel reports. Refer to Viewing Activity for all available reports.

SuccessFactors Prerequisites

Before you can integrate SuccessFactors with Access Risk Management, you must meet the following prerequisites:

Assigning User Permissions

In SuccessFactors, you will need to set up the user permissions and gather the information you need to integrate with SuccessFactors using the Access Risk Management UI.

In your SuccessFactors system, assign the following RBP permissions to the user who will be using Access Risk Management:

  • Manage Integration Tools -> Allow Admin to Access Odata API through Basic Authentication

  • Manage User -> Employee Export

Additionally, the user must be added to the Manage Role-Based Permission Access listing. The Allow access to this page option is not required.

Gathering Information

Before integrating, review your SuccessFactors system to make sure you have the name of your SuccessFactors system, the CompanyId, the Server, the username of the person making the connection to Access Risk Management, that user's password, and the language you want to use.

Note

You can find your CompanyId on the login page in SuccessFactors. If it is not there, you may need to ask your administrator for this information.

Adding SuccessFactors System

  1. Select the menu icon in the top right and choose ERP SYSTEMS.

  2. Select the New dropdown menu and choose SuccessFactors.

  3. Enter a name for the SuccessFactors system.

  4. Enter the CompanyId used to identify your organization in SuccessFactors.

  5. Enter your server URL. This can be found by matching the beginning of your login page URL to the SuccessFactors server list. For example, if your login URL is https://pmsalesdemo8.successfactors.com/login?company=ABCDEF000020#/login, you will search for the corresponding data center number in the server list. In this case, it is DC8 to match the 8 in the URL. Enter the Production, SalesDemo, or Preview system URL in the Server field.

  6. In the Login and Password fields, enter the username and password of the user who has the Access Risk Management-specific permissions required to administer Access Risk Management and your SuccessFactors instance.

  7. The Locale field is set to English and is not editable.

  8. Select Validate Connection Info to test the connection.

  9. If the information provided allows Access Risk Management to successfully connect to your SuccessFactors instance, select Submit to save this information.

If testing the connection fails, correct any errors in the information entered and select Validate Connection Info to test it again. You won't be able to use the integration until Access Risk Management can successfully connect with your SuccessFactors instance.

Configuring SSO

You can contact support to request SSO integration with Access Risk Management. The available integrations are for Azure AD and SAML 2.0 Identity Providers (IdP). After you have configured your ERP account and users in Access Risk Management, those users can log in to the application using their corporate credentials.

Before contacting support, you will need to gather the following information from your IdP:

Azure AD

  • Azure AD Issuer: https://sts.windows.net/AzureADDirectoryID

  • Email addresses or User Principal Names (UPN) for all users in Access Risk Management.

SAML 2.0 Identity Providers

  • URL to download your IdP metadata OR the metadata file for Access Risk Management. Ensure the metadata includes the public key of the certificate that will be used to sign the SAML response.

  • User Name Identifiers for all Access Risk Management users.

After you've collected the above information, please contact support to activate the SSO feature on your account.

Note

If your organization is using a SAML 2.0 IdP and the metadata can only be provided in a file format, include the metadata file in your request to support.
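Before sending IdP metadata to support, it is worth confirming that it actually carries the signing certificate the SAML 2.0 section requires. The following check is an added example, not code from the product or this documentation; the entityID, location and certificate blob in the sample are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_idp_metadata(metadata_xml: str) -> dict:
    """Flag IdP metadata that lacks a usable signing certificate.

    A KeyDescriptor with no 'use' attribute counts as signing (the SAML
    metadata spec allows such a key for both uses). A blob counts only if it
    is valid base64 starting with 0x30, the DER SEQUENCE tag of every X.509
    certificate; the certificate itself is not parsed here.
    """
    root = ET.fromstring(metadata_xml)
    report = {"entity_id": root.get("entityID"), "signing_certs": 0, "problems": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        report["problems"].append("no IDPSSODescriptor: this is not IdP metadata")
        return report
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only key; irrelevant to response signing
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            blob = "".join((cert.text or "").split())
            try:
                der = base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                report["problems"].append("signing certificate is not valid base64")
                continue
            if der[:1] != b"\x30":
                report["problems"].append("signing certificate is not DER X.509")
                continue
            report["signing_certs"] += 1
    if report["signing_certs"] == 0:
        report["problems"].append("no signing certificate: the SAML response "
                                  "signature could not be verified")
    return report

# Constructed sample: the blob only mimics a DER header and is not a real certificate.
PLACEHOLDER_DER = base64.b64encode(b"\x30\x82\x00\x08placeholder").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor entityID="https://idp.example.test/saml"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{PLACEHOLDER_DER}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```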