Additional Information
Enable and Disable Account
Update the Valid From and/or Valid To dates when the account is enabled or disabled
Note
The Valid From or Valid To date must be present in the provisioning plan in the format SystemName/yyyyMMdd to update the dates when the account is enabled or disabled.
-
Example AttributeRequest for single account disable/enable:
Copy<AttributeRequest name="Valid To" op="Set " value="systemName/20230101 "/>
-
Example Attribute Request for Multiple account disable/enable:
Copy<AttributeRequest name="Valid To" op="Set">
<Value>
<List>
<String>systemNameA/20501029</String>
<String>systemNameB/20231029</String>
<String>systemNameC/20301029</String>
</List>
</Value>
</AttributeRequest>
Update the User Group and/or User Group Assignments when the account is disabled
Note
The User Group or User Group Assignments must be present in the provisioning plan in the format SystemName/<Group name> to update the dates when the account is disabled. Existing groups will be replaced with those provided in the provisioning plan.
-
Example attribute request to update the User Group:
<AttributeRequest name="User Group" op="Set">
<Value>
<List>
<String>systemNameA/GroupName1</String>
<String>systemNameB/GroupName2</String>
</List>
</Value>
</AttributeRequest>-
Example attribute request to update the User Group Assignments:
<AttributeRequest name="User Group Assignments" op="Set">
<Value>
<List>
<String>systemNameA/GroupName1a</String>
<String>systemNameA/GroupName1b</String>
<String>systemNameB/GroupName2a</String>
<String>systemNameB/GroupName2b</String>
</List>
</Value>
</AttributeRequest>-
Systems to Bypass for Disable Operations: Provide the name(s) of systems that the connector should bypass during the disable operation. The requested line item for specified systems will not be created in the GRC portal.
Remove All Roles when account is disabled
To remove all of the roles when account is disabled, select Remove All Roles When Account is Disabled option. All of the roles from the GRC user account will be removed during the disable operation.
Note
Role(s) associated with bypass systems configured during System Bypass Configuration will also be removed when Remove All Roles When Account is Disabled option is selected.
Modify Account
Note
-
This is applicable for SAP GRC AC12 SP19 and above versions.
-
Modify Attributes only supports updating the values of the attributes on the user’s highest priority connector. For example, the
Systemvalue for the user.
SAP has introduced a new process where any modifications in the user attributes reflect in GRC tables only after completing a Repository Sync Job from the GRC side.
The following steps must be performed sequentially for a successful modify operation:
-
Configure the Attribute Sync request on the user in Identity Security Cloud for the GRC source. To configure the attribute sync request, refer to Synchronizing Attributes - SailPoint Identity Services.
-
Run the Repository Object Sync job on your GRC system
-
Execute User Aggregation on your GRC source to get the updated values of the user attributes.
Provisioning Multiple Systems using User Group Attribute
The SAP GRC connector supports modification of the User Group attribute for multiple systems. To enable this functionality, follow these steps:
-
Pass the User Group attribute as a list in the provisioning plan:
Copy<AttributeRequest name="User Group" op="Set">
<Value>
<List>
<String>systemNameA/GroupName1</String>
<String>systemNameB/GroupName2</String>
</List>
</Value>
</AttributeRequest> -
Set the
setUserGroupInUserInfoflag to true in the<entry key="setUserGroupInUserInfo" value="true"/>
The
setUserGroupInUserInfois a boolean attribute.Note
ThesetUserGroupInUserInfoflag must be set to true for the provisioning of multiple systems to be supported.