FAQs
This Frequently Asked Questions (FAQs) section provides answers to the most commonly asked questions for ServiceNow Catalog for
Answer: With the ongoing digital transformation, there is a considerable shift of business functionality from on-premise to cloud systems. SAP IAG Bridge connects the SAP Access Control (GRC) solution with SAP Cloud Identity Access Governance (IAG) to extend access governance functionality into the cloud. This solution is built on the SAP cloud platform powered by the HANA database.
A GRC IAG Bridge connection enables SAP Access Control to create access requests and perform risk analysis for a hybrid landscape. The access risks of the user (SOD risks and critical access risks) are shown on the GRC UI. For more information, refer to the SAP IAG product documentation.
The following table provides a high-level comparison of the interrelated modules and some brief information about each of them.
SAP Access Control | Function | SAP IAG | Function |
---|---|---|---|
Access risk analysis (ARA) | Access analysis for on-premise systems, ruleset management. | Access analysis | Access analysis for on-premise and cloud, limitation to user and roles, ruleset management. |
Business role management (BRM) | Role management and business roles | Role design | Business roles for hybrid landscapes. |
Access request management (ARM) | Fully customizable and extendable access request workflows. | Access request | Predefined set of workflows with limited configuration capabilities. |
Emergency access management (EAM) | Firefighter for ABAP on-premise SAP systems (for example, ABAP-based systems or SAP HANA database). | Privileged access management | Firefighter for ABAP systems. |
User access review (UAR) and SOD risk review | Customizable UAR and SOD risk review workflows through ARM. | Access certification | Campaigns to review user access. |
Answer: Yes, a separate license must be procured from SAP for both the SAP GRC and IAG instances to maintain the bridge setup.
Answer: SAP does not support the Disable operation for the GRC IAG Bridge setup, but it does support the Delete operation. SailPoint
The following is a reference before-provisioning rule:
{lifecycle_state_name} - Your Lifecycle state name
```java
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.api.IdentityService;

try {
    List accountRequests = plan.getAccountRequests();
    application.setAttribute("isDeleteUser", true);
    if (accountRequests != null) {
        for (AccountRequest accountRequest : accountRequests) {
            AccountRequest.Operation op = accountRequest.getOperation();
            if (op == null) continue;
            Identity identity = plan.getIdentity();
            // Only Disable requests are rewritten; all other operations pass through unchanged.
            if (identity != null && op == AccountRequest.Operation.Disable) {
                // Check if account has entitlements
                IdentityService is = new IdentityService(context);
                List links = is.getLinks(identity, application);
                if (links != null) {
                    for (Link link : links) {
                        if (link != null) {
                            Object rolesAssigned = link.getAttribute("Roles");
                            // Refuse to delete an account that still holds roles.
                            if (rolesAssigned != null) {
                                throw new UnsupportedOperationException("Unable to delete account " + identity.getName() + " please remove all entitlements and try again.");
                            }
                        }
                    }
                }
                // The bridge does not support Disable, so convert the request to Delete.
                accountRequest.setOperation(AccountRequest.Operation.Delete);
            }
        }
    }
} catch (UnsupportedOperationException ex) {
    // Surface the "remove all entitlements" failure to the caller.
    throw ex;
} catch (Exception e) {
    // Do not fail silently: record why the Disable request was not converted.
    log.error("Before provisioning rule failed while converting Disable to Delete", e);
}
```
Answer: SAP does not support setting valid from/valid to dates for connected cloud applications. See SAP KBA 3357215.
Answer: According to SAP, IAG bridge configuration does not support nested business roles, so it's recommended to avoid placing one business role inside another.