Integrating SailPoint with SAP GRC

Revised Date: 22 March 2024

Note

IdentityIQ connector information is now available as online help and PDF. The online help describes the latest updates for the connector.

To find documents related to a specific version of IdentityIQ, refer to the Supported Connectors for IdentityIQ page on Compass.

Configuration details for connectors may vary not only by release version but also by patch version. Be sure to refer to the correct documentation for your specific release and patch level.

Warning
Our SAP integration does not currently support SAP GRC12 SP19 and above. If you are planning to upgrade your GRC instance to SP19 or above, the upgrade will break your existing integration. Aggregation and provisioning workflows will not work properly. For more information, refer to SAP GRC Critical Update.

This document is designed to provide the information required to configure a working instance of a SAP GRC connector for SailPoint. This connector supports:

This integration is used to leverage SAP GRC's ability to perform SOD (Separation of Duties) checks and take remediation or mitigation decisions within the SAP GRC. The mitigation decision must be taken in SAP GRC so that SAP GRC is aware of the mitigation controls, which are applied on risks, and would not report these risks until the time mitigation is applicable.

The SAP GRC connector enables checking for risk in the request placed in IdentityIQ (containing SAP Direct Roles and Profiles) using the following method:

  1. Request is sent to SAP GRC for proactive check.

  2. ARA Web Service checks for risk present in the request, if no risk is returned then IdentityIQ continues provisioning the request.

  3. If ARA Web Service returns a risk in the request, then a corresponding request is created in SAP GRC using the ARM Web Service.

  4. IdentityIQ continues polling the request until a response issued by SAP GRC.

  5. On the basis of the response returned in the previous step (approval or rejection by SAP GRC), IdentityIQ continues with provisioning or rejects the request.

This integration is used to aggregate all the Users and Roles from the systems (SAP SCM, JAVA, SAP ERP HCM, and so on) connected to SAP GRC and facilitates their provisioning by creating requests in GRC irrespective if there is risk present or not, as illustrated in the following figure:

The figure explains the following methods:

  1. User Aggregated from the GRC connected system.

  2. Roles Aggregated from the GRC connected system.

  3. Request sent for adding or removing access to the connected system.

  4. Access Request ID created in GRC.

  5. Requests wait and are queued until a response is issued by SAP GRC.

  6. On the basis of the response returned from SAP GRC (approval or rejection in GRC ), SAP GRC provisions or rejects the request and the corresponding status is maintained in the SAP GRC source.

  • Supports user IDs with mixed-case and special characters, along with the support for custom delimiter characters.

  • Support for SAP Portal as connected systems.

  • Allows users to update the Valid From or Valid To date when enabling or disabling an account.

  • Displays the actual requester details for associated tickets.

  • Is fully compatible with another non-ABAP system; SAP Process Orchestration.

  • Enhanced functionality for modifying attributes associated with a user during the disable operation.