Integrating SailPoint with SAP GRC

This integration is used to leverage SAP GRC's ability to perform SOD (Separation of Duties) checks and take remediation or mitigation decisions within the SAP GRC. The mitigation decision must be taken in SAP GRC so that SAP GRC is aware of the mitigation controls, which are applied on risks, and would not report these risks until the time mitigation is applicable.

The SAP GRC connector enables checking for risk in the request placed in IdentityIQ (containing SAP Direct Roles and Profiles) using the following method:

1. Request is sent to SAP GRC for proactive check.

2. ARA Web Service checks for risk present in the request, if no risk is returned then IdentityIQ continues provisioning the request.

3. If ARA Web Service returns a risk in the request, then a corresponding request is created in SAP GRC using the ARM Web Service.

4. IdentityIQ continues polling the request until a response issued by SAP GRC.

5. On the basis of the response returned in the previous step (approval or rejection by SAP GRC), IdentityIQ continues with provisioning or rejects the request.

This integration is used to aggregate all the Users and Roles from the systems (SAP SCM, JAVA, SAP ERP HCM, and so on) connected to SAP GRC and facilitates their provisioning by creating requests in GRC irrespective if there is risk present or not, as illustrated in the following figure:

The figure explains the following methods:

1. User Aggregated from the GRC connected system.

2. Roles Aggregated from the GRC connected system.

3. Request sent for adding or removing access to the connected system.

4. Access Request ID created in GRC.

5. Requests wait and are queued until a response is issued by SAP GRC.

6. On the basis of the response returned from SAP GRC (approval or rejection in GRC ), SAP GRC provisions or rejects the request and the corresponding status is maintained in the SAP GRC source.

The Risk Management Integration performs risk analysis which helps to find whether the requested access has violations on IdentityIQ. When a Risk Management mode is selected, only the Access Risk Analysis (ARA) module is required as compared to the Risk Analysis mode, where both the Access Risk Analysis(ARA) and the Access Request Management (ARM) modules were required. In the Access Risk Analysis and Access Request Management modules integration, when the end user requests access from IdentityIQ the request goes though IdentityIQ approvals. Once it is approved on the IdentityIQ side, it goes to SAP GRC for a risk analysis check. If a violation is shown, the integration creates a request in the SAP GRC ARM for further processing. If no risk is found, the request goes ahead for provisioning the access. In the Risk Management Integration, whenever a new access request is raised it goes to the SAP GRC ARA module for risk analysis. If the requested access has any violations, a policy violation message is raised on IdentityIQ before creating the access request ticket in IdentityIQ . The requester will receive an option to remove risky entitlements, and the approver can also view the violations before approving or denying the access.

Note
SAP GRC IAG Bridge is an additional optional feature provided in the existing SailPoint SAP GRC connector. An existing SailPoint SAP GRC connector set up is a prerequisite for this feature.

SAP GRC IAG Bridge is an additional setup on top of an existing SAP Access Control (GRC) on-premise solution, which communicates with SAP Cloud Identity Access Governance (IAG). This feature extends access governance functionality to cloud systems in a hybrid landscape.

IAG Bridge is a SAP suggested approach for the customers who have invested heavily in SAP GRC access control, but now want to provide support for cloud applications as well. This configuration helps to perform risk analysis of user requests in IAG for connected SAP cloud systems using the SAP GRC system as a bridge.

The major benefit for this integration is that the source of truth for access requests and risk analysis remains to be SAP GRC, and IAG acts as secondary system to communicate with cloud applications. Separate licenses must be procured from SAP for both GRC and IAG systems to use this feature.

• The SAP GRC connector has been enhanced to support user IDs with mixed-case and special characters, along with the support for custom delimiter characters, making it even more resilient and adaptable to a wide range of customer use cases.

• The SAP GRC Connector is undergoing expansion to encompass non-ABAP SAP systems. In this latest release, we have achieved full compatibility between SAP GRC integration and SAP Enterprise Portal.

• The SAP GRC Connector has been enhanced and is fully compatible with another non-ABAP system - SAP Process Orchestration.

• The integration of SAP GRC now provides enhanced visibility by displaying the actual requester details for associated tickets. This valuable enhancement equips approvers with comprehensive context and specific information regarding the request's purpose and origin. Consequently, this improvement streamlines the approval process, empowering approvers to make more informed and efficient decisions.

• The SAP GRC connector now offers enhanced functionality for modifying attributes associated with a user during the disable operation. This critical enhancement allows Account Disable requests to be distinguished between inactive users (leavers) and active users (leave of absence). The upgrade also ensures a seamless clean exit process by facilitating the removal of:

  • User roles

  • Configuring specific user groups during the disable operation

  • Setting a user's end date

  • Selectively disabling the account on specified systems

  In addition to streamlining the account management process, these advanced features provide greater flexibility and precision in handling different scenarios; ultimately enhancing the overall user experience and administrative control within the SAP GRC system.

• SailPoint’s SAP GRC Integration now supports Access Management Requests that are configured for Auto-Approval in the SAP GRC system.

• As a result of the table and sync job changes in SAP GRC12 SP19 and above, the Disable only master system feature in the SAP GRC connector source configuration is being deprecated. It is recommended that customers utilize the Disable All Systems Connected to SAP GRC feature for account deprovisioning instead.

• The SAP GRC integration has been improved to exclude certain systems linked to GRC from user aggregation, provisioning, and attribute update operations.

• SailPoint's SAP GRC integration now includes seamless integration with SAP ARA Service, enabling robust SOD Checks and Risk Analysis through GRC. This enhancement allows managers in IdentityIQ to view and address potential risks before submitting provisioning requests. Identified risks are displayed as Policy Violations, empowering managers to take proactive measures or engage with relevant stakeholders such as Requesters, Role Owners, and Risk Owners.

• The SailPoint SAP GRC integration for SAP GRC has been enhanced to integrate with SAP IAG. The configuration helps customers to request user and entitlement provisioning, remove user access, and perform risk analysis of user requests in IAG for connected SAP cloud systems using the SAP GRC system as a bridge.

• The SAP GRC connector now supports SAP GRC Access Control 12.0 SP26.