Creating Provisioning Workflows
The SAP GRC Integration supports provisioning the start and end date for role assignment. The start and end dates are the values set for the startDate and endDate variables in the SAP GRC DATA Generator workflow. These dates are passed to the SAP GRC integration and then to SAP Direct for provisioning.
If the sunset/sunrise dates in IdentityIQ are used for role assignment, then these dates have to be passed to the SAP GRC DATA Generator workflow and set to the startDate and endDate variables using additional customizations.
Note
The same start and end date is applied to all the roles requested.
Note
Precedence is given to Sunrise and Sunset Dates. To support this feature, import the ‘SAP GRC Data Generator’ workflow and ‘Set Date SAP GRC Role’ from the examplesRules.xml file. Ensure that the customizations are done.
Note
By default, if no dates are provided, then the startDate is the currentDate and endDate is 31/12/9999.
Perform the following changes on IdentityIQ workflows to support start and end date for role assignment:
- Go to the application debug page and select Workflow.
- Open Provisioning Approval Subprocess and add the following:
  - Workflow variables:
    <Variable name="endDate" output="true">
      <Description>End date of the role assignment.</Description>
    </Variable>
    <Variable name="startDate" output="true">
      <Description>Start date of the role assignment.</Description>
    </Variable>
  - Search for SAP GRC Data Generator and add the following entries before <Workflowref> <Step> section:
    <Return name="endDate" to="endDate"/>
    <Return name="startDate" to="startDate"/>
- Open Approve and Provision Subprocess and add the following:
  - Workflow variables:
    <Variable name="endDate" output="true">
      <Description>End date of the role assignment.</Description>
    </Variable>
    <Variable name="startDate" output="true">
      <Description>Start date of the role assignment.</Description>
    </Variable>
  - Search for the Provisioning Approval Subprocess entry and add the following entries before <Workflowref>:
    <Return name="endDate" to="endDate"/>
    <Return name="startDate" to="startDate"/>
  - Search for the Identity Request Provision entry and add the following arguments to the existing list of arguments in <Step> with name Provision:
    <Arg name="endDate" value="ref:endDate"/>
    <Arg name="startDate" value="ref:startDate"/>
- Open Identity Request Provision and add the following:
  - Workflow variables:
    <Variable name="endDate" output="true">
      <Description>End date of the role assignment.</Description>
    </Variable>
    <Variable name="startDate" output="true">
      <Description>Start date of the role assignment.</Description>
    </Variable>
  - Search for the Provision with retries entry and add the following arguments to the existing list of arguments in <Step> with name Provision:
    <Arg name="endDate" value="ref:endDate"/>
    <Arg name="startDate" value="ref:startDate"/>
- Go to Setup > Business Process > Provision with retries > Process Variables.
- Select Add a New Variable and enter the data for the following:
  - Name: endDate
  - Description: End date of the role assignment
  - Select Output.
  - Save the form.
- Select Add a New Variable and enter the data for the following:
  - Name: startDate
  - Description: Start date of the role assignment.
  - Select Output.
  - Save the form.
- Right-click on Start Step and select Edit Step:
  - In the Arguments section, add the arguments endDate and startDate with their respective Reference fields.
  - Save the step.
- Select Add A Step.
- Select Generic.
- Drag and drop the Generic step (in Auto Layout) after the Start Step.
- Select Save.
- Right-click on Generic and select Edit Step and then provide the following values in the Details section:
  - Name: Set Dates for SAP Roles
  - Rule: (select under Action section) Set Date SAP GRC Role Assignment
  - In the Arguments section, add the arguments endDate, startDate, and project with their respective Reference fields.
  - Save the form.
- Right-click Start Step and perform the following:
  - Start the transition and end that transition on the Set Dates for SAP Roles step.
  - Save the changes.
- Right-click on the Set Dates for SAP Roles step and perform the following:
  - Start the transition and end that transition on the Initialize Retries step.
  - Save the changes.
- Go to the application debug page, and search for the following in the Provision with retries workflow. After the <Arg> tags of the Set Dates for SAP Roles step, before transitioning to the Initialize Retries step, add the following return statement:
    <Return name="project" to="project"/>
- Import the Set Date SAP GRC Role Assignment rule from examplerules.xml, which is used to add date arguments to the provisioning project.
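An added check for the steps above (example code, not part of the SailPoint documentation or product): it parses a workflow exported from the debug page and reports where the startDate/endDate variables, <Arg> entries or <Return> entries are missing. This matters because, per the note above, a request that arrives without dates gets an end date of 31/12/9999. The sample XML is constructed and simplified, the function and parameter names are hypothetical, and the code assumes <Variable> and <Step> are direct children of <Workflow>.

```python
import xml.etree.ElementTree as ET

DATES = ("startDate", "endDate")

# Constructed, simplified workflow export (not a real IdentityIQ export).
# The Provision step deliberately lacks the startDate argument.
SAMPLE = """
<Workflow name="Identity Request Provision">
  <Variable name="endDate" output="true">
    <Description>End date of the role assignment.</Description>
  </Variable>
  <Variable name="startDate" output="true">
    <Description>Start date of the role assignment.</Description>
  </Variable>
  <Step name="Provision">
    <Arg name="project" value="ref:project"/>
    <Arg name="endDate" value="ref:endDate"/>
  </Step>
</Workflow>
"""

def check_workflow(xml_text, arg_steps=(), return_steps=()):
    """Return findings for date plumbing missing from one workflow.

    arg_steps: names of steps that must carry <Arg name=X value="ref:X"/>.
    return_steps: names of steps that must carry <Return name=X to="X"/>.
    """
    root = ET.fromstring(xml_text)
    findings = []
    # Both dates must be declared as workflow variables with output="true".
    declared = {v.get("name"): v.get("output") for v in root.findall("Variable")}
    findings += [f"Variable {d}: missing or not output" for d in DATES
                 if declared.get(d) != "true"]
    steps = {s.get("name"): s for s in root.findall("Step")}
    checks = [(n, "Arg", "value", "ref:") for n in arg_steps]
    checks += [(n, "Return", "to", "") for n in return_steps]
    for name, tag, attr, prefix in checks:
        step = steps.get(name)
        if step is None:
            findings.append(f"Step {name}: not found")
            continue
        found = {e.get("name"): e.get(attr) for e in step.findall(tag)}
        findings += [f"Step {name}: {tag} {d} missing" for d in DATES
                     if found.get(d) != prefix + d]
    return findings

if __name__ == "__main__":
    for line in check_workflow(SAMPLE, arg_steps=("Provision",)):
        print(line)
```

Run it once per edited workflow, passing the step names that the procedure says should carry the arguments or returns.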
Upgrade Considerations
When upgrading IdentityIQ to version 8.2, 8.1 Patch 4, or 8.0 Patch 5, perform the steps above.
Note
Ensure that the steps mentioned in Support for Provisioning Start and End Date for Role Assignment are performed.
To configure provisioning of sunrise and sunset dates using role assignment:
- The request is sent to SAP GRC for a proactive check.
- The ARA Web Service checks for risk present in the request.
  - If no risk is returned, then IdentityIQ continues provisioning the request, setting the role start date as the sunrise date and the end date as the sunset date (once the sunrise date is reached).
  - If the ARA Web Service returns a risk in the request, then the corresponding request is created in SAP GRC using the ARM Web Service. It is created on the same date the request is triggered, with the role start date as the sunrise date and the end date as the sunset date.
- IdentityIQ continues polling the request until a response is issued by SAP GRC.
- Based on the response (approval or rejection by SAP GRC), IdentityIQ either continues with the provisioning request, setting the role start date as the sunrise date and the end date as the sunset date once the sunrise date is reached, or rejects the request.
- If the request is approved and the sunset date is reached, IdentityIQ deprovisions the role.
Upgrade Considerations
This functionality is present out of the box for new integrations. For users upgrading to a release of IdentityIQ with this functionality, perform the steps mentioned above.