Supported Features
The SAP GRC integration supports the following functions:
- Aggregation of users from connected GRC systems of User Type - Dialog

    Note: With the upgrade of GRC from AC12 SP19 and above, the SailPoint connector can show System as INACTIVE_USER for the accounts that are disabled on the highest priority system. For more information, refer to the Troubleshooting section.

- Additional attribute support in account aggregation and account provisioning:
    - Function
    - SNC Name
    - Multi-Valued User Group Assignments (multi-valued user group assignments are for account aggregation only. Use single use User Group Assignments for authorization checks).
    - Functional Area

    These attributes are aggregated from a custom BAPI. For more information, refer to Creating a Custom Business Application Programming Interface (BAPI).

- Aggregation of the following role types from SAP GRC:
    - Business, Composite, CUA Composite, Derived, and Single Role
    - Group
    - HANA Analytic Privileges
- Create and Update User
- Add and Remove Entitlement
- Enable and Disable Account
    - Update the Valid From and/or Valid To dates when the account is enabled or disabled.
    - Update the User Group and/or User Group Assignments when the account is disabled.
    - Disable All Systems Connected to SAP GRC.
        - Read-only Systems to Bypass. For more information, refer to Additional Information.
    - Remove All Roles When Account is Disabled. For more information, refer to Additional Information.
- Modify Account
    - Update of the following user attributes
        - FirstName
        - LastName
        - Email
        - Manager
        - EmployeeID

    For more information, refer to Modify Account.

- SailPoint SAP GRC Integration now supports Access Management Requests that are configured for Auto-Approval in the SAP GRC system.

SAP GRC Access Analysis
The SAP GRC connector supports the skipSystemItem attribute. The default value is false. When it is set to true in the application XML, the first item in RequestedLineItem containing the source name is skipped in the GracIdmUsrAccsReqServices API for the Create operation. You can use the skipSystemItem attribute when a user is created through request access. It is not mandatory to pass the source name (system name) in your environment.