Supported Features

The SAP GRC integration supports the following functions:

  • Aggregation of users from connected GRC systems of User Type - Dialog

    Note
    When GRC is upgraded to AC12 SP19 or later, the SailPoint connector may show the System attribute as INACTIVE_USER for accounts that are disabled on the highest-priority system. For more information, refer to the Troubleshooting section.

  • Additional attribute support in account aggregation and account provisioning:

    • Function

    • SNC Name

    • Multi-Valued User Group Assignments (aggregation only; for authorization checks, use the single-valued User Group Assignments attribute)

    • Functional Area

      These attributes are aggregated from a custom BAPI. For more information, refer to Creating a Custom Business Application Programming Interface (BAPI).

  • Aggregation of the following role types from SAP GRC:

    • Business, Composite, CUA Composite, Derived, and Single Role

    • Group

    • HANA Analytic Privileges

  • Create and Update User

  • Add and Remove Entitlement

  • Enable and Disable Account

    • Update the Valid From and/or Valid To dates when the account is enabled or disabled.

    • Update the User Group and/or User Group Assignments when the account is disabled.

    • Disable All Systems Connected to SAP GRC.

    • Read-only Systems to Bypass.

    For more information, refer to Additional Information.

  • Remove All Roles When Account is Disabled.

  • Modify Account

    • Update of the following user attributes

      • FirstName

      • LastName

      • Email

      • Manager

      • EmployeeID

    For more information, refer to Modify Account.

  • SailPoint SAP GRC Integration now supports Access Management Requests that are configured for Auto-Approval in the SAP GRC system.

SAP GRC Access Analysis

The SAP GRC connector supports the skipSystemItem attribute (default: false). When it is set to true in the application XML, the connector omits the first item of RequestedLineItem, the one that carries the source (system) name, from the GracIdmUsrAccsReqServices API call for the Create operation. Use skipSystemItem when users are created through access requests and passing the source name (system name) is not mandatory in your environment.

IAG Bridge Supported Features

SAP GRC IAG Bridge supports the following features for accounts:

  • Aggregation

    • Account

    • Groups

  • Provisioning

    • Create

    • Add / Remove Entitlement

Note

The following operations are not supported by the SAP GRC IAG Bridge configuration due to API limitations and IAG design by SAP:

  • Modify user attributes

  • Enable/Disable user accounts

  • Risk analysis/access violation visibility on the SailPoint platform

Workarounds:

  • Modify user attributes: SAP provides no alternative option or API for managing user attributes.

  • Enable/Disable user accounts: For permanent de-provisioning or leaver use cases, a before-provisioning rule can map ‘Disable’ requests in SailPoint to the IAG ‘Delete’ user request, because the IAG platform does not support disabling a user account.

  • Risk analysis/access violation visibility on the SailPoint platform: Due to the limitations of the SAP APIs, we cannot show the risk or access violations on the SailPoint platform. Administrators need to log into GRC or IAG to check and mitigate the risks. This is in accordance with the SAP application design (SAP KBA 3492795).
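One way to implement the Disable-to-Delete mapping described above, as an added example that is not SailPoint's or SAP's own code: it assumes a BeforeProvisioning rule (BeanShell) in which `plan` is the sailpoint.object.ProvisioningPlan being sent to the IAG Bridge source and `log` is the rule's logger, and that the rule is attached only to that source.

```java
// Added example, not SailPoint's own code. Assumes a BeforeProvisioning rule
// where "plan" is the ProvisioningPlan for the IAG Bridge source and "log" is
// the rule logger; the plan is modified in place.
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

if (plan != null && plan.getAccountRequests() != null) {
    List requests = plan.getAccountRequests();
    for (int i = 0; i < requests.size(); i++) {
        AccountRequest req = (AccountRequest) requests.get(i);
        // IAG exposes no "disable user" API, so a leaver's Disable request is
        // rewritten as a Delete request for the same native identity.
        if (AccountRequest.Operation.Disable.equals(req.getOperation())) {
            log.info("IAG Bridge: mapping Disable to Delete for "
                     + req.getNativeIdentity());
            req.setOperation(AccountRequest.Operation.Delete);
        }
        // Enable is deliberately left untouched: a deleted IAG user cannot be
        // re-enabled, it would have to be re-created through a Create request.
    }
}
```

Because the rewrite is irreversible, restrict the rule to the IAG Bridge source and confirm that only leaver workflows issue Disable requests against it.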