SAP GRC Workflows
The standard LCM provisioning workflow does not support the SAP GRC integration. The following custom workflows are shipped with IdentityIQ to support this integration:
- SAP GRC Data Generator
- SAP GRC Request Executor
SAP GRC Data Generator
This workflow fetches the following information from IdentityIQ:
- Details of the user for whom access is requested.
- Details of the user who is requesting the access.
- Details of the access that is requested.
The SAP GRC Data Generator subprocess has a custom script to fetch these values, which you can change as per your requirements.
Important
The parameters and their respective descriptions are listed in the following format:
Parameter: Description of the parameter.
- Name of the identity object being modified.
- A master provisioning plan object required for building the transient approval set for the SAP GRC response.
- A ProvisioningProject object describing the modifications to the identity. This may include a list of Question objects that cause the generation of a Form and a WorkItem to solicit additional information necessary for provisioning.
- Display name for the identity.
- Name of the application created of type SAPGRC.
- This attribute is set during the Build Approval Set step, which builds this list by going through the ProvisioningPlan to build the line items that must be approved. This variable includes all ApprovalItems that are part of the request process. It is updated during the AfterScript of the approval process by assimilating the decisions and comments from the Approvals copy of the ApprovalItem.
- Used for debugging this workflow. When set to true, the trace is sent to stdout.
- Requester who initiated the request.
- A comma-separated string of Report Types used for SAP GRC proactive checks.
- A comma-separated string of Risk Level numbers used for SAP GRC proactive checks.
- A Rule Set ID for the SAP GRC proactive check.
- Map that contains the IdentityIQ Business roles and their associated startDate and endDate.
- Map whose keys are entitlements and whose values are lists of the IdentityIQ Business roles to which each entitlement belongs.
For more information about the support for additional parameters, refer to Configuring Additional Data Generator Workflow Parameters.
- Map used to keep all other maps required by SAP GRC Request Executor.
- Map used to provide details of the link for which the access request is created.
- A map with details of the roles which are requested for a link.
- Map containing the credential values used to connect to the SAP GRC server.
- Map containing values of the requester.
- Map containing user group details.
- A list of SAP Direct AccountRequests which qualify for the SAP GRC violation check.
- Map containing custom values of the requester.
- Map containing parameter values to be set.
- Language used by the requester. The default is English.
The Invoke SAP GRC Request Executor step of the SAP GRC Data Generator workflow invokes the SAP GRC Request Executor workflow.
SAP GRC Request Executor
The SAP GRC Request Executor workflow proactively checks for Access Request Risk with the SAP GRC server. If risk is found, it then creates the request on the SAP GRC server and regularly checks the status of the request. Since this workflow checks the status of the response at a regular interval, variables related to such polling are defined here. You can change these variables as per your requirements.
Important
The parameters and their respective descriptions are listed in the following format:
Parameter: Description of the parameter.
- The number of retries that will be attempted before the provisioning activities fail.
- A comma-separated string that specifies the errors which will be retried while getting the status of the request.
- This attribute is set during the Build Approval Set step, which builds this list by going through the ProvisioningPlan to build the line items that must be approved. This variable includes all ApprovalItems that are part of the request process. It is updated during the AfterScript of the approval process by assimilating the decisions and comments from the Approvals copy of the ApprovalItem.
- A master provisioning plan object required for building the transient approval set for the SAP GRC response.
- Display name for the identity.
- The map containing UserGroup data required as an input for the SAP GRC User Access Web service.
- The map containing CustomFieldsVal data required as an input for the SAP GRC User Access Web service.
- A list containing Parameter data required as an input for the SAP GRC User Access Web service.
- A map containing RequestHeaderData required as an input for the SAP GRC User Access Web service.
- A map to store the credential information that is gathered from the SAP GRC application.
- A list containing RequestedLineItem data required as an input for the SAP GRC User Access Web service.
- A list containing UserInfo data required as an input for the SAP GRC User Access Web service.
- SAP System Language.
- The request status map containing the status information of the request received from the Request Detail Web service.
- The Axis2 connection timeout for the Web service call. This field accepts the value in minutes.
- The request number received after successful execution of the User Access Web service. This request number is used by the Request Detail Web service for polling.
- The polling interval, in minutes, at which the status of the request is checked.
- Used for debugging this workflow. When set to true, the trace is sent to stdout.
- Holds the user information and header information used to generate the request detail stub.
- ProvisioningProject, which is a compiled version of the ProvisioningPlan.
Important
The parameters and their respective descriptions are listed in the following format:
Parameter: Description of the parameter.
- This attribute is set during the Build Approval Set step, which builds this list by going through the ProvisioningPlan to build the line items that must be approved. This variable includes all ApprovalItems that are part of the request process. It is updated during the AfterScript of the approval process by assimilating the decisions and comments from the Approvals copy of the ApprovalItem.
- The request status map containing the status information of the request received from the Request Detail Web service.
- Audit log for the particular request.
Skipping the Proactive Access Request Check
You can configure IdentityIQ to skip the proactive access check by setting the skipProactiveCheck attribute to true. By default, this attribute is set to false.
If you skip the proactive check, IdentityIQ doesn't execute the ARA web service, GracIdmRiskWoutNoServices. As a result, request IDs are created for all roles awaiting assignment by the GRAC_USER_ACCES_WS service, even if the roles don't have any risks.
To configure IdentityIQ to skip the proactive access request check:
- Add the following to the SAP GRC XML file:
  <entry key="skipProactiveCheck">
    <value>
      <Boolean>true</Boolean>
    </value>
  </entry>
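Because setting skipProactiveCheck to true bypasses the ARA risk analysis, a reviewer auditing an environment will want a quick way to read the effective value out of the application's XML export. The following is an added example written for this page, not SailPoint's code; it assumes the attribute sits in the application's Attributes map as an entry with either a nested Boolean value (the form shown above) or an inline value attribute, and the two sample XML documents are constructed for the demo.

```python
"""Added example (not SailPoint's code): read the effective skipProactiveCheck
setting from an IdentityIQ SAP GRC application XML export and summarise the
risk-relevant consequence. The Attributes/Map layout and the inline
value="..." form are assumptions; both sample documents are constructed."""
import xml.etree.ElementTree as ET

# Constructed sample: the attribute set to true, in the nested form shown in the documentation.
SAMPLE_APP_XML_SKIP = """<Application name="SAP GRC Demo" type="SAPGRC">
  <Attributes>
    <Map>
      <entry key="skipProactiveCheck">
        <value>
          <Boolean>true</Boolean>
        </value>
      </entry>
    </Map>
  </Attributes>
</Application>
"""

# Constructed sample: the attribute is absent, so the documented default (false) applies.
SAMPLE_APP_XML_DEFAULT = """<Application name="SAP GRC Demo" type="SAPGRC">
  <Attributes>
    <Map>
      <entry key="someOtherSetting" value="x"/>
    </Map>
  </Attributes>
</Application>
"""


def read_skip_proactive_check(xml_text: str) -> bool:
    """Return the effective value of skipProactiveCheck; absent means False (the default)."""
    root = ET.fromstring(xml_text)
    for entry in root.iter("entry"):
        if entry.get("key") != "skipProactiveCheck":
            continue
        # Inline form (assumed): <entry key="skipProactiveCheck" value="true"/>
        if entry.get("value") is not None:
            return entry.get("value").strip().lower() == "true"
        # Nested form as documented: <value><Boolean>true</Boolean></value>
        boolean = entry.find("./value/Boolean")
        if boolean is not None and boolean.text:
            return boolean.text.strip().lower() == "true"
    return False


def audit_application(xml_text: str) -> dict:
    """Summarise what the setting means for a reviewer of this application."""
    skip = read_skip_proactive_check(xml_text)
    root = ET.fromstring(xml_text)
    return {
        "application": root.get("name"),
        "skipProactiveCheck": skip,
        # When skipped, no ARA risk analysis runs and every requested role becomes a
        # GRC request, so the GRC approvers rather than the risk engine are the control.
        "finding": (
            "proactive risk analysis disabled; all requested roles generate GRC requests"
            if skip
            else "proactive risk analysis enabled"
        ),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_APP_XML_SKIP, SAMPLE_APP_XML_DEFAULT):
        print(audit_application(sample))
```

Run the script against a real application export by replacing the constructed samples with the file contents; an application that reports the check as disabled should be cross-checked against the approval configuration on the SAP GRC side, since that approval is then the only gate for risky roles.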
Integration workflows
The following are the custom workflows that interact with SAP GRC:
- SAP GRC Data Generator
  - Gathers all provisioning requests from IdentityIQ.
  - Filters the plans (which contain roles) from the SAP Direct application that have the SAP GRC checkbox enabled.
  - Creates a map of all the requested items that are required by SAP GRC Request Executor.
  Note
  The step that creates a map from the plan can be customized as required.
- SAP GRC Request Executor
  Performs a proactive check on the Access Request. If no risk is found for the particular Access Request, the request is provisioned; if a risk is found, the following takes place:
  - Creates a request on the SAP GRC Server.
  - Polls the request as long as it is in pending status.
  - Receives the response back from the SAP GRC Server.
  - Based on the response, this workflow decides whether or not to provision the request on the SAP Server.
  Note
  A proactive check on an Access Request displays the risks even if they were mitigated earlier. Each time mitigated risks are calculated, a request is created on SAP GRC for approval.
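To make the division of labour between the two workflows concrete, here is an added example written for this page (not SailPoint's or SAP's code) that simulates both: the Data Generator filtering a provisioning plan down to GRC-enabled SAP Direct role requests, and the Request Executor running the proactive check, creating a request only when a risk is found (or whenever skipProactiveCheck is set), polling the status with a retry budget limited to the configured retryable errors, and deciding whether to provision. FakeGrcServer, the plan fields (application, app_type, grc_enabled, roles), the status strings and the polling cap are all assumptions made for the demo, not the real IdentityIQ or SAP GRC interfaces.

```python
"""Added example (not SailPoint's or SAP's code): simulation of the SAP GRC Data
Generator and SAP GRC Request Executor workflows. FakeGrcServer, the plan fields,
the status strings and the polling cap are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class AccountRequest:
    application: str
    app_type: str        # assumed labels, e.g. "SAP Direct" or "LDAP"
    grc_enabled: bool    # the SAP GRC checkbox on the SAP Direct application
    roles: list


def data_generator(plan: list) -> dict:
    """Data Generator: keep only SAP Direct requests that carry roles and have the
    GRC checkbox enabled; return the application -> roles map the executor needs."""
    return {
        req.application: list(req.roles)
        for req in plan
        if req.app_type == "SAP Direct" and req.grc_enabled and req.roles
    }


class FakeGrcServer:
    """Stand-in for the SAP GRC web services the executor talks to (constructed)."""

    def __init__(self, risky_roles, status_sequence):
        self.risky_roles = set(risky_roles)
        # Scripted replies for successive status polls, e.g. ["TIMEOUT", "PENDING", "APPROVED"].
        self.status_sequence = list(status_sequence)
        self.created = []

    def risk_analysis(self, roles):
        """Proactive (ARA) check: the subset of roles that carry a risk."""
        return sorted(set(roles) & self.risky_roles)

    def create_request(self, roles):
        """User Access service: records the request and returns a request number."""
        self.created.append(list(roles))
        return f"REQ-{len(self.created):04d}"

    def request_status(self, request_number):
        """Request Detail service: next scripted status; transient failures raise."""
        status = self.status_sequence.pop(0) if self.status_sequence else "PENDING"
        if status in ("TIMEOUT", "CONNECT_ERROR"):
            raise RuntimeError(status)
        return status


@dataclass
class ExecutorConfig:
    max_retries: int = 3                              # retries before provisioning fails
    retryable_errors: str = "TIMEOUT,CONNECT_ERROR"  # comma-separated, as in the workflow
    skip_proactive_check: bool = False                # the skipProactiveCheck attribute
    max_polls: int = 10                               # demo cap; the workflow polls until not pending


def request_executor(server, roles, cfg):
    """Request Executor: risk check, request creation, polling and the decision."""
    retryable = {e.strip() for e in cfg.retryable_errors.split(",") if e.strip()}
    risks = []
    if not cfg.skip_proactive_check:
        risks = server.risk_analysis(roles)
        if not risks:
            # No risk found: provision directly, no GRC request is created.
            return {"decision": "provision", "request": None, "risks": []}
    # Risk found (or check skipped): create the request and poll its status.
    request_number = server.create_request(roles)
    retries_left = cfg.max_retries
    for _ in range(cfg.max_polls):
        try:
            status = server.request_status(request_number)
        except RuntimeError as err:
            # Only the configured error codes are retried, within the retry budget.
            if str(err) in retryable and retries_left > 0:
                retries_left -= 1
                continue
            return {"decision": "error", "request": request_number, "risks": risks}
        if status == "PENDING":
            continue  # real workflow: wait for the polling interval, then poll again
        decision = "provision" if status == "APPROVED" else "deny"
        return {"decision": decision, "request": request_number, "risks": risks}
    return {"decision": "error", "request": request_number, "risks": risks}


# Constructed sample plan: only the last request should reach SAP GRC.
SAMPLE_PLAN = [
    AccountRequest("Corporate LDAP", "LDAP", False, ["cn=staff"]),
    AccountRequest("SAP ECC Dev", "SAP Direct", False, ["Z_BASIS_VIEW"]),
    AccountRequest("SAP ECC Prod", "SAP Direct", True, ["Z_FI_PAYMENTS", "Z_HR_VIEW"]),
]

if __name__ == "__main__":
    requested = data_generator(SAMPLE_PLAN)
    server = FakeGrcServer(["Z_FI_PAYMENTS"], ["TIMEOUT", "PENDING", "APPROVED"])
    print(request_executor(server, requested["SAP ECC Prod"], ExecutorConfig()))
```

The retry budget only applies to errors listed in retryable_errors; any other failure ends the workflow in an error state rather than being silently retried, which mirrors the two executor parameters described above. Note also the skipProactiveCheck branch: with the check skipped, a request is created on the server even for roles the risk analysis would have cleared.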
- Import Workflow_SAPGRC_Integration.xml, located at ../WEB-INF/config, which contains the SAP GRC Data Generator and SAP GRC Request Executor workflows.
  These workflows must be integrated into the LCM provisioning workflow in the Provisioning Approval Subprocess sub-process as mentioned below:
  - Change the Provisioning Approval Subprocess by performing the following:
    - Go to the process designer and select Add A Step.
    - Select Stop.
    - Drag and drop the Stop step (in Auto Layout) after the End step.
    - Right-click the End step and select Change Icon.
    - Select Generic and select Save.
    - Right-click End and select Edit Step. Provide the following values in the Details section:
      - Name: Invoke SAP GRC Data Generator.
      - Subprocess (select under the Action section): SAP GRC Data Generator.
      Save the form.
    - Right-click the Stop step, select Edit Step and in the Details section provide the name as end. Save and close the workflow.
    - Right-click the Invoke SAP GRC Data Generator step and perform the following:
      - Start the transition and end that transition on the End step.
      - Save the changes.
  - Open the Provisioning Approval Subprocess, right-click Invoke SAP GRC Data Generator and edit the step. In the Arguments section of this step, search for identityName, identityDisplayName, project and approvalSet, and enter the values identityName, identityDisplayName, project and approvalSet respectively in the Reference fields. Save the changes.
  - Go to the application debug page and search for the following in the Provisioning Approval Subprocess workflow:
    Step icon="Default" name="Invoke SAP GRC Data Generator"
    Perform the following change:
    <Step icon="Default" name="Invoke SAP GRC Data Generator" posX="320" posY="196" resultVariable="approvalSet">
    After all the <Arg> tags, add the following before invoking the SAP GRC Data Generator workflow:
    <Return name="approvalSet" to="approvalSet"/>
    <Return name="project" to="project"/>
  - Open the SAP GRC Data Generator process and perform the following: in the Process Variable section, open the applicationNameSAPGRC variable and in the Initial value section select String and provide as the value the name of the application of type SAP GRC configured in IdentityIQ.
  - For support of sunrise and sunset dates, ensure that you complete the configuration as mentioned in Support for Sunrise and Sunset Date.
  Note
  These are sample workflows which can be customized as required.
- Import Workflow_SAPGRC_LifeCycle_Events.xml, located at ../WEB-INF/config, which includes the New Account - Joiner and Mover - Process workflows. These Lifecycle events are triggered in case of joiner and change-attribute events respectively.