Supported Features
The SAP GRC integration supports the following functions:
- Aggregation of users from connected GRC systems of User Type - Dialog
  Note
  With the upgrade of GRC from AC12 SP19 and above, the SailPoint connector can show System as INACTIVE_USER for the accounts that are disabled on the highest priority system. For more information, refer to the Troubleshooting section.
- Additional attribute support in account aggregation and account provisioning:
  - Function
  - SNC Name
  - Multi-Valued User Group Assignments (multi-valued user group assignments are for account aggregation only. Use single-value User Group Assignments for authorization checks).
  - Functional Area
  These attributes are aggregated from a custom BAPI. For more information, refer to Creating a Custom Business Application Programming Interface (BAPI).
- Aggregation of the following role types from SAP GRC:
  - Business, Composite, CUA Composite, Derived, and Single Role
    Important
    Ensure business role names follow the standard naming convention with single spaces between words to avoid data loss during aggregation. For example, a role name should look like "BUPA Healthcare Manager", with single spacing between words.
  - Group
  - HANA Analytic Privileges
  - Firefighter ID Role Type (FireFighterID)
- Create and Update User
- Add / Remove Entitlement
- Enable / Disable Account
  - Update the Valid From and/or Valid To dates when the account is enabled or disabled.
  - Update the User Group and/or User Group Assignments when the account is disabled.
  - Disable All Systems Connected to SAP GRC.
  - Read-only Systems to Bypass. For more information, refer to Additional Information.
  - Remove All Roles When Account is Disabled. For more information, refer to Additional Information.
- Modify Account
  - Update of the following user attributes: FirstName, LastName, Email, Manager, EmployeeID
  For more information, refer to Modify Account.
- SailPoint SAP GRC Integration now supports Access Management Requests that are configured for Auto-Approval in the SAP GRC system.
- Display actual requester details and description on access request.
SAP GRC Access Analysis
The SAP GRC connector supports the skipSystemItem attribute. The default value is false. When it is set to true, the RequestedLineItem containing the source name is skipped in the GracIdmUsrAccsReqServices API for the Create operation. You can use the skipSystemItem attribute when a user is created through request access. It is not mandatory to pass the
IAG Bridge Supported Features
SAP GRC IAG Bridge supports the following features for accounts:
- Aggregation
  - Account
  - Groups
- Provisioning
  - Create
  - Add / Remove Entitlement
Note
The following operations are not supported by the SAP GRC IAG Bridge configuration due to API limitations and IAG design by SAP:
- Modify user attributes
- Enable/Disable user accounts
- Risk analysis/access violation visibility on the SailPoint platform
Workarounds:
- Modify user attributes: SAP provides no alternate options or APIs for managing user attributes.
- Enable/Disable user accounts: For permanently de-provisioning accounts or leaver use cases, a before provisioning rule can be used to map ‘Disable’ requests in SailPoint to the ‘Delete’ user request in IAG, as the IAG platform does not support disabling a user account.
- Risk analysis/access violation visibility on the SailPoint platform: Due to the limitations of the SAP APIs, risk or access violations cannot be shown on the SailPoint platform. Administrators need to log into GRC or IAG to check and mitigate the risks. This is in accordance with the SAP application design (SAP KBA 3492795).
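The following is an added example of the Disable-to-Delete workaround described above; it is not SailPoint's or SAP's own code. It assumes the standard before provisioning rule input `plan` of type sailpoint.object.ProvisioningPlan, the `log` object available in rule context, and an IAG Bridge source named "SAP GRC IAG Bridge" (a placeholder to replace with the real source name). Only Disable requests aimed at that one source are rewritten, so Disable keeps its normal meaning for every other source, and Enable is deliberately left alone because IAG has no counterpart for it either.

```java
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Placeholder source name (assumption): the name of the IAG Bridge source in SailPoint.
String IAG_SOURCE = "SAP GRC IAG Bridge";

// Rewrites Disable account requests for the IAG Bridge source into Delete requests,
// which is the workaround for leaver use cases because IAG cannot disable a user.
// Returns the number of requests that were rewritten so the rule can log it.
int mapDisableToDelete(ProvisioningPlan plan, String sourceName) {
    int rewritten = 0;
    if (plan == null) {
        return rewritten;
    }
    List requests = plan.getAccountRequests();
    if (requests == null) {
        return rewritten;
    }
    for (Object o : requests) {
        AccountRequest req = (AccountRequest) o;
        // Leave requests for every other source untouched; they keep their Disable semantics.
        if (!sourceName.equals(req.getApplication())) {
            continue;
        }
        if (AccountRequest.Operation.Disable.equals(req.getOperation())) {
            // IAG has no disable operation: the leaver's IAG user is removed instead.
            req.setOperation(AccountRequest.Operation.Delete);
            rewritten++;
            log.info("IAG Bridge: mapped Disable to Delete for account " + req.getNativeIdentity());
        }
        // Enable is intentionally not mapped: IAG cannot re-enable a deleted user, so the
        // request is left as-is and surfaces as unsupported rather than being silently changed.
    }
    return rewritten;
}

// Rule body: apply the mapping to the incoming plan and hand the plan back.
mapDisableToDelete(plan, IAG_SOURCE);
return plan;
```

Because a Delete is irreversible where a Disable would not be, the mapping is restricted to the IAG Bridge source by name and every rewrite is logged; reviewing those log lines after a leaver run is the quickest way to confirm the rule did not touch any other source.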
Firefighter ID Role Type
The SAP GRC connector supports the FireFighterID attribute to manage critical or emergency tasks in SAP systems. The SAP GRC connector allows you to add or remove entitlements for the FireFighterID role type. For more information, refer to Access Request Schema Attributes.
To add FirefighterID to the mapping, follow the instructions provided in step 5 of the Access Request Type Mapping configuration process. For more information, refer to Configuring Provisioning Settings.
Important
When Firefighter IDs (FFIDs) with expired validity are removed from the SAP GRC system based on the configured settings, SailPoint will process these changes in the next aggregation cycle. As a result, the removed FFIDs will continue to appear in SailPoint until the next successful aggregation is completed. This approach ensures continuity in tracking and managing FFIDs throughout the removal process, guaranteeing that the FFIDs are fully removed from all connected systems.