How to Simplify Business Role Integration in SAP Identity Management and SAP Access Control
IT organizations typically use identity management solutions to handle the large number of personnel changes that require provisioning and de-provisioning users throughout an enterprise. The process relies on technical roles that manage access to different resources. SAP Access Control provides a business role concept: users or administrators define business roles and use each one to manage a group of technical roles for a business function. The simplified integration of SAP Identity Management (SAP ID Management) and SAP Access Control described here lets you apply the business role management life cycle to technical roles that are managed in SAP ID Management.
Before this solution, there was no mechanism to synchronize role definitions between SAP ID Management and SAP Access Control. Now you can synchronize role definitions on both ends (i.e., SAP ID Management and SAP Access Control Business Role Management). The technical role definitions held in SAP ID Management are imported into SAP Access Control Business Role Management, and the simplified business role definitions are exported from SAP Access Control Business Role Management back to SAP ID Management over an asynchronous communication channel that uses SAP ID Management’s web service application programming interface (API).
An automated synchronous process is triggered from SAP Access Control to receive the technical role definitions from the SAP ID Management system.
Configure the Application Type
The first step in synchronizing role definitions between SAP ID Management and SAP Access Control Business Role Management is to configure the application type. To complete this step, execute transaction code SM30. In the screen that appears, enter GRACV_APPLTYPE in the Table/View field and click the Maintain button, as shown in Figure 1.
After you click the Maintain button, click the New Entries button (Figure 2) and enter data in the fields in the following columns:
- Appl Type: 18 (the value of 18 is for the IDM_NW system)
- Appl Type: IDM_NW
- Description: IDM NW GRC Integration
Click the save icon (not shown) to save your entries.
The system now shows that application type IDM_NW contains the relationship shown in Table 1.
Create a Connector
The next step is to create a connector. To complete this step, execute transaction code SPRO and follow menu path Governance, Risk and Compliance > Common Component Settings > Integration Framework > Create Connectors.
In the screen that appears (Figure 3) select Connection Type G. Enter data in the RFC (Remote Function Call) destination, Description, Target Host, Path Prefix, and Service No. fields.
Select the Logon & Security tab and enter data in the User and Password fields. Click the save icon to save the entry.
Create a Connection Type
Now you are ready to create a connection type. To complete this step, execute transaction code SPRO and follow menu path Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types.
In the initial screen that appears, click the New Entries button and then enter data in these two fields:
- Connection Type: IDM_NW
- Description: IDM NW and GRC Integration
Now on the left side of the screen, click the Define Connectors folder and click the New Entries button. In the refreshed screen, assign the newly created connector to the newly created Connection Type, IDM_NW, and click the save icon.
Click the Define Connector Groups folder on the left side and click the New Entries button. In the refreshed screen enter the new connector group (e.g., IDM_NW_GRC) and in the field under the Con. Type column, enter the newly created connection type, IDM_NW.
Now select the created connector group and click the Assign Connectors to Connector Groups folder (Figure 4).
Click the New Entries button and enter the newly created connectors. Click the save icon to save your data.
Configure the Connection Setting and Scenario Handler
The next step is to configure the connection setting and set up the scenario handler. To complete this step, execute transaction code SPRO and follow menu path Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connection Settings.
In the screen that appears (Figure 5) select AUTH as the Work Area and click the enter icon (the green check mark).
Select Sub Scenario AUTH. Now on the left side of the screen, click the Scenario-Connection Type Link folder and click the New Entries button. Populate the following fields as shown in Figure 6.
- Con. Type (connection type): IDM_NW
- Class/Interface: CL_GRAC_AD_AUTH_MGMT_IDM_NW
Click the save icon to save your entries.
Configure the Scenario Connector
Now you are ready to configure the scenario connector. To complete this step, execute transaction code SPRO and follow menu path Governance, Risk and Compliance > Common Component Settings > Integration Framework > Maintain Connection Settings.
In the screen that appears, select ROLM in the Integration Scenario field and ROLMG (instead of AUTH) in the Sub Scenario field, as shown in Figure 7. Now on the left side of the screen, click the Scenario-Connection Type Link folder and then click the New Entries button. In the refreshed screen, enter the newly created connector as the target connector and select the newly created connection type, as shown in Figure 7.
Click the save icon to save your data.
Configure Settings for the Default Process for Role Management
Now you need to configure settings for the default process for role management. To complete this step, execute transaction code SPRO and follow menu path Governance, Risk and Compliance > Access Control > Maintain Configuration Settings. In the screen that appears define settings as shown in Table 2.
Click the save icon.
Configure Connector Settings
Now you need to configure connector settings. To complete this step, execute transaction code SPRO and follow menu path Governance, Risk and Compliance > Access Control > Maintain Connector Settings. In the screen that appears click the New Entries button and then enter the newly created connector and assign it to Application Type 18 and target connector IDM_NW as shown in Figure 8.
Configure Mapping for Actions and Connector Groups
To complete this next step, execute transaction code SPRO and follow menu path Governance, Risk and Compliance > Access Control > Maintain Mapping for Actions and Connector Groups.
In the screen that appears click the New Entries button and enter the newly created Connector Group. Assign it to Application Type 18 and connection group IDM_NW as shown in Figure 9.
Now on the left side of the screen, click the Assign default connector to connector group folder and click the New Entries button. In the refreshed screen, enter the newly created connector group, assign it Action 2 and the newly created connector, and mark that connector as the default.
Click the save icon to save your settings.
Create an Application Log
Now you create an application log. To complete this step, execute transaction code SLG0, select object GRAC, and click the New Entries button. In the next screen enter data in the following fields:
- Sub object: BRM
- Sub object text: Business Role Management
Click the save icon to save your data.
The application log records the Export Business Roles process and the Business Role Modification Notification.
Synchronize Jobs
There are three jobs:
- Role
- User and User Role Assignment
- Action (Authorization)
The jobs are carried out via the adapter engine (mainly in full mode, as SAP ID Management requires).
Synchronize Technical Roles to the SAP Access Control Repository
Now you synchronize technical roles from SAP ID Management to obtain the technical role definitions from all SAP ID Management connectors. These connectors must be defined in SAP Access Control with the new connection type and connector group.
Currently, SAP ID Management does not contain authorization data; therefore, each technical role must be mapped to an Action for risk analysis.
Synchronize Users to the SAP Access Control Repository
Users and user role assignments are synchronized into the SAP Access Control repository through REST API calls.
Synchronize Action to the SAP Access Control Repository
Call the REST API to retrieve the role list and then map each role name to an Action.
The jobs for synchronizing users, roles, and profiles are available under the IMG configuration, as are the jobs for Action Usage Sync and Role Usage Sync shown in Figure 10.
The details for repository object synchronization are shown in Figure 11. In the Connector field, select the target system from which the data is to be synchronized, and start the Role, Profile, and User Synchronization in either Incremental Sync Mode or Full Sync Mode, as required.
After the synchronization jobs finish, the role data is imported into Business Role Management, where business roles are created. This data is then pushed back to the SAP ID Management system.
The major building blocks for importing these roles are shown in Figure 12.
Export Business Roles
SAP Access Control provides a generic RFC to export the business role definitions to SAP ID Management. The field mapping is done on the SAP ID Management side. There are two modes:
- Full Load: the initial load, run with an initial (empty) input timestamp
- Incremental Load: the periodic job
After receiving the exported business roles, SAP ID Management initiates further processing on those roles accordingly.
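The two sections above (synchronizing technical roles and mapping them to Actions, and exporting business roles in Full Load or Incremental Load mode) can be modelled end to end. The following is an added example written for this page; it is not SAP code and does not call the real SAP ID Management REST API or the SAP Access Control RFC. The technical role list, the business roles, the timestamps and the connector name IDM_NW_CONN are all constructed sample data. It shows the one-to-one role-name-to-Action mapping the text describes, the full-versus-incremental decision made on whether the input timestamp is initial, and the consistency check a defender wants: a business role that references a technical role the sync did not deliver is reported rather than silently exported.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data (not a real SAP ID Management payload): technical roles as
# returned by the role-list REST call that the Action synchronization job uses.
TECHNICAL_ROLES = [
    {"name": "Z_FI_AP_POST", "connector": "IDM_NW_CONN"},
    {"name": "Z_FI_AP_APPROVE", "connector": "IDM_NW_CONN"},
    {"name": "Z_MM_PO_CREATE", "connector": "IDM_NW_CONN"},
]


@dataclass
class BusinessRole:
    """A business role as kept in Business Role Management (constructed model)."""
    name: str
    technical_roles: list
    changed_at: datetime  # last modification; drives the incremental export watermark


# Constructed sample business roles. BR_SALES references a technical role that the
# technical-role sync did not return, which is the inconsistency the export must catch.
BUSINESS_ROLES = [
    BusinessRole("BR_AP_CLERK", ["Z_FI_AP_POST"],
                 datetime(2024, 1, 10, tzinfo=timezone.utc)),
    BusinessRole("BR_AP_MANAGER", ["Z_FI_AP_POST", "Z_FI_AP_APPROVE"],
                 datetime(2024, 1, 20, tzinfo=timezone.utc)),
    BusinessRole("BR_SALES", ["Z_SD_ORDER_CREATE"],
                 datetime(2024, 2, 1, tzinfo=timezone.utc)),
]


def map_roles_to_actions(technical_roles):
    """Action sync: SAP ID Management carries no authorization data, so each
    technical role name is mapped one-to-one to an Action for risk analysis."""
    actions = {}
    for role in technical_roles:
        actions[role["name"]] = {"action": role["name"], "connector": role["connector"]}
    return actions


def missing_technical_roles(business_role, actions):
    """Technical roles the business role references but the sync did not deliver."""
    return [t for t in business_role.technical_roles if t not in actions]


def export_business_roles(business_roles, actions, since: Optional[datetime]):
    """Generic export in the two modes the article describes: Full Load when the
    input timestamp is initial (None), Incremental Load otherwise."""
    mode = "FULL" if since is None else "INCREMENTAL"
    # Full load takes every role; incremental load takes only roles changed after 'since'.
    candidates = [r for r in business_roles if since is None or r.changed_at > since]
    exported, skipped = [], []
    for role in candidates:
        missing = missing_technical_roles(role, actions)
        if missing:
            # Do not push a business role whose technical roles are unknown downstream;
            # report it so the inconsistency is fixed instead of propagated.
            skipped.append((role.name, missing))
        else:
            exported.append({"name": role.name, "technical_roles": list(role.technical_roles)})
    # New watermark for the next periodic run; unchanged when nothing was in the window.
    watermark = max((r.changed_at for r in candidates), default=since)
    return {"mode": mode, "roles": exported, "skipped": skipped, "watermark": watermark}


if __name__ == "__main__":
    actions = map_roles_to_actions(TECHNICAL_ROLES)
    initial = export_business_roles(BUSINESS_ROLES, actions, since=None)
    print(initial["mode"], [r["name"] for r in initial["roles"]], initial["skipped"])
    periodic = export_business_roles(BUSINESS_ROLES, actions, since=initial["watermark"])
    print(periodic["mode"], [r["name"] for r in periodic["roles"]], periodic["skipped"])
```

The skipped list is the point of the check: in the real integration a dangling technical role reference would surface as a business role that provisions nothing, or the wrong thing, on the SAP ID Management side, so the export reports it for follow-up (the modification notification described later in this article is the natural place to route it) rather than dropping it silently.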
The Overall Flow
Here is an overview of the process flow:
- Sync action
- Sync user and user assignment
- Sync the technical role: enhance the current Repository Role Sync job to include Import Roles by defining an optional flag
- Business role export: provide a generic RFC for exporting selected business roles
- Modify the UI for manually importing the role; send a notification when the business role is modified
Figure 13 diagrams the process flow.
Note that, previously, synchronization of business role definitions from SAP ID Management to SAP Access Control was not supported, so users had to maintain the business role definitions separately in SAP ID Management and SAP Access Control. These separate processes led to redundant maintenance and inconsistencies.
With this new mechanism, the business role definition is maintained in one place and synchronized across the complete landscape.
This new approach provides users with two advantages:
- There is now one repository for maintaining the business roles across the user’s landscape. Previously, in most scenarios in which the user was connected to SAP ID Management, the role repository had to be maintained separately in both SAP ID Management and SAP Access Control, which made integration maintenance very tedious and time-consuming. With this new approach, most users try to integrate SAP ID Management with SAP Access Control and take advantage of both in solving their compliance issues.
- Using SAP ID Management and SAP GRC systems together enables you to manage roles effectively across your SAP landscapes.