Integration of GRC and C-IAG

Integrating SAP Access Control 12.0 with SAP Cloud Identity Access Governance: A Step-by-Step Guide

This guide provides a comprehensive overview of integrating SAP Access Control 12.0 (GRC AC) with SAP Cloud Identity Access Governance (IAG). The integration allows GRC AC to facilitate access requests and perform risk analysis for cloud applications. If you do not have a GRC AC system, consider using the IAG Standard edition.

Prerequisites

Before beginning the integration, ensure the following steps are completed:

  1. IAG Initial Setup: Ensure that SAP Cloud Identity Access Governance is properly set up.
  2. Cloud Application Connection: Connect at least one cloud application (e.g., SAP Ariba).
  3. Repository Synchronization: Run the repository sync job in IAG for the target cloud application.
  4. Cloud Connector Setup: Complete the initial configuration, including user credentials.

Integration Process Overview

1. Connect Cloud Connector with IAG Subaccount

Action: Log in to Cloud Connector
- Navigate to Connector and click Add Subaccount.

Action: Enter Subaccount Details
- Region: Specify the region of your IAG Subaccount.
- Subaccount ID: Find this in the Overview Page.
- Display Name: Free text.
- Login Email: SAP user email.
- Password: SAP user password.
- Location ID: Optional.
- Description: Free text.

Action: Create RFC Connection
- Go to Cloud to On-Premise and add a new connection.
- Select ABAP System and RFC protocol.
- Enter GRC AC server details.
- Save configuration.
- Add the following resources:
  - Function Name: RFC_READ_TABLE
  - Naming Policy: GRAC_IAG

2. Maintain Destination for GRC AC in IAG Subaccount

Action: Create Destination
- Log in to IAG Subaccount.
- Navigate to Connectivity > Destinations > New Destinations.
- Set type to RFC.
- Choose OnPremise as Proxy Type.
- Enter RFC user credentials.
- Add the following properties:
  - jco.client.ashost
  - jco.client.client
  - jco.client.lang
  - jco.client.sysnr
- Verify connection status.
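
A pre-flight check for the RFC destination values listed above, as an added example that is not part of the original guide or of SAP's tooling: it validates a key=value record of the destination before the values are entered in the subaccount. The record format and the Type and ProxyType key names are assumptions; the jco.client.* keys are the ones the guide lists, plus jco.client.passwd, the JCo password property.

```python
import re

# Value formats for the four properties the guide lists for the RFC destination.
REQUIRED = {
    "jco.client.ashost": re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*"),  # host name
    "jco.client.client": re.compile(r"\d{3}"),        # SAP client: three digits
    "jco.client.lang": re.compile(r"[A-Za-z]{2}"),    # two-letter logon language
    "jco.client.sysnr": re.compile(r"\d{2}"),         # instance number: two digits
}

def parse_properties(text):
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint_destination(text):
    """Return sorted findings; an empty list means the record passed."""
    props = parse_properties(text)
    findings = []
    # "Type" and "ProxyType" are assumed key names for this record format.
    for key, want in (("Type", "RFC"), ("ProxyType", "OnPremise")):
        if props.get(key) != want:
            findings.append(f"{key} must be {want}")
    for key, pattern in REQUIRED.items():
        value = props.get(key)
        if value is None:
            findings.append(f"missing {key}")
        elif not pattern.fullmatch(value):
            findings.append(f"malformed {key}: {value!r}")
    # Credentials belong in the destination itself, not in a copied record.
    if "jco.client.passwd" in props:
        findings.append("jco.client.passwd must not be stored in the record")
    return sorted(findings)

# Constructed sample records, not taken from a real tenant.
SAMPLE_OK = """Type=RFC
ProxyType=OnPremise
jco.client.ashost=grc-virtual-host
jco.client.client=100
jco.client.lang=EN
jco.client.sysnr=00
"""
SAMPLE_BAD = SAMPLE_OK.replace("sysnr=00", "sysnr=0").replace("jco.client.lang=EN\n", "")
print(lint_destination(SAMPLE_BAD))
```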

3. Certificate Management

Action: Download Certificates
- IAG Certificate: Download from IAG tenant URL.
- GRC AC Certificate: Download via STRUST transaction in GRC AC.
- Cloud Connector Certificate: Download from Cloud Connector configuration.

Action: Upload Certificates
- Upload IAG and Cloud Connector certificates to GRC AC via STRUST.
- Upload GRC AC and IAG certificates to Cloud Connector.

4. Create Authorization Credentials for RFC Connection in GRC AC

Action: Setup P User
- Create a P user in the IAS system with administrator access.
- Configure user ID and password for RFC connection.
- Ensure logon alias settings allow user ID logon in IAS.

5. Create RFC Connections in GRC AC

Action: Authentication RFC Connection
- Use SM59 to create an HTTP RFC connection.
- Set Host and Port from IAG URL.
- Configure Basic Authentication.
- RFC Destination: IAG_SOD_AUTH
- Path: /authentication
- Select SSL as Active.

Action: SOD Check RFC Connection
- Create an HTTP RFC connection using SM59.
- Set Host and Port from IAG URL.
- Leave Login blank.
- RFC Destination: IAG_SOD
- Path: /
- Select SSL as Active.

Action: Cloud Application RFC Connection
- Create an HTTP RFC connection using SM59.
- Set Host and Port from IAG URL.
- Leave Login blank.
- RFC Destination: Match the name listed in Application Apps.
- Path: /com/sap/grc/iag/service/roleSimulationService.svc/
- Select SSL as Active.

6. Maintain IAS Service in IAG Subaccount

Action: Create Destination
- Go to Connectivity > Destinations > New Destinations.
- Set type to HTTP.
- URL: <IAS URL>/service/users/password
- Proxy Type: Internet.
- Authentication: No Authentication.
- Check connection status.

7. Configure Parameters for Cloud Integration

Action: Update GRC AC Configuration
- Log in to GRC AC.
- Go to SPRO > Governance, Risks and Compliance > Access Control > Maintain Configuration Settings.
- Set parameters such as IAG_SOD and IAG_SOD_AUTH.

8. Create Connectors and Connector Groups

Action: Define Connectors
- Go to SPRO > Governance, Risks and Compliance > Common Component Settings > Integration Framework.
- Create connector definitions and assign them to groups.
- Note: Systems and Business Function Group apps in SAP IAG must have 10 characters or fewer.

9. Create Destination for Provisioning Status Updates

Action: Activate Service
- In SPRO, activate the IAG_PROVISION_STATUS_UPDATE_SRV service.
- Configure system alias.
- Create a destination for provisioning status updates in the Cloud Connector.
- Test configuration.

10. Synchronize Data

Action: Sync Repository Data
- Log in to GRC AC.
- Go to SPRO > Governance, Risks and Compliance > Synchronization Jobs.
- Run the Repository Object Sync job.

Action: Sync Access Control Data
- Log in to IAG.
- Run jobs for Access Control Risk Definition, Mitigation Control Transfer, and Repository Sync in the Job Scheduler.

Conclusion

Following these steps will integrate SAP Access Control 12.0 with SAP Cloud Identity Access Governance, enabling effective management of access requests and risk analysis for cloud applications. For detailed documentation and additional support, refer to the SAP help documentation.
