Data import
General settings
Parameter | Description |
---|---|
Enable password reset | Enable the system for self-service password reset |
Password policy | Indicate a password policy for SAP GRC |
Provisioning claims validity | Enter the number of days a provisioning claim is valid. If this field is set to 0 or empty, the provisioning claim is not valid and the provisioning call is sent once more. |
Failed provisioning claims validity | Enter the number of days a failed provisioning claim is valid |
Account deletion unsupported | Check this option if account deletion should not be supported |
Connection details
Parameter | Description |
---|---|
Host name | Enter the fully qualified host name or the IP address of the SAP GRC server. The port on which SAP GRC runs must also be specified, e.g., sapgrc.internal.com:8080. |
Client | Specify the three-digit client number to use. |
Username | The username of the SAP user to authenticate as against the SAP GRC Service. |
Password | Password for the user. |
Test connection | This field is optional. You can check this field to force the collector to test the defined connection before moving forward. |

Webservice settings
The Webservice settings allow you to set some optional parameters to control the connection to SAP GRC Server.
Parameter | Description |
---|---|
Use SSL | Enable this flag when the SAP GRC service is configured to run using SSL. |
Skip certificate check | This option can be enabled in the cases where a self-signed certificate is used. |
Request creation settings
Here you can define how the requests are created, and what default values are used for the required request parameters.
Parameter | Description |
---|---|
Request type | Specify a 3-digit code for the request type to use for the request. The code can be found in the GRACREQTYPE table. Note that the value can be overridden through the RequestInformation.Reqtype property. |
Initialization system | Provide a valid connector id which has the scenario assigned with “PROV”. For more details, refer to the SPRO transaction code. Note that the value can be overridden through the RequestInformation.ReqInitSystem property. |
Request business process | Specify a code of the business process to use for the request. The code can be found in the GRACBPROC table. Note that the value can be overridden through the RequestInformation.Bproc property. |
Request reason | This is used to specify the reason for the request. Note that the value can be overridden through the RequestInformation.RequestReason property. |
Request priority | This is used to specify the priority for the request. The priority is a 3-digit number based on GRACPRIORITY table. Note that the value can be overridden through the RequestInformation.Priority property. |
Requestor id | Specify a username of the default requestor. The id must be for an existing user. Note that the value can be overridden through the RequestInformation.Requestorid property. |
Request email | Specify an email to use for requests correspondence. Note that the value can be overridden through the RequestInformation.Email property. |
Language | Specify a language code, e.g., EN. |

Status evaluation settings
The SAP GRC connector queries the SAP GRC system for the request status. These queries are performed with the frequency and intervals configured in the Advanced settings. The connector then analyses the returned Status field on each request line item using the settings below.
Parameter | Description |
---|---|
Line item pending values | Here you can indicate the values that specify if the line item is still in a pending state. Multiple possible values are separated by commas. |
Line item failed values | Here you can indicate the values that specify if the line item has failed. Multiple possible values are separated by commas. |
Line item rejected values | Here you can indicate the values that specify if the line item was rejected. Multiple possible values are separated by commas. |
Line item complete values | Here you can indicate the values that specify if the line item has been provisioned successfully. Multiple possible values are separated by commas. |
The Line item status is used to define individual status for each task. The status of the entire job is automatically determined by summarizing the status of all the tasks. Summarizing is performed in the following way:
- All tasks are complete -> Job status is completed
- All tasks are failed -> Job status is failed
- All tasks are either complete or failed -> Job status is partially completed
- One or more tasks are pending -> Job status is still Relayed
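The summarizing rules above can be modelled to sanity-check a set of status values before they are entered in the connector. This is an added example, not the connector's own code. The status codes are constructed, and the handling of rejected items, unmapped values and whitespace trimming are assumptions the page does not specify.

```python
from enum import Enum

class Item(Enum):
    PENDING = "pending"
    FAILED = "failed"
    REJECTED = "rejected"
    COMPLETE = "complete"

def build_lookup(settings):
    """Map each configured status value to its line item state.

    settings: {Item: comma-separated string}, as entered in the four
    "Line item ... values" fields. A value listed under two states makes the
    evaluation ambiguous, so it is reported instead of silently picking one.
    """
    lookup = {}
    for state, raw in settings.items():
        for value in (v.strip() for v in raw.split(",")):
            if not value:
                continue
            if lookup.get(value, state) is not state:
                raise ValueError(f"{value!r} is configured as both "
                                 f"{lookup[value].value} and {state.value}")
            lookup[value] = state
    return lookup

def job_status(line_item_statuses, lookup):
    """Summarize the Status fields of all line items into one job status."""
    if not line_item_statuses:
        raise ValueError("a job needs at least one line item")
    # Assumption: an unmapped value keeps the job open (pending) rather than
    # letting it be reported as completed or failed.
    states = [lookup.get(s.strip(), Item.PENDING) for s in line_item_statuses]
    if Item.PENDING in states:
        return "Relayed"
    if all(s is Item.COMPLETE for s in states):
        return "Completed"
    # Assumption: rejected items count with failed ones when summarizing.
    if all(s is not Item.COMPLETE for s in states):
        return "Failed"
    return "Partially completed"

# Constructed status codes for illustration, not real SAP GRC values.
SAMPLE = build_lookup({
    Item.PENDING: "WAIT, HOLD",
    Item.FAILED: "ERR",
    Item.REJECTED: "REJ",
    Item.COMPLETE: "DONE",
})
```

A value that appears in two of the fields raises an error in `build_lookup`, which is the misconfiguration most likely to produce a wrong job status.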
The status of the job can also be determined by looking at the returned request status instead of automatically analyzing the tasks. To do this, you need to enable the Requests status is determined by requests status flag instead of automatically checkbox. This opens additional options where you can specify values that should constitute the state of the job.
Parameter | Description |
---|---|
Requests status is determined by requests status flag instead of automatically | This checkbox enables you to set the system to determine the job status by looking at the request status. |
Request pending values | Here you can indicate the values that specify if the request is still in a pending state. Multiple possible values are separated by commas. |
Request failed values | Here you can indicate the values that specify if the request has been rejected or it has failed in other ways. Multiple possible values are separated by commas. |
Request completed values | Here you can indicate the values that specify if the request has been provisioned successfully. Multiple possible values are separated by commas. |
Request partially completed values | Here you can indicate the values that specify if the request has been successfully partially completed. Multiple possible values are separated by commas. |
Data model
The SAP GRC Connector comes with a predefined data model. The primary object type in the data model is the SAPGRCRequestLineItem object. The properties of the object are divided into three categories, and each category is defined by the prefix of the name of the property:
- Properties prefixed with SAPGRCRequestLineItem are the property values that are used on individual request line items. Each task in an OPS job gets a request line item in the SAP GRC request.
- Properties prefixed with RequestInformation are the properties that can be used to override the default request properties defined in the Request creation task.
  This override can be used to, for instance, specify a different request reason, requestor id, or priority.
  If a RequestInformation property is specified for multiple tasks in the job, the connector uses the value from the first task only.
- Properties prefixed with UserInfo are the properties that are used to specify information about the user (create, update, or delete) or to assign or remove access from that user.
  The connector supports specifying a single user only. Moreover, if a property is specified for multiple tasks in the job, the connector uses the value from the first task only.
Additional objects
The data model also contains two other object types: SAPGRCRequestInformation and SAPGRCUserInfo. These can be used to specify RequestInformation and UserInfo property values in a single separate task rather than adding it to the SAPGRCRequestLineItem object. Currently, delivering these tasks to OPS requires custom code.
Task mappings
There are two out-of-the-box task mappings delivered with the SAP GRC Relay connector: SAP GRC – User for users/accounts and SAP GRC - Role assignment for resource assignments.
- The SAP GRC – User task mapping expects the following attributes on the resource type: FIRSTNAME, LASTNAME, EMAIL, VALIDFROM, and VALIDTO. This task mapping doesn’t consider Lock and Unlock scenarios.
- The SAP GRC - Role assignment task mapping expects the following attributes on the resource type: VALIDFROM and VALIDTO.

Both task mappings contain a set of empty expression mappings that can be used to fill RequestInformation properties.
Specify Parameters
In a SAP GRC request, the GracIdmUsrAccsReqServices.Parameter property allows you to specify a number of parameters. The connector maps the values through the multivalued Parameters.Parameter property in a task mapping. This mapping can be done for the user and role tasks. The connector expects values in the following format:

```
Parameter=<parameter>;ParameterValue=<value>;ParameterDesc=<description>
```

To assist in building the string, the SAPGRCExpressions.Parameter function can be used in an expression mapping. As the property is multivalued, multiple mappings can be made for it, for example:

```xml
<fieldMapping name="Parameters.Parameter" multiValued="true" dataType="stringType" action="add" mappingType="Expression">SAPGRCExpressions.Parameter("parameter1", "value", "description")</fieldMapping>
<fieldMapping name="Parameters.Parameter" multiValued="true" dataType="stringType" action="add" mappingType="Expression">SAPGRCExpressions.Parameter("parameter2", "value", "description")</fieldMapping>
```
Specify User groups
In a SAP GRC request, the GracIdmUsrAccsReqServices.UserGroup property allows you to specify a number of user groups. The connector maps the values through the multivalued UserGroups.UserGroup property in a task mapping. This mapping can be done for the user and role tasks. The connector expects values in the following format:

```
UserGroup=<group>;UserGroupDesc=<description>
```

To assist in building the string, the SAPGRCExpressions.UserGroup function can be used in an expression mapping. As the property is multivalued, multiple mappings can be made for it, for example:

```xml
<fieldMapping name="UserGroups.UserGroup" multiValued="true" dataType="stringType" action="add" mappingType="Expression">SAPGRCExpressions.UserGroup("group1", "description")</fieldMapping>
<fieldMapping name="UserGroups.UserGroup" multiValued="true" dataType="stringType" action="add" mappingType="Expression">SAPGRCExpressions.UserGroup("group2", "description")</fieldMapping>
```
Specify Custom fields
In a SAP GRC request, the GracIdmUsrAccsReqServices.CustomFieldsVal property allows you to specify a number of custom field values. The connector maps the values through the multivalued CustomFields.CustomFieldsVal property in a task mapping. This mapping can be done for the user and role tasks. The connector expects values in the following format:

```
Fieldname=<field>;Value=<value>
```

To assist in building the string, the SAPGRCExpressions.CustomField function can be used in an expression mapping. As the property is multivalued, multiple mappings can be made for it, for example:

```xml
<fieldMapping name="CustomFields.CustomFieldsVal" multiValued="true" dataType="stringType" action="add" mappingType="Expression">SAPGRCExpressions.CustomField("field1", "value")</fieldMapping>
<fieldMapping name="CustomFields.CustomFieldsVal" multiValued="true" dataType="stringType" action="add" mappingType="Expression">SAPGRCExpressions.CustomField("field2", "value")</fieldMapping>
```
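The three semicolon-separated formats above (parameters, user groups and custom fields) leave no room for a `;` inside a value, which matters when values come from identity data rather than constants. The following is an added example, not the SAPGRCExpressions implementation. It assumes the format has no escaping, since the page documents none, and the `build` and `parse` helpers are hypothetical names.

```python
# Key order for each multivalued property, taken from the formats above.
FORMATS = {
    "Parameters.Parameter": ("Parameter", "ParameterValue", "ParameterDesc"),
    "UserGroups.UserGroup": ("UserGroup", "UserGroupDesc"),
    "CustomFields.CustomFieldsVal": ("Fieldname", "Value"),
}

def build(prop, *values):
    """Return the key=value;... string for one entry of `prop`."""
    keys = FORMATS[prop]
    if len(values) != len(keys):
        raise ValueError(f"{prop} takes {len(keys)} values, got {len(values)}")
    for key, value in zip(keys, values):
        # Assumption: no escaping exists, so a ';' or line break inside a
        # value would start a new field when the string is split again.
        if any(c in value for c in ";\r\n"):
            raise ValueError(f"{key} contains a separator character: {value!r}")
    return ";".join(f"{k}={v}" for k, v in zip(keys, values))

def parse(prop, text):
    """Split an entry back into its fields and check keys and order."""
    keys = FORMATS[prop]
    fields = [part.partition("=") for part in text.split(";")]
    found = tuple(k for k, _, _ in fields)
    if found != keys or any(sep != "=" for _, sep, _ in fields):
        raise ValueError(f"{prop} expects keys {keys}, got {found}")
    return {k: v for k, _, v in fields}
```

Running `parse` over strings produced by a custom expression mapping catches entries whose field count or key order no longer matches the documented format.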
Expression function
The following expression functions are available in the SAPGRCExpression class to assist in writing task mappings for the SAP GRC Connector.
Function | Description |
---|---|
DetermineUserAction(string operation, bool? locked) | This function is used in expressions for the RequestLineItem.ProvAction property. It can be used to determine the 3-digit provisioning action for user tasks. The function has two parameters: operation - what operation the task has; locked - should the user be locked or unlocked. Pass null to update the user. The value is only considered for update operations. |
DetermineRoleAction(string operation) | This function is used in expressions for the RequestLineItem.ProvAction property. It can be used to determine the 3-digit provisioning action for role tasks. The function has the following parameter: operation - what operation the task has. |
DateTimeString(DateTime dateTime) | This function is used in expressions for the ValidFrom/ValidTo properties. This function formats a date-time property to the format expected by SAP GRC. |
UserGroup(string group, string description) | This function is used in expressions for the UserGroups.UserGroup property. It creates a user group string in the format which is expected by the SAP GRC connector. |
Parameter(string name, string value, string description) | This function is used in expressions for the Parameters.Parameter property. It creates a parameter string in the format which is expected by the SAP GRC connector. |
CustomField(string fieldName, string value) | This function is used in expressions for the CustomFields.CustomFieldsVal property. It creates a custom field string in the format which is expected by the SAP GRC connector. |
Advanced settings
The Advanced settings dialog for the SAP GRC Relay Connector features a special Relaying tab in.
Parameter | Description |
---|---|
Poll frequency (hours) | Specify how often the OPS polls (asks) for the job status. |
Poll timeout (days) | Specify the number of days after which the OPS will stop the above polling and set the job to failed. |
Additional connector configuration
This subchapter provides information on additional configuration of the SAP GRC Relay connector in Omada Identity.
The SAP GRC Connector has a set of settings that can be used to control the communication with the SAP GRC Web service. You can configure these settings by going to Setup > Administration > Connectors and selecting your added SAP GRC connector from the list.
The following settings are available to be set in the Connector configuration field.
Parameter | Description |
---|---|
GRCCloseTimeout | Used to control the time allowed to close the connection to the web service. The value must be specified as a time span. The default value is 00:01:00. |
GRCOpenTimeout | Used to control the time allowed to open the connection to the web service. The value must be specified as a time span. The default value is 00:01:00. |
GRCReceiveTimeout | Used to control the time allowed to receive a response from the web service. The value must be specified as a time span. The default value is 00:10:00. |
GRCSendTimeout | Used to control the time allowed to send a request to the web service. The value must be specified as a time span. The default value is 01:00:00. |
GRCMaxReceivedMessageSize | Used to control how many bytes are allowed when receiving responses from the web service. The default value is 2147483647. |