SAP Access Control 10.0 Interface for Identity Management
TABLE OF CONTENTS

1. BUSINESS SCENARIO
2. BACKGROUND INFORMATION
3. PREREQUISITES
4. CALLING WEB SERVICES FROM IDM
   4.1 Application Web Service – GRAC_SELECT_APPL_WS
   4.2 Firefighter Object Web Service – GRAC_FIRE_FIGHTER_WS
   4.3 Lookup Web Service – GRAC_LOOKUP_WS
   4.4 Search Role Web Service – GRAC_SEARCH_ROLES_WS
   4.5 User's Existing Assignment Web Service – GRAC_USER_EXISTING_ASSIGN_WS
   4.6 Role Details Web Service – GRAC_ROLE_DETAILS_WS
   4.7 Submit User Access Request Web Service – GRAC_USER_ACCESS_WS
   4.8 Organization Assignment Request Web Service – GRAC_ORG_ASSGN_REQUEST_WS
   4.9 Request Status Web Service – GRAC_REQUEST_STATUS_WS
   4.10 Request Details Web Service – GRAC_REQUEST_DETAILS_WS
   4.11 Provision Log Web Service – GRAC_PROV_LOGS_WS
   4.12 Audit Log Web Service – GRAC_AUDIT_LOG_WS
   4.13 Exit Web Service – GRAC_EXIT_FROM_IDM_WS
   4.14 Risk Analysis With Request Number Web Service – GRAC_RISK_ANALYSIS_WITH_NO_WS
   4.15 Risk Analysis Without Request Number Web Service – GRAC_RISK_ANALYSIS_WOUT_NO_WS
   4.16 EUP Config Web Service – GRAC_EUP_CONFIG_DATA_WS
   4.17 Audit Logs Integration Web Service – GRAC_AUDIT_LOGS_WS
   4.18 Exit Log Web Service – GRAC_EXIT_FROM_IDM_WS
5. CALLING WEB SERVICES FROM ACCESS CONTROL
   5.1 Application Web Service – GRAC_SELECT_APPL_WS
   5.2 Polling Web Service
6. APPENDIX - INTEGRATION WITH NETWEAVER IDENTITY MANAGER
   6.1 Appendix A – Provisioning Operations
   6.2 Appendix B – Search Operations
Applies to: SAP® Access Control 10.0
Summary: Identity Management (IdM) solutions are typically used by IT to handle a large number of personnel changes and to provision and de-provision users throughout the enterprise. Access Control (AC) 10.0 integrates with any IdM system to ensure that user provisioning does not contain risk violations when granting user access, provides real-time access management as a standard provisioning process across a heterogeneous IT environment, and delivers greater governance and control over your IT environment. The deepest and most proven integration currently available is with SAP NetWeaver Identity Management. This guide provides instructions on how to integrate Access Control 10.0 with Identity Management systems. See Chapter 6, Appendix, for details about the SAP NetWeaver Identity Management integration.
Authors: T Kishore Babu, Swetta Singh
Company: SAP Integration and Certification Center, Governance, Risk, and Compliance, SAP BusinessObjects Division
Updated on: 14 December 2012
Version 4.0
Document History

Document Version | Description
---------------- | -----------
4.0 | Updated Chapter 5, adding separate GRC and IdM request status; changed title to 'Calling Web Services from Access Control'
3.0 | Added GRC AC web service callback and polling configuration information; updated summary
2.0 | First release
1.0 | Beta release
1. BUSINESS SCENARIO
Large corporations deal with personnel changes on a daily basis. There can be hundreds of new hires, terminations, and role changes on any given day. To handle the influx, an Identity Management (IdM) solution is used by the IT organization to provision users to applications throughout the enterprise. A typical IdM has the following features:
User information self-service
Management of passwords (changes and lost)
Workflow
Provisioning and de-provisioning of identities from resources
2. BACKGROUND INFORMATION
Most IdM solutions do not provide the complete functionality needed to enforce the governance and control policies that your corporation may demand. Some IdM systems lack an approval workflow mechanism and the reporting capability that are basic to tracking and auditing. The Access Control application now makes it possible to integrate with any IdM system, which helps meet the need for corporate compliance, risk prevention, and enforcement of all the governance your enterprise requires. Access Control allows you to define corporate policies and Segregation of Duties (SoD) rules for granting access to resources; these rules are enforced by the provisioning services. The integration between Access Control and the IdM system ensures that user provisioning does not contain risk violations when granting user access.

The integration involves exposing Web services in both Access Control and the IdM system. These Web services can be called from either system to request user provisioning. This extends the IdM solution with compliance-based user provisioning. The Web service solution provides proactive enforcement of access policies, such as those that prevent SoD and risk violations: the Web services can alert you to potential SoD conflicts before they occur and prevent SoD violations when roles are assigned to users. With these Web services, the Access Control and IdM integration also provides real-time access management as a standard provisioning process across heterogeneous IT environments, and the Web services provided by Access Control deliver greater governance and control over your IT environment.

Currently, Access Control is integrated with the SAP NetWeaver Identity Manager component, and integrations with other partners are in development to provide continuous compliance capabilities together with core identity management functionality.
For SAP NetWeaver Identity Manager and other IdM solutions, the following Web services must be supported for integration with Access Control:
Look up GRC Web Services
Select Applications
Search Roles
Submit User Access Request (to Access Control)
Audit Trail
NOTE: The Access Control and IdM integration supports only the SPML 1.0 protocol. Service Provisioning Markup Language (SPML) is the open standard protocol for the integration and interoperation of service provisioning requests; SPML is an OASIS standard. Web services that are called from Access Control to an IdM system (Chapter 5) are SPML 1.0 compliant. However, the Access Control Web services exposed to an IdM system or other applications (Chapter 4) are not SPML 1.0 compliant.
3. PREREQUISITES
The following prerequisite must be in place before starting this procedure.
Access Control 10.0
4. CALLING WEB SERVICES FROM IDM

This section describes the Web services offered by GRC Access Control.

4.1 Application Web Service – GRAC_SELECT_APPL_WS

Input Parameters: Select Application Web Service
Serial No. | Field Name | Mandatory/Optional | Description
---------- | ---------- | ------------------ | -----------
1 | ConnectorCategory | Optional | Category of System
2 | ConnectorId | Optional | System ID
3 | ConnectorType | Optional | System Type
4 | Language | Optional | Language
Input Parameters: Validation and Support

Upon successful data retrieval, the SUCCESS message 'Data populated successfully' is returned with MsgNo = 0 and MsgType 'SUCCESS'.

For a wrong entry or when no data is available for the given input, the output is the ERROR message 'Invalid input or no data found for given input data' with MsgNo = 4 and MsgType 'ERROR'.
Output Parameters: Select Application Web Service (Connector List Table)

Serial No. | Field Name | Nature of Output | Description
---------- | ---------- | ---------------- | -----------
1 | ConnectorType | Single value | Connector Type Used
2 | ConnectorId | Single value | Connector ID (System ID)
3 | ConnectorCategory | Single value | Connector Category
4 | ConnectorDesc | Single value | Connector Description
5 | ConnectorCategoryDesc | Single value | Connector Category Description
Return Messages: Structure Message Return

Serial No. | Name | Description | Comments
---------- | ---- | ----------- | --------
1 | MsgNo | Message number | 0 for Success, 4 for Error
2 | MsgType | Message type | Success, Error
3 | MsgStatement | Message text | Text for message return
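The following is an added example of a minimal client for these services, written for this guide rather than taken from SAP or the original document. It builds a request from the documented input fields, splits the response into its output table and the Structure Message Return, and treats anything other than MsgNo = 0 as a failure. The element names follow the field names documented above; the namespace, the request/response element names (GracSelectApplWs, GracSelectApplWsResponse), the <item> wrapper for table rows and the sample connector data are assumptions, so take the real names from the service WSDL. The same pattern applies to every service in this chapter.

```python
"""SOAP helpers for calling the GRAC_* web services and checking the result (added example).

Element names follow the documented field names; the namespace, the request and
response element names and the <item> wrapper for table rows are assumptions.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
GRAC_NS = "urn:sap-com:document:sap:soap:functions:mc-style"  # assumption: check the WSDL


def build_request(operation: str, fields: dict) -> bytes:
    """Serialise one request. Empty/None fields are omitted so the service applies its
    documented 'no filter' behaviour; Python True becomes the lookup flag value 'T'."""
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{GRAC_NS}}}{operation}")
    for name, value in fields.items():
        if value is None or value == "" or value is False:
            continue
        ET.SubElement(op, name).text = "T" if value is True else str(value)
    return ET.tostring(envelope, encoding="utf-8", xml_declaration=True)


def _local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]


def parse_response(xml_bytes: bytes) -> tuple[dict, dict]:
    """Split a response into the MsgReturn structure and {TableName: [row dict, ...]}."""
    body = ET.fromstring(xml_bytes).find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("response has no SOAP body")
    response = body[0]
    if _local(response.tag) == "Fault":
        raise RuntimeError("SOAP fault: " + (response.findtext("faultstring") or "?"))
    msg, tables = {}, {}
    for child in response:
        name = _local(child.tag)
        if name == "MsgReturn":
            msg = {_local(f.tag): (f.text or "").strip() for f in child}
        else:
            tables[name] = [
                {_local(f.tag): (f.text or "").strip() for f in row}
                for row in child if _local(row.tag) == "item"
            ]
    return msg, tables


def ensure_success(msg: dict) -> None:
    """MsgNo 0 is the documented success code and 4 the error code; anything that is
    not 0 (including a missing MsgReturn) is a failure, whatever MsgType says."""
    if not msg or int(msg.get("MsgNo") or -1) != 0:
        raise RuntimeError(f"{msg.get('MsgType', '?')}: {msg.get('MsgStatement', 'no MsgReturn')}")


def select_applications(call, **filters) -> list[dict]:
    """GRAC_SELECT_APPL_WS. `call(request_bytes) -> response_bytes` is the HTTP transport."""
    msg, tables = parse_response(call(build_request("GracSelectApplWs", filters)))
    ensure_success(msg)
    return tables.get("ConnectorList", [])


# Constructed sample responses (not captured from a real system).
SAMPLE_OK = b"""<?xml version="1.0"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body>
<n0:GracSelectApplWsResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
 <MsgReturn><MsgNo>0</MsgNo><MsgType>SUCCESS</MsgType>
  <MsgStatement>Data populated successfully</MsgStatement></MsgReturn>
 <ConnectorList>
  <item><ConnectorType>SAP</ConnectorType><ConnectorId>ERPCLNT100</ConnectorId>
   <ConnectorCategory>SAP</ConnectorCategory><ConnectorDesc>ERP client 100</ConnectorDesc>
   <ConnectorCategoryDesc>SAP system</ConnectorCategoryDesc></item>
  <item><ConnectorType>SAP</ConnectorType><ConnectorId>HCMCLNT200</ConnectorId>
   <ConnectorCategory>SAP</ConnectorCategory><ConnectorDesc>HCM client 200</ConnectorDesc>
   <ConnectorCategoryDesc>SAP system</ConnectorCategoryDesc></item>
 </ConnectorList>
</n0:GracSelectApplWsResponse></env:Body></env:Envelope>"""

SAMPLE_ERR = b"""<?xml version="1.0"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Body>
<n0:GracSelectApplWsResponse xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style">
 <MsgReturn><MsgNo>4</MsgNo><MsgType>ERROR</MsgType>
  <MsgStatement>Invalid input or no data found for given input data</MsgStatement></MsgReturn>
 <ConnectorList/>
</n0:GracSelectApplWsResponse></env:Body></env:Envelope>"""


if __name__ == "__main__":
    for row in select_applications(lambda request: SAMPLE_OK, ConnectorType="SAP"):
        print(row["ConnectorId"], row["ConnectorDesc"])
```

The transport is injected so the parsing and result check can be exercised offline; in an IdM connector `call` would be the HTTPS POST to the service endpoint with the service user's credentials. Checking MsgNo rather than the presence of rows matters because an ERROR response still carries an (empty) ConnectorList.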
4.2 Firefighter Object Web Service – GRAC_FIRE_FIGHTER_WS

Input Parameters: Firefighter Object Web Service

Serial No. | Field Name | Mandatory/Optional | Description
---------- | ---------- | ------------------ | -----------
1 | FfObject | Optional | Firefighter Object ID
2 | System | Optional | System ID
3 | Language | Optional | Language
Input Parameters: Validation and Support

Web Service name: GRAC_FIRE_FIGHTER_WS.

All inputs are OPTIONAL. If no value is passed in any input field, a list of all Firefighter Objects is returned. The following is a reference table for input fields whose values come from another service:

Serial No. | Input Field Name | Ref. Source Service | Source Input Field Name | Source Input Value | Source Output Field Name
---------- | ---------------- | ------------------- | ----------------------- | ------------------ | ------------------------
1 | System | Select Application | ConnectorID | Null | ConnectorID

FfObject: if a valid Firefighter Object value is passed in the FfObject field, the details of the corresponding Firefighter Object are returned.

System: similarly, if a valid System value is passed in the System field, the details of all firefighters in that system are returned.

The Language field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the language is set to the logon language.

After successful data retrieval, the message 'Data populated successfully' is returned with MsgNo = 0 and MsgType SUCCESS.

For an incorrect entry or when no data is available, the message 'Invalid input or No FF object data found for given input' is returned with MsgNo = 4 and MsgType ERROR.
Output Parameters: Firefighter Object Web Service (FFOwnerList Table)

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | FFid | Single value | Firefighter ID
2 | FfidName | Single value | Firefighter Name
3 | Connector | Single value | System
4 | OwnerId | Single value | Firefighter Owner ID

Output Parameters: Firefighter Object Web Service (FFAplicationInfo)

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Application Type | Single value | Application Type
2 | Application Type Desc | Single value | Application Type Description

Return Messages: Structure Message Return

Serial No. | Name | Description | Comments
---------- | ---- | ----------- | --------
1 | MsgNo | Message number | 0 for Success, 4 for Error
2 | MsgType | Message type | Success, Error
3 | MsgStatement | Message text | Text for message return
4.3 Lookup Web Service - GRAC_LOOKUP_WS
Input Parameters: Lookup Web Service
Serial No. | Field Name | Mandatory/Optional | Description | Comments
---------- | ---------- | ------------------ | ----------- | --------
1 | RequestType | Optional | Request Type | Boolean input (T/t)
2 | EmployeeType | Optional | Employee Type | Boolean input (T/t)
3 | PriorityType | Optional | Priority Type | Boolean input (T/t)
4 | BusProc | Optional | Business Process | Boolean input (T/t)
5 | BusSubProc | Optional | Business Sub Process | Boolean input (T/t)
6 | Phase | Optional | Phase | Boolean input (T/t)
7 | Landscape | Optional | Landscape | Boolean input (T/t)
8 | CriticalLevel | Optional | Critical Level | Boolean input (T/t)
9 | FunctionArea | Optional | Functional Area | Boolean input (T/t)
10 | ProjectRelease | Optional | Project Release | Boolean input (T/t)
11 | RoleStatus | Optional | Role Status | Boolean input (T/t)
12 | RoleType | Optional | Role Type | Boolean input (T/t)
13 | RoleSensitivity | Optional | Role Sensitivity | Boolean input (T/t)
14 | ItemProvType | Optional | Item Provision Type | Boolean input (T/t)
15 | ItemProvActionType | Optional | Item Provision Action Type | Value input
16 | RequestCustomFields | Optional | Request Custom Field | Boolean input (T/t)
17 | RoleCustomFields | Optional | Role Custom Field | Boolean input (T/t)
18 | CustomFieldsValues | Optional | List of Custom Field | Value input
19 | CommunicationType | Optional | Communication Type | Boolean input (T/t)
20 | OmObjectType | Optional | OM Object Type | Boolean input (T/t)
21 | OmObjectValue | Optional | OM Object Value | Value input
22 | Language | Optional | Language | Language code
Input Parameters: Validation and Support

Web Service name: GRAC_LOOKUP_WS.

All inputs are OPTIONAL. Which output tables are returned depends only on which input fields are filled, as described below.

The Language field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the language is set to the logon language.

All Boolean-type input variables are optional, and each has a corresponding output table. If T or t is passed in an input field, the corresponding output table is filled with all possible values of that variable.
A table with the inputs and their corresponding output tables is shown below:

Serial No. | Input Field | Output Table
---------- | ----------- | ------------
1 | REQUESTTYPE | REQUESTTYPELIST
2 | EMPLOYEETYPE | EMPLOYEETYPELIST
3 | PRIORITYTYPE | PRIORITYTYPELIST
4 | BUSPROC | BUSPROCLIST
5 | BUSSUBPROC | BUSSUBPROCLIST
6 | PHASE | PHASELIST
7 | LANDSCAPE | LANDSCAPELIST
8 | CRITICALLEVEL | CRITICALLEVELLIST
9 | FUNCTIONAREA | FUNCTIONAREALIST
10 | PROJECTRELEASE | PROJECTRELEASELIST
11 | ROLESTATUS | ROLESTATUSLIST
12 | ROLETYPE | ROLETYPELIST
13 | ROLESENSITIVITY | ROLESENSITIVITYLIST
14 | ITEMPROVTYPE | ITEMPROVTYPELIST
15 | REQUESTCUSTOMFIELDS | REQUESTCUSTOMFIELDSLIST
16 | ROLECUSTOMFIELDS | ROLECUSTOMFIELDSLIST
17 | COMMUNICATIONTYPE | COMMUNICATIONTYPELIST
18 | OMOBJECTTYPE | OMOBJECTTYPELIST
Two inputs (ItemProvActionType and CustomFieldsValues) require a specific value rather than a T/t flag. The valid values for these fields are obtained from other lookups of the same service. The process is as follows:

1. ItemProvActionType: first pass T/t in the ItemProvType field to get the list of all possible provisioning types in the ITEMPROVTYPELIST output table. Then pass any one of those values in the ItemProvActionType field to get the list of all provisioning actions for that type (the Item Prov Action List output table below).

2. CustomFieldsValues: there are two kinds of custom fields, Request Custom Fields and Role Custom Fields. Pass T/t in the RequestCustomFields field (for request custom fields) or the RoleCustomFields field (for role custom fields) to get the field names in the REQUESTCUSTOMFIELDSLIST or ROLECUSTOMFIELDSLIST output table respectively. A field name obtained this way may then be passed in CustomFieldsValues; if the field has fixed values or a range configured in its domain, they are listed in the CUSTOMFIELDDETAILS output table.

3. OmObjectValue: this structure contains two fields, SYSTEM and OmObjType. The value for SYSTEM is obtained from the Select Application Web Service, and OmObjType is obtained from this lookup service by passing T/t in OmObjectType and reading the OM Object Type list from the OmObjectTypeList output table.

4. Each output table has its own return message (MsgReturn). For successful data retrieval a SUCCESS message is returned; for unsuccessful data retrieval, no message is returned.
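The two chained lookups in steps 1 and 2, as an added example written for this guide (not SAP code). `call(fields)` stands for one GRAC_LOOKUP_WS request returning its output tables as a dict; the `fake_call` below answers from constructed data so the chain runs offline. Table and field names are the documented ones, except ITEMPROVACTIONLIST, which is an assumed name for the Item Prov Action List table since the text does not give it; the type, action and custom field values in the fake data are likewise constructed.

```python
"""Chained GRAC_LOOKUP_WS calls for the two value-driven inputs (added example).

`call(fields)` sends one lookup request and returns {TABLE_NAME: [row dict, ...]}.
ITEMPROVACTIONLIST is an assumed table name; all sample values are constructed.
"""


def provisioning_actions(call) -> dict:
    """Step 1: ItemProvType='T' lists the provisioning types (ITEMPROVTYPELIST: Val, Txt).
    Step 2: each Val is passed back as ItemProvActionType to list the actions valid for it,
    which is what a request line item's PROV_ACTION must later be checked against."""
    types = call({"ItemProvType": "T"}).get("ITEMPROVTYPELIST", [])
    actions = {}
    for t in types:
        rows = call({"ItemProvActionType": t["Val"]}).get("ITEMPROVACTIONLIST", [])
        actions[t["Val"]] = [(r["ProvAction"], r["ActionDescn"]) for r in rows]
    return actions


def custom_field_values(call, role_fields: bool = False) -> dict:
    """Step 1: RequestCustomFields='T' (or RoleCustomFields='T') lists the field names.
    Step 2: each FieldName is passed as CustomFieldsValues; CUSTOMFIELDDETAILS then holds
    fixed values (CustomFieldLow only) or ranges (CustomFieldLow..CustomFieldHigh).
    A field with nothing configured in its domain comes back with no rows."""
    if role_fields:
        flag, table = "RoleCustomFields", "ROLECUSTOMFIELDSLIST"
    else:
        flag, table = "RequestCustomFields", "REQUESTCUSTOMFIELDSLIST"
    values = {}
    for f in call({flag: "T"}).get(table, []):
        rows = call({"CustomFieldsValues": f["FieldName"]}).get("CUSTOMFIELDDETAILS", [])
        values[f["FieldName"]] = [
            (r["CustomFieldLow"], r["CustomFieldHigh"], r["CustomFieldText"]) for r in rows
        ]
    return values


# Constructed reference data standing in for real GRAC_LOOKUP_WS responses.
_FAKE = {
    ("ItemProvType", "T"): {"ITEMPROVTYPELIST": [
        {"Val": "ROL", "Txt": "Role"}, {"Val": "SYS", "Txt": "System"}]},
    ("ItemProvActionType", "ROL"): {"ITEMPROVACTIONLIST": [
        {"ItemProvType": "ROL", "ItemProvTypeDesc": "Role", "ProvAction": "ASSIGN", "ActionDescn": "Assign"},
        {"ItemProvType": "ROL", "ItemProvTypeDesc": "Role", "ProvAction": "REMOVE", "ActionDescn": "Remove"}]},
    ("ItemProvActionType", "SYS"): {"ITEMPROVACTIONLIST": [
        {"ItemProvType": "SYS", "ItemProvTypeDesc": "System", "ProvAction": "LOCK", "ActionDescn": "Lock"}]},
    ("RequestCustomFields", "T"): {"REQUESTCUSTOMFIELDSLIST": [
        {"FieldName": "ZREGION", "Fieldtext": "Region"}, {"FieldName": "ZNOTE", "Fieldtext": "Free text"}]},
    ("CustomFieldsValues", "ZREGION"): {"CUSTOMFIELDDETAILS": [
        {"CustomFieldName": "ZREGION", "CustomFieldLow": "EMEA", "CustomFieldHigh": "", "CustomFieldText": "Europe"},
        {"CustomFieldName": "ZREGION", "CustomFieldLow": "APJ", "CustomFieldHigh": "", "CustomFieldText": "Asia"}]},
    ("CustomFieldsValues", "ZNOTE"): {"CUSTOMFIELDDETAILS": []},
}


def fake_call(fields: dict) -> dict:
    """Stand-in transport: the chained lookups pass exactly one input field per call."""
    (name, value), = fields.items()
    return _FAKE[(name, value)]


if __name__ == "__main__":
    print(provisioning_actions(fake_call))
    print(custom_field_values(fake_call))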
Output Parameters: Lookup Web Service

Request Type

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Reqtype | Single value | Request Type ID
2 | Reqtypename | Single value | Request Type Description
3 | MsgReturn | Structure | Message return

Employee Type

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Emptypeid | Single value | Employee Type
2 | Emptypename | Single value | Employee Type Description
3 | MsgReturn | Structure | Message return

Business Process

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Bproc | Single value | Business Process ID
2 | Descn | Single value | Business Process Description
3 | MsgReturn | Structure | Message return

Business Sub Process

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Bproc | Single value | Business Process ID
2 | Bsubproc | Single value | Business Sub Process ID
3 | Descn | Single value | Business Sub Process Description
4 | MsgReturn | Structure | Message return

Critical Level

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Critlvl | Single value | Critical Level
2 | Descn | Single value | Critical Level Description
3 | MsgReturn | Structure | Message return

Functional Area

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Funarea | Single value | Function Area ID
2 | Descn | Single value | Function Area Description
3 | Abbrv | Single value | Function Area Abbreviation
4 | MsgReturn | Structure | Message return
Landscape

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | ConnectorGrp | Single value | Connector Group
2 | ConnectorGrpT | Single value | Connector Group Type
3 | ConnectionType | Single value | Connection Type
4 | MsgReturn | Structure | Message return

Phase List

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | MthAction | Single value | Method Action
2 | Descn | Single value | Method Action Description
3 | MsgReturn | Structure | Message return

Priority Type

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Prioritype | Single value | Priority Type ID
2 | Priorityname | Single value | Priority Type Description
3 | MsgReturn | Structure | Message return

Project Release

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Prjrel | Single value | Project Release ID
2 | Descn | Single value | Project Release Description
3 | MsgReturn | Structure | Message return
Request Item Type

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Val | Single value | Request Item ID
2 | Text | Single value | Request Item Description

Role Sensitivity

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Sensitivity | Single value | Sensitivity
2 | Descn | Single value | Description
3 | MsgReturn | Structure | Message return

Role Status

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | RoleStatus | Single value | Role Status ID
2 | Descn | Single value | Role Status Description
3 | MsgReturn | Structure | Message return

Role Type

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | RoleType | Single value | Role Type ID
2 | Descn | Single value | Role Type Description
3 | MsgReturn | Structure | Message return

Request Custom Field

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | FieldName | Single value | Request Field Name
2 | Fieldtext | Single value | Request Field Text
3 | MsgReturn | Structure | Message return

Role Custom Field

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | FieldName | Single value | Role Field Name
2 | Fieldtext | Single value | Role Field Text
3 | MsgReturn | Structure | Message return

Custom Field Details

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | CustomFieldName | Single value | Custom Field Name
2 | CustomFieldLow | Single value | Custom Field Value (fixed value or lower bound of range)
3 | CustomFieldHigh | Single value | Custom Field Value (upper bound of range)
4 | CustomFieldText | Single value | Custom Field Text
5 | MsgReturn | Structure | Message return
Item Provision Type List

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Val | Single value | Provision Type Value
2 | Txt | Single value | Provision Type Value Text
3 | MsgReturn | Structure | Message return

Item Prov Action List

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | ItemProvType | Single value | Item Provisioning Type
2 | ItemProvTypeDesc | Single value | Item Provisioning Type Description
3 | ProvAction | Single value | Provisioning Action
4 | ActionDescn | Single value | Action Description
5 | MsgReturn | Structure | Message return

Communication Type List

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | CommType | Single value | Communication Type
2 | CommTypeText | Single value | Communication Type Text
3 | MsgReturn | Structure | Message return

OM Object Type

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Value | Single value | OM Object Type
2 | Text | Single value | OM Object Type Text

OM Object ID

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | OM Object Id | Single value | OM Object ID
2 | OM Object Text | Single value | OM Object Text

Return Messages: Structure Message Return

Serial No. | Name | Description | Comment
---------- | ---- | ----------- | -------
1 | MsgNo | Message number | 0 for Success, 4 for Error
2 | MsgType | Message type | Success, Error
3 | MsgStatement | Message text | Text for message return
4.4 Search Role Web Service – GRAC_SEARCH_ROLES_WS
Input Parameters: Search Role Web Service
Serial No. | Field Name | Mandatory/Optional | Description
---------- | ---------- | ------------------ | -----------
1 | Action | Optional | Action
2 | ApplicationType | Optional | Application Type
3 | Approver | Optional | Approver
4 | AssociatedRole | Optional | Associated Role
5 | BusinessProcess | Optional | Business Process
6 | SubProcess | Optional | Sub Process
7 | ConnectorGroup | Optional | Connector Group
8 | Landscape | Optional | Landscape
9 | CriticalLevel | Optional | Critical Level
10 | RoleDesc | Optional | Role Description
11 | OrgVal | Optional | Organization Value
12 | FunctionalArea | Optional | Functional Area
13 | LastReaffirmDT | Optional | Last Reaffirm Date
14 | OrgLvl | Optional | Organization Level
15 | RoleOwner | Optional | Role Owner
16 | Permission | Optional | Permission
17 | Profile | Optional | Profile
18 | ReaffirmPeriod | Optional | Reaffirm Period
19 | RoleName | Optional | Role Name
20 | RoleStatus | Optional | Role Status
21 | RoleType | Optional | Role Type
22 | RoleSensitivity | Optional | Role Sensitivity
23 | System | Optional | System
24 | Language | Optional | Language
Input Parameters: Validation and Support

Web Service name: GRAC_SEARCH_ROLES_WS.

All inputs are OPTIONAL. If no value is passed in any input field, a list of all default Roles is returned.

The Language field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the language is set to the logon language.

All input fields support * as a wildcard. Patterns beginning with the wildcard (of the form *<string-val>) and patterns containing it between two strings (of the form <string-val1>*<string-val2>) are also supported.
Output Parameters: Search Role Web Service (SearchRole Table)

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | RoleName | Single value | Role Name
2 | RoleDesc | Single value | Role Description
3 | System | Single value | System
4 | RoleType | Single value | Role Type
5 | RoleTypeDesc | Single value | Role Type Description
6 | RoleOwner | Single value | Role Owner
7 | Landscape | Single value | Landscape
8 | LanScapeDesc | Single value | Landscape Description
Return Messages: Structure Message Return

Serial No. | Name | Description | Comment
---------- | ---- | ----------- | -------
1 | MsgNo | Message number | 0 for Success, 4 for Error
2 | MsgType | Message type | Success, Error
3 | MsgStatement | Message text | Text for message return
4.5 User’s Existing Assignment Web Service – GRAC_USER_EXISTING_ASSIGN_WS
Input Parameters: User’s Existing Assignment Web Service
Serial No. | Field Name | Mandatory/Optional | Description
---------- | ---------- | ------------------ | -----------
1 | UserId | Mandatory | User ID
2 | System | Optional | System
3 | Language | Optional | Language
Input Parameters: Validation and Support

Web Service name: GRAC_USER_EXISTING_ASSIGN_WS.

The User ID is mandatory and System is an optional input parameter. If only a valid User ID is passed, all existing assignments of that user, irrespective of System, are returned together with a SUCCESS message.

User ID or System may be entered in uppercase, lowercase, or any combination of both. One or more spaces to the left of these entries are also allowed. If the Web service is executed without passing a User ID, an ERROR message is returned.

For an invalid User ID, an invalid System, or any combination for which the input user ID has no assignment in the input system, no data is fetched and the Web service returns an ERROR message.
Output Parameters: User's Existing Assignment Web Service (Table)

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Item | Single value | Item
2 | Type | Single value | Role Type
3 | TypeTxt | Single value | Role Type Text
4 | SystemId | Single value | System ID
5 | Descn | Single value | Description
6 | ValidFrom | Single value | Valid From
7 | ValidTo | Single value | Valid To
8 | Status | Single value | Status
Return Messages: Structure Message Return

Serial No. | Name | Description | Comment
---------- | ---- | ----------- | -------
1 | MsgNo | Message number | 0 for Success, 4 for Error
2 | MsgType | Message type | Success, Error
3 | MsgStatement | Message text | Text for message return
4.6 Role Details Web Service – GRAC_ROLE_DETAILS_WS
Input Parameters: Role Details Web Service
Serial No. | Field Name | Mandatory/Optional | Description
---------- | ---------- | ------------------ | -----------
1 | ObjectName | Mandatory | Role Name
2 | ObjectType | Optional | Role Object Type
3 | Landscape | Mandatory | Connector ID
4 | Language | Optional | Language
Input Parameters: Validation and Support

Web Service name: GRAC_ROLE_DETAILS_WS.

From the interface point of view, ObjectName and Landscape are mandatory. Validations and input format for the input fields:

ObjectName must be entered in full; no wildcards are supported.
Landscape must be entered in full; no wildcards are supported.
Output Parameters: Role Details Web Service (Object Attributes)

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | ObjectName | Single value | Object Name
2 | Description | Single value | Object Description
3 | Landscape | Single value | Connector ID
4 | Landscape_Desc | Single value | Connector Description
5 | ObjectType | Single value | Object Type
6 | ObjectTypeDesc | Single value | Object Type Description
7 | BusinessProcess | Single value | Business Process
8 | BusinessProcess Desc | Single value | Business Process Description
9 | SubProcess | Single value | Business Subprocess
10 | SubProcess Desc | Single value | Business Subprocess Description
11 | ObjectStatus | Single value | Object Status
12 | ObjectStatus Desc | Single value | Object Status Description
13 | ReaffimPeriod | String | Reaffirm Period
14 | LastReaffirDate | String | Last Reaffirm Date
15 | LastReaffirBy | String | Last Reaffirm Changed By
Table Company

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | CompanyName | String | Company Name
2 | CompanyDesc | String | Company Description

Table Functional Area

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | FunctionalArea | String | Functional Area
2 | FunctionalDesc | String | Functional Area Description

Table Role Approvers

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Approver | Single value | Approver
2 | AltApprover | Single value | Alternate Approver
3 | Apprvp | Single value |
4 | Owner | Single value |
5 | Lead | Single value |
6 | ValidFrom | Single value | Valid From
7 | ValidTo | Single value | Valid To

Table System Data

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Connector | Single value | Connector ID
2 | Environment | Single value | Environment
3 | RoleExists | Single value | Role Exists
4 | SystemValidityPeriod | Single value | System Validity Period
5 | Status | Single value | Status

Table Role Actions

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Roleid | Single value | Role ID
2 | ActionId | Single value | Action ID
3 | Funcid | Single value | Function ID
4 | IsActive | Single value | Active
5 | Action | Single value | Action
Table Violations

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | ReportType | Single value | Report Type
2 | ObjeectId | Single value | Object ID
3 | RiskId | Single value | Risk ID
4 | Connector | Single value | Connector ID
5 | Role | Single value | Role
6 | CompositeRole | Single value | Composite Role
7 | SodcontrolId | Single value | SoD Control ID
8 | Monitor | Single value | Monitor
9 | Orgruleid | Single value | Org Rule ID

Table Customer Fields

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | Fieldname | Single value | Field Name
2 | Value | Single value | Field Value

Table Function

Serial No. | Name | Nature of Output | Description
---------- | ---- | ---------------- | -----------
1 | FunctionID | Single value | Function ID
Return Messages: Structure Message Return

Serial No. | Name | Description | Comment
---------- | ---- | ----------- | -------
1 | MsgNo | Message number | 0 for Success, 4 for Error
2 | MsgType | Message type | Success, Error
3 | MsgStatement | Message text | Text for message return

4.7 Submit User Access Request Web Service – GRAC_USER_ACCESS_WS
Header Data
Serial No. | Field Name | Mandatory/Optional | Description
---------- | ---------- | ------------------ | -----------
1 | REQTYPE | See note | Request Type
2 | PRIORITY | See note | Priority
3 | REQ_DUE_DATE | See note | Request Due Date
4 | REQ_INIT_SYSTEM | Mandatory | Request Initiation System
5 | REQUESTORID | See note | Requestor ID
6 | EMAIL | See note | Requestor's E-mail
7 | REQUEST_REASON | See note | Reason for Request
8 | FUNCAREA | See note | Functional Area
9 | BPROC | See note | Business Process

Note: fields other than REQ_INIT_SYSTEM are Mandatory or Optional as per the End User Personalization screen configuration.
User Info

Serial No. | Field Name | Description
---------- | ---------- | -----------
1 | USERID | User ID
2 | TITLE | Academic/Personal title (MR/MS/MRS/DOC)
3 | FNAME | User's First Name
4 | LNAME | User's Last Name
5 | SNC_NAME | SNC Name
6 | UNSEC_SNC | User's SNC Name
7 | ACCNO | User's Account Number
8 | USER_GROUP | User Group
9 | VALID_FROM | Valid From Date
10 | VALID_TO | Valid To Date
11 | EMPPOSITION | Position of Employee
12 | EMPJOB | Job of Employee
13 | PERSONNELNO | Personnel Number
14 | PERSONNELAREA | Personnel Area
15 | COMM_METHOD | Communication Method
16 | FAX | Fax
17 | EMAIL | E-mail
18 | TELNUMBER | Telephone Number
19 | DEPARTMENT | Department
20 | COMPANY | Company
21 | LOCATION | Location
22 | COSTCENTER | Cost Center
23 | PRINTER | Printer
24 | ORGUNIT | Organization Unit
25 | EMPTYPE | Employee Type
26 | MANAGER | Manager
27 | MANAGER_EMAIL | Manager's E-mail
28 | MANAGER_FIRSTNAME | Manager's First Name
29 | MANAGER_LASTNAME | Manager's Last Name
30 | START_MENU | Start Menu
31 | LOGON_LANG | Logon Language
32 | DEC_NOTATION | Decimal Notation
33 | DATE_FORMAT | Date Format
34 | ALIAS | Alias
35 | USER_TYPE | User's Type

Note: these fields are Mandatory or Optional as per the End User Personalization screen configuration.
Requested Line Item

Serial No. | Field Name | Description
---------- | ---------- | -----------
1 | ITEM_NAME | Item Name
2 | CONNECTOR | System ID
3 | PROV_ITEM_TYPE | Provision Item Type
4 | PROV_TYPE | Provision Type
5 | ASSIGNMENT_TYPE | Assignment Type
6 | PROV_STATUS | Provision Status
7 | VALID_FROM | Valid From
8 | VALID_TO | Valid To
9 | FF_OWNER | Firefighter Owner
10 | COMMENTS | Comments
11 | PROV_ACTION | Provision Action
12 | ROLE_TYPE | Role Type

User Group

Serial No. | Field Name | Description
---------- | ---------- | -----------
1 | USER_GROUP | User Group
2 | USER_GROUP_DESC | User Group Description
Custom Field

Serial No. | Field Name | Description
---------- | ---------- | -----------
1 | FIELDNAME | Name of Custom Field
2 | VALUE | Value of Custom Field
Input Parameters: Validation and Support
Web Service name: GRAC_USER_ACCESS_WS
Mandatory fields and default values in the Header Data and User Info are determined by the End User Personalization Screen Configuration. The REQ_INIT_SYSTEM field (Request Initiating System) of Header Data is always mandatory.
Validation for Request Line Item:
In a Request Line Item, Item Name, System, Provision Item Type and Provision Item Action are mandatory.
If Provision Item Type is ROLE (value ‘ROL’), Role Type is mandatory.
If the line item type is System, Item Name and Connector have the same value.
If the line item is a Firefighter ID, Item Name and Connector must be in sync with the FF Object Web Service.
If the line item is a Firefighter ID, the FF Owner field is mandatory and its value must be in sync with the FF Object Web Service.
Always ensure Provision Item Type is in sync with Provision Item Action.
For each line item, the Valid From date must be earlier than or the same as the Valid To date.
If the request contains lock, unlock or delete actions, one system line item must always be present.
Account validation also applies if it is enabled and set to Error.
Priority and Request Type must be entered with values that exist in the system.
Custom field validation:
For a custom field with fixed values, the values are defined either as a set of fixed values or as a range. The value entered in the corresponding Custom Field Value must match one of the fixed values or lie within the range, wherever applicable.
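The line-item and custom-field rules above, applied client-side before the request is submitted, as an added example (not SAP code). Only ‘ROL’ is given in the text; the item-type codes ‘SYS’ and ‘FFD’, the action codes and all sample data are assumptions made for illustration.

```python
"""Pre-submission checks for GRAC_USER_ACCESS_WS requested line items.

Added example, not SAP code. Item-type codes other than 'ROL' ('SYS' for
system, 'FFD' for firefighter ID) and the lock/unlock/delete action codes
are assumed for illustration; only the rules themselves come from the spec.
"""
from datetime import date

ROLE, SYSTEM, FIREFIGHTER = "ROL", "SYS", "FFD"   # ROL is from the spec, the others assumed
SYSTEM_ACTIONS = {"LOCK", "UNLOCK", "DELETE"}     # assumed action codes


def _to_date(value):
    """Parse a YYYYMMDD string into a date."""
    return date(int(value[:4]), int(value[4:6]), int(value[6:8]))


def validate_line_item(item, ff_objects):
    """Check one Requested Line Item; return a list of error texts.

    ff_objects maps (firefighter ID, connector) -> owner, standing in for
    what GRAC_FIRE_FIGHTER_WS would return.
    """
    errors = []
    for field in ("ITEM_NAME", "CONNECTOR", "PROV_ITEM_TYPE", "PROV_ACTION"):
        if not item.get(field):
            errors.append(f"{field} is mandatory")
    item_type = item.get("PROV_ITEM_TYPE")
    if item_type == ROLE and not item.get("ROLE_TYPE"):
        errors.append("ROLE_TYPE is mandatory when PROV_ITEM_TYPE is ROL")
    if item_type == SYSTEM and item.get("ITEM_NAME") != item.get("CONNECTOR"):
        errors.append("ITEM_NAME and CONNECTOR must be identical for a system item")
    if item_type == FIREFIGHTER:
        key = (item.get("ITEM_NAME"), item.get("CONNECTOR"))
        if key not in ff_objects:
            errors.append("firefighter ID/connector not returned by the FF Object Web Service")
        elif not item.get("FF_OWNER"):
            errors.append("FF_OWNER is mandatory for a firefighter ID")
        elif ff_objects[key] != item["FF_OWNER"]:
            errors.append("FF_OWNER is not in sync with the FF Object Web Service")
    valid_from, valid_to = item.get("VALID_FROM"), item.get("VALID_TO")
    if valid_from and valid_to and _to_date(valid_from) > _to_date(valid_to):
        errors.append("VALID_FROM must be on or before VALID_TO")
    return errors


def validate_custom_fields(custom_fields, definitions):
    """Check custom field values against fixed-value sets or (low, high) ranges."""
    errors = []
    for cf in custom_fields:
        name, value = cf.get("FIELDNAME"), cf.get("VALUE")
        kind, allowed = definitions.get(name, (None, None))
        if kind == "fixed" and value not in allowed:
            errors.append(f"{name}: {value!r} is not one of the fixed values")
        elif kind == "range" and not (allowed[0] <= value <= allowed[1]):
            errors.append(f"{name}: {value!r} is outside the range {allowed}")
    return errors


def validate_request(items, custom_fields, ff_objects, custom_defs):
    """Run all line-item and custom-field checks for a request; [] means OK."""
    errors = []
    for idx, item in enumerate(items, start=1):
        errors += [f"item {idx}: {e}" for e in validate_line_item(item, ff_objects)]
    actions = {it.get("PROV_ACTION") for it in items}
    if actions & SYSTEM_ACTIONS and not any(it.get("PROV_ITEM_TYPE") == SYSTEM for it in items):
        errors.append("lock/unlock/delete actions require at least one system line item")
    errors += validate_custom_fields(custom_fields, custom_defs)
    return errors


# Constructed sample data (not from any real system).
FF_OBJECTS = {("FF_FIN_01", "ECC_CLNT100"): "FFOWNER1"}
CUSTOM_DEFS = {"ZREGION": ("fixed", {"EMEA", "APJ", "NA"}), "ZCLEARANCE": ("range", (1, 5))}
GOOD_ITEMS = [
    {"ITEM_NAME": "ECC_CLNT100", "CONNECTOR": "ECC_CLNT100", "PROV_ITEM_TYPE": SYSTEM,
     "PROV_ACTION": "UNLOCK", "VALID_FROM": "20240101", "VALID_TO": "20241231"},
    {"ITEM_NAME": "Z_AP_CLERK", "CONNECTOR": "ECC_CLNT100", "PROV_ITEM_TYPE": ROLE,
     "PROV_ACTION": "ASSIGN", "ROLE_TYPE": "SIN", "VALID_FROM": "20240101", "VALID_TO": "20241231"},
    {"ITEM_NAME": "FF_FIN_01", "CONNECTOR": "ECC_CLNT100", "PROV_ITEM_TYPE": FIREFIGHTER,
     "PROV_ACTION": "ASSIGN", "FF_OWNER": "FFOWNER1"},
]
GOOD_CUSTOM = [{"FIELDNAME": "ZREGION", "VALUE": "EMEA"}, {"FIELDNAME": "ZCLEARANCE", "VALUE": 3}]

if __name__ == "__main__":
    print(validate_request(GOOD_ITEMS, GOOD_CUSTOM, FF_OBJECTS, CUSTOM_DEFS))  # []
```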
Output Parameters: Submit User Access Request Web Service (Table)
Serial No. Name Nature of Output Description
1 RequestNumber Single value Request Number
2 RequestId Single value Request ID
Return Messages: Structure Message Return
Serial No. Name Description Comment
1 MsgNo Message number 0 For Success, 4 For Error
2 MsgType Message type Success, Error
3 MsgStatement Message text Text for message return
4.8 Organization Assignment Request Web Service – GRAC_ORG_ASSGN_REQUEST_WS
Input Parameters: Organization Assignment Request Web Service
Request Header Details
Serial No. Field Name Mandatory/Optional Description Comments
1 ReqReason Mandatory Request reason
2 Priority Optional Priority
3 Bproc Mandatory Business Process
4 FuncArea Optional Functional Area
5 DueDt Optional Approval Due Date
Language
Serial No. Field Name Mandatory/Optional Description Comments
1 Language Optional Language
Request Assignment Details
Serial No. Field Name Mandatory/Optional Description Comments
1 System Mandatory
2 OmObjTyp Mandatory
3 OmObjId Mandatory
4 RoleId Mandatory
5 ValidFrom Mandatory
6 ValidTo Mandatory
7 Comment Optional
8 ProvAction Mandatory
Input Parameters: Validation and Support
Web Service name: GRAC_ORG_ASSGN_REQUEST_WS
Validation and Support in Header data:
Request Reason and Business Process fields are mandatory.
See the following reference table for the value source of the various input fields.
Serial No. Input Field Name Ref. Source Service Input Field Name Input Value Output Field Name
1 Priority Lookup PriorityType T/t PriorityTypeList
2 Bproc Lookup BusProc T/t BusProcList
3 FuncArea Lookup FunctionArea T/t FunctionAreaList
Validation and Support in Request Assignment:
Serial No. Input Field Name Ref. Source Service Input Field Name Input Value Output Field Name
1 System Select Application ConnectorId No value ConnectorList
2 OmObjTyp Lookup OmObjTyp t/T OmObjectTypeList
3 OmObjId Lookup OmObjValue System and OmObjTyp OmObjectTypeList
4 RoleId SearchRole No value
5 ProvAction Lookup ItemProvActionType ROL ItemProvActionList
Output Parameters: Organization Assignment Request Web Service – Submit User Access Request (Table)
Serial No. Name Nature of Output Description
1 RequestNumber Single value Request Number
2 RequestId Single value Request ID
Return Messages: Structure Message Return
Serial No. Name Description Comment
1 MsgNo Message number 0 For Success, 4 For Error
2 MsgType Message type Success, Error
3 MsgStatement Message text Text for message return
4.9 Request Status Web Service – GRAC_REQUEST_STATUS_WS
Input Parameters: Request Status Web Service
Serial No. Field Name Mandatory/Optional Description Comments
1 Request Number Mandatory Request Number
2 Language Optional Language
Input Parameters: Validation and Support
Web Service name: GRAC_REQUEST_STATUS_WS
Request Number: This field is mandatory. If no value is input in this field and the web service is executed, the following error message appears, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Request No is mandatory’.
If a space is provided to the left of the request number at the time of input, the request number is accepted and proper output appears. No space to the left of the request number is allowed, but leading zeros are allowed. If a space is provided within the request number, the following error message appears, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Invalid Request No’.
Input of any alphabetic or special character in the input field, with or without the request number, is treated as ‘INVALID REQUEST NO’ and the above message is displayed.
Language: This field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the language is set to the login language.
Output Parameters: Request Status Web Service
Serial No. Name Nature of Output Description
1 Request No Single value Request No
2 ReqCreated Single value Request Creation Date
3 Priority Single value HIGH/MEDIUM/LOW
4 RequestorId Single value Requestor’s ID
5 DueDate Single value Request due date
6 UserList List List of Users
7 Reqstatus Single value Current status of Request
8 ReqstatusTxt Single value Description of Current status of Request
9 Approver List List of Approver
10 ReqCurrentStage Single Value Request Current Stage
User List
Serial No. Name Nature of Output Description
1 UserID User ID
2 FName First Name
3 LName Last Name
Approver List
Serial No. Name Nature of Output Description
1 ApproverID Approver ID
Return Messages: Structure Message Return
Serial No. Name Description Comment
1 MsgNo Message number 0 For Success, 4 For Error
2 MsgType Message type Success, Error
3 MsgStatement Message text Text for message return
4.10 Request Details Web Service – GRAC_REQUEST_DETAILS_WS
Input Parameters: Request Details Web Service
Serial No. Field Name Mandatory/Optional Description Comments
1 Request Number Mandatory Request Number
2 Language Optional Language
Input Parameters: Validation and Support
Web Service name: GRAC_REQUEST_DETAILS_WS
Request Number: This field is mandatory. If no value is input in this field and the web service is executed, the following error message appears, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Request No is mandatory’.
If a space is provided to the left of the Request No at the time of input, the Request No is accepted and proper output is displayed. No space to the left of the Request No is allowed, but leading zeros are allowed. If a space is given within the request number, the following error message appears, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Invalid Request No’.
Input of any alphabetic or special character in the input field, with or without the request number, is treated as ‘INVALID REQUEST NO’ and the above message is displayed.
Language: This field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the language is set to the login language.
Output Parameters: Request Details Web Service
Serial No. Name Nature of Output Description
1 Request ID Single value Request ID
2 Request Type Single value Type of requests CREATE_USER, CHANGE_USER, LOCK_USER, UNLOCK_USER, DELETE_USER, ASSIGN_ROLES etc
3 Request Type Desc Single value Request Type description
4 Request Status Single value APPROVED/REJECTED/PENDING
5 Request Status Desc Single value Request Status description
6 Priority Single value HIGH/MEDIUM/LOW
7 Priority Desc Single value Priority Description
8 Approval due date Single value Approval due date
9 Requestor Single value Requestor’s ID
10 Requestor First Name Single value Requestor’s First Name
11 Requestor Last Name Single value Requestor’s Last Name
12 Requestor Email Single value Email address of the requestor
13 User Info Table User Information
14 RequestedItems Table Requested Items
15 RequestPaths Table Request Paths
16 RiskViolationData Table Risk Violation data
17 Parameter Table Parameter
18 User Group Table User Group
19 Request Organization Assignment Item Table Organization Assignment Item
User Info
Serial No. Name Nature of Output Description
1 USERID Single value User ID
2 TITLE Single value Academic/Personal title (MR/MS/MRS/DOC)
3 FNAME Single value User’s First Name
4 LNAME Single value User’s Last Name
5 SNC_NAME Single value SNC Name
6 UNSEC_SNC Single value User’s SNC Name
7 ACCNO Single value User’s Account Number
8 USER_GROUP Single value User Group
9 VALID_FROM Single value Valid From Date
10 VALID_TO Single value Valid To
11 EMPPOSITION Single value Position of Employee
12 EMPJOB Single value Job of Employee
13 PERSONNELNO Single value Personnel Number
14 PERSONNELAREA Single value Personnel Area
15 COMM_METHOD Single value Communication Method
16 FAX Single value FAX
17 EMAIL Single value Email
18 TELNUMBER Single value Telephone No
19 DEPARTMENT Single value Department
20 COMPANY Single value Company
21 LOCATION Single value Location
22 COSTCENTER Single value Cost Center
23 PRINTER Single value Printer
24 ORGUNIT Single value Organization Unit
25 EMPTYPE Single value Employee Type
26 MANAGER Single value Manager
27 MANAGER_EMAIL Single value Manager’s Email
28 MANAGER_FIRSTNAME Single value Manager’s First Name
29 MANAGER_LASTNAME Single value Manager’s Last Name
30 START_MENU Single value Start Menu
31 LOGON_LANG Single value Logon Language
32 DEC_NOTATION Single value Decimal Notation
33 DATE_FORMAT Single value Date Format
34 ALIAS Single value Alias
35 USER_TYPE Single value User’s Type
Requested Item
Serial No. Name Nature of Output Description
1 Item ID Single value Item ID
2 Item Desc Single value Item Description
3 Connector Single value System
4 Prov Item Type Single value Provision Item Type
5 Prov Item Type Desc Single value Provision Item Type Description
6 Prov Type Single value Provision Type
7 Prov Type Desc Single value Provision Type Description
8 Assignment Type Single value Assignment Type
9 Assignment Type Desc Single value Assignment Type Description
10 Prov Status Single value Provision Status
11 Prov Status Desc Single value Provision Status Description
12 Valid From Single value Valid From
13 Valid To Single value Valid To
14 Owners Single value Owners
15 Comments Single value Comment
16 Prov Action Single value Provision Action
17 Prov Action Desc Single value Provision Action Description
18 Approval Status Single value Approval Status
19 Approval Status Desc Single value Approval Status Description
20 ReqItemApprover Table List of Approvers
21 ReqItemDetails Single value Request Item Details
22 Status Single Value Status
ReqItemApprover
Serial No. Name Nature of Output Description
1 UserID Single value User ID
2 UserFirstName Single value User First Name
3 UserLastName Single value User Last Name
RequestPaths
Serial No. Name Nature of Output Description
1 Path Name Single value Path Name
2 Path Desc Single value Path Description
3 Current Stage Name Single value Current Stage Name
4 Current Stage Desc Single value Current Stage Description
5 Current Stage Status Single value Current Stage Status
6 Current Stage Status Desc Single value Current Stage Status Description
7 CurstageApprovers Table List of Currentstage Approver
Current Stage Approvers
Serial No. Name Nature of Output Description
1 UserId Single value User ID
2 RiskId Single value Risk ID
3 RiskDesc Single value Risk Description
4 RiskLevel Single value Risk Level
5 RiskLevelDesc Single value Risk Level Description
6 RuleId Single value Rule ID
7 Role List Table List of Roles
8 System Single value System
9 SystemType Single value System Type
10 Mitigation Details Table Mitigation Details
11 Action Table Action
12 OrgRule Table Organization Rule
13 RiskStatus Single value Risk Status
14 ViolationCount Single value Violation Count
15 LastExecutedOn Single value Last Executed On
16 Execution Count Single value No of Execution
17 RiskOwner Table List of Risk Owner
18 Tcode Table List Of Tcode
Role List
Serial No. Name Nature of Output Description
1 Role Single value Role
2 CompositRole Single value Composite Role
Mitigation Details
Serial No. Name Nature of Output Description
1 MitigationCtrl Single value Mitigation Control
2 MitigationStatus Single value Mitigation Status
3 Monitor Table List Monitor
Monitor
Serial No. Name Nature of Output Description
1 MitigationCtrl Single value Mitigation Control
Action
Serial No. Name Nature of Output Description
1 Action Single value Action
OrgRule
Serial No. Name Nature of Output Description
1 OrgRule Single value Organization Rule
RiskOwner
Serial No. Name Nature of Output Description
1 OwnerId Single value ID of Risk Owner
2 FullName Single value Full Name of Risk Owner
TCode
Serial No. Name Nature of Output Description
1 RoleID Single value Role ID
2 RoleDesc Single value Role Description
3 System Single value System
4 Tcode Single value Transaction Code
5 TcodeDesc Single value Transaction Code Description
Parameter
Serial No. Name Nature of Output Description
1 PARAMETER Single value Parameter Name
2 PARAMETER_VALUE Single value Parameter Value
3 PARAMETER_DESC Single value Parameter Description
User Group
Serial No. Name Nature of Output Description
1 USER_GROUP Single value User Group
2 USER_GROUP_DESC Single value User Group Description
Organization Assignment Item
Serial No. Name Nature of Output Description
1 System Single value System
2 OMObjType Single value OM Object Type
3 OMObjTypeTxt Single Value OM Object Type Description
4 OMObjID Single Value OM Object ID
5 OMObjIDTxt Single Value OM Object ID Description
6 RoleID Single Value Role ID
7 ValidFrom Single Value Valid From
8 ValidTo Single Value Valid To
9 ProvAction Single Value Provisioning Action
10 ProvActionTxt Single Value Provisioning Action Description
Return Messages: Structure Message Return
Serial No. Name Description Comment
1 MsgNo Message number 0 For Success, 4 For Error
2 MsgType Message type Success, Error
3 MsgStatement Message text Text for message return
4.11 Provision Log Web Service – GRAC_PROV_LOGS_WS
Input Parameters: Provision Log Web Service
Serial No. Field Name Mandatory/Optional Description Comments
1 ConnectorId Optional Connector ID
2 DateFrom Optional Date From YYYYMMDD
3 Language Optional Language
4 ProvAction Optional Provision Action
5 ProvItem Optional Provision Item
6 ProvItemType Optional Provision Item Type
7 ReqNumber Optional Request Number
8 ReqStatus Optional Request Status
9 DateTo Optional Date To YYYYMMDD
10 UpdateBy Optional Update By
11 UserId Optional User ID User ID to be Provisioned
Input Parameters: Validation and Support
Web Service name: GRAC_PROV_LOGS_WS
All parameters are optional from the interface point of view, but Request Number should be treated as mandatory at the web service consuming end; the rest of the parameters restrict the provision logs returned for that request number. If only initial (empty) parameters are entered, the error message “All Inputs are Initial” is shown. No space to the left of any input parameter is allowed; otherwise the error message “Invalid Inputs” is displayed.
Validations and input format for input fields:
Connector ID: wildcard * supported
Date From: format supported YYYYMMDD
Date To: format supported YYYYMMDD
Provision Item: wildcard * supported
Provision Item Type: wildcard * supported
Provision Action: wildcard * supported
Output Parameters: Provision Log Web Service (Table PROVISION_LOGS)
Serial No. Name Description
1 RequestNumber Request Number
2 User ID User ID
3 ConnectorId Target Connector
4 ProvItem Provisioning Item Name
5 ProvItemType Provisioning Item Type
6 ProvItemTypeDesc Provisioning Item Type Description
7 ProvAction Provisioning Action
8 ProvActionDesc Provisioning Action Description
9 Updated By Updated By
10 Last Updated Last Updated
11 ReqItemStatus Status
12 ReqItemStatusDesc Status Description
13 ReqShortText Short Description
Return Messages: Structure Message Return
Serial No. Name Description Comment
1 MsgNo Message number 0 For Success, 4 For Error
2 MsgType Message type Success, Error
3 MsgStatement Message text Text for message return
4.12 Audit Log Web Service – GRAC_AUDIT_LOG_WS
Input Parameters: Audit Log Web Service
Serial No. Field Name Mandatory/Optional Description Comments
1 RequestNumber Optional Request Number
2 UserId Optional User ID Request Created by User ID
3 MaxHits Optional Maximum Number Limited to 100 request numbers
4 DateFrom Optional From date
5 DateTo Optional To Date
6 Language Optional Language
7 RequestorID Optional Requestor ID
8 Action Optional Action Currently Not Supported
Input Parameters: Validation and Support
Web service name: GRAC_AUDIT_LOG_WS
All inputs are mandatory from the interface point of view, but if the user executes the service without passing anything, the user is asked to pass Request Number or User ID or Date.
Validation and input format for input fields:
Maximum Hits: If the user does not enter anything in this parameter, hits are limited to the first 100 log entries. These 100 entries are counted on the number of requests, not on audit log entries, and the result is displayed irrespective of how many audit logs are generated for a request number.
For example, if the user has entered only a User ID in the input fields and more than 100 requests exist for that user, only the first 100 requests are shown and the rest are not.
Date From: format supported YYYYMMDD
Date To: format supported YYYYMMDD
Action: currently not supported; included in the interface to stay in sync with the old version
From Date and To Date can never be after the current date.
From Date can never be after To Date.
If the length of From Date or To Date is greater than 8, the error message “Invalid Input” is shown.
No spaces to the left of the request number are allowed. In this case, the error message “No data found for requested inputs” is shown.
If Max Hits is less than 0, the error message “Invalid Max Hits” is shown.
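The input rules above, including the point that Max Hits counts request numbers rather than log entries, as an added example (not SAP code). The error texts quoted in this section are used verbatim; the message for a missing Request Number/User ID/Date, the date-order and future-date texts, the success text and the sample rows are assumptions.

```python
"""Client-side input checks for GRAC_AUDIT_LOG_WS that return the service's
Message Return structure (MsgNo, MsgType, MsgStatement).

Added example, not SAP code. Error texts quoted in the spec are used verbatim;
the "pass Request Number or User ID or Date" text, the date-order and
future-date texts, the success text and the handling of a malformed or
non-numeric value are assumed.
"""
from datetime import date

DEFAULT_MAX_HITS = 100                          # spec: empty MaxHits -> first 100 request numbers
SUCCESS = (0, "SUCCESS", "Inputs accepted")     # assumed text
REQUIRED_ANY = ("RequestNumber", "UserId", "DateFrom", "DateTo")
FIELDS = REQUIRED_ANY + ("MaxHits", "Language", "RequestorID")


def _parse_ymd(text):
    """Parse a YYYYMMDD string; return None when it is not a valid date."""
    if len(text) != 8 or not text.isdigit():
        return None
    try:
        return date(int(text[:4]), int(text[4:6]), int(text[6:8]))
    except ValueError:
        return None


def validate_audit_log_input(params, today):
    """Return ((MsgNo, MsgType, MsgStatement), normalised params).

    params holds the input fields as strings ('' or missing = empty);
    today is a YYYYMMDD string, injected so the check is deterministic.
    """
    p = {k: (params.get(k) or "") for k in FIELDS}
    if not any(p[k] for k in REQUIRED_ANY):
        return (4, "ERROR", "Pass Request Number or User ID or Date"), p
    if p["RequestNumber"] != p["RequestNumber"].lstrip():
        return (4, "ERROR", "No data found for requested inputs"), p
    if len(p["DateFrom"]) > 8 or len(p["DateTo"]) > 8:
        return (4, "ERROR", "Invalid Input"), p
    parsed = {}
    for key in ("DateFrom", "DateTo"):
        if p[key]:
            d = _parse_ymd(p[key])
            if d is None:                       # assumed: malformed date -> Invalid Input
                return (4, "ERROR", "Invalid Input"), p
            if d > _parse_ymd(today):
                return (4, "ERROR", f"{key} is after the current date"), p   # assumed text
            parsed[key] = d
    if len(parsed) == 2 and parsed["DateFrom"] > parsed["DateTo"]:
        return (4, "ERROR", "From Date is after To Date"), p                # assumed text
    if p["MaxHits"] == "":
        p["MaxHits"] = DEFAULT_MAX_HITS
    else:
        if not str(p["MaxHits"]).lstrip("-").isdigit():   # assumed: non-numeric -> Invalid Max Hits
            return (4, "ERROR", "Invalid Max Hits"), p
        p["MaxHits"] = int(p["MaxHits"])
        if p["MaxHits"] < 0:
            return (4, "ERROR", "Invalid Max Hits"), p
    return SUCCESS, p


def apply_max_hits(log_rows, max_hits):
    """Keep all rows for the first max_hits distinct request numbers.

    The spec says the limit counts requests, not audit-log entries, so a
    request that is kept is returned with every one of its log entries.
    """
    kept = []
    for row in log_rows:
        if row["RequestNumber"] not in kept:
            if len(kept) == max_hits:
                break
            kept.append(row["RequestNumber"])
    return [row for row in log_rows if row["RequestNumber"] in kept]


# Constructed sample audit-log rows (request number -> several entries).
SAMPLE_ROWS = [
    {"RequestNumber": "1001", "Id": "1", "DisplayString": "Request created"},
    {"RequestNumber": "1001", "Id": "2", "DisplayString": "Submitted to manager stage"},
    {"RequestNumber": "1002", "Id": "3", "DisplayString": "Request created"},
    {"RequestNumber": "1003", "Id": "4", "DisplayString": "Request created"},
]

if __name__ == "__main__":
    msg, p = validate_audit_log_input({"UserId": "JDOE", "MaxHits": "2"}, "20240615")
    print(msg, [r["Id"] for r in apply_max_hits(SAMPLE_ROWS, p["MaxHits"])])
```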
Output Parameters: Audit Log Web Service
Output information is structured in a nested format. At the header level, data related to the request number is displayed; at the second level of the structure, all provision items are displayed; and at the third level, audit logs for every provision item are displayed.
Audit Logs Main Header Table
Serial No. Name Nature of Output Description
1 RequestNumber Single value Request Number
2 Requested_by Single value Requested By
3 Submitted_by Single value
4 Status Single value Status of Request
5 CreateDate Single value Date of Creation of Request
6 Priority Single value Priority for Request
7 ItAuditData List Request History in Detail
Request ItAuditData Structure
Serial No. Name Nature of Output Description
1 ActionDate Single value Date on Which Action Was Performed
2 ActionValue Single value Currently Not Supported
3 DependantId Single value ID For Which Request Is Created
4 Description Single value Audit Log Text
5 DisplayString Single value Audit Log Text
6 Id Single value Unique ID For This Action
7 Path Single value Path
8 Stage Single value Request Stage
9 UserId Single value User ID
10 ItAuditDataChild List Mother Request ID of This Tree
Request ItAuditDataChild Structure
Serial No. Name Nature of Output Description
1 ActionDate Single value Date on Which Action Was Performed
2 ActionValue Single value Currently Not Supported
3 DependantId Single value ID For Which Request Is Created
4 Description Single value Audit Log Text
5 DisplayString Single value Audit Log Text
6 Id Single value Unique ID For This Action
7 Path Single value Path
8 Stage Single value Request Stage
9 UserId Single value User ID
Return Messages: Structure Message Return
Serial No. Name Description Comment
1 MsgNo Message number 0 For Success, 4 For Error
2 MsgType Message type Success, Error
3 MsgStatement Message text Text for message return
4.13 Exit Web Service – GRAC_EXIT_FROM_IDM_WS
Input Parameters: Exit Web Service
Serial No. Field Name Mandatory/Optional Description Comments
1 RequestNumber Mandatory Request Number <Request Number>$ <Connectorid>
2 EntrySeq Optional Sequence Number of Task
3 OperResponse Optional Response Code
4 OperResponseDesc Optional Response Description
5 Status Optional Status
6 ProvItem Optional Provisioning Item
7 Language Optional Language
Input Parameters: Validation and Support
Web service name: GRAC_EXIT_FROM_IDM_WS
Input for the Exit Web Service supports multiple sequence updates for a single request number; the handshake format between IDM and GRC for updating a request number is <RequestNumber>$<ConnectorID> in the RequestNumber parameter. However, IDM does not need any extra effort to maintain this format, because GRC provides the information in the same form while provisioning.
Request Number is mandatory.
From the interface point of view nothing is mandatory, but the user needs to enter RequestNumber and EntrySeq for successful execution of the Web Service.
Validations and input format for input fields: A combination of Request Number and Entry Sequence must exist in the GRC system for updating. If not, the following error message is displayed, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Seq <seqno> of Request <request no> not found’.
Return Messages: Structure Message Return
Serial No. Name Description Comment
1 MsgNo Message number 0 For Success, 4 For Error
2 MsgType Message type Success, Error
3 MsgStatement Message text Text for message return
4.14 Risk Analysis With Request Number Web Service – GRAC_RISK_ANALYSIS_WITH_NO_WS
Input Parameters: Risk Analysis with Request Number Web Service
Serial No. Field Name Mandatory/Optional Description Comments
1 RequestNo Mandatory Request Number
2 HitCounts Optional Number of Records
Input Parameters: Validation and Support
Web Service name: GRAC_RISK_ANALYSIS_WITH_NO_WS.
Request Number is mandatory. If no value is passed in this field, the following error message is displayed, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Request No is mandatory’.
If an invalid request number is passed, the following error message is displayed, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Invalid Request No’. Hit Counts is a number; the interface attaches a numeric input control so that no alphabetic entry can be made. On successful data retrieval, the following success message is displayed, with MsgNo = 0, MsgType ‘SUCCESS’ and MsgStatement ‘Data populated successfully’.
This WS returns violations for these 5 Report Types:
Action
Permission
Critical Action
Critical Permission
Critical Role/Profile
Language field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the language will be set as login language.
Output Parameters: Risk Analysis With Request Number Web Service
Serial No. Name Nature of Output Description
1 UserId Single value User ID
2 RiskId Single value Risk ID
3 RiskDesc Single value Risk Description
4 RiskLevel Single value Risk Level
5 RiskLevelDesc Single value Risk Level Description
6 RuleId Single value Rule ID
7 Role List Table List of Roles
8 System Single value System
9 SystemType Single value System Type
10 Mitigation Details Table Mitigation Details
11 Action Table Action
12 OrgRule Table Organization Rule
13 RiskStatus Single value Risk Status
14 ViolationCount Single value Violation Count
15 LastExecutedOn Single value Last Executed On
16 Execution Count Single value Number of Executions
17 RiskOwner Table List of Risk Owner
18 Tcode Table List Of Transaction Codes
Role List
Serial No. Name Nature of Output Description
1 Role Single value Role
2 CompositRole Single value Composite Role
Mitigation Details
Serial No. Name Nature of Output Description
1 MitigationCtrl Single value Mitigation Control
2 MitigationStatus Single value Mitigation Status
3 Monitor Table List Monitor
Monitor
Serial No. Name Nature of Output Description
1 MitigationCtrl Single value Mitigation Control
Action
Serial No. Name Nature of Output Description
1 Action Single value Action
OrgRule
Serial No. Name Nature of Output Description
1 OrgRule Single value Organization Rule
RiskOwner
Serial No. Name Nature of Output Description
1 OwnerId Single value ID of Risk Owner
2 FullName Single value Full Name of Risk Owner
TCode
Serial No. Name Nature of Output Description
1 RoleID Single value Role ID
2 RoleDesc Single value Role Description
3 System Single value System
4 Tcode Single value Transaction Code
5 TcodeDesc Single value Transaction Code Description
Parameter
Serial No. Name Nature of Output Description
1 PARAMETER Single value Parameter Name
2 PARAMETER_VALUE Single value Parameter Value
3 PARAMETER_DESC Single value Parameter Description
Return Messages: Structure Message Return
Serial No. Name Description Comment
1 MsgNo Message number 0 For Success, 4 For Error
2 MsgType Message type Success, Error
3 MsgStatement Message text Text for message return
4.15 Risk Analysis Without Request Number Web Service – GRAC_RISK_ANALYSIS_WOUT_NO_WS
Input Parameters: Risk Analysis Without Request Number Web Service
Serial No. Field Name Mandatory/Optional Nature of Input Description Comments
1 RoleType Mandatory if ObjectType is ‘ROL’ Single Value Role Type
2 ConnectorId Mandatory Table Connector ID -System
3 ObjectId Mandatory Table Object ID
4 UserGroup Optional Single Value User Group
5 ObjectType Mandatory Single Value Object Type
6 OrgRule Optional Table Org Rule
7 OrgLevel Optional Single Value Org level
8 BusinessProc Optional Single Value Bus Procedure
9 RiskId Optional Table Risk ID
10 RuleId Optional Single Value Rule ID
11 RiskLevel Optional Single Value Risk Level
12 RuleSetId Optional Single Value Rule Set ID
13 ReportType Optional Table Report Type
14 ReportFormat Optional Single Value Report Format
15 Org Val Optional Table Org Value Not Used
16 UserType Optional Single Value User Type
17 Simulation Optional Table Simulation
18 SimuRiskOnly Optional Single Value Simulation Risk Only
19 ApplicationType Optional Single Value Application Type
20 AddlAttrib Optional Table Additional Attributes
21 HitCounts Optional Single Value If no value is supplied then, by default, 100 records will be displayed
Connector
Serial No. Name Nature of Output Description
1 Connector Single value Connector
Object ID
Serial No. Name Nature of Output Description
1 ObjectID Single value Object ID
Org Rule
Serial No. Name Nature of Output Description
1 OrgRule Single value Org Rule
Risk ID
Serial No. Name Nature of Output Description
1 RiskID Single value Risk ID
Report Type
Serial No. Name Nature of Output Description
1 Report Type Single value Report type
Simulation
Serial No. Name Nature of Output Description
1 Connector Single value Connector
2 SimuObjType Single value Simulation Object Type
3 SimuObjIDList Table Simulation Object ID List
4 ExcludeSimu Single value Flag Value
Simulation Object ID List
Serial No. Name Nature of Output Description
1 SIMUOBJID Single value Simulation Object ID
Additional Attributes
Serial No. Name Nature of Output Description
1 Addl Attrib Single value Additional Attribute
Org value
Serial No. Name Nature of Output Description
1 Org Val Single value Organization Value
Input Parameters: Validation and Support
Web Service name: GRAC_RISK_ANALYSIS_WOUT_NO_WS.
ConnectorID is mandatory; if no value is passed in this field, the following error message is returned, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Connector ID is mandatory’.
ObjectID is mandatory; if no value is passed in this field, the following error message is returned, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Object Field is Mandatory’.
Object Type is mandatory; if no value is passed in this field, the following error message is returned, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Object type is mandatory’.
Object Type is either ‘ROL’ (for Role) or ‘USR’ (for User). For any other Object Type, the following error message is returned, with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Invalid object type’. The remaining inputs are used for filtering.
In Simulation, the following five simulation object types are supported:
ACT (1), ROL (2), PRF (3), BUS (4), CUA (5)
This WS returns violations for the following five Report Types: Action, Permission, Critical Action, Critical Permission, Critical Role/Profile
Risk Analysis is done at User and Role Level.
Only SAP Systems are supported.
If Object Type is Role, Correct Role Type is mandatory.
Supported Object Types include the following:
User
Role
Profile
HR Object-Job
HR Object-Org Unit
HR Object- Position
Action
User Org
Role Org
User Group
Org unit
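The validation rules for GRAC_RISK_ANALYSIS_WOUT_NO_WS described above, applied on the consuming side before the call, as an added example (not SAP code). It uses the ‘ROL’/‘USR’ object-type rule and the error texts quoted in this section, together with the five simulation object types and five report types; the texts for a missing role type, an unsupported simulation or report type, and the success message, plus the sample request, are assumptions.

```python
"""Input checks for GRAC_RISK_ANALYSIS_WOUT_NO_WS before the call is made.

Added example, not SAP code. The mandatory-field messages, the ROL/USR object
types, the five simulation object types and the five report types are taken
from the spec; the role-type, simulation and report-type error texts and the
success text are assumed wording.
"""

OBJECT_TYPES = {"ROL", "USR"}
SIMU_OBJ_TYPES = {"ACT", "ROL", "PRF", "BUS", "CUA"}
REPORT_TYPES = {"Action", "Permission", "Critical Action",
                "Critical Permission", "Critical Role/Profile"}
DEFAULT_HIT_COUNTS = 100   # spec: no HitCounts -> 100 records


def _error(text):
    """Message Return structure for an error (MsgNo 4)."""
    return {"MsgNo": 4, "MsgType": "ERROR", "MsgStatement": text}


def validate_risk_analysis_input(req):
    """Return (message_return, normalised_request) for one input dict.

    Table-typed inputs (ConnectorId, ObjectId, RiskId, ReportType, Simulation,
    OrgRule, AddlAttrib) are lists; single-value inputs are strings.
    """
    norm = dict(req)
    if not norm.get("ConnectorId"):
        return _error("Connector ID is mandatory"), norm
    if not norm.get("ObjectId"):
        return _error("Object Field is Mandatory"), norm
    obj_type = norm.get("ObjectType")
    if not obj_type:
        return _error("Object type is mandatory"), norm
    if obj_type not in OBJECT_TYPES:
        return _error("Invalid object type"), norm
    if obj_type == "ROL" and not norm.get("RoleType"):
        return _error("Role type is mandatory for object type ROL"), norm   # assumed text
    for sim in norm.get("Simulation", []):
        if sim.get("SimuObjType") not in SIMU_OBJ_TYPES:
            return _error(f"Unsupported simulation object type {sim.get('SimuObjType')!r}"), norm  # assumed text
    for report_type in norm.get("ReportType", []):
        if report_type not in REPORT_TYPES:
            return _error(f"Unsupported report type {report_type!r}"), norm   # assumed text
    if not norm.get("HitCounts"):
        norm["HitCounts"] = DEFAULT_HIT_COUNTS
    else:
        norm["HitCounts"] = int(norm["HitCounts"])
    return {"MsgNo": 0, "MsgType": "SUCCESS", "MsgStatement": "Inputs accepted"}, norm  # assumed text


# Constructed sample: user-level analysis with one role simulated as added.
SAMPLE_REQUEST = {
    "ConnectorId": ["ECC_CLNT100"],
    "ObjectId": ["JDOE"],
    "ObjectType": "USR",
    "ReportType": ["Action", "Permission"],
    "Simulation": [{"Connector": "ECC_CLNT100", "SimuObjType": "ROL",
                    "SimuObjIDList": ["Z_AP_CLERK"], "ExcludeSimu": ""}],
}

if __name__ == "__main__":
    print(validate_risk_analysis_input(SAMPLE_REQUEST))
```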
Output Parameters: Risk Analysis Without Request Number Web Service
Risk Data
Serial No. Name Nature of Output Description
1 Object ID Single value Object ID
2 Role ID Single value Role ID
3 RiskID Single value Risk ID
4 RiskDesc Single value Risk Description
5 RiskLevel Single value Risk Level
6 RiskLevelDesc Single value Risk Level Description
7 Rule ID Single Value Rule ID
8 System Single value System
9 Action Single value Action
10 Lastexecutedon Single value Date Last Executed
11 Executioncount Single value Execution Count
12 Control Single value Control
13 Monitor Single value Monitor
TCode
Serial No.  Name            Nature of Output  Description
1           UserId          Single value      User ID
2           RiskId          Single value      Risk ID
3           RiskDesc        Single value      Risk Description
4           RiskLevel       Single value      Risk Level
5           RiskLevelDesc   Single value      Risk Level Description
6           RuleId          Single value      Rule ID
7           System          Single value      System
8           Action          Single value      Action
9           Lastexecutedon  Single value      Date Last Executed
10          Executioncount  Single value      Execution Count
11          Control         Single value      Control
12          Monitor         Single value      Monitor
4.16 EUP Config Web Service – GRAC_EUP_CONFIG_DATA_WS
Input Parameters: EUP Configuration Data
Serial No.  Field Name       Mandatory/Optional  Description      Comments
1           EUP Criteria ID  Optional            EUP Criteria ID
2           Language         Optional            Language
Input Parameters: Validation and Support
Web Service name: GRAC_EUP_CONFIG_DATA_WS. If EUP Criteria ID is initial (empty), the error message “Enter the valid EUP criteria ID supported by IDM” is returned. If EUP Criteria ID is 999, the default success message is returned; for any other value the error message “Only 999 EUP criteria ID is supported” is returned.
Output Parameters: EUP Configuration Data
EUP Data
Serial No.  Name          Nature of Output  Description
1           FieldLabel    Single value      Field Label
2           FieldName     Single value      Field Name
3           Mandatory     Single value      Mandatory
4           DefaultValue  Single value      Default Value
Return Messages: Structure Message Return
Serial No.  Name          Description     Comment
1           MsgNo         Message number  0 for Success, 4 for Error
2           MsgType       Message type    Success, Error
3           MsgStatement  Message text    Text for message return
4.17 Audit Logs Integration Web Service – GRAC_AUDIT_LOGS_WS
Two scenarios are supported:
Audit logs from GRC: In IdM-driven provisioning, IdM retrieves the audit logs from GRC by calling the GRAC_AUDIT_LOGS_WS Web Service.
Audit logs from IdM: Currently IdM systems do not expose enough audit information; only the request status is shown in the GRC audit logs.
Synchronous requests: the result returned by IdM is captured and shown in the audit logs in GRC.
Asynchronous requests:
For all open requests: a real-time call is made to IdM to fetch the status of the requests that are still open in IdM.
For all closed requests: once a request has been processed and closed in IdM, IdM is expected to post the status of the request back to GRC by calling the GRAC_EXIT_FROM_IDM_WS Web Service.
Input Parameters: Audit Logs Integration Web Service
Serial No.  Field Name     Mandatory/Optional  Description     Comments
1           RequestNumber  Optional            Request Number
2           UserId         Optional            User ID         Request created by User ID
3           MaxHits        Optional            Maximum Number  Limited to 100 request numbers
4           DateFrom       Optional            From Date
5           DateTo         Optional            To Date
6           Language       Optional            Language
7           RequestorID    Optional            Requestor ID
8           Action         Optional            Action          Currently not supported
Input Parameters: Validation and Support
Web service name: GRAC_AUDIT_LOGS_WS
All inputs are optional from the interface point of view, but if the service is executed without passing anything, the caller is asked to pass a Request Number, a User ID or a Date.
Validations and input format for input fields:
Maximum Hits: If nothing is entered in this parameter, the result is limited to the first 100 request numbers. This limit of 100 is applied to the number of requests, not to the number of audit log entries: every audit log generated for a returned request number is displayed, however many there are.
For example: if only a User ID is entered and more than 100 requests exist for that user, only the first 100 requests are returned; the remaining requests are not shown.
Date From: supported format YYYYMMDD
Date To: supported format YYYYMMDD
Action: currently not supported; kept in the interface for compatibility with the previous version
From Date and To Date can never be after the current date.
From Date can never be after To Date.
If the length of From Date or To Date is greater than 8, the error message “Invalid Input” is returned.
Leading spaces in the request number are not allowed (the value is not trimmed). In this case the error message “No data found for requested inputs” is returned.
If Max Hits is less than 0, the error message “Invalid Max Hits” is returned.
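The validation rules above, applied on the IdM side before the call is made, as an added example in Python; this is not part of the original document and not SAP code. The parameter names are the service's input fields; validate_audit_log_inputs, apply_max_hits and the sample records are ours, and the today argument is injectable (YYYYMMDD) so the date checks are reproducible. It also reproduces the MaxHits semantics, which bound request numbers rather than log lines.

```python
"""Client-side validation for GRAC_AUDIT_LOGS_WS inputs, mirroring the
rules the service documents. Added example, not SAP code; the parameter
names are the service's input fields, the function names are ours."""
from datetime import date, datetime

MAX_HITS_DEFAULT = 100  # the cap counts request numbers, not log lines


def _parse_yyyymmdd(value, label):
    # The service answers "Invalid Input" for anything longer than 8 chars;
    # non-digits are rejected here too rather than failing later in strptime.
    if len(value) != 8 or not value.isdigit():
        raise ValueError(f"{label}: Invalid Input (expected YYYYMMDD)")
    return datetime.strptime(value, "%Y%m%d").date()


def validate_audit_log_inputs(params, today=None):
    """Return the cleaned parameters, or raise ValueError carrying the
    message the service would send back. `today` (YYYYMMDD string) is
    injectable for reproducible checks; it defaults to the real date."""
    today = _parse_yyyymmdd(today, "today") if today else date.today()
    request_number = params.get("RequestNumber") or ""
    user_id = params.get("UserId") or ""
    date_from = params.get("DateFrom") or ""
    date_to = params.get("DateTo") or ""
    max_hits = params.get("MaxHits")

    # Everything is optional in the interface, but the service wants one key.
    if not (request_number or user_id or date_from or date_to):
        raise ValueError("Pass Request Number or User ID or Date")

    # Leading blanks are not trimmed server-side; they silently turn into
    # "No data found for requested inputs". Fail loudly here instead.
    if request_number != request_number.lstrip():
        raise ValueError("No data found for requested inputs (leading space in RequestNumber)")

    d_from = _parse_yyyymmdd(date_from, "DateFrom") if date_from else None
    d_to = _parse_yyyymmdd(date_to, "DateTo") if date_to else None
    if (d_from and d_from > today) or (d_to and d_to > today):
        raise ValueError("From Date and To Date can never be after the current date")
    if d_from and d_to and d_from > d_to:
        raise ValueError("From Date can never be after To Date")

    if max_hits is None:
        max_hits = MAX_HITS_DEFAULT
    if max_hits < 0:
        raise ValueError("Invalid Max Hits")

    return {"RequestNumber": request_number, "UserId": user_id,
            "DateFrom": date_from, "DateTo": date_to, "MaxHits": max_hits}


def apply_max_hits(audit_records, max_hits):
    """Reproduce the server's truncation: MaxHits bounds distinct request
    numbers, so a request with many log lines still counts once and all
    of its lines are kept."""
    seen = []
    kept = []
    for rec in audit_records:
        rn = rec["RequestNumber"]
        if rn not in seen:
            if len(seen) >= max_hits:
                continue  # a new request beyond the cap: drop its lines
            seen.append(rn)
        kept.append(rec)
    return kept


# Constructed sample: three requests for one user, one with two log lines.
SAMPLE_AUDIT_RECORDS = [
    {"RequestNumber": "1001", "UserId": "JDOE", "Description": "Request submitted"},
    {"RequestNumber": "1001", "UserId": "JDOE", "Description": "Approved at stage Manager"},
    {"RequestNumber": "1002", "UserId": "JDOE", "Description": "Request submitted"},
    {"RequestNumber": "1003", "UserId": "JDOE", "Description": "Request submitted"},
]

if __name__ == "__main__":
    clean = validate_audit_log_inputs({"UserId": "JDOE", "DateFrom": "20120101"},
                                      today="20120601")
    print(clean)
    print(len(apply_max_hits(SAMPLE_AUDIT_RECORDS, 2)), "records kept for MaxHits=2")
```

Catching the leading-space case locally matters because the server does not distinguish it from a genuinely unknown request number; with MaxHits=2 the sample keeps three records, since both lines of request 1001 count as one hit.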
Output Parameters: Audit Logs Integration Web Service
The output is nested. At the header level, the data for the request number is displayed; at the second level, all provisioning items are displayed; and at the third level, the audit logs for each provisioning item are displayed.
Audit Logs Main Header Table
Serial No.  Name           Nature of Output  Description
1           RequestNumber  Single value      Request Number
2           Requested_by   Single value      Requested By
3           Submitted_by   Single value      Submitted By
4           Status         Single value      Status of Request
5           CreateDate     Single value      Date of Creation of Request
6           Priority       Single value      Priority for Request
7           ItAuditData    List              Request History in Detail
Request ItAuditData Structure
Serial No.  Name              Nature of Output  Description
1           ActionDate        Single value      Date on which the action was performed
2           ActionValue       Single value      Currently not supported
3           DependantId       Single value      ID for which the request is created
4           Description       Single value      Audit log text
5           DisplayString     Single value      Audit log text
6           Id                Single value      Unique ID for this action
7           Path              Single value      Path
8           Stage             Single value      Request stage
9           UserId            Single value      User ID
10          ItAuditDataChild  List              Child audit entries of this node (ItAuditDataChild structure)
ItAuditDataChild Structure
Serial No.  Name           Nature of Output  Description
1           ActionDate     Single value      Date on which the action was performed
2           ActionValue    Single value      Currently not supported
3           DependantId    Single value      ID for which the request is created
4           Description    Single value      Audit log text
5           DisplayString  Single value      Audit log text
6           Id             Single value      Unique ID for this action
7           Path           Single value      Path
8           Stage          Single value      Request stage
9           UserId         Single value      User ID
Return Messages: Structure Message Return
Serial No.  Name          Description     Comment
1           MsgNo         Message number  0 for Success, 4 for Error
2           MsgType       Message type    Success, Error
3           MsgStatement  Message text    Text for message return
4.18 Exit Log Web Service – GRAC_EXIT_FROM_IDM_WS
Input Parameters: Exit Log Web Service
Serial No.  Field Name        Mandatory/Optional  Description              Comments
1           RequestNumber     Optional            Request Number           <Request Number>$<Connectorid>
2           EntrySeq          Optional            Sequence Number of task
3           OperResponse      Optional            Response Code
4           OperResponseDesc  Optional            Response Description
Web service Name: GRAC_EXIT_FROM_IDM_WS
The exit Web Service accepts multiple sequence updates for a single request number. The handshake key between IdM and GRC for updating a request is the RequestNumber parameter in the form <RequestNumber>$<ConnectorID>. IdM does not have to construct this format itself: GRC supplies the value in exactly this form when it sends the provisioning request.
Input Parameters: Validation and Support
From the interface point of view nothing is mandatory, but RequestNumber and EntrySeq must be supplied for the Web Service to execute successfully.
Validations and input format for input fields:
The combination of Request Number and Entry Sequence must already exist in the GRC system for the update; otherwise an error message with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Seq <seqno> of req <request no> not found’ is returned.
Return Messages: Structure Message Return
Serial No.  Name          Description     Comment
1           MsgNo         Message number  0 for Success, 4 for Error
2           MsgType       Message type    Success, Error
3           MsgStatement  Message text    Text for message return
Audit Logs from IdM for Synchronous Requests: Request Submission from GRC to assign a role
Audit Log from IDM is displayed in GRC
5. CALLING WEB SERVICES FROM ACCESS CONTROL
In most cases, Access Control calls Web Services to request user provisioning to a non-ERP system. Access Control can call the following Web Services:
• Submit Request (to IdM) – Submits a request to IdM for non-ERP provisioning, and submits a request when user information is new or changed in an HR system and privileges require adjusting.
• Request Status – Returns the status and detailed request information for the selected request. GRC Access Control supports two options for requesting status information, Callback and Polling, selected through IMG customizing.
• GRC Request to IdM
o If a status request for non-ERP provisioning is sent from GRC to IdM, the status of the request is updated back into GRC in one of the following two ways:
o For synchronous calls, the request status is received as the SPML response from IdM, and GRC updates the audit logs accordingly.
o For asynchronous calls, GRC initially receives the status ‘PENDING’ from IdM. When IdM has completely processed the request, it posts the final status back to GRC through the GRAC_EXIT_FROM_IDM_WS Web Service.
• IdM Request to GRC
o Whether Polling or Callback is used to obtain status information is driven by IdM. If the provisioning request is created by IdM and sent to GRC, there are two options for getting the request status: Polling or Callback.
o Polling – IdM makes periodic requests to GRC for the status using the GRC Web Service GRAC_REQUEST_STATUS_WS. Polling is configured in IdM with “EXIT_FROM_GRC=false”.
o Callback – GRC calls IdM back as soon as provisioning has finished in GRC or the other LDAP systems. Callback is configured in GRC with “EXIT_FROM_GRC=true”. The corresponding configuration must also be done in IdM.
Note: By default, “EXIT_FROM_GRC=TRUE” is configured in GRC.
• Audit Trail (includes the Provisioning Log Web Service) – Returns a comprehensive audit history. It enables Access Control to retrieve the audit log from IdM (for non-ERP provisioning) as well as the audit history of user provisioning to IdM.
5.1 Application Web Service – GRAC_SELECT_APPL_WS
To process a status request from GRC Access Control, IdM has to make an SPML call once the following configuration is in place: go to Assign default connector to connector group, then Assign group parameter mapping, and select EXIT_FROM_GRC = true.
If callback is disabled in GRC Access Control, IdM can obtain the request status by polling instead, configured with EXIT_FROM_GRC = false.
5.2 Polling Web Service
IdM has the option to use Polling to fetch GRC Access Control request status information at regular intervals. In this scenario, IdM uses the request status Web Service GRAC_REQUEST_STATUS_WS. Go to Assign default connector to connector group, then Assign group parameter mapping, and select EXIT_FROM_GRC = false.
Note: Web Service calls from Access Control to the IdM system use SPML 1.0 (Service Provisioning Markup Language) for exchanging XML-based information. The examples in the Appendix (sections 6.1 and 6.2) describe the Submit Request and Audit Trail Web Services for integration with SAP NetWeaver Identity Manager.
Sample Use Case
6. APPENDIX - INTEGRATION WITH NETWEAVER IDENTITY MANAGER
These appendices contain integration information for configuring:
Provisioning Operations, which are used by the Submit Request Web Service to the NetWeaver Identity Manager
Search Operations, which are used by the Audit Trail Web Service called from the NetWeaver Identity Manager
For more detailed information on how to install and configure GRC provisioning, see DOC-4376SAP-NW_IdM_GRC_ConfigGuide posted on SCN: http://sdn.sap.com
6.1 Appendix A – Provisioning Operations
Depending on the nature and capability of the system, there are two execution modes for provisioning operations: synchronous and asynchronous. The SAP NetWeaver Identity Manager (IdM) is, by nature, an asynchronous system. The following outlines the processing of a provisioning request in asynchronous mode:
1. The provisioning request is sent to Identity Services.
The SPML request contains the requestID field. Typically, the requestor sets the value for this field.
2. Identity Services accepts the request and returns a preliminary “OK” to the requestor.
Among other things, Identity Services extracts the requestID from the request. If the requestor did not supply a value, Identity Services generates a new one and sets the requestID field of the SPML response to it. Information about all subsequent processing of the request is stored together with this requestID, so the requestor can check the status of the operation using this value.
3. Identity Services handles the request.
Typically, this involves multiple requests to managed applications, approvals, and so on. Operations may be retried due to error conditions.
4. The requestor checks the status of the provisioning request using the requestID value mentioned previously.
Adding Person Entry
Operation Properties
Key         Value / Description
Operation   SPML Add Operation
DN          The unique ID of the entry to be added. It is stored in the mskeyvalue attribute in the Identity Store.
Attributes  Any set of the attributes available for MX_PERSON. Currently, only person objects can be added.
Example SPML Request
Supplied identifier: Simple User
Supplied attributes and values: givenname=Simple, sn=User, objectclass=MX_PERSON
<SOAP-ENV:Body>
  <spml:addRequest xmlns:spml="urn:oasis:names:tc:SPML:1:0"
      xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core" requestID="add123">
    <spml:identifier type="urn:oasis:names:tc:SPML:1.0#GUID">
      <spml:id>Simple User</spml:id>
    </spml:identifier>
    <spml:attributes>
      <dsml:attr name="sn">
        <dsml:value>User</dsml:value>
      </dsml:attr>
      <dsml:attr name="objectclass">
        <dsml:value>MX_PERSON</dsml:value>
      </dsml:attr>
      <dsml:attr name="givenname">
        <dsml:value>Simple</dsml:value>
      </dsml:attr>
    </spml:attributes>
  </spml:addRequest>
</SOAP-ENV:Body>
SPML Response
Failure (the result is the SPML 1.0 failure URN; the errorMessage attribute carries the reason)
<SOAP-ENV:Body>
  <spml:addResponse xmlns:spml="urn:oasis:names:tc:SPML:1:0"
      xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core" requestID="add123"
      result="urn:oasis:names:tc:SPML:1:0#failure" errorMessage="Insufficient access"/>
</SOAP-ENV:Body>
Success
<SOAP-ENV:Body>
  <spml:addResponse xmlns:spml="urn:oasis:names:tc:SPML:1:0"
      xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core" requestID="add123"
      result="urn:oasis:names:tc:SPML:1:0#success"/>
</SOAP-ENV:Body>
Modifying Person Entry
Operation Properties
Key         Value / Description
Operation   SPML Modify Operation
DN          The unique ID of the entry to be modified.
Attributes  Any set of the attributes available for MX_PERSON. Currently, only one person can be modified per request.
Example SPML Request
Supplied identifier: Simple User
Supplied attributes and values: initials=SU, mail=[email protected], telephonenumber=+4711223344
<SOAP-ENV:Body>
  <spml:modifyRequest xmlns:spml="urn:oasis:names:tc:SPML:1:0"
      xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core" requestID="modify124">
    <spml:identifier type="urn:oasis:names:tc:SPML:1.0#GUID">
      <spml:id>Simple User</spml:id>
    </spml:identifier>
    <spml:modifications>
      <dsml:modification name="initials" operation="add">
        <dsml:value>SU</dsml:value>
      </dsml:modification>
      <dsml:modification name="mail" operation="add">
        <dsml:value>[email protected]</dsml:value>
      </dsml:modification>
      <dsml:modification name="telephonenumber" operation="add">
        <dsml:value>+4711223344</dsml:value>
      </dsml:modification>
    </spml:modifications>
  </spml:modifyRequest>
</SOAP-ENV:Body>
Deleting Person Entry
Operation Properties
Key         Value / Description
Operation   SPML Delete Operation
DN          The unique ID of the entry to be deleted.
Example SPML Request
Supplied identifier: Simple User
<SOAP-ENV:Body>
  <spml:deleteRequest xmlns:spml="urn:oasis:names:tc:SPML:1:0"
      xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
    <spml:identifier type="urn:oasis:names:tc:SPML:1.0#GUID">
      <spml:id>Simple User</spml:id>
    </spml:identifier>
  </spml:deleteRequest>
</SOAP-ENV:Body>
6.2 Appendix B – Search Operations
Checking the Results of an Update
Since SAP NetWeaver IdM operates in asynchronous mode, after each provisioning operation the requestor must (regularly) check the status of the operation by executing special Identity Services operations.
Operation Properties
Key                   Value / Description
Operation             SPML Search Operation
Starting Point        Operation = auditlog
Search Type           Not relevant
Attributes requested  *
Filter                (objectclass=*)
Returned Entry        A list of entries is returned. The identifiers of the returned entries have the form cn=<mskeyvalue>,<used System Naming Context>
Attribute         Description                                                                                         Value
requestoperation  The original update operation whose status is checked.                                             add, modify, delete
requestuserid     The User ID (mskeyvalue) of the entry that was updated.
requestid         The request ID of the operation.
taskname          The name of the task that is executed as a result of the request.
taskid            The ID of the task that is executed as a result of the request.
operationstatus   The status of the operation.                                                                        OK, Error, Task Initiated, etc.
timestamp         The date/time when the status of the audit entry was updated.
message           Additional message about the state of the request. Typically, explanatory error messages are shown here.
mskey             mskey of the entry that was the source of the operation in question.
auditid           The ID of the object in the audit table.
SPML Request
Supplied identifier: auditlog (special IDS operation)
Supplied filter: (requestid=add123)
<SOAP-ENV:Body>
  <spml:searchRequest xmlns:spml="urn:oasis:names:tc:SPML:1:0"
      xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
    <spml:searchBase type="urn:oasis:names:tc:SPML:1.0#GUID">
      <spml:id>operation=auditlog</spml:id>
    </spml:searchBase>
    <dsml:filter>
      <dsml:equalityMatch name="requestid">
        <dsml:value>add123</dsml:value>
      </dsml:equalityMatch>
    </dsml:filter>
  </spml:searchRequest>
</SOAP-ENV:Body>
SPML Response
<SOAP-ENV:Body>
  <spml:searchResponse requestID="add123" result="urn:oasis:names:tc:SPML:1:0#success"
      xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
      xmlns:spml="urn:oasis:names:tc:SPML:1:0">
    <searchResultEntry>
      <spml:identifier>
        <spml:id>cn=234,ou=audit,o=control</spml:id>
      </spml:identifier>
      <spml:attributes>
        <dsml:attr name="auditid">
          <dsml:value type="xsd:string">234</dsml:value>
        </dsml:attr>
        <dsml:attr name="userid">
          <dsml:value type="xsd:string">*24:INSERT</dsml:value>
        </dsml:attr>
        <dsml:attr name="mskey">
          <dsml:value type="xsd:string">169</dsml:value>
        </dsml:attr>
        <dsml:attr name="msg">
          <dsml:value type="xsd:string">no message</dsml:value>
        </dsml:attr>
        <dsml:attr name="auditroot">
          <dsml:value type="xsd:string">234</dsml:value>
        </dsml:attr>
        <dsml:attr name="lastaction">
          <dsml:value type="xsd:string">26</dsml:value>
        </dsml:attr>
        <dsml:attr name="provision_status">
          <dsml:value type="xsd:string">Failed</dsml:value>
        </dsml:attr>
        <dsml:attr name="taskname">
          <dsml:value type="xsd:string">Process ASYNC Request</dsml:value>
        </dsml:attr>
        <dsml:attr name="posteddate">
          <dsml:value type="xsd:string">2008-01-16 15:23:58.49</dsml:value>
        </dsml:attr>
        <dsml:attr name="taskid">
          <dsml:value type="xsd:string">20</dsml:value>
        </dsml:attr>
        <dsml:attr name="postedby">
          <dsml:value type="xsd:string">mxmc_rt_u</dsml:value>
        </dsml:attr>
        <dsml:attr name="idsid">
          <dsml:value type="xsd:string">3</dsml:value>
        </dsml:attr>
      </spml:attributes>
    </searchResultEntry>
  </spml:searchResponse>
</SOAP-ENV:Body>
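The add request and response of Appendix A together with the auditlog status search of Appendix B, as one added example in Python; this is not SAP NetWeaver IdM or Identity Services code and is not part of the original document. It uses the SPML and DSML namespaces from the document's samples. The SOAP 1.1 envelope namespace, the SPML 1.0 #failure result URN for the failure response and the constructed response documents are assumptions, and the function names are ours. The point it makes beyond the samples: treat only an explicit #success as success, and look the request up afterwards by the requestID you chose, because the asynchronous "OK" says nothing about the final outcome.

```python
"""SPML 1.0 over SOAP as in Appendix A/B: build the addRequest, read the
addResponse, then query the auditlog pseudo-entry for the request's status.
Added example, not SAP NetWeaver IdM code; SOAP 1.1 namespace assumed,
response documents constructed for the demo."""
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:1:0"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"  # assumed SOAP 1.1 envelope
GUID_TYPE = "urn:oasis:names:tc:SPML:1.0#GUID"     # identifier type used in the document
SUCCESS = SPML + "#success"
for prefix, uri in (("spml", SPML), ("dsml", DSML), ("SOAP-ENV", SOAP)):
    ET.register_namespace(prefix, uri)

def _envelope():
    env = ET.Element(f"{{{SOAP}}}Envelope")
    return env, ET.SubElement(env, f"{{{SOAP}}}Body")

def build_add_request(request_id, identifier, attrs):
    """spml:addRequest with a caller-chosen requestID and one dsml:attr per attribute."""
    env, body = _envelope()
    add = ET.SubElement(body, f"{{{SPML}}}addRequest", requestID=request_id)
    ident = ET.SubElement(add, f"{{{SPML}}}identifier", type=GUID_TYPE)
    ET.SubElement(ident, f"{{{SPML}}}id").text = identifier
    attributes = ET.SubElement(add, f"{{{SPML}}}attributes")
    for name, value in attrs.items():
        attr = ET.SubElement(attributes, f"{{{DSML}}}attr", name=name)
        ET.SubElement(attr, f"{{{DSML}}}value").text = value
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)

def parse_add_response(xml):
    """Fail closed: only an explicit #success result counts as success."""
    resp = ET.fromstring(xml).find(f".//{{{SPML}}}addResponse")
    if resp is None:
        raise ValueError("no spml:addResponse in SOAP body")
    return {"requestID": resp.get("requestID"),
            "ok": resp.get("result") == SUCCESS,
            "error": resp.get("errorMessage")}

def build_auditlog_search(request_id):
    """Appendix B: searchBase 'operation=auditlog' filtered on requestid."""
    env, body = _envelope()
    req = ET.SubElement(body, f"{{{SPML}}}searchRequest")
    base = ET.SubElement(req, f"{{{SPML}}}searchBase", type=GUID_TYPE)
    ET.SubElement(base, f"{{{SPML}}}id").text = "operation=auditlog"
    flt = ET.SubElement(req, f"{{{DSML}}}filter")
    eq = ET.SubElement(flt, f"{{{DSML}}}equalityMatch", name="requestid")
    ET.SubElement(eq, f"{{{DSML}}}value").text = request_id
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)

def parse_search_entries(xml):
    """Flatten each searchResultEntry (written without a prefix in the samples)
    into {'id': dn, attribute: value, ...}."""
    resp = ET.fromstring(xml).find(f".//{{{SPML}}}searchResponse")
    if resp is None or resp.get("result") != SUCCESS:
        raise ValueError("search missing or not successful")
    entries = []
    for entry in resp:
        if entry.tag.split("}")[-1] != "searchResultEntry":
            continue
        rec = {"id": entry.findtext(f"{{{SPML}}}identifier/{{{SPML}}}id")}
        for attr in entry.iter(f"{{{DSML}}}attr"):
            rec[attr.get("name")] = attr.findtext(f"{{{DSML}}}value")
        entries.append(rec)
    return entries

def provisioning_status(entries):
    """Status of the newest audit entry. The attribute table names the field
    operationstatus and the sample names it provision_status, so accept both;
    no entry yet means Pending (keep polling)."""
    if not entries:
        return "Pending"
    latest = max(entries, key=lambda e: e.get("posteddate") or e.get("timestamp") or "")
    return latest.get("operationstatus") or latest.get("provision_status") or "Pending"

# Constructed responses modelled on the document's samples (not captured traffic).
ADD_RESPONSE_FAIL = b"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:spml="urn:oasis:names:tc:SPML:1:0"><SOAP-ENV:Body>
<spml:addResponse requestID="add123" errorMessage="Insufficient access"
 result="urn:oasis:names:tc:SPML:1:0#failure"/></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
ADD_RESPONSE_OK = ADD_RESPONSE_FAIL.replace(b"#failure", b"#success").replace(
    b' errorMessage="Insufficient access"', b"")
AUDIT_SEARCH_RESPONSE = b"""<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:spml="urn:oasis:names:tc:SPML:1:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
<SOAP-ENV:Body><spml:searchResponse requestID="add123" result="urn:oasis:names:tc:SPML:1:0#success">
<searchResultEntry><spml:identifier><spml:id>cn=234,ou=audit,o=control</spml:id></spml:identifier>
<spml:attributes>
<dsml:attr name="auditid"><dsml:value>234</dsml:value></dsml:attr>
<dsml:attr name="provision_status"><dsml:value>Failed</dsml:value></dsml:attr>
<dsml:attr name="taskname"><dsml:value>Process ASYNC Request</dsml:value></dsml:attr>
<dsml:attr name="posteddate"><dsml:value>2008-01-16 15:23:58.49</dsml:value></dsml:attr>
</spml:attributes></searchResultEntry></spml:searchResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""

if __name__ == "__main__":
    print(build_add_request("add123", "Simple User",
                            {"givenname": "Simple", "sn": "User", "objectclass": "MX_PERSON"}).decode())
    print(parse_add_response(ADD_RESPONSE_FAIL))
    print(provisioning_status(parse_search_entries(AUDIT_SEARCH_RESPONSE)))
```

A requestor would send build_add_request, check parse_add_response for an explicit success, then loop on build_auditlog_search and provisioning_status until a terminal value such as OK or Failed appears, which is the polling the appendix describes.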
Obtaining Entry Information
It is possible to obtain information about entries managed by Identity Services at any time. Normally, it is not possible to list multiple entries with SPML; SPML returns only so-called base-level information (that is, information about a single entry). Identity Services implements additional special operations that make it possible to list multiple entries.
Listing Multiple Entries
Operation Properties
Key                   Value / Description
Operation             SPML Search Operation
Starting Point        Operation = list
Search Type           Not relevant
Attributes requested  * OR any attribute subset (shown below)
Filter                (objectclass=MX_PERSON) must be present in the filter. In addition, the filter can contain any valid filtering based on the objects’ attributes.
Detailed Search on a Single Person
Operation Properties
Key                   Value / Description
Operation             SPML Search Operation
Starting Point        The unique ID of the entry to be listed.
Search Type           Not relevant
Attributes requested  Any valid attribute subset
Filter                (objectclass=*) OR any valid filtering based on the objects’ attributes.
SPML Request
<SOAP-ENV:Body>
  <spml:searchRequest xmlns:spml="urn:oasis:names:tc:SPML:1:0"
      xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
    <spml:searchBase type="urn:oasis:names:tc:SPML:1.0#GUID">
      <spml:id>Simple User</spml:id>
    </spml:searchBase>
    <dsml:filter>
      <dsml:present name="objectclass"/>
    </dsml:filter>
  </spml:searchRequest>
</SOAP-ENV:Body>
SPML Response (Entry after successful ADD)
The following example shows the SPML response after the first example ADD operation.
<SOAP-ENV:Body>
  <spml:searchResponse result="urn:oasis:names:tc:SPML:1:0#success"
      xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
      xmlns:spml="urn:oasis:names:tc:SPML:1:0">
    <searchResultEntry>
      <spml:identifier>
        <spml:id>cn=Simple User,ou=nwidml,o=ids</spml:id>
      </spml:identifier>
      <spml:attributes>
        <dsml:attr name="sn"><dsml:value type="xsd:string">User</dsml:value></dsml:attr>
        <dsml:attr name="objectclass"><dsml:value type="xsd:string">MX_PERSON</dsml:value></dsml:attr>
        <dsml:attr name="mskeyvalue"><dsml:value type="xsd:string">Simple User</dsml:value></dsml:attr>
        <dsml:attr name="mskey"><dsml:value type="xsd:string">167</dsml:value></dsml:attr>
        <dsml:attr name="mx-disabled"><dsml:value type="xsd:string">1</dsml:value></dsml:attr>
        <dsml:attr name="givenname"><dsml:value type="xsd:string">Simple</dsml:value></dsml:attr>
      </spml:attributes>
    </searchResultEntry>
  </spml:searchResponse>
</SOAP-ENV:Body>
SPML Response (Entry after successful MODIFY)
The following example shows the SPML response after the MODIFY operation.
<SOAP-ENV:Body>
  <spml:searchResponse result="urn:oasis:names:tc:SPML:1:0#success"
      xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
      xmlns:spml="urn:oasis:names:tc:SPML:1:0">
    <searchResultEntry>
      <spml:identifier>
        <spml:id>cn=Simple User,ou=nwidml,o=ids</spml:id>
      </spml:identifier>
      <spml:attributes>
        <dsml:attr name="sn"><dsml:value type="xsd:string">User</dsml:value></dsml:attr>
        <dsml:attr name="objectclass"><dsml:value type="xsd:string">MX_PERSON</dsml:value></dsml:attr>
        <dsml:attr name="telephonenumber"><dsml:value type="xsd:string">+4711223344</dsml:value></dsml:attr>
        <dsml:attr name="mskeyvalue"><dsml:value type="xsd:string">Simple User</dsml:value></dsml:attr>
        <dsml:attr name="mskey"><dsml:value type="xsd:string">167</dsml:value></dsml:attr>
        <dsml:attr name="initials"><dsml:value type="xsd:string">SU</dsml:value></dsml:attr>
        <dsml:attr name="mail"><dsml:value type="xsd:string">[email protected]</dsml:value></dsml:attr>
        <dsml:attr name="givenname"><dsml:value type="xsd:string">Simple</dsml:value></dsml:attr>
      </spml:attributes>
    </searchResultEntry>
  </spml:searchResponse>
</SOAP-ENV:Body>
© 2012 SAP AG. All rights reserved.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP
BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP
products and services mentioned herein as well as their respective
logos are trademarks or registered trademarks of SAP AG in Germany
and other countries.
Business Objects and the Business Objects logo, BusinessObjects,
Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and
other Business Objects products and services mentioned herein as
well as their respective logos are trademarks or registered trademarks
of Business Objects Software Ltd. Business Objects is an SAP
company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL
Anywhere, and other Sybase products and services mentioned herein
as well as their respective logos are trademarks or registered
trademarks of Sybase Inc. Sybase is an SAP company.
Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are
registered trademarks of Crossgate AG in Germany and other
countries. Crossgate is an SAP company.
All other product and service names mentioned are the trademarks of
their respective companies. Data contained in this document serves
informational purposes only. National product specifications may vary.
These materials are subject to change without notice. These materials
are provided by SAP AG and its affiliated companies ("SAP Group")
for informational purposes only, without representation or warranty of
any kind, and SAP Group shall not be liable for errors or omissions
with respect to the materials. The only warranties for SAP Group
products and services are those that are set forth in the express
warranty statements accompanying such products and services, if
any. Nothing herein should be construed as constituting an additional
warranty.
www.sap.com