SAP Access Control 10.0 Interface for Identity Management


TABLE OF CONTENTS

1. BUSINESS SCENARIO ... 5
2. BACKGROUND INFORMATION ... 5
3. PREREQUISITES ... 5
4. CALLING WEB SERVICES FROM IDM ... 6
  4.1 Application Web Service – GRAC_SELECT_APPL_WS ... 6
  4.2 Firefighter Object Web Service – GRAC_FIRE_FIGHTER_WS ... 8
  4.3 Lookup Web Service – GRAC_LOOKUP_WS ... 10
  4.4 Search Role Web Service – GRAC_SEARCH_ROLES_WS ... 20
  4.5 User’s Existing Assignment Web Service – GRAC_USER_EXISTING_ASSIGN_WS ... 23
  4.6 Role Details Web Service – GRAC_ROLE_DETAILS_WS ... 25
  4.7 Submit User Access Request Web Service – GRAC_USER_ACCESS_WS ... 29
  4.8 Organization Assignment Request Web Service – GRAC_ORG_ASSGN_REQUEST_WS ... 35
  4.9 Request Status Web Service – GRAC_REQUEST_STATUS_WS ... 38
  4.10 Request Details Web Service – GRAC_REQUEST_DETAILS_WS ... 41
  4.11 Provision Log Web Service – GRAC_PROV_LOGS_WS ... 51
  4.12 Audit Log Web Service – GRAC_AUDIT_LOG_WS ... 53
  4.13 Exit Web Service – GRAC_EXIT_FROM_IDM_WS ... 56
  4.14 Risk Analysis With Request Number Web Service – GRAC_RISK_ANALYSIS_WITH_NO_WS ... 59
  4.15 Risk Analysis Without Request Number Web Service – GRAC_RISK_ANALYSIS_WOUT_NO_WS ... 64
  4.16 EUP Config Web Service – GRAC_EUP_CONFIG_DATA_WS ... 70
  4.17 Audit Logs Integration Web Service – GRAC_AUDIT_LOGS_WS ... 71
  4.18 Exit Log Web Service – GRAC_EXIT_FROM_IDM_WS ... 75
5. CALLING WEB SERVICES FROM ACCESS CONTROL ... 78
  5.1 Application Web Service – GRAC_SELECT_APPL_WS ... 78
  5.2 Polling Web Service ... 79
6. APPENDIX - INTEGRATION WITH NETWEAVER IDENTITY MANAGER ... 82
  6.1 Appendix A – Provisioning Operations ... 83
  6.2 Appendix B – Search Operations ... 87


Applies to: SAP® Access Control 10.0

Summary

Identity Management (IdM) solutions are typically used by IT to handle a large volume of personnel changes and to provision and de-provision users throughout the enterprise. Access Control (AC) 10.0 integrates with any IdM system so that user provisioning does not introduce risk violations when access is granted, provides real-time access management as a standard provisioning process across a heterogeneous IT environment, and delivers greater governance and control over the IT environment. The deepest and most proven integration currently available is with SAP NetWeaver Identity Management. This guide provides instructions on how to integrate Access Control 10.0 with Identity Management systems. See Chapter 6, Appendix, for details about SAP NetWeaver Identity Management integration.

Authors: T Kishore Babu, Swetta Singh
Company: SAP Integration and Certification Center, Governance, Risk, and Compliance, SAP BusinessObjects Division

Updated on: 14 December 2012

Version 4.0


Document History

Version  Description

4.0      Updated Chapter 5, adding separate GRC and IdM request status; changed title to ‘Calling Web Services from Access Control’

3.0      Added GRC AC web service callback and polling configuration information; updated summary.

2.0      First release

1.0      Beta release


1. BUSINESS SCENARIO

Large corporations deal with personnel changes on a daily basis. There can be hundreds of new hires, terminations, and role changes on any given day. To handle the influx, an Identity Management (IdM) solution is used by the IT organization to provision users to applications throughout the enterprise. A typical IdM has the following features:

User information self-service

Management of passwords (changes and lost)

Workflow

Provisioning and de-provisioning of identities from resources

2. BACKGROUND INFORMATION

Most IdM solutions do not provide complete functionality to enforce the governance and control policies that your corporation may demand. Some IdM systems lack an approval workflow mechanism and the reporting capability that are basic to tracking and auditing. The Access Control application now makes it possible to integrate with any IdM system, which helps meet the need for corporate compliance, prevent risk, and enforce all governance required for your enterprise. Access Control allows you to define corporate policies and Segregation of Duties (SoD) rules for granting access to resources, and these are enforced by the provisioning services. The integration between Access Control and the IdM system ensures that user provisioning does not contain risk violations when user access is granted.

The integration involves exposing Web services in both Access Control and the IdM system. These Web services can be called from either system to request user provisioning. This extends the IdM solution with compliance-based user provisioning. The Web service solution provides proactive enforcement of access policies, such as policies that prevent SoD and risk violations: these Web services can alert you to potential SoD conflicts before they occur, and can prevent SoD violations when roles are assigned to users. With these Web services, the Access Control and IdM integration also provides real-time access management as a standard provisioning process across heterogeneous IT environments, and the Web services provided by Access Control deliver greater governance and control over your IT environment. Currently, Access Control is integrated with the SAP NetWeaver Identity Manager component, and integrations with other partners are in development to provide continuous compliance capabilities alongside core identity management functionality.

For SAP NetWeaver Identity Manager and other IdM solutions, the following Web services must be supported for integration with Access Control:

Look up GRC Web Services

Select Applications

Search Roles

Submit User Access Request (to Access Control)

Audit Trail

NOTE: The Access Control and IdM integration supports only the SPML 1.0 protocol. Service Provisioning Markup Language (SPML) is the open standard protocol for the integration and interoperation of service provisioning requests; SPML is an OASIS standard. Web services that are called from Access Control to an IdM system are SPML 1.0 compliant. However, the Access Control Web services exposed to an IdM system or other applications are not SPML 1.0 compliant.

3. PREREQUISITES

The following prerequisite must be in place before starting this procedure.

Access Control 10.0


4. CALLING WEB SERVICES FROM IDM

This section describes the Web services offered by GRC.

4.1 Application Web Service – GRAC_SELECT_APPL_WS

Input Parameters: Select Application Web Service

Serial No. Field Name Mandatory/Optional Description Comments

1 ConnectorCategory Optional Category of System

2 ConnectorId Optional System ID

3 ConnectorType Optional System Type

4 Language Optional Language

Input Parameters: Validation and Support

Upon successful data retrieval, the SUCCESS message ‘Data populated successfully’ is returned with MsgNo = 0 and MsgType ‘SUCCESS’.

For a wrong entry, or when no data is available for the given input, the output is the ERROR message ‘Invalid input or no data found for given input data’ with MsgNo = 4 and MsgType ‘ERROR’.


Output Parameters: Select Application Web Service (Connector List Table)

Serial No. Name Nature of Output Description

1 ConnectorType Single value Connector Type Used

2 ConnectorId Single value Connector ID (System ID)

3 ConnectorCategory Single value Connector Category

4 ConnectorDesc Single value Connector Description

5 ConnectorCategoryDesc Single value Connector Category Description

Return Messages: Structure Message Return

Serial No. Name Description Comments

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return
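The MsgReturn structure above is the only signal a caller gets that a lookup actually succeeded, and the guide documents two outcomes: MsgNo 0 / SUCCESS with data, and MsgNo 4 / ERROR with no data. A client that ignores it and simply iterates an empty connector list will silently continue a provisioning flow on a failed lookup. The following is an added example (not code from the SAP guide or from SAP) of a fail-closed client for GRAC_SELECT_APPL_WS. The SOAP envelope layout, the operation element name GracSelectApplWs, the namespace and the sample responses are assumptions constructed for illustration; take the real ones from the service's WSDL on your GRC system.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed namespaces and element names for illustration only; the real
# ones come from the WSDL of GRAC_SELECT_APPL_WS on the GRC system.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
GRAC_NS = "urn:sap-com:document:sap:soap:functions:mc-style"
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("grac", GRAC_NS)


class GracServiceError(Exception):
    """Raised when MsgReturn is anything but MsgNo 0 / MsgType SUCCESS."""


@dataclass(frozen=True)
class Connector:
    connector_id: str
    connector_type: str
    category: str
    description: str
    category_desc: str


def build_select_appl_request(connector_category="", connector_id="",
                              connector_type="", language="EN"):
    """Build the SOAP request. All four inputs are optional per the guide;
    an empty string is sent as an empty element (assumed convention)."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{GRAC_NS}}}GracSelectApplWs")  # assumed name
    for tag, value in (("ConnectorCategory", connector_category),
                       ("ConnectorId", connector_id),
                       ("ConnectorType", connector_type),
                       ("Language", language)):
        ET.SubElement(req, tag).text = value
    return ET.tostring(env, encoding="unicode")


def msg_return_status(xml_text):
    """Extract (MsgNo, MsgType, MsgStatement) from the MsgReturn structure.
    The guide documents MsgNo 0 / SUCCESS and MsgNo 4 / ERROR."""
    root = ET.fromstring(xml_text)
    msg = root.find(".//MsgReturn")
    if msg is None:
        raise GracServiceError("response carries no MsgReturn structure")
    return ((msg.findtext("MsgNo") or "").strip(),
            (msg.findtext("MsgType") or "").strip().upper(),
            (msg.findtext("MsgStatement") or "").strip())


def parse_select_appl_response(xml_text):
    """Return the connector list only when MsgReturn reports success.
    Anything else (MsgNo 4, an unexpected code, a missing structure) raises,
    so a provisioning flow never continues on an empty or failed lookup."""
    msg_no, msg_type, statement = msg_return_status(xml_text)
    if msg_no != "0" or msg_type != "SUCCESS":
        raise GracServiceError(f"MsgNo={msg_no} MsgType={msg_type}: {statement}")
    root = ET.fromstring(xml_text)
    return [
        Connector(
            connector_id=(item.findtext("ConnectorId") or "").strip(),
            connector_type=(item.findtext("ConnectorType") or "").strip(),
            category=(item.findtext("ConnectorCategory") or "").strip(),
            description=(item.findtext("ConnectorDesc") or "").strip(),
            category_desc=(item.findtext("ConnectorCategoryDesc") or "").strip(),
        )
        for item in root.iter("item")
    ]


# Constructed sample responses (not captured from a real system).
OK_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>
<grac:GracSelectApplWsResponse xmlns:grac="{GRAC_NS}">
<ConnectorList><item>
<ConnectorType>SAP</ConnectorType><ConnectorId>ECCCLNT100</ConnectorId>
<ConnectorCategory>SAP_R3_LG</ConnectorCategory>
<ConnectorDesc>ECC production</ConnectorDesc>
<ConnectorCategoryDesc>SAP ERP</ConnectorCategoryDesc>
</item></ConnectorList>
<MsgReturn><MsgNo>0</MsgNo><MsgType>SUCCESS</MsgType>
<MsgStatement>Data populated successfully</MsgStatement></MsgReturn>
</grac:GracSelectApplWsResponse></soap:Body></soap:Envelope>"""

ERROR_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>
<grac:GracSelectApplWsResponse xmlns:grac="{GRAC_NS}">
<ConnectorList/>
<MsgReturn><MsgNo>4</MsgNo><MsgType>ERROR</MsgType>
<MsgStatement>Invalid input or no data found for given input data</MsgStatement></MsgReturn>
</grac:GracSelectApplWsResponse></soap:Body></soap:Envelope>"""

if __name__ == "__main__":
    print(build_select_appl_request(connector_type="SAP"))
    for connector in parse_select_appl_response(OK_RESPONSE):
        print(connector)
    try:
        parse_select_appl_response(ERROR_RESPONSE)
    except GracServiceError as err:
        print("refused:", err)
```

The same MsgNo/MsgType/MsgStatement check applies unchanged to every other service in this chapter that returns the Structure Message Return, so it belongs in one shared client layer rather than in each caller.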


4.2 Firefighter Object Web Service – GRAC_FIRE_FIGHTER_WS

Input Parameters: Firefighter Object Web Service

Serial No. Field Name Mandatory/Optional Description Comments

1 FfObject Optional Firefighter Object ID

2 System Optional System ID

3 Language Optional Language

Input Parameters: Validation and Support

Web Service name: GRAC_FIRE_FIGHTER_WS.

All inputs are OPTIONAL. If no value is passed in any input field, a list of all Firefighter Objects is returned. The following is a reference table for the input field whose value comes from another service:

Serial No. Input Field Name Ref. Source Service Input Field Name Input Value Output Field Name

1 System Select Application ConnectorID Null ConnectorID

FfObject: if a valid Firefighter Object value is passed in the FfObject field, the details of the corresponding FF object are returned.

System: similarly, if a valid System value is passed in the System field, the details of all firefighters in that system are returned.

Language field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the language is set to the login language.

After successful data retrieval, the message ‘Data populated successfully’ is returned with MsgNo = 0 and MsgType SUCCESS.

For an incorrect entry or when no data is available, the message ‘Invalid input or No FF object data found for given input’ is returned with MsgNo = 4 and MsgType ERROR.


Output Parameters: Firefighter Object Web Service (FFOwnerList Table)

Serial No. Name Nature of Output Description

1 FFid Single value Firefighter ID

2 FfidName Single value Firefighter Name

3 Connector Single value System

4 OwnerId Single value Firefighter Owner ID

Output Parameters: Firefighter Object Web Service (FFAplicationInfo)

Serial No. Name Nature of Output Description

1 Application Type Single value Application Type

2 Application Type Desc Single value Application Type Description

Return Messages: Structure Message Return

Serial No. Name Description Comments

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return


4.3 Lookup Web Service – GRAC_LOOKUP_WS

Input Parameters: Lookup Web Service

Serial No. Field Name Mandatory/Optional Description Comments

1 RequestType Optional Request Type Boolean input (T/t)

2 EmployeeType Optional Employee Type Boolean input (T/t)

3 PriorityType Optional Priority Type Boolean input (T/t)

4 BusProc Optional Business Process Boolean input (T/t)

5 BusSubProc Optional Business Sub Process Boolean input (T/t)

6 Phase Optional Phase Boolean input (T/t)

7 Landscape Optional Landscape Boolean input (T/t)

8 CriticalLevel Optional Critical Level Boolean input (T/t)

9 FunctionArea Optional Functional Area Boolean input (T/t)

10 ProjectRelease Optional Project Release Boolean input (T/t)

11 RoleStatus Optional Role Status Boolean input (T/t)

12 RoleType Optional Role Type Boolean input (T/t)

13 RoleSensitivity Optional Role Sensitivity Boolean input (T/t)

14 ItemProvType Optional Item Provision Type Boolean input (T/t)

15 ItemProvActionType Optional Item Provision Action Type Value input

16 RequestCustomFields Optional Request Custom Field Boolean input (T/t)

17 RoleCustomFields Optional Role Custom Field Boolean input (T/t)

18 CustomFieldsValues Optional List of Custom Field Value input

19 Communication Type Optional Communication Type Boolean input (T/t)

20 OmObjectType Optional OM Object Type Boolean input (T/t)

21 OmObjectValue Optional OM Object Value Value input

22 Language Optional Language Language code

Input Parameters: Validation and Support

Web Service name: GRAC_LOOKUP_WS.

All inputs are OPTIONAL; pass only the inputs for the lookup tables you need.

Language field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the language is set to the login language.

All Boolean type input variables are optional, and each has a corresponding output table. If T or t is passed in any Boolean input field, the corresponding output table is filled with all possible values of that variable.

A table with each input and its corresponding output is shown below:

Serial No. Input Field Output Table

1 REQUESTTYPE REQUESTTYPELIST

2 EMPLOYEETYPE EMPLOYEETYPELIST

3 PRIORITYTYPE PRIORITYTYPELIST

4 BUSPROC BUSPROCLIST

5 BUSSUBPROC BUSSUBPROCLIST

6 PHASE PHASELIST

7 LANDSCAPE LANDSCAPELIST

8 CRITICALLEVEL CRITICALLEVELLIST

9 FUNCTIONAREA FUNCTIONAREALIST


10 PROJECTRELEASE PROJECTRELEASELIST

11 ROLESTATUS ROLESTATUSLIST

12 ROLETYPE ROLETYPELIST

13 ROLESENSITIVITY ROLESENSITIVITYLIST

14 ITEMPROVTYPE ITEMPROVTYPELIST

15 REQUESTCUSTOMFIELDS REQUESTCUSTOMFIELDSLIST

16 ROLECUSTOMFIELDS ROLECUSTOMFIELDSLIST

17 COMMUNICATIONTYPE COMMUNICATIONTYPELIST

18 OMOBJECTTYPE OMOBJECTTYPELIST

Two variables (ItemProvActionType and CustomFieldsValues) require a specific value as input. The valid values for these fields are taken from other lookups of the same service. The process is as follows:

1. Input in the ItemProvActionType field: first pass T/t in the ITEMPROVTYPE field to get the list of all possible Item Provision Types. Then pass any one of these values in the ItemProvActionType field to get the list of all Provision Actions for that type in the Item Prov Action List output table.

2. Input in the CustomFieldsValues field: there are two kinds of custom fields, Request Custom Fields and Role Custom Fields. The name of any custom field may be passed; if it has fixed values or a range configured in its domain, the values are listed in the output. To get the field name, pass T/t in the REQUESTCUSTOMFIELDS input field for Request Custom Fields or in ROLECUSTOMFIELDS for Role Custom Fields; the output appears in REQUESTCUSTOMFIELDSLIST or ROLECUSTOMFIELDSLIST respectively. The field name obtained this way may then be passed in CustomFieldsValues to get the list of all possible values of that field in the CUSTOMFIELDDETAILS table.

3. Input in the OmObjectValue field: this structure contains two fields, SYSTEM and OmObjType. The value for System can be obtained from the Select Application Web Service, and OmObjType is obtained from this lookup service by passing t/T in OmObjectType and reading the OM Object Type list from OmObjectTypeList in the output.

4. Each output has its own return message. For successful data retrieval, the success message is returned (MsgNo = 0, MsgType SUCCESS; see Return Messages below). For unsuccessful data retrieval, no message is returned.
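Steps 1 and 2 above are two-call sequences, and the values they return are the only legitimate inputs for ItemProvActionType and for custom field values in a later user access request. The following is an added example (not code from the SAP guide or from SAP) of a client that drives both sequences and then uses the returned ranges as an allow-list before a value is placed in a request. The transport is hidden behind a `call(**inputs) -> dict` function; `FakeLookupService`, its field and value data, and the provision type codes are constructed stand-ins for this example, not the real service or its data.

```python
def flag(enabled):
    """The guide accepts 'T' or 't' for a Boolean input; omit it otherwise."""
    return "T" if enabled else ""


def is_set(value):
    """Server-side reading of a Boolean input: 'T' or 't' only."""
    return (value or "").strip().lower() == "t"


class FakeLookupService:
    """Constructed stand-in for GRAC_LOOKUP_WS; mirrors the guide's
    input -> output-table mapping on made-up data."""

    def __init__(self):
        self.calls = 0
        self.prov_types = [("ROL", "Role"), ("PRF", "Profile")]
        self.prov_actions = {"ROL": [("ASSIGN", "Assign"), ("REMOVE", "Remove")],
                             "PRF": [("ASSIGN", "Assign")]}
        self.request_fields = [("ZCOSTCTR", "Cost center")]
        self.custom_values = {"ZCOSTCTR": [("1000", "1999", "Cost centers EMEA")]}

    def call(self, **inputs):
        self.calls += 1
        out = {}
        if is_set(inputs.get("ItemProvType")):
            out["ItemProvTypeList"] = [{"Val": v, "Txt": t} for v, t in self.prov_types]
        prov_type = inputs.get("ItemProvActionType")
        if prov_type:
            out["ItemProvActionList"] = [
                {"ItemProvType": prov_type, "ProvAction": a, "ActionDescn": d}
                for a, d in self.prov_actions.get(prov_type, [])]
        if is_set(inputs.get("RequestCustomFields")):
            out["RequestCustomFieldsList"] = [
                {"FieldName": n, "Fieldtext": t} for n, t in self.request_fields]
        field = inputs.get("CustomFieldsValues")
        if field:
            out["CustomFieldDetails"] = [
                {"CustomFieldName": field, "CustomFieldLow": lo,
                 "CustomFieldHigh": hi, "CustomFieldText": t}
                for lo, hi, t in self.custom_values.get(field, [])]
        return out


def provisioning_actions(call):
    """Step 1 of the guide: flag ITEMPROVTYPE, then query each type's actions."""
    types = call(ItemProvType=flag(True)).get("ItemProvTypeList", [])
    return {t["Val"]: [r["ProvAction"] for r in
                       call(ItemProvActionType=t["Val"]).get("ItemProvActionList", [])]
            for t in types}


def request_custom_field_ranges(call):
    """Step 2 of the guide: discover request custom field names, then the
    (low, high) value ranges configured for each."""
    fields = call(RequestCustomFields=flag(True)).get("RequestCustomFieldsList", [])
    return {f["FieldName"]: [(r["CustomFieldLow"], r["CustomFieldHigh"]) for r in
                             call(CustomFieldsValues=f["FieldName"]).get("CustomFieldDetails", [])]
            for f in fields}


def value_allowed(ranges, field, value):
    """Allow-list check before a value goes into a user access request:
    unknown fields and out-of-range values are rejected. Ranges are compared
    as strings, which assumes fixed-width domain values as in the sample."""
    return any(lo <= value <= hi for lo, hi in ranges.get(field, []))


if __name__ == "__main__":
    svc = FakeLookupService()
    print(provisioning_actions(svc.call))
    ranges = request_custom_field_ranges(svc.call)
    print(ranges, value_allowed(ranges, "ZCOSTCTR", "1500"))
```

Because each call is a separate round trip and the lookup tables change only with configuration, cache the results per GRC system and refresh them on a schedule rather than re-running the sequence for every request.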

Output Parameters: Lookup Web Service Request Type

Serial No. Name Nature of Output Description

1 Reqtype Single value Request Type ID

2 Reqtypename Single value Request Type Description

3 MsgReturn Value Input Message

Employee Type

Serial No. Name Nature of Output Description

1 Emptypeid Single value Employee Type

2 Emptypename Single value Employee Type Description

3 MsgReturn Value Input Message

Business Process

Serial No. Name Nature of Output Description

1 Bproc Single value Business Process ID

2 Descn Single value Business Process Description


3 MsgReturn Value Input Message

Business Sub Process

Serial No. Name Nature of Output Description

1 Bproc Single value Business Process ID

2 Bsubproc Single value Business Sub Process ID

3 Descn Single value Business Sub Process Description

4 MsgReturn Value Input Message

Critical Level

Serial No. Name Nature of Output Description

1 Critlvl Single value Critical Level

2 Descn Single value Critical Level Description

3 MsgReturn Value Input Message

Functional Area

Serial No. Name Nature of Output Description

1 Funarea Single value Function Area ID

2 Descn Single value Function Area Description

3 Abbrv Single value Function Area Abbreviation

4 MsgReturn Value Input Message


Landscape

Serial No. Name Nature of Output Description

1 ConnectorGrp Single value Connector Group

2 ConnectorGrpT Single value Connector Group Type

3 ConnectionType Single value Connection Type

4 MsgReturn Value Input Message

Phase List

Serial No. Name Nature of Output Description

1 MthAction Single value Method Action

2 Descn Single value Method Action Description

3 MsgReturn Value Input Message

Priority Type

Serial No. Name Nature of Output Description

1 Prioritype Single value Priority Type ID

2 Priorityname Single value Priority Type Description

3 MsgReturn Value Input Message

Project Release

Serial No. Name Nature of Output Description

1 Prjrel Single value Project Release ID

2 Descn Single value Project Release Description


3 MsgReturn Value Input Message

Request Item Type

Serial No. Name Nature of Output Description

1 Val Single value Request Item ID

2 Text Single value Request Item Description

Role Sensitivity

Serial No. Name Nature of Output Description

1 Sensitivity Single value Sensitivity

2 Descn Single value Description

3 MsgReturn Value Input Message

Role Status

Serial No. Name Nature of Output Description

1 RoleStatus Single value Role Status ID

2 Descn Single value Role Status Description

3 MsgReturn Value Input Message

Role Type

Serial No. Name Nature of Output Description

1 RoleType Single value Role Type ID

2 Descn Single value Role Type Description


3 MsgReturn Value Input Message

Request Custom Field

Serial No. Name Nature of Output Description

1 FieldName Single value Request Field Name

2 Fieldtext Single value Request Field text

3 MsgReturn Value Input Message

Role Custom Field

Serial No. Name Nature of Output Description

1 FieldName Single value Role Field Name

2 Fieldtext Single value Role Field Text

3 MsgReturn Value Input Message

Custom Field Details

Serial No. Name Nature of Output Description

1 CustomFieldName Single value Custom Field Name

2 CustomFieldLow Single value Custom Field Value

3 CustomFieldHigh Single Value Custom Field Value

4 CustomFieldText Single value Custom Field Text

5 MsgReturn Value Input Message


Item Provision Type List

Serial No. Name Nature of Output Description

1 Val Single value Provision Type Value

2 Txt Single value Provision Type Value text

3 MsgReturn Value Input Message

Item Prov Action List

Serial No. Name Nature of Output Description

1 ItemProvType Single Value Item Provisioning Type

2 ItemProvTypeDesc Single Value Item Provisioning Type Description

3 ProvAction Single Value Provisioning Action

4 ActionDescn Single Value Action Description

5 MsgReturn Value Input Message

Communication Type List

Serial No. Name Nature of Output Description

1 CommType Single value Communication Type

2 CommTypeText Single value Communication Type Text

3 MsgReturn Value Input Message

OM Object Type

Serial No. Name Nature of Output Description

1 Value Single value OM Object Type

2 Text Single value OM Object Type Text


OM Object ID

Serial No. Name Nature of Output Description

1 OM Object Id Single value OM Object ID

2 OM Object Text Single value OM Object Text

Return Messages: Structure Message Return

Serial No. Name Description Comment

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return


4.4 Search Role Web Service – GRAC_SEARCH_ROLES_WS

Input Parameters: Search Role Web Service

Serial No. Field Name Mandatory/Optional Description Comments

1 Action Optional Action

2 ApplicationType Optional Application Type

3 Approver Optional Approver

4 AssociatedRole Optional Associated Role

5 BusinessProcess Optional Business Process

6 SubProcess Optional Sub Process

7 ConnectorGroup Optional Connector Group

8 Landscape Optional Landscape

9 CriticalLevel Optional Critical Level

10 RoleDesc Optional Role Description

11 OrgVal Optional Organization Value

12 FunctionalArea Optional Functional Area

13 LastReaffirmDT Optional Last Reaffirm Date

14 OrgLvl Optional Organization Level

15 RoleOwner Optional Role Owner

16 Permission Optional Permission

17 Profile Optional Profile

18 ReaffirmPeriod Optional Reaffirm Period


19 RoleName Optional Role Name

20 RoleStatus Optional Role Status

21 RoleType Optional Role Type

22 RoleSensitivity Optional Role Sensitivity

23 System Optional System

24 Language Optional Language

Input Parameters: Validation and Support

Web Service name: GRAC_SEARCH_ROLES_WS.

All inputs are OPTIONAL. If no value is passed in any input field, a list of all default Roles is returned.

Language field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the language is set to the login language.

All input fields support the use of * as a wildcard. Patterns of the following forms are also supported:

*<string-val>

<string-val1>*<string-val2>

Output Parameters: Search Role Web Service (SearchRole Table)

Serial No. Name Nature of Output Description

1 RoleName Single value Role Name

2 RoleDesc Single value Role Description

3 System Single value System

4 RoleType Single value Role Type

5 RoleTypeDesc Single value Role Type Description

6 RoleOwner Single value Role Owner

7 Landscape Single value Landscape

8 LanScapeDesc Single value Landscape Description


Return Messages: Structure Message Return

Serial No. Name Description Comment

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return


4.5 User’s Existing Assignment Web Service – GRAC_USER_EXISTING_ASSIGN_WS

Input Parameters: User’s Existing Assignment Web Service

Serial No. Field Name Mandatory/Optional Description Comments

1 UserId Mandatory User ID

2 System Optional System

3 Language Optional Language

Input Parameters: Validation and Support

Web Service name: GRAC_USER_EXISTING_ASSGN_WS.

The User ID is mandatory and System is an optional input parameter. If only a valid User ID is passed, all existing assignments irrespective of System are returned in the output along with this message:

User ID or System may be entered in uppercase, lowercase, or any combination of both. One or more spaces to the left of these entries are also allowed. If the Web service is executed without passing a User ID, the following error message is returned:

For an invalid User ID or System, or any combination for which the input User ID has no assignment in the input System, no data is fetched and the Web service returns the following message:


Output Parameters: User’s Existing Assignment Web Service (Table)

Serial No. Name Nature of Output Description

1 Item Single value Item

2 Type Single value Role Type

3 TypeTxt Single value Role Text

4 SystemId Single value System ID

5 Descn Single value Description

6 ValidFrom Single value Valid From

7 ValidTo Single value Valid To

8 Status Single value Status

Return Messages: Structure Message Return

Serial No. Name Description Comment

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return


4.6 Role Details Web Service – GRAC_ROLE_DETAILS_WS

Input Parameters: Role Details Web Service

Serial No. Field Name Mandatory/Optional Description Comments

1 ObjectName Required Role Name

2 ObjectType Optional Role Object Type

3 Landscape Required Connector ID

4 Language Optional Language

Input Parameters: Validation and Support

Web Service Name: GRAC_ROLE_DETAILS_WS

From the interface point of view, Object Name and Landscape are mandatory. Validation and input format for the input fields:

Object Name must be entered in full; no wildcards are supported.

Landscape must be entered in full; no wildcards are supported.

Output Parameters: Role Details Web Service Object Attributes

Serial No. Name Nature of Output Description

1 ObjectName Single value Object Name

2 Description Single value Object Description

3 Landscape Single value Connector ID

4 Landscape_Desc Single value Connector Description

5 ObjectType Single value Object Type

6 ObjectTypeDesc Single value Object Type Description

7 BusinessProcess Single value Business process

8 BusinessProcess Desc Single value Business process Description

9 SubProcess Single value Business Subprocess

10 SubProcess Desc Single value Business Subprocess Description

11 ObjectStatus Single value Object Status

12 ObjectStatus Desc Single value Object Status Description

13 ReaffimPeriod String Reaffirm Period

14 LastReaffirDate String Last Reaffirm Date

15 LastReaffirBy String Last Reaffirm Changed By

Table Company

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | CompanyName | String | Company Name |
| 2 | CompanyDesc | String | Company Description |

Table Functional Area

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | FunctionalArea | String | Functional Area |
| 2 | FunctionalDesc | String | Functional Area Name Description |

Table Role Approvers

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | Approver | Single value | Approver |
| 2 | AltApprover | Single value | Alternate Approver |
| 3 | Apprvp | Single value | |
| 4 | Owner | Single value | |
| 5 | Lead | Single value | |
| 6 | ValidFrom | Single value | Valid From |
| 7 | ValidTo | Single value | Valid To |

Table System Data

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | Connector | Single value | Connector ID |
| 2 | Environment | Single value | Environment |
| 3 | RoleExists | Single value | Role Exists |
| 4 | SystemValidityPeriod | Single value | System Validity Period |
| 5 | Status | Single value | Status |

Table Role Actions

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | Roleid | Single value | Role ID |
| 2 | ActionId | Single value | Action ID |
| 3 | Funcid | Single value | Function ID |
| 4 | IsActive | Single value | Active |
| 5 | Action | Single value | Action |


Table Violations

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | ReportType | Single value | Report Type |
| 2 | ObjeectId | Single value | Object ID |
| 3 | RiskId | Single value | Risk ID |
| 4 | Connector | Single value | Connector ID |
| 5 | Role | Single value | Role |
| 6 | CompositeRole | Single value | Composite Role |
| 7 | SodcontrolId | Single value | SoD Control ID |
| 8 | Monitor | Single value | Monitor |
| 9 | Orgruleid | Single value | Org Rule ID |

Table Customer Fields

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | Fieldname | Single value | Field Name |
| 2 | Value | Single value | Field Value |

Table Function

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | FunctionID | Single value | Function ID |


Return Messages: Structure Message Return

| Serial No. | Name | Description | Comment |
|---|---|---|---|
| 1 | MsgNo | Message number | 0 for Success, 4 for Error |
| 2 | MsgType | Message type | Success, Error |
| 3 | MsgStatement | Message text | Text for message return |

4.7 Submit User Access Request Web Service – GRAC_USER_ACCESS_WS

Header Data

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | REQTYPE | | Request Type | |
| 2 | PRIORITY | | Priority | |
| 3 | REQ_DUE_DATE | | Request Due Date | |
| 4 | REQ_INIT_SYSTEM | Mandatory | Request Initiation System | |
| 5 | REQUESTORID | | Requestor ID | |
| 6 | EMAIL | | Requestor’s E-mail | |
| 7 | REQUEST_REASON | | Reason for Request | |
| 8 | FUNCAREA | | Functional Area | |
| 9 | BPROC | | Business Process | |

Fields other than REQ_INIT_SYSTEM are mandatory or optional according to the End User Personalization screen configuration.


User Info

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | USERID | | User ID | |
| 2 | TITLE | | Academic/Personal title (MR/MS/MRS/DOC) | |
| 3 | FNAME | | User’s First Name | |
| 4 | LNAME | | User’s Last Name | |
| 5 | SNC_NAME | | SNC Name | |
| 6 | UNSEC_SNC | | User’s SNC Name | |
| 7 | ACCNO | | User’s Account Number | |
| 8 | USER_GROUP | | User Group | |
| 9 | VALID_FROM | | Valid From Date | |
| 10 | VALID_TO | | Valid To | |
| 11 | EMPPOSITION | | Position of Employee | |
| 12 | EMPJOB | | Job of Employee | |
| 13 | PERSONNELNO | | Personnel Number | |
| 14 | PERSONNELAREA | | Personnel Area | |
| 15 | COMM_METHOD | | Communication Method | |
| 16 | FAX | | Fax | |
| 17 | EMAIL | | E-mail | |
| 18 | TELNUMBER | | Telephone No | |
| 19 | DEPARTMENT | | Department | |
| 20 | COMPANY | | Company | |
| 21 | LOCATION | | Location | |
| 22 | COSTCENTER | | Cost Center | |
| 23 | PRINTER | | Printer | |
| 24 | ORGUNIT | | Organization Unit | |
| 25 | EMPTYPE | | Employee Type | |
| 26 | MANAGER | | Manager | |
| 27 | MANAGER_EMAIL | | Manager’s E-mail | |
| 28 | MANAGER_FIRSTNAME | | Manager’s First Name | |
| 29 | MANAGER_LASTNAME | | Manager’s Last Name | |
| 30 | START_MENU | | Start Menu | |
| 31 | LOGON_LANG | | Logon Language | |
| 32 | DEC_NOTATION | | Decimal Notation | |
| 33 | DATE_FORMAT | | Date Format | |
| 34 | ALIAS | | Alias | |
| 35 | USER_TYPE | | User’s Type | |

These fields are mandatory or optional according to the End User Personalization screen configuration.


Requested Line Item

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | ITEM_NAME | | Item Name | |
| 2 | CONNECTOR | | System ID | |
| 3 | PROV_ITEM_TYPE | | Provision Item Type | |
| 4 | PROV_TYPE | | Provision Type | |
| 5 | ASSIGNMENT_TYPE | | Assignment Type | |
| 6 | PROV_STATUS | | Provision Status | |
| 7 | VALID_FROM | | Valid From | |
| 8 | VALID_TO | | Valid To | |
| 9 | FF_OWNER | | Firefighter Owner | |
| 10 | COMMENTS | | Comments | |
| 11 | PROV_ACTION | | Provision Action | |
| 12 | ROLE_TYPE | | Role Type | |

User Group

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | USER_GROUP | | User Group | |
| 2 | USER_GROUP_DESC | | User Group Description | |


Custom Field

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | FIELDNAME | | Name of Custom Field | |
| 2 | VALUE | | Value of Custom Field | |

Input Parameters: Validation and Support

Web Service name: GRAC_USER_ACCESS_WS

Mandatory fields and default values in the Header Data and User Info are determined by the End User Personalization screen configuration. The REQ_INIT_SYSTEM field (Request Initiating System) of the Header Data is always mandatory.

Validation for Request Line Items:

In a Request Line Item, Item Name, System, Provision Item Type and Provision Item Action are mandatory.

If the Provision Item Type is ROLE (value ‘ROL’), Role Type is mandatory.

If the Line Item type is System, Item Name and Connector have the same value.

If the Line Item is an FFID, Item Name and Connector must be in sync with the FF Object Web Service.

If the Line Item is an FFID, the FFowner field is mandatory and its value must be in sync with the FF Object Web Service.

Always ensure that the Provision Item Type is in sync with the Provision Item Action.

For each line item, the Valid From date must be earlier than or the same as the Valid To date.

If the request contains lock, unlock or delete actions, one System line item must always be present.

Account validation also applies if it is enabled and set to error.

Priority and Request Type must be entered correctly, with values that exist in the system.

Custom field validation:

For a custom field with fixed values, the permitted values are defined either as a set of fixed values or as a range. The value entered in the corresponding Custom Field Value must be one of the fixed values or lie within the range, whichever applies.
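As an added example (not SAP’s code and not part of this document), the following IdM-side JavaScript checks a GRAC_USER_ACCESS_WS payload against the line-item and custom-field rules above before the request is submitted, so a rejected request never reaches the workflow. Field names are those of the tables in this section; the item type codes other than ‘ROL’, the action codes, the allowed type/action mapping, the custom-field definition shape and all error texts are this example’s own assumptions.

```javascript
// Added example, not SAP's code: pre-flight validation of a GRAC_USER_ACCESS_WS
// payload, implementing the Request Line Item and custom-field rules above.

const ITEM_TYPE_ROLE = "ROL";    // value from the text
const ITEM_TYPE_SYSTEM = "SYS";  // assumed code for a System line item
const ITEM_TYPE_FFID = "FFI";    // assumed code for a Firefighter ID line item

// Actions that require a System line item somewhere in the request (codes assumed).
const ACTIONS_NEEDING_SYSTEM = new Set(["LOCK", "UNLOCK", "DELETE"]);

// Which actions are "in sync" with which item type (assumed mapping).
const ALLOWED_ACTIONS = {
  ROL: new Set(["ASSIGN", "REMOVE"]),
  SYS: new Set(["CREATE", "CHANGE", "LOCK", "UNLOCK", "DELETE"]),
  FFI: new Set(["ASSIGN", "REMOVE"]),
};

function isBlank(v) {
  return v === undefined || v === null || String(v).trim() === "";
}

// Dates are assumed to be YYYYMMDD strings, so they compare correctly as text.
function isYyyymmdd(s) {
  return typeof s === "string" && /^\d{8}$/.test(s);
}

function validateLineItem(item, idx, errors) {
  const where = "line item " + (idx + 1);
  for (const f of ["ITEM_NAME", "CONNECTOR", "PROV_ITEM_TYPE", "PROV_ACTION"]) {
    if (isBlank(item[f])) errors.push(where + ": " + f + " is mandatory");
  }
  if (item.PROV_ITEM_TYPE === ITEM_TYPE_ROLE && isBlank(item.ROLE_TYPE)) {
    errors.push(where + ": ROLE_TYPE is mandatory when PROV_ITEM_TYPE is ROL");
  }
  if (item.PROV_ITEM_TYPE === ITEM_TYPE_SYSTEM && item.ITEM_NAME !== item.CONNECTOR) {
    errors.push(where + ": ITEM_NAME and CONNECTOR must match for a System item");
  }
  if (item.PROV_ITEM_TYPE === ITEM_TYPE_FFID && isBlank(item.FF_OWNER)) {
    errors.push(where + ": FF_OWNER is mandatory for a Firefighter ID item");
  }
  const allowed = ALLOWED_ACTIONS[item.PROV_ITEM_TYPE];
  if (allowed && !allowed.has(item.PROV_ACTION)) {
    errors.push(where + ": PROV_ACTION " + item.PROV_ACTION +
                " is not in sync with PROV_ITEM_TYPE " + item.PROV_ITEM_TYPE);
  }
  if (!isBlank(item.VALID_FROM) && !isBlank(item.VALID_TO)) {
    if (!isYyyymmdd(item.VALID_FROM) || !isYyyymmdd(item.VALID_TO) ||
        item.VALID_FROM > item.VALID_TO) {
      errors.push(where + ": VALID_FROM must be on or before VALID_TO");
    }
  }
}

// Returns the list of rule violations; an empty list means the request may be submitted.
function validateAccessRequest(req) {
  const errors = [];
  const header = req.header || {};
  if (isBlank(header.REQ_INIT_SYSTEM)) errors.push("header: REQ_INIT_SYSTEM is mandatory");
  const items = req.items || [];
  if (items.length === 0) errors.push("request has no line items");
  items.forEach((it, i) => validateLineItem(it, i, errors));
  const needsSystem = items.some((it) => ACTIONS_NEEDING_SYSTEM.has(it.PROV_ACTION));
  const hasSystem = items.some((it) => it.PROV_ITEM_TYPE === ITEM_TYPE_SYSTEM);
  if (needsSystem && !hasSystem) {
    errors.push("lock, unlock and delete actions require a System line item");
  }
  return errors;
}

// Custom field definitions are assumed to carry either a fixed value set
// ({ fixedValues: [...] }) or a range ({ low, high }); numeric bounds are
// compared as numbers, anything else as text.
function customFieldValueAllowed(def, value) {
  if (Array.isArray(def.fixedValues)) return def.fixedValues.includes(value);
  if (def.low !== undefined && def.high !== undefined) {
    const n = Number(value), lo = Number(def.low), hi = Number(def.high);
    if (![n, lo, hi].some(Number.isNaN)) return n >= lo && n <= hi;
    return value >= def.low && value <= def.high;
  }
  return true; // free-text custom field: nothing to check
}

// Constructed sample request: one role assignment and one system lock.
const SAMPLE_REQUEST = {
  header: { REQ_INIT_SYSTEM: "IDM", PRIORITY: "HIGH", REQTYPE: "CHANGE_USER" },
  items: [
    { ITEM_NAME: "Z_FI_AP_CLERK", CONNECTOR: "ERPCLNT100", PROV_ITEM_TYPE: "ROL",
      PROV_ACTION: "ASSIGN", ROLE_TYPE: "SIN", VALID_FROM: "20240101", VALID_TO: "20241231" },
    { ITEM_NAME: "ERPCLNT100", CONNECTOR: "ERPCLNT100", PROV_ITEM_TYPE: "SYS",
      PROV_ACTION: "LOCK" },
  ],
};

console.log(validateAccessRequest(SAMPLE_REQUEST)); // []
```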

Output Parameters: Submit User Access Request Web Service (Table)

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | RequestNumber | Single value | Request Number |
| 2 | RequestId | Single value | Request ID |


Return Messages: Structure Message Return

| Serial No. | Name | Description | Comment |
|---|---|---|---|
| 1 | MsgNo | Message number | 0 for Success, 4 for Error |
| 2 | MsgType | Message type | Success, Error |
| 3 | MsgStatement | Message text | Text for message return |


4.8 Organization Assignment Request Web Service – GRAC_ORG_ASSGN_REQUEST_WS

Input Parameters: Organization Assignment Request Web Service Request Header Details

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | ReqReason | Mandatory | Request reason | |
| 2 | Priority | Optional | Priority | |
| 3 | Bproc | Mandatory | Business Process | |
| 4 | FuncArea | Optional | Functional Area | |
| 5 | DueDt | Optional | Approval Due Date | |

Language

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | Language | Optional | Language | |

Request Assignment Details

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | System | Mandatory | | |
| 2 | OmObjTyp | Mandatory | | |
| 3 | OmObjId | Mandatory | | |
| 4 | RoleId | Mandatory | | |
| 5 | ValidFrom | Mandatory | | |
| 6 | ValidTo | Mandatory | | |
| 7 | Comment | Optional | | |
| 8 | ProvAction | Mandatory | | |

Input Parameters: Validation and Support

Web Service name: GRAC_ORG_ASSGN_REQUEST_WS

Validation and Support in Header Data:

The Request Reason and Business Process fields are mandatory.

See the following reference table for the value source of the various input fields.

| Serial No. | Input Field Name | Ref. Source Service | Input Field Name | Input Value | Output Field Name |
|---|---|---|---|---|---|
| 1 | Priority | Lookup | PriorityType | T/t | PriorityTypeList |
| 2 | Bproc | Lookup | BusProc | T/t | BusProcList |
| 3 | FuncArea | Lookup | FunctionArea | T/t | FunctionAreaList |

Validation and Support in Request Assignment:

| Serial No. | Input Field Name | Ref. Source Service | Input Field Name | Input Value | Output Field Name |
|---|---|---|---|---|---|
| 1 | System | Select Application | ConnectorId | No value | ConnectorList |
| 2 | OmObjTyp | Lookup | OmObjTyp | t/T | OmObjectTypeList |
| 3 | OmObjId | Lookup | OmObjValue | System and OmObjTyp | OmObjectTypeList |
| 4 | RoleId | SearchRole | | No value | |
| 5 | ProvAction | Lookup | ItemProvActionType | ROL | ItemProvActionList |

Output Parameters: Organization Assignment Request Web Service, Submit User Access Request (Table)

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | RequestNumber | Single value | Request Number |
| 2 | RequestId | Single value | Request ID |


Return Messages: Structure Message Return

| Serial No. | Name | Description | Comment |
|---|---|---|---|
| 1 | MsgNo | Message number | 0 for Success, 4 for Error |
| 2 | MsgType | Message type | Success, Error |
| 3 | MsgStatement | Message text | Text for message return |


4.9 Request Status Web Service – GRAC_REQUEST_STATUS_WS

Input Parameters: Request Status Web Service

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | Request Number | Mandatory | Request Number | |
| 2 | Language | Optional | Language | |

Input Parameters: Validation and Support

Web Service name: GRAC_REQUEST_STATUS_WS

Request Number: This field is mandatory. If no value is entered in this field and the Web Service is executed, an error message appears with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Request No is mandatory’.

If a space is entered to the left of the request number, the request number is still accepted and the proper output appears. No space to the left of the request number is allowed, but zeros to the left of the request number are. If a space is entered within the request number, an error message appears with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Invalid Request No’.

Entering any alphabetic or special character in the input field, with or without the request number, is treated as ‘INVALID REQUEST NO’ and the above message is displayed.

Language: This field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the logon language is used.


Output Parameters: Request Status Web Service

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | Request No | Single value | Request No |
| 2 | ReqCreated | Single value | Request Creation Date |
| 3 | Priority | Single value | HIGH/MEDIUM/LOW |
| 4 | RequestorId | Single value | Requestor’s ID |
| 5 | DueDate | Single value | Request due date |
| 6 | UserList | List | List of Users |
| 7 | Reqstatus | Single value | Current status of Request |
| 8 | ReqstatusTxt | Single value | Description of current status of Request |
| 9 | Approver | List | List of Approvers |
| 10 | ReqCurrentStage | Single value | Request Current Stage |

User List

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | UserID | | User ID |
| 2 | FName | | First Name |
| 3 | LName | | Last Name |

Approver List

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | ApproverID | | Approver ID |


Return Messages: Structure Message Return

| Serial No. | Name | Description | Comment |
|---|---|---|---|
| 1 | MsgNo | Message number | 0 for Success, 4 for Error |
| 2 | MsgType | Message type | Success, Error |
| 3 | MsgStatement | Message text | Text for message return |


4.10 Request Details Web Service – GRAC_REQUEST_DETAILS_WS

Input Parameters: Request Details Web Service

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | Request Number | Mandatory | Request Number | |
| 2 | Language | Optional | Language | |

Input Parameters: Validation and Support

Web Service name: GRAC_REQUEST_DETAILS_WS

Request Number: This field is mandatory. If no value is entered in this field and the Web Service is executed, an error message appears with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Request No is mandatory’.

If a space is entered to the left of the Request No, the Request No is still accepted and the proper output is displayed. No space to the left of the Request No is allowed, but zeros to the left of the Request No are. If a space is entered within the request number, an error message appears with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Invalid Request No’.

Entering any alphabetic or special character in the input field, with or without the request number, is treated as ‘INVALID REQUEST NO’ and the above message is displayed.

Language: This field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the logon language is used.
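As an added example (not SAP’s code and not part of this document), the following IdM-side JavaScript applies the Request Number and Language rules shared by GRAC_REQUEST_STATUS_WS (4.9) and GRAC_REQUEST_DETAILS_WS (4.10) before either service is called, returning the same MsgNo/MsgType/MsgStatement structure the services use. It assumes, as the text states, that spaces to the left of the number are stripped and the number accepted; the installed language list and the logon language are constructed sample values.

```javascript
// Added example, not SAP's code: client-side checks for the Request Number and
// Language inputs of GRAC_REQUEST_STATUS_WS and GRAC_REQUEST_DETAILS_WS.

const INSTALLED_LANGUAGES = new Set(["EN", "DE", "FR"]); // constructed sample
const LOGON_LANGUAGE = "EN";                              // constructed sample

function isBlank(v) {
  return v === undefined || v === null || String(v).trim() === "";
}

// Returns the Return Messages structure; on success it also carries the
// normalised RequestNumber that should be sent to the service.
function checkRequestNumber(raw) {
  if (isBlank(raw)) {
    return { MsgNo: 4, MsgType: "ERROR", MsgStatement: "Request No is mandatory" };
  }
  // The text states a number preceded by spaces is still accepted, so strip them.
  const value = String(raw).replace(/^ +/, "");
  // Digits only: leading zeros are fine, but an embedded space, a letter or a
  // special character makes the input an invalid request number.
  if (!/^[0-9]+$/.test(value)) {
    return { MsgNo: 4, MsgType: "ERROR", MsgStatement: "Invalid Request No" };
  }
  return { MsgNo: 0, MsgType: "SUCCESS", MsgStatement: "", RequestNumber: value };
}

// Language is optional; a missing or unknown code falls back to the logon language.
function resolveLanguage(lang) {
  if (isBlank(lang)) return LOGON_LANGUAGE;
  const code = String(lang).trim().toUpperCase();
  return INSTALLED_LANGUAGES.has(code) ? code : LOGON_LANGUAGE;
}

// Builds the input structure for either service, or returns the error the
// service itself would raise, so the IdM task can fail before the SOAP call.
function buildRequestInput(requestNumber, language) {
  const check = checkRequestNumber(requestNumber);
  if (check.MsgNo !== 0) return { error: check };
  return { input: { RequestNumber: check.RequestNumber, Language: resolveLanguage(language) } };
}

// Constructed sample calls.
console.log(buildRequestInput("  000123", "de")); // input: RequestNumber "000123", Language "DE"
console.log(buildRequestInput("12 34", ""));      // error: Invalid Request No
```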


Output Parameters: Request Details Web Service

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | Request ID | Single value | Request ID |
| 2 | Request Type | Single value | Type of request: CREATE_USER, CHANGE_USER, LOCK_USER, UNLOCK_USER, DELETE_USER, ASSIGN_ROLES, etc. |
| 3 | Request Type Desc | Single value | Request Type description |
| 4 | Request Status | Single value | APPROVED/REJECTED/PENDING |
| 5 | Request Status Desc | Single value | Request Status description |
| 6 | Priority | Single value | HIGH/MEDIUM/LOW |
| 7 | Priority Desc | Single value | Priority Description |
| 8 | Approval due date | Single value | Approval due date |
| 9 | Requestor | Single value | Requestor’s ID |
| 10 | Requestor First Name | Single value | Requestor’s First Name |
| 11 | Requestor Last Name | Single value | Requestor’s Last Name |
| 12 | Requestor Email | Single value | E-mail address of the requestor |
| 13 | User Info | Table | User Information |
| 14 | RequestedItems | Table | Requested Items |
| 15 | RequestPaths | Table | Request Paths |
| 16 | RiskViolationData | Table | Risk Violation data |
| 17 | Parameter | Table | Parameter |
| 18 | User Group | Table | User Group |
| 19 | Request Organization Assignment Item | Table | Organization Assignment Item |

User Info

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | USERID | Single value | User ID |
| 2 | TITLE | Single value | Academic/Personal title (MR/MS/MRS/DOC) |
| 3 | FNAME | Single value | User’s First Name |
| 4 | LNAME | Single value | User’s Last Name |
| 5 | SNC_NAME | Single value | SNC Name |
| 6 | UNSEC_SNC | Single value | User’s SNC Name |
| 7 | ACCNO | Single value | User’s Account Number |
| 8 | USER_GROUP | Single value | User Group |
| 9 | VALID_FROM | Single value | Valid From Date |
| 10 | VALID_TO | Single value | Valid To |
| 11 | EMPPOSITION | Single value | Position of Employee |
| 12 | EMPJOB | Single value | Job of Employee |
| 13 | PERSONNELNO | Single value | Personnel No |
| 14 | PERSONNELAREA | Single value | Personnel Area |
| 15 | COMM_METHOD | Single value | Communication Method |
| 16 | FAX | Single value | Fax |
| 17 | EMAIL | Single value | E-mail |
| 18 | TELNUMBER | Single value | Telephone No |
| 19 | DEPARTMENT | Single value | Department |
| 20 | COMPANY | Single value | Company |
| 21 | LOCATION | Single value | Location |
| 22 | COSTCENTER | Single value | Cost Center |
| 23 | PRINTER | Single value | Printer |
| 24 | ORGUNIT | Single value | Organization Unit |
| 25 | EMPTYPE | Single value | Employee Type |
| 26 | MANAGER | Single value | Manager |
| 27 | MANAGER_EMAIL | Single value | Manager’s E-mail |
| 28 | MANAGER_FIRSTNAME | Single value | Manager’s First Name |
| 29 | MANAGER_LASTNAME | Single value | Manager’s Last Name |
| 30 | START_MENU | Single value | Start Menu |
| 31 | LOGON_LANG | Single value | Logon Language |
| 32 | DEC_NOTATION | Single value | Decimal Notation |
| 33 | DATE_FORMAT | Single value | Date Format |
| 34 | ALIAS | Single value | Alias |
| 35 | USER_TYPE | Single value | User’s Type |


Requested Item

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | Item ID | Single value | Item ID |
| 2 | Item Desc | Single value | Item Description |
| 3 | Connector | Single value | System |
| 4 | Prov Item Type | Single value | Provision Item Type |
| 5 | Prov Item Type Desc | Single value | Provision Item Type Description |
| 6 | Prov Type | Single value | Provision Type |
| 7 | Prov Type Desc | Single value | Provision Type Description |
| 8 | Assignment Type | Single value | Assignment Type |
| 9 | Assignment Type Desc | Single value | Assignment Type Description |
| 10 | Prov Status | Single value | Provision Status |
| 11 | Prov Status Desc | Single value | Provision Status Description |
| 12 | Valid From | Single value | Valid From |
| 13 | Valid To | Single value | Valid To |
| 14 | Owners | Single value | Owners |
| 15 | Comments | Single value | Comment |
| 16 | Prov Action | Single value | Provision Action |
| 17 | Prov Action Desc | Single value | Provision Action Description |
| 18 | Approval Status | Single value | Approval Status |
| 19 | Approval Status Desc | Single value | Approval Status Description |
| 20 | ReqItemApprover | Table | List of Approvers |
| 21 | ReqItemDetails | Single value | Request Item Details |
| 22 | Status | Single value | Status |

ReqItemApprover

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | UserID | Single value | User ID |
| 2 | UserFirstName | Single value | User First Name |
| 3 | UserLastName | Single value | User Last Name |

RequestPaths

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | Path Name | Single value | Path Name |
| 2 | Path Desc | Single value | Path Description |
| 3 | Current Stage Name | Single value | Current Stage Name |
| 4 | Current Stage Desc | Single value | Current Stage Description |
| 5 | Current Stage Status | Single value | Current Stage Status |
| 6 | Current Stage Status Desc | Single value | Current Stage Status Description |
| 7 | CurstageApprovers | Table | List of Current Stage Approvers |


Current Stage Approvers

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | UserId | Single value | User ID |
| 2 | RiskId | Single value | Risk ID |
| 3 | RiskDesc | Single value | Risk Description |
| 4 | RiskLevel | Single value | Risk Level |
| 5 | RiskLevelDesc | Single value | Risk Level Description |
| 6 | RuleId | Single value | Rule ID |
| 7 | Role List | Table | List of Roles |
| 8 | System | Single value | System |
| 9 | SystemType | Single value | System Type |
| 10 | Mitigation Details | Table | Mitigation Details |
| 11 | Action | Table | Action |
| 12 | OrgRule | Table | Organization Rule |
| 13 | RiskStatus | Single value | Risk Status |
| 14 | ViolationCount | Single value | Violation Count |
| 15 | LastExecutedOn | Single value | Last Executed On |
| 16 | Execution Count | Single value | Number of Executions |
| 17 | RiskOwner | Table | List of Risk Owners |
| 18 | Tcode | Table | List of Tcodes |


Role List

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | Role | Single value | Role |
| 2 | CompositRole | Single value | Composite Role |

Mitigation Details

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | MitigationCtrl | Single value | Mitigation Control |
| 2 | MitigationStatus | Single value | Mitigation Status |
| 3 | Monitor | Table | List of Monitors |

Monitor

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | MitigationCtrl | Single value | Mitigation Control |

Action

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | Action | Single value | Action |

OrgRule

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | OrgRule | Single value | Organization Rule |

RiskOwner

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | OwnerId | Single value | ID of Risk Owner |
| 2 | FullName | Single value | Full Name of Risk Owner |

TCode

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | RoleID | Single value | Role ID |
| 2 | RoleDesc | Single value | Role Description |
| 3 | System | Single value | System |
| 4 | Tcode | Single value | Transaction Code |
| 5 | TcodeDesc | Single value | Transaction Code Description |

Parameter

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | PARAMETER | Single value | Parameter Name |
| 2 | PARAMETER_VALUE | Single value | Parameter Value |
| 3 | PARAMETER_DESC | Single value | Parameter Description |

User Group

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | USER_GROUP | Single value | User Group |
| 2 | USER_GROUP_DESC | Single value | User Group Description |


Organization Assignment Item

| Serial No. | Name | Nature of Output | Description |
|---|---|---|---|
| 1 | System | Single value | System |
| 2 | OMObjType | Single value | OM Object Type |
| 3 | OMObjTypeTxt | Single value | OM Object Type Description |
| 4 | OMObjID | Single value | OM Object ID |
| 5 | OMObjIDTxt | Single value | OM Object ID Description |
| 6 | RoleID | Single value | Role ID |
| 7 | ValidFrom | Single value | Valid From |
| 8 | ValidTo | Single value | Valid To |
| 9 | ProvAction | Single value | Provisioning Action |
| 10 | ProvActionTxt | Single value | Provisioning Action Description |

Return Messages: Structure Message Return

| Serial No. | Name | Description | Comment |
|---|---|---|---|
| 1 | MsgNo | Message number | 0 for Success, 4 for Error |
| 2 | MsgType | Message type | Success, Error |
| 3 | MsgStatement | Message text | Text for message return |


4.11 Provision Log Web Service – GRAC_PROV_LOGS_WS

Input Parameters: Provision Log Web Service

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | ConnectorId | Optional | Connector ID | |
| 2 | DateFrom | Optional | Date From | YYYYMMDD |
| 3 | Language | Optional | Language | |
| 4 | ProvAction | Optional | Provision Action | |
| 5 | ProvItem | Optional | Provision Item | |
| 6 | ProvItemType | Optional | Provision Item Type | |
| 7 | ReqNumber | Optional | Request Number | |
| 8 | ReqStatus | Optional | Request Status | |
| 9 | DateTo | Optional | Date To | YYYYMMDD |
| 10 | UpdateBy | Optional | Update By | |
| 11 | UserId | Optional | User ID | User ID to be provisioned |

Input Parameters: Validation and Support

Web Service name: GRAC_PROV_LOGS_WS

All parameters are optional from the interface point of view, but the request number should be kept mandatory at the consuming end; the remaining parameters restrict the provisioning logs returned for that request number. If only initial (empty) parameters are entered, the error message “All Inputs are Initial” is shown. No space to the left of any input parameter is allowed; otherwise the error message “Invalid Inputs” is displayed. Validations and input format for the input fields:

Connector ID: wildcard * supported

Date From: format supported YYYYMMDD

Date To: format supported YYYYMMDD

Provision Item: wildcard * supported

Provision Item Type: wildcard * supported

Provision Action: wildcard * supported


Output Parameters: Provision Log Web Service (Table PROVISION_LOGS)

| Serial No. | Name | Description |
|---|---|---|
| 1 | RequestNumber | Request Number |
| 2 | User ID | User ID |
| 3 | ConnectorId | Target Connector |
| 4 | ProvItem | Provisioning Item Name |
| 5 | ProvItemType | Provisioning Item Type |
| 6 | ProvItemTypeDesc | Provisioning Item Type Description |
| 7 | ProvAction | Provisioning Action |
| 8 | ProvActionDesc | Provisioning Action Description |
| 9 | Updated By | Updated By |
| 10 | Last Updated | Last Updated |
| 11 | ReqItemStatus | Status |
| 12 | ReqItemStatusDesc | Status Description |
| 13 | ReqShortText | Short Description |

Return Messages: Structure Message Return

| Serial No. | Name | Description | Comment |
|---|---|---|---|
| 1 | MsgNo | Message number | 0 for Success, 4 for Error |
| 2 | MsgType | Message type | Success, Error |
| 3 | MsgStatement | Message text | Text for message return |


4.12 Audit Log Web Service – GRAC_AUDIT_LOG_WS

Input Parameters: Audit Log Web Service

| Serial No. | Field Name | Mandatory/Optional | Description | Comments |
|---|---|---|---|---|
| 1 | RequestNumber | Optional | Request Number | |
| 2 | UserId | Optional | User ID | Request created by User ID |
| 3 | MaxHits | Optional | Maximum Number | Limited to 100 request numbers |
| 4 | DateFrom | Optional | From Date | |
| 5 | DateTo | Optional | To Date | |
| 6 | Language | Optional | Language | |
| 7 | RequestorID | Optional | Requestor ID | |
| 8 | Action | Optional | Action | Currently not supported |

Input Parameters: Validation and Support

Web Service name: GRAC_AUDIT_LOG_WS

All inputs are mandatory from the interface point of view, but if the service is executed without passing anything, the user is asked to pass a Request Number, User ID or Date.

Validation and input format for the input fields:

Maximum Hits: If nothing is entered in this parameter, the hits are limited to the first 100 log entries. These 100 entries are counted by number of requests, not by audit log entries, and the result is displayed regardless of how many audit logs are generated for a request number. For example, if only a user ID is entered and more than 100 requests exist for that user, only the first 100 requests are shown and the remaining requests are not.

Date From: format supported YYYYMMDD

Date To: format supported YYYYMMDD

Action: currently not supported; included in the interface for compatibility with the old version.

From Date and To Date can never be after the current date.

From Date can never be after To Date.

If the length of From Date or To Date is greater than 8, the error message “Invalid Input” is shown.

No spaces to the left of the request number are allowed; in this case the error message “No data found for requested inputs” is shown.

If Max Hits is less than 0, the error message “Invalid Max Hits” is shown.
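As an added example (not SAP’s code and not part of this document), the following IdM-side JavaScript applies the input rules of both GRAC_PROV_LOGS_WS (4.11) and GRAC_AUDIT_LOG_WS (4.12) before the call, so a log query that the service would reject fails locally with the message the text cites. Field names are those of the two input tables; the quoted message texts are the ones given above, the other messages, the current date and the sample inputs are constructed.

```javascript
// Added example, not SAP's code: input checks for GRAC_PROV_LOGS_WS and
// GRAC_AUDIT_LOG_WS following the validation rules of sections 4.11 and 4.12.

const DEFAULT_MAX_HITS = 100;
const PROV_LOG_FIELDS = ["ConnectorId", "DateFrom", "Language", "ProvAction", "ProvItem",
                         "ProvItemType", "ReqNumber", "ReqStatus", "DateTo", "UpdateBy", "UserId"];

function isBlank(v) {
  return v === undefined || v === null || String(v).trim() === "";
}

function hasLeadingSpace(v) {
  return typeof v === "string" && /^\s/.test(v);
}

// Both services take dates as YYYYMMDD text, which also orders correctly as text.
// The calendar round-trip rejects values such as 20240230.
function isYyyymmdd(v) {
  if (typeof v !== "string" || !/^\d{8}$/.test(v)) return false;
  const y = +v.slice(0, 4), m = +v.slice(4, 6), d = +v.slice(6, 8);
  const dt = new Date(Date.UTC(y, m - 1, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === m - 1 && dt.getUTCDate() === d;
}

// 4.11: every parameter is optional to the interface, but the consumer keeps
// ReqNumber mandatory; an all-initial call and leading spaces are rejected.
function validateProvLogInputs(p) {
  const errors = [];
  if (PROV_LOG_FIELDS.every((f) => isBlank(p[f]))) return ["All Inputs are Initial"];
  if (PROV_LOG_FIELDS.some((f) => hasLeadingSpace(p[f]))) errors.push("Invalid Inputs");
  if (isBlank(p.ReqNumber)) errors.push("ReqNumber is mandatory at the consuming end");
  for (const f of ["DateFrom", "DateTo"]) {
    if (!isBlank(p[f]) && !isYyyymmdd(p[f])) errors.push(f + " must be YYYYMMDD");
  }
  return errors;
}

// 4.12: MaxHits defaults to 100 when nothing is entered.
function effectiveMaxHits(a) {
  return isBlank(a.MaxHits) ? DEFAULT_MAX_HITS : Number(a.MaxHits);
}

// 4.12: at least one of RequestNumber, UserId or a date must be passed; dates
// must be YYYYMMDD, not after today, and From <= To; MaxHits must not be negative.
function validateAuditLogInputs(a, today) {
  const errors = [];
  const hasDate = !isBlank(a.DateFrom) || !isBlank(a.DateTo);
  if (isBlank(a.RequestNumber) && isBlank(a.UserId) && !hasDate) {
    return ["Pass Request Number or User ID or Date"];
  }
  if (hasLeadingSpace(a.RequestNumber)) errors.push("No data found for requested inputs");
  const maxHits = effectiveMaxHits(a);
  if (Number.isNaN(maxHits) || maxHits < 0) errors.push("Invalid Max Hits");
  for (const f of ["DateFrom", "DateTo"]) {
    const v = a[f];
    if (isBlank(v)) continue;
    if (String(v).length > 8 || !isYyyymmdd(v)) { errors.push("Invalid Input"); continue; }
    if (v > today) errors.push(f + " is after the current date");
  }
  if (isYyyymmdd(a.DateFrom) && isYyyymmdd(a.DateTo) && a.DateFrom > a.DateTo) {
    errors.push("From Date is after To Date");
  }
  return errors;
}

// Constructed sample calls; TODAY is a fixed constructed date.
const TODAY = "20240615";
console.log(validateProvLogInputs({ ReqNumber: "1001", ConnectorId: "ERP*" }));       // []
console.log(validateAuditLogInputs({ UserId: "JDOE", DateFrom: "20240701", DateTo: "20240601" }, TODAY));
```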

Output Parameters: Audit Log Web Service

Output information is structured in a nested format. At the header level, data related to the request number is displayed; at the second level of the structure, all provision items are displayed; and at the third level, the audit logs for every provision item are displayed.

Audit Logs Main Header Table

Serial No. Name Nature of Output Description

1 RequestNumber Single value Request Number

2 Requested_by Single value Requested By

3 Submitted_by Single value

4 Status Single value Status of Request

5 CreateDate Single value Date of Creation of Request

6 Priority Single value Priority for Request

7 ItAuditData List Request History in Detail

Request ItAuditData Structure

Serial No. Name Nature of Output Description

1 ActionDate Single value Date on Which Action Was Performed

2 ActionValue Single value Currently Not Supported

3 DependantId Single value ID For Which Request Is Created

4 Description Single value Audit Log Text

5 DisplayString Single value Audit Log Text

6 Id Single value Unique ID For This Action

7 Path Single value Path

8 Stage Single value Request Stage

9 UserId Single value User ID

10 ItAuditDataChild List Mother Request ID of This Tree

Request ItAuditDataChild Structure

Serial No. Name Nature of Output Description

1 ActionDate Single value Date on Which Action Was Performed

2 ActionValue Single value Currently Not Supported

3 DependantId Single value ID For Which Request Is Created

4 Description Single value Audit Log Text

5 DisplayString Single value Audit Log Text

6 Id Single value Unique ID For This Action

7 Path Single value Path

8 Stage Single value Request Stage

9 UserId Single value User ID

Return Messages: Structure Message Return

Serial No. Name Description Comment

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return

4.13 Exit Web Service – GRAC_EXIT_FROM_IDM_WS

Input Parameters: Exit Web Service

Serial No. Field Name Mandatory/Optional Description Comments

1 RequestNumber Mandatory Request Number <RequestNumber>$<ConnectorID>

2 EntrySeq Optional Sequence Number of Task

3 OperResponse Optional Response Code

4 OperResponseDesc Optional Response Description

5 Status Optional Status

6 ProvItem Optional Provisioning Item

7 Language Optional Language

Input Parameters: Validation and Support

• Web service Name: GRAC_EXIT_FROM_IDM_WS

Input for the Exit Web Service supports multiple sequence updates for a single request number. For the handshake between IDM and GRC, the RequestNumber parameter carries the request number in the form <RequestNumber>$<ConnectorID>. IDMs do not need to construct this format themselves, because GRC supplies the value in exactly this form during provisioning.

Request Number is mandatory.

From the interface point of view nothing is mandatory, but the user needs to enter RequestNumber and EntrySeq for successful execution of the Web Service.

Validations and Input format for input fields: The combination of Request Number and Entry Sequence must exist in the GRC system for the update. If it does not, the following error message is returned: MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Seq <seqno> of Request <request no> not found’.

Return Messages: Structure Message Return

Serial No. Name Description Comment

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return

4.13 Risk Analysis With Request Number Web Service – GRAC_RISK_ANALYSIS_WITH_NO_WS

Input Parameters: Risk Analysis with Request Number Web Service

Serial No. Field Name Mandatory/Optional Description Comments

1 RequestNo Mandatory Request Number

2 HitCounts Optional Number of Records

Input Parameters: Validation and Support

Web Service name: GRAC_RISK_ANALYSIS_WITH_NO_WS.

Request Number is mandatory. If no value is passed in this field, the following ERROR message is returned: MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Request No is mandatory’.

If you pass an invalid request number, the following ERROR message is returned: MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Invalid Request No’. Hit count is numeric; the interface checks the value as a number so that no alphabetic entry is accepted. On successful data retrieval, the following success message is returned: MsgNo = 0, MsgType ‘SUCCESS’ and MsgStatement ‘Data populated successfully’.

This WS returns violations for these 5 Report Types:

Action

Permission

Critical Action

Critical Permission

Critical Role/Profile

Language field is optional. Choose your native language for queries. If there is no entry or the entry is incorrect, the language will be set as login language.

Output Parameters: Risk Analysis With Request Number Web Service

Serial No. Name Nature of Output Description

1 UserId Single value User ID

2 RiskId Single value Risk ID

3 RiskDesc Single value Risk Description

4 RiskLevel Single value Risk Level

5 RiskLevelDesc Single value Risk Level Description

6 RuleId Single value Rule ID

7 Role List Table List of Roles

8 System Single value System

9 SystemType Single value System Type

10 Mitigation Details Table Mitigation Details

11 Action Table Action

12 OrgRule Table Organization Rule

13 RiskStatus Single value Risk Status

14 ViolationCount Single value Violation Count

15 LastExecutedOn Single value Last Executed On

16 Execution Count Single value Number of Executions

17 RiskOwner Table List of Risk Owner

18 Tcode Table List Of Transaction Codes

Role List

Serial No. Name Nature of Output Description

1 Role Single value Role

2 CompositRole Single value Composite Role

Mitigation Details

Serial No. Name Nature of Output Description

1 MitigationCtrl Single value Mitigation Control

2 MitigationStatus Single value Mitigation Status

3 Monitor Table List Monitor

Monitor

Serial No. Name Nature of Output Description

1 MitigationCtrl Single value Mitigation Control

Action

Serial No. Name Nature of Output Description

1 Action Single value Action

OrgRule

Serial No. Name Nature of Output Description

1 OrgRule Single value Organization Rule

RiskOwner

Serial No. Name Nature of Output Description

1 OwnerId Single value ID of Risk Owner

2 FullName Single value Full Name of Risk Owner

TCode

Serial No. Name Nature of Output Description

1 RoleID Single value Role ID

2 RoleDesc Single value Role Description

3 System Single value System

4 Tcode Single value Transaction Code

5 TcodeDesc Single value Transaction Code Description

Parameter

Serial No. Name Nature of Output Description

1 PARAMETER Single value Parameter Name

2 PARAMETER_VALUE Single value Parameter Value

3 PARAMETER_DESC Single value Parameter Description

Return Messages: Structure Message Return

Serial No. Name Description Comment

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return
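One way an IdM workflow can consume the output structures above before it lets provisioning continue, as an added example rather than SAP's code: the rows are assumed to be already deserialised into Python dicts keyed by the parameter names in the tables (UserId, RiskId, Mitigation Details with MitigationCtrl/MitigationStatus, RiskOwner with OwnerId/FullName), the sample rows are constructed, and the MitigationStatus value ‘Active’ is an assumption.

```python
"""Act on GRAC_RISK_ANALYSIS_WITH_NO_WS output before provisioning continues.

Added example, not SAP code. It assumes the SOAP output has already been
deserialised into dicts keyed by the parameter names in the output tables
(UserId, RiskId, RiskLevelDesc, RiskStatus, "Mitigation Details" with
MitigationCtrl/MitigationStatus, RiskOwner with OwnerId/FullName).
The sample rows and the MitigationStatus value "Active" are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set

Row = Dict[str, object]

# Constructed sample: one request touching two users, three violations in total.
SAMPLE_OUTPUT: List[Row] = [
    {"UserId": "JDOE", "RiskId": "P001", "RiskDesc": "Create and pay vendor",
     "RiskLevelDesc": "High", "RiskStatus": "Active",
     "Mitigation Details": [{"MitigationCtrl": "MC-017", "MitigationStatus": "Active",
                             "Monitor": [{"MitigationCtrl": "MC-017"}]}],
     "RiskOwner": [{"OwnerId": "RO1", "FullName": "Risk Owner One"}]},
    {"UserId": "JDOE", "RiskId": "B002", "RiskDesc": "Maintain bank data and post payment",
     "RiskLevelDesc": "Critical", "RiskStatus": "Active",
     "Mitigation Details": [],
     "RiskOwner": [{"OwnerId": "RO2", "FullName": "Risk Owner Two"}]},
    {"UserId": "ASMITH", "RiskId": "P001", "RiskDesc": "Create and pay vendor",
     "RiskLevelDesc": "High", "RiskStatus": "Active",
     "Mitigation Details": [],
     "RiskOwner": [{"OwnerId": "RO1", "FullName": "Risk Owner One"}]},
]


def has_active_mitigation(row: Row) -> bool:
    """True when at least one mitigation control on the row is active (assumed status text)."""
    details = row.get("Mitigation Details") or []
    return any(d.get("MitigationCtrl") and d.get("MitigationStatus") == "Active"
               for d in details)


def unmitigated_by_user(rows: List[Row]) -> Dict[str, List[str]]:
    """Map each UserId to the RiskIds that carry no active mitigation control."""
    open_risks: Dict[str, List[str]] = defaultdict(list)
    for row in rows:
        if not has_active_mitigation(row):
            open_risks[str(row["UserId"])].append(str(row["RiskId"]))
    return dict(open_risks)


def owners_to_notify(rows: List[Row]) -> Set[str]:
    """OwnerIds of the risk owners responsible for the unmitigated violations."""
    return {
        str(owner["OwnerId"])
        for row in rows if not has_active_mitigation(row)
        for owner in (row.get("RiskOwner") or [])
    }


def provisioning_may_proceed(rows: List[Row]) -> bool:
    """Policy hook for the IdM workflow: block while any violation is unmitigated."""
    return not unmitigated_by_user(rows)
```

The decision to block is deliberately conservative: a violation with a mitigation control that is not active is treated the same as one with no control at all, so the IdM workflow never provisions on the strength of a mitigation that is not in force.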

4.15 Risk Analysis Without Request Number Web Service – GRAC_RISK_ANALYSIS_WOUT_NO_WS

Input Parameters: Risk Analysis Without Request Number Web Service

Serial No. Field Name Mandatory/Optional Nature of Input Description Comments

1 RoleType Mandatory if ObjectType is ‘ROL’ Single Value Role Type

2 ConnectorId Mandatory Table Connector ID -System

3 ObjectId Mandatory Table Object ID

4 UserGroup Optional Single Value User Group

5 ObjectType Mandatory Single Value Object Type

6 OrgRule Optional Table Org Rule

7 OrgLevel Optional Single Value Org level

8 BusinessProc Optional Single Value Bus Procedure

9 RiskId Optional Table Risk ID

10 RuleId Optional Single Value Rule ID

11 RiskLevel Optional Single Value Risk Level

12 RuleSetId Optional Single Value Rule Set ID

13 ReportType Optional Table Report Type

14 ReportFormat Optional Single Value Report Format

15 Org Val Optional Table Org Value Not Used

16 UserType Optional Single Value User Type

17 Simulation Optional Table Simulation

18 SimuRiskOnly Optional Single Value Simulation Risk Only

19 ApplicationType Optional Single Value Application Type

20 AddlAttrib Optional Table Additional Attributes

21 HitCounts Optional Single Value If no value is supplied then, by default, 100 records will be displayed

Connector

Serial No. Name Nature of Output Description

1 Connector Single value Connector

Object ID

Serial No. Name Nature of Output Description

1 ObjectID Single value Object ID

Org Rule

Serial No. Name Nature of Output Description

1 OrgRule Single value Org Rule

Risk ID

Serial No. Name Nature of Output Description

1 RiskID Single value Risk ID

Report Type

Serial No. Name Nature of Output Description

1 Report Type Single value Report type

Simulation

Serial No. Name Nature of Output Description

1 Connector Single value Connector

2 SimuObjType Single value Simulation Object Type

3 SimuObjIDList Table Simulation Object ID List

4 ExcludeSimu Single value Flag Value

Simulation Object ID List

Serial No. Name Nature of Output Description

1 SIMUOBJID Single value Simulation Object ID

Additional Attributes

Serial No. Name Nature of Output Description

1 Addl Attrib Single value Additional Attribute

Org value

Serial No. Name Nature of Output Description

1 Org Val Single value Organization Value

Input Parameters: Validation and Support

Web Service name: GRAC_RISK_ANALYSIS_WOUT_NO_WS.

ConnectorID field is mandatory; if no value is passed in this field, the following ERROR message is returned: MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Connector ID is mandatory’.

ObjectID field is mandatory; if no value is passed in this field, the following ERROR message is returned: MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Object Field is Mandatory’.

Object type is mandatory; if no value is passed in this field, the following ERROR message is returned: MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Object type is mandatory’.

Object type is either ‘ROL’ (for Role) or ‘USR’ (for User). For any other Object Type, the following ERROR message is returned: MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Invalid object type’. The rest of the inputs are used for filtering.

In Simulation, the following five simulation object types are supported:

ACT (1)

ROL (2)

PRF (3)

BUS (4)

CUA (5)

This WS returns violations for the following five Report Types: Action, Permission, Critical Action, Critical Permission, Critical Role/Profile.

Risk Analysis is done at User and Role level.

Only SAP systems are supported.

If Object Type is ‘ROL’ (Role), a correct Role Type is mandatory.

Supported Object Types include the following:

User

Role

Profile

HR Object-Job

HR Object-Org Unit

HR Object- Position

Action

User Org

Role Org

User Group

Org unit

Output Parameters: Risk Analysis Without Request Number Web Service

Risk Data

Serial No. Name Nature of Output Description

1 Object ID Single value Object ID

2 Role ID Single value Role ID

3 RiskID Single value Risk ID

4 RiskDesc Single value Risk Description

5 RiskLevel Single value Risk Level

6 RiskLevelDesc Single value Risk Level Description

7 Rule ID Single Value Rule ID

8 System Single value System

9 Action Single value Action

10 Lastexecutedon Single value Date Last Executed

11 Executioncount Single value Execution Count

12 Control Single value Control

13 Monitor Single value Monitor

TCode

Serial No. Name Nature of Output Description

1 UserId Single value User ID

2 RiskId Single value Risk ID

3 RiskDesc Single value Risk Description

4 RiskLevel Single value Risk Level

5 RiskLevelDesc Single value Risk Level Description

6 RuleId Single value Rule ID

7 System Single value System

8 Action Single value Action

9 Lastexecutedon Single value Date Last Executed

10 Executioncount Single value Execution Count

11 Control Single value Control

12 Monitor Single value Monitor

4.16 EUP Config Web Service – GRAC_EUP_CONFIG_DATA_WS

Input Parameters: EUP Configuration Data

Serial No. Field Name Mandatory/Optional Description Comments

1 EUP Criteria ID Optional EUP Criteria ID

2 Language Optional Language

Input Parameters: Validation and Support

Web Service name: GRAC_EUP_CONFIG_DATA_WS.

If EUP Criteria ID is initial (no value supplied), the error message “Enter the valid EUP criteria ID supported by IDM” is returned. If EUP Criteria ID is 999, the default success message is returned; otherwise the error message “Only 999 EUP criteria ID is supported” is returned.

Output Parameters: EUP Configuration Data

EUP Data

Serial No. Name Nature of Output Description

1 FieldLabel Single value Field Label

2 FieldName Single value Field Name

3 Mandatory Single value Mandatory

4 DefaultValue Single value Default Value

Return Messages: Structure Message Return

Serial No. Name Description Comment

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return

4.17 Audit Logs Integration Web Service – GRAC_AUDIT_LOGS_WS

There are two scenarios supported:

Audit Logs from GRC: In the case of IdM-driven provisioning, IdM can get the audit logs from GRC by using the GRAC_AUDIT_LOGS_WS Web Service.

Audit Logs from IdM: Currently IdMs do not expose enough audit information; only the request status is shown in the GRC Audit Logs.

• Synchronous requests: the result from IdM is captured and shown in the Audit Logs in GRC.

• Asynchronous requests:

o For all open requests: a real-time call is sent to IdM to fetch the request status for the requests that are still open in IdM.

o For all closed requests: once the requests are processed and closed in IdM, IdM is expected to post the status of the request to GRC by using the GRAC_EXIT_FROM_IDM_WS Web Service.

Input Parameters: Audit Logs Integration Web Service

Serial No. Field Name Mandatory/Optional Description Comments

1 RequestNumber Optional Request Number

2 UserId Optional User ID Request Created by User ID

3 MaxHits Optional Maximum Number Limited to 100 Request Numbers

4 DateFrom Optional From Date

5 DateTo Optional To Date

6 Language Optional Language

7 RequestorID Optional Requestor ID

8 Action Optional Action Currently Not Supported

Input Parameters: Validation and Support

Web service name: GRAC_AUDIT_LOGS_WS

All inputs are optional from the interface point of view, but if the user executes the service without passing anything, the user is asked to pass a Request Number, User ID or Date.

Validations and Input format for input fields:

Maximum Hits: If the user does not enter anything in this parameter, hits are limited to the first 100 log entries. These 100 entries are counted by request number, not by audit log entry. The result is displayed irrespective of how many audit logs are generated for a request number.

For example: if a user has entered only a user ID in the input fields and more than 100 requests exist for that user, the user will only be able to see the first 100 requests; the rest of the requests will not be shown.

Date From: Format supported YYYYMMDD

Date To: Format supported YYYYMMDD

Action: Currently not supported; included in the interface to stay in sync with the old version.

From Date and To Date can never be after the current date.

From Date can never be after To Date.

If the length of From Date or To Date is greater than 8, the error message “Invalid Input” will be shown.

No space to the left of the request number is allowed. In this case, the error message “No data found for requested inputs” will be shown.

If Max Hits is less than 0, the error message “Invalid Max Hits” will be shown.
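The validation rules above, and the same rules for GRAC_AUDIT_LOG_WS in section 4.12, as an added example that is not SAP's code: a client-side pre-check that an IdM integration can run before the SOAP call, returning the Structure Message Return shape, plus a function showing that MaxHits counts request numbers rather than audit log rows. The function names, the injectable today parameter (YYYYMMDD) and the message texts flagged as assumptions in the comments are mine.

```python
"""Client-side pre-checks for GRAC_AUDIT_LOGS_WS / GRAC_AUDIT_LOG_WS input.

Added example, not SAP code. The rules come from the validation text on this
page; the function names, the "today" parameter and the message texts marked
as assumptions below are not from the SAP documentation.
"""
from datetime import date, datetime
from typing import Dict, List, Optional


def _message(msg_no: int, msg_type: str, statement: str) -> Dict[str, object]:
    """Shape of the 'Structure Message Return' (MsgNo, MsgType, MsgStatement)."""
    return {"MsgNo": msg_no, "MsgType": msg_type, "MsgStatement": statement}


def _parse_yyyymmdd(value: str) -> Optional[date]:
    """Parse the YYYYMMDD format the service accepts; None if not a real date."""
    try:
        return datetime.strptime(value, "%Y%m%d").date()
    except ValueError:
        return None


def validate_audit_log_input(request_number: str = "", user_id: str = "",
                             date_from: str = "", date_to: str = "",
                             max_hits: Optional[int] = None,
                             today: Optional[str] = None) -> Dict[str, object]:
    """Apply the page's input rules before the SOAP call is made.

    Returns a message structure; on success (MsgNo 0) it also carries the
    effective MaxHits (default 100) under the key "MaxHits".  `today` is a
    YYYYMMDD string so the check is reproducible; it defaults to the real date.
    """
    # Nothing at all passed: the service asks for Request Number, User ID or Date.
    if not (request_number or user_id or date_from or date_to):
        # Assumption: the exact wording of this message is not given on the page.
        return _message(4, "ERROR", "Pass Request Number or User ID or Date")

    # "No spaces to the left of the request number are allowed."
    if request_number != request_number.lstrip():
        return _message(4, "ERROR", "No data found for requested inputs")

    # "If the length of From Date or To Date is greater than 8 ... Invalid Input"
    if len(date_from) > 8 or len(date_to) > 8:
        return _message(4, "ERROR", "Invalid Input")

    today_d = _parse_yyyymmdd(today) if today else date.today()
    if today_d is None:
        raise ValueError("today must be YYYYMMDD")

    d_from = _parse_yyyymmdd(date_from) if date_from else None
    d_to = _parse_yyyymmdd(date_to) if date_to else None
    # Assumption: a malformed date, a future date and a reversed range are all
    # reported with the "Invalid Input" text the page gives for over-long dates.
    if (date_from and d_from is None) or (date_to and d_to is None):
        return _message(4, "ERROR", "Invalid Input")
    # "From Date and To Date can never be after the current date."
    if (d_from and d_from > today_d) or (d_to and d_to > today_d):
        return _message(4, "ERROR", "Invalid Input")
    # "From Date can never be after To Date."
    if d_from and d_to and d_from > d_to:
        return _message(4, "ERROR", "Invalid Input")

    # Empty MaxHits means the first 100 log entries; negative is rejected.
    if max_hits is None:
        max_hits = 100
    if max_hits < 0:
        return _message(4, "ERROR", "Invalid Max Hits")

    result = _message(0, "SUCCESS", "Input accepted")  # assumption: success text
    result["MaxHits"] = max_hits
    return result


def apply_max_hits(requests: List[Dict[str, object]], max_hits: int) -> List[Dict[str, object]]:
    """MaxHits is counted in request numbers, not audit-log rows: the first
    max_hits requests are returned with all of their ItAuditData entries intact."""
    return requests[:max_hits]
```

Pre-checking on the caller's side keeps malformed input out of the audit-log query entirely and gives the IdM workflow a deterministic error before any round trip; the service's own validation remains the authority.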

Output Parameters: Audit Logs Integration Web Service

Output information is structured in a nested format. At the header level, data related to the request number is displayed; at the second level of the structure, all provision items are displayed; and at the third level, the audit logs for every provision item are displayed.

Audit Logs Main Header Table

Serial No. Name Nature of Output Description

1 RequestNumber Single value Request Number

2 Requested_by Single value Requested By

3 Submitted_by Single value

4 Status Single value Status of Request

5 CreateDate Single value Date of Creation of Request

6 Priority Single value Priority for Request

7 ItAuditData List Request History in Detail

Request ItAuditData Structure

Serial No. Name Nature of Output Description

1 ActionDate Single value Date on Which Action was Performed

2 ActionValue Single value Currently not supported

3 DependantId Single value ID for which request is created

4 Description Single value Audit log text

5 DisplayString Single value Audit log text

6 Id Single value Unique ID for this action

7 Path Single value Path

8 Stage Single value Request stage

9 UserId Single value User ID

10 ItAuditDataChild List Mother request ID of this tree

ItAuditDataChild Structure

Serial No. Name Nature of Output Description

1 ActionDate Single value Date on which action was performed

2 ActionValue Single value Currently not supported

3 DependantId Single value ID for which request is created

4 Description Single value Audit log text

5 DisplayString Single value Audit log text

6 Id Single value Unique ID for this action

7 Path Single value Path

8 Stage Single value Request stage

9 UserId Single value User ID

Return Messages: Structure Message Return

Serial No. Name Description Comment

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return

4.18 Exit Log Web Service – GRAC_EXIT_FROM_IDM_WS

Input Parameters: Exit Log Web Service

Serial No. Field Name Mandatory/Optional Description Comments

1 RequestNumber Optional Request Number <RequestNumber>$<ConnectorID>

2 EntrySeq Optional Sequence Number of task

3 OperResponse Optional Response Code

4 OperResponseDesc Optional Response Description

Web service Name: GRAC_EXIT_FROM_IDM_WS

Input for the Exit Web Service supports multiple sequence updates for a single request number. For the handshake between IDM and GRC, the RequestNumber parameter carries the request number in the form <RequestNumber>$<ConnectorID>. IdMs do not need to construct this format themselves, because GRC supplies the value in exactly this form during provisioning.

Input Parameters: Validation and Support

From the interface point of view nothing is mandatory, but the user needs to enter RequestNumber and EntrySeq for successful execution of the Web Service.

Validations and Input format for input fields:

The combination of Request Number and Entry Sequence must exist in the GRC system for the update; otherwise an error message with MsgNo = 4, MsgType ‘ERROR’ and MsgStatement ‘Seq <seqno> of req <request no> not found’ is returned.

Return Messages: Structure Message Return

Serial No. Name Description Comment

1 MsgNo Message number 0 For Success, 4 For Error

2 MsgType Message type Success, Error

3 MsgStatement Message text Text for message return

Audit Logs from IdM for Synchronous Requests: Request Submission from GRC to assign a role

Audit Log from IDM is displayed in GRC

5. CALLING WEB SERVICES FROM ACCESS CONTROL

In most cases, you call Web Services from Access Control to request user provisioning to a non-ERP system. Access Control can call the following Web Services:

• Submit Request (to IdM) – This Web Service allows you to submit a request to IdM for non-ERP provisioning, and to submit a request when user information is new or changed in an HR system and privileges require adjusting.

• Request Status – This Web Service returns the status and detailed request information for the selected request. GRC Access Control supports two options to request status information: Callback and Polling, configured in IMG customization.

• GRC Request to IdM

o If a status request is sent to IdM from GRC for non-ERP system provisioning, the status of this request is updated back into GRC through one of the following two methods:

o For all synchronous calls, the request status is received as an SPML response from IdM, and GRC updates the audit logs accordingly.

o For all asynchronous calls, GRC initially receives the status from IdM as ‘PENDING’. When the request is processed completely by IdM, IdM sends the status back to GRC using the web service configuration “GRAC_EXIT_FROM_IDM_WS”.

• IdM Request to GRC

o The option of supporting Polling and Callback to request status information is driven by IdM. If the status request for system provisioning is created by IdM to GRC, there are two options to get the request status: Polling or Callback.

o Polling – IdM can make frequent requests to GRC to get the status using the GRC web service configuration “GRAC_REQUEST_STATUS_WS”. Polling should be configured in IdM: “EXIT_FROM_GRC=false”.

o Callback – GRC communicates back to IdM as soon as provisioning is finished in GRC or other LDAP systems. Callback in GRC should be configured as “EXIT_FROM_GRC=true”. The corresponding configuration also has to be done in IdM.

Note: By default, “EXIT_FROM_GRC=TRUE” is configured in GRC.

• Audit Trail (includes the Provisioning Log Web Service) – This Web Service returns a comprehensive audit history. It enables the Access Control application to retrieve the Audit Log from IdM (for non-ERP provisioning) as well as an audit history of user provisioning to IdM.

5.1 Application Web Service – GRAC_SELECT_APPL_WS

To process a status request from GRC Access Control, IdM has to make an SPML call after the following configuration has been set up: go to Assign default connector to connector group, then Assign group parameter mapping, and select EXIT_FROM_GRC = true.

If callback is disabled in GRC Access Control, IdM has an option to get the request status using Polling configuration: EXIT_FROM_IDM = FALSE.

5.2 Polling Web Service

IdM has an option to use Polling to fetch GRC Access Control Request Status information at regular intervals. In this scenario, IdM uses the request status web service GRAC_REQUEST_STATUS_WS. Go to Assign default connector to connector group, then Assign group parameter mapping, and select EXIT_FROM_GRC = false.

Note: Web Service calls from Access Control to the IdM system use SPML 1.0 (Service Provisioning Markup Language) for exchanging XML-based information. The examples in Appendix A describe the Submit Request and Audit Trail Web Services for integration with the SAP NetWeaver Identity Manager.

Sample Use Case

6. APPENDIX - INTEGRATION WITH NETWEAVER IDENTITY MANAGER

These appendices contain integration information for configuring:

• Provisioning Operations that are used for the Submit Request Web Service to the NetWeaver Identity Manager

• Search Operations that are used for the Audit Trail Web Service called from the NetWeaver Identity Manager

For more detailed information describing how to install and configure GRC provisioning see DOC-4376SAP-NW_IdM_GRC_ConfigGuide posted on SCN: http://sdn.sap.com .

6.1 Appendix A – Provisioning Operations

Depending on the nature and capability of the system, there are two execution modes for provisioning operations: synchronous and asynchronous. The SAP NetWeaver Identity Manager (IdM) is, by nature, an asynchronous system. The following outlines the processing of a provisioning request in asynchronous mode:

1. The provisioning request is sent to Identity Services.

The SPML request contains the requestID field. Typically, the requestor sets the value for this field.

2. Identity Services accepts the request and returns a preliminary “OK” to the requestor.

Among other things, Identity Services extracts the requestID from the request. If the value is not given by the requestor, Identity Services generates a new value, and the SPML response’s requestID field is set to this new value. Information about all subsequent processing of the request is stored together with the requestID value discussed previously. It is now possible for the requestor to check the status of the operation using this value.

3. Identity Services handles the request.

Typically, there are multiple requests to managed applications, approvals, and so on. Operations may be retried due to error conditions.

4. The requestor checks the status of the provisioning request by using the requestID value mentioned previously.

Adding Person Entry

Operations Properties Key Value / Description

Operation SPML Add Operation

DN The unique ID of the entry to be added. It will be stored in the mskeyvalue attribute in the Identity Store.

Attributes Any set of the attributes available for the MX_PERSON. Currently, it is possible to add only person objects.

Example SPML Request

Supplied identifier: Simple User

Supplied attributes and values: givenname=Simple, sn=User, objectclass=MX_PERSON

<SOAP-ENV:Body>
  <spml:addRequest xmlns:spml="urn:oasis:names:tc:SPML:1:0"
                   xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core" requestID="add123">
    <spml:identifier type="urn:oasis:names:tc:SPML:1:0#GUID">
      <spml:id>Simple User</spml:id>
    </spml:identifier>
    <spml:attributes>
      <dsml:attr name="sn">
        <dsml:value>User</dsml:value>
      </dsml:attr>
      <dsml:attr name="objectclass">
        <dsml:value>MX_PERSON</dsml:value>
      </dsml:attr>
      <dsml:attr name="givenname">
        <dsml:value>Simple</dsml:value>
      </dsml:attr>
    </spml:attributes>
  </spml:addRequest>
</SOAP-ENV:Body>

SPML Response

Failure:

<SOAP-ENV:Body>
  <spml:addResponse errorMessage="Insufficient access" requestID="add123"
    result="urn:oasis:names:tc:SPML:1:0#failure"
    xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
    xmlns:spml="urn:oasis:names:tc:SPML:1:0"/>
</SOAP-ENV:Body>

Success:

<SOAP-ENV:Body>
  <spml:addResponse requestID="add123"
    result="urn:oasis:names:tc:SPML:1:0#success"
    xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
    xmlns:spml="urn:oasis:names:tc:SPML:1:0"/>
</SOAP-ENV:Body>

Modifying Person Entry

Operation Properties
  Key         Value / Description
  Operation   SPML Modify Operation
  DN          The unique ID of the entry to be modified.
  Attributes  Any set of the attributes available for MX_PERSON. Currently, it is possible to modify only one person.


Example SPML Request

Supplied identifier: Simple User
Supplied attributes and values: initials=SU, mail=[email protected], telephonenumber=+4711223344

<SOAP-ENV:Body>
  <spml:modifyRequest xmlns:spml="urn:oasis:names:tc:SPML:1:0"
    xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core" requestID="modify124">
    <spml:identifier type="urn:oasis:names:tc:SPML:1.0#GUID">
      <spml:id>Simple User</spml:id>
    </spml:identifier>
    <spml:modifications>
      <dsml:modification name="initials" operation="add">
        <dsml:value>SU</dsml:value>
      </dsml:modification>
      <dsml:modification name="mail" operation="add">
        <dsml:value>[email protected]</dsml:value>
      </dsml:modification>
      <dsml:modification name="telephonenumber" operation="add">
        <dsml:value>+4711223344</dsml:value>
      </dsml:modification>
    </spml:modifications>
  </spml:modifyRequest>
</SOAP-ENV:Body>


Deleting Person Entry

Operation Properties
  Key         Value / Description
  Operation   SPML Delete Operation
  DN          The unique ID of the entry to be deleted.

Example SPML Request

Supplied identifier: Simple User

<SOAP-ENV:Body>
  <spml:deleteRequest xmlns:spml="urn:oasis:names:tc:SPML:1:0"
    xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
    <spml:identifier type="urn:oasis:names:tc:SPML:1.0#GUID">
      <spml:id>Simple User</spml:id>
    </spml:identifier>
  </spml:deleteRequest>
</SOAP-ENV:Body>


6.2 Appendix B – Search Operations

Checking the Results of an Update

Since SAP NetWeaver IdM operates in asynchronous mode, after each provisioning operation the requestor must (regularly) check the status of the operation by executing special Identity Services operations.

Operation Properties
  Key                   Value / Description
  Operation             SPML Search Operation
  Starting Point        operation=auditlog
  Search Type           Not relevant
  Attributes requested  *
  Filter                (objectclass=*)
  Returned Entry        A list of entries is returned. The identifiers of the returned entries are in the form cn=<mskeyvalue>,<used System Naming Context>.

Returned Attributes
  Attribute         Description                                                              Value
  requestoperation  The original update operation whose status is checked.                  Add, modify, delete
  requestuserid     The User ID (mskeyvalue) of the entry which was updated.
  requestid         The request ID for the operation.
  taskname          The name of the task that is executed as a result of the request.
  taskid            The ID of the task that is executed as a result of the request.
  operationstatus   The status of the operation.                                             OK, Error, Task Initiated, etc.
  timestamp         The date/time when the status of the audit entry is updated.
  message           Additional message about the state of the request. Typically, explanatory error messages are shown here.
  mskey             mskey of the entry that was the source of the operation in question.
  auditid           The ID of the object in the audit table.

SPML Request

Supplied identifier: auditlog (special IDS operation)
Supplied filter: (requestid=add123)

<SOAP-ENV:Body>
  <spml:searchRequest xmlns:spml="urn:oasis:names:tc:SPML:1:0"
    xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
    <spml:searchBase type="urn:oasis:names:tc:SPML:1.0#GUID">
      <spml:id>operation=auditlog</spml:id>
    </spml:searchBase>
    <dsml:filter>
      <dsml:equalityMatch name="requestid">
        <dsml:value>add123</dsml:value>
      </dsml:equalityMatch>
    </dsml:filter>
  </spml:searchRequest>
</SOAP-ENV:Body>


SPML Response

<SOAP-ENV:Body>
  <spml:searchResponse requestID="add123" result="urn:oasis:names:tc:SPML:1:0#success"
    xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
    xmlns:spml="urn:oasis:names:tc:SPML:1:0">
    <searchResultEntry>
      <spml:identifier>
        <spml:id>cn=234,ou=audit,o=control</spml:id>
      </spml:identifier>
      <spml:attributes>
        <dsml:attr name="auditid">
          <dsml:value type="xsd:string">234</dsml:value>
        </dsml:attr>
        <dsml:attr name="useid">
          <dsml:value type="xsd:string">*24:INSERT</dsml:value>
        </dsml:attr>
        <dsml:attr name="mskey">
          <dsml:value type="xsd:string">169</dsml:value>
        </dsml:attr>
        <dsml:attr name="msg">
          <dsml:value type="xsd:string">no message</dsml:value>
        </dsml:attr>
        <dsml:attr name="auditroot">
          <dsml:value type="xsd:string">234</dsml:value>
        </dsml:attr>
        <dsml:attr name="lastaction">
          <dsml:value type="xsd:string">26</dsml:value>
        </dsml:attr>
        <dsml:attr name="provision_status">
          <dsml:value type="xsd:string">Failed</dsml:value>
        </dsml:attr>
        <dsml:attr name="taskname">
          <dsml:value type="xsd:string">Process ASYNC Request</dsml:value>
        </dsml:attr>
        <dsml:attr name="posteddate">
          <dsml:value type="xsd:string">2008-01-16 15:23:58.49</dsml:value>
        </dsml:attr>
        <dsml:attr name="taskid">
          <dsml:value type="xsd:string">20</dsml:value>
        </dsml:attr>
        <dsml:attr name="postedby">
          <dsml:value type="xsd:string">mxmc_rt_u</dsml:value>
        </dsml:attr>
        <dsml:attr name="idsid">
          <dsml:value type="xsd:string">3</dsml:value>
        </dsml:attr>
      </spml:attributes>
    </searchResultEntry>
  </spml:searchResponse>
</SOAP-ENV:Body>
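The asynchronous round trip of Appendix A and the audit-log status check of Appendix B, as an added example that is not part of the SAP document: it builds the addRequest body with a caller-chosen requestID, builds the matching auditlog searchRequest, and parses the searchResponse into a dictionary so the requestor can poll for provision_status. The function names and the SAMPLE_RESPONSE are this example's own constructions; only the SPML/DSML namespaces, element names and attribute names come from the page.

```python
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:1:0"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
GUID = "urn:oasis:names:tc:SPML:1.0#GUID"
ET.register_namespace("spml", SPML)
ET.register_namespace("dsml", DSML)

def build_add_request(entry_id, attrs, request_id):
    # Step 1: addRequest carrying a caller-chosen requestID so the outcome
    # can be polled from the audit log even if the immediate response is lost.
    root = ET.Element(f"{{{SPML}}}addRequest", {"requestID": request_id})
    ident = ET.SubElement(root, f"{{{SPML}}}identifier", {"type": GUID})
    ET.SubElement(ident, f"{{{SPML}}}id").text = entry_id
    holder = ET.SubElement(root, f"{{{SPML}}}attributes")
    for name, value in attrs.items():
        attr = ET.SubElement(holder, f"{{{DSML}}}attr", {"name": name})
        ET.SubElement(attr, f"{{{DSML}}}value").text = value
    return ET.tostring(root, encoding="unicode")

def build_status_query(request_id):
    # Step 4 (Appendix B): search base "operation=auditlog", filter (requestid=...)
    root = ET.Element(f"{{{SPML}}}searchRequest")
    base = ET.SubElement(root, f"{{{SPML}}}searchBase", {"type": GUID})
    ET.SubElement(base, f"{{{SPML}}}id").text = "operation=auditlog"
    flt = ET.SubElement(root, f"{{{DSML}}}filter")
    eq = ET.SubElement(flt, f"{{{DSML}}}equalityMatch", {"name": "requestid"})
    ET.SubElement(eq, f"{{{DSML}}}value").text = request_id
    return ET.tostring(root, encoding="unicode")

def parse_audit_entries(response_xml):
    # Flatten each searchResultEntry into {attr: value}; identifier kept as "_id".
    entries = []
    for entry in ET.fromstring(response_xml).iter():
        if not entry.tag.endswith("searchResultEntry"):
            continue
        rec = {"_id": entry.findtext(f"{{{SPML}}}identifier/{{{SPML}}}id")}
        for attr in entry.iter(f"{{{DSML}}}attr"):
            rec[attr.get("name")] = attr.findtext(f"{{{DSML}}}value")
        entries.append(rec)
    return entries

# Constructed sample, modelled on the auditlog searchResponse shown above.
SAMPLE_RESPONSE = f"""<spml:searchResponse xmlns:spml="{SPML}" xmlns:dsml="{DSML}"
 requestID="add123" result="{SPML}#success"><searchResultEntry>
 <spml:identifier><spml:id>cn=234,ou=audit,o=control</spml:id></spml:identifier>
 <spml:attributes><dsml:attr name="auditid"><dsml:value>234</dsml:value></dsml:attr>
 <dsml:attr name="provision_status"><dsml:value>Failed</dsml:value></dsml:attr>
 <dsml:attr name="msg"><dsml:value>no message</dsml:value></dsml:attr>
 </spml:attributes></searchResultEntry></spml:searchResponse>"""
```

Because the preliminary "OK" only acknowledges receipt, a caller should keep polling with build_status_query until provision_status (or operationstatus) reports a final value, and treat "Failed" together with msg as the real outcome of the add.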


Obtaining Entry Information

It is possible to obtain information about entries managed by Identity Services at any time. Normally, it is not possible to list multiple entries with SPML; SPML returns only so-called base-level information (that is, information about a single entry). Identity Services implements additional special operations that make it possible to list multiple entries.

Listing Multiple Entries

Operation Properties
  Key                   Value / Description
  Operation             SPML Search Operation
  Starting Point        operation=list
  Search Type           Not relevant
  Attributes requested  * OR any attribute subset (shown below)
  Filter                (objectclass=MX_PERSON) must be present in the filter. In addition, the filter can contain any valid filtering based on the objects’ attributes.

Detailed Search on a Single Person

Operation Properties
  Key                   Value / Description
  Operation             SPML Search Operation
  Starting Point        The unique ID of the entry to be listed.
  Search Type           Not relevant
  Attributes requested  Any valid attribute subset
  Filter                (objectclass=*) OR any valid filtering based on the objects’ attributes.

SPML Request

<SOAP-ENV:Body>
  <spml:searchRequest xmlns:spml="urn:oasis:names:tc:SPML:1:0"
    xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
    <spml:searchBase type="urn:oasis:names:tc:SPML:1.0#GUID">
      <spml:id>Simple User</spml:id>
    </spml:searchBase>
    <dsml:filter>
      <dsml:present name="objectclass"></dsml:present>
    </dsml:filter>
  </spml:searchRequest>
</SOAP-ENV:Body>


SPML Response (Entry after successful ADD)

The following example shows the SPML response after the first example ADD operation.

<SOAP-ENV:Body>
  <spml:searchResponse result="urn:oasis:names:tc:SPML:1:0#success"
    xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
    xmlns:spml="urn:oasis:names:tc:SPML:1:0">
    <searchResultEntry>
      <spml:identifier>
        <spml:id>cn=Simple User,ou=nwidml,o=ids</spml:id>
      </spml:identifier>
      <spml:attributes>
        <dsml:attr name="sn"><dsml:value type="xsd:string">User</dsml:value></dsml:attr>
        <dsml:attr name="objectclass"><dsml:value type="xsd:string">MX_PERSON</dsml:value></dsml:attr>
        <dsml:attr name="mskeyvalue"><dsml:value type="xsd:string">Simple User</dsml:value></dsml:attr>
        <dsml:attr name="mskey"><dsml:value type="xsd:string">167</dsml:value></dsml:attr>
        <dsml:attr name="mx-disabled"><dsml:value type="xsd:string">1</dsml:value></dsml:attr>
        <dsml:attr name="givenname"><dsml:value type="xsd:string">Simple</dsml:value></dsml:attr>
      </spml:attributes>
    </searchResultEntry>
  </spml:searchResponse>
</SOAP-ENV:Body>

SPML Response (Entry after successful MODIFY)

The following example shows the SPML response after the MODIFY operation.

<SOAP-ENV:Body>
  <spml:searchResponse result="urn:oasis:names:tc:SPML:1:0#success"
    xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core"
    xmlns:spml="urn:oasis:names:tc:SPML:1:0">
    <searchResultEntry>
      <spml:identifier>
        <spml:id>cn=Simple User,ou=nwidml,o=ids</spml:id>
      </spml:identifier>
      <spml:attributes>
        <dsml:attr name="sn"><dsml:value type="xsd:string">User</dsml:value></dsml:attr>
        <dsml:attr name="objectclass"><dsml:value type="xsd:string">MX_PERSON</dsml:value></dsml:attr>
        <dsml:attr name="telephonenumber"><dsml:value type="xsd:string">+4711223344</dsml:value></dsml:attr>
        <dsml:attr name="mskeyvalue"><dsml:value type="xsd:string">Simple User</dsml:value></dsml:attr>
        <dsml:attr name="mskey"><dsml:value type="xsd:string">167</dsml:value></dsml:attr>
        <dsml:attr name="initials"><dsml:value type="xsd:string">SU</dsml:value></dsml:attr>
        <dsml:attr name="mail"><dsml:value type="xsd:string">[email protected]</dsml:value></dsml:attr>
        <dsml:attr name="givenname"><dsml:value type="xsd:string">Simple</dsml:value></dsml:attr>
      </spml:attributes>
    </searchResultEntry>
  </spml:searchResponse>
</SOAP-ENV:Body>


© 2012 SAP AG. All rights reserved.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, SAP HANA, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase Inc. Sybase is an SAP company.

Crossgate, m@gic EDDY, B2B 360°, and B2B 360° Services are registered trademarks of Crossgate AG in Germany and other countries. Crossgate is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

www.sap.com