
SAP GRC: External SOD Risk Evaluation does not return risks.

Olesia
Regular Contributor

Hi,

Can anyone help me with SAP GRC integration?

We would like to use External SOD risk evaluation through an External connection to SAP GRC.

We have created a new security system, named its endpoint after our SAP instance, and created two connections: a SAP Base connection and an External Risk connection.
We added our new endpoint name to sod.endpoints in the external config file and restarted the application.
We also validated the value of ENABLE_EXTERNAL_SOD_EVAL in the configuration table,
and enabled "Show SOD" in the users' SAV role.

Our External Risk Connection has JSON with the parameters below:

{
  "GRAC_IDM_RISK_WOUT_NO_SERVICES": {
    "ROLE_TYPE": "",
    "USER_GROUP": "",
    "OBJECT_TYPE": "USR",
    "ORG_LEVEL": "",
    "BUSINESS_PROC": "",
    "REPORT_TYPE": "02",
    "RISK_LEVEL": "",
    "RULE_SET_ID": "GLOBAL",
    "REPORT_FORMAT": "2",
    "USER_TYPE": "",
    "SIMULATION_RISK_ONLY": "",
    "APPLICATION_TYPE": "SAP",
    "HIT_COUNT": "1000",
    "LANGUAGE": "EN"
  }
}

When we raise an access request, an External SOD evaluation call is sent to SAP GRC and we can see our output parameters in the log:
integration.SapDataImportService - connectorid = |---------|
| TABLE 'GRAC_T_WS_API_CONNECTOR_LST'
|---------|
|CONNECTOR|
|---------|
| |
|---------|
|DS4 |
|---------|

integration.SapDataImportService - objectid = |-----|
| TABLE 'GRAC_T_WS_API_OBJID_LST'
|-----|
|OBJID|
|-----|
| |
|-----|
|4000 |
|-----|

integration.SapDataImportService - simuobjIDTable = |---------|
| TABLE 'GRAC_T_SIMOBJ_LST'
|---------|
|SIMUOBJID|
|---------|
| |
|---------|
|/AIF/ADMI|
|ZED:CAMER|
|---------|

integration.SapDataImportService - simulation = |---------|----------|-------------|-|
| TABLE 'GRAC_T_WS_SIMULATION'
|---------|----------|-------------|-|
|CONNECTOR|SIMUOBTYPE|SIMUOBJID_LST|E|
|---------|----------|-------------|-|
| | | |0|
|---------|----------|-------------|-|
|DS4 |ROL |SIMUOBJID_LST| |
|---------|----------|-------------|-|


It is worth saying that, from the SAP connection, Import and Provisioning work fine.

But we have a problem with the SOD evaluation. The display log in SAP shows "Risk analysis finished successfully", but it always returns "sod not found", even when there should be a list of risks.
If I run the simulation in GRC, it shows the list of risks for the respective users and roles.

Here is the log from Saviynt:
integration.SapDataImportService - Function call successful
integration.SapDataImportService - msgreturn = SUCCESS
integration.SapDataImportService - msgstmt = No Violations
integration.SapDataImportService - In success message return
integration.SapDataImportService - No data returned
integration.SapDataImportService - Exit evaluateExternalSod
integration.ExternalConnectionCallService - Exit evaluateExternalSODCall
services.JbpmWorkflowService - evaluationstatus = true
services.JbpmWorkflowService - Success
services.JbpmWorkflowService - retmap = [success:true, sodResponse:[], status:true]
services.JbpmWorkflowService - sod not found
services.JbpmWorkflowService - evaluation successful, hence creating request

Could anyone suggest what else to check?

I went through all the documentation and prerequisites for integrating IDM-SAP and IDM-GRC and noticed that there are three names mentioned which, as I understand it, must match the name of our SAP endpoint. They are:
1. Logical system name defined in SAP CUA
2. SAP client system name in the SAP GRC system - this is not clear to me. I took the SAP instance name.
3. Target connector name defined in SAP GRC. Maybe this is the reason, as our target connector name does not match our endpoint name.

If you use External risk evaluation, could you please check whether your endpoint name matches all these names? How to check the target connector name is described in the section "Prerequisites for Integrating with SAP GRC" in the documentation here: https://saviynt.freshdesk.com/support/solutions/articles/43000539903-sap-integration-guide

Our Saviynt version is 5.5 SP3.11.

Many thanks to everyone who can help!


rushikeshvartak
All-Star

Pre-requisites:

  • Endpoint Name = Security System Name = SAP instance Name
  • Application entry under externalconfig.properties in the sod.endpoints variable
  • Connection - EXTERNAL_SOD_EVAL_JSON

Here MS-UI is the ruleset name.

  • Validate Global Config:
    • select name, configdata from configuration where name = 'ENABLE_EXTERNAL_SOD_EVAL';

      Value should be 1.

Regards,
Rushikesh Vartak
If you find the response useful, kindly consider selecting Accept As Solution and clicking on the kudos button.

Olesia
Regular Contributor

Thank you for your quick response!

Still getting "msgstmt = No Violations".

Could I also ask what you send in OBJID in TABLE 'GRAC_T_WS_API_OBJID_LST'? Should an account name be there? In my case there is a username.

If there should be an account name, how do I force it to use the account name?

Olesia
Regular Contributor

We finally got the external SOD evaluation to work. The issue was with the names. We have different names for the SAP instance and the target connector, and in our case it returns risks only with the target connector name.

Maybe it will help someone else too:

You can take almost all the needed parameters from a user-level simulation in SAP GRC.

When running a user-level simulation in GRC, the following parameters must be defined. The Saviynt parameters are given in brackets:

  1. System (target connector name = Security System = endpoint name)
  2. User (ObjID = SAP account name; in the Saviynt log you will see a username)
  3. Risk level (RISK_LEVEL, 0 – Medium, 1 – High, 2 – Low, 3 – Critical)
  4. Rule set (RULE_SET_ID), in UPPER case
  5. Format (REPORT_FORMAT, 2 – Detail)
  6. Type (REPORT_TYPE, 02 – Permission Level)
  7. Additional Criteria (ADDL_ATTRIB, 05 – Include Mitigated Risks)

Application entry under externalconfig.properties:

#SOD Performance Configurations

sod.endpoints=name of the SAP endpoint

sod.entitlement.depth=2

sod.endpoints is not mandatory. If you do not specify any endpoints in the externalconfig.properties file, all the endpoints that are available in EIC will be considered for evaluation.

sod.entitlement.depth - specify this property to handle the SOD evaluation of the entitlement hierarchy. This is applicable for both SAP and non-SAP applications for which sod.entitlement.depth is added in the externalconfig.properties file. The entitlement depth can be set to a maximum of 14.

I have also noticed that the order of parameters is important. And don't send empty values in EXTERNAL_SOD_EVAL_JSON, so use only those with values, like what Rushikesh posted above.
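The three checks this thread converges on, as an added example that is not Saviynt's or SAP's code: build the EXTERNAL_SOD_EVAL_JSON body with only non-empty parameters in the order of the working sample (the position of ADDL_ATTRIB at the end is an assumption), confirm endpoint, security system and GRC target connector names agree, and flag the log pattern where GRC answers "No Violations" and a request is still created, which is what a name mismatch looked like here.

```python
# Added example, not Saviynt's or SAP's code. Key order is copied from the
# EXTERNAL_SOD_EVAL_JSON in the original post; ADDL_ATTRIB comes from the
# GRC simulation screen and its position at the end is an assumption.
RFC_NAME = "GRAC_IDM_RISK_WOUT_NO_SERVICES"
FIELD_ORDER = [
    "ROLE_TYPE", "USER_GROUP", "OBJECT_TYPE", "ORG_LEVEL", "BUSINESS_PROC",
    "REPORT_TYPE", "RISK_LEVEL", "RULE_SET_ID", "REPORT_FORMAT", "USER_TYPE",
    "SIMULATION_RISK_ONLY", "APPLICATION_TYPE", "HIT_COUNT", "LANGUAGE",
    "ADDL_ATTRIB",
]


def build_external_sod_json(**params):
    """Build the connection JSON: non-empty parameters only, in FIELD_ORDER."""
    unknown = sorted(set(params) - set(FIELD_ORDER))
    if unknown:
        raise ValueError(f"unknown GRC parameter(s): {unknown}")
    body = {}                           # dict preserves insertion order
    for key in FIELD_ORDER:
        value = str(params.get(key) or "").strip()
        if not value:
            continue                    # do not send empty strings to GRC
        if key == "RULE_SET_ID":
            value = value.upper()       # rule set id must be upper case
        body[key] = value
    return {RFC_NAME: body}


def names_consistent(endpoint, security_system, target_connector):
    """Endpoint name == security system name == GRC target connector name."""
    return endpoint == security_system == target_connector


def silently_empty(log_lines):
    """Flag the fail-open symptom from the thread: GRC answers 'No Violations',
    sodResponse is empty, and the request is created anyway. A genuinely clean
    user looks the same, so treat a hit as something to verify in GRC."""
    text = "\n".join(log_lines)
    return ("msgstmt = No Violations" in text
            and "sodResponse:[]" in text
            and "hence creating request" in text)
```

Calling build_external_sod_json(OBJECT_TYPE="USR", REPORT_TYPE="02", RULE_SET_ID="global", REPORT_FORMAT="2", APPLICATION_TYPE="SAP", HIT_COUNT="1000", LANGUAGE="EN") reproduces the working JSON from the first post with the empty keys dropped and the rule set upper-cased.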

 

adriencosson
Regular Contributor III

Hello @Olesia, @rushikeshvartak,

I'm running v23.3 and trying to set up SAP GRC, and struggling to enable the external SOD risk evaluation.

In fact, when I run the query below, no result is returned:

select name, configdata from configuration where name = 'ENABLE_EXTERNAL_SOD_EVAL';

How should I proceed further?

Thanks.

Regards,
Adrien COSSON

Manu269
All-Star

@adriencosson Please raise a ticket with Saviynt; they should be able to add the entry in the database.

Also, after that the server has to be restarted.

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos.

adriencosson
Regular Contributor III

Hello @Manu269 ,

Thanks for your response. I'm in touch with the support team already and will ask them for additional help.

Also thanks for the heads-up on the server restart tip 😊

Regards,
Adrien COSSON

adriencosson
Regular Contributor III

Hello @Olesia , @Manu269 , @rushikeshvartak ,

Hope you're doing great.

We checked with the support team. As per the discussions, the 'ENABLE_EXTERNAL_SOD_EVAL' entry in the configuration table is not mandatory, as it was dedicated to version 5.5.

We also confirmed that the target connector name from SAP GRC at the customer's end was correct.

I now want to confirm with you whether the same name needs to be set on the Security System and Endpoint display names as well to make it work?

Many thanks.

Regards,
Adrien COSSON

Olesia
Regular Contributor

Hi,

Endpoint Name = Security System Name = SAP instance Name = Target connector name.

All of these are about names (securitysystems.SYSTEMNAME, endpoints.ENDPOINTNAME); display names can differ.


adriencosson
Regular Contributor III

Thanks for the confirmation.

Currently looking into it with Saviynt support, as it looks like this feature has not been implemented in v23.x.

I will confirm on this ticket in order to let people know.

Regards,
Adrien COSSON

@adriencosson, we are also facing a similar issue; we are running Saviynt v23.5.

Has your issue been resolved?

@adriencosson did you hear back anything on whether this is functioning in v23.11?

Regards
Manish Kumar
If the response answered your query, please Accept As Solution and Kudos.

adriencosson
Regular Contributor III

Hi @Sonam_Chikorde,

I had to set the following:

  • Set the endpoint's "Application experience" to "Classic UI".

  • In Settings > Configuration Files > externalconfig.properties: comment out the sod.endpoints line with a # at the beginning.

  • Create a CustomQueryJob and run the query below:
    INSERT INTO `configuration` (`NAME`, `CONFIGDATA`) VALUES ('ENABLE_EXTERNAL_SOD_EVAL', '1');

  • In your security system, set the configurations below with the appropriate SAP GRC connector.


Regards,
Adrien COSSON

Thanks a ton @adriencosson. It worked 🙂

adriencosson
Regular Contributor III

You're welcome @Sonam_Chikorde,

Note that, of course, this forces end users to use the Classic UI as the user interface for requesting access, which may disturb end users by giving them 2 different UIs depending on the requested application.

Support for External SOD Evaluation in the new UI should come by the end of 2023, as per discussions with Saviynt.

Regards,
Adrien COSSON

pj5233
New Contributor III

@adriencosson Do you know if there is an update on when the new UI that will support the external SOD Evaluation will be released? Going back to the classic UI will not go over well.


Sonam_Chikorde
New Contributor

Thanks @adriencosson for the update.

adriencosson
Regular Contributor III

Hi @pj5233 ,

Saviynt has reworked the Classic UI we all know from 5.5 and earlier into a fresher UI. This is already available from 23.6 onwards. It can be enabled through Global Configurations > Preferences > Enable Request Modern Experience Gen 2 (Beta).

Speaking of the new UI experience revealed from 2020.X onwards, I do not yet have visibility on enabling External SOD Evaluation there.

Regards,
Adrien COSSON