SAP GRC: External SOD Risk Evaluation does not return risks.

New Contributor III


Can anyone help me with SAP GRC integration?

We would like to use an External SOD risk evaluation using an External connection to SAP GRC.

We have created a new security system with its endpoint named after our SAP instance, and we have created two connections: an SAP Base connection and an External Risk connection.
We added our new endpoint name to sod.endpoints in the external config file and restarted the application.
We also validated the value of ENABLE_EXTERNAL_SOD_EVAL in the configuration table and enabled "Show SOD" in the users' SAV Role.

Our External Risk Connection has JSON with the below parameters:

When we raise an access request an External SOD evaluation call is sent to SAP GRC and we can see our output parameters in a log:
integration.SapDataImportService - connectorid = |---------|
| |
|DS4 |

integration.SapDataImportService - objectid = |-----|
| |
|4000 |

integration.SapDataImportService - simuobjIDTable = |---------|
| |

integration.SapDataImportService - simulation = |---------|----------|-------------|-|
| | | |0|

It is worth saying that from the SAP connection, Import and Provisioning work fine.

But we have a problem with the SOD evaluation. The display log in SAP shows "Risk analysis finished successfully", but it always returns "sod not found" even when there should be a list of risks.
If I run the simulation in GRC it shows the list of risks for the respective users and roles.

Here is the log from Saviynt:
integration.SapDataImportService - Function call successful
integration.SapDataImportService - msgreturn = SUCCESS
integration.SapDataImportService - msgstmt = No Violations
integration.SapDataImportService - In success message return
integration.SapDataImportService - No data returned
integration.SapDataImportService - Exit evaluateExternalSod
integration.ExternalConnectionCallService - Exit evaluateExternalSODCall
services.JbpmWorkflowService - evaluationstatus = true
services.JbpmWorkflowService - Success
services.JbpmWorkflowService - retmap = [success:true, sodResponse:[], status:true]
services.JbpmWorkflowService - sod not found
services.JbpmWorkflowService - evaluation successful, hence creating request

Could anyone suggest what else to check?

I went through all the documentation and prerequisites for integrating IDM-SAP and IDM-GRC and noticed that three names are mentioned which, as I understand, must match the name of our SAP endpoint. They are:
1. Logical system name defined in SAP CUA
2. SAP client system name in the SAP GRC system - this is not clear to me. I took the SAP instance name.
3. Target connector name defined in SAP GRC. Maybe this is the reason, as our target connector name does not match our endpoint name.

If you use External risk evaluation, could you please check whether your endpoint name matches all these names? How to check a target connector name is described in the section "Prerequisites for Integrating with SAP GRC" in the documentation here

Our Saviynt version is 5.5 SP3.11

Many thanks to everyone who can help!



Prerequisites:

  • Endpoint Name = Security System Name = SAP instance Name
  • Application entry in the sod.endpoints variable


Here MS-UI is the ruleset name

  • Validate Global Config
    • select name, configdata from configuration where name = 'ENABLE_EXTERNAL_SOD_EVAL';

      Value should be 1


New Contributor III

Thank you for your quick response!

Still getting "msgstmt = No Violations"

Could I also ask what you send in OBJID in TABLE 'GRAC_T_WS_API_OBJID_LST'? Should an account name be there? In my case there is a username.

If there should be an account name, how can it be forced to use an account name?

New Contributor III

We finally got the external SOD evaluation to work. The issue was with the names. We have different names for SAP instances and a target connector. And in our case, it returns risks only with a target connector name.


Maybe this will help someone else as well:

You can take almost all the needed parameters while making a user-level simulation in SAP GRC:


When running a user-level simulation in GRC, the following parameters should be defined. The Saviynt parameters are in brackets:

  1. System (target connector name = Security System = endpoint name)
  2. User (ObjID = SAP account name, in Saviynt log you will see a username)
  3. Risk level (RISK_LEVEL, 0 – Medium, 1 – High, 2 – Low, 3 – Critical)
  4. Rule set (RULE_SET_ID), in UPPER case
  5. Format (REPORT_FORMAT, 2 – Detail)
  6. Type (REPORT_TYPE, 02 – Permission Level)
  7. Additional Criteria (ADDL_ATTRIB, 05 – Include Mitigated Risks)

Application entry under

#SOD Performance Configurations

sod.endpoints=name of the SAP endpoint


sod.endpoints is not mandatory. If you do not specify any endpoints in the file, all the endpoints that are available in EIC will be considered for evaluation.

sod.entitlement.depth - specify this property to handle the SOD evaluation of the entitlement hierarchy. This is applicable to both SAP and non-SAP applications for which sod.entitlement.depth is added in the file. The entitlement depth can be set to a maximum of 14.

I have also noticed that the order of parameters is important. And don't send empty values in EXTERNAL_SOD_EVAL_JSON; use only those with values, like what Rushikesh posted above.
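
Added example (not part of the original thread and not Saviynt code): in the log from the opening post, the GRC call succeeds, `sodResponse` comes back empty and the request is created anyway, so a connector-name mismatch like the one found above silently disables the SOD control. The Python sketch below groups such log lines per evaluation and flags the case where every evaluation is an empty pass. The function names and the `min_evals` threshold are hypothetical, and the start and end markers are taken from the log excerpt in the post.

```python
import re

# One evaluation, copied from the Saviynt log in the opening post.
ONE_EVAL = """\
integration.SapDataImportService - Function call successful
integration.SapDataImportService - msgreturn = SUCCESS
integration.SapDataImportService - msgstmt = No Violations
integration.SapDataImportService - No data returned
services.JbpmWorkflowService - retmap = [success:true, sodResponse:[], status:true]
services.JbpmWorkflowService - sod not found
services.JbpmWorkflowService - evaluation successful, hence creating request
"""
# Constructed input: the same evaluation repeated, i.e. two requests in a row.
SAMPLE = (ONE_EVAL * 2).splitlines()

FIELD = re.compile(r" - (msgreturn|msgstmt|retmap) = (.*)$")


def parse_evaluations(lines):
    """Group log lines into one dict per external SOD evaluation."""
    evals, cur = [], None
    for line in lines:
        if "Function call successful" in line:
            cur = {"request_created": False}
            evals.append(cur)
        elif cur is not None:
            m = FIELD.search(line)
            if m:
                cur[m.group(1)] = m.group(2).strip()
            elif "hence creating request" in line:
                cur["request_created"] = True
                cur = None
    return evals


def is_empty_pass(ev):
    """GRC call succeeded, zero risks came back, and the request was created."""
    return (ev.get("msgreturn") == "SUCCESS"
            and "sodResponse:[]" in ev.get("retmap", "")
            and ev["request_created"])


def triage(lines, min_evals=2):
    """Flag a control that never fires: every evaluation is an empty pass."""
    evals = parse_evaluations(lines)
    empty = sum(is_empty_pass(e) for e in evals)
    return {"evaluations": len(evals), "empty_pass": empty,
            "never_fires": len(evals) >= min_evals and empty == len(evals)}


if __name__ == "__main__":
    print(triage(SAMPLE))
```

When `never_fires` is true, compare a few of the flagged requests against a user-level simulation in GRC for the same user and roles, as done in the thread.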