08-19-2022 08:05 AM
Hi,
Can anyone help me with SAP GRC integration?
We would like to use an External SOD risk evaluation using an External connection to SAP GRC.
We have created a new security system, its endpoint is named after our SAP instance, and we have created two connections: a SAP Base connection and an External Risk connection.
We added our new endpoint name to sod.endpoints in the external config file and restarted the application.
We also validated the value ENABLE_EXTERNAL_SOD_EVAL in the configuration table.
We also enabled "Show SOD" in the user's SAV Role.
Our External Risk Connection has JSON with the below parameters:
{
"GRAC_IDM_RISK_WOUT_NO_SERVICES":{
"ROLE_TYPE":"",
"USER_GROUP":"",
"OBJECT_TYPE":"USR",
"ORG_LEVEL":"",
"BUSINESS_PROC":"",
"REPORT_TYPE":"02",
"RISK_LEVEL":"",
"RULE_SET_ID":"GLOBAL",
"REPORT_FORMAT":"2",
"USER_TYPE":"",
"SIMULATION_RISK_ONLY":"",
"APPLICATION_TYPE":"SAP",
"HIT_COUNT":"1000",
"LANGUAGE":"EN"
}
}
When we raise an access request, an External SOD evaluation call is sent to SAP GRC and we can see our output parameters in a log:
integration.SapDataImportService - connectorid = |---------|
| TABLE 'GRAC_T_WS_API_CONNECTOR_LST'
|---------|
|CONNECTOR|
|---------|
| |
|---------|
|DS4 |
|---------|
integration.SapDataImportService - objectid = |-----|
| TABLE 'GRAC_T_WS_API_OBJID_LST'
|-----|
|OBJID|
|-----|
| |
|-----|
|4000 |
|-----|
integration.SapDataImportService - simuobjIDTable = |---------|
| TABLE 'GRAC_T_SIMOBJ_LST'
|---------|
|SIMUOBJID|
|---------|
| |
|---------|
|/AIF/ADMI|
|ZED:CAMER|
|---------|
integration.SapDataImportService - simulation = |---------|----------|-------------|-|
| TABLE 'GRAC_T_WS_SIMULATION'
|---------|----------|-------------|-|
|CONNECTOR|SIMUOBTYPE|SIMUOBJID_LST|E|
|---------|----------|-------------|-|
| | | |0|
|---------|----------|-------------|-|
|DS4 |ROL |SIMUOBJID_LST| |
|---------|----------|-------------|-|
It is worth saying that, for the SAP connection, Import and Provisioning work fine.
But we have a problem with the SOD evaluation. The display log in SAP shows "Risk analysis finished successfully", but it always returns "sod not found" even if there should be a list of risks.
If I run the simulation in GRC it shows the list of risks for the respective users and roles.
Here is the log from Saviynt:
integration.SapDataImportService - Function call successful
integration.SapDataImportService - msgreturn = SUCCESS
integration.SapDataImportService - msgstmt = No Violations
integration.SapDataImportService - In success message return
integration.SapDataImportService - No data returned
integration.SapDataImportService - Exit evaluateExternalSod
integration.ExternalConnectionCallService - Exit evaluateExternalSODCall
services.JbpmWorkflowService - evaluationstatus = true
services.JbpmWorkflowService - Success
services.JbpmWorkflowService - retmap = [success:true, sodResponse:[], status:true]
services.JbpmWorkflowService - sod not found
services.JbpmWorkflowService - evaluation successful, hence creating request
Could anyone suggest what else to check?
I went through all the documentation and prerequisites for integrating IDM-SAP and IDM-GRC and noticed that there are three names mentioned which, as I understand it, must match the name of our SAP endpoint. They are:
1. Logical system name defined in SAP CUA
2. SAP client system name in the SAP GRC system - this is not clear to me. I took the SAP instance name.
3. Target connector name defined in SAP GRC. Maybe this is the reason, as our target connector name does not match our endpoint name.
If you use External risk evaluation, could you please check whether your endpoint name matches all these names? How to check a target connector name is described in the section "Prerequisites for Integrating with SAP GRC" in the documentation here https://saviynt.freshdesk.com/support/solutions/articles/43000539903-sap-integration-guide
Our Saviynt version is 5.5 SP3.11
Many thanks to everyone who can help!
08-19-2022 11:10 AM
Pre-requisite:
Here MS-UI is the ruleset name
select name, configdata from configuration where name = 'ENABLE_EXTERNAL_SOD_EVAL';
Value should be 1
08-19-2022 01:11 PM
Thank you for your quick response!
Still getting "msgstmt = No Violations"
Could I also ask what you send in OBJID in TABLE 'GRAC_T_WS_API_OBJID_LST'? Should an account name be there? In my case there is a username.
If there should be an account name, how do I force it to use the account name?
09-12-2022 01:47 AM
We finally got the external SOD evaluation to work. The issue was with the names. We have different names for the SAP instance and the target connector, and in our case it returns risks only with the target connector name.
Maybe it will help someone else too:
You can take almost all the needed parameters from a user-level simulation in SAP GRC:
When running a user-level simulation in GRC, the following parameters should be defined. Here, the Saviynt parameters are in brackets:
Application entry under externalconfig.properties:
#SOD Performance Configurations
sod.endpoints=name of the SAP endpoint
sod.entitlement.depth=2
sod.endpoints is not mandatory. If you do not specify any endpoints in the externalconfig.properties file, all the endpoints that are available in EIC will be considered for evaluation.
sod.entitlement.depth - specify this property to handle the SOD evaluation of the entitlement hierarchy. This is applicable for both SAP and non-SAP applications for which sod.entitlement.depth is added in the externalconfig.properties file. The entitlement depth can be set to a maximum of 14.
I have also noticed that the order of parameters is important. And don't send empty values in EXTERNAL_SOD_EVAL_JSON, so use only those with values, like what Rushikesh posted above.
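The two checks this thread boils down to, as an added Python example that is not part of any post here and not Saviynt or SAP product code: parse the SAP-style ASCII tables that Saviynt writes to its log, confirm that the CONNECTOR value it sends equals the GRC target connector name (the mismatch that produced "No Violations" above), and build the EXTERNAL_SOD_EVAL_JSON payload with empty parameters dropped and the original order kept. The sample log is constructed from the tables quoted in the first post; the endpoint name DS4 is taken from that log, while the target connector name DS4_TARGET is a hypothetical value standing in for whatever your GRC system shows.

```python
"""Offline diagnostics for a Saviynt -> SAP GRC external SOD evaluation call."""
import json
import re

# Constructed sample: the log tables quoted in the thread (not a live capture).
SAMPLE_LOG = """\
integration.SapDataImportService - connectorid = |---------|
| TABLE 'GRAC_T_WS_API_CONNECTOR_LST'
|---------|
|CONNECTOR|
|---------|
| |
|---------|
|DS4 |
|---------|
integration.SapDataImportService - objectid = |-----|
| TABLE 'GRAC_T_WS_API_OBJID_LST'
|-----|
|OBJID|
|-----|
| |
|-----|
|4000 |
|-----|
integration.SapDataImportService - simuobjIDTable = |---------|
| TABLE 'GRAC_T_SIMOBJ_LST'
|---------|
|SIMUOBJID|
|---------|
| |
|---------|
|/AIF/ADMI|
|ZED:CAMER|
|---------|
integration.SapDataImportService - simulation = |---------|----------|-------------|-|
| TABLE 'GRAC_T_WS_SIMULATION'
|---------|----------|-------------|-|
|CONNECTOR|SIMUOBTYPE|SIMUOBJID_LST|E|
|---------|----------|-------------|-|
| | | |0|
|---------|----------|-------------|-|
|DS4 |ROL |SIMUOBJID_LST| |
|---------|----------|-------------|-|
"""

# The EXTERNAL_SOD_EVAL_JSON template from the first post, empty values included.
TEMPLATE = {
    "ROLE_TYPE": "", "USER_GROUP": "", "OBJECT_TYPE": "USR", "ORG_LEVEL": "",
    "BUSINESS_PROC": "", "REPORT_TYPE": "02", "RISK_LEVEL": "",
    "RULE_SET_ID": "GLOBAL", "REPORT_FORMAT": "2", "USER_TYPE": "",
    "SIMULATION_RISK_ONLY": "", "APPLICATION_TYPE": "SAP",
    "HIT_COUNT": "1000", "LANGUAGE": "EN",
}

SEP_RE = re.compile(r"^\|[-|]+\|$")            # |-----|----| separator rows
TABLE_RE = re.compile(r"TABLE '([A-Z0-9_/]+)'")  # | TABLE 'GRAC_T_...' line


def parse_sap_tables(log_text):
    """Return {table_name: [row_dict, ...]} from SAP ASCII tables in a log."""
    tables, name, cols = {}, None, None
    for raw in log_text.splitlines():
        m = TABLE_RE.search(raw)
        if m:                                  # new table starts; header row follows
            name, cols = m.group(1), None
            tables[name] = []
            continue
        if "|" not in raw or name is None:
            continue                           # ordinary log line
        line = raw[raw.index("|"):].strip()    # drop the "service - field = " prefix
        if SEP_RE.match(line):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cols is None:
            cols = cells                       # first non-separator row is the header
        else:
            tables[name].append(dict(zip(cols, cells)))
    return tables


def column_values(tables, table_name, column):
    """Non-empty values of one column, in log order."""
    return [r[column] for r in tables.get(table_name, []) if r.get(column)]


def check_connector_names(tables, endpoint_name, target_connector):
    """Compare the CONNECTOR Saviynt sent with the endpoint and GRC target connector."""
    sent = sorted(set(column_values(tables, "GRAC_T_WS_API_CONNECTOR_LST", "CONNECTOR")
                      + column_values(tables, "GRAC_T_WS_SIMULATION", "CONNECTOR")))
    return {
        "connector_sent": sent,
        "matches_endpoint": sent == [endpoint_name],
        "matches_target_connector": sent == [target_connector],
    }


def build_request(function_name, params):
    """Wrap params under the GRC function name, dropping empty values, order kept."""
    return {function_name: {k: v for k, v in params.items() if v not in ("", None)}}


if __name__ == "__main__":
    tables = parse_sap_tables(SAMPLE_LOG)
    # DS4_TARGET is a hypothetical GRC target connector name (assumption).
    print(check_connector_names(tables, "DS4", "DS4_TARGET"))
    print(json.dumps(build_request("GRAC_IDM_RISK_WOUT_NO_SERVICES", TEMPLATE), indent=2))
```

If `matches_target_connector` is false while `matches_endpoint` is true, you are in the situation described in the solution: GRC evaluates the request against a connector it does not know and reports "No Violations", so rename the endpoint (or the target connector) until the two agree before looking anywhere else.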