sudeshjaiswal
Saviynt Employee

Use Case

How to Use Saviynt as Ticketing System to SAP GRC for SoD validation and last-mile SAP ERP apps account and access provisioning / de-provisioning? 

USE-CASE / FLOW:  

  1. The SAP GRC system is set up in Saviynt as a requestable application with multiple Business Roles for the targeted SAP apps.
  2. The end user requests SAP ‘Business Roles’ from Saviynt, which gives a seamless access process for SAP apps.
  3. Saviynt submits a ‘Request’ to SAP GRC using the SAP GRC SOAP web services.
  4. SAP GRC should return a Request ID in the response to the web service call when a new request is submitted. Saviynt does not make a separate call to get the Request ID.
  5. Saviynt polls the SAP GRC system using the SAP GRC Request ID to retrieve the latest status of the request. Once the request is closed in SAP GRC, all the corresponding Tasks are marked ‘completed’ in Saviynt.

 

Pre-requisites

 

  1. A service account is set up in SAP PI/SAP GRC with read and write access
  • Service account username/password
  2. SAP GRC web services are accessible from the Saviynt system (SC 2.0 client enabled as required)
  3. SAP GRC web services are enabled for access via a service account
  • GRAC_USER_ACCES_WS: User Access Request Service
  • GRAC_REQUEST_STATUS_WS: polls the status of the access request submitted by Saviynt (IDM solution)
  4. A callback is set on the SAP GRC side, where the overall status of the access request is passed on to Saviynt as soon as provisioning is finished. Make sure “EXIT_FROM_GRC=TRUE” is configured in GRC.
  5. SC 2.0 or other connectivity between Saviynt and the customer is set up. The Saviynt application should be able to access the SAP GRC system.


Applicable Version(s)


All (Soap Connector)
 

Solution

 

  1. The following figure illustrates the Saviynt and SAP GRC architecture: the integration with SSM and the communication between SSM and SAP GRC over SOAP web service calls.
  2. The JSON configuration below supports multiple business role access requests via an iterative loop. One ticket is created for a multiple-role access request.
  3. The connection below needs to be set as the “Service Desk Connection” in the Security System in Saviynt.

[Figure: Saviynt and SAP GRC integration architecture]

Configuration: 

Parameters and details:

Connection Type: SOAP

CONNECTIONJSON

{
    "authentications": {
        "login": {
            "properties": {
                "SOAP_ENDPOINT": "https://xxxxx:1443/XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_SAVIYNT&receiverParty=&receiverService=&interface=INTERFACENAME&interfaceNamespace=urn:Kxxxxxx.com:GRC:userAccess",
                "USERNAME": "USERID",
                "PASSWORD": "PASSWORD"
            }
        },
        "ticketlogin": {
            "properties": {
                "SOAP_ENDPOINT": "https://xxxxx:1443/XISOAPAdapter/MessageServlet?senderParty=&senderService=INTERFACENAME&receiverParty=&receiverService=&interface=SI_SAVIYNT_STATUS_OUT&interfaceNamespace=urn:Kxxxxxx.com:GRC:UsrReqStatus",
                "USERNAME": "USERID",
                "PASSWORD": "PASSWORD"
            }
        }
    }
}

CREATEACCOUNTJSON

[
  {
    "CONNECTION": "login",
    "REQUESTXML": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><RequestHeaderData><Reqtype>001</Reqtype><Priority>011</Priority><ReqInitSystem>QTEST100</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><ReqDueDate>${new Date().plus(10).format('yyyyMMdd')}</ReqDueDate><RequestReason>test</RequestReason><Funcarea></Funcarea><Bproc></Bproc></RequestHeaderData><RequestedLineItem>${String rolesStr = '';String startDate=new Date().format('yyyyMMdd');String bprocVal=bproc?.substring(bproc?.indexOf('-')+1,bproc?.length());String endDate='20991231';String empType=user?.employeeclass;int size = entitlementSet?.size();int i = 0;for (String ent : entitlementSet){String tempEnt = ent.indexOf('&') > 0 ? ent.substring(0, ent.indexOf('&') + 1).toUpperCase().concat('amp;').concat(ent.substring(ent.indexOf('&')+1).toUpperCase()) : ent.toUpperCase(); rolesStr=rolesStr+'<item><Emptype>'+empType+'</Emptype><Connector></Connector><ProvType></ProvType><AssignmentType></AssignmentType><ProvStatus></ProvStatus><FfOwner></FfOwner><Comments></Comments><ProvItemType>ROL</ProvItemType><ItemName>'+tempEnt+'</ItemName><ValidFrom>'+startDate+'</ValidFrom><ValidTo>'+endDate+'</ValidTo><ProvAction>006</ProvAction><RoleType>BUS</RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserGroup>${String groups  = '';List lstItemName = ['QTEST','QTEST100','QTEST110','QTEST120'];String groupSelected=userGroup?.toUpperCase();int size = lstItemName.size();int i = 0;for (String ItemId : lstItemName){groups=groups+'<item><UserGroup>'+groupSelected+'</UserGroup><UserGroupDesc>'+groupSelected+'-'+ItemId+'</UserGroupDesc></item>';i++;if(i == size){return groups;}}}</UserGroup><UserInfo><item><Userid>${task.accountName}</Userid><Title></Title><SncName>p:CN=${task.accountName}@CustomerName.com</SncName><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><Email>${user.email}</Email><Manager>${manager.systemUserName}</Manager><Accno></Accno><UserGroup></UserGroup><ValidFrom></ValidFrom><ValidTo></ValidTo><Empposition></Empposition><Empjob></Empjob><Personnelno></Personnelno><Personnelarea></Personnelarea><CommMethod></CommMethod><Fax></Fax><Telnumber></Telnumber><Department></Department><Company></Company><Location></Location><Costcenter></Costcenter><Printer></Printer><Orgunit></Orgunit><Emptype></Emptype><ManagerEmail></ManagerEmail><ManagerFirstname></ManagerFirstname><ManagerLastname></ManagerLastname><StartMenu></StartMenu><LogonLang></LogonLang><DecNotation></DecNotation><DateFormat></DateFormat><Alias></Alias><UserType></UserType><Function></Function></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>",
    "RESPONSEMAPPING": {
      "task.provisioningcomments": "Body.GracIdmUsrAccsReqServicesResponse.MsgReturn.MsgStatement",
      "TASK.TICKETID": "Body.GracIdmUsrAccsReqServicesResponse.RequestNo",
      "SUCCESSMSG": "Body.GracIdmUsrAccsReqServicesResponse.MsgReturn.MsgType"
    },
    "SUCCESSCRITERIA": "SUCCESSMSG=SUCCESS",
    "REQUESTPARAMS": {
      "Content-Type": "text/xml;charset=UTF-8",
      "SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"
    }
  }
]

DELETEACCOUNTJSON

[
  {
    "CONNECTION": "login",
    "REQUESTXML": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><CustomFieldsVal><item><Fieldname></Fieldname><Value></Value></item><item><Fieldname></Fieldname><Value></Value></item></CustomFieldsVal><Language>String 5</Language><Parameter><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item></Parameter><RequestHeaderData><Reqtype>003</Reqtype><Priority>011</Priority><ReqDueDate>${new Date().plus(10).format('yyyyMMdd')}</ReqDueDate><ReqInitSystem>QTEST100</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><RequestReason>New User Demo</RequestReason><Funcarea></Funcarea><Bproc></Bproc></RequestHeaderData><RequestedLineItem>${String rolesStr  = '';List lstItemName = ['QTEST100','QTEST110','QTEST'];int size = lstItemName.size();int i = 0;for (String ItemId : lstItemName){rolesStr=rolesStr+'<item><ItemName>'+ItemId+'</ItemName><Connector>'+ItemId+'</Connector><ProvItemType>SYS</ProvItemType><ProvType></ProvType><AssignmentType></AssignmentType><ProvStatus></ProvStatus><ValidFrom></ValidFrom><ValidTo></ValidTo><FfOwner></FfOwner><Comments></Comments><ProvAction>003</ProvAction><RoleType></RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserGroup><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item></UserGroup><UserInfo><item><Userid>${task.accountName}</Userid><Title></Title><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><SncName></SncName><UnsecSnc></UnsecSnc><Accno></Accno><UserGroup></UserGroup><ValidFrom></ValidFrom><ValidTo></ValidTo><Empposition></Empposition><Empjob></Empjob><Personnelno></Personnelno><Personnelarea></Personnelarea><CommMethod></CommMethod><Fax></Fax><Email>${user.email}</Email><Telnumber></Telnumber><Department></Department><Company></Company><Location></Location><Costcenter></Costcenter><Printer></Printer><Orgunit></Orgunit><Emptype></Emptype><Manager>${manager.systemUserName}</Manager><ManagerEmail>${manager.email}</ManagerEmail><ManagerFirstname>${manager.firstname}</ManagerFirstname><ManagerLastname>${manager.lastname}</ManagerLastname><StartMenu></StartMenu><LogonLang></LogonLang><DecNotation></DecNotation><DateFormat></DateFormat><Alias></Alias><UserType></UserType><Function></Function></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>",
    "RESPONSEMAPPING": {
      "TASK.TICKETID": "Body.GracIdmUsrAccsReqServicesResponse.RequestNo",
      "user.customproperty50": "Body.GracIdmUsrAccsReqServicesResponse.RequestNo"
    },
    "REQUESTPARAMS": {
      "Content-Type": "text/xml;charset=UTF-8",
      "SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"
    }
  }
]

DISABLEACCOUNTJSON

[{"CONNECTION":"login","REQUESTXML":"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><CustomFieldsVal><item><Fieldname></Fieldname><Value></Value></item><item><Fieldname></Fieldname><Value></Value></item></CustomFieldsVal><Language>String 5</Language><Parameter><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item></Parameter><RequestHeaderData><Reqtype>004</Reqtype><Priority>011</Priority><ReqDueDate>${new Date().plus(10).format('yyyyMMdd')}</ReqDueDate><ReqInitSystem>QTEST100</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><RequestReason>New User Demo</RequestReason><Funcarea></Funcarea><Bproc></Bproc></RequestHeaderData><RequestedLineItem>${String rolesStr  = '';List lstItemName = ['QTEST100','QTEST110','QTEST'];int size = lstItemName.size();int i = 0;for (String ItemId : lstItemName){rolesStr=rolesStr+'<item><ItemName>'+ItemId+'</ItemName><Connector>'+ItemId+'</Connector><ProvItemType>SYS</ProvItemType><ProvType></ProvType><AssignmentType></AssignmentType><ProvStatus></ProvStatus><ValidFrom></ValidFrom><ValidTo></ValidTo><FfOwner></FfOwner><Comments></Comments><ProvAction>004</ProvAction><RoleType></RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserGroup><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item></UserGroup><UserInfo><item><Userid>${task.accountName}</Userid><Title></Title><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><SncName></SncName><UnsecSnc></UnsecSnc><Accno></Accno><UserGroup></UserGroup><ValidFrom></ValidFrom><ValidTo></ValidTo><Empposition></Empposition><Empjob></Empjob><Personnelno></Personnelno><Personnelarea></Personnelarea><CommMethod></CommMethod><Fax></Fax><Email>${user.email}</Email><Telnumber></Telnumber><Department></Department><Company></Company><Location></Location><Costcenter></Costcenter><Printer></Printer><Orgunit></Orgunit><Emptype></Emptype><Manager>${manager.systemUserName}</Manager><ManagerEmail>${manager.email}</ManagerEmail><ManagerFirstname>${manager.firstname}</ManagerFirstname><ManagerLastname>${manager.lastname}</ManagerLastname><StartMenu></StartMenu><LogonLang></LogonLang><DecNotation></DecNotation><DateFormat></DateFormat><Alias></Alias><UserType></UserType><Function></Function></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>","RESPONSEMAPPING":{"TASK.TICKETID":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo","user.customproperty50":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo"},"REQUESTPARAMS":{"Content-Type":"text/xml;charset=UTF-8","SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"}}]

ENABLEACCOUNTJSON

[{"CONNECTION":"login","REQUESTXML":"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><CustomFieldsVal><item><Fieldname></Fieldname><Value></Value></item><item><Fieldname></Fieldname><Value></Value></item></CustomFieldsVal><Language>String 5</Language><Parameter><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item></Parameter><RequestHeaderData><Reqtype>005</Reqtype><Priority>011</Priority><ReqDueDate>${new Date().plus(10).format('yyyyMMdd')}</ReqDueDate><ReqInitSystem>QTEST100</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><RequestReason>New User Demo</RequestReason><Funcarea></Funcarea><Bproc></Bproc></RequestHeaderData><RequestedLineItem>${String rolesStr  = '';List lstItemName = ['QTEST100','QTEST110','QTEST'];int size = lstItemName.size();int i = 0;for (String ItemId : lstItemName){rolesStr=rolesStr+'<item><ItemName>'+ItemId+'</ItemName><Connector>'+ItemId+'</Connector><ProvItemType>SYS</ProvItemType><ProvType></ProvType><AssignmentType></AssignmentType><ProvStatus></ProvStatus><ValidFrom></ValidFrom><ValidTo></ValidTo><FfOwner></FfOwner><Comments></Comments><ProvAction>005</ProvAction><RoleType></RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserGroup><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item></UserGroup><UserInfo><item><Userid>${task.accountName}</Userid><Title></Title><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><SncName></SncName><UnsecSnc></UnsecSnc><Accno></Accno><UserGroup></UserGroup><ValidFrom></ValidFrom><ValidTo></ValidTo><Empposition></Empposition><Empjob></Empjob><Personnelno></Personnelno><Personnelarea></Personnelarea><CommMethod></CommMethod><Fax></Fax><Email>${user.email}</Email><Telnumber></Telnumber><Department></Department><Company></Company><Location></Location><Costcenter></Costcenter><Printer></Printer><Orgunit></Orgunit><Emptype></Emptype><Manager>${manager.systemUserName}</Manager><ManagerEmail>${manager.email}</ManagerEmail><ManagerFirstname>${manager.firstname}</ManagerFirstname><ManagerLastname>${manager.lastname}</ManagerLastname><StartMenu></StartMenu><LogonLang></LogonLang><DecNotation></DecNotation><DateFormat></DateFormat><Alias></Alias><UserType></UserType><Function></Function></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>","RESPONSEMAPPING":{"TASK.TICKETID":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo","user.customproperty50":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo"},"REQUESTPARAMS":{"Content-Type":"text/xml;charset=UTF-8","SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"}}]

GRANTACCESSJSON

[{"CONNECTION":"login","REQUESTXML":"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><RequestHeaderData><Reqtype>002</Reqtype><Priority>011</Priority><ReqInitSystem>QTEST</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><ReqDueDate>${new Date().plus(10).format('yyyyMMdd')}</ReqDueDate><RequestReason>test</RequestReason><Funcarea></Funcarea><Bproc></Bproc></RequestHeaderData><RequestedLineItem>${String rolesStr = '';String startDate=new Date().format('yyyyMMdd');String bprocVal=bproc?.substring(bproc?.indexOf('-')+1,bproc?.length());String endDate='20991231';String empType=user?.employeeclass;int size = entitlementSet?.size();int i = 0;for (String ent : entitlementSet){String tempEnt = ent.indexOf('&') > 0 ? ent.substring(0, ent.indexOf('&') + 1).toUpperCase().concat('amp;').concat(ent.substring(ent.indexOf('&')+1).toUpperCase()) : ent.toUpperCase(); rolesStr=rolesStr+'<item><Emptype>'+empType+'</Emptype><Connector></Connector><ProvType></ProvType><AssignmentType></AssignmentType><ProvStatus></ProvStatus><FfOwner></FfOwner><Comments></Comments><ProvItemType>ROL</ProvItemType><ItemName>'+tempEnt+'</ItemName><ValidFrom>'+startDate+'</ValidFrom><ValidTo>'+endDate+'</ValidTo><ProvAction>006</ProvAction><RoleType>BUS</RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserGroup>${String groups  = '';List lstItemName = ['QTEST','QTEST100','QTEST110','QTEST120'];String groupSelected=userGroup?.toUpperCase();int size = lstItemName.size();int i = 0;for (String ItemId : lstItemName){groups=groups+'<item><UserGroup>'+groupSelected+'</UserGroup><UserGroupDesc>'+groupSelected+'-'+ItemId+'</UserGroupDesc></item>';i++;if(i == size){return groups;}}}</UserGroup><UserInfo><item><Userid>${task.accountName}</Userid><Title></Title><SncName>p:CN=${task.accountName}@CUSTOMER.COM</SncName><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><Email>${user.email}</Email><Manager>${manager.systemUserName}</Manager><Accno></Accno><UserGroup></UserGroup><ValidFrom></ValidFrom><ValidTo></ValidTo><Empposition></Empposition><Empjob></Empjob><Personnelno></Personnelno><Personnelarea></Personnelarea><CommMethod></CommMethod><Fax></Fax><Telnumber></Telnumber><Department></Department><Company></Company><Location></Location><Costcenter></Costcenter><Printer></Printer><Orgunit></Orgunit><Emptype></Emptype><ManagerEmail></ManagerEmail><ManagerFirstname></ManagerFirstname><ManagerLastname></ManagerLastname><StartMenu></StartMenu><LogonLang></LogonLang><DecNotation></DecNotation><DateFormat></DateFormat><Alias></Alias><UserType></UserType><Function></Function></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>","RESPONSEMAPPING":{"task.provisioningcomments": "Body.GracIdmUsrAccsReqServicesResponse.MsgReturn.MsgStatement","TASK.TICKETID":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo","SUCCESSMSG" : "Body.GracIdmUsrAccsReqServicesResponse.MsgReturn.MsgType"},"SUCCESSCRITERIA" : "SUCCESSMSG=SUCCESS","REQUESTPARAMS":{"Content-Type":"text/xml;charset=UTF-8","SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"}}]

REVOKEACCESSJSON

[{"CONNECTION":"login","REQUESTXML":"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><RequestHeaderData><Reqtype>002</Reqtype><Priority>011</Priority><ReqInitSystem>QTEST</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><ReqDueDate></ReqDueDate><RequestReason>demo</RequestReason></RequestHeaderData><RequestedLineItem>${String rolesStr = '';String startDate=new Date().format('yyyyMMdd');String bprocVal='';String endDate=new Date().plus(10).format('yyyyMMdd');String empType=user?.employeeclass;int size = entitlementSet?.size();int i = 0;for (String ent : entitlementSet){rolesStr=rolesStr+'<item><Emptype>'+empType+'</Emptype><Connector></Connector><ProvItemType>ROL</ProvItemType><Funcarea>Fixed Assets</Funcarea><Bproc></Bproc><ItemName>'+ent.toUpperCase()+'</ItemName><ValidFrom></ValidFrom><ValidTo></ValidTo><ProvAction>009</ProvAction><RoleType>BUS</RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserInfo><item><Userid>${task.accountName}</Userid><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><SncName>p:CN=${task.accountName}@CUSTOMER.COM</SncName><Email>${user.email}</Email><Manager>${manager.systemUserName}</Manager></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>","RESPONSEMAPPING":{"TASK.TICKETID":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo","user.customproperty50":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo"},"REQUESTPARAMS":{"Content-Type":"text/xml;charset=UTF-8","SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"}}]

TICKETSTATUSJSON

[
  {
    "CONNECTION": "ticketlogin",
    "REQUESTXML": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmRequestStatServices><Language>EN</Language><ReqNo>${TICKETID}</ReqNo></urn:GracIdmRequestStatServices></soapenv:Body></soapenv:Envelope>",
    "CLOSETICKETSTATUS": "OK,COMPLETED",
    "REJECTEDTICKETSTATUS": "ABORTED,FAILED",
    "RESPONSEMAPPING": {
      "TICKETSTATUS": "Body.GracIdmRequestStatServicesResponse.ReqStatus.Reqstatus"
    },
    "REQUESTPARAMS": {
      "Content-Type": "text/xml;charset=UTF-8",
      "SOAPAction": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_REQUEST_STATUS_WS:GracIdmRequestStatServicesRequest",
      "Authorization": "Basic xxxxxxxxxxxxxxxxxxxxxxxxxx=="
    }
  }
]

COMBINEDCREATEREQUEST
 
Specify whether to combine Account and Entitlement provisioning in one

TRUE
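
The CREATEACCOUNTJSON and GRANTACCESSJSON templates above escape only the first '&' in an entitlement name before placing it in <ItemName>. The Python sketch below is an added example, not part of the original article or Saviynt's code: it ports that expression and compares it with escaping every XML-reserved character. The role names are constructed sample values and all function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Reduced <item> template using element names from the page's RequestedLineItem loop.
ITEM = ("<item><Emptype>{emp}</Emptype><ProvItemType>ROL</ProvItemType>"
        "<ItemName>{name}</ItemName><ProvAction>006</ProvAction>"
        "<RoleType>BUS</RoleType></item>")

# Constructed sample entitlement names (not taken from any real system).
SAMPLE_ROLES = ["z_fi&ap_clerk", "z_r&d&ops", "&lead"]


def page_escape(ent):
    """Port of the page's Groovy expression: only the first '&' is escaped,
    and only when it is not the first character (indexOf('&') > 0)."""
    idx = ent.find("&")
    if idx > 0:
        return ent[:idx + 1].upper() + "amp;" + ent[idx + 1:].upper()
    return ent.upper()


def full_escape(ent):
    """Upper-case the name, then escape every '&', '<' and '>'."""
    return escape(ent.upper())


def build_line_items(entitlements, emp_type, escape_fn):
    """Build the <RequestedLineItem> fragment with the chosen ItemName escaping."""
    items = "".join(
        ITEM.format(emp=escape(emp_type), name=escape_fn(ent))
        for ent in entitlements
    )
    return "<RequestedLineItem>" + items + "</RequestedLineItem>"


def parsed_item_names(xml_text):
    """Return the ItemName values an XML parser recovers from the fragment,
    or None when the fragment is not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return [el.text for el in root.iter("ItemName")]


def compare(entitlements, emp_type="Employee"):
    """Map each entitlement to (result with page escaping, result with full escaping)."""
    result = {}
    for ent in entitlements:
        page = parsed_item_names(build_line_items([ent], emp_type, page_escape))
        full = parsed_item_names(build_line_items([ent], emp_type, full_escape))
        result[ent] = (page, full)
    return result


if __name__ == "__main__":
    for ent, (page, full) in compare(SAMPLE_ROLES).items():
        print(f"{ent!r}: page escaping -> {page}, full escaping -> {full}")
```

The same consideration applies to the other interpolated values such as ${user.firstname} and ${user.lastname}, which the templates place into the envelope as-is.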


OUTCOME / RESULTS:

  1. The end user submits an SAP access request in Saviynt, requesting SAP GRC specific ‘Roles’.
  2. Saviynt submits a ‘Request’ in SAP GRC using SAP GRC SOAP web services.
  • The authentication mechanism for the SAP GRC SOAP web services is “Basic authentication with username/password”.
  • SAP GRC returns a Request ID as the response to the web services call. Saviynt does not make a separate call to get the Request ID.
  3. SAP GRC performs preventative risk analysis.
  4. The approval workflow runs in SAP GRC, which includes:
  • Assign mitigation control
  • SAP GRC performs detective SOD checks
  • Maintain mitigating control
  5. SAP GRC provisions the approved access to SAP.
  6. Saviynt polls the SAP GRC system using the SAP GRC Request ID to get the status of the request. Once the request is closed in SAP GRC, all the corresponding Tasks are marked ‘completed’ in Saviynt.
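
The submit and poll steps above depend on RESPONSEMAPPING, SUCCESSCRITERIA, CLOSETICKETSTATUS and REJECTEDTICKETSTATUS from the configuration. The Python sketch below is an added example, not Saviynt's implementation: it assumes a dotted mapping path is resolved by element local name starting below the SOAP Envelope and that status values are compared as exact, trimmed strings. The response documents are constructed from the mapping paths and are not captured SAP GRC output; the outcome labels and function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Values copied from CREATEACCOUNTJSON and TICKETSTATUSJSON on this page.
CREATE_MAPPING = {
    "task.provisioningcomments": "Body.GracIdmUsrAccsReqServicesResponse.MsgReturn.MsgStatement",
    "TASK.TICKETID": "Body.GracIdmUsrAccsReqServicesResponse.RequestNo",
    "SUCCESSMSG": "Body.GracIdmUsrAccsReqServicesResponse.MsgReturn.MsgType",
}
STATUS_MAPPING = {"TICKETSTATUS": "Body.GracIdmRequestStatServicesResponse.ReqStatus.Reqstatus"}
SUCCESSCRITERIA = "SUCCESSMSG=SUCCESS"
CLOSETICKETSTATUS = "OK,COMPLETED"
REJECTEDTICKETSTATUS = "ABORTED,FAILED"

# Constructed responses (assumed shape, derived only from the mapping paths).
ENVELOPE = ('<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap-env:Body>{body}</soap-env:Body></soap-env:Envelope>')
NS = 'xmlns:n0="urn:sap-com:document:sap:soap:functions:mc-style"'


def submit_response(msg_type, statement, request_no):
    body = (f"<n0:GracIdmUsrAccsReqServicesResponse {NS}><MsgReturn>"
            f"<MsgType>{msg_type}</MsgType><MsgStatement>{statement}</MsgStatement>"
            f"</MsgReturn><RequestNo>{request_no}</RequestNo>"
            "</n0:GracIdmUsrAccsReqServicesResponse>")
    return ENVELOPE.format(body=body)


def status_response(status):
    body = (f"<n0:GracIdmRequestStatServicesResponse {NS}><ReqStatus>"
            f"<Reqstatus>{status}</Reqstatus></ReqStatus>"
            "</n0:GracIdmRequestStatServicesResponse>")
    return ENVELOPE.format(body=body)


def resolve(xml_text, path):
    """Follow a dotted path of element local names below the Envelope.
    Returns the trimmed text, or None when any step is missing."""
    node = ET.fromstring(xml_text)
    for name in path.split("."):
        node = next((c for c in node if c.tag.rsplit("}", 1)[-1] == name), None)
        if node is None:
            return None
    return (node.text or "").strip()


def map_response(xml_text, mapping):
    return {target: resolve(xml_text, path) for target, path in mapping.items()}


def submit_outcome(xml_text):
    """A ticket is opened only if SUCCESSCRITERIA holds and a Request ID came back."""
    mapped = map_response(xml_text, CREATE_MAPPING)
    key, _, expected = SUCCESSCRITERIA.partition("=")
    ticket_id = mapped.get("TASK.TICKETID") or None
    ok = mapped.get(key) == expected and ticket_id is not None
    return ("TICKET_OPEN" if ok else "SUBMIT_FAILED"), ticket_id


def poll_outcome(xml_text):
    """Classify one polled status; anything not listed keeps the task pending."""
    status = map_response(xml_text, STATUS_MAPPING)["TICKETSTATUS"]
    if status in CLOSETICKETSTATUS.split(","):
        return "COMPLETED"
    if status in REJECTEDTICKETSTATUS.split(","):
        return "REJECTED"
    return "PENDING"


if __name__ == "__main__":
    print(submit_outcome(submit_response("SUCCESS", "Request created", "9000001234")))
    print(submit_outcome(submit_response("ERROR", "User is locked", "")))
    for s in ("PENDING", "OK", "FAILED"):
        print(s, "->", poll_outcome(status_response(s)))
```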

References

Access Request Web Service WSDL

Comments
Sonam_Chikorde
New Contributor

@sudeshjaiswal, @Rishi 

We are trying to configure the External Risks Evaluation and Access Provisioning Using SAP GRC.

In the connection JSON, SOAP_ENDPOINT for Access Request and Request status are provided as below:

"SOAP_ENDPOINT": "https://IPADDRESSS:1443/XISOAPAdapter/MessageServlet?senderParty\n\n=&senderService=BC_SAVIYNT&receiverParty=&receiverService=&interface=INTERFACENAME\n\n&interfaceNamespace=urn:Kxxxxxx.com:GRC:userAccess"

"SOAP_ENDPOINT": "https://IPADDRESSS:1443/XISOAPAdapter/MessageServlet?senderParty=&senderService=INTERFACENAME\n\n&receiverParty=&receiverService=&interface=SI_SAVIYNT_STATUS_OUT&interfaceNamespace=urn:Kxxxxxx.com:\n\nGRC:UsrReqStatus"

We tried using the SOAP_ENDPOINT URL as below; however, the test connection was not successful.
https://<host:port>/sap/bc/srt/rfc/sap/grac_user_acces_ws/100/grac_user_access_ws/grac_user_access_ws

Should only "https://IPADDRESSS:1443/XISOAPAdapter/MessageServlet?senderParty\n\n=&senderService=BC_SAVIYNT&receiverParty=&receiverService=&interface=INTERFACENAME\n\n&interfaceNamespace=urn:Kxxxxxx.com:GRC:userAccess",

XISOAPAdapter type of URLs be used?

sudeshjaiswal
Saviynt Employee

@Sonam_Chikorde, yes, you have to use "XISOAPAdapter" in the URL, as mentioned in the above connection JSON.

Sonam_Chikorde
New Contributor

@sudeshjaiswal, Thank you for the updates.

SeShoSama
New Contributor

Hi Sudeshjaiswal, thanks, nice share, it helped us a lot. Just FYI, it doesn't have to be XISOAPAdapter in the URL; as long as the GRC web service URL can be hit and gets a success response from Postman, it's possible. It ran successfully on my connection using sap-client in the URL (without XISOAPAdapter as in the sample).

Thx

sudeshjaiswal
Saviynt Employee

Hello @SeShoSama,

Thank you for confirming. This information will be useful for others too.

shruanand24
New Contributor

Hello @sudeshjaiswal 

 

We are using Saviynt as a Ticketing System to SAP GRC for SoD validation and hence connecting to SAP GRC using the SOAP connector. There is a requirement to send the user's termination date to the 'valid to' field of the user detail in SAP GRC. To accommodate this requirement, we are utilizing ${user.termDate} in the Create Account and Update Account payload of the SAP GRC connector. However, it is observed that upon new account ticket creation in GRC, the 'valid to' field is populated with a default 99991231 value, and not with the termination date selected in the user profile of Saviynt.

Please recommend a solution/binding value to pass the term date to GRC.

 
sudeshjaiswal
Saviynt Employee

Hello @shruanand24,

Can you please check on the SAP GRC end what payload is being received on the target end?
Is the ${user.termDate} value being passed by Saviynt in the payload sent to the target?

Or you can try to set the termdate in one of the customproperty fields and try it (just for your test).

Thanks

asp
Regular Contributor II

Hello @sudeshjaiswal 

In this set up, how are the SAP GRC roles imported into EIC? There is no SOAP webservice on the GRC side that we can call to extract roles and role data. 

asp
Regular Contributor II

Hi @sudeshjaiswal - Can you please elaborate on how the existing GRC role assignments to users can be pulled from this SOAP connector? Also, pulling all SAP GRC roles into EIC? Thank you.

sudeshjaiswal
Saviynt Employee

Hi @asp,

You can achieve this scenario by configuring the SAP ECC Connector and import all the user to role mapping and all the granular role information from SAP GRC.

Thanks,

Version history
Last update:
‎04/02/2024 11:06 AM