Announcing the Saviynt Knowledge Exchange unifying the Saviynt forums, documentation, training,
and more in a single search tool across platforms. Read the announcement here.
This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
No ratings

Using Saviynt as a Ticketing System for SAP GRC

sudeshjaiswal
Saviynt Employee
Saviynt Employee

‎08/06/2023 08:56 PM - edited ‎04/02/2024 11:06 AM

Use Case

How to Use Saviynt as Ticketing System to SAP GRC for SoD validation and last-mile SAP ERP apps account and access provisioning / de-provisioning? 

USE-CASE / FLOW:  

  1. SAP GRC system in Saviynt is a requestable application with multiple Business Roles for targeted SAP Apps
  2. End-User will request SAP ‘Business Roles’ from Saviynt as seamless access process for SAP Apps
  3. Saviynt will submit a ‘Request’ to SAP GRC using SAP GRC SOAP webservices
  4. SAP GRC should return a Request ID as the response to the web service call when a new request is submitted. Saviynt will not make a separate call to get the request ID
  5. Saviynt will poll the SAP GRC system using the SAP GRC Request ID to retrieve the latest status of the request. Once the request is closed in, all the corresponding Tasks will be marked ‘completed’ in Saviynt.

 

Pre-requisites

 

 1.  Setup of Service Account in SAPPI/SAP GRC. (Read & Write)

  • Service account Username/Password

2. SAP GRC Web Services are accessible from Saviynt System (enabled SC 2.0 client as required)

3. SAP GRC webservices enabled for accessing via a Service account 

  • GRAC_USER_ACCES_WS: User Access Request Service
  • GRAC_REQUEST_STATUS_WS: Polling the status access request submitted by Saviynt (IDM solution)

 4. A callback is set at the SAP GRC side, where the overall status of the access request is passed on to Saviynt as soon as provisioning is finished.  Make sure “EXIT_FROM_GRC=TRUE is configured in GRC

 5. SC2.0 or connectivity between Saviynt and Customer is set up. Saviynt application should be able to access the SAP GRC system


Applicable Version(s)


All (Soap Connector)
 

Solution

 

  1. The following figure illustrates the Saviynt SAP GRC architecture and integration with SSM and communication between SSM and SAP GRC using the SOAP web service call
  2. Below JSON configuration supports multiple business role access requests via an iterative loop. One ticket gets created for multiple-role access
  3. Below connection needs to be set as “Service Desk Connection” in Security System in Saviynt

sudeshjaiswal_0-1689144216999.png

Configuration: 

Parameters

Details

Connection Type

SOAP

CONNECTIONJSON

{

    "authentications":{

        "login":{

            "properties":{

                   "SOAP_ENDPOINT":"https://xxxxx:1443/XISOAPAdapter/MessageServlet?senderParty

                                                                =&senderService=BC_SAVIYNT&receiverParty=&receiverService=&interface=INTERFACENAME

                                                                &interfaceNamespace=urn:Kxxxxxx.com:GRC:userAccess",

                   "USERNAME":"USERID",

                   "PASSWORD":"PASSWORD"

 

            }

        },

        "ticketlogin":{

            "properties":{

                   "SOAP_ENDPOINT":"https:// xxxxx:1443/XISOAPAdapter/MessageServlet?senderParty=&senderService=INTERFACENAME

                                                                &receiverParty=&receiverService=&interface=SI_SAVIYNT_STATUS_OUT&interfaceNamespace=urn:Kxxxxxx.com:

                                                                GRC:UsrReqStatus",

                   "USERNAME":"USERID",

                   "PASSWORD":"PASSWORD"

            }

        }

    }

}

CREATEACCOUNTJSON

[

  {

    "CONNECTION": "login",

    "REQUESTXML": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header>

</soapenv:Header>

<soapenv:Body>

<urn:GracIdmUsrAccsReqServices>

<RequestHeaderData>

<Reqtype>001</Reqtype>

<Priority>011</Priority>

<ReqInitSystem>QTEST100</ReqInitSystem>

<Requestorid>${manager.systemUserName}</Requestorid>

<Email>${requestor.email}</Email>

<ReqDueDate>${new Date().plus(10).format('yyyyMMdd')}</ReqDueDate><RequestReason>test</RequestReason><Funcarea></Funcarea><Bproc></Bproc></RequestHeaderData><RequestedLineItem>${String rolesStr = '';String startDate=new Date().format('yyyyMMdd');String bprocVal=bproc?.substring(bproc?.indexOf('-')+1,bproc?.length());String endDate='20991231';String empType=user?.employeeclass;int size = entitlementSet?.size();int i = 0;for (String ent : entitlementSet){String tempEnt = ent.indexOf('&') > 0 ? ent.substring(0, ent.indexOf('&') + 1).toUpperCase().concat('amp;').concat(ent.substring(ent.indexOf('&')+1).toUpperCase()) : ent.toUpperCase(); rolesStr=rolesStr+'<item>

<Emptype>'+empType+'</Emptype>

<Connector></Connector>

<ProvType></ProvType>

<AssignmentType></AssignmentType>

<ProvStatus></ProvStatus>

<FfOwner></FfOwner>

<Comments></Comments>

<ProvItemType>ROL</ProvItemType>

<ItemName>'+tempEnt+'</ItemName><ValidFrom>'+startDate+'</ValidFrom><ValidTo>'+endDate+'</ValidTo><ProvAction>006</ProvAction><RoleType>BUS</RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem>

<UserGroup>${String groups  = '';List lstItemName = ['QTEST','QTEST100','QTEST110','QTEST120'];String groupSelected=userGroup?.toUpperCase();int size = lstItemName.size();int i = 0;for (String ItemId : lstItemName){groups=groups+'<item><UserGroup>'+groupSelected+'</UserGroup><UserGroupDesc>'+groupSelected+'-'+ItemId+'</UserGroupDesc></item>';i++;if(i == size){return groups;}}}</UserGroup>

<UserInfo>

<item>

<Userid>${task.accountName}</Userid>

<Title>

</Title>

<SncName>p:CN=${task.accountName}@CustomerName.com </SncName>

<Fname>${user.firstname}</Fname>

<Lname>${user.lastname}</Lname>

<Email>${user.email}</Email>

<Manager>${manager.systemUserName}</Manager>

<Accno></Accno>

<UserGroup></UserGroup>

<ValidFrom></ValidFrom>

<ValidTo></ValidTo>

<Empposition></Empposition>

<Empjob></Empjob><Personnelno>

</Personnelno><Personnelarea></Personnelarea><CommMethod></CommMethod><Fax></Fax><Telnumber></Telnumber><Department></Department><Company></Company><Location></Location><Costcenter></Costcenter><Printer></Printer><Orgunit></Orgunit><Emptype></Emptype><ManagerEmail></ManagerEmail><ManagerFirstname></ManagerFirstname><ManagerLastname></ManagerLastname><StartMenu></StartMenu><LogonLang></LogonLang><DecNotation></DecNotation><DateFormat></DateFormat><Alias></Alias><UserType></UserType><Function></Function></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>",

    "RESPONSEMAPPING": {

      "task.provisioningcomments": "Body.GracIdmUsrAccsReqServicesResponse.MsgReturn.MsgStatement",

      "TASK.TICKETID": "Body.GracIdmUsrAccsReqServicesResponse.RequestNo",

      "SUCCESSMSG": "Body.GracIdmUsrAccsReqServicesResponse.MsgReturn.MsgType"

    },

    "SUCCESSCRITERIA": "SUCCESSMSG=SUCCESS",

    "REQUESTPARAMS": {

      "Content-Type": "text/xml;charset=UTF-8",

      "SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"

    }

  }

]

DELETEACCOUNTJSON

[

  {

    "CONNECTION": "login",

    "REQUESTXML": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><CustomFieldsVal><item><Fieldname></Fieldname><Value></Value></item><item><Fieldname></Fieldname><Value></Value></item></CustomFieldsVal><Language>String 5</Language><Parameter><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item></Parameter><RequestHeaderData><Reqtype>003</Reqtype><Priority>011</Priority><ReqDueDate>${new Date().plus(10).format('yyyyMMdd')}</ReqDueDate><ReqInitSystem>QTEST100</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><RequestReason>New User Demo</RequestReason><Funcarea></Funcarea><Bproc></Bproc></RequestHeaderData><RequestedLineItem>${String rolesStr  = '';List lstItemName = ['QTEST100','QTEST110','QTEST'];int size = lstItemName.size();int i = 0;for (String ItemId : lstItemName){rolesStr=rolesStr+'<item><ItemName>'+ItemId+'</ItemName><Connector>'+ItemId+'</Connector><ProvItemType>SYS</ProvItemType><ProvType></ProvType><AssignmentType></AssignmentType><ProvStatus></ProvStatus><ValidFrom></ValidFrom><ValidTo></ValidTo><FfOwner></FfOwner><Comments></Comments><ProvAction>003</ProvAction><RoleType></RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserGroup><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item></UserGroup><UserInfo><item><Userid>${task.accountName}</Userid><Title></Title><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><SncName></SncName><UnsecSnc></UnsecSnc><Accno></Accno><UserGroup></UserGroup><ValidFrom></ValidFrom><ValidTo></ValidTo><Empposition></Empposition><Empjob></Empjob><Personnelno></Personnelno><Personnelarea></Personnelarea><CommMethod></CommMethod><Fax></Fax><Email>${user.email}</Email><Telnumber></Telnumber><Department></Department><Company></Company><Location></Location><Costcenter></Costcenter><Printer></Printer><Orgunit></Orgunit><Emptype></Emptype><Manager>${manager.systemUserName}</Manager><ManagerEmail>${manager.email}</ManagerEmail><ManagerFirstname>${manager.firstname}</ManagerFirstname><ManagerLastname>${manager.lastname}</ManagerLastname><StartMenu></StartMenu><LogonLang></LogonLang><DecNotation></DecNotation><DateFormat></DateFormat><Alias></Alias><UserType></UserType><Function></Function></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>",

    "RESPONSEMAPPING": {

      "TASK.TICKETID": "Body.GracIdmUsrAccsReqServicesResponse.RequestNo",

      "user.customproperty50": "Body.GracIdmUsrAccsReqServicesResponse.RequestNo"

    },

    "REQUESTPARAMS": {

      "Content-Type": "text/xml;charset=UTF-8",

      "SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"

    }

  }

]

DISABLEACCOUNTJSON

[{"CONNECTION":"login","REQUESTXML":"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><CustomFieldsVal><item><Fieldname></Fieldname><Value></Value></item><item><Fieldname></Fieldname><Value></Value></item></CustomFieldsVal><Language>String 5</Language><Parameter><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item></Parameter><RequestHeaderData><Reqtype>004</Reqtype><Priority>011</Priority><ReqDueDate>${new Date().plus(10).format('yyyyMMdd')}</ReqDueDate><ReqInitSystem>QTEST100</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><RequestReason>New User Demo</RequestReason><Funcarea></Funcarea><Bproc></Bproc></RequestHeaderData><RequestedLineItem>${String rolesStr  = '';List lstItemName = ['QTEST100','QTEST110','QTEST'];int size = lstItemName.size();int i = 0;for (String ItemId : lstItemName){rolesStr=rolesStr+'<item><ItemName>'+ItemId+'</ItemName><Connector>'+ItemId+'</Connector><ProvItemType>SYS</ProvItemType><ProvType></ProvType><AssignmentType></AssignmentType><ProvStatus></ProvStatus><ValidFrom></ValidFrom><ValidTo></ValidTo><FfOwner></FfOwner><Comments></Comments><ProvAction>004</ProvAction><RoleType></RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserGroup><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item></UserGroup><UserInfo><item><Userid>${task.accountName}</Userid><Title></Title><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><SncName></SncName><UnsecSnc></UnsecSnc><Accno></Accno><UserGroup></UserGroup><ValidFrom></ValidFrom><ValidTo></ValidTo><Empposition></Empposition><Empjob></Empjob><Personnelno></Personnelno><Personnelarea></Personnelarea><CommMethod></CommMethod><Fax></Fax><Email>${user.email}</Email><Telnumber></Telnumber><Department></Department><Company></Company><Location></Location><Costcenter></Costcenter><Printer></Printer><Orgunit></Orgunit><Emptype></Emptype><Manager>${manager.systemUserName}</Manager><ManagerEmail>${manager.email}</ManagerEmail><ManagerFirstname>${manager.firstname}</ManagerFirstname><ManagerLastname>${manager.lastname}</ManagerLastname><StartMenu></StartMenu><LogonLang></LogonLang><DecNotation></DecNotation><DateFormat></DateFormat><Alias></Alias><UserType></UserType><Function></Function></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>","RESPONSEMAPPING":{"TASK.TICKETID":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo","user.customproperty50":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo"},"REQUESTPARAMS":{"Content-Type":"text/xml;charset=UTF-8","SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"}}]

ENABLEACCOUNTJSON

[{"CONNECTION":"login","REQUESTXML":"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><CustomFieldsVal><item><Fieldname></Fieldname><Value></Value></item><item><Fieldname></Fieldname><Value></Value></item></CustomFieldsVal><Language>String 5</Language><Parameter><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item><item><Parameter></Parameter><ParameterValue></ParameterValue><ParameterDesc></ParameterDesc></item></Parameter><RequestHeaderData><Reqtype>005</Reqtype><Priority>011</Priority><ReqDueDate>${new Date().plus(10).format('yyyyMMdd')}</ReqDueDate><ReqInitSystem>QTEST100</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><RequestReason>New User Demo</RequestReason><Funcarea></Funcarea><Bproc></Bproc></RequestHeaderData><RequestedLineItem>${String rolesStr  = '';List lstItemName = ['QTEST100','QTEST110','QTEST'];int size = lstItemName.size();int i = 0;for (String ItemId : lstItemName){rolesStr=rolesStr+'<item><ItemName>'+ItemId+'</ItemName><Connector>'+ItemId+'</Connector><ProvItemType>SYS</ProvItemType><ProvType></ProvType><AssignmentType></AssignmentType><ProvStatus></ProvStatus><ValidFrom></ValidFrom><ValidTo></ValidTo><FfOwner></FfOwner><Comments></Comments><ProvAction>005</ProvAction><RoleType></RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserGroup><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item><item><UserGroup></UserGroup><UserGroupDesc></UserGroupDesc></item></UserGroup><UserInfo><item><Userid>${task.accountName}</Userid><Title></Title><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><SncName></SncName><UnsecSnc></UnsecSnc><Accno></Accno><UserGroup></UserGroup><ValidFrom></ValidFrom><ValidTo></ValidTo><Empposition></Empposition><Empjob></Empjob><Personnelno></Personnelno><Personnelarea></Personnelarea><CommMethod></CommMethod><Fax></Fax><Email>${user.email}</Email><Telnumber></Telnumber><Department></Department><Company></Company><Location></Location><Costcenter></Costcenter><Printer></Printer><Orgunit></Orgunit><Emptype></Emptype><Manager>${manager.systemUserName}</Manager><ManagerEmail>${manager.email}</ManagerEmail><ManagerFirstname>${manager.firstname}</ManagerFirstname><ManagerLastname>${manager.lastname}</ManagerLastname><StartMenu></StartMenu><LogonLang></LogonLang><DecNotation></DecNotation><DateFormat></DateFormat><Alias></Alias><UserType></UserType><Function></Function></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>","RESPONSEMAPPING":{"TASK.TICKETID":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo","user.customproperty50":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo"},"REQUESTPARAMS":{"Content-Type":"text/xml;charset=UTF-8","SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"}}]

GRANTACCESSJSON

[{"CONNECTION":"login","REQUESTXML":"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><RequestHeaderData><Reqtype>002</Reqtype><Priority>011</Priority><ReqInitSystem>QTEST</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><ReqDueDate>${new Date().plus(10).format('yyyyMMdd')}</ReqDueDate><RequestReason>test</RequestReason><Funcarea></Funcarea><Bproc></Bproc></RequestHeaderData><RequestedLineItem>${String rolesStr = '';String startDate=new Date().format('yyyyMMdd');String bprocVal=bproc?.substring(bproc?.indexOf('-')+1,bproc?.length());String endDate='20991231';String empType=user?.employeeclass;int size = entitlementSet?.size();int i = 0;for (String ent : entitlementSet){String tempEnt = ent.indexOf('&') > 0 ? ent.substring(0, ent.indexOf('&') + 1).toUpperCase().concat('amp;').concat(ent.substring(ent.indexOf('&')+1).toUpperCase()) : ent.toUpperCase(); rolesStr=rolesStr+'<item><Emptype>'+empType+'</Emptype><Connector></Connector><ProvType></ProvType><AssignmentType></AssignmentType><ProvStatus></ProvStatus><FfOwner></FfOwner><Comments></Comments><ProvItemType>ROL</ProvItemType><ItemName>'+tempEnt+'</ItemName><ValidFrom>'+startDate+'</ValidFrom><ValidTo>'+endDate+'</ValidTo><ProvAction>006</ProvAction><RoleType>BUS</RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserGroup>${String groups  = '';List lstItemName = ['QTEST','QTEST100','QTEST110','QTEST120'];String groupSelected=userGroup?.toUpperCase();int size = lstItemName.size();int i = 0;for (String ItemId : lstItemName){groups=groups+'<item><UserGroup>'+groupSelected+'</UserGroup><UserGroupDesc>'+groupSelected+'-'+ItemId+'</UserGroupDesc></item>';i++;if(i == size){return groups;}}}</UserGroup><UserInfo><item><Userid>${task.accountName}</Userid><Title ></Title><SncName>p:CN=${task.accountName}@CUSTOMER.COM</SncName><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><Email>${user.email}</Email><Manager>${manager.systemUserName}</Manager><Accno></Accno><UserGroup></UserGroup><ValidFrom></ValidFrom><ValidTo></ValidTo><Empposition></Empposition><Empjob></Empjob><Personnelno></Personnelno><Personnelarea></Personnelarea><CommMethod></CommMethod><Fax></Fax><Telnumber></Telnumber><Department></Department><Company></Company><Location></Location><Costcenter></Costcenter><Printer></Printer><Orgunit></Orgunit><Emptype></Emptype><ManagerEmail></ManagerEmail><ManagerFirstname></ManagerFirstname><ManagerLastname></ManagerLastname><StartMenu></StartMenu><LogonLang></LogonLang><DecNotation></DecNotation><DateFormat></DateFormat><Alias></Alias><UserType></UserType><Function></Function></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>","RESPONSEMAPPING":{"task.provisioningcomments": "Body.GracIdmUsrAccsReqServicesResponse.MsgReturn.MsgStatement","TASK.TICKETID":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo","SUCCESSMSG" : "Body.GracIdmUsrAccsReqServicesResponse.MsgReturn.MsgType"},"SUCCESSCRITERIA" : "SUCCESSMSG=SUCCESS","REQUESTPARAMS":{"Content-Type":"text/xml;charset=UTF-8","SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"}}]

REVOKEACCESSJSON

[{"CONNECTION":"login","REQUESTXML":"<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmUsrAccsReqServices><RequestHeaderData><Reqtype>002</Reqtype><Priority>011</Priority><ReqInitSystem>QTEST</ReqInitSystem><Requestorid>${manager.systemUserName}</Requestorid><Email>${requestor.email}</Email><ReqDueDate></ReqDueDate><RequestReason>demo</RequestReason></RequestHeaderData><RequestedLineItem>${String rolesStr = '';String startDate=new Date().format('yyyyMMdd');String bprocVal='';String endDate=new Date().plus(10).format('yyyyMMdd');String empType=user?.employeeclass;int size = entitlementSet?.size();int i = 0;for (String ent : entitlementSet){rolesStr=rolesStr+'<item><Emptype>'+empType+'</Emptype><Connector></Connector><ProvItemType>ROL</ProvItemType><Funcarea>Fixed Assets</Funcarea><Bproc></Bproc><ItemName>'+ent.toUpperCase()+'</ItemName><ValidFrom></ValidFrom><ValidTo></ValidTo><ProvAction>009</ProvAction><RoleType>BUS</RoleType></item>';i++;if(i == size){return rolesStr;}}}</RequestedLineItem><UserInfo><item><Userid>${task.accountName}</Userid><Fname>${user.firstname}</Fname><Lname>${user.lastname}</Lname><SncName>p:CN=${task.accountName}@CUSTOMER.COM</SncName><Email>${user.email}</Email><Manager>${manager.systemUserName}</Manager></item></UserInfo></urn:GracIdmUsrAccsReqServices></soapenv:Body></soapenv:Envelope>","RESPONSEMAPPING":{"TASK.TICKETID":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo","user.customproperty50":"Body.GracIdmUsrAccsReqServicesResponse.RequestNo"},"REQUESTPARAMS":{"Content-Type":"text/xml;charset=UTF-8","SOAPAction ": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_USER_ACCES_WS:GracIdmUsrAccsReqServicesRequest"}}]

TICKETSTATUSJSON

[

  {

    "CONNECTION": "ticketlogin",

    "REQUESTXML": "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"     xmlns:urn=\"urn:sap-com:document:sap:soap:functions:mc-style\"><soapenv:Header></soapenv:Header><soapenv:Body><urn:GracIdmRequestStatServices><Language>EN</Language><ReqNo>${TICKETID}</ReqNo></urn:GracIdmRequestStatServices></soapenv:Body></soapenv:Envelope>",

    "CLOSETICKETSTATUS": "OK,COMPLETED",

    "REJECTEDTICKETSTATUS": "ABORTED,FAILED",

    "RESPONSEMAPPING": {

      "TICKETSTATUS": "Body.GracIdmRequestStatServicesResponse.ReqStatus.Reqstatus"

    },

    "REQUESTPARAMS": {

      "Content-Type": "text/xml;charset=UTF-8",

      "SOAPAction": "urn:sap-com:document:sap:soap:functions:mc-style:GRAC_REQUEST_STATUS_WS:GracIdmRequestStatServicesRequest",

      "Authorization": "Basic xxxxxxxxxxxxxxxxxxxxxxxxxx=="

    }

  }

]

COMBINEDCREATEREQUEST
 Specify whether to combine Account and Entitlement provisioning in one

TRUE


OUTCOME / RESULTS:

  1. End-User Submits request for an SAP access request in Saviynt. User will request SAP GRC specific ‘Roles’ in Saviynt
  2. Saviynt will submit a ‘Request’ in SAP GRC using SAP GRC SOAP web services
  • The authentication mechanism for the SAP GRC SOAP web services would be “Basic authentication with username/password”
  • SAP GRC would return a Request ID as the response to the web services call. Saviynt will not make a separate call to get the request ID.
  1. SAP GRC performs preventative risk analysis 
  2. Approval workflow in SAP GRC which includes
  • Assign mitigation control
  • SAP GRC performs detective SOD checks
  • Maintain mitigating control
  1. SAP GRC provisions the approved access to SAP
  2. Saviynt will poll the SAP GRC system using the SAP GRC Request ID to get the status of the request. Once the request is closed in SAP GRC, all the corresponding Tasks will be marked ‘completed’ in Saviynt

References

Access Request Web Service WSDL

Labels:
Comments
Sonam_Chikorde
New Contributor
New Contributor
‎08/10/2023 07:29 AM

@sudeshjaiswal, @Rishi 

We trying to configure the External Risks Evaluation and Access Provisioning Using SAP GRC

In the connection JSON, SOAP_ENDPOINT for Access Request and Request status are provided as below:

"SOAP_ENDPOINT": "https://IPADDRESSS:1443/XISOAPAdapter/MessageServlet?senderParty\n\n=&senderService=BC_SAVIYNT&receiverParty=&receiverService=&interface=INTERFACENAME\n\n&interfaceNamespace=urn:Kxxxxxx.com:GRC:userAccess"

"SOAP_ENDPOINT": "https://IPADDRESSS:1443/XISOAPAdapter/MessageServlet?senderParty=&senderService=INTERFACENAME\n\n&receiverParty=&receiverService=&interface=SI_SAVIYNT_STATUS_OUT&interfaceNamespace=urn:Kxxxxxx.com:\n\nGRC:UsrReqStatus"

We tried using SOAP_ENDPOINT url as below, however test connection not successful.
https://<host:port>/sap/bc/srt/rfc/sap/grac_user_acces_ws/100/grac_user_access_ws/grac_user_access_ws

Does only "https://IPADDRESSS:1443/XISOAPAdapter/MessageServlet?senderParty\n\n=&senderService=BC_SAVIYNT&receiverParty=&receiverService=&interface=INTERFACENAME\n\n&interfaceNamespace=urn:Kxxxxxx.com:GRC:userAccess",

XISOAPAdapter type of urls should be used?

sudeshjaiswal
Saviynt Employee
Saviynt Employee
‎08/10/2023 08:18 AM

@Sonam_Chikorde,  Yes,  You have to use "XISOAPAdapter" in the url, As mentioned in above connection json.

Sonam_Chikorde
New Contributor
New Contributor
‎08/10/2023 08:29 AM

@sudeshjaiswal, Thank you for the updates.

SeShoSama
New Contributor
New Contributor
‎10/08/2023 03:08 AM

Hi Sudeshjaiswal, thx nice share it help us a lot. Just fyi doesn't have to be XISOAdapter in the url, as long as the GRC webservice url can be hit and get success response from postman then it's possible, it run success on my connection using sap-client in url (without XISOAdapter as in the sample).

Thx

sudeshjaiswal
Saviynt Employee
Saviynt Employee
‎10/08/2023 08:27 PM

Hello @SeShoSama,

Thank you for confirming. This information will be useful for others too.

shruanand24
New Contributor
New Contributor
‎10/18/2023 02:24 AM

Hello @sudeshjaiswal 

 

We are using Saviynt as Ticketing System to SAP GRC for SoD validation and hence connecting to SAP GRC using SOAP connector. There is requirement to send user's termination date to 'valid to' field of user detail in SAP GRC. To accomodate this requirement we are utilizing ${user.termDate} in Create Account and Update Account payload of SAP GRC connector. However it is observed that upon new account ticket creation in GRC, 'valid to' field is populated with a default 99991231 value, and not with the termination date selected in the user profile of Saviynt.

Please recommend a solution/binding value to pass the term date to GRC.

 
sudeshjaiswal
Saviynt Employee
Saviynt Employee
‎10/18/2023 08:14 PM

Hello @shruanand24,

Can you please check on the SAP GRC end, what payload is been recieved on the target end?
Is ${user.termDate} value is been passed as per the saviynt in the payload been sent to target?

Or You can try to set the termdate in one of the customproperty and try it.(Just for your test).

Thanks

Version history
Last update:
‎04/02/2024 11:06 AM
Updated by:
Saviynt Employee
Copyright © 2024 Khoros, LLC