SAP NetWeaver ® Identity Management GRC Integration Configuration Guide Version 7.0 Rev 2

SAP IdM - GRC Integration Guide


Page 1: SAP IdM - GRC Integration Guide

SAP NetWeaver® Identity Management

GRC Integration

Configuration Guide

Version 7.0 Rev 2


© Copyright 2008 SAP AG. All rights reserved.

SAP Library document classification: PUBLIC

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Outlook, Excel, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, OS/2, Parallel Sysplex, MVS/ESA, AIX, S/390, AS/400, OS/390, OS/400, iSeries, pSeries, xSeries, zSeries, System i, System i5, System p, System p5, System x, System z, System z9, z/OS, AFP, Intelligent Miner, WebSphere, Netfinity, Tivoli, Informix, i5/OS, POWER, POWER5, POWER5+, OpenPower and PowerPC are trademarks or registered trademarks of IBM Corporation.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML, and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

MaxDB is a trademark of MySQL AB, Sweden.

SAP, R/3, mySAP, mySAP.com, xApps, xApp, SAP NetWeaver, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves information purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.


Preface

The product

The SAP NetWeaver Identity Management GRC Integration consists of a provisioning framework in the Identity Center and a configuration in the Virtual Directory Server that enables user provisioning to GRC Access Control. Using this solution, SAP NetWeaver Identity Management can execute provisioning to multiple target systems which are controlled by GRC Access Control, so that compliance with the rules implemented there is ensured.

The reader

This manual is intended for people who are to install and perform the initial configuration of the GRC provisioning framework.

Prerequisites

To get the most benefit from this manual, you should have the following knowledge:

• Knowledge of the Identity Center.

• Knowledge of the Virtual Directory Server.

• Knowledge of GRC Access Control.

The following software is required:

• GRC Access Control

• The component "Access Enforcer" of GRC Access Control release 5.2 is installed and connected to the target systems.

• Appropriate workflow processes, typically including compliance checks by the component "Compliance Calibrator", are defined in the Access Enforcer.

• A service user which has the right to execute the GRC web services is defined and the credentials are known.

• SAP NetWeaver Identity Management Virtual Directory Server 7.0 SP2 is correctly installed and licensed.

• SAP NetWeaver Identity Management Identity Center 7.0 SP2 is correctly installed and licensed.

• The Provisioning Framework for SAP Systems is correctly installed and configured.

The manual

This document describes how you install and configure the GRC integration framework.


Related documents

You can find useful information in the following documents:

• The tutorials for the Identity Center

• The tutorials for the Virtual Directory Server

• Relevant documentation for GRC Access Control


Table of contents

Introduction ... 1
Adding the Virtual Directory Server configuration ... 2
    Starting the server ... 3
Testing the configuration ... 5
    Logging in with LDP ... 5
    Performing a search ... 5
Adding the provisioning framework to the Identity Center ... 7
    Preparing the Identity Center ... 7
    Importing the GRC provisioning framework ... 8
    Adding the repository definition for GRC Access Control ... 11
    Importing the service jobs ... 14
    Configuring the GRC provisioning framework ... 15
Process description ... 18
    Initial load ... 18
    GRC Provisioning ... 19
    GRC Deprovisioning ... 21
    Modify GRC user ... 22
    Process Status ... 24


Introduction

This document describes how you integrate SAP NetWeaver Identity Management and GRC Access Control.

Using this solution, SAP NetWeaver Identity Management can execute compliant provisioning to multiple target systems which are controlled by GRC Access Control.

The components of SAP NetWeaver Identity Management are used in the following way:

• The Virtual Directory Server:

• Accepts requests from Identity Center.

• Deals with all connections to/from GRC Access Control through the web service API exposed by GRC Access Control.

• The Identity Center:

• Contains the workflow tasks and the necessary jobs that drive the provisioning to GRC Access Control based on the Provisioning Framework for SAP Systems.

• Communicates with the Virtual Directory Server using the LDAP protocol.

The configuration process described in this document consists of:

• Creating a configuration in the Virtual Directory Server based on a template.

• Importing the GRC provisioning framework to the Identity Center.

• Configuring the imported objects.


Adding the Virtual Directory Server configuration

The first step is to create the server configuration in the Virtual Directory Server that the Identity Center uses to access GRC Access Control. The Virtual Directory Server contains a template that can be used to create this configuration.

To create the configuration:

1. Choose File/New… to open the "New configuration" dialog box.

Select "SAP NetWeaver" in the "Group" list and "GRC_Integration.xml" in the "Template" list.

2. Choose "OK".


Fill in the following values:

Port: Enter the port number that will be used for the Virtual Directory Server (when deployed as an LDAP server).

It is recommended to test and verify the configuration (especially if additional tailoring of the template is done) using an LDAP client, before using it together with the Identity Center.

Web Service URL: The URL to GRC Access Control, typically with the pattern http://<server>:<port>/.

GRC User and GRC Password: Credentials of the user with access rights to execute web service calls against Access Control.

Connection string: Enter the connection string to the Identity Center database. It is recommended that you use the JDBC URL wizard. Use the <prefix>_rt user of the Identity Center database.

3. Choose "OK".

Enter a name of the new configuration (for instance, grcintegration.xml) and save the configuration.

The expanded virtual tree looks like this:

Starting the server

We can now start the server to see that it starts without errors:

1. Display the operation log. (Choose the "Operation" button.)

2. Start the server. If the run-time environment is correct, the Virtual Directory Server will start listening on the configured port. Verify in the operation log that the server starts.

Some typical errors:

• The JDBC driver for the Microsoft SQL Server is not in the classpath for the Virtual Directory Server. See the help file for the Virtual Directory Server for information about how to extend/configure the classpath.


• The selected port is occupied. It can be changed by viewing the properties of Deployments/LDAP Deployments/Main listener.


Testing the configuration

When the server has started successfully, we can test the configuration using an LDAP client such as LDP.

Logging in with LDP

1. Start LDP.

2. Choose Connection/Connect…:

Enter the host name/IP number and port number you specified for the Virtual Directory Server.

3. Choose "OK".

4. Choose Connection/Bind…:

Enter grcuser as user name and password to log on to the Virtual Directory Server. This is the default user in the template, but this can be modified in the configuration.

5. Choose "OK".

Performing a search

To test the connectivity, we perform a search to list the applications in the backend GRC Access Control system. Use the DN as shown below. This corresponds to a node in the Virtual Directory Server configuration as shown on page 3.

1. Choose Browse/Search.


2. Choose "Options":

Make sure that the "Attributes" field is empty.

3. Choose "OK" to close the "Search Options" dialog box.

4. Choose "Run" to perform the search.

The applications returned by the search may vary depending on what is available in the GRC Access Control you are connecting to.


Adding the provisioning framework to the Identity Center

The GRC provisioning framework that we add to the Identity Center makes it possible to submit provisioning requests to GRC Access Control from a provisioning solution implemented in the Identity Center.

Adding the provisioning framework involves the following steps:

• Preparing the Identity Center.

• Importing the GRC Provisioning framework.

• Adding the repository definition for GRC Access Control.

• Importing the service jobs.

• Configuring the GRC provisioning framework.

Preparing the Identity Center

Before we import the framework to the identity store, we need to make some initial configuration of the Identity Center.

• Ensure that you have at least one valid dispatcher enabled to run both Windows and Java jobs.

• Verify that the Provisioning framework for SAP systems is imported and configured as described in Identity Management for SAP System Landscapes: Configuration Guide.

Specifying import options

To specify import options:

1. View the properties of the Identity Center and select the "Options" tab.

2. Make sure that "Enable imported jobs" is selected.

3. Select a default dispatcher for the imported jobs.

This ensures that imported tasks/jobs are enabled. It is possible to enable those later, but the number of jobs is large.

4. Choose "Apply".


Adding an administrator user to the identity store

To add the administrator user:

1. View the properties of the identity store where you will import the GRC provisioning framework and select the "Workflow" tab.

2. Select "Identity store" as "Authentication method".

3. Choose "Add user…":

Enter the user idmadm with the entry type "MX_PERSON".

4. Choose "OK".

5. Choose "Apply".

Importing the GRC provisioning framework

The GRC provisioning framework contains tasks specific to the GRC integration.

To import the framework:

1. Select the identity store where you will import the framework and choose "Import…" from the context menu.


Locate the file containing the framework, GRC_Provisioning_Framework.mcc, in the folder C:\Program Files\SAP\IdM\Identity center\templates\Identity Center\SAP Provisioning Framework.

2. Choose "Open".

Select "Import".

3. Select the "Advanced" tab and make sure that a dispatcher is selected for the imported jobs, as we configured for the Identity Center.


4. Choose "Next >".

Select "Update attributes with event tasks".

5. Choose "Import".

6. Choose "Finish" when the import is completed.

The imported framework is added to the identity store:

The tasks are placed in two folders. The folder "Web Enabled Tasks" contains sample Workflow tasks that can be used for testing. The folder "GRC Tasks" contains the tasks used for provisioning. The tasks that are used as event tasks are "GRC Provisioning", "GRC Deprovisioning" and "Modify GRC User".


Adding the repository definition for GRC Access Control

We need to add a repository definition for the GRC Access Control that we want to connect to.

1. Select the Identity Center's "Repositories" node and choose "New…" from the context menu.

Locate the template "VDS to GRC repository" in the "Identity Center/Repositories" folder.

2. Choose "Next >".


Enter GRC as the name of the repository definition.

3. Choose "Next >".

Enter the following values:

Server IP: The host name or IP address of the Virtual Directory Server. This must be the same value as you specified when configuring the Virtual Directory Server.

Server Port: The LDAP port which is used by the Virtual Directory Server. This must be the same value as you specified when configuring the Virtual Directory Server.

Login/Password: The credentials of the user that is used to log on to the Virtual Directory Server. The default value is grcuser/grcuser. This can be changed, but it must match the values specified in the Virtual Directory Server.

GRC Manager ID: The user ID of one of the existing users in the SAP Application Server Java which runs GRC Access Control. In addition, this user must have access rights to approve incoming provisioning requests. The default value is NULL. In that case Access Control assigns incoming requests to the default manager.

GRC Requestor E-Mail/GRC Requestor Firstname/GRC Requestor Lastname/GRC Requestor ID: Correct values of one of the valid users in the SAP Application Server Java which runs GRC Access Control. It is possible to enter non-existing values. During the process of Initial Load (see page 18), the framework will create the user with these attributes, if needed.

4. Choose "Next >" and then "Finish" to complete the wizard.


5. View the repository constants for the GRC repository and modify the following constants:

APPLICATION_HOST: The server name of the GRC Access Control installation (an SAP Application Server Java).

HTTP_PORT: The HTTP port of the GRC Access Control installation (the ports of an SAP Application Server Java typically have the pattern 5<nn>00, where nn is the variable part of the port number).

HTTP_AUTH_USER: User name for authentication of the service user in GRC Access Control.

HTTP_AUTH_PWD: Password for authentication of the service user in GRC Access Control.

MX_DEPROVISIONTASK: The task ID of the "GRC Deprovisioning" task from the GRC Provisioning Framework.

MX_PROVISIONTASK: The task ID of the "GRC Provisioning" task from the GRC Provisioning Framework.

MX_MODIFYTASK: The task ID of the "Modify GRC User" task from the GRC Provisioning Framework.

VDS2GRC_SUFFIX: The top RDN of the virtual tree in the Virtual Directory Server. The default value is "o=grc". This can only be changed if the configuration of the Virtual Directory Server is changed accordingly.

The complete list of repository constants will look something like this:


Importing the service jobs

The last component we add is the service jobs that are used for the initial load and other tasks that are not part of the provisioning framework itself.

1. Select the job folder where you want to add the service jobs. You can either use an existing folder or create one for this purpose. Choose New/Run job wizard… from the context menu.

2. Choose "Next >".

Locate the template "GRC 5.2 - Initial Load" in the "Identity Center/Jobs/GRC" folder.

3. Choose "Next >".

Select the "GRC" repository definition you created.

4. Choose "Next >" and then "Finish" to complete the wizard.

5. Enable the job and select a dispatcher for it.

6. Repeat the steps and select the "Process status" template in the wizard.


The result should look as follows:

Configuring the GRC provisioning framework

Before you can use the GRC provisioning framework, a few configuration steps are necessary.

Adding references to repository definitions

You need to add the reference to the repository definition for GRC Access Control to the tasks "Create Delta on Add" and "Modify existing GRC user – simple attr".

1. View the properties of each of the tasks.

2. Select "GRC" as "Repository" for the tasks.

3. Choose "Apply".


Adding event triggers to the attribute MX_GRC_CHANGES_DETECTED

Every time the attribute "MX_GRC_CHANGES_DETECTED" is added or modified, the task "Modify existing GRC user – simple attr" is executed. To configure this behavior, do the following:

1. View the properties of the attribute "MX_GRC_CHANGES_DETECTED" and select the "Event tasks" tab:

Add event tasks for "Add" and "Modify" as shown above. Select the "…" button to the right of the field and select the corresponding task:

2. Choose "OK" twice to close both dialog boxes.


Adding event triggers to the entry type MX_PERSON

You also add event triggers to the entry type MX_PERSON.

1. View the properties of the entry type "MX_PERSON" and select the "Event tasks" tab:

Add event tasks for "Add" and "Modify" as shown above. Select the "…" button to the right of the field and select the corresponding task:

2. Choose "OK" twice to close both dialog boxes.


Process description

The following section describes the processes that can be performed with the GRC provisioning framework.

Initial load

Before you can do any provisioning or deprovisioning through the provisioning framework, you must run the job "GRC 5.2 – Initial Load".

This job does the following:

• Reads the users from the user store of the SAP Application Server Java which is used for the GRC Access Control and stores them in the identity store.

The ACCOUNTGRC attribute is filled in to indicate the presence of accounts in GRC Access Control. It will later be used by other tasks in the Provisioning Framework for SAP systems.

• Obtains the information about available applications from GRC Access Control.

• Creates the proper MX_APPLICATION and MX_PRIVILEGE objects in the identity store, based on information read from GRC Access Control.

The MX_PRIVILEGE_TYPE of the created privileges is set to "GRC".


GRC Provisioning

The purpose of this task is to create a Java user and perform GRC provisioning when the user receives a new privilege.

The process can be illustrated as follows:

A privilege can be assigned to a user either when a user is added or modified in the identity store. In either case, the following happens:

• Based on the privilege's MX_PRIVILEGE_TYPE property, the framework obtains the repository definition where the connection information (and other control information) is configured.

In this particular case, all relevant privileges are of type "GRC", and the repository is GRC.

• Each repository definition in the framework contains a variable MX_PROVISIONTASK. In this particular case it contains the task ID of the "GRC Provisioning" task.

• The "GRC Provisioning" task checks if the user exists in the back-end SAP Application Server Java. If the user does not exist, it is created.

• Next, the framework executes the task "Create GRC user with a single privilege".


Create GRC user with a single privilege

This task executes an LDAP call to the Virtual Directory Server. The Virtual Directory Server creates a proper request and executes a Web Service call toward GRC Access Control (SubmitRequestToGRC).

The properties of the LDAP operation are:

DN: Constructed using the value of the ACCOUNTGRC attribute and the DN suffix configured in the GRC repository definition.

FIRSTNAME, LASTNAME, EMAILADDRESS: Passed to GRC. Properties of the account to create.

APPLICATION: Passed to GRC. The name of the system for which the account is requested.

MGRID: Passed to GRC. This is the user ID of the approver of the request. The framework uses the value of the repository constant GRC_MANAGER_ID.

REQUESTORID, REQUESTOREMAILADDRESS, REQUESTORFIRSTNAME, REQUESTORLASTNAME: Passed to GRC. Specifies the properties of the requestor. The framework uses the values configured in the GRC repository constants.

GRC_OPERATION: Not sent to GRC. This attribute indicates the type of operation that the Virtual Directory Server will execute toward GRC. "ADD" will result in a GRC Request of type "NEW".

MSKEYVALUE, ISID, AUDITID: Not sent to GRC. Control attributes needed for the Virtual Directory Server to carry out the operation toward GRC.


GRC Deprovisioning

The purpose of this task is to deprovision from GRC Access Control when a privilege is removed, and when the last privilege is removed, also delete the Java user.

The process can be illustrated as follows:

This process is similar to the GRC provisioning:

• Based on the privilege's MX_PRIVILEGE_TYPE, the repository is obtained (GRC).

• The task pointed to by the constant MX_DEPROVISIONTASK is executed ("GRC Deprovisioning").

• This task submits an appropriate call to the Virtual Directory Server ("Remove single privilege from GRC user").

• The attributes that are passed to the Virtual Directory Server are similar to those described for the provisioning process. The only difference is that the attribute "GRC_OPERATION" will have the value "DELETE", which indicates to the Virtual Directory Server that a DELETE request has to be created and executed in the GRC.

• Next, the framework checks if this was the last privilege for this user. If it is, the entry is removed from SAP Application Server Java.
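The two flows above (the attribute table of "Create GRC user with a single privilege" and the deprovisioning steps) as a worked example. This is an added illustration in Python, not code from the SAP guide or from the Identity Center; the repository constants, task IDs, privilege and person names, the ISID value and the cn= RDN used to build the DN are constructed assumptions, and the Java-user creation is only recorded, not performed.

```python
"""Added example (not code from the SAP guide or the Identity Center):
a compact model of the GRC Provisioning and GRC Deprovisioning flows.
Every constant, name and sample value below is an assumption made for
illustration; in the product they live in the Identity Center database
and the GRC repository definition.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Repository definition "GRC" with the constants the guide lists (sample values).
REPOSITORIES = {
    "GRC": {
        "VDS2GRC_SUFFIX": "o=grc",          # top RDN of the virtual tree
        "MX_PROVISIONTASK": 101,            # task ID of "GRC Provisioning" (sample)
        "MX_DEPROVISIONTASK": 102,          # task ID of "GRC Deprovisioning" (sample)
        "GRC_MANAGER_ID": None,             # NULL: Access Control uses the default manager
        "GRC_REQUESTOR_ID": "idmadm",
        "GRC_REQUESTOR_EMAIL": "idmadm@example.invalid",
        "GRC_REQUESTOR_FIRSTNAME": "IdM",
        "GRC_REQUESTOR_LASTNAME": "Service",
    }
}

# MX_PRIVILEGE objects as the initial load would create them (constructed names).
PRIVILEGES = {
    "PRIV:GRC:ECC_PROD:DISPLAY_ONLY": {"MX_PRIVILEGE_TYPE": "GRC", "MX_APPLICATION": "ECC_PROD"},
    "PRIV:GRC:CRM_PROD:SALES_USER": {"MX_PRIVILEGE_TYPE": "GRC", "MX_APPLICATION": "CRM_PROD"},
}

# GRC_OPERATION value -> type of the request the Virtual Directory Server submits.
GRC_REQUEST_TYPE = {"ADD": "NEW", "DELETE": "DELETE"}


@dataclass
class PersonEntry:
    """Subset of an MX_PERSON entry in the identity store."""
    mskeyvalue: str
    firstname: str
    lastname: str
    email: str
    accountgrc: Optional[str] = None      # filled once a Java user exists in GRC
    privileges: Set[str] = field(default_factory=set)


def resolve_repository(privilege_name: str):
    """MX_PRIVILEGE_TYPE of the privilege selects the repository definition."""
    ptype = PRIVILEGES[privilege_name]["MX_PRIVILEGE_TYPE"]
    return ptype, REPOSITORIES[ptype]


def build_vds_request(person: PersonEntry, privilege_name: str,
                      grc_operation: str, audit_id: str) -> Dict[str, Optional[str]]:
    """Attribute set of the LDAP operation sent to the Virtual Directory Server;
    the DN is ACCOUNTGRC plus the configured suffix ('cn=' is assumed)."""
    _, repo = resolve_repository(privilege_name)
    if person.accountgrc is None:
        raise ValueError("no ACCOUNTGRC: the Java user must exist before a request is built")
    return {
        "DN": f"cn={person.accountgrc},{repo['VDS2GRC_SUFFIX']}",
        "FIRSTNAME": person.firstname,
        "LASTNAME": person.lastname,
        "EMAILADDRESS": person.email,
        "APPLICATION": PRIVILEGES[privilege_name]["MX_APPLICATION"],
        "MGRID": repo["GRC_MANAGER_ID"],
        "REQUESTORID": repo["GRC_REQUESTOR_ID"],
        "REQUESTOREMAILADDRESS": repo["GRC_REQUESTOR_EMAIL"],
        "REQUESTORFIRSTNAME": repo["GRC_REQUESTOR_FIRSTNAME"],
        "REQUESTORLASTNAME": repo["GRC_REQUESTOR_LASTNAME"],
        "GRC_OPERATION": grc_operation,     # not sent to GRC; interpreted by the VDS
        "MSKEYVALUE": person.mskeyvalue,    # control attributes, not sent to GRC
        "ISID": "1",                        # identity store ID (sample value)
        "AUDITID": audit_id,
    }


def provision(person: PersonEntry, privilege_name: str, audit_id: str) -> dict:
    """'GRC Provisioning': create the Java user if missing, then submit
    'Create GRC user with a single privilege' with GRC_OPERATION = ADD."""
    _, repo = resolve_repository(privilege_name)
    created = person.accountgrc is None
    if created:
        person.accountgrc = person.mskeyvalue   # stands in for the LDAP add of the Java user
    person.privileges.add(privilege_name)
    return {"task": repo["MX_PROVISIONTASK"], "java_user_created": created,
            "request": build_vds_request(person, privilege_name, "ADD", audit_id)}


def deprovision(person: PersonEntry, privilege_name: str, audit_id: str) -> dict:
    """'GRC Deprovisioning': submit 'Remove single privilege from GRC user'
    (GRC_OPERATION = DELETE), then drop the Java user if no GRC privilege is left."""
    ptype, repo = resolve_repository(privilege_name)
    request = build_vds_request(person, privilege_name, "DELETE", audit_id)
    person.privileges.discard(privilege_name)
    last_one = not any(PRIVILEGES[p]["MX_PRIVILEGE_TYPE"] == ptype for p in person.privileges)
    if last_one:
        person.accountgrc = None
    return {"task": repo["MX_DEPROVISIONTASK"], "java_user_deleted": last_one, "request": request}


if __name__ == "__main__":
    alice = PersonEntry("ALICE", "Alice", "Smith", "alice@example.invalid")
    print(provision(alice, "PRIV:GRC:ECC_PROD:DISPLAY_ONLY", "AUD-0001"))
    print(deprovision(alice, "PRIV:GRC:ECC_PROD:DISPLAY_ONLY", "AUD-0002"))
```

The point to check when tailoring the real tasks is the "last privilege" decision in the deprovisioning path: it must count only privileges of the same MX_PRIVILEGE_TYPE, otherwise a user who still holds GRC privileges can lose the Java account, or keep it after the last GRC privilege is gone.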


Modify GRC user

The purpose of this task is to modify user data in GRC Access Control when information is changed in the identity store.

The following diagram illustrates this process:

Whenever a user entry is changed, the Modify event configured on the entry type MX_PERSON is triggered and the configured task ("Modify User") is executed.

The configured task belongs to the Provisioning Framework for SAP Systems. Using the global script "sap_ModifyUser", and depending on the repository type extracted from the ACCOUNT<NAME> attribute on the user entry, it executes the following tasks:

• The corresponding Provisioning and Deprovisioning tasks for the changed privileges, if any.

• The configured MX_MODIFYTASK for all other "normal" attributes ("Modify GRC User").

The "Modify GRC User" task will execute "Check for GRC related changes – no privileges". This task compares the list of modified attributes with the configured list of attributes that are relevant for GRC. If none of the GRC-relevant attributes is modified, nothing happens.

If any of the GRC-relevant attributes is modified, "Check for GRC related changes – no privileges" sets a time-stamp on the user entry. The attribute "MX_GRC_CHANGES_DETECTED" is used as the time-stamp. Modify and add events are configured on this attribute. The execution of the task "Modify existing GRC user – no privileges" is triggered every time the attribute is set or modified. This task sends the changed information over to GRC.


Modify existing GRC user – no privileges

The attributes that are passed to the Virtual Directory Server are similar to those described for Provisioning, but the attribute "GRC_OPERATION" contains the value "MODIFY".

Delta is enabled on this pass, meaning that it detects and sends only the attributes that are modified. However, to be able to create a proper request to GRC, the Virtual Directory Server also needs some attributes that are not modified.

It is possible to distinguish between several types of attributes:

• User attributes that always must be sent to the Virtual Directory Server (even if they are not changed).

These attributes are tagged with "*" in front of the attribute name:

FIRSTNAME, LASTNAME, EMAILADDRESS

• Non-user attributes that must be sent to the Virtual Directory Server. These are either constructed or read from global constants.

ISID, AUDITID, GRC_OPERATION, REQUESTOR attributes, MGRID

• User attributes that are modified (according to the delta).

These new values will be provisioned to the GRC to all existing applications.
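The delta rules just listed, as an added Python example that is not part of the SAP guide: it models "Check for GRC related changes – no privileges" stamping MX_GRC_CHANGES_DETECTED and the "Modify existing GRC user – no privileges" pass assembling the attribute set. The GRC-relevant attribute list (DEPARTMENT and TELEPHONE are invented here), the time-stamp format, the constant values and the cn= RDN are assumptions; in the product the relevant-attribute list is task configuration.

```python
"""Added example (not code from the SAP guide): the two-stage modify flow.
The GRC-relevant attribute list, time-stamp format, constant values and the
'cn=' RDN are assumptions made for illustration.
"""
from datetime import datetime, timezone
from typing import Dict, Optional, Set

# Attributes tagged "*" in the pass: always sent to the VDS, changed or not.
ALWAYS_SENT = ("FIRSTNAME", "LASTNAME", "EMAILADDRESS")
# GRC-relevant user attributes (assumed list; DEPARTMENT and TELEPHONE are invented).
GRC_RELEVANT = ("FIRSTNAME", "LASTNAME", "EMAILADDRESS", "DEPARTMENT", "TELEPHONE")
TIMESTAMP_ATTR = "MX_GRC_CHANGES_DETECTED"

# Non-user attributes, constructed or read from the GRC repository constants (samples).
CONSTANTS = {
    "VDS2GRC_SUFFIX": "o=grc", "ISID": "1", "MGRID": None,
    "REQUESTORID": "idmadm", "REQUESTOREMAILADDRESS": "idmadm@example.invalid",
    "REQUESTORFIRSTNAME": "IdM", "REQUESTORLASTNAME": "Service",
}


def changed_grc_attributes(old: Dict[str, str], new: Dict[str, str]) -> Set[str]:
    """Compare the modified attributes against the GRC-relevant list."""
    return {a for a in GRC_RELEVANT if old.get(a) != new.get(a)}


def check_for_grc_changes(old: Dict[str, str], new: Dict[str, str],
                          now: Optional[datetime] = None) -> Optional[str]:
    """'Check for GRC related changes – no privileges': if a relevant attribute
    changed, stamp MX_GRC_CHANGES_DETECTED on the entry (which fires the
    Add/Modify event task); otherwise nothing happens and None is returned."""
    if not changed_grc_attributes(old, new):
        return None
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%d%H%M%S")
    new[TIMESTAMP_ATTR] = stamp
    return stamp


def build_modify_request(old: Dict[str, str], new: Dict[str, str],
                         audit_id: str) -> Dict[str, Optional[str]]:
    """'Modify existing GRC user – no privileges' with delta enabled: send the
    always-sent user attributes, the non-user control attributes, and only
    those GRC-relevant user attributes that actually changed."""
    attrs: Dict[str, Optional[str]] = {
        "DN": f"cn={new['ACCOUNTGRC']},{CONSTANTS['VDS2GRC_SUFFIX']}",   # 'cn=' assumed
        "GRC_OPERATION": "MODIFY",
        "ISID": CONSTANTS["ISID"],
        "AUDITID": audit_id,
        "MGRID": CONSTANTS["MGRID"],
        "REQUESTORID": CONSTANTS["REQUESTORID"],
        "REQUESTOREMAILADDRESS": CONSTANTS["REQUESTOREMAILADDRESS"],
        "REQUESTORFIRSTNAME": CONSTANTS["REQUESTORFIRSTNAME"],
        "REQUESTORLASTNAME": CONSTANTS["REQUESTORLASTNAME"],
    }
    for a in ALWAYS_SENT:                        # "*" attributes, even if unchanged
        attrs[a] = new[a]
    for a in changed_grc_attributes(old, new):   # the delta
        attrs[a] = new.get(a)
    return attrs


if __name__ == "__main__":
    before = {"ACCOUNTGRC": "ALICE", "FIRSTNAME": "Alice", "LASTNAME": "Smith",
              "EMAILADDRESS": "alice@example.invalid", "DEPARTMENT": "Sales"}
    after = dict(before, DEPARTMENT="Finance")
    print(check_for_grc_changes(before, after))
    print(build_modify_request(before, after, "AUD-0005"))
```

Note that a change to an attribute outside the relevant list never reaches the stamping step, so no event fires and nothing is sent, which is the "nothing happens" case of the text.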


Process Status

Whenever a successful request submission to GRC Access Control takes place, the Virtual Directory Server creates a new attribute on the user entry: "MX_GRC_REQUEST_PENDING". If the attribute already exists, only the value of the attribute is changed.

The "MX_GRC_REQUEST_PENDING" attribute is a multi-value attribute, since multiple requests can be submitted to GRC for the same entry before they are acknowledged.

The value of the attribute contains information used by the "Process Status" service job. "Process Status" is executed on a regular basis.

It does the following:

• Executes a call to the Virtual Directory Server and obtains the status information for every entry and for each pending request in the queue.

• If the obtained status is "OK", "MX_GRC_REQUESTS_OK" is created and "MX_GRC_REQUESTS_PENDING" is removed. If there are multiple values, only the relevant value is removed.

• If the obtained status is "FAILED", "MX_GRC_REQUESTS_FAILED" is created and the attribute "MX_GRC_REQUESTS_PENDING" is removed. If there are multiple values, only the relevant value is removed.

• If the obtained status is unchanged, "PENDING", nothing will happen. The same entry will be processed by the "Process status" service job in the next cycle.
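One cycle of the "Process Status" job, as an added Python example (not the guide's or SAP's code). The status lookup is a constructed stub in place of the Virtual Directory Server call, and the REQ-nnnn values kept in the pending attribute are an assumed format, since the guide does not say what the attribute value contains.

```python
"""Added example (not code from the SAP guide): one run of the 'Process Status'
service job over entries that carry pending GRC requests. Status lookup is a
stub; the pending-attribute value format is assumed.
"""
from typing import Callable, Dict, List

# The guide names the pending attribute both MX_GRC_REQUEST_PENDING and
# MX_GRC_REQUESTS_PENDING; check the attribute name in your identity store.
PENDING_ATTR = "MX_GRC_REQUEST_PENDING"
OK_ATTR = "MX_GRC_REQUESTS_OK"
FAILED_ATTR = "MX_GRC_REQUESTS_FAILED"

Entry = Dict[str, List[str]]   # attribute name -> list of values (multi-value)


def record_submission(entry: Entry, request_value: str) -> None:
    """What the VDS does after a successful submission: create the multi-value
    pending attribute, or add a value if it already exists."""
    entry.setdefault(PENDING_ATTR, []).append(request_value)


def move_value(entry: Entry, value: str, target_attr: str) -> None:
    """Remove only the relevant value from the pending attribute and record it
    under the target attribute; drop the pending attribute once it is empty."""
    entry[PENDING_ATTR].remove(value)
    if not entry[PENDING_ATTR]:
        del entry[PENDING_ATTR]
    entry.setdefault(target_attr, []).append(value)


def process_status(entries: List[Entry],
                   lookup_status: Callable[[str], str]) -> Dict[str, int]:
    """One cycle of 'Process Status': query every pending request of every
    entry and file it under OK / FAILED, or leave it for the next cycle."""
    counts = {"OK": 0, "FAILED": 0, "PENDING": 0}
    for entry in entries:
        # iterate over a copy: move_value edits the list while we walk it
        for value in list(entry.get(PENDING_ATTR, [])):
            status = lookup_status(value)
            if status == "OK":
                move_value(entry, value, OK_ATTR)
            elif status == "FAILED":
                move_value(entry, value, FAILED_ATTR)
            elif status == "PENDING":
                pass            # unchanged: picked up again in the next cycle
            else:
                raise ValueError(f"unexpected GRC status {status!r} for {value}")
            counts[status] += 1
    return counts


# Constructed sample: two users, three requests, and the statuses a VDS
# query might return for them.
SAMPLE_STATUS = {"REQ-1001": "OK", "REQ-1002": "PENDING", "REQ-1003": "FAILED"}


def sample_run():
    alice: Entry = {"MSKEYVALUE": ["ALICE"]}
    bob: Entry = {"MSKEYVALUE": ["BOB"]}
    record_submission(alice, "REQ-1001")
    record_submission(alice, "REQ-1002")   # second request before the first is acknowledged
    record_submission(bob, "REQ-1003")
    counts = process_status([alice, bob], SAMPLE_STATUS.__getitem__)
    return counts, alice, bob


if __name__ == "__main__":
    print(sample_run())
```

An unknown status is raised rather than silently ignored: a request that is neither OK, FAILED nor PENDING would otherwise stay in the queue forever and be re-queried in every cycle.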
