SAP NetWeaver® Identity Management

Compliant provisioning using SAP BusinessObjects Access Control

Configuration guide

Version 7.1 Rev 6

© Copyright 2011 SAP AG. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

Oracle is a registered trademark of Oracle Corporation.

UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology.

Java is a registered trademark of Sun Microsystems, Inc.

JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.

Preface

The product

The SAP NetWeaver Identity Management GRC integration consists of a set of tasks in the Identity Center and a configuration in the Virtual Directory Server that enables the use of SAP BusinessObjects Access Control for risk validation before user provisioning. Using this solution, SAP NetWeaver Identity Management can execute provisioning to multiple target systems which are controlled by SAP BusinessObjects Access Control, to ensure compliance according to the rules implemented there.

When business requirements call for compliance and Segregation of Duties checks, SAP NetWeaver Identity Management performs risk validation in SAP BusinessObjects Access Control before assigning permissions, in order to achieve compliant provisioning.

The reader

This manual is intended for people who are to install and perform the initial configuration of the GRC provisioning framework.

Prerequisites

To get the most benefit from this manual, you should have the following knowledge and software:

Knowledge of the Identity Center.

Knowledge of the Virtual Directory Server.

Knowledge of and access to SAP BusinessObjects Access Control 5.3 SP9, which is mandatory for the centralized provisioning described in the section Landscape configuration scenarios in this document.

SAP NetWeaver Identity Management Virtual Directory Server 7.1 SP3 Patch 1 or higher is correctly installed and licensed.

SAP NetWeaver Identity Management Identity Center 7.1 SP3 Patch 1 or higher is correctly installed and licensed.

The Provisioning Framework for SAP Systems is correctly installed and configured.

The manual

This document describes how you install and configure the GRC provisioning framework.

Related documents

You can find useful information in the following documents:

The install guides for SAP NetWeaver Identity Management.

SAP NetWeaver Identity Management Compliant provisioning using SAP BusinessObjects Access Control - Architectural overview.

SAP NetWeaver Identity Management Identity Services Architectural overview.

SAP NetWeaver Identity Management Identity Services Configuration guide.

The tutorials for the Identity Center.

The tutorials for the Virtual Directory Server.

Relevant documentation for SAP BusinessObjects Access Control 5.3, in particular the document SAP GRC Access Control 5.3 – Configuration Guide available on SDN (https://websmp108.sap-ag.de/~sapdownload/011000358700001913042008E).

The documents SAP NetWeaver Identity Management Identity Management for SAP System Landscapes: Architectural Overview and SAP NetWeaver Identity Management Identity Management for SAP System Landscapes: Configuration Guide (describing the Provisioning Framework for SAP Systems).

Table of contents

Introduction ..... 1
    Integration scenarios ..... 1
    The configuration process ..... 3
Adding the Virtual Directory Server configuration ..... 4
    Setting the access credentials ..... 7
    Starting the server ..... 7
    Testing the configuration ..... 8
Extending the Identity Center identity store schema ..... 11
Adding the GRC provisioning framework to the Identity Center ..... 13
    Preparing the Identity Center ..... 13
    Importing the GRC provisioning framework ..... 14
    Importing the service jobs ..... 15
    Configuring the repository definition ..... 17
    Configuring the parameters in Virtual Directory Server (for future use: only if implementing event-based result handling) ..... 20
Process description ..... 21
Initialization process description ..... 22
    Running the "Initial Load" jobs ..... 22
    Troubleshooting ..... 25
Privilege assignment process description ..... 27
Task execution process description ..... 30
    AC Validation ..... 30
    Fix PVO ..... 30
    Prepare AC Request ..... 31
    Perform Risk Check ..... 32
    Set IdM Approver ..... 32
    Submit AC Request ..... 32
    Write RequestId and opt. Start Polling ..... 37
    Risk Validation ..... 37
    AC Polling ..... 38
    AC Callback Service ..... 40
Timeouts and stale requests ..... 41
Limitations/tuning of the framework ..... 42

Introduction

This document gives an overview of the integration between SAP NetWeaver Identity Management and SAP BusinessObjects Access Control (part of the SAP BusinessObjects governance, risk and compliance (GRC) solutions).

The components of SAP NetWeaver Identity Management are used in the following way:

The Virtual Directory Server:

Accepts requests from the Identity Center.

Handles all connections to and from SAP BusinessObjects Access Control through the web service API exposed by SAP BusinessObjects Access Control.

The Identity Center:

Contains the workflow tasks and the necessary jobs that drive the risk validation using SAP BusinessObjects Access Control, before provisioning based on the Provisioning Framework for SAP Systems.

Communicates with the Virtual Directory Server (VDS) using the LDAP protocol.

Integration scenarios

Several integration scenarios exist, depending on two factors:

Landscape configuration

Result handling

The GRC provisioning framework can be configured to deal with any combination of these two.

Landscape configuration scenarios

There are two landscape configuration scenarios for the integration:

Centralized provisioning: This is a scenario where SAP NetWeaver Identity Management is the only provisioning system, responsible for provisioning both the assignments requiring and not requiring compliance checks to the target systems (both SAP and non-SAP). SAP NetWeaver Identity Management uses SAP BusinessObjects Access Control to execute the risk analysis. Centralized provisioning is recommended as the default solution.

Distributed provisioning: This solution is recommended for exceptional cases only. This is a scenario where the provisioning is performed both by SAP NetWeaver Identity Management and SAP BusinessObjects Access Control. SAP NetWeaver Identity Management is responsible for provisioning the assignments not requiring compliance checks to multiple target systems (both SAP and non-SAP), while SAP BusinessObjects Access Control is used for provisioning assignments requiring compliance checks to SAP ABAP target systems.

Result handling scenarios

Whenever a request to SAP BusinessObjects Access Control is sent by SAP NetWeaver Identity Management, further action depends on the result of SAP BusinessObjects Access Control's request processing, i.e. which privileges are approved and which are not.

Two different approaches to handling a request processing result exist:

Polling: Identity Management performs the appropriate web service request, polling SAP BusinessObjects Access Control for the result.

Event based (Call-back Services): Instead of polling for the result, Identity Management is informed about the status of the request when the processing is done.

The GRC provisioning framework contains tasks/workflows that deal with both scenarios. The behavior of the GRC provisioning framework is controlled by a configurable set of parameters on the GRC repository definition, as shown on page 17.

The configuration process

The configuration process described in this document consists of:

Creating a configuration in the Virtual Directory Server based on a template.

Extending the Identity Center identity store schema.

Importing the GRC provisioning framework to the Identity Center.

Configuring the imported objects.

Adding the Virtual Directory Server configuration

The first step is to create the server configuration in the Virtual Directory Server that the Identity Center uses to access SAP BusinessObjects Access Control. The Virtual Directory Server contains a template that can be used to create this configuration.

To create the configuration:

1. Choose File/New… to open the "New configuration" dialog box.

Select "SAP NetWeaver" in the "Group" list. Select "GRC AE 53 Integration SP9.xml" in the "Template" list.

2. Choose "OK".

Fill in the following values (the names of the corresponding constants created in the Virtual Directory Server configuration are given in parentheses):

Port
Enter the port number that will be used for the Virtual Directory Server (when deployed as an LDAP server).

It is recommended to test and verify the configuration (especially if additional tailoring of the template is done) using an LDAP client, before using it together with the Identity Center.

Web Service URL (URLPREFIX)
The URL of the SAP BusinessObjects Access Control system, typically with the pattern http://:/.

GRC User and GRC Password (GRCUSER and GRCPWD)
Credentials of the user with access rights to execute web service calls against SAP BusinessObjects Access Control.

Connection string (CONNECTION_STRING)
Enter the connection string to the Identity Center database. It is recommended that you use the JDBC URL wizard. The _rt user in the Identity Center database should be used.

SAP BusinessObjects Access Control requires values for request operation properties such as request type, request priority and request employee type to be set correctly when it receives a request. These can be configured on the Add/Modify/Delete/Lock/Unlock tabs. It is possible to overwrite the default settings in the pass Submit AC Request in the GRC provisioning framework (see the section Submit AC Request on page 32).

3. Choose "OK".

Enter a file name for the new configuration (for instance, grcintegration.xml) and save the configuration.

The expanded virtual tree looks like this:

The parameters entered in the template above (URLPREFIX, GRCUSER, GRCPWD and CONNECTION_STRING) can be altered. To do so, select the "Constants" node in the console tree of the Virtual Directory Server and view the properties:

Enter the changes and choose "Apply", then choose "OK" to close the "Constants" dialog box.

Setting the access credentials

The user access credentials to log on to the Virtual Directory Server are set to grcuser (user)/grcuser (password) by default in the template. It is not recommended to modify these, although they can be modified in the configuration:

1. Under the node "User groups" in the console tree, select the default authenticated user "grcuser" and view its properties.

To change the user name, enter the new login name in the "Login name" field.

2. Choose "Reset…" to change the password:

Enter and confirm the new password.

3. Choose "OK" to close the "Change password" dialog box.

4. Choose "Apply" to apply the changes, and then "OK" to close the user properties dialog box.

Starting the server

To verify that the server starts without errors, do the following:

1. Start the server.

2. Display the operation log (choose the "Operation" button).

3. Start the server. If the run-time environment is correct, the Virtual Directory Server will start listening on the configured port. Verify in the operation log that the server has started.

Some typical errors:

The database driver for your Identity Center database is not in the class path for the Virtual Directory Server. See the help file for the Virtual Directory Server for information about how to extend/configure the class path.

The selected port is occupied by another process. It can be changed by viewing the properties of Deployments/LDAP Deployments/Main listener.

Testing the configuration

When the server has started successfully, the configuration can be tested using an LDAP client, e.g. LDP (a tool available in the Microsoft Windows Server 2003 toolkit and freely on the internet).

Logging in with LDP

1. Start LDP.

2. Choose Connection/Connect…:

Enter the host name/IP address and port number you specified when configuring the Virtual Directory Server.

3. Choose "OK".

4. Choose Connection/Bind…:

Enter grcuser (user)/grcuser (password) as user credentials to log on to the Virtual Directory Server. These are the default credentials in the template, but they can be modified in the configuration, as shown on page 7.

5. Choose "OK".

Performing a search

To test the connectivity, perform a search to list the applications in the back-end SAP BusinessObjects Access Control system. Use the DN as shown below. This corresponds to a node in the Virtual Directory Server configuration as shown on page 6.

1. Choose Browse/Search.

2. Choose "Options":

Make sure that the "Attributes" field is empty.

3. Choose "OK" to close the "Search Options" dialog box.

4. Choose "Run" to perform the search.

The applications returned by the search may vary depending on what is available in the SAP BusinessObjects Access Control system you are connecting to.

Extending the Identity Center identity store schema

The GRC provisioning framework uses a few attributes not available in the existing versions of SAP NetWeaver Identity Management 7.1 (status as of SAP NetWeaver Identity Management 7.1 SP4). The Identity Center identity store schema into which the GRC provisioning framework is imported needs to be extended with the following attributes:

Attribute name     Attribute type     Data type      Multi/Single  Presentation  Entry types
MX_APPLICATION_ID  General attribute  String (Text)  Single        SingleLine    MX_PRIVILEGE
MX_AC_ROLEID       General attribute  String (Text)  Single        SingleLine    MX_PRIVILEGE and MX_ROLE
MX_AC_RESULT       General attribute  String (Text)  Single        SingleLine    MX_PENDING_VALUE
MX_AC_REQUESTID    General attribute  String (Text)  Single        SingleLine    MX_PENDING_VALUE

To extend the identity store schema, do the following:

1. Select the "Attributes" node for your identity store schema in the console tree.

2. Choose New/Identity store attribute… from the context menu.

Fill in the following information:

On the "General" tab:
Enter the attribute name in the "Name" field. Entering a description is optional.

Note: The attribute ID is assigned automatically. Which number the attribute is assigned is not important.

On the "Storage" tab:
Select the correct attribute type and data type for the attribute (in the "Attribute type" and "Data type" fields respectively). Select the Multi/Single option for the attribute.

On the "Presentation" tab:
Optionally, enter the display name of the attribute in the "Display name" field. The text key should follow the format "#MX__DN", e.g. "#MX_MX_APPLICATION_ID_DN".

Select the presentation of the attribute in the "Presentation" field.

On the "Entry types" tab:
Select the correct entry types to contain this attribute.

3. Choose "OK" to close the dialog box and save the new attribute.

4. Repeat the process until all attributes are added.

Optionally, the attributes can be created automatically by enabling automatic creation of attributes on the identity store where the GRC provisioning framework is imported. Automatic attribute creation is not generally recommended and should be disabled by default. To enable this option, do the following:

1. Select the identity store where the GRC provisioning framework is to be imported in the console tree.

2. Select the "General" tab of the identity store's details pane:

Select "Automatically create attributes".

3. Choose "Apply".

Note: You should disable this option by deselecting "Automatically create attributes" on the identity store after importing the GRC provisioning framework.

Adding the GRC provisioning framework to the Identity Center

The GRC provisioning framework added to the Identity Center makes it possible to submit requests to SAP BusinessObjects Access Control from a provisioning solution implemented in the Identity Center.

The framework itself is available on the SAP NetWeaver Identity Management pages on the SDN (http://www.sdn.sap.com/), together with this document. Download the ZIP file GRC Provisioning Framework.sda. Unzip the file to a folder of your choice. You need to locate this folder when importing the framework to the Identity Center as described later in this section.

Adding the provisioning framework involves the following steps:

Preparing the Identity Center

Importing the GRC provisioning framework

Importing the service jobs

Configuring operation

Configuring the repository information

Performing Initial Load

Preparing the Identity Center

Before importing the framework to the identity store, some initial configuration of the Identity Center needs to be made.

Ensure that you have at least one valid dispatcher enabled to run Java jobs.

Specifying import options

To specify import options:

1. View the properties of the Identity Center and select the "Options" tab.

2. Make sure that "Enable imported jobs" is selected.

3. Select a default dispatcher for the imported jobs.

This ensures that imported tasks/jobs are enabled. It is possible to enable them later, but this has to be done manually for each job in the framework, and the number of jobs is large.

4. Choose "Apply".

Importing the GRC provisioning framework

The GRC provisioning framework contains tasks specific to the SAP BusinessObjects Access Control integration with SAP NetWeaver Identity Management.

To import the framework:

1. Select the identity store where you will import the framework and choose "Import…" from the context menu.

2. Locate the file containing the framework, GRC_5.3_Provisioning_Framework.mcc.

3. Choose "Open".

Make sure that "Import" is selected.

4. Select the "Advanced" tab and make sure that a dispatcher is selected for the imported jobs, as configured for the Identity Center.

5. Choose "Next >".

6. Choose "Import".

7. Choose "Finish" when the import is completed. Alternatively, choose "View logfile" before choosing "Finish" to view the details of the completed import.

The imported framework is added to the identity store:

The framework contains the following:

A sub-folder Utility tasks, which contains a number of utility tasks.

An ordered task group AC Validation (for more information, see the section AC Validation on page 30).

An ordered task group AC Polling (for more information, see the section AC Polling on page 37).

An ordered task group AC Callback Service, for future expansion (not currently available). For more information, see the section AC Callback Service on page 40.

In addition, when imported, the framework adds a set of scripts, variables and constants, and a repository definition GRC. For more information about the repository definition and its constants, see the section Configuring the repository definition on page 17.

Importing the service jobs

The service jobs are used for the initial load and other tasks that are not part of the provisioning framework itself. Two files are available:

AC_5.3_Initial_Load_Centralized_provisioning.dst

AC_5.3_Initial_Load_Distributed_provisioning.dst

It is recommended to import both files, but which one you need to use depends on which landscape configuration scenario you want to deploy.

To import the jobs, do the following:

1. Select the job folder where you want to add the service jobs. You can either use an existing folder or create one for this purpose.

Note: The name of the job folder may be " - jobs", e.g. " Enterprise People - GRC jobs".

Choose New/Run job wizard… from the context menu.

2. Choose "Next >" and then locate the file containing the initial load job, AC_5.3_Initial_Load_Centralized_provisioning.dst. Choose "Change folder…" to browse for the correct folder.

3. Choose "Next >".

Select the "GRC" repository definition imported previously.

4. Choose "Next >" and then "Finish" to complete the wizard.

5. Enable the job, select a dispatcher and choose "Apply".

6. Repeat the procedure above for the file AC_5.3_Initial_Load_Distributed_provisioning.dst.

Configuring the repository definition

When importing the GRC provisioning framework, a repository definition named GRC is created (it may be necessary to refresh the repository node in the Identity Center Management Console).

View the repository constants for the GRC repository definition and modify the constants.

Virtual Directory Server related parameters

These parameters define the values needed for successful communication with the Virtual Directory Server.

The following parameters have hard-coded values and should not be changed. If they are changed, the corresponding values in the Virtual Directory Server template must be changed accordingly:

Constant name                       Description
VDS2GRC_SUFFIX                      The top RDN of the virtual tree in the Virtual Directory Server. The default value is "o=grc".
VDS2GRC_BRANCH_AUDITLOG             The RDNs of the branches in the virtual tree of the Virtual Directory Server
VDS2GRC_BRANCH_REQUESTSTATUS        (one branch for each of the exposed web services).
VDS2GRC_BRANCH_RISKANALYSIS
VDS2GRC_BRANCH_ROLEDETAILS
VDS2GRC_BRANCH_SEARCHROLES
VDS2GRC_BRANCH_SELECTAPPLICATIONS
VDS2GRC_BRANCH_SUBMITREQUEST
VDS2GRC_BRANCH_PROVISIONINGLOG
VDS2GRC_BRANCH_REQUESTDETAILS

The following values must be configured. Use the values specified when configuring the Virtual Directory Server:

Constant name                       Description
VDS2GRC_HOST                        The host name or IP address of the Virtual Directory Server.
VDS2GRC_PORT                        The LDAP port which is used by the Virtual Directory Server.
VDS2GRC_LOGIN/VDS2GRC_PASSWORD      The credentials of the user that is used to log on to the Virtual Directory Server. The default value is grcuser/grcuser (user/password). These default credentials in the template can be modified in the configuration, as shown on page 7.


Request parameters

These parameters become part of the request sent to SAP BusinessObjects Access Control (the web service call SAPGRC_AC_IDM_SUBMITREQUEST):

Constant name       Description
GRC_MANAGER_ID      The user ID of an existing user in the SAP Application Server Java which runs SAP BusinessObjects Access Control. This user acts as the default approver for provisioning requests (hence it must have approval access rights in SAP BusinessObjects Access Control). The default value is NULL. See the section Setting the manager ID on page 33 in this document.
GRC_REASON          The default reason for the request. It is used only if the reason is not set by other means (see page 35).
GRC_COMPANY         The default company string. Make sure that this company exists in your Access Control configuration. Whether the GRC_COMPANY attribute is mandatory for a request or not depends on your Access Control configuration.
GRC_REQUESTOR_ID / GRC_REQUESTOR_EMAILADDRESS / GRC_REQUESTOR_FIRSTNAME / GRC_REQUESTOR_LASTNAME
                    Values of a valid user in the SAP Application Server Java which runs SAP BusinessObjects Access Control. If the values cannot be obtained from the user entry that executed the role assignment task, the default values configured on the repository definition are used. For more information, see the section Setting the requestor properties on page 35 in this document.


Run-time properties (tasks)

These parameters set the values that are necessary for the internal processing of the provisioning framework.

Constant name                   Description
MX_PRIV_GROUPING_RULE           3 (do not change). Only relevant for the distributed provisioning scenario. For more, see the section Grouping of privileges on page 28.
MX_PRIV_GROUPING_ATTRIBUTE      The name of the attribute whose value may be used for grouping, i.e. in addition to the other criteria, only privileges with an identical value of this attribute are grouped. Only relevant for the distributed provisioning scenario.
REPOSITORY_TYPE                 GRC (do not change).
MX_ADD_MEMBER_TASK              Holds the task ID of the task AC Validation from the GRC provisioning framework. The value is filled in automatically during the import of the GRC provisioning framework. Only relevant for the distributed provisioning scenario.
MX_DEL_MEMBER_TASK              Holds the task ID of the task AC Validation from the GRC provisioning framework (the same task as for MX_ADD_MEMBER_TASK). The value is filled in automatically during the import of the GRC provisioning framework. Only relevant for the distributed provisioning scenario.
MX_AC_POLLING_ENABLED           If this attribute is set to "1", the GRC provisioning framework will, after successfully sending a request to Access Control, invoke the polling process in order to obtain the result of the request. The task referenced by the attribute MX_AC_POLLING_TASK is executed.
MX_AC_POLLING_TASK              Holds the task to be executed during the polling process. See above.
MX_AC_FIX_SYSTEM_PRIVILEGES     Legal values for this attribute are:
                                0: Required for the centralized provisioning scenario, i.e. keeping track of the accounts in the target systems is the responsibility of the SAP Provisioning Framework.
                                1: Required for the distributed provisioning scenario, i.e. the GRC provisioning framework keeps track of accounts in the various target systems.
MX_AC_APPROVAL_SYSTEMACCOUNT    Holds the MSKEYVALUE of the user that is responsible for approvals generated by this framework. This user must not have any UI permissions for the Identity Management User Interface in the Identity Center. The user is created during the Initial Load(s).


Configuring the parameters in Virtual Directory Server (for future use: only if implementing event-based result handling)

When implementing the event-based result handling scenario (Call-back Services), the following parameters must be configured in the Virtual Directory Server (on the "Additional parameters" tab of the data source properties). Use the same values as specified in the Identity Center:

Constant name                   Description
ROLE_ASSIGNMENT_CALLBACK_TASK   For future use. Holds the task ID of the task AC Callback Service from the GRC provisioning framework. See more details about the task AC Callback Service on page 40.
ROLE_DEFINITION_CALLBACK_TASK   For future use.


Process description

In the following sections, three phases and their processes are described:

    Initialization

    Privilege assignment

    Task execution


Initialization process description

During this phase, the Identity Center obtains information about the environment managed by SAP BusinessObjects Access Control (managed systems and available roles). Appropriate Identity Management objects (privileges, applications) are created or enhanced, and stored in the identity store.

This is achieved by running one of the "Initial Load" jobs. The section below describes this process.

Running the "Initial Load" jobs

Before any provisioning or de-provisioning through the provisioning framework can be carried out, the framework must be initialized.

One of the following two jobs has to be executed:

AC 5.3 – Initial Load – Centralized provisioning

AC 5.3 – Initial Load – Distributed provisioning

Which one of the two jobs should be executed depends on which landscape configuration scenario (see page 2) is chosen.

The centralized provisioning scenario requires the AS ABAP – Initial Load job (from the SAP Provisioning Framework) to be executed first, before the job AC 5.3 – Initial Load – Centralized provisioning is executed. For the distributed provisioning scenario, only the job AC 5.3 – Initial Load – Distributed provisioning needs to be executed.

Initial load job for centralized provisioning scenario

For the centralized provisioning scenario, the following jobs must be executed in this order:

AS ABAP – Initial Load job from the SAP Provisioning Framework.

The job AC 5.3 – Initial Load – Centralized provisioning imported from the GRC provisioning framework.

Perform the initial load AS ABAP – Initial Load as described in the document SAP NetWeaver Identity Management Identity Management for SAP System Landscape: Configuration guide (see section 3.6 Performing the Initial Loads).


The imported AC 5.3 – Initial Load – Centralized provisioning job contains the following passes:

Get Applications From VDS: The information about applications managed by SAP BusinessObjects Access Control is obtained using the web service call getSystems. The information is stored in the local table sapGRCapplications.

Get Roles From VDS: For each application, the information about roles available in SAP BusinessObjects Access Control is obtained using the web service call getRoles. The information is stored in the local table sapGRCroles.

Enrich Role Privileges: The attributes needed by the provisioning framework are appended to the ABAP role privileges that correspond to the SAP BusinessObjects Access Control roles:

The script sap_matchACRoleToIdMPrivilege matches the SAP BusinessObjects Access Control roles to the SAP NetWeaver Identity Management privileges in the following way:

Try to find a privilege named PRIV:ROLE::.

If the step above fails, find a repository definition that holds a constant AC_APPLICATION_ID with a value that matches MX_APPLICATION_ID. Then try to find a privilege named PRIV:ROLE::.

To retrieve the DESCRIPTION attribute from SAP BusinessObjects Access Control, the attribute needs to be activated in the pass definitions. Also, in cases where SAP BusinessObjects Access Control only manages a subset of the back-end roles, the attributes MX_ADD_MEMBER_TASK and MX_DEL_MEMBER_TASK need to be activated and the task references added in the pass definitions.

Create AC System Account: Creates an account that is needed for the approval process triggered by the framework. For this purpose the MSKEYVALUE held by the attribute MX_AC_APPROVAL_SYSTEMACCOUNT on the repository definition GRC is used.


Initial load job for distributed provisioning scenario

For the distributed provisioning scenario, the AC 5.3 – Initial Load – Distributed provisioning job is required to be executed.

This job contains the following passes:

Get Applications From VDS: The information about applications managed by SAP BusinessObjects Access Control is obtained using the web service call getSystems. The information is stored in the local table sapGRCapplications.

Get Roles From VDS: For each application, the information about roles available in SAP BusinessObjects Access Control is obtained using the web service call getRoles. The information is stored in the local table sapGRCroles.

Create Application Privileges: Optional, and disabled by default. For each application, a corresponding MX_PRIVILEGE object is created in the identity store. For this, the following information is used:

Information from sapGRCapplications.

Name of the repository definition.

Note: These privileges are linked to the application object created in the pass above. MX_PRIVILEGE_TYPE of the created privileges is set to "GRC".

Create System Privileges for Applications: This pass creates a system application privilege that is added to all accounts provisioned to the application managed by SAP BusinessObjects Access Control. These are not real privileges and cannot be assigned like the other privileges.

Create Role Privileges: The pass creates MX_PRIVILEGE objects in the identity store, for each of the roles obtained from SAP BusinessObjects Access Control. For this, the following information is used:

Information from sapGRCroles.


    Name of the repository definition.

Create AC System Account: Creates an account that is needed for the approval process triggered by the framework. For this purpose the MSKEYVALUE held by the attribute MX_AC_APPROVAL_SYSTEMACCOUNT on the repository definition GRC is used.

Troubleshooting

If any problem occurs during the execution of the initial load jobs (or tasks and jobs in general), check the following:

Verify that the dispatcher is running and that it is enabled for the jobs.

Verify that all tasks and jobs are enabled.

Verify that the job has been defined for the given dispatcher.

Verify that the repository definition is defined on the tasks.

View the logs.

System log

Verify that the dispatcher has requested the given job.

Job log

View any error messages in the job log to see if you can find the cause of the problem.

Example 1:

Privilege could not be uniquely identified – an ABAP role exists with the same name as a profile:

The error indicates that a role object in Access Control could not be mapped to an ABAP role privilege or an ABAP profile privilege in Identity Management, because both a role and a profile exist with that name.

A solution is to perform the assignment manually, maintaining the following attributes through e.g. a task in the User Interface:

MX_AC_ROLEID: must contain the role name as in the Access Control system.

MX_APPLICATION_ID: must contain the same application name as in the Access Control system, of the application to which the object belongs.
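The matching logic of the Enrich Role Privileges pass (direct lookup, then fallback through a repository definition whose AC_APPLICATION_ID matches), together with the ambiguity error of Example 1, as an added example in JavaScript, the scripting language of the Identity Center. This is not the framework's own sap_matchACRoleToIdMPrivilege script: the privilege naming pattern PRIV:<ROLE|PROFILE>:<repository>:<name>, the privilege set and the repository definitions are assumptions constructed for illustration.

```javascript
// Added example, not the framework's sap_matchACRoleToIdMPrivilege script.
// Assumed naming pattern for privileges: PRIV:<ROLE|PROFILE>:<repository>:<name>.

// Constructed privileges of the identity store (MSKEYVALUE only). Note that
// SAP_ALL_DISPLAY exists both as a role and as a profile in ERPCLNT100.
const PRIVILEGES = new Set([
  "PRIV:ROLE:ERPCLNT100:SAP_FI_ACCOUNTANT",
  "PRIV:ROLE:ERPCLNT100:SAP_ALL_DISPLAY",
  "PRIV:PROFILE:ERPCLNT100:SAP_ALL_DISPLAY",
  "PRIV:ROLE:HRCLNT200:SAP_HR_ADMIN",
]);

// Constructed repository definitions with their AC_APPLICATION_ID constant.
const REPOSITORIES = [
  { name: "ERPCLNT100", AC_APPLICATION_ID: "ERP_PROD" },
  { name: "HRCLNT200",  AC_APPLICATION_ID: "HR_PROD" },
];

// Look up the role and the profile privilege for (repository, roleName).
// Returns the single match, null if none exists, and throws the error from
// Example 1 if both a role and a profile privilege carry that name.
function findPrivilege(privileges, repository, roleName) {
  const candidates = ["ROLE", "PROFILE"]
    .map((kind) => `PRIV:${kind}:${repository}:${roleName}`)
    .filter((name) => privileges.has(name));
  if (candidates.length > 1) {
    throw new Error(
      "Privilege could not be uniquely identified - an ABAP role exists " +
      "with the same name as a profile: " + roleName);
  }
  return candidates.length === 1 ? candidates[0] : null;
}

// acRole carries MX_AC_ROLEID and MX_APPLICATION_ID as loaded into sapGRCroles.
function matchACRoleToIdMPrivilege(privileges, repositories, acRole) {
  // Step 1: try the application ID itself as the repository part of the name.
  let match = findPrivilege(privileges, acRole.MX_APPLICATION_ID, acRole.MX_AC_ROLEID);
  if (match) return match;
  // Step 2: fall back to repository definitions whose AC_APPLICATION_ID
  // equals MX_APPLICATION_ID and retry with the repository name.
  for (const repo of repositories) {
    if (repo.AC_APPLICATION_ID !== acRole.MX_APPLICATION_ID) continue;
    match = findPrivilege(privileges, repo.name, acRole.MX_AC_ROLEID);
    if (match) return match;
  }
  return null; // "Privilege not found in the identity store" (Example 2)
}
```

A null result corresponds to Example 2 (run the AS ABAP initial load or update job first); the thrown error corresponds to Example 1, where the assignment has to be maintained manually with MX_AC_ROLEID and MX_APPLICATION_ID.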


Example 2:

Privilege not found in the identity store:

This error indicates that the role object loaded from the Access Control system is not present in the identity store. This can be solved by running either an initial load job or an update job for the AS ABAP system.

If you need to investigate a job more thoroughly, you can specify a different log file name for the job in the "Logging" tab of the job properties. You can also deselect the check box "Reset output file" to avoid overwriting the log file each time the job is run. This is useful when debugging a provisioning job that may be run several times in sequence.

If you need more logging information from a specific job, create a dedicated dispatcher and increase the log level in that dispatcher's .prop file. Specify that the job is to be run by this dispatcher. Make sure that the dispatcher service is not running, then start the dispatcher from the command line with the following command:

dispatcher_service_ test runonce

The job is then run once and a detailed log file is created.


Privilege assignment process description

In this section, the privilege assignment/de-assignment process is described.

The privileges are configured so that any assignment to an entry is treated as a pending assignment, which means that the privilege is not assigned to/removed from an entry until the request is sent to SAP BusinessObjects Access Control and an approval is received.

The following describes the process that takes place when a set of privileges is assigned/de-assigned on a certain user entry for the centralized provisioning scenario:

The administrator assigns a set of roles/privileges to a user, or an end-user requests a role/privilege assignment.

Note: Privileges that correspond to non-SAP repositories (or the SAP repositories that the Identity Center manages itself) normally start a provisioning process that is not a part of this description. Nevertheless, some of the privileges may correspond to the privileges obtained from SAP BusinessObjects Access Control in the bootstrapping phase.

For these privileges, Identity Management checks if the add member event task (or remove member event task, depending on the operation) is defined. If it is defined, Identity Management creates a pending object for each of the assigned (removed) privileges.

Identity Management checks the property "Grouping rule" (MX_PRIV_GROUPING_RULE) on the repository definition which the privileges belong to (GRC), and if necessary groups the pending objects.

Only one pending object in the group will actually trigger the provisioning process. The GRC provisioning framework is designed to process all pending objects in a group, and will create a single request to SAP BusinessObjects Access Control in which all assigned privileges are sent.


Grouping of privileges

Grouping of the privileges is done according to the grouping policy defined by the property "Grouping rule" (MX_PRIV_GROUPING_RULE) on the repository definition. Possible settings for this property are shown below ("Split on" means that pending objects with different values of that criterion are sent in separate requests):

Grouping policy   Split on back-end system   Split on operation type (add/remove)   Description
0                 -                          -                                      No grouping. Every pending object triggers the GRC provisioning framework and is sent in its own request to SAP BusinessObjects Access Control.
3                 No                         No                                     All pending objects, regardless of the operation and the system, are sent in the same request.
2                 Yes                        No                                     All operations to the same system are sent in the same request.
1                 Yes                        Yes                                    Different operations are not sent in the same request. Identical operations to different systems are not sent in the same request either. Multiple identical operations to the same system are grouped and sent in the same request.

Example (the number of the request each pending object is sent in, for each grouping policy):

Role   System   Operation   Policy 0   Policy 1   Policy 2   Policy 3
R1     SYS1     ADD         1          1          1          1
R2     SYS1     ADD         2          1          1          1
R3     SYS1     REMOVE      3          2          1          1
R4     SYS1     REMOVE      4          2          1          1
R5     SYS2     ADD         5          3          2          1
R6     SYS2     ADD         6          3          2          1
R7     SYS2     REMOVE      7          4          2          1
R8     SYS2     REMOVE      8          4          2          1

Number of requests          8          4          2          1
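The grouping rule above, as an added JavaScript example (the scripting language of the Identity Center). It is not code from the GRC provisioning framework; the pending objects and the COSTCENTER attribute used to illustrate MX_PRIV_GROUPING_ATTRIBUTE are constructed here, and the pending object that comes first in each request is taken as the leading one. The example reproduces the request numbers of the table for policies 0 to 3 and additionally shows the effect of the grouping attribute.

```javascript
// Added example, not code from the GRC provisioning framework: grouping of
// pending objects by MX_PRIV_GROUPING_RULE (and optionally by
// MX_PRIV_GROUPING_ATTRIBUTE). Pending objects below are constructed.

// Constructed pending objects: AC role, target system, operation, and the
// attributes of the privilege that may be used for attribute-based grouping.
const PENDING = [
  { role: "R1", system: "SYS1", op: "ADD",    attrs: { COSTCENTER: "CC1" } },
  { role: "R2", system: "SYS1", op: "ADD",    attrs: { COSTCENTER: "CC1" } },
  { role: "R3", system: "SYS1", op: "REMOVE", attrs: { COSTCENTER: "CC1" } },
  { role: "R4", system: "SYS1", op: "REMOVE", attrs: { COSTCENTER: "CC1" } },
  { role: "R5", system: "SYS2", op: "ADD",    attrs: { COSTCENTER: "CC1" } },
  { role: "R6", system: "SYS2", op: "ADD",    attrs: { COSTCENTER: "CC1" } },
  { role: "R7", system: "SYS2", op: "REMOVE", attrs: { COSTCENTER: "CC1" } },
  { role: "R8", system: "SYS2", op: "REMOVE", attrs: { COSTCENTER: "CC2" } },
];

// Split criteria per grouping policy (MX_PRIV_GROUPING_RULE), from the table.
const POLICY = {
  0: null,                                    // no grouping at all
  1: { bySystem: true,  byOperation: true },
  2: { bySystem: true,  byOperation: false },
  3: { bySystem: false, byOperation: false },
};

// Key that two pending objects must share to land in the same request.
function groupKey(obj, split, groupingAttribute) {
  const parts = [];
  if (split.bySystem) parts.push("sys=" + obj.system);
  if (split.byOperation) parts.push("op=" + obj.op);
  if (groupingAttribute) {
    parts.push(groupingAttribute + "=" + (obj.attrs[groupingAttribute] || ""));
  }
  return parts.join("|");
}

// Returns the requests to send to Access Control: one array of pending
// objects per request, in order of first appearance. The first object of
// each array is the leading pending object that triggers the framework.
function groupPending(pending, policy, groupingAttribute) {
  const split = POLICY[policy];
  if (split === undefined) throw new Error("unknown grouping policy " + policy);
  if (split === null) return pending.map((p) => [p]);
  const groups = new Map();
  for (const p of pending) {
    const key = groupKey(p, split, groupingAttribute);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(p);
  }
  return Array.from(groups.values());
}

// The leading pending object decides the dynamic properties of the request.
function leadingObject(request) {
  return request[0];
}

// Request number per role, as shown in the example table above.
function requestNumbers(pending, policy, groupingAttribute) {
  const numbers = {};
  groupPending(pending, policy, groupingAttribute).forEach((request, i) => {
    for (const p of request) numbers[p.role] = i + 1;
  });
  return numbers;
}

// Reproduces the "Number of requests" row of the table: 8, 4, 2, 1.
function requestCounts(pending) {
  return [0, 1, 2, 3].map((policy) => groupPending(pending, policy).length);
}
```

With COSTCENTER as grouping attribute, policy 3 yields two requests instead of one, because R8 differs from the others in that attribute; this is the additional criterion MX_PRIV_GROUPING_ATTRIBUTE adds on top of the policy.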

The consequence of grouping

Because pending objects are grouped, all critical parameters of the request must be settable dynamically.

Most decisions about these critical request parameters may be taken based on the properties of the privilege being provisioned. Each privilege in a group may have different relevant properties, so a single value that is valid for the whole request may not exist.


In the GRC provisioning framework, the properties of the leading privilege (pending object) of the group, i.e. the one that actually triggers the provisioning process, decide the dynamic properties of the request. This may not always fit the customer's expectations. In that case, the GRC provisioning framework must be adapted explicitly, i.e. the scripts that implement the dynamic behavior have to be tailored accordingly.


Task execution process description

This section describes the execution process of the tasks in the GRC provisioning framework.

AC Validation

Upon the assignment/de-assignment of the SAP BusinessObjects Access Control privileges, Identity Management executes the defined add member event task/remove member event task.

Independently of the selected scenario (centralized/distributed), the same task is configured for both properties (i.e. the same task is executed for both assignment and de-assignment of privileges). This task is AC Validation, an ordered task group:

The task group AC Validation consists of three tasks:

Fix PVO

Prepare AC Request

Perform Risk Check

It also configures a specific chain result action:

If any of the tasks in the chain results in an error, the task Skip Pending On Group is executed. It uses the script sap_skipPendingOnGroup and removes all pending objects in the particular pending object group without applying them to the user.

Fix PVO

This task is a part of the task group AC Validation and calls a script to make sure that the links are defined by the MXREF_... attribute, both when adding/removing a privilege/role to/from a user and when adding/removing a user to/from a privilege/role, giving the same pending value object and referenced object in both cases.


Prepare AC Request

This task is a part of the task group AC Validation and uses the script sap_prepareRiskCheckExecution to:

extract all relevant information from the pending object group.

store this information in context variables that are used by tasks in a later processing phase.

The following context variables may be of interest when creating custom scripts as mentioned on page 34:

Variable name                           Description
GRCROLEIDLIST                           The list of roles approved by SAP BusinessObjects Access Control. Format: [email protected], ...
PENDINGMSKEY                            The MSKEY of the pending object (the leading one in the group).
PENDINGUSERMSKEY                        The MSKEY of the user entry that the privilege(s) is/are assigned to.
PENDINGPRIVILEGEMSKEY                   The MSKEY of the privilege(s) assigned.
GROUP_PENDINGMSKEY_PRIVILEGEMSKEYS      The list of all MSKEYs in the group.
GROUP_DISTINCT_APPLICATIONS             The list of all application IDs, for all privileges in the group.
MX_AC_OVERALLSTATUS                     For the Call-back Service result handling scenario.
MX_AC_OVERALLREASON                     For the Call-back Service result handling scenario.


Perform Risk Check

The task Perform Risk Check is a part of the task group AC Validation. After a successful execution of the task Prepare AC Request, the framework has all information needed to start the process of constructing an AC request.

This is performed by an ordered task group, Perform Risk Check:

Set IdM Approver

The task Set IdM Approver is a part of the ordered task group Perform Risk Check. The pass sets the approver for the task:

The approver set for the task is just a placeholder for the approval process in the SAP BusinessObjects Access Control system. The system account has no Identity Management User Interface permissions in the Identity Center.

Submit AC Request

This is a major task in the task group Perform Risk Check and it is responsible for preparing the information that is sent to the Virtual Directory Server (which in turn executes a SAPGRC_AC_IDM_SUBMITREQUEST web service call and sends this information to SAP BusinessObjects Access Control).


If the request is accepted, SAP BusinessObjects Access Control responds with the request ID, which is stored by the Virtual Directory Server in the context variable MX_GRC_REQUEST_ID.

In the section below, it is explained how some of the important parameters that are submitted in the request are calculated and filled in. The typical Identity Management pass that sends the information to the Virtual Directory Server, which in turn creates the request to SAP BusinessObjects Access Control, looks like this:

Common parameters

DN: Identifier in the console (virtual) tree. The parameter triggers the creation and sending of the web service call SAPGRC_AC_IDM_SUBMITREQUEST.

Changetype: Internal attribute, used for internal processing in the Virtual Directory Server.

Internal attributes for the Virtual Directory Server

MSKEYVALUE, ISID, AUDITID: Internal attributes, used for internal processing in the Virtual Directory Server.

GRC_OPERATION: Automatically set by the GRC provisioning framework.

Attributes for SAP BusinessObjects Access Control

FIRSTNAME, LASTNAME, EMAILADDRESS, TELEPHONE: values sent in the SAP BusinessObjects Access Control request. Obtained from the user's entry in the identity store.

Setting the manager ID

This is only relevant if the web service Submit Request requires the manager ID parameter, i.e. if the manager user is responsible for approving the request on the SAP BusinessObjects Access Control side. The value NULL is also allowed, in which case the request is forwarded to the default manager.


Whether the manager user is defined as approver or not depends on the configuration of the SAP BusinessObjects Access Control system.

The repository definition of the GRC provisioning framework defines the default manager ID (GRC_MANAGER_ID) that may be used by the task mentioned above (optionally NULL):

The GRC provisioning framework uses the following algorithm to set the value of this parameter:

Script sap_grc_getManager

The script receives three parameters:

1. Output of the script custom_getManager.

2. Output of the script sap_getUserManager. The script checks if the user object contains the property MX_MANAGER, and gets the MSKEYVALUE of the referenced entry if it is defined.

3. The manager ID configured on the repository definition GRC.

The first of these three that returns a value (other than an empty string) is used.

Request properties

All valid requests submitted to SAP BusinessObjects Access Control (SAPGRC_AC_IDM_SUBMITREQUEST) have the following three properties:

REQUEST_TYPE

REQUEST_PRIORITY

REQUEST_EMPLOYEETYPE

The GRC provisioning framework uses the following algorithm to set the values for these parameters:

1. For each of the parameters, the corresponding script (custom_set) is executed. This is an extension point, since the script can return a value based on any customer/proprietary algorithm. This is for example useful if various parameters are to be sent by Identity Management and custom logic is required to decide on the value to choose. See the list of some of the relevant context variables on page 31.

2. If no value is returned by the script, then no value is sent to the Virtual Directory Server. In that case, the Virtual Directory Server sets the values based on the default set of values configured on the GRC Submit Request (SAPGRC_AC_IDM_SUBMITREQUEST) data source in the Virtual Directory Server configuration.


Setting the requestor properties

The web service Submit Request requires the requestor ID (and optionally the requestor properties), i.e. the identity of the user that performed the role assignment.

The repository definition of the GRC provisioning framework defines the following default requestor properties that may be used by the task mentioned above:

The GRC provisioning framework uses the following algorithm to set the values for these parameters:

Script sap_grc_getRequestorValue

This script takes two parameters:

1. The attribute name of the parameter whose value is obtained from the user entry that executed the role assignment task.

2. The appropriate default value that is configured on the repository definition.

The output of this script (hence the parameter value used) is the value of that attribute if the GRC provisioning framework was able to read it from the user entry, or the default value if determining the attribute value was not possible.

Setting the reason

The web service Submit Request has an optional reason parameter. The setting of this parameter is performed using the script sap_setRequestReason.

Script sap_setRequestReason

This script takes one parameter: the default reason configured on the repository definition GRC. If any of the assigned privileges have an assignment reason configured, the script retrieves these and creates a single reason string that is returned and used in the request sent to SAP BusinessObjects Access Control.

If this is not the case, the default reason (the script parameter) is returned (see page 18).
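The fallback orders for the manager ID, the request properties, the requestor properties and the reason described in the sections above, as one added JavaScript example. This is not the framework's own sap_grc_getManager, sap_grc_getRequestorValue or sap_setRequestReason code: the identity store, the attribute names MX_MANAGER, MX_FIRSTNAME, MX_LASTNAME and MX_MAIL_PRIMARY, the custom_* hook results, the way assignment reasons are joined, and the repository constant values are assumptions constructed for illustration.

```javascript
// Added example, not code from the GRC provisioning framework. Identity store
// entries, attribute names and the custom_* hooks are constructed/assumed.

// Constructed identity store: MSKEY -> entry attributes. MX_MANAGER holds the
// MSKEY of the manager entry (assumed representation).
const STORE = {
  1001: { MSKEYVALUE: "JDOE",   MX_FIRSTNAME: "John", MX_LASTNAME: "Doe",
          MX_MAIL_PRIMARY: "" },                       // requestor, no e-mail
  1002: { MSKEYVALUE: "MSMITH", MX_FIRSTNAME: "Mary", MX_LASTNAME: "Smith",
          MX_MAIL_PRIMARY: "mary.smith@example.invalid" },
  1003: { MSKEYVALUE: "ALEE",   MX_FIRSTNAME: "Ann",  MX_LASTNAME: "Lee",
          MX_MAIL_PRIMARY: "ann.lee@example.invalid", MX_MANAGER: 1002 },
};

// Constructed values of the constants on the GRC repository definition.
const GRC = {
  GRC_MANAGER_ID: "GRCADMIN",
  GRC_REASON: "Requested through Identity Management",
  GRC_COMPANY: "ACME",
  GRC_REQUESTOR_ID: "IDMSYSTEM",
  GRC_REQUESTOR_EMAILADDRESS: "idm@example.invalid",
  GRC_REQUESTOR_FIRSTNAME: "IdM",
  GRC_REQUESTOR_LASTNAME: "System",
};

const nonEmpty = (v) => typeof v === "string" && v.length > 0;

// sap_getUserManager: MSKEYVALUE of the entry referenced by MX_MANAGER, else "".
function getUserManager(store, userMskey) {
  const user = store[userMskey];
  const manager = user && user.MX_MANAGER !== undefined ? store[user.MX_MANAGER] : undefined;
  return manager ? manager.MSKEYVALUE : "";
}

// sap_grc_getManager: first non-empty of custom hook, user's manager, default.
// null stands for NULL: Access Control forwards the request to its default manager.
function getManagerId(customManager, store, userMskey, constants) {
  const candidates = [customManager, getUserManager(store, userMskey), constants.GRC_MANAGER_ID];
  for (const c of candidates) if (nonEmpty(c)) return c;
  return null;
}

// sap_grc_getRequestorValue: attribute of the requestor's entry, else the default.
function getRequestorValue(entry, attrName, defaultValue) {
  return entry && nonEmpty(entry[attrName]) ? entry[attrName] : defaultValue;
}

// sap_setRequestReason: reasons of the assigned privileges joined into one
// string (joining with "; " is an assumption), else the default reason.
function setRequestReason(privileges, defaultReason) {
  const reasons = privileges.map((p) => p.reason).filter(nonEmpty);
  return reasons.length > 0 ? reasons.join("; ") : defaultReason;
}

// REQUEST_TYPE, REQUEST_PRIORITY, REQUEST_EMPLOYEETYPE: value from the
// custom_set<NAME> hook if it returns one; otherwise the property is omitted
// so that the Virtual Directory Server applies its configured default.
function requestProperties(hooks) {
  const out = {};
  for (const name of ["REQUEST_TYPE", "REQUEST_PRIORITY", "REQUEST_EMPLOYEETYPE"]) {
    const value = hooks[name] ? hooks[name]() : "";
    if (nonEmpty(value)) out[name] = value;
  }
  return out;
}

// Assembles the Access Control related attributes of a submit request.
function buildSubmitRequest(store, requestorMskey, targetUserMskey, privileges, hooks, constants) {
  const requestor = store[requestorMskey];
  const customManager = hooks.custom_getManager ? hooks.custom_getManager() : "";
  return {
    MANAGER: getManagerId(customManager, store, targetUserMskey, constants),
    REQUESTOR_ID: getRequestorValue(requestor, "MSKEYVALUE", constants.GRC_REQUESTOR_ID),
    REQUESTOR_EMAILADDRESS: getRequestorValue(requestor, "MX_MAIL_PRIMARY", constants.GRC_REQUESTOR_EMAILADDRESS),
    REQUESTOR_FIRSTNAME: getRequestorValue(requestor, "MX_FIRSTNAME", constants.GRC_REQUESTOR_FIRSTNAME),
    REQUESTOR_LASTNAME: getRequestorValue(requestor, "MX_LASTNAME", constants.GRC_REQUESTOR_LASTNAME),
    REASON: setRequestReason(privileges, constants.GRC_REASON),
    COMPANY: constants.GRC_COMPANY,
    ...requestProperties(hooks),
  };
}
```

Note that a requestor entry with an empty e-mail address silently falls back to the repository default (GRC_REQUESTOR_EMAILADDRESS), so the audit trail on the Access Control side then shows the technical default rather than the person who made the assignment; keep the requestor attributes populated if that matters for your review process.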

Mandatory attributes

Each of the request types mentioned above may have a set of mandatory attributes that must be sent in the request.

The GRC provisioning framework must obtain valid values for these mandatory attributes. The concept is illustrated using the attribute COMPANY, an optional attribute that may be sent to SAP BusinessObjects Access Control. If multiple attributes are needed, each has to be configured separately.


These are recommendations for configuring/obtaining proper attribute values:

If there is a single attribute value that fits all SAP BusinessObjects Access Control requests, configure it as a repository constant (see COMPANY in the existing GRC provisioning framework).

If the value varies with the requestor, obtain the value from the user's entry (see DEPARTMENT).

If the value varies with the role that is provisioned, create a script that retrieves the proper value from the role property.

Parameter considerations for request submission

To define the "Submit AC Request" parameters in Identity Management correctly, you need to know the corresponding parameters defined on the SAP BusinessObjects Access Control side:

Make sure that the mandatory parameters (e.g. e-mail address) are defined in the "Submit AC Request" on the Identity Management side.

When a request (with the defined parameters) is received by SAP BusinessObjects Access Control, it triggers the specific workflow designed to manage requests with that particular condition. An initiator defines a precise request condition, and identifies the single, unique workflow designed to handle the defined type of request.


    Initiators and workflows function as matched pairs. Each initiator can call only one workflow,and each workflow can be called by one initiator.

Write RequestId and opt. Start Polling

The task Write RequestId and opt. Start Polling is part of the ordered task group Perform Risk Check.

The pass calls the script sap_grc_WriteRequestId2PVO to retrieve the request ID from a context variable (MX_GRC_REQUEST_ID as of SAP NW Identity Management 7.1 SP4, GRC_REQUEST_ID in earlier versions) and save it to MX_AC_REQUESTID on a pending value object.

It then checks the attribute MX_AC_POLLING_ENABLED of the assigned privilege (defined on the repository definition of the privilege). If this attribute is set and polling is enabled, the attribute MX_AC_POLLING_TASK is read and the referenced task is executed. Otherwise (if the attribute is not set), the call-back service is enabled and used, and the task stops.

Risk Validation

The Risk Validation is an approval task and is part of the ordered task group Perform Risk Check.

When you configure an approval task, you use the "Approval" tab to configure whether the task requires an approval and who is to grant this approval. To do this you specify one or more approval rules defining who is responsible for handling approval requests.


The approval task has two sub-nodes, "Approve" and "Decline". The tasks under the "Approve" node are executed when the request is approved, and the tasks under the "Decline" node are executed if the request is declined:

Approve:

The task Apply Pending On Group – approved only is executed if the request is approved. It retrieves the value of the attribute MX_AC_RESULT from a pending value object (obtained either by polling or by the call-back service, depending on the result handling scenario) and applies the approved privileges only.

Depending on the setting of the repository definition constant FIX_SYSTEM_PRIVILEGES, the tasks that handle account existence for access control are either executed (when the constant value is "1") or not (for any other value of the constant).

Decline:

The task Skip Pending On Group is executed if the request is declined.

The same task is executed if the approval fails (e.g. because of a timeout or some other reason). It is configured on the "Result handling" tab of the Risk Validation task, where it is referenced by "Execute task on Failed result":

AC Polling

This is an ordered group of tasks, containing two tasks:

Read Status

Check Status

Read Status

This task polls SAP BusinessObjects Access Control for the result using the value of the context variable MX_GRC_REQUEST_ID. Polling continues until:

SAP BusinessObjects Access Control has processed the request (i.e. its state, as read by getAuditLog, changes to "CLOSED"). The obtained status is stored in the context variable GRCSTATUS, which is used in the next phase. Possible values are "OK" and "FAILED".


Check Status

This task processes the status obtained by the task Read Status:

In case of "FAILED", or any status other than "OK", the task DeclineRequest is executed.

In case of "OK", it is possible that only a subset of the roles sent to SAP BusinessObjects Access Control are actually approved. To obtain this information, a pass (Request Details) with a call to the script sap_grc_requestDetails is executed. It returns a list of the privileges that are actually approved. This list is stored in the context variable GRCROLEIDLIST. The pass … or … Read Provision Log with the call to the script sap_grc_readProvisioningLog is disabled by default (it is used instead of the pass Request Details for versions prior to SAP BusinessObjects Access Control 5.3 SP9). The task Write Role Result to PVO stores the contents of the context variables GRCSTATUS and GRCROLEIDLIST on a pending value object. After the request is approved (task ApproveRequest), the GRC provisioning framework applies only the privileges (from the pending object group) that are approved and does not apply any others.

Timeouts

This section describes how to align the timeout setting of the approval task Risk Validation with the retry interval of the Read Status pass. The goal is proper error handling in case the request is not approved within a defined period of time. To achieve this, the approval timeout should match the total retry window. The following default values are configured in the GRC provisioning framework:

The approval task Risk Validation has a default timeout of 5 days:

The retry setting of the Read Status pass is accordingly defined as 1440 retries, every 5 minutes:

In addition, the appropriate settings on the SAP BusinessObjects Access Control side are needed. See section Timeouts and stale requests on page 41 for more information.
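As an added example, not code from the guide or from the GRC provisioning framework, the following JavaScript models the Read Status and Check Status tasks described above as a small simulation against a constructed stand-in for SAP BusinessObjects Access Control, and adds the check a practitioner wants for the Timeouts section: that the retry budget of the Read Status pass (1440 retries every 5 minutes) actually covers the 5-day approval timeout of Risk Validation, so the poll does not give up before the approval does. The stub functions `auditLog` and `requestDetails`, the request ID and privilege IDs, and the return shapes are all assumptions constructed for this example; the status values "OK", "FAILED" and "CLOSED" and the default numbers are the ones the guide gives.

```javascript
// Added example (not the framework's own code): Read Status / Check Status
// as a simulation, plus an alignment check for the polling budget.
// The AC stub, request IDs and privilege IDs are constructed assumptions.

// Default values stated in the guide.
const DEFAULT_APPROVAL_TIMEOUT_MINUTES = 5 * 24 * 60; // Risk Validation: 5 days
const DEFAULT_RETRIES = 1440;                          // Read Status pass
const DEFAULT_RETRY_INTERVAL_MINUTES = 5;

// True when the total polling window is at least as long as the approval
// timeout. A shorter window means Read Status stops polling while the
// approval is still open, and the result is never written to the PVO.
function pollingCoversApproval(retries, intervalMinutes, approvalTimeoutMinutes) {
  return retries * intervalMinutes >= approvalTimeoutMinutes;
}

// Read Status: poll the audit log for the request until its state is CLOSED
// or the retry budget is exhausted. `auditLog` is (requestId) -> {state, status}
// and stands in for the getAuditLog call. Returns the GRCSTATUS value, or
// "TIMEOUT" when the request was not closed within the budget.
function readStatus(auditLog, requestId, retries) {
  for (let attempt = 0; attempt < retries; attempt++) {
    const entry = auditLog(requestId);
    if (entry && entry.state === "CLOSED") {
      return entry.status === "OK" ? "OK" : "FAILED";
    }
  }
  return "TIMEOUT";
}

// Check Status: anything but "OK" declines the request. On "OK" only the
// privileges reported as approved (GRCROLEIDLIST) are applied; the rest of
// the pending object group is skipped.
// `requestDetails` is (requestId) -> array of approved privilege IDs.
function checkStatus(grcStatus, requestId, requestDetails, pendingGroup) {
  if (grcStatus !== "OK") {
    return { action: "DeclineRequest", apply: [], skip: pendingGroup.slice() };
  }
  const approved = new Set(requestDetails(requestId));
  return {
    action: "ApproveRequest",
    apply: pendingGroup.filter((id) => approved.has(id)),
    skip: pendingGroup.filter((id) => !approved.has(id))
  };
}

// Constructed stub of SAP BusinessObjects Access Control: the request stays
// open for the first two polls, then closes with status OK and only one of
// the two requested privileges approved.
function makeSampleAc() {
  let polls = 0;
  const closedAfter = 2;
  return {
    auditLog(requestId) {
      polls++;
      if (requestId !== "REQ-0001") return null;
      return polls > closedAfter ? { state: "CLOSED", status: "OK" } : { state: "OPEN", status: "" };
    },
    requestDetails(requestId) {
      return requestId === "REQ-0001" ? ["PRIV:SAP_FI_AP"] : [];
    },
    get polls() { return polls; }
  };
}

// Usage: run the sample request through both tasks with the default budget.
function runSampleScenario() {
  const ac = makeSampleAc();
  const pending = ["PRIV:SAP_FI_AP", "PRIV:SAP_FI_GL"];
  const status = readStatus(ac.auditLog, "REQ-0001", DEFAULT_RETRIES);
  const result = checkStatus(status, "REQ-0001", ac.requestDetails, pending);
  return { status, result, polls: ac.polls };
}
```

Treating "TIMEOUT" like any other non-"OK" status matches the guide's Decline branch: when the approval fails because of a timeout, the same Skip Pending On Group task runs, so nothing from the pending group is applied.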


AC Callback Service

This is an ordered group of tasks, containing two tasks:

Prepare Callback Service execution

External Result

This ordered task group is reserved for future expansion.


Timeouts and stale requests

There is a configuration option in SAP BusinessObjects Access Control that allows the user to close older requests that have been waiting for an approver for a long period of time (stale requests). This configuration should be aligned with the timeout settings configured in the GRC provisioning framework, described in section Timeouts on page 39.

For more information about the configuration of stale requests, see section Stale Requests in the document SAP GRC Access Control 5.3 – Configuration Guide available on SDN (https://websmp203.sap-ag.de/~sapdownload/011000358700001913042008E).


Limitations/tuning of the framework

The following may be adjusted in the framework:

The GRC provisioning framework is built around the smallest set of attributes required in a SAPGRC_AC_IDM_SUBMITREQUEST web service call. Submitting additional attributes requires configuring them as custom attributes on the SAP BusinessObjects Access Control side and adding them to the relevant task(s)/pass(es) of the GRC provisioning framework.

See section Mandatory attributes on page 35.

The SAPGRC_AC_IDM_SUBMITREQUEST web service call includes the following information: request type, priority and employee type. The values that SAP NetWeaver Identity Management uses when executing this call have to be aligned with the values configured in SAP BusinessObjects Access Control.

See section Setting the requestor properties on page 35.

The following limitations apply to the GRC provisioning framework:

Obtaining information about managed systems and roles has to be done regularly; there is no automatic process for this.

A change to the SAP NetWeaver Identity Management request (so-called remediation) is limited to removing items. It is not possible to add new roles on the SAP BusinessObjects Access Control side.


SAP NetWeaver® Identity Management Compliant provisioning using SAP BusinessObjects Access Control Configuration guide

Preface
Table of contents
Introduction
    Integration scenarios
    Landscape configuration scenarios
    Result handling scenarios
The configuration process
    Adding the Virtual Directory Server configuration
        Setting the access credentials
        Starting the server
        Testing the configuration
        Logging in with LDP
        Performing a search
    Extending the Identity Center identity store schema
    Adding the GRC provisioning framework to the Identity Center
        Preparing the Identity Center
        Specifying import options
        Importing the GRC provisioning framework
        Importing the service jobs
        Configuring the repository definition
        Virtual Directory Server related parameters
        Request parameters
        Run-time properties (tasks)
    Configuring the parameters in Virtual Directory Server (for future use: only if implementing event-based result handling)
Process description
    Initialization process description
        Running the "Initial Load" jobs
        Initial load job for centralized provisioning scenario
        Initial load job for distributed provisioning scenario
        Troubleshooting
    Privilege assignment process description
        Privilege assignment process description
        Grouping of privileges
        The consequence of grouping
    Task execution process description
        AC Validation
        Fix PVO
        Prepare AC Request
        Perform Risk Check
        Set IdM Approver
        Submit AC Request
            Common parameters
            Internal attributes for the Virtual Directory Server
            Attributes for SAP BusinessObjects Access Control
            Setting the manager ID
            Request properties
            Setting the requestor properties
            Setting the reason
            Mandatory attributes
            Parameter considerations for request submission
        Write RequestId and opt. Start Polling
        Risk Validation
        AC Polling
            Read Status
            Check Status
            Timeouts
        AC Callback Service
Timeouts and stale requests
Limitations/tuning of the framework