
8/30/2019 How the GRC Provisioning Framework works | SAP Blogs


Former Member
April 12, 2011 4 minute read

How the GRC Provisioning Framework works



For quite a while now I have had the impression that the GRC provisioning framework is used quite heavily, and that it might
be worth publishing something about it in a blog post, because I work a lot with it myself and I find it hard to
understand and, more importantly, hard to debug.
So I will share some explanations with the readers of SDN here in this post.
I am not going to rephrase the installation documentation, how you need to instrument repositories and
perform initial loads. My starting point is the add member task setting on a repository:

https://blogs.sap.com/2011/04/12/how-the-grc-provisioning-framework-works/ 1/7

I had already discussed the add member task setting in an earlier post (the link now only reads “The specified item was not found.”). The only
difference is that in that post I had set the MX_ADD_MEMBER_TASK attribute on a role, whereas here it is set
on the repository. When it comes to privileges, it makes no difference whether the approval task is configured
on the privilege itself or on the repository the privilege is linked to.
So let’s focus on what happens in this approval task. One of the things that makes the GRC provisioning framework
hard to understand is the fact that it uses a huge number of scripts. I will try to describe the big picture a bit; however, I
am not going to discuss the purpose of every single task in the tree.
Let’s recap a bit. I had explained in that earlier post (link now broken: “The specified item was not found.”) that if you configure the add member task,
role or privilege assignments result in the creation of a pending value. That pending value is then
sent into the task configured as add member task: AC Validation in this case.

Somewhere down the road, the GRC provisioning framework will send an LDAP request to the VDS with a lot of
information and the VDS will submit a WebService call to GRC. This web service call will create a GRC request
and the approver / risk analyzer will see the request in his/her inbox.


What you see in the screenshot is the toLDAP pass that submits the data to the VDS. Here I’d like to discuss
a few things. First of all, what happens up to this point is preparation work that is not so important if you are trying to
get the big picture. What is important is that the user might have requested several privileges, but only one
pending value goes into the AC Validation workflow. This is a built-in concept called privilege grouping. Privilege
grouping means that some pending values are grouped together because they are considered one single
request. Just as you wouldn’t want to bother an approver with 3 individual requests instead of one
request containing the 3 roles (at least if they were requested together), you want to send the 3 roles
as a whole to GRC.
SAP ID Mgmt groups the pending values by an attribute called MX_PRIV_GROUPING_GUID. The pending values
that belong to one group share the same value.

In the above screenshot you can see that ROLEDATA is computed by a function call. If you look into these
functions you will find that the grouping GUID is used to find the roles the user is requesting. Here is one snippet:


This snippet is taken from the function sap_getPendingMsKeysInGroup which is being called in the preparation
task Prepare AC Request which is called directly before the Perform Risk Check task group. This preparation
task sets the context variable GROUP_PENDINGMSKEYS_PRIVILEGEMSKEYS. This variable (as the name
indicates it contains the pending value mskeys and privilege mskeys of the group) is then used to compute the
list of roles that is to be sent to Access Control in the request.

So much for pending values and grouping. The tricky part is when something goes wrong. If you request 3
privileges in some Request Privilege IdM UI, the status of your privileges will be displayed as pending until an
approver in GRC approves and IdM applies the pending values. But if, for example, GRC is down or something fails on the
network, no approver in GRC will ever see the request. What happens to the pending values? They need to be
cleaned up. Maybe you say “OK, I have some inconsistent data in the DB, but can’t I just reapply for the
privileges once the network problem is solved?”. Unfortunately not. Until the pending values are
deleted, the user won’t be able to reapply. If he does, nothing will happen. And nobody will be notified that there
is something wrong. Fortunately, there is an error handler which automatically cleans up the pending value if
something goes wrong. But I have seen many cases where this did not work properly. The pending values
stayed in the system until somebody deleted them – and until then, they created a lot of confusion.

Fortunately, there is one relatively easy way to mitigate this. You can write a simple report about all pending
values in the system. If all goes well, pending values are deleted from mxi_values, so the risk that the report will
grow too big is pretty low (if it does anyway, then you have another problem you should address first). With some
easy filtering you should be able to exclude all pending values that do not relate to GRC (for example
those pending values that deal with values that become valid in the future; see the earlier post whose link now reads “The specified item was not
found.”).
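As an added illustration of the two ideas above (grouping pending values by MX_PRIV_GROUPING_GUID into one request, and reporting pending values that look stuck), here is a small Python model. It is not code from the post or from the framework; the record layout, field names and sample data are constructed assumptions standing in for the real mxi_values rows.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of pending privilege assignments. Field names are assumptions
# for illustration, not the real mxi_values column names.
NOW = datetime(2011, 4, 12, 12, 0)
PENDING = [
    {"pending_mskey": 9001, "user": "jdoe", "priv_mskey": 501, "priv": "PRIV:SAP:Z_FI_AP",
     "group_guid": "g-1", "valid_from": None, "created": NOW - timedelta(hours=30)},
    {"pending_mskey": 9002, "user": "jdoe", "priv_mskey": 502, "priv": "PRIV:SAP:Z_FI_AR",
     "group_guid": "g-1", "valid_from": None, "created": NOW - timedelta(hours=30)},
    {"pending_mskey": 9003, "user": "jdoe", "priv_mskey": 503, "priv": "PRIV:SAP:Z_MM_PO",
     "group_guid": "g-1", "valid_from": None, "created": NOW - timedelta(hours=30)},
    {"pending_mskey": 9010, "user": "asmith", "priv_mskey": 601, "priv": "PRIV:SAP:Z_HR_VIEW",
     "group_guid": "g-2", "valid_from": None, "created": NOW - timedelta(hours=1)},
    # Future-dated assignment: not a GRC request, only waiting for its validity date.
    {"pending_mskey": 9020, "user": "bwong", "priv_mskey": 701, "priv": "PRIV:SAP:Z_SD_SO",
     "group_guid": "g-3", "valid_from": NOW + timedelta(days=10), "created": NOW - timedelta(days=5)},
]

def group_pending(values):
    """Group pending values by their grouping GUID, the way the post describes
    sap_getPendingMsKeysInGroup doing it: one group becomes one GRC request and
    carries the pending-value mskeys plus the privilege mskeys of that group."""
    groups = defaultdict(lambda: {"user": None, "pending_mskeys": [],
                                  "privilege_mskeys": [], "oldest": None})
    for v in values:
        g = groups[v["group_guid"]]
        g["user"] = v["user"]
        g["pending_mskeys"].append(v["pending_mskey"])
        g["privilege_mskeys"].append(v["priv_mskey"])
        g["oldest"] = v["created"] if g["oldest"] is None else min(g["oldest"], v["created"])
    return dict(groups)

def stale_grc_groups(values, now=NOW, max_age=timedelta(hours=24)):
    """The 'simple report': groups that have been pending longer than max_age.
    Values that only become valid in the future are filtered out first, since
    they are not GRC requests and would otherwise produce false alarms."""
    grc_only = [v for v in values if v["valid_from"] is None or v["valid_from"] <= now]
    return {guid: g for guid, g in group_pending(grc_only).items()
            if now - g["oldest"] > max_age}

if __name__ == "__main__":
    for guid, g in stale_grc_groups(PENDING).items():
        print(guid, g["user"], g["pending_mskeys"], g["privilege_mskeys"])
```

Only the 30-hour-old group g-1 is reported; g-2 is recent and g-3 is merely future-dated.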

I hope you liked this post. If I find the time, I’ll post a blog about how to deal with GRC integration and business
roles.

8 Comments


Former Member

December 9, 2012 at 12:30 pm


Hi,

I’m very interested in getting our IDM business roles into GRC AC by only generating 1 request per business
role. At the moment I am only able to generate 1 request per privilege.

Should I look at MX_PRIV_GROUPING_RULE and MX_PRIV_GROUPING_ATTRIBUTE?

Thanks,
Gerhard


Former Member | Post author

April 4, 2013 at 9:21 am


Sorry if I’m replying late. Sounds like yes, the grouping is not configured correctly.


Former Member

January 22, 2013 at 10:05 pm


Hi Kai,

Great post, any chance you could do part 2 on how the VDS to GRC part works as although we use it, if I’m
honest, I don’t know how it works!

Cheers,

Ian


Former Member | Post author

April 4, 2013 at 9:23 am



Hi Ian,

I think you already saw I published part 2 (click here).

Cheers

Kai


Former Member

April 5, 2013 at 9:44 am


I did see part 2 and I loved it, thanks for contributing.


Murali Shanmugham

March 8, 2013 at 6:39 am


Kai,

Great Blog. This does really provide an insight as to what is happening internally.

Cheers,

Murali


Dilip Jaiswal

January 22, 2014 at 12:58 pm


Thank you for posting such a nice blog.


Jaya Kumar

November 28, 2014 at 7:44 am



Hi Kai,

Very informative and useful blog.

Thank you for sharing information.

Regards,

Jaya
