Initially as a Security consultant and then Architect I have used and implemented SAP GRC Access Control tool for user provisioning and creation along with many other features for most of the SAP and some Non-SAP landscapes. SAP came out with new strategy for GRC AC and after Success Factors they will not extend standard integration of GRC AC with any new SAP cloud product.
As an alternative or new way SAP came with a new tool called Identity Access Governance (IAG)- which is kind of Cloud version of GRC AC with less more flexible and without GRC AC MSMP engine. The SAP Cloud Identity Access Governance solution (IAG) is built on the SAP Cloud Platform and it uses SAP NetWeaver APIs to fetch data from target systems and perform multiple actions.
There are many SAP customers like us who have GRC AC setup as their primary provisioning tool and with new cloud systems not part of standard GRC integration this is a big challenge. Also, moving completely from GRC AC is a long-term process.
To resolve this SAP came up with a new licensing type of IAG called “IAG-GRC Bridge”- This allows us to still use GRC AC as our primary provisioning tool by integrating GRC and IAG and then IAG will integrate with Cloud application to perform the provisioning.
This part of Blog will provide detailed Configuration steps required for Integrating IAG with ARIBA Cloud Application only.
In this blog I will go through the steps to Integrate GRC AC with IAG Bridge Integration with ARIBA. When we say SAP Cloud IAG integrates with SAP Ariba, it natively integrates with Ariba Buying (and Invoicing) module, and from there if the applications are suite integrated, it will also integrate the users and authorizations to Strategic Sourcing Suite applications too. and this is ideally the Best Practice too.
The IAG Integration Flow:
The technical communication between IAG and Ariba is based on SOAP API calls. IAG reads the users from Ariba via MDNI by accessing the fetchUsers and fetchGroups locations specified in the destination. IAG sends via MDNI provisioning requests (users creation request/authorization assignment operations) to SAP Ariba at the location defined under uploadXMLUserData.
I have broadly defined the Integration into 5 step process and will go through them:
- Complete the integration process for SAP Cloud Identity Access Governance and target cloud application, for instance, SAP Ariba.
- In the SAP Cloud Identity Access Governance launchpad, sync the repository data from target app to the IAG repository.
- Complete the integration process for the SAP Access Control on-premises system and SAP Cloud Identity Access Governance.
- In the SAP Access Control system, sync the repository data from the IAG repository to the SAP Access Control system.
- In the SAP Access Control system, create access requests for target cloud application.
- Complete the integration process for SAP Cloud Identity Access Governanceand target cloud application, for instance, SAP Ariba.
- In the SAP Cloud Platform, set up destination for the SAP Ariba solution.
click Connectivity->Destinations, and then click New Destination.
SAP BTP Destination Config.(Setup below properties):
|User:||Create User in AribaEnd Point Configuration|
|Password:||Password of above created user|
|apiKey||Generate the API key with your ARIBA DSC Contact|
|tenantId||AN-Id provided as part of the Ariba system|
Observation: In Cloud Integration with IAG this is very common that when you test connection it errors out but this works.
- Create an instance for SAP Ariba in the Systems app in IAG Launchpad
2. Sync User Data and Provision Access Requests
Open the Job Scheduler app. In the Job Category dropdown, schedule the Repository Sync job.
This is 2 part configuration steps 1 and 2 which is explained above allows the User Data to be synced from ARIBA to IAG.The next steps will be how to sync Data from IAG to GRC.