SAP GRC 12.0 – ADDING ADDITIONAL SYSTEMS TO PROVISIONING ENVIRONMENT

In this blog post, you will learn how to add additional system(s) to the provisioning environment in SAP GRC 12.0.

Recently, I was asked if it would be possible to add another environment (system) in SAP GRC Access Request as part of Provisioning Environment. So I thought of checking it out to see if it can be done.

By default, SAP Access will give you four options for Provisioning Environment:

  1. ALL
  2. Production
  3. Development
  4. Testing

Requirement: Add the Sandbox system to the above list so that users can be provisioned only to the sandbox system.

Access request Provisioning Environment list

Note: No code change or enhancement (BADI / User Exit) is required

To achieve this, you need the help of an ABAP developer and of someone with an S-user ID that has authorization to register object keys on the support.sap.com portal:

  • Object keys for Domain GRAC_SYS_TYPE and GRAC_ENVNNT

After you get the object keys for the two domains, you can have the ABAP developer add the Sandbox System

Add the value SBX – Sandbox to the domain GRAC_SYS_TYPE

Domain GRAC_SYS_TYPE

Add the value SBX – Sandbox to the domain GRAC_ENVNNT

Note: This may not be needed. But since this also has the environments list, we added the system to this domain too

Domain GRAC_ENVNNT

After the domains are updated, activate screen 0011 (including screen painter layout) in Function Group GRAC_AD_MAINTAIN of program SAPLGRAC_AD_MAINTAIN

Go to transaction SE80 and enter Function Group GRAC_AD_MAINTAIN of program SAPLGRAC_AD_MAINTAIN

Select screen 0011

Function Group GRAC_AD_MAINTAIN

Click on the Activate icon

Next, click on the Layout button to bring up the screen painter screen

Function Group GRAC_AD_MAINTAIN Screen 0011

Click on the Activate icon

Update the Maintain Connector Setting and assign the Sandbox under Environment column for your sandbox connector

Go to SPRO –> SAP REFERENCE IMG –> GOVERNANCE, RISK AND COMPLIANCE –> ACCESS CONTROL –> MAINTAIN CONNECTOR SETTINGS

Add or update the connector entry of your Sandbox system

Maintain Connector Settings

After mapping the target connector to the sandbox environment, save the configuration change.

You will be prompted to include the change in a transport request. Please create a transport so that the changes can be transported.

Update view GRACV_ENRONMENT list with sandbox entry

View GRACV_ENRONMENT

You will be prompted to include the change in a transport request. Please create a transport so that the changes can be transported.

Validate these changes by submitting an access request to provision a user to the Sandbox system

In our example, the FE1 system (Connector FE2CLNT001) is our sandbox system

Maintain Connector Settings

But before we submit the request, let us verify that the user ID TESTUSERSBX2 that we want to create does not exist in the FE1 system

Validating User before submitting access request – SU01

Go to NWBC and submit an access request to provision the user in the Sandbox system

Access Request Submission

Click on the Submit button to submit the request

Access Request

Note: If you have a workflow set up for provisioning users, please have the request approved.

Now let us go to FE1 and check if the user ID was created

User Provisioning Validation – 1

The role(s) will be assigned too

User Provisioning Validation – 2

The steps described in this blog above are also described in the video below:

To summarize, to add additional systems to the provisioning environment list, the following activities need to be performed:

  1. Register object keys for domains GRAC_SYS_TYPE and GRAC_ENVNNT
  2. Activate screen 0011 in Function Group GRAC_AD_MAINTAIN of program SAPLGRAC_AD_MAINTAIN
  3. Activate screen 0011 layout
  4. Update the Maintain Connector Setting and assign the Sandbox under Environment column for your sandbox connector
  5. Update view GRACV_ENRONMENT list with sandbox entry
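
A read-only check for the two domain changes, worth running after the transport is imported or after an upgrade, because modifications to SAP-delivered dictionary objects can be left inactive or reset. This ABAP report is an added example, not code from the original post or from SAP; the report name Z_CHECK_GRAC_ENV_VALUES is an assumption, and it only reads the standard dictionary tables DD07L and DD07T.

```abap
REPORT z_check_grac_env_values.
" Added example (not SAP-delivered code). Read-only check that the
" fixed value SBX exists and is active in both domains from this post.
" The report name is an assumption; DD07L/DD07T are standard DDIC tables.

CONSTANTS gc_value TYPE domvalue_l VALUE 'SBX'.

DATA lt_domains TYPE STANDARD TABLE OF domname WITH EMPTY KEY.
DATA lv_state   TYPE as4local.
DATA lv_text    TYPE val_text.

lt_domains = VALUE #( ( 'GRAC_SYS_TYPE' ) ( 'GRAC_ENVNNT' ) ).

LOOP AT lt_domains INTO DATA(lv_domain).
  CLEAR: lv_state, lv_text.

  " AS4LOCAL = 'A' is the active version of a fixed value.
  SELECT SINGLE as4local FROM dd07l INTO @lv_state
    WHERE domname = @lv_domain AND domvalue_l = @gc_value AND as4local = 'A'.

  IF sy-subrc <> 0.
    " Any other version means the value was saved but the domain was not activated.
    SELECT SINGLE as4local FROM dd07l INTO @lv_state
      WHERE domname = @lv_domain AND domvalue_l = @gc_value.
    IF sy-subrc = 0.
      WRITE: / lv_domain, gc_value, 'saved but not active, version', lv_state.
    ELSE.
      WRITE: / lv_domain, gc_value, 'missing'.
    ENDIF.
    CONTINUE.
  ENDIF.

  " Short text in the logon language.
  SELECT SINGLE ddtext FROM dd07t INTO @lv_text
    WHERE domname = @lv_domain AND ddlanguage = @sy-langu
      AND as4local = 'A' AND domvalue_l = @gc_value.
  IF sy-subrc <> 0.
    WRITE: / lv_domain, gc_value, 'active, no text in logon language'.
  ELSE.
    WRITE: / lv_domain, gc_value, 'active, text:', lv_text.
  ENDIF.
ENDLOOP.
```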

The idea of adding an additional system to the provisioning list seemed interesting to me and prompted me to check the possibility of implementing it. It also opens up the idea for a provisioning setup where you can provision and deprovision user IDs specifically in individual systems in your SAP landscape via SAP GRC Access Request Management.

I hope you will find the idea interesting too.

Any feedback, thoughts and comments on this topic are welcome.