Accounts deletion during account aggregation in SAP GRC connector

Identity Security Cloud (ISC) ISC Discussion and Questions
,
1

Hi Everyone,

We have configured SAP GRC connector, during account aggregation few accounts are getting deleted even though they are existing in target system side. What might be the root cause for this. Can any one please provide your thoughts on this.

Thanks

2

There could be multiple reasons for this. Can you validate if the sync between sailpoint tables is completed. Can you validate if the records are present in GRACUSER and GRACUSERCONN tables. You need to also validate the native identity case when you are checking in these tables.

3

Hi @udayputta ,

Can you please help us what you meant by validating “sync between sailpoint tables is completed”.

Thanks,
Prathyusha

4

Hi @prathyusha730 ,

There might be couple of checks you can do,

  • Verify the systems you are connecting and if there is a dependency in the GRC systems Ex: does the user have to present in all the systems for an external system to detect?)
  • Sometimes connectivity or performance issues between IdentityNow and SAP GRC could cause incomplete data retrieval.
  • Check if any filters are applied on the connector configuration
  • As GRC can behave a bit complex at times, raising a SailPoint support ticket in parallel might be helpful as well!
  • Enable the connector logs and see if the cog has captured any traffic regarding this issue!

Hope this helps! troubleshoot the issue!

1 Like
5

Yes sure, we had a scenario which we over came with SailPoint help. To understand the problem first let me go with the tables in SAP GRC.
In SAP GRC there are two tables GRACUSER and GRACUSERCONN. GRACUSER table will have data entry of user account from the priority system, check what is the priority system at your client, usually it might be LDAP. In GRACUSERCONN table there will be data entry of all the SAP systems users.​
GRACUSERCONN table will have the user ids (native identity) in all upper case. GRACUSER table can have user ids (native identity) in mixed case. So, when aggregation starts SailPoint will pick up the user id from GRACUSER table and search for entries in GRACUSERCONN table. In our integration SailPoint was considering the user ids as case sensitive (before the fix) and was failing to find the records from GRACUSERCONN table.
We got it resolved and I believe SailPoint is using case insensitivity while searching for the records to find the user accounts from GRACUSERCONN. I am not sure if you are facing the same problem.
If you have access to SAP GRC check these things and raise a ticket to SailPoint for them to validate too.

6

Hi @udayputta and @Prashanth0707

Thanks for your responses, We have checked at SAP GRC side, that there is no mismatch between user id (native identity) in GRCUSER and GRCUSERCONN table. is there any other alternative approaches are there to debug this issue.

Thanks