Mismatch in assigned roles SAP GRC connector

I have an integration between IDN using the SAP GRC connector and an SAP GRC system that serves as governance for other SAP applications (referred to as satellites by the client). The issue lies in the inconsistency between the accounts read by SAP GRC for the ARIBACIG2 system (corresponding to SAP ARIBA governed through the SAP GRC source in the client’s integration). The inconsistency arises because some roles are missing in certain accounts.

For example, the account USUARIO1 has 4 permissions related to SAP ARIBA. However, in the export generated by the SAP team on the SAP GRC source side, it is indicated that the same account USUARIO1 has 5 roles. After analyzing the account, I did not find errors in the VA, nor do I see any issues from the IDN side. Nevertheless, the client insists that this account should have 5 roles, and these roles should appear in IDN.

For now, I have advised the client to check the GRACUSER and GRACUSERCONN tables (to verify the account’s existence) and to review GRACROLE and GRACRLCONN. The client claims everything is correct.

As I understand it, the process for retrieving roles for accounts involves the following steps:

  1. Retrieve the account ID from GRACUSER.
  2. Check connected systems through GRACUSERCONN.
  3. Finally, navigate to GRACROLE and GRACRLCONN to locate the roles corresponding to that account.

Additionally, there is an extra step where IDN performs some sort of role verification.

So far, I cannot pinpoint the root cause of this issue. The client insists that everything is correct on the GRC side. However, the SAP GRC source system has multiple connected systems (around 15 systems), and while some discrepancies exist, these usually involve test roles or accounts with no significant impact. For almost all systems, there are no conflicts. This issue is only occurring with SAP ARIBA.

I am aware that the client has some kind of integration with SAP IAG, which then synchronizes with SAP GRC to populate the tables from which IDN reads data.

Questions:

  1. Are there any additional resources I can suggest to the client to help them identify what they should review?
  2. Is the process I described for reviewing SAP GRC correct to ensure that the GRC tables are populated with the latest information?
  3. Is there additional information about how the SAP GRC connector works?

Current Challenges:

This integration is quite complex, and we have encountered multiple incidents. It has required extensive research online since SailPoint does not provide much documentation regarding this integration.

Any additional information about the connector and how it works is welcome.

Note: According to the client, the synchronization jobs were executed correctly. Currently, the discrepancy mentioned is quite significant between IDN/ISC and the SAP GRC source system (reading roles and accounts from SAP ARIBA through GRC).
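An added example, not part of the original post and not SailPoint or SAP code: one way to turn the "4 roles versus 5 roles" comparison for USUARIO1 into an exact per-account diff for the ARIBACIG2 connector, so the missing role can be named and traced on the GRC side. The CSV layouts, column names and ROLE_* values are constructed assumptions, not the GRC table schema or an IDN export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data; column names are assumptions, not the GRC table schema.
GRC_EXPORT = """user,connector,role
USUARIO1,ARIBACIG2,ROLE_A
USUARIO1,ARIBACIG2,ROLE_B
USUARIO1,ARIBACIG2,ROLE_C
USUARIO1,ARIBACIG2,ROLE_D
USUARIO1,ARIBACIG2,ROLE_E
usuario2 ,ARIBACIG2,ROLE_A
USUARIO1,OTHERSYS,ROLE_X
"""
IDN_EXPORT = """account,connector,entitlement
USUARIO1,ARIBACIG2,ROLE_A
USUARIO1,ARIBACIG2,ROLE_B
USUARIO1,ARIBACIG2,role_c
USUARIO1,ARIBACIG2,ROLE_D
USUARIO2,ARIBACIG2,ROLE_A
USUARIO3,ARIBACIG2,ROLE_A
"""

def load(text, user_col, role_col, connector):
    """Return {account: {roles}} for one connector, normalizing case and whitespace."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        if row["connector"].strip().upper() != connector.upper():
            continue  # ignore the other connected systems
        roles[row[user_col].strip().upper()].add(row[role_col].strip().upper())
    return roles

def reconcile(grc_text, idn_text, connector):
    """List per-account differences between the GRC export and the IDN aggregation."""
    grc = load(grc_text, "user", "role", connector)
    idn = load(idn_text, "account", "entitlement", connector)
    report = {}
    for account in sorted(set(grc) | set(idn)):
        missing = sorted(grc.get(account, set()) - idn.get(account, set()))
        extra = sorted(idn.get(account, set()) - grc.get(account, set()))
        if missing or extra:  # accounts that match exactly are left out
            report[account] = {"missing_in_idn": missing, "extra_in_idn": extra}
    return report

if __name__ == "__main__":
    for account, diff in reconcile(GRC_EXPORT, IDN_EXPORT, "ARIBACIG2").items():
        print(account, diff)
```

Normalizing case and whitespace before comparing keeps formatting differences between the two exports from showing up as false mismatches, so only real gaps remain in the report.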
