Mismatch in SAP GRC Entitlement values in SailPoint vs Target system

verma14 · September 10, 2025, 8:25am

Which IIQ version are you inquiring about?

8.4p2

Please share any images or screenshots, if relevant.

Share all details about your problem, including any error messages you may have received.

Hi all, we have noticed a strange behavior with SAP GRC application in all our environments, there is a mismatch between the values in Entitlement catalog in IIQ vs SAP GRC export.

The Entitlement (attribute: Roles) have same display name, but the value is different in IIQ vs SAP system, and we have noticed this for all our environments. Anyone has any idea why this is happening?

For Example: there is an Entitlement in Entitlement catalog for Application SAP GRC named “ZSGRAC.S.T:GRC_BASE_REQ”, for this, the value (Role ID) is “005056A05FD01EDEB0BEEDA99FCF2260” in SAP end, but the entitlement value is “005056A05FD01EEEB0C9066A1CAE520F” in SailPoint.

vinnysail · September 13, 2025, 7:32pm

Hi @verma14

If this entitlement has come to sailpoint via aggregation task, please enable more logging when the task is running to print the full resource object then you can all details that will help when you are discoing with SAP team.

Riyazuddin99 · September 15, 2025, 6:09am

Hello @verma14 ,

can you show the application schema configuration page for the role/groups.

thanks
riyazuddin

Riyazuddin99 · September 15, 2025, 6:13am

kindly try to set this setting in the application configuration for the sap grc application in your application.

value is something which is the unique id in both the application.

and display name will be one which is use to display the information on the entitlement page.

please me know if any additional information is needed

verma14 · September 15, 2025, 12:29pm

@Riyazuddin99 here is the schema for group, but my ques is, the entitlement value should always match with target, the display name can be anything as that is an editable field in IIQ. Since SailPoint is pulling data from SAP, then it should match to what’s there in the target system.

verma14 · September 15, 2025, 12:31pm

sure @vinnysail , I will try to enable the aggregator logs to see what’s printing there

vinnysail · September 15, 2025, 3:05pm

Hi @verma14,

you can also run the below IIQ console command whats the resource object that you get from the connector

verma14 · September 19, 2025, 7:35am

After enabling the SAP loggers, I ran the aggregation and it seems both values might be coming from SAP end but as per the application team, only “005056A05FD01EEEAFF655755D1B4BA4” exists on their end and in sailpoint we see “005056A05FD01EDC9EE18F926046C82F” as the entitlement value

Any idea why is there 2 values coming? or if anyone knows about the table Sailpoint pulls data from SAP GRC?

2025-09-15T12:18:46,858 TRACE https-jsse-nio-8443-exec-61 connector.sapgrc.dto.Role:78 - Entering : Arguments => 005056A05FD01EDC9EE18F926046C82F, null, 005056A05FD01EEEAFF655755D1B4BA4

vinnysail · September 19, 2025, 9:43am

Hi @verma14

Can you share the screenshot of this entitlement from entitlement catalog

Also can you run the connector debug IIQ console get group command from the screenshot on and that I shared before

verma14 · September 26, 2025, 1:35pm

Hi @vinnysail , apologies for the delayed response, please find the screenshot and connector debug output below
For the Same Display value we have different values “005056A05FD01EEEB0C9066A1CAE520F” which we see in IIQ and “005056A05FD01EDEB0BEEDA99FCF2260” which the SAP team sees on their end, and we see this behavior only for entitlement which SAP specifies as “Technical Roles” it’s not happening for “Business Roles”, the values are matching for those

> connectorDebug “SAP GRC” get group PR1CLNT101N/005056A05FD01EEEB0C9066A1CAE520F2025-09-26T09:25:48,512  WARN main sailpoint.connector.SAPGRCConnector:949 - CON_SAPGRC_RESPECT_FILTER flag is : false2025-09-26T09:25:48,589  WARN main connector.sapgrc.service.SAPGRCConnectorService:314 - Selected SailPoint function module: /SAILPOIN/SAIL_READ_TABLE2025-09-26T09:25:49,166  WARN main connector.sapgrc.service.SAPGRCConnectorService:316 - Using RFC_READ_TABLE

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE ResourceObject PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<ResourceObject displayName="PR1CLNT101N/ZSGRAC.S.T:GRC_BASE_REQ" identity="PR1CLNT101N/005056A05FD01EEEB0C9066A1CAE520F" objectType="group">   <Attributes>     <Map>       <entry key="Business Process" value="GRC"/>       <entry key="Description" value="GRC:Base Role for FF Requestors"/>       <entry key="Landscape" value="SAP_S4HANA"/>       <entry key="Role Desc" value="GRC:Base Role for FF Requestors"/>       <entry key="Role Name" value="ZSGRAC.S.T:GRC_BASE_REQ"/>       <entry key="Role Owner"/>       <entry key="Role Status" value="PRD"/>       <entry key="Role Type" value="SIN"/>       <entry key="Role Type Desc" value="Single Role"/>       <entry key="Role UUID" value="PR1CLNT101N/005056A05FD01EEEB0C9066A1CAE520F"/>       <entry key="Sub Process" value="GRC"/>       <entry key="System" value="PR1CLNT101N"/>     </Map>   </Attributes> </ResourceObject>

> connectorDebug “SAP GRC” get group 005056A05FD01EDEB0BEEDA99FCF22602025-09-26T09:26:28,558  WARN main sailpoint.connector.SAPGRCConnector:949 - CON_SAPGRC_RESPECT_FILTER flag is : false2025-09-26T09:26:28,635  WARN main connector.sapgrc.service.SAPGRCConnectorService:314 - Selected SailPoint function module: /SAILPOIN/SAIL_READ_TABLE2025-09-26T09:26:29,172  WARN main connector.sapgrc.service.SAPGRCConnectorService:316 - Using RFC_READ_TABLE

<?xml version='1.0' encoding='UTF-8'?>

<!DOCTYPE ResourceObject PUBLIC "sailpoint.dtd" "sailpoint.dtd">

<ResourceObject displayName="PR1CLNT101N/ZSGRAC.S.T:GRC_BASE_REQ" identity="PR1CLNT101N/005056A05FD01EDEB0BEEDA99FCF2260" objectType="group">
  <Attributes>
    <Map>
      <entry key="Business Process" value="GRC"/>
      <entry key="Description" value="GRC:Base Role for FF Requestors"/>
      <entry key="Landscape" value="SAP_S4HANA"/>
      <entry key="Role Desc" value="GRC:Base Role for FF Requestors"/>
      <entry key="Role Name" value="ZSGRAC.S.T:GRC_BASE_REQ"/>
      <entry key="Role Owner"/>
      <entry key="Role Status" value="PRD"/>
      <entry key="Role Type" value="SIN"/>
      <entry key="Role Type Desc" value="Single Role"/>
      <entry key="Role UUID" value="PR1CLNT101N/005056A05FD01EDEB0BEEDA99FCF2260"/>
      <entry key="Sub Process" value="GRC"/>
      <entry key="System" value="PR1CLNT101N"/>
    </Map>
  </Attributes>
</ResourceObject>

vinnysail · September 26, 2025, 5:26pm

Thanks for checking the command. This is the resource object that you get from SAP system. You need to check with the SAP team and understand more details.

system · November 25, 2025, 5:26pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SAP Direct connector Entitlements are not provisioned when User Account is created on SAP side first IIQ Discussion and Questions identityiq , provisioning	5	98	January 6, 2026
Entitlement does not appear after aggregation ISC Discussion and Questions aggregation , identity-security-cloud , entitlements	4	180	August 4, 2024
Cross-source Entitlement Mapping ISC Discussion and Questions identity-security-cloud , correlation , entitlements , sources	4	76	May 24, 2025
SAP GRC Entitlement aggregation is failing ISC Discussion and Questions aggregation , identity-security-cloud	14	1147	August 21, 2023
SAP GRC Role aggregation incomplete ISC Discussion and Questions aggregation , identity-security-cloud	3	590	August 11, 2023

Mismatch in SAP GRC Entitlement values in SailPoint vs Target system

Which IIQ version are you inquiring about?

Please share any images or screenshots, if relevant.

Share all details about your problem, including any error messages you may have received.

Related topics