SAP GRC Access Management logs

Hello colleagues,

We are working on a SAP GRC implementation; at this time it is not with “risk analysis” but with “Access Management”. We are trying to gather all the entitlements in the application, and we are not receiving all the entitlements loaded in SAP.
We can see that we do not have any filter added in the task or in the application, but even so, many entitlements are missing (Ariba, SAC, Concur…).
Please, how could we know the SailPoint call or the XML that SailPoint is sending to SAP to gather all the entitlements?
We are trying with this log:
logger.sapgrc.name=sailpoint.connector.SAPGRCConnector
logger.sapgrc.level=trace

Should we add some logs?
Which call or XML is SailPoint sending to SAP?

We will be thankful for any recommendation.

Thank you so much.

The logger you have configured seems to be the correct one. If the logger does not provide the API call details you are looking for, then you might be able to record which API calls are being made by installing an HTTP traffic analysis tool.

1 Like

Hello @paulo_urcid
Could you give me some tips to install and work with an HTTP traffic analysis tool?
Which one could I install?

Thank you so much for your response.

Wireshark is one tool that you could use.

2 Likes

@LewisSPoint1

To see the full interaction, you could also enable logging for the sailpoint.connector.sapgrc classes, such as SAPGRCConnectorService, SAPGRCRFCServiceProvider & SAPGRCSDKService.

Be prepared for massive logs if you enable trace logging. Configuring a rolling log rotation with compression is recommended.

Also make sure that the SAP GRC Synchronization jobs are being executed by the SAP administrators and that the synch jobs complete without errors. The SAP GRC Connector in Access Management mode uses both SAP JCO RFCs and the SAP GRC Web Service endpoints GRAC_ROLE_DETAILS_WS and GRAC_SEARCH_ROLES_WS to gather role and user account details.

I recently had a similar challenge where the SAP administrators did not run synchronization jobs for all their SAP GRC connected SAP systems and also had NPEs in the connector because of some corrupt/broken SAP GRC table data that was not maintained properly.
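
A sketch of the trace logging with rolling, compressed rotation suggested in the reply above, as an added example that is not part of the original thread or SailPoint's own configuration. It assumes the Log4j 2 properties format used by the logger lines in the question; the appender name, file paths, size limit and retention count are placeholders, and the package-level logger assumes the classes named above live under sailpoint.connector.sapgrc.

```properties
# Dedicated rolling file for SAP GRC connector traces (names and paths are placeholders).
appender.sapgrc.type=RollingFile
appender.sapgrc.name=sapgrcTrace
appender.sapgrc.fileName=/path/to/logs/sapgrc-trace.log
# A .gz suffix in filePattern makes Log4j 2 compress each rolled file.
appender.sapgrc.filePattern=/path/to/logs/sapgrc-trace-%d{yyyy-MM-dd}-%i.log.gz
appender.sapgrc.layout.type=PatternLayout
appender.sapgrc.layout.pattern=%d{ISO8601} %5p %t %c{4}:%L - %m%n
# Roll when the active file reaches the size limit.
appender.sapgrc.policies.type=Policies
appender.sapgrc.policies.size.type=SizeBasedTriggeringPolicy
appender.sapgrc.policies.size.size=50MB
# Keep at most 10 rolled files per day pattern so trace output cannot fill the disk.
appender.sapgrc.strategy.type=DefaultRolloverStrategy
appender.sapgrc.strategy.max=10

# Connector class from the original question.
logger.sapgrc.name=sailpoint.connector.SAPGRCConnector
logger.sapgrc.level=trace
logger.sapgrc.additivity=false
logger.sapgrc.appenderRef.file.ref=sapgrcTrace

# Package-level logger covering SAPGRCConnectorService, SAPGRCRFCServiceProvider
# and SAPGRCSDKService (package name taken from the reply above).
logger.sapgrcpkg.name=sailpoint.connector.sapgrc
logger.sapgrcpkg.level=trace
logger.sapgrcpkg.additivity=false
logger.sapgrcpkg.appenderRef.file.ref=sapgrcTrace
```

Setting additivity to false keeps the trace output out of the main application log. Connector traces can include account and role data, so the log directory should be readable only by the service account and the loggers set back to their previous level once the capture is done.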