SAP GRC System Attribute

Hello Sailors,

We are currently developing an SAP GRC application in Access Management mode on version 8.1p3. We are having difficulty understanding how the ‘System’ account attribute is intended to be used. Here is our current understanding:

  • The ‘System’ attribute is required and used in two places when transforming the provisioning plan into a SOAP request.
    • It is used as the ‘ReqInitSystem’ attribute in ‘RequestHeaderData’.
    • It is set as its own create account ‘item’ in ‘RequestedLineItem’, meaning an account will be created on the system.
  • The ‘System’ attribute is aggregated as the connector/source with the highest sequence (priority) maintained in the data source configuration from SPRO.

We concluded this based on the following generated SOAP payload that was extracted from IIQ logs when requesting a business role for a new account. No ‘System’ value was used in the create provisioning policy, and we can see nulls in the two places mentioned above.

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style">
  <soapenv:Body>
    <urn:GracIdmUsrAccsReqServices>
      <RequestHeaderData>
        <Reqtype>001</Reqtype>
        <Priority>006</Priority>
        <ReqInitSystem>null</ReqInitSystem>
        <Requestorid>(stripped)</Requestorid>
        <Email>(stripped)</Email>
        <RequestReason>Create user request from identityIQ</RequestReason>
        <Bproc>basis</Bproc>
      </RequestHeaderData>
      <RequestedLineItem>
        <item>
          <ItemName>null</ItemName>
          <Connector>null</Connector>
          <ProvItemType>SYS</ProvItemType>
          <ValidFrom>20220414</ValidFrom>
          <ValidTo>99991231</ValidTo>
          <ProvAction>001</ProvAction>
        </item>
        <item>
          <ItemName>TEST - UT - DISPLAY</ItemName>
          <Connector></Connector>
          <ProvItemType>ROL</ProvItemType>
          <ValidFrom>20220414</ValidFrom>
          <ValidTo>99991231</ValidTo>
          <ProvAction>006</ProvAction>
          <RoleType>BUS</RoleType>
        </item>
      </RequestedLineItem>
      <UserInfo>
        <item>
          <Email>[email protected]</Email>
          <Lname>Tester</Lname>
          <Userid>TEST001</Userid>
          <Fname>John</Fname>
          <Manager>(stripped)</Manager>
          <UserGroup>SECURITY</UserGroup>
        </item>
      </UserInfo>
    </urn:GracIdmUsrAccsReqServices>
  </soapenv:Body>
</soapenv:Envelope>

So based on this understanding we have a few questions:

  1. Is it intended that the request initiation system should always be a system associated with the requested role?
  2. If the request initiation system SHOULD always be associated with the requested role and the requested role is a business role that has multiple sub-systems, how do we know which one to use as the initiation system? From our testing it appears only the highest priority system works as the initiation system, or we get an ‘Invalid request initiation system’ error.
  3. If the request initiation system SHOULD NOT always be associated with the requested role (for example, using the GRC system itself), then is it true that the request will always result in an account being created on that system as well? We do not want to always create accounts on GRC due to licensing.

Best,
Alex

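The post reads the generated request for the two spots where the account's ‘System’ attribute lands: ReqInitSystem in the header, and the line item with ProvItemType SYS. The script below is an added example, not code from the post, from SailPoint, or from SAP: it parses a GracIdmUsrAccsReqServices envelope as IIQ logs it, treats the literal string "null" (which IIQ writes for an unset attribute) and an empty element as missing, and reports the cases the post describes, plus a mismatch between ReqInitSystem and the SYS item, which follows from the post's reading that one attribute feeds both fields. The sample payloads are constructed from the one in the post; the connector names "ECC_CLNT100" and "GRC_CLNT100" are assumed, not real system IDs.

```python
"""Check an IIQ-generated SAP GRC access request for a missing 'System' attribute.

Added example; not from the original post, SailPoint, or SAP. Assumes the
envelope shape shown in the post (SOAP 1.1, urn:sap-com:document:sap:soap:functions:mc-style).
"""
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "urn": "urn:sap-com:document:sap:soap:functions:mc-style",
}


def _missing(value):
    # IIQ serialises an unset plan attribute as the literal string "null";
    # an empty element (<Connector></Connector>) is treated the same way.
    return value is None or value.strip() in ("", "null")


def check_grc_request(xml_text):
    """Return {'init_system', 'sys_items', 'findings'} for one request payload."""
    root = ET.fromstring(xml_text)
    req = root.find("soapenv:Body/urn:GracIdmUsrAccsReqServices", NS)
    if req is None:
        return {"init_system": None, "sys_items": [],
                "findings": ["no GracIdmUsrAccsReqServices element in the SOAP body"]}

    findings = []
    init_system = req.findtext("RequestHeaderData/ReqInitSystem")
    if _missing(init_system):
        init_system = None
        findings.append("ReqInitSystem is null: the account's 'System' attribute was not set in the plan")

    sys_items = []
    for item in req.findall("RequestedLineItem/item"):
        if item.findtext("ProvItemType") != "SYS":
            continue  # ROL items carry the role; only SYS items create an account
        name = item.findtext("ItemName")
        if _missing(name):
            findings.append("SYS line item (ProvAction %s) has a null ItemName: "
                            "account creation has no target system" % item.findtext("ProvAction"))
        else:
            sys_items.append(name)

    # The post's reading: the same 'System' value feeds both fields, so they should agree.
    if init_system is not None and sys_items and init_system not in sys_items:
        findings.append("ReqInitSystem %r does not match SYS item(s) %r" % (init_system, sys_items))

    return {"init_system": init_system, "sys_items": sys_items, "findings": findings}


def build_request(init_system, sys_item):
    """Constructed sample payload modelled on the one in the post (not a real log extract)."""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}" xmlns:urn="{NS['urn']}">
  <soapenv:Body>
    <urn:GracIdmUsrAccsReqServices>
      <RequestHeaderData>
        <Reqtype>001</Reqtype>
        <Priority>006</Priority>
        <ReqInitSystem>{init_system}</ReqInitSystem>
        <Requestorid>REQ001</Requestorid>
        <RequestReason>Create user request from identityIQ</RequestReason>
        <Bproc>basis</Bproc>
      </RequestHeaderData>
      <RequestedLineItem>
        <item>
          <ItemName>{sys_item}</ItemName>
          <Connector>{sys_item}</Connector>
          <ProvItemType>SYS</ProvItemType>
          <ValidFrom>20220414</ValidFrom>
          <ValidTo>99991231</ValidTo>
          <ProvAction>001</ProvAction>
        </item>
        <item>
          <ItemName>TEST - UT - DISPLAY</ItemName>
          <Connector></Connector>
          <ProvItemType>ROL</ProvItemType>
          <ValidFrom>20220414</ValidFrom>
          <ValidTo>99991231</ValidTo>
          <ProvAction>006</ProvAction>
          <RoleType>BUS</RoleType>
        </item>
      </RequestedLineItem>
    </urn:GracIdmUsrAccsReqServices>
  </soapenv:Body>
</soapenv:Envelope>"""


# As in the post: 'System' unset, so IIQ wrote "null" in both places.
BROKEN = build_request("null", "null")
# Hypothetical corrected payload; "ECC_CLNT100" is an assumed connector name.
FIXED = build_request("ECC_CLNT100", "ECC_CLNT100")
# Hypothetical: header points at one system, SYS item at another.
MISMATCHED = build_request("GRC_CLNT100", "ECC_CLNT100")

if __name__ == "__main__":
    for label, payload in (("broken", BROKEN), ("fixed", FIXED), ("mismatched", MISMATCHED)):
        print(label, check_grc_request(payload))
```

Run it against an envelope copied out of the IIQ log before raising the request with SAP: an empty `findings` list means both places carry a system name and they agree; anything else points at the create provisioning policy or the attribute's aggregation source.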