Integration For SAP GRC Access Control Installation And . - IBM


IBM Security Identity Manager
Version 6.0

Integration for SAP Governance, Risk and Compliance Access Control
Installation and Configuration Guide

SC27-4414-00


Note
Before using this information and the product it supports, read the information in Appendix C, “Notices,” on page 63.

Edition notice
Note: This edition applies to version 6.0 of IBM Security Identity Manager (product number 5724-C34) and to all subsequent releases and modifications until otherwise indicated in new editions.

Copyright IBM Corporation 2012.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Preface

About this book

This installation guide provides the basic information that you need to install and configure the IBM Security Identity Manager Integration for SAP Governance, Risk and Compliance Access Control. SAP Governance, Risk and Compliance Access Control is also called SAP GRC Access Control.

IBM Security Identity Manager was previously known as Tivoli Identity Manager.

This integration enables compliant user provisioning and risk analysis between IBM Security Identity Manager and the SAP NetWeaver Application Server ABAP by using SAP GRC Access Control.

Access to publications and terminology

This section provides:
- A list of publications in the “IBM Security Identity Manager library.”
- Links to “Online publications.”
- A link to the “IBM Terminology website.”

IBM Security Identity Manager library

For a complete listing of the IBM Security Identity Manager and IBM Security Identity Manager Adapter documentation, see the IBM Security Identity Manager Information Center.

Online publications

IBM posts product publications when the product is released and when the publications are updated at the following locations:

IBM Security Identity Manager Information Center
The v2r1/index.jsp?topic /com.ibm.isim.doc 6.0/ic-homepage.htm site displays the information center welcome page for this product.

IBM Security Information Center
The v2r1/index.jsp site displays an alphabetical list of and general information about all IBM Security product documentation.

IBM Publications Center
The ons/servlet/pbi.wss site offers customized search functions to help you find all the IBM publications you need.

IBM Terminology website

The IBM Terminology website consolidates terminology for product libraries in one location. You can access the Terminology website at ogy.

Accessibility

Accessibility features help users with a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You can also use the keyboard instead of the mouse to operate all features of the graphical user interface.

Technical training

For technical training information, see the following IBM Education website

Support information

IBM Support provides assistance with code-related problems and routine, short duration installation or usage questions. You can directly access the IBM Software Support site at

Appendix A, “Support information,” on page 57 provides details about:
- What information to collect before contacting IBM Support.
- The various methods for contacting IBM Support.
- How to use IBM Support Assistant.
- Instructions and problem-determination resources to isolate and fix the problem yourself.

Note: The Community and Support tab on the product information center can provide additional support resources.

Contents

Preface
- About this book
- Access to publications and terminology
- Accessibility
- Technical training
- Support information

Figures

Tables

Chapter 1. Integration for SAP GRC Access Control Installation and Configuration Guide
- Overview of the integration
- Architecture of the integration
- Supported configurations

Chapter 2. Planning to install the integration
- Preinstallation roadmap
- Installation roadmap
- Prerequisites
- Installation worksheet for the integration
- Downloading the software

Chapter 3. Installing the integration
- Importing the SAP NetWeaver GRC profile into the IBM Security Identity Manager Server
- Creating an SAP NetWeaver GRC service
- Adapter attributes and object classes

Chapter 4. Installing and configuring SAP GRC Access Control workflow extensions
- Installing SAP GRC Access Control 5.3 workflow extensions
- Configuring SAP GRC Access Control 5.3 workflow extensions
- Installing and configuring the notification component for SAP GRC Access Control 5.3
- Installing SAP GRC Access Control 10.0 workflow extensions
- Configuring SAP GRC Access Control 10.0 workflow extensions
  - Configuring Access Request workflow extension
  - Configuring Risk Analysis workflow extension
  - Configuring Update Account Attributes workflow extension
- Installing and configuring the notification component for SAP GRC Access Control 10.0
- Log file locations for workflow extensions
- Configuring workflow extensions to concurrently support SAP GRC Access Control 5.3, SAP GRC Access Control 10.0, and SAP NetWeaver
- Verifying the SAP GRC AC Workflow components installation
- Configuring reconciliation for the SAP NetWeaver adapter with SAP GRC Access Control integration

Chapter 5. Upgrading the integration
- Upgrade to support SAP GRC Access Control 10.0
  - Importing the profile
  - Creating an SAP NetWeaver GRC service
  - Installing the SAP GRC Access Control 10.0 workflow extensions
  - Configuring the SAP GRC Access Control 10.0 workflow extension
- Upgrade to support SAP GRC Access Control 5.3 support
  - Import the profile
  - Creating a SAP NetWeaver GRC service
  - Installing SAP GRC Access Control 5.3 workflow extension
  - Configuring SAP GRC Access Control 5.3 workflow extension
  - Installing and configuring SAP GRC Access Control 5.3 notification component

Chapter 6. Uninstalling the Integration for SAP GRC Access Control

Chapter 7. Runtime Problems

Appendix A. Support information
- Searching knowledge bases
- Obtaining a product fix
- Contacting IBM Support

Appendix B. Accessibility features for IBM Security Identity Manager

Appendix C. Notices

Index


Figures

1. IBM Security Identity Manager SAP NetWeaver Adapter with Integration for SAP GRC Access Control components and relationships


Tables

1. Preinstallation roadmap
2. Installation roadmap
3. Prerequisites to install the integration
4. Required information to install the integration
5. Supported SAP GRC AC service attributes
6. Supported SAP GRC/NetWeaver account attributes
7. Attributes with required data in SAP GRC AC 10.0
8. SAP GRC Access Control 5.3 Workflow Extension Options
9. SAP GRC Access Control 10.0 Workflow Extension Options
10. Input parameters
11. Relevant data
12. SAP GRC Access Control Workflow and Notification components


Chapter 1. Integration for SAP GRC Access Control Installation and Configuration Guide

This installation guide provides the basic information that you need to install and configure the IBM Security Identity Manager Integration for SAP GRC Access Control. The Integration for SAP GRC Access Control enables connectivity between the IBM Security Identity Manager server and SAP GRC Access Control.

Overview of the integration

The Integration for SAP GRC Access Control extends the IBM Security Identity Manager SAP NetWeaver Adapter.

In addition to the provisioning capabilities of the SAP NetWeaver Adapter, this integration sends access requests to SAP GRC Access Control for Separation of Duties (SoD) checks. The SAP GRC Access Control result allows a decision to be made on whether to provision the account. The provisioning step can be performed by either the SAP NetWeaver Adapter or by SAP GRC Access Control.

The integration contains components that enable IBM Security Identity Manager to integrate with SAP GRC Access Control 5.3, 10.0, or both.

This integration can also invoke the SAP GRC Access Control Risk Analysis web service on role assignments during an access request. It also enables rejected accounts and role assignments to be removed from the access request that was sent to the SAP NetWeaver Adapter.

Architecture of the integration

The integration uses two profiles. The first profile contains SAP NetWeaver Adapter account and service attributes only. This profile does not enable a connection with SAP GRC Access Control. The second profile contains an extended set of account and service attributes necessary to enable interaction between SAP GRC Access Control (version 5.3 or 10.0) and SAP NetWeaver.

This interaction enables IBM Security Identity Manager to coordinate the account compliance checking process in SAP GRC Access Control with the SAP NetWeaver account provisioning process. This profile effectively enables a single account provisioning request to perform two tasks:

1. Submission of an access request to SAP GRC Access Control from IBM Security Identity Manager.
2. Submission of an account provisioning request to SAP NetWeaver from IBM Security Identity Manager, depending on whether an approval or rejection is granted for the IBM Security Identity Manager request.

The relationships between components of the adapter are shown in Figure 1 on page 2.

[Figure 1 component labels: IBM Security Identity Manager Workflow Extensions; SAP NetWeaver SAP GRC AC Profile; IBM Security Identity Manager SAP GRC AC Components; SAP GRC AC WSDL Wrappers; Notification Service; SAP NetWeaver Profile; SAP NetWeaver TDI Adapter]

Figure 1. IBM Security Identity Manager SAP NetWeaver Adapter with Integration for SAP GRC Access Control components and relationships

A high level of control is obtained over the provisioning process by configuring IBM Security Identity Manager workflow extensions for SAP GRC Access Control. The IBM Security Identity Manager workflow extensions allow Add, Modify, Suspend, Restore, and Delete requests to be sent to SAP GRC Access Control. SoD compliance checks are then performed in SAP GRC Access Control before provisioning the account in SAP NetWeaver. The risk analysis and remediation features of SAP GRC Access Control Compliant Provisioning can be used to:
- Modify the request
- Submit an approval
- Submit a rejection
- Cancel the request

In IBM Security Identity Manager workflow, there are two possible modes to configure each type of request. These modes are referred to as Non-blocking mode and Blocking mode.

In Non-blocking mode, SAP GRC Access Control takes control of account provisioning on the target system. Following submission of an access request to SAP GRC Access Control, IBM Security Identity Manager workflow continues execution and does not wait for the result of the request in SAP GRC Access Control. This mode passes the responsibility of provisioning the account in SAP NetWeaver to SAP GRC Access Control.

In Blocking mode, IBM Security Identity Manager workflow blocks (waits or pauses) following submission of an access request to SAP GRC Access Control. The workflow continues to block until the result of the request is received from SAP GRC Access Control. A dedicated Notification Service deployed in WebSphere is responsible for:
- Periodically querying SAP GRC Access Control
- Relaying results of completed requests to IBM Security Identity Manager
- Unblocking the relevant IBM Security Identity Manager workflows

The IBM Security Identity Manager workflow becomes the central point of coordination and auditing for account provisioning. IBM Security Identity Manager determines whether an account is provisioned in SAP NetWeaver, depending on pre-conditions such as whether the request was approved or rejected in SAP GRC Access Control.

Supported configurations

The integration requires the interaction of several components.

The fundamental components of the integration are:
- An IBM Security Identity Manager Server
- A Tivoli Directory Integrator server
- An IBM Security Identity Manager SAP NetWeaver Adapter
- The Integration for SAP GRC Access Control 5.3 or 10.0


Chapter 2. Planning to install the integration

Installing and configuring the integration involves several steps that must be completed in the appropriate sequence.

Review the pre-installation and installation roadmaps before beginning the installation process.

Preinstallation roadmap

The environment must be prepared following these steps before the integration can be installed.

Table 1. Preinstallation roadmap

| What to do | Where to find more information |
| --- | --- |
| Verify that the software and hardware requirements for the integration that you want to install have been met. | See “Prerequisites.” |
| Collect the necessary information for the installation and configuration. | See “Installation worksheet for the integration” on page 6. |
| Obtain the installation software. | Download the software from Passport Advantage. See “Downloading the software” on page 7. |

Installation roadmap

The necessary steps here must be completed to install the integration, including completing post-installation configuration tasks and verifying the installation.

Table 2. Installation roadmap

| What to do | Where to find more information |
| --- | --- |
| Install the integration. | See Chapter 3, “Installing the integration,” on page 9. |
| Import the SAP NW GRC profile. | See “Importing the SAP NetWeaver GRC profile into the IBM Security Identity Manager Server” on page 9. |
| Create a service. | See “Creating an SAP NetWeaver GRC service” on page 9. |
| Verify the installation. | See “Verifying the SAP GRC AC Workflow components installation” on page 47. |
| Configure the SAP GRC workflow extensions for the integration. | See Chapter 4, “Installing and configuring SAP GRC Access Control workflow extensions,” on page 19. |

Prerequisites

Verify that all of the prerequisites are met before installing the Integration for SAP GRC Access Control.

Table 3 identifies hardware, software, and authorization prerequisites to install the Integration for SAP GRC Access Control.

Table 3. Prerequisites to install the integration

| Prerequisite | Description |
| --- | --- |
| Operating System | The Integration for SAP GRC Access Control can be used on any operating system that is supported by IBM Security Identity Manager. |
| Network Connectivity | TCP/IP network |
| System Administrator Authority | The person who completes the Integration for SAP GRC Access Control installation procedure must have system administrator authority. |
| Tivoli Directory Integrator server | See the IBM Security Identity Manager SAP NetWeaver adapter release notes for the supported versions. |
| IBM Security Identity Manager | Version 6.0 |
| IBM Security Identity Manager Adapter (also known as the Dispatcher) | See the IBM Security Identity Manager SAP NetWeaver adapter release notes for the supported versions. |
| IBM WebSphere Application Server* | WebSphere Application Server 7.0 FixPack 19 (7.0.0.19) |
| SAP NetWeaver AS ABAP with SAP Basis Component | See the IBM Security Identity Manager SAP NetWeaver adapter release notes for the supported versions. |
| SAP JCo | 3.0.8 |
| SAP GRC Access Control | 5.3, 10.0 FP08 |

*The minimum WebSphere Application Server FixPacks listed are required to satisfy web service dependencies that the integration has in WebSphere.

Installation worksheet for the integration

The following table identifies the information you need to install the Integration for SAP GRC Access Control.

Table 4. Required information to install the integration

| Required information | Description |
| --- | --- |
| Administrator account on the managed resource for SAP GRC Access Control 5.3 | An administrator account on the managed resource that has the necessary administrative privileges for SAP GRC. The administrator account must have the following assigned role in UME: AEADMIN |
| Administrator account on the managed resource for SAP GRC Access Control 10.0 | An administrator account on the managed resource that has the necessary administrative privileges for SAP GRC 10.0. The administrator account must have at least the following assigned roles: SAP_GRC_NWBC; SAP_GRAC_*. See the GRC 10.0 Post-installation and Security guides for further information. |
| SAP GRC 10.0 Web Service Endpoint creation | Endpoint bindings must be created in the transaction SOAMANAGER under Service Administration – Single Service Configuration - Configurations, for at least the following SAP GRC 10.0 web services: GRAC_AUDIT_LOGS_WS; GRAC_LOOKUP_WS; GRAC_REQUEST_DETAILS_WS; GRAC_REQUEST_STATUS_WS; GRAC_RISK_ANALYSIS_WITH_NO_WS; GRAC_USER_ACCES_WS. After the endpoint binding has been created, the "Calculated Access URL" for the web service is found under the "Transport Settings" tab. This URL is defined on the service form. The service form in the SAP GRC Access Control integration and SAPNotify.props make use of these URLs to locate the relevant SAP GRC Access Control 10.0 web service. |

Downloading the software

Download the software from your account at the IBM Passport Advantage website.

Go to IBM Passport Advantage.

See the IBM Security Identity Manager Download Document for instructions.


Chapter 3. Installing the integration

The following sections contain the information that you need to install and configure the Integration for SAP GRC Access Control.

Importing the SAP NetWeaver GRC profile into the IBM Security Identity Manager Server

An IBM Security Identity Manager integration profile defines the types of resources that the IBM Security Identity Manager Server can manage.

In this case, the profile SapGRCNWProfile.jar is used to create a SAP GRC Access Control service on the IBM Security Identity Manager server. The SapGRCNWProfile.jar profile must be imported into the IBM Security Identity Manager server.

Before importing the SapGRCNWProfile.jar profile, verify that the following conditions are met:
- The IBM Security Identity Manager Server is installed and running.
- You have root or Administrator authority on the IBM Security Identity Manager Server.

1. Log in to the IBM Security Identity Manager server by using an account that has the authority to perform administrative tasks.
2. Import the integration profile by using the import feature for your IBM Security Identity Manager product. See the information center or the online help for specific instructions about importing the integration profile.
3. Restart the Dispatcher service.

If an error related to the schema is received when the integration profile is imported, go to the trace.log file for information about the error. The trace.log file location is specified by the handler.file.fileDir property defined in the IBM Security Identity Manager enRoleLogging.properties file. The enRoleLogging.properties file is installed in the ITIM_HOME/data directory.

Creating an SAP NetWeaver GRC service

You must define attributes on the SAP GRC Service Attributes tab when you create an SAP NetWeaver GRC service.

If the SapGRCNWProfile.jar profile was imported, then an additional SAP GRC Service Attributes tab is displayed that contains the set of the following attributes.

Enable GRC Workflow Extensions
Optional attribute. Flag to indicate whether workflow extensions are configured for either SAP GRC Access Control 5.3 or 10.0. The value of this flag is only used by the "Check GRC Version" workflow extension. It has no effect otherwise.

GRC Version
Optional attribute. The version of SAP GRC Access Control the service is configured against. This attribute can be used in the workflow to determine the path to take if these conditions exist:

- A combination of different SAP GRC Access Control versions exists in the environment.
- The environment is supported by a single IBM Security Identity Manager server instance.

The value of this flag is only used by the "Check GRC Version" workflow extension. It has no effect otherwise.

GRC Admin Id
The SAP GRC Access Control user name with privileges to invoke SAP GRC web services and submit Access Control requests. A value is required if the authentication and security services are enabled on the SAP NetWeaver Application server on which Access Control is deployed.

GRC Password
Password of the SAP GRC Access Control Admin ID.

Access Control Request URL
The URL address of the Access Control Submit Request web service. The format is http://remotehost:port/web-service-name where:
- The remotehost is the SAP GRC Access Control host.
- The port is the port number on which SAP NetWeaver application server listens.
- The web-service-name is the web service exposed by SAP GRC Access Control that receives requests from IBM Security Identity Manager.

For example, the URL for SAP GRC 5.3 might be specified as http://remotehost:port/SAPGRC_AC_IDM_SUBMITREQUEST/Config1?style=document

The URL for SAP GRC 10.0 might be specified as http://remotehost:port/sap/bc/srt/rfc/sap/grac_user_acces_ws/clientnumber/grac_user_acces_ws/binding?sap-client=clientnumber

Access Control Look Up URL
The URL address of the Access Control Look Up Request web service. The format is http://remotehost:port/web-service-name where:
- The remotehost is the SAP GRC Access Control host.
- The port is the port number on which SAP NetWeaver ABAP application server listens.
- The web-service-name is the web service exposed by SAP GRC Access Control that receives requests from IBM Security Identity Manager.

For example, the URL for SAP GRC Access Control 10.0 might be specified as http://remotehost:port/sap/bc/srt/rfc/sap/grac_lookup_ws/clientnumber/grac_lookup_ws/binding?sap-client=clientnumber

Access Control Risk Analysis URL
The URL address of the Access Control Risk Analysis Request with Request ID web service. The format is http://remotehost:port/web-service-name where:
- The remotehost is the SAP GRC Access Control host.
- The port is the port number on which SAP NetWeaver ABAP application server listens.
- The web-service-name is the web service exposed by SAP GRC Access Control that receives requests from IBM Security Identity Manager.

For example, the URL for SAP GRC Access Control 10.0 might be specified as http://remotehost:port/sap/bc/srt/rfc/sap/grac_risk_analysis_with_no_ws/clientnumber/grac_risk_analysis_with_no_ws/binding?sap-client=clientnumber

Access Control Request Details URL
The attribute for Update Account Attribute Request. The URL address of the Access Control Request Details web service. The format is http://remotehost:port/web-service-name where:
- The remotehost is the SAP GRC Access Control host.
- The port is the port number on which SAP NetWeaver ABAP application server listens.
- The web-service-name is the web service exposed by SAP GRC Access Control that receives requests from IBM Security Identity Manager.

For example, the URL for SAP GRC Access Control 10.0 might be specified as http://remotehost:port/sap/bc/srt/rfc/sap/grac_request_details_ws/clientnumber/grac_request_details_ws/binding?sap-client=clientnumber

System Identifier
The system identifier is the SAP connector name defined in Access Control to enable provisioning directly to the target SAP ABAP server from SAP GRC Access Control. This system identifier is also supplied to SAP GRC Access Control on a request submission in the account role data.

Detail Logging
Optional attribute. Flag to enable SAP GRC request debugging trace output. For SAP GRC Access Control 5.3, this option writes a log file called grcextension.log to the location specified by the Java system property user.home. For SAP GRC Access Control 10.0, this option enables the IBM Security Identity Manager trace log file for the workflow extension component.

Note: The IBM Security Identity Manager logging level must be set to DEBUG_MIN.

Adapter attributes and object classes

After the GRC profile is installed, the integration supports a standard set of attributes that contains attributes from the NetWeaver adapter in addition to attributes required for SAP GRC Access Control.

The following table lists the standard attributes supported for SAP GRC Access Control, in addition to the SAP NetWeaver attributes that are listed in the Adapter for SAP NetWeaver Installation and Configuration Guide.

The following table shows the SAP GRC Access Control attributes used by requests sent to the SAP GRC Access Control 5.3 or 10.0. The set of attributes between SAP GRC Access Control versions is different as indicated in Table 3.

The list of SAP GRC Access Control service form attributes can be found in Table 5 on page 12.
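The SAP GRC Access Control 10.0 URL formats described under "Creating an SAP NetWeaver GRC service" can be checked before they are entered on the service form. The following Python lint is an added example, not part of the IBM guide or of the integration; the attribute-to-web-service mapping is taken from the guide's example URLs, while the host grc.example.test, port 8443, client 100 and the three-digit client check are assumptions made for the sample.

```python
from urllib.parse import parse_qs, urlsplit

# Service-form attribute -> web service used in the guide's example URL for it.
EXPECTED_SERVICE = {
    "ersapgrcsubmitrequesturl": "grac_user_acces_ws",
    "ersapgrclookupurl": "grac_lookup_ws",
    "ersapgrcriskanalysisurl": "grac_risk_analysis_with_no_ws",
    "ersapgrcrequestdetailsurl": "grac_request_details_ws",
}
PATH_PREFIX = ["sap", "bc", "srt", "rfc", "sap"]


def lint_endpoint(attribute, url):
    """Return findings for one URL; an empty list means it matches the documented shape."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ["not an http(s) URL"]
    findings = []
    if parts.scheme == "http":
        findings.append("cleartext http: requests to this endpoint are not protected by TLS")
    if parts.username or parts.password:
        findings.append("credentials embedded in URL; use the GRC Admin Id and GRC Password fields")
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if not parts.hostname or port is None:
        findings.append("remotehost and an explicit port are both required")
    # Documented shape: /sap/bc/srt/rfc/sap/<ws>/<client>/<ws>/<binding>
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) != 9 or [s.lower() for s in segments[:5]] != PATH_PREFIX:
        findings.append("path does not follow /sap/bc/srt/rfc/sap/<ws>/<client>/<ws>/<binding>")
        return findings
    first, client, second = segments[5].lower(), segments[6], segments[7].lower()
    expected = EXPECTED_SERVICE[attribute]
    if first != expected or second != expected:
        # Typical paste error: a URL for another web service in this field.
        findings.append(f"web service is {first}/{second}, expected {expected}")
    if not (client.isdigit() and len(client) == 3):  # assumption: three-digit SAP client
        findings.append(f"client number {client!r} is not three digits")
    if parse_qs(parts.query).get("sap-client") != [client]:
        findings.append(f"sap-client query parameter does not match client {client} in the path")
    return findings


def lint_service_form(form):
    """Lint every known URL attribute on a service form and cross-check the hosts."""
    report = {a: lint_endpoint(a, u) for a, u in form.items() if a in EXPECTED_SERVICE}
    hosts = {urlsplit(form[a].strip()).netloc.lower() for a in report}
    if len(hosts) > 1:
        report["_form"] = [f"endpoints point at different hosts: {sorted(hosts)}"]
    return report


# Constructed sample values (not taken from any real system).
BASE = "https://grc.example.test:8443/sap/bc/srt/rfc/sap/"
SAMPLE_FORM = {
    "ersapgrcsubmitrequesturl":
        BASE + "grac_user_acces_ws/100/grac_user_acces_ws/binding?sap-client=100",
    "ersapgrclookupurl":
        "http://grc.example.test:8443/sap/bc/srt/rfc/sap/"
        "grac_lookup_ws/100/grac_lookup_ws/binding?sap-client=100",
    # Look Up URL pasted into the Risk Analysis field.
    "ersapgrcriskanalysisurl":
        BASE + "grac_lookup_ws/100/grac_lookup_ws/binding?sap-client=100",
    # Client in the path differs from the sap-client parameter.
    "ersapgrcrequestdetailsurl":
        BASE + "grac_request_details_ws/100/grac_request_details_ws/binding?sap-client=200",
}

if __name__ == "__main__":
    for attr, problems in lint_service_form(SAMPLE_FORM).items():
        print(attr, "OK" if not problems else problems)
```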

Table 5. Supported SAP GRC AC service attributes

| IBM Security Identity Manager Name | Attribute Name | Description | Data Type | Required for SAP GRC Access Control 5.3 Request | Required for SAP GRC Access Control 10.0 Request |
| --- | --- | --- | --- | --- | --- |
| | | Enable attribute. Indicates whether SAP GRC Access Control workflow extensions have been configured | | Yes | Yes |
| GRC Version | ersapgrcversion | Optional attribute. The version of SAP GRC Access Control the service has been configured against. Used when a combination of different versions of SAP GRC Access Control needs to be supported in a single server instance. | String | Yes | Yes |
| GRC Admin Id | ersapgrcsubmitrequestuid | User ID of the SAP GRC Access Control Administrator | String | Yes | Yes |
| GRC Password | ersapgrcabappwd | Password of the SAP GRC | | | |
| System Identifier | ersapgrcsystemid | System identifier | String | Yes | Yes |
| Access Control Request URL | ersapgrcsubmitrequesturl | The URL address of the Access Control Submit Request web service | String | Yes | Yes |
| Access Control Look Up URL | ersapgrclookupurl | The URL address of the Access Control Look Up Request web service | String | No | Yes |
| Access Control Risk Analysis URL | ersapgrcriskanalysisurl | The URL address of the Access Control Risk Analysis Request web service | String | No | Yes, if using Risk Analysis workflow extension |
| Access Control Request Detail URL | ersapgrcrequestdetailsurl | The URL address of the Request Detail web service | String | No | Yes, […] |
| Detail Logging | ersapgrcdebug | Flag to enable GRC request debugging trace output | String | No | No |

Note: A GRC request contains values of several attributes that are supplied from the SAP NetWeaver account form tabs such as Given name, Surname, Email address, and Role. The list of SAP GRC and NetWeaver account form attribute values that are forwarded onto a GRC request are found in Table 6.

Table 6. Supported SAP GRC/NetWeaver account attributes

| IBM Security Identity Manager Name | Attribute Name | Description | Data Type | Required for GRC 5.3 Request | Required for GRC 10.0 Request |
| --- | --- | --- | --- | --- | --- |
| Priority | ersapgrcpriority | Request Priority. The value must match the identifier of a configured AC priority. | String | Yes | Yes |
| Location | ersapgrclocation | The work location of the user to be provisioned. | String | No | No |
| Employee Type | ersapgrcemployeetype | Type of employee. This attribute value must match configuration in AC. | String | No | No |
| Requestor ID | ersapgrcrequesteruid | User name of the requester. | String | Yes | If Requestor ID is not defined, SAP GRC Access Control 10.0 will default it to the SAP GRC Access Control Admin ID defined on the service form as the requestor. |
| Requestor First Name | ersapgrcrequesterfirstname | Given name of the requester. | String | Yes | No |
| Requestor Last Name | ersapgrcrequesterlastname | Surname of | | | |
| | …esteremail | The email address of | | | |
| | …crequestertelephone | Telephone number of the requester. | String | No | No |
| Manager ID | ersapgrcmanageruid | User name of the employee's manager. This attribute value must match the user ID of a user in the | | | |
