This document provides instructions for creating different types of connectors in SAP GRC Access Control 10.0 including SAP, web service, LDAP, SPML, and file connectors. It describes the steps to define the connectors, connection types, connector groups, and scenario-connector links. It also outlines maintaining connection settings, mappings for actions and groups, and connector attributes. The document contains 11 chapters detailing each connector type's setup and how to link connectors to scenarios for integration and data exchange.
This document provides instructions for creating different types of connectors in SAP GRC Access Control 10.0 including SAP, web service, LDAP, SPML, and file connectors. It describes the steps to define the connectors, connection types, connector groups, and scenario-connector links. It also outlines maintaining connection settings, mappings for actions and groups, and connector attributes. The document contains 11 chapters detailing each connector type's setup and how to link connectors to scenarios for integration and data exchange.
This document provides instructions for creating different types of connectors in SAP GRC Access Control 10.0 including SAP, web service, LDAP, SPML, and file connectors. It describes the steps to define the connectors, connection types, connector groups, and scenario-connector links. It also outlines maintaining connection settings, mappings for actions and groups, and connector attributes. The document contains 11 chapters detailing each connector type's setup and how to link connectors to scenarios for integration and data exchange.
Document History Document Version Description 1.10 << Summary of changes in this version >> 1.00 First official release of this guide
DOCUMENT SPECI FI CATI ON CHANGE HI STORY: (Provide the change history for this document. If revision is due to a software change, include the Release or SP number that authorized the change.) VERSION DATE DESCRIPTION OF CHANGE AUTHOR SI GN OFF BY
3
CONTENTS Introduction Document History ................................................................................................................................................................... 2 Chapter 1 Example Connector Flow Concept ................................................................................................................. 5 Chapter 2 Creating SAP Connector ................................................................................................................................ 6 Chapter 3 Creating Webservice Connector .................................................................................................................... 8 Chapter 4 Creating LDAP Connector .............................................................................................................................. 9 Chapter 5 Creating SPML Connector ........................................................................................................................... 11 Chapter 6 Creating FILE Connector .............................................................................................................................. 12 File Connector Setup ............................................................................................................................................................. 12 Chapter 7 Create Connectors ....................................................................................................................................... 14 Chapter 8 Maintain Connectors and Connection Types .............................................................................................. 14 8.1 Connection type definition ...................................................................................................................................... 14 8.2 Define Connectors ................................................................................................................................................... 15 8.2.1 Define SAP Connector from section Error! Reference source not found. ............................................................... 15 8.2.2 Define Subsequent Connectors ............................................................................................................................... 15 8.3 Define Connector Groups ........................................................................................................................................ 15 8.3.1 Assign Connector Groups to Group types ................................................................................................................ 16 8.3.2 Assign Connectors to Connector Groups ................................................................................................................. 16 Chapter 9 Maintain Connection Settings ..................................................................................................................... 16 9.1 Subscenario definition ............................................................................................................................................. 17 9.2 Scenario-Connection type Link ................................................................................................................................ 17 9.2.1 Scenario Connector Link .......................................................................................................................................... 17 Chapter 10 Maintain Mapping for Actions and Connector Groups ............................................................................... 18 10.1 Maintain connector group status: ........................................................................................................................... 18 10.2 Assign default connector to connector group: ........................................................................................................ 18 10.2.1 Assign Group Field mapping: ................................................................................................................................... 18 10.2.2 Assign group parameter mapping: .......................................................................................................................... 19 Chapter 11 Maintain Connector Settings ...................................................................................................................... 19 11.1 Assign attributes to the connector .......................................................................................................................... 19 11.2 Subscenario definition ............................................................................................................................................. 21 11.3 Scenario-Connection type Link ................................................................................................................................ 21 4
11.3.1 Scenario Connector Link .......................................................................................................................................... 21
5
1 Example Connector Flow Concept
Cross System Group SAP SAP Oracle WS Microsoft LDAP FILE Logical Group: Systems that are logically Identical
Automatic Monitoring Authorization Management Provisioning Role Management SPM Integration Scenario Connectors Connector Groups Note: ERM Connector need to be defined to one and only one connector Group
Example By-passing Group Example Connections 6
2 Creating SAP Connector 1. Enter Transaction SPRO, and then click button. 2. Navigate to Governance, Risk, and Control > Common Component Settings > Integration Framework > Create Connectors. 3. Click on Create icon.
4. Enter the name for the RFC Destination 5. Enter Description for the connector. 6. Enter the Connection Type 3. 7. Save your entries. 8. Under the Technical Settings tab enter the target address. The IP is usually the same as the host name 9. Under the Logon & Security define the following fields Language EN Client Enter the Client number for the Target system User Enter User name for a user on target system Password Enter password for the user on target system Trust Relationship Click the appropriate radio button. See Note
If the Connection type is Trusted no user name and password are needed. If the Connection is un-trusted then, user must provide username and password for the connection .
10. Save your entries. 11. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types A . 12. Double-Click Define Connectors on the left side dialogue box. 13. Click on New Entries button 14. Enter the data for the following fields. Target Connector Select the RFC Connector created in section 2 from list Connection Type SAP Source Connector Not needed (See Note) Logical Port Not relevant Maximum number Not relevant 7
15. Save your work.
Source Connector is only needed if the information transfer will be bi-directional. Logical Port Only relevant for Webservice type connections. Maximum number used to define maximum number of background jobs. Relevant only with Automated framework. 16. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connection Settings A . 17. Select the Integration Scenario A . 18. Select the subscenario A . 19. Double-click on Scenario-Connector Link A
20. Click button. 21. Select or Enter the name of the target connector.
The connection type and connection type text are formulated based on the entries from section 1 for the connector.
8
3 Creating Webservice Connector 1. Enter the name for the RFC Destination 2. Enter Description for the connector. 3. Enter the Connection Type as G. 4. Under the Technical Settings tab enter the target address. Target Host IP or Host name of the target system Service No. Enter the target system service no. Path Prefix ????
Enter the Proxy Information if you need to go via a proxy for your landscape.
5. Under the Logon & Security define the following fields Logon Procedure Click the appropriate Radio button. User Enter User name for a user on target system Password Enter password for the user on target system Logon with Ticket Click the appropriate radio button. Security Options Enter appropriate information based on your connection
If Authentication is needed by the Target system enter the User and Password fields. 22. Save your entries. 23. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types A . 24. Double-Click Define Connectors on the left side dialogue box. 25. Click on New Entries 26. Enter the data for the following fields. Target Connector Select the RFC Connector created in section Error! Reference source not found. from list Connection Type WS Source Connector Not needed Logical Port Enter the Logical Port. Maximum number Not relevant 27. Save your work.
Source Connector is only needed if the information transfer will be bi-directional. Logical Port Only relevant for Webservice type connections. Maximum number used to define maximum number of background jobs. Relevant only with Automated framework. 28. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connection Settings A . 29. Select the Integration Scenario A . 30. Select the subscenario A . 31. Double-click on Scenario-Connector Link A
32. Click button. 33. Select or Enter the name of the target connector.
9
The connection type and connection type text are formulated based on the entries from section 1 for the connector. 4 Creating LDAP Connector 34. Enter Transaction SPRO, and then click button. 35. Navigate to Governance, Risk, and Control > Common Component Settings > Integration Framework > Create Connectors. 36. Click on Create icon.
37. Enter the name for the RFC Destination
RFC destination name must be specified in capital letters . 38. Enter Description 39. Enter the Connection Type as T. 40. Under the Technical Settings tab enter the following information. Application Type Click radio button Registered Server Program Program Same as RFC Destination name CPI-C Click radio button Default Gateway Value Gateway gateway with which the LDAP Connector is to register 41. Save your entries. 42. Under the Technical Settings tab enter the following information. Application Type Click radio button Registered Server Program Program Same as RFC Destination name CPI-C Click radio button Default Gateway Value Gateway gateway with which the LDAP Connector is to register 43. Save your entries. 44. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types A . 45. Double-Click Define Connectors on the left side dialogue box. 46. Click on New Entries button 47. Enter the data for the following fields. Target Connector Select the RFC Connector created in section 2 from list Connection Type SAP Source Connector Not needed (See Note) 10
Logical Port Not relevant Maximum number Not relevant 48. Save your work.
Source Connector is only needed if the information transfer will be bi-directional. Logical Port Only relevant for Webservice type connections. Maximum number used to define maximum number of background jobs. Relevant only with Automated framework. 49. Enter transaction LDAP. 50. Click on button. 51. Click on icon to switch to change mode, then click New Entries. 52. Enter the following data for the LDAP Connector: Connector Name Same as the RFC Destination defined for the LDAP connector above. Application Server Name of the application server on which the LDAP Connector is to be started. Status Connector is Active Trace Level Trace OFF 53. Save your entries. Click to start the connector. 54. Configure the LDAP Server using the following values: Server name Server Name Host name Host Name Port Number Port number Trace Level Trace OFF 55. Enter transaction LDAPMAP. 56. Click on icon to switch to change mode, then press F6 to get default mapping. 57. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connection Settings A . 58. Select the Integration Scenario A . 59. Select the subscenario A . 60. Double-click on Scenario-Connector Link A
61. Click button. 62. Select or Enter the name of the target connector.
The connection type and connection type text are formulated based on the entries from section 1 for the connector.
11
5 Creating SPML Connector 63. Enter Transaction SPRO, and then click button. 64. Navigate to Governance, Risk, and Control > Common Component Settings > Integration Framework > Create Connectors. 65. Click on Create icon.
66. Enter the name for the RFC Destination 67. Enter Description for the connector. 68. Enter the Connection Type G. 69. Under the Technical Settings tab enter: Target Host IP or Host name of the target system Path Prefix Enter the path to call the HTTP request handler 70. Under the Logon & Security tab if applicable enter the user name and password for the target system. 71. Save your work. 72. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types A . 73. Double-Click Define Connectors on the left side dialogue box. 74. Double-Click Define Connectors on the left side dialogue box. 75. Click on New Entries 76. Enter the data for the following fields. Target Connector Select the RFC Connector created in section Error! Reference source not found. from list Connection Type SPML1 Source Connector Not needed (See Note) Logical Port Not relevant Maximum number Not relevant 77. Save your work. 78. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connection Settings A . 79. Select the Integration Scenario A . 80. Select the subscenario A . 81. Double-click on Scenario-Connector Link A
82. Click button. 83. Select or Enter the name of the target connector.
The connection type and connection type text are formulated based on the entries from section 1 for the connector. 12
6 Creating FILE Connector 84. Enter Transaction SPRO, and then click button. 85. Navigate to Governance, Risk, and Control > Common Component Settings > Integration Framework > Create Connectors. 86. Click on Create icon.
1. Enter the name for the RFC Destination 2. Enter Description for the connector. 3. Enter the Connection Type L. 4. Save your work. 6.1 File Connector Setup 1. Enter transaction FILE. ??????????????????????????????????????????????????????????????
87. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types A . 88. Double-Click Define Connectors on the left side dialogue box. 89. Click on New Entries 90. Enter the data for the following fields. Target Connector Select the RFC Connector created in section Error! Reference source not found. from list Connection Type FILE Source Connector Not needed (See Note) Logical Port Not relevant Maximum number Not relevant 91. Save your work. 92. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connection Settings A . 93. Select the Integration Scenario A . 94. Select the subscenario A . 95. Double-click on Scenario-Connector Link A
96. Click button. 97. Select or Enter the name of the target connector.
13
The connection type and connection type text are formulated based on the entries from section 1 for the connector. 98. Select the Target Connector 99. Double-click Maintain file paths for logical connector. 100. Enter values for the following field: File Path Enter the logical file path File ID Enter the file ID File Type Enter the file type File Sep. Enter the file separator
14
7 Create Connectors To Create a connector: 101. Enter Transaction SPRO, and then click button. 102. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Create Connectors. 103. Click on Create icon.
7-1 8 Maintain Connectors and Connection Types Used the maintain Connection types and connection groups. To maintain connectors: 1. Enter Transaction SPRO 2. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connectors and Connection Types. 8.1 Connection type definition Under this tab user can define what the connection type is and a short text for a description of the connection type. 1. To Create a new entry click the button. 2. To edit an existing entry select the entry by clicking the button to the left of it, then click to enter change mode. 3. Enter the appropriate information in the Connection Type column and Connection Type Text column, save your work. The Following is the list of Connection Types provided by SAP: BUSINESS Business Role Type EP Enterprise Portal EVTSOURC Event Source FILE File system for legacy extraction GRCRM GRC Risk Management LDAP Ldap Connectors LOCAL Local Data Source SAP SAP system WS Webservice
15
8.2 Define Connectors This allows you to define a connection type, Source Connector, Logical Port, and Max No. of BG WP for each connector created in section Create Connector 1.0 above. 8.2.1 Define SAP Connector from section 2 1. Double-Click Define Connectors on the left side dialogue box. 2. Click on New Entries 3. Enter the data for the following fields. Target Connector Select the RFC Connector created in section 2 from list Connection Type SAP Source Connector Not needed (See Note) Logical Port Not relevant Maximum number Not relevant 4. Save your work.
Source Connector is only needed if the information transfer will be bi-directional. Logical Port Only relevant for Webservice type connections. Maximum number used to define maximum number of background jobs. Relevant only with Automated framework. 8.2.2 Define Subsequent Connectors Subsequent Connectors definition is needed when a connecter needs to trigger another connection. Example: When extracting data from SAP EP, most of the actions such as create user, delete user are served by standard SPML interface. But some actions like generate password are not available with standard SPML interface therefore needs a webservice protocol. In this scenario for SAP EP, standard SPML interface would be the subsequent connector and the webservice protocol would be the first connector. To Define Subsequent Connector: 1. Select the target connecter to which the subsequent connecter should succeed. 2. Click New Entries. 3. In the Subsequent Connector column, select the subsequent connector from the list. 4. In the Con. Type column, select the type of connection. 5. In the Logical Port column, enter the logical port for the connection. 8.3 Define Connector Groups Used to define Connector Groups 1. To Enter change mode and select an existing connector group or click on new entries to define a new group. 2. Enter data for appropriate fields, then save your work. Conn. Group Enter the name of the Conn. Group Connector Group Text Enter description or scenario for the Group Conn. Type Select the Connection type from the list (F4).
8.3.1 Assign Connector Groups to Group types Used to define Connector groups into Logical or Cross System Group types. You can enter change mode and edit existing or click new entries to define new group types. Choose on of the following from the dropdown menu. 16
Automated Monitoring Framework Logical Group Is a connector group type which consists the systems that are logically the same. Example: Oracle financials system 1, Oracle Financials system 2, etc
Logical System Group SAP (SDM) SAP (SDM) SAP (SDM) SAP (SDM) Cross System Group Is a connector group type which consists the systems with different environment Example:
Cross System Group SAP (SDM) LDAP (MS) WS (Oracle: Financials) SAP (CRM)
8.3.2 Assign Connectors to Connector Groups Used to assign connectors created in section 1 to connector Groups created in section8.3. 1. Select the Connector Group you would like to add the connectors to from Define Connector Groups section. 2. Double-click Assign Connectors to Connector Groups. 3. Enter data for appropriate fields. Target Connector Select the Connector you wish to add to this group from section above. Connection Type Select from the list (F4)
9 Maintain Connection Settings Used the maintain connection settings for Connection types and connection groups. To maintain connection settings: 1. Enter Transaction SPRO 2. Navigate to SAP Reference IMG > Governance, Risk, and Control > Common Component Settings > Integration Framework > Maintain Connection Settings. 3. Select the Integration Scenario. 17
SAP Delivered Integration Scenarios. Figure: 9-1 What is an Integration Scenario? Integration Scenarios is a component designed to work with different applications from AC 10.0. It consists of SAP delivered entries only and is also used by PC (Process Control). Within this component you can define what kind of connector you want, how you would like to maintain the connector and, how to technically deal with the connectors and connection types for each application. 9.1 Subscenario definition Consists of SAP delivered entries. This is used to classify how each and every component identifies the connector and how they want to process the connectors. The ultimate goal of the subscenario is to get the data from target connectors. Every sub-scenario has an associated class. All except Automatic Monitoring (AM) there is only one sub-scenario with same name as integration scenarios. Every sub-scenario there is a scenario connection type link. o Created connection type previously (pre-delivered) or the customer created connection type. 9.2 Scenario-Connection type Link Used to define Connection Type to Class/Interface. This are pre-delivered entries from SAP. This tells how to retrieve data from the connection type 9.2.1 Scenario Connector Link Used to maintain what connection types are used and handled within the integration sub-scenario. To define a new connector within the integration scenario and sub-scenario: 1. Select the subscenario 2. Double-click on Scenario-Connector Link 3. Click button. 4. Select or Enter the name of the target connector.
The connection type and connection type text are formulated based on the entries from section 1 for the connector. 18
9.2.1.1 Maintain file paths for Logical Connector This is used to maintain file paths for logical connector of connection type FILE. To maintain the file paths: 1. Select the Target Connector 2. Double-click Maintain file paths for logical connector. 3. Enter values for the following field: File Path Enter the logical file path File ID Enter the file ID File Type Enter the file type File Sep. Enter the file separator
10 Maintain Mapping for Actions and Connector Groups This is used to set the application type and action type for connector and connector groups along with default assignment. T-code: SPRO > Governance, Risk and Compliance > Access Control > Maintain Mapping for Actions and Connector Groups. 10.1 Maintain connector group status: Here you can assign the connector group, which were created in section 8, to an application type (Environment such as Oracle, SAP, LDAP, etc.). Conn. Group Enter or the connector group from list (F4). The groups were created in the section 8. Active Check if you want to Activate the group Appl Type Select Application Type from the list (F4). This is the environment such as Oracle, SAP, LDAP, etc
10.2 Assign default connector to connector group: Here you can assign the specific connector within the connector group to an action type (Ex. Role generation, provisioning,) Conn. Group Enter the connector group the list (F4). The groups were created in the section Maintain connectors and connection types above. Action Select a Connection action from the list (F4). Role Generation Role Risk Analysis Authorization Maintenance Provisioning HR Trigger Target Connector Enter the specific connector from the group you want to use for this action Default Check to set as default
10.2.1 Assign Group Field mapping: This is used to map default values for provisioning from a target system to a field in AC. 19
AC Field Name Enter the Field name in AC System Field Name Enter the Target system Field name Table Name Enter the Table name in Target system Subtype Enter the Subtype in Target system. Usually relevant in HR Trigger Action Connector
Example: Your objective is to have user personal number mapped as the email in AC10.0. In order to achieve this: You would select the target system connector Click on Assign Group field mapping AC Field Name: E_MAIL System Field Name: PERNR Table Name: 0006 Subtype: 5 This would map the Department value from the target system to the Role Description field in AC 10.0 10.2.2 Assign group parameter mapping: This is used for provisioning into systems that are SPML1.0 compliant like IDMs and SAP EP. These entries are based on the schema exposed by IDMs. Example: To create a user in NW IDM, the object class that should be used is MX_PERSON. Therefore; Parameter Name: CREATE_USER:OC Parameter value : MX_PERSON. OC = Object Class This configuration is purely administrative, who should have knowledge of SPML1.0 standards. Every IDM exposes a document called Schema. Administrator has to understand the schema for each of the operations like create user, change user, assign roles, Remove roles, lock user, unlock user, delete user and PSS and the same needs to be put in SPRO. 11 Maintain Connector Settings This is used to assign each connector to a specific Application type ( such as Oracle, LDAP, SAP, etc..) and Environment (Production, Test, and Development) Target Connector Created in Create Connector section above Appl Type Select Application Type from the list (F4). This is the environment such as Oracle, SAP, LDAP, etc Active Check to activate the connector Environment Specify What is the system environment: Production Test Development Path Id PSS
11.1 Assign attributes to the connector This is used to assign each connector and attribute Name and Attribute Value 20
Attribute Name Select Attribute name from list (F4) Group Path Others User Path Version Attribute Value Enter the attribute value
21
11.2 Subscenario definition Consists of SAP delivered entries. This is used to classify how each and every component identifies the connector and how they want to process the connectors. The ultimate goal of the subscenario is to get the data from target connectors. Every sub-scenario has an associated class. All except Automatic Monitoring (AM) there is only one sub-scenario with same name as integration scenarios. Every sub-scenario there is a scenario connection type link. o Created connection type previously (pre-delivered) or the customer created connection type. 11.3 Scenario-Connection type Link Used to define Connection Type to Class/Interface. This are pre-delivered entries from SAP. This tells how to retrieve data from the connection type 11.3.1 Scenario Connector Link Used to maintain what connection types are used and handled within the integration sub-scenario. To define a new connector within the integration scenario and sub-scenario: 5. Select the subscenario 6. Double-click on Scenario-Connector Link 7. Click button. 8. Select or Enter the name of the target connector.
The connection type and connection type text are formulated based on the entries from section 1 for the connector. 11.3.1.1 Maintain file paths for Logical Connector This is used to maintain file paths for logical connector of connection type FILE. To maintain the file paths: 4. Select the Target Connector 5. Double-click Maintain file paths for logical connector. 6. Enter values for the following field: File Path Enter the logical file path File ID Enter the file ID File Type Enter the file type File Sep. Enter the file separator