Initially as a Security consultant and then Architect I have used and implemented SAP GRC Access Control tool for user provisioning and creation along with many other features for most of the SAP and some Non-SAP landscapes. SAP came out with new strategy for GRC AC  and after Success Factors they will not extend standard integration of GRC AC with any new SAP cloud product.

As an alternative or new way SAP came with a new tool  called Identity Access Governance (IAG)- which is kind of Cloud version of GRC AC with less more flexible and without GRC AC MSMP engine. The SAP Cloud Identity Access Governance solution (IAG) is built on the SAP Cloud Platform and it uses SAP NetWeaver APIs to fetch data from target systems and perform multiple actions.

There are many SAP customers like us who have GRC AC setup as their primary provisioning tool and with new cloud systems not part of standard GRC integration this is a big challenge. Also, moving completely from GRC AC is a long-term process.

To resolve this SAP came up with a new licensing type of IAG called “IAG-GRC Bridge”- This still use GRC AC as our primary provisioning tool by integrating GRC and IAG and then IAG will integrate with Cloud application to perform the provisioning.

This part of Blog will provide detailed Configuration steps required for Integrating IAG with ARIBA Cloud Application only.

In this blog I will go through the steps to Integrate GRC AC with IAG Bridge Integration with ARIBA. When we say SAP Cloud IAG integrates with SAP Ariba, it natively integrates with Ariba Buying (and Invoicing) module, and from there if the applications are suite integrated, it will also integrate the users and authorizations to Strategic Sourcing Suite applications too. and this is ideally the Best Practice too.

The IAG Integration Flow:

The technical communication between IAG and Ariba is based on SOAP API calls. IAG reads the users from Ariba via MDNI by accessing the fetchUsers and fetchGroups locations specified in the destination. IAG sends via MDNI provisioning requests (users creation request/authorization assignment operations) to SAP Ariba at the location defined under uploadXMLUserData.

I have broadly defined the Integration into 5 step process and will go through them:

1. Complete the integration process for SAP Cloud Identity Access Governance and target cloud application, for instance, SAP Ariba.


2. In the SAP Cloud Identity Access Governance launchpad, sync the repository data from target app to the IAG repository.


3. Complete the integration process for the SAP Access Control on-premises system and SAP Cloud Identity Access Governance.


4. In the SAP Access Control system, sync the repository data from the IAG repository to the SAP Access Control system.


5. In the SAP Access Control system, create access requests for target cloud application.

 

1. Complete the integration process for SAP Cloud Identity Access Governanceand target cloud application, for instance, SAP Ariba.

• 
  
  
  
  • In the SAP Cloud Platform, set up destination for the SAP Ariba solution.
  
  
  
  

Click Connectivity->Destinations, and then click New Destination

SAP BTP Destination Config.(Setup below properties):

Add ARIBA in IAG BTP

https://blogs.sap.com/2021/03/01/how-to-integrate-sap-cloud-identity-access-governance-with-sap-arib...

Property	Value
*Name	ARIBA_DEST
Type:	HTTP
Description:	Ariba Sync
*URL	ARIBA team will provide
Proxy Type	Internet
Authentication:	BasicAuthentication
User	Create User in AribaEnd Point Configuration
Password:	Password of above created user
apiKey*	Generate the API key with your ARIBA DSC Contact
fetchGroups**	ARIBA team will provide
fetchUsers**	ARIBA team will provide
objectName	User
serviceURL	ARIBA team will provide
tenantId***	AN-Id provided as part of the Ariba system
uploadXMLUserData	ARIBA team will provide

ARIBA Destination Properties

*You need to generate API key

**ARIBA Team needs to activate MDN

***ARIBA team will provide TenantID

Please refer this blog: SAP ARIBA Properties

Observation: In Cloud Integration with IAG this is very common that when you test connection it errors out but this works.

• Create an instance for SAP Ariba in the Systems app in IAG Launchpad

Add System in IAG App

2.  Sync User Data and Provision Access Requests

Open the Job Scheduler app. In the Job Category dropdown, schedule the Repository Sync job.

Setup Repos Sync Job

Steps 1 and 2 which is explained above allows the User Data to be synced from ARIBA to IAG.

The next steps will be how to sync Data from IAG to GRC.

3. Complete the integration process for the SAP Access Control on-premises system and SAP Cloud Identity Access Governance

Please make sure all the Prerequisite is completed and procced to next steps and Maintain Cloud Connector.

• In Cloud Connector Configuration:

• In IAG BTP Cockpit:

IAG BTP Cockpit

• Maintain RFC Destinations for the IAGTRIGGER App

Before setting up the RFC Destination you have to make sure that IAS is setup correctly please refer this blog for the configuration SAP Cloud Identity Access Governance – Initial Setup

For customers in the United States subscribing to the standard edition use the link in RFC: grc-iag-us10-grc-iag-core-us10-java-rest-authentication.cfapps.us10.hana.ondemand.com

RFC Setup in GRC AC

User = PUSERID@IAG Subdomain

Password = IAS Password for P USER

Subdomain

 

• Destination for SOD check

For customers in the United States use the below link in another RFC:

grc-iag-us10-grc-iag-core-us10-java-rest-trigger.cfapps.us10.hana.ondemand.com

RFC Setup in GRC AC

• Destination for the ARIBA Destination

RFC Destination = This name should correspond to the one listed in the Systems app in IAGHost

URL - Same as the trigger URL from the previous step. (grc-iag-us10-grc-iag-core-us10-java-rest-trigger.cfapps.us10.hana.ondemand.com)

Leave the login blank (do not provide any user/password) and select SSL active.

Path Prefix= /com/sap/grc/iag/service/roleSimulationService.svc/

Port= 443

ARIBA RFC in GRC AC

 

• Configure the Identity Authentication Service in SAP-BTP

1. In SAP-BTP, create destination for Identity Authentication.


2. Go to your subaccount and open Connectivity Destinations New Destinations.


3. Create destinations as specified below.

IAS Setup

SAP BTP

• Configure Parameters for Cloud Integration in GRC AC

GRC Parameter

• Create Connectors and Connector Groups in GRC AC

Define Connector in GRC : Add the ARIBA RFC Just like any other system.

GRC AC Configuration

• Create Destinations for SAP Cloud Identity Access Governance Service

This delivered service is used by SAP Cloud Identity Access Governance to push provisioning status updates to SAP Access Control. This enables the proper and accurate display of provisioning status for access requests.

1. Go to SPRO Governance, Risks and Compliance SAP NetWeaver SAP Gateway Administration General Settings Activate and Maintain Services.


2. In the Service Catalog screen, select IAG_PROVISION_STATUS_UPDATE_SRV and activate it.


3. In the System Aliases pane, choose Add System Alias, and add it as local host, and Save.


4. In the ICF Nodes pane, choose SAP Gateway Client, and Execute.


5. In the html pane, copy the href link. You need it for the next step.

• In the Cloud Connector, create a system mapping for the provisioning status update service.

1. Open the SAP Cloud Platform Connector, select the subaccount, and choose Cloud To On-Premise.


2. Go to the Access Control tab and choose the plus (+) sign to add a new system mapping.


3. For Backend Type, select ABAP System and choose Next.


4. For Protocol, select HTTPS, and choose Next.


5. Enter the internal host and port information and choose Next. Also enter the virtual host (Please check screen shot)You can copy this information from the services URL. Refer to the  step 5 of previous setup. Internal Host: enter the root URL; do not include the protocol(https) and Internal Port: enter the port number.


6. For Principal Type, select X.509 Certificate (General Usage) and choose Next.


7. Select the Check the Internal Host box and choose Finish.


8. Add a resource path. In the Mapping Virtual To Internal System table, select the new mapping. In the ResourcesAccessible On section, choose the pencil icon to edit it.In the URL Path field, make sure /sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV is entered, and save.


9. Test the configuration. In the Mapping Virtual To Internal System table, select the new mapping, and choose then check-availability icon.


10. In SAP-BTP, create a destination for the Provisioning Status Update virtual mapping.Go to Connectivity, choose Destinations and the plus sign (+) to add a destination. Add the destination. Enter the name as IAGProvisionStatusUpdate.For the URL , copy and paste the URL from the services configuration step and save.

4. In the SAP Access Control system, sync the repository data from the IAG repository to the SAP Access Control system

Go to SPRO Governance, Risks and Compliance Synchronization Jobs and run the Repository Object Sync.

1. In Select Sync Job, select all three jobs.


2. In Select Connector and Sync mode, select the cloud connector.


3. In Advance Options, select IAG Import.

5. In the SAP Access Control system, create access requests for target cloud application

After the successful Sync job the ARIBA groups will be imported in GRC AC system. You need to make sure that groups are in PRODUCTION status to be selected in GRC Access Request form.

Once you have completed the Integration steps above ARIBA system and Groups will be available for provisioning .

You need to setup Provision Job in IAG to make sure the data and provisioning is consistent between ARIBA->IAG->GRC.

Provisioning Job in IAG

For troubleshooting in IAG you can check the Provisioning status of the GRC request number.

Provisioning Report in IAG

These steps completes the End to End Integration of ARIBA and GRC using IAG Bridge.

Note: Please share your feedback or thoughts in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance  or https://answers.sap.com/tags/01200615320800000796