In this blog post, you will learn how to add additional system(s) to the provisioning environment in SAP GRC 12.0.
OVERVIEW
Recently, I was asked if it would be possible to add another environment (system) in SAP GRC Access Request as part of Provisioning Environment. So I thought of checking it out to see if it could be done.
By default, SAP Access Request has four options for Provisioning Environment:
- ALL
- Production
- Development
- Testing
Requirement: Add a Sandbox system to the above list so that users can be provisioned only to the sandbox system.
Pre-requisites
To achieve this, you need help from an ABAP developer and from someone with an S-user ID that has authorization to register object keys on the support.sap.com portal:
- Object keys for domains GRAC_SYS_TYPE and GRAC_ENVNNT
Note: No code change or enhancement (BADI / User Exit) is required.
ABAP Developer Tasks
After you get the object keys for the two domains, you can have the ABAP developer add the Sandbox system:
Add the value SBX – Sandbox in the domain GRAC_SYS_TYPE
Add the value SBX – Sandbox in the domain GRAC_ENVNNT
Note: This may not be needed. But since this also has the environments list, we added the system to this domain too.
After the domains are updated, activate screen 0011 (including screen painter layout) in Function Group GRAC_AD_MAINTAIN of program SAPLGRAC_AD_MAINTAIN
Go to transaction SE80 and enter Function Group GRAC_AD_MAINTAIN of program
Select screen 0011
Click on the Activate icon
Next, click on the Layout button to bring up the screen painter screen
Click on the Activate icon
SECURITY / GRC Task
Update the Maintain Connector Setting and assign the Sandbox under Environment column for your sandbox connector
Go to SPRO –> SAP REFERENCE IMG –> GOVERNANCE, RISK AND COMPLIANCE –> ACCESS CONTROL –> MAINTAIN CONNECTOR SETTINGS
Add or update the connector entry of your Sandbox system
After mapping the target connector to the sandbox environment, save the configuration change.
You will be prompted to include the change in a transport request. Please create a transport so that the changes can be transported.
Update view GRACV_ENRONMENT list with the sandbox entry
You will be prompted to include the change in a transport request. Please create a transport so that the changes can be transported.
Validation
Validate these changes by submitting an access request to provision a user in the Sandbox system.
In our example, the FE1 system (Connector FE1CLNT001) is our sandbox system.
But before we submit the request, let us verify that the user ID TESTUSERSBX2 that we want to create does not exist in the FE1 system.
Go to NWBC and submit an access request to provision the user in the Sandbox system.
Click on the Submit button to submit the request.
Note: If you have workflow setup for provisioning users, please have the request approved.
Now let us go to FE1 and check if the user id was created
The role(s) will be assigned too
Summary
To summarize, to add additional systems to the provisioning environment list, the following activities need to be performed:
- Register object keys for domains GRAC_SYS_TYPE and GRAC_ENVNNT
- Activate screen 0011 in Function Group GRAC_AD_MAINTAIN of program SAPLGRAC_AD_MAINTAIN
- Activate screen 0011 layout
- Update the Maintain Connector Setting and assign the Sandbox under Environment column for your sandbox connector
- Update view GRACV_ENRONMENT list with sandbox entry
The idea of adding an additional system to the provisioning list seemed interesting and prompted me to check the possibility of implementing it. It also opens up the idea for a provisioning setup where you can provision and deprovision user IDs to a specific system in your SAP landscape via SAP GRC Access Request.
I hope you will find the idea interesting too.
Any feedback, thoughts and comments on this topic are welcome.