SAP GRC 10.1-12.0 Integration With HANA DB For User Access Provisioning
The details below focus on the technical setup: the DB connection setup from GRC to HANA DB,
deployment of the Delivery Unit in HDB, syncing the users and roles of HANA DB to GRC,
importing the HANA DB roles into GRC BRM, and then user access provisioning to HANA DB
through GRC.
GRC can provision the following different types of roles to users in HANA DB:
Let’s see how you can set up this functionality and test it end to end in a GRC 12.0 system.
Create HANA database connector in GRC system using transaction code DBCO (Database
Connection Maintenance)
DB Connection: Fill in the DB Connection name. This name will be used in the connector setup
so name it accordingly.
DBMS: Select the type of Database Management System as “HDB” (HANA Database)
User Name and Password: Valid user authentication details to connect to HANA DB. The user
must already exist in HANA DB and be assigned the required privileges.
Since the RFC user (GRC_FF in this case) is used for integration between GRC and HANA DB
and not for interactive use or manual login to the database, it is recommended that the
password of this user is disabled (i.e. no change required for the password).
Connection Info: HANA database system details (Hostname details along with Port Number)
Save the database connection after entering all required details as mentioned above.
Create a connector in SM59 with connection type “L” (Logical Destination) and the same
connector name as the connection created in DBCO.
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain
Connectors and Connection Types -> Define Connectors
Define connector groups in the following IMG path and assign HANA DB connectors to this
connector group
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain
Connectors and Connection Types -> Define Connector Groups
As a good practice, connectors must be assigned to all available integration scenarios
(AM, ROLMG, SUPMG, AUTH, PROV).
SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain
Connection Settings
Maintain Connector Settings
SPRO -> IMG -> GRC -> Access Control -> Maintain Connector Settings
Deploying the Delivery Unit into HANA DB and activating the SQL procedures under the AC
folder in HANA DB is a prerequisite and must follow the steps mentioned in the following
SAP Note:
https://launchpad.support.sap.com/#/notes/1869912
GRC Procedures Activation
Details on how to activate the corresponding SQL procedures under the ARA and ARQ folders
are available in SAP Note 1869912.
SQL Procedures under ARQ folder – Execute procedures starting with ‘IS’ or ‘INS’ first, followed
by procedures starting with GRANT and REVOKE, and finally the remaining procedures.
The “GET_USERS_SYNC” procedure has an updated version released through the following SAP
Note. Download it from the note and activate it, as it is not updated in the latest version
by default.
2451688 – Repository sync job not syncing back user validity dates from HANA
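The activation order for the ARQ folder described above can be turned into a checklist before touching HANA studio. The following is an added example, not code from the original post or from SAP: the file names in SAMPLE are constructed (only GET_USERS_SYNC appears in the text), and the script only sorts names and flags the procedure that should come from SAP Note 2451688.

```python
import re
from pathlib import PurePosixPath

# Phase rule taken from the text: IS*/INS* first, then GRANT*/REVOKE*, then the rest.
PHASES = (
    (1, re.compile(r"^(IS|INS)", re.I)),
    (2, re.compile(r"^(GRANT|REVOKE)", re.I)),
)
# Procedures the text says must be taken from a note attachment before activation.
REPLACE_FROM_NOTE = {"GET_USERS_SYNC": "2451688"}


def phase_of(name: str) -> int:
    """Return 1, 2 or 3 for a procedure name, matching prefixes case-insensitively."""
    for phase, pattern in PHASES:
        if pattern.match(name):
            return phase
    return 3


def activation_plan(files):
    """Return [(phase, procedure_name, note_or_None)] sorted into activation order."""
    plan, seen = [], set()
    for f in files:
        name = PurePosixPath(f).stem.upper()  # drop folder and extension
        if name in seen:                      # ignore duplicate listings
            continue
        seen.add(name)
        plan.append((phase_of(name), name, REPLACE_FROM_NOTE.get(name)))
    return sorted(plan, key=lambda row: (row[0], row[1]))


# Constructed sample listing of an ARQ folder; names other than
# GET_USERS_SYNC are hypothetical placeholders.
SAMPLE = [
    "GET_USERS_SYNC.sql",
    "grant_role_example.sql",
    "INS_USER_EXAMPLE.sql",
    "REVOKE_ROLE_EXAMPLE.sql",
    "IS_USER_EXAMPLE.sql",
    "DELETE_USER_EXAMPLE.sql",
]

if __name__ == "__main__":
    for phase, name, note in activation_plan(SAMPLE):
        hint = f"  <- use the version attached to SAP Note {note}" if note else ""
        print(f"phase {phase}: {name}{hint}")
```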
However, you will come across a few errors during SQL procedure activation, like those
mentioned below. Please go through the note and then implement the corresponding procedures
attached in the note to resolve the errors:
The Get_action_permissions_info.sql procedure may still throw an error. Please fix it with
the code shown below:
The manual steps mentioned in the note below must also be executed in HANA studio or Web IDE
even if you are on the latest version 12.0, as there are some updates to procedures in the
ARQ folder which need to be manually updated in HANA DB.
If the manual steps mentioned in the above note are not completed, ARQ provisioning will
fail with the following errors:
GRC Repository Object Sync
Execute the “Repository Object Sync” program once all the above configuration is completed.
It should successfully sync the USERS and ROLES from HANA DB to the GRC system.
HANA Roles Import to GRC BRM
Following roles can be provisioned to users in HANA database and while importing these roles
into BRM, please use the role types as mentioned below:
Once the above-mentioned steps are completed, you can raise a GRC access request and
provision HANA DB roles.
I have attached screenshots of the access request provisioning logs for HANA DB role
provisioning below for your reference.
Repository or Catalog roles provisioning