During this article, the benefits and utilities of undertaking an integration between the SAP GRC system and another system external to the ERP ecosystem, such as, for example, the corporate employee request management tool, will be discussed. Throughout the document, the concept will be grounded for the management of new accounts in an integrated way.
Systems involved in “Onboarding”
Currently, every company has a tool for managing employee requests, to name a few of the most popular: ServiceNow, Jira or 4ME. All of them allow, among a huge catalogue of options, to initiate onboarding flows for new employees.
Originally, these tools do not have the option of interacting with the production ecosystem if this is SAP software, leaving this communication in the hands of teams that must manage it manually as both systems are isolated nodes.
This type of registration process requires the involvement of at least two administrative teams: one team transmits the requirements of the new employee, and a different one registers the accounts in the SAP system, as shown graphically in the following diagram:
In this context, the initiative of an integration between the SAP GRC system and the external request management tool is proposed through a technology known as web services. This has the following technical characteristics:
- They work with messages using SOAP protocol and XML programming language via the HTTP web standard.
- They allow a direct data transmission channel between both ends.
- Real-time communication.
Web Services in SAP GRC
For this integration technology, the SAP GRC system offers a wide range of connection typologies via WS for different functions, which will depend on the use required in each implementation. The most relevant ones related to user management are shown below.
| ID Servicio Web | Funcionalidad |
| GRAC_REQUEST_DETAILS_WS | Devuelve todos los detalles de una solicitud especifica. |
| GRAC_REQUEST_STATUS_WS | Búsqueda del estado de una solicitud especifica. |
| GRAC_USER_ACCES_WS | Crea una solicitud de ARM, devolviendo el número de la solicitud tras crearla. |
As an example, for a case in which you wish to receive an update on the status of a specific GRC request in the ticketing tool, it is possible to use the WS with the name GRAC_REQUEST_STATUS_WS.
This only needs the request number as input value, and in real time returns the response with the status, correlated as shown in the following table:
| SAP GRC Status | Web Service Status |
| Decision Pending | PENDING |
| Approved | OK |
| Cancelled | ABORTED |
| Rejected | FAILED |
Configuration and cybersecurity of the Web Service
Going down to the configuration level, this must be done in both nodes of the communication for it to work, both the external tool and the SAP system.
In the case of the latter, this can be done through the SOAMANAGER transaction, where the desired type of web service is selected and parameterised.
At the same time, it is also possible to make certain security settings, such as those listed below:
- Encryption of communication using SSL (Secure Sockets Layer).
- HTTPS secure web protocol.
- Authentication between nodes using the User/Password pair.
Integration User
Continuing from the SAP system side, beyond the web service configuration, an integration user is also required. This will be a local account in the SAP GRC backend, of system type, which must have sufficient specific authorisations to be able to manage GRC requests (view logs, launch new requests, etc…).
The credentials of this user will be used to authenticate the service in each of the calls, thus granting access to SAP.
Example of execution
To show a practical example, the service named GRAC_USER_ACCES_WS has been executed, which allows GRC requests to be created externally to the SAP ecosystem.
To do this, it will first be necessary to build a SOAP query that carries all the necessary information collected for the new registration.
This can be obtained as easily as by pro to the requesting employee covering basic data such as: Name, email address, SAP system required, authorisations needed, manager approving the request… etc.
Once this query has been sent through the web service to the SAP system, through the integration user a new GRC request will be launched and its number will be returned to the system that originated the query, in the format shown in the following image:
From this point, the normal flow defined for each company in GRC is initiated. Once completed, the user will be created in the final system and the credentials sent to the employee:
Key Points
- Integration between SAP and non-SAP tools is feasible, reliable and secure.
- Web Service technology appears as a vehicle for interoperability.
- The SAP GRC Access Controls standard contains 16 main web services that make this integration possible.
- Scalable and highly adaptable solution to the needs of each IT architecture.
- Solves the current problem that many companies have in connecting the user request management tool (ServiceNow, JIRA, etc.) with SAP GRC and the SAP systems environment.
- External access to any SAP functionality.
- Rapid return on investment.
- Value solution delivery.
