In this article, we continue to describe the benefits and uses of integrating the SAP GRC system with a system outside the ERP ecosystem such as, for example, the corporate employee request management tool.
Throughout the document, we focus in particular on one of these web services, the “WS Status”, which makes it possible to know the status of GRC requests at any time without needing to access the system.
Integration of systems involved in an onboarding
Nowadays, every company has a tool for managing employee requests; to name a few of the most popular: ServiceNow, Jira or 4ME. Among a huge catalog of options, all of them allow new-employee registration flows to be initiated.
Natively, these tools cannot interact with the production ecosystem when it is SAP software, so this communication is left to human teams who must handle it manually, since the two systems are incompatible nodes.
In this type of onboarding process, at least two management teams must be involved:
- One conveys the requirements of the new employee.
- The other performs the registration of the accounts in the SAP system as shown graphically in the schematic.
Given this context, it is worth considering an integration between the SAP GRC system and the external request management tool by means of the system integration technology known as web services.
Web Services in SAP GRC
For this integration technology, the SAP GRC system offers a wide range of web services (WS) for different functions, to be chosen according to what each implementation requires.
Regarding user management, the table below shows the most relevant ones:
Web Service ID | Functionality |
GRAC_REQUEST_DETAILS_WS | Returns all the details of a specific request. |
GRAC_REQUEST_STATUS_WS | Looks up the status of a specific request. |
GRAC_USER_ACCES_WS | Creates an ARM request and returns the request number once it is created. |
Web Service: Request Status
In this article we look in more detail at the web service “GRAC_REQUEST_STATUS_WS”, which lets an external tool be informed of the status of a GRC request. This can be very useful, for example, to automate feedback to users on the status of their permission request in SAP GRC: they can consult it from the corporate ticketing tool, without every employee needing an account to log in to GRC.
To perform this integration, the external system must first map each request in its own system to the corresponding request in GRC. For example:
- User A creates the request REQ123 in the ServiceNow (or any other) tool.
- The authorization team creates Request ID 305 in SAP GRC to handle this request REQ123 from user A.
- The ServiceNow system must store that the REQ123 request is related to the SAP GRC 305 request.
At this point the web service comes into play: it can provide up-to-date information on the status of the GRC request. This only requires building a SOAP query with two input parameters:
- ReqNo: Mandatory field containing the number of the GRC request whose status is to be queried.
- Language: Optional field indicating the language in which the SAP system should send the response.
WS Status: Status Types
In this last section, we will go down to the technical details of the behavior of this SAP GRC web service.
Once a query like the example in the image above has been launched, the server system (in this case SAP GRC) will send a response that follows the mapping in the table below:
SAP GRC Status | Web Service Status |
Decision Pending | PENDING |
Approved | OK |
Cancelled | ABORTED |
Rejected | FAILED |
Continuing with the previous example, if the status of the GRC 305 request is pending as in the image below:
The querying system will receive an XML response including the details of the status of the GRC request in the “ReqStatus” field, as shown in the following image with the status PENDING:
With this information, the ticketing tool can have ad-hoc up-to-date information on the status of requests within SAP GRC, and thus can inform the user or follow up on approvers to move the request forward.
As for how to inform the end user, following the example, the ticketing tool would translate the server response “PENDING” into an automatic message in the ticket such as “Your access request is still pending approval”.
For other cases, if the tool receives a “FAILED” response from the SAP server, this implies that in SAP GRC the request has been rejected at the approval stage. With this knowledge, a message such as “The request has been rejected by an approver or administrator in the risk approval tool as it does not comply with company policies” can be included in the request. In turn, it would be possible for this type of message to automatically close the request, without the need to involve the management team, resulting in recurring time savings.
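The status query and the status translation described above, sketched in Python as an added example (not code from the article or from SAP). The service namespace and operation element name are placeholders to be replaced with the values from the service's WSDL, the two-letter language check is an assumption, and the sample response is constructed.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumptions: placeholder namespace and operation name; take the real ones from the WSDL.
SERVICE_NS = "urn:example:grc-status"
OPERATION = "RequestStatus"

# Ticket ID -> GRC request number, as stored by the ticketing tool (the article's pair).
TICKET_TO_GRC = {"REQ123": "305"}

# Web service status -> (ticket message, close the ticket automatically).
# PENDING and FAILED messages are the article's; OK and ABORTED wording is constructed.
STATUS_ACTIONS = {
    "PENDING": ("Your access request is still pending approval", False),
    "OK": ("Your access request has been approved", False),
    "ABORTED": ("Your access request has been cancelled", False),
    "FAILED": ("The request has been rejected by an approver or administrator in the "
               "risk approval tool as it does not comply with company policies", True),
}

def build_status_request(req_no, language=None):
    """Build the SOAP envelope; inputs are validated so they cannot alter the XML."""
    req_no = str(req_no)
    if not (req_no.isascii() and req_no.isdigit()):
        raise ValueError("ReqNo must be numeric")
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SERVICE_NS}}}{OPERATION}")
    ET.SubElement(op, "ReqNo").text = req_no        # mandatory
    if language is not None:                        # optional
        if not (language.isascii() and language.isalpha() and len(language) == 2):
            raise ValueError("Language must be a two-letter code")  # assumed format
        ET.SubElement(op, "Language").text = language.upper()
    return ET.tostring(env, encoding="unicode")

def ticket_update(response_xml):
    """Return (message, auto_close) for a status response."""
    root = ET.fromstring(response_xml)
    if root.find(f".//{{{SOAP_NS}}}Fault") is not None:
        raise RuntimeError("SOAP fault returned instead of a status")
    status = next((el.text or "" for el in root.iter()
                   if el.tag.rsplit("}", 1)[-1] == "ReqStatus"), None)
    if status is None:
        raise ValueError("response carries no ReqStatus field")
    # Unknown values never close a ticket: only an exact FAILED may do that.
    return STATUS_ACTIONS.get(status.strip(), ("Unrecognised status, manual review needed", False))

# Constructed sample response for GRC request 305 while it is pending.
SAMPLE_RESPONSE = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><n0:{OPERATION}Response '
                   f'xmlns:n0="{SERVICE_NS}"><ReqStatus>PENDING</ReqStatus>'
                   f'</n0:{OPERATION}Response></s:Body></s:Envelope>')
```

Because a FAILED response can close a ticket without human review, the lookup matches the status exactly and treats anything else as needing manual handling.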
Key Points
- Integration between SAP and non-SAP tools is feasible, reliable and secure.
- Value-adding solution, scalable and highly adaptable to the needs of each IT architecture. Rapid return on investment.
- It solves the current problem that many companies have in connecting the user request management tool (ServiceNow, JIRA, etc.) with SAP GRC and the SAP systems environment.
- Understanding and correctly mapping fields between the two integrated tools is key.
- It is important to use status translation (between the server response and the message received by the end user) to show more “user-friendly” messages to employees.