Architecture of the integration

The integration uses two profiles. The first profile contains SAP NetWeaver Adapter account and service attributes only. This profile does not enable a connection with SAP GRC Access Control. The second profile contains an extended set of account and service attributes for interaction between SAP GRC Access Control (Version 5.3, 10.0, and 10.1) and SAP NetWeaver.

This interaction enables IBM® Security Identity Manager to coordinate the account compliance checking process in SAP GRC Access Control with the SAP NetWeaver account provisioning process. This profile effectively enables a single account provisioning request to perform two tasks:

  1. Submission of an access request to SAP GRC Access Control from IBM Security Identity Manager.
  2. Submission of an account provisioning request to SAP NetWeaver from IBM Security Identity Manager, depending whether an approval or rejection is granted for the IBM Security Identity Manager request.
The relationships between components of the adapter are shown in Figure 1.
Figure 1. IBM Security Identity Manager SAP NetWeaver Adapter with Integration for SAP GRC Access Control components and relationships
A high level of control is obtained over the provisioning process by configuring IBM Security Identity Manager workflow extensions for SAP GRC Access Control. The IBM Security Identity Manager workflow extensions allow Add, Modify, Suspend, Restore, and Delete requests to be sent to SAP GRC Access Control. SoD compliance checks are then performed in SAP GRC Access Control before provisioning the account in SAP NetWeaver. The risk analysis and remediation features of SAP GRC Access Control Compliant Provisioning can be used to:
  • Modify the request
  • Submit an approval
  • Submit a rejection
  • Cancel the request
In IBM Security Identity Manager workflow, there are two possible modes to configure each type of request. These modes are referred to as Non-blocking mode and Blocking mode.

In Non-blocking mode, SAP GRC Access Control takes control of account provisioning on the target system. Following submission of an access request to SAP GRC Access Control, IBM Security Identity Manager workflow continues execution and does not wait for the result of the request in SAP GRC Access Control. This mode passes the responsibility of provisioning the account in SAP NetWeaver to SAP GRC Access Control.

In Blocking mode, IBM Security Identity Manager workflow blocks (or wait/pause) following submission of an access request to SAP GRC Access Control. The workflow continues to block until the result of the request is received from SAP GRC Access Control. A dedicated Notification Service deployed in WebSphere® is responsible for
  • Periodically querying SAP GRC Access Control
  • Relaying results of completed requests to IBM Security Identity Manager
  • Unblocking the relevant IBM Security Identity Manager workflows.
The IBM Security Identity Manager workflow becomes the central point of coordination and auditing for account provisioning. IBM Security Identity Manager determines whether an account is provisioned in SAP NetWeaver, depending on pre-conditions such as whether the request was approved or rejected in SAP GRC Access Control.