IAG Bridge Scenario - GRC AC 12.0 Integration With... - SAP Community
muthu_kumar
Product and Topic Expert
05-04-2023 10:09 AM
4 Kudos
In this blog I will go through the steps to enable SAP Access Control 12.0 (on-premise) to
use SAP Cloud Identity Access Governance as a bridge to facilitate creating access
requests and performing risk analysis for cloud applications.
The IAG bridge scenario is used when the customer is using the GRC system as the primary
system. If the customer does not have GRC AC in their landscape, it is recommended to go
for the IAG Standard edition.
Make sure you have completed the below steps before following the blog:
https://community.sap.com/t5/technology-blogs-by-sap/iag-bridge-scenario-grc-ac-12-0-integration-with-iag/ba-p/13564421 1/16
4/9/24, 1:10 PM IAG Bridge Scenario - GRC AC 12.0 integration with... - SAP Community
Note: You can only connect one Access Control System with IAG.
Process Overview
The following tasks need to be done to integrate IAG with GRC AC:
Make sure the initial configuration in the Cloud Connector (e.g. creation of a self-signed
certificate) has been completed before following the step below.
Region: <Region and provider of your IAG subaccount> (you can find the details on the Overview page)
Subaccount: <Subaccount ID of the IAG subaccount> (you can find the details on the Overview page)
Display Name: <Free text>
Login Email: <S-user ID or S-user email ID>
Password: <S-user ID password>
Location Id: <Optional>
Description: <Free text>
Go to the IAG Subaccount in Cloud Connector > Cloud to On-Premise > Access
Control > Click + Symbol and give the following details.
Back-end Type: ABAP System
Protocol: RFC
Connection Type: Without load balancing (application server and instance number)
Application Server: < Give GRC AC Application Server>
Instance Number: < Give GRC AC Instance Number>
Virtual Application Server: <Give any random server details to mask the original
data>
Virtual Instance Number: <Give any random instance details to mask the original
data>
Click Next, click Check Internal Host, and then save. Once you have created the RFC
connection in the Cloud Connector, add the resources below to the RFC connection:
Function Name     Naming Policy
SIAG              Prefix
RFC_READ_TABLE    Exact name
GRAC_IAG          Prefix
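The resource table above mixes Prefix and Exact entries, and that difference decides which function modules IAG can reach through the tunnel. The following added example (not part of the original blog and not SAP code) models the allow-list so that a configured resource list can be audited against the one given here; the matching semantics, the DRIFTED list and the ZDEMO function names are assumptions constructed for illustration.

```python
# Added example, not SAP code. Assumed matching semantics: "Prefix" exposes
# every function whose name starts with the entry, "Exact" only that name.
from typing import NamedTuple, Optional

class Resource(NamedTuple):
    name: str
    policy: str  # "Prefix" or "Exact"

# The three RFC resources this page tells you to add.
EXPECTED = [
    Resource("SIAG", "Prefix"),
    Resource("RFC_READ_TABLE", "Exact"),
    Resource("GRAC_IAG", "Prefix"),
]

def match(function_name: str, resources=EXPECTED) -> Optional[Resource]:
    """Return the entry that exposes function_name, or None if blocked."""
    fn = function_name.strip().upper()
    for res in resources:
        if res.policy == "Prefix" and fn.startswith(res.name):
            return res
        if res.policy == "Exact" and fn == res.name:
            return res
    return None

def audit(configured):
    """List differences between a configured resource list and EXPECTED."""
    findings = [f"unexpected entry: {r.name} ({r.policy})"
                for r in configured if r not in EXPECTED]
    findings += [f"missing entry: {r.name} ({r.policy})"
                 for r in EXPECTED if r not in configured]
    return sorted(findings)

def newly_exposed(configured, function_names):
    """Functions reachable under `configured` but blocked under EXPECTED."""
    return [fn for fn in function_names
            if match(fn, configured) and not match(fn, EXPECTED)]

# Constructed sample data: a drifted configuration and hypothetical names.
DRIFTED = [
    Resource("SIAG", "Prefix"),
    Resource("RFC_READ_TABLE", "Prefix"),  # should be Exact
    Resource("GRAC", "Prefix"),            # should be GRAC_IAG
]
SAMPLE_FUNCTIONS = ["SIAG_ZDEMO_FN", "RFC_READ_TABLE", "RFC_READ_TABLE_ZDEMO",
                    "GRAC_IAG_ZDEMO_FN", "GRAC_ZDEMO_FN", "ZDEMO_OTHER_FN"]

if __name__ == "__main__":
    for line in audit(DRIFTED):
        print(line)
    print("newly exposed:", newly_exposed(DRIFTED, SAMPLE_FUNCTIONS))
```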
You need to download the certificates mentioned below and upload them to the GRC system
and the Cloud Connector respectively.
1) IAG certificate:
Identify the customer IAG tenant link by referring to the link below and download the
certificate.
IAG tenant URL
2) GRC AC certificate:
Execute the STRUST t-code in GRC AC and download the certificate for the GRC
AC system.
3) Cloud Connector certificate:
Log in to the Cloud Connector > Configuration > ON PREMISE > Download the
System Certificate.
4) Upload the IAG tenant and Cloud Connector certificates to the GRC AC system using
the STRUST t-code.
5) Upload the GRC AC and IAG tenant certificates to the Cloud Connector:
Log in to the Cloud Connector > Configuration > ON PREMISE > Upload the
certificates to the Trust Store.
Run the connection test for IAG_SOD_AUTH and IAG_SOD. The HTTP response status
should be 200 and the status text should be OK. If you run the connection test for
the cloud application RFC connection, a user credential screen will pop up, which is
fine.
Check connection shows green status, but 405 Method Not Allowed
1. Log in to GRC AC > SPRO > Governance, Risks and Compliance > Access
Control > Maintain Configuration Settings.
2. Maintain the following parameters:
   1090 - Yes
   1091 - IAG_SOD
   1092 - IAG_SOD_AUTH
Create connectors and connector groups for the target cloud application in GRC AC.
Note
For steps 3 and 4, the Systems and Business Function Group apps in SAP Identity
Access Governance must have 10 characters or less, as SAP Access Control supports
only 10 characters.
9. Create Destination for IAG to display the provisioning status of access request
This delivered service is used by SAP Cloud Identity Access Governance to push
provisioning status updates to SAP Access Control. This enables the proper and accurate
display of provisioning status for access requests.
1. Go to SPRO > Governance, Risks and Compliance > SAP NetWeaver > SAP
Gateway Administration > General Settings > Activate and Maintain Services.
2. In the Service Catalog screen, select IAG_PROVISION_STATUS_UPDATE_SRV and
activate it.
3. In the System Aliases pane, choose Add System Alias, and add it as local host,
and Save.
4. In the ICF Nodes pane, choose SAP Gateway Client, and Execute.
5. In the html pane, copy the href link and identify the Host and Port Number or
execute SMICM > Goto > Services > Note down the Host and Port for HTTPS
Protocol
6. In the Cloud Connector, Create a system mapping for the provisioning status
update service
Login to the Cloud Connector, select the subaccount, and choose Cloud To On-
Premise.
Go to the Access Control tab and choose the plus (+) sign to add a new system
mapping.
For Backend Type, select ABAP System and choose Next.
For Protocol, select HTTPS, and choose Next.
Enter the internal host and port information and choose Next.
You can copy this information from the services URL. Refer to the image in step 5.
Internal Host: enter the root URL; do not include the protocol.
Internal Port: enter the port number.
Virtual Host: <Give any random server details to mask the original data>
Virtual Port: <Give any random port details to mask the original data>
For Principal Type, select X.509 Certificate (General Usage) and choose Next.
Select the Check Internal Host box and choose Finish.
Add a resource path. In the Mapping Virtual To Internal System table, select the
new mapping. In the Resources Accessible On section, choose the pencil icon to
edit it.
In the URL Path field, make sure
/sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV is entered, and save.
Test the configuration. In the Mapping Virtual To Internal System table, select the
new mapping, and choose the check-availability icon.
10. Go to the IAG subaccount and create a destination for the provisioning status update
virtual mapping.
Go to Connectivity, choose Destinations and the plus sign (+) to add a destination. Add
the destination. Enter the name as IAGProvisionStatusUpdate.
For the URL field, copy and paste the URL from the services configuration step as
follows:
Name*            IAGProvisionStatusUpdate
Type             HTTP
Description      /
URL*             http:<Virtual host:Virtual port>/sap/opu/odata/sap/IAG_PROVISION_STATUS_UPDATE_SRV
Authentication   BasicAuthentication
Location ID      /
User             RFCUSER
entity           Requests
serviceUrl       /
ACTVT 16
IAG_PROVISION_STATUS_UPDATE_SRV_0001
S_SERVICE
OData service (IWSV and IWSG)
Log in to GRC AC > SPRO > Governance, Risks and Compliance > Synchronization
Jobs and run the Repository Object Sync.
Log in to the IAG system > Job Scheduler and run the jobs below in the same order.
Now you can use GRC AC system to raise a request for Cloud Applications.
Conclusion
These steps complete the integration of SAP Access Control 12.0 (on-premise) to use
SAP Cloud Identity Access Governance as a bridge to facilitate creating access
requests and performing risk analysis for cloud applications. Please check
help.sap.com for SAP Cloud Identity Access Governance for a more detailed document on
how to integrate GRC with IAG.
References
IAG_SOD_AUTH error - https://me.sap.com/notes/0003279498