
Stable APIs for GRC 2010 - simulation function needed

Former Member
0 Kudos

Dear gurus,

I have an ABAP application I want to integrate with GRC 2010 (on the ABAP stack). I understand this is ramp-up and not all APIs are available yet, but need one which is pretty basic so was hoping it would exist with documentation and is released.

My intention:

1) The user with various authorizations already exists.

2) My application wants to generate an additional role for the user because they are missing some auths during testing of the roles.

3) Each authorization generated should call the GRC API to simulate whether this would cause an SOD for the user.

4) I will generate and assign anyway, but export those authorizations for which SOD warning messages were raised.

5) Messages are logged for rework / mitigation, but the role build and test can continue.

Is there any documented API with a stable interface for a function which returns message-based information for SODs which can be reacted to for an existing user and all their ABAP authorization object based auths AND a simulation of whether authorization data sent to it would produce an SOD?

Plan B would be to generate the role and simulate the assignment and return messages of which auths in the role caused the SOD.

I would expect that GRC is open minded enough to release such APIs to the ruleset, but if I am mistaken then "show stopper" answers are also appreciated as being a lesser evil...

Cheers,

Julius

Accepted Solutions (1)

Former Member
0 Kudos

Guess I found it:

FM GRAC_API_RISK_ANALYSIS

cheers

Markus

Former Member
0 Kudos

Thanks for the infos. Yes, with a role you can do the check here (although the FM is not documented, so you might have hassles to get the call working).

What I was looking for was an API to send raw authorization data (from trace, or SU53) to an API and work out the risks based on that data + the roles which already exist and are assigned.

I wanted it at the time of analysis of the problem (e.g. during testing).

As SAP does not provide an API for that, we were forced to go the route without GRC in that case and built our own relatively simple ruleset for low brainers and own APIs to it.

Real pity, because GRC would have been cool..  😞

Cheers,

Julius

Former Member
0 Kudos

Hi Julius,

Thanks for letting me know. At this point, I just needed to know if something exists. So if the client really wanted to integrate GRC to their existing solution, there would be at least an entry point.

Your solution sounds interesting, having your "own" API sounds tempting. I was already wondering how you guys do these checks in your solution.

Just out of curiosity: I'm not an ABAP developer (although some years of PL/SQL coding) so I might be wrong. But let's say this API works with passing on a role as an input parameter, it should be possible to put a role together with your raw data, pass it on to the API and delete it afterwards. Well I agree, not the most beautiful piece of code I've ever seen (and the target system is even altered) but it could work...

Cheers,

Markus

Former Member
0 Kudos

Unfortunately there is no entry point as API and SAP only supports GRC triggering the process or the role itself must exist and be generated already.

So we in the end were forced to create our own outbound API definitions and anyone with a ruleset who respects that can provide their API for it to call so that a runtime analysis is possible (and licensing the ruleset is more attractive to customers who might not have one yet).

It is not my intention to provide or support any rulesets myself - but 4 years down the line I am now officially giving up on trying to persuade SAP GRC that APIs can make GRC cooler, not less useless. So also closing this thread.

Cheers and all the best for 2015!

Julius

Answers (1)

Former Member
0 Kudos

Hi Julius,

If I correctly understood your query, you are trying to do SOD analysis and simulation of a user with roles assigned with your custom program.

I am not sure if GRC 10 will have an API for this...

However, the same functionality you can perform using GRC RAR 10.

Simulation is one of the key features of RAR; in an earlier version (4.0), the COMBINED ANALYSIS option was there.

I assume you can still do the same simulation in RAR 10.

Regards,

Surpreet Bal

Former Member
0 Kudos

Thanks Supreet,

I know that GRC can do an SOD check and also simulation of an SOD check "as if" the user had an additional role (which you want to assign but know in advance whether that will cause an SOD conflict). In its previous life on the ABAP stack it was known as "Risk Terminator". I am aware of the "old" /VIRSA/ function modules and the coding technique they used... but have some doubts that GRC 2010 still uses those or the same approach, which is why I am looking for a stable API.

My application makes the assumption that GRC is already installed and wants to generate a role for a user based on a test case they are executing. In my UI where the trace data is being analyzed, I want to add some intuitive highlighting and warnings for SOD conflicts which would happen if the role were generated and assigned.

At this point in time, the role does not actually exist yet so ideally I would want to send the API the authorization data and not just the role name. I could however for simplicity's sake generate the role anyway but need at least the API to tell me which authorizations in the role are causing the SoD conflict with the user's already existing authorizations.

I am very much hoping to find something like a BAPI_GRC_SIMULATE_SOD which is documented and stable and offers an import parameter with a structure something like this for the authorization data:

OBJECT                         CHARACTER       10
LFDNR                          NUMC            3
FIELD                          CHARACTER       10
LOW                            CHARACTER       40
HIGH                           CHARACTER       40
MODIFIER                       CHARACTER       12
MODDATE                        DATE
MODTIME                        TIME

... together with the user name of course, and then returns SOD warnings per OBJECT and LFDNR (which is just a sequential number for the authorization instance).

Of course it only works if GRC is installed....

Cheers,

Julius

Edited by: Julius Bussche on Jan 27, 2011 7:56 AM
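
The simulation described in the post above, as an added example that is not part of the thread and is not SAP GRC code: proposed authorization rows in the OBJECT / LFDNR / FIELD / LOW / HIGH layout are checked against a user's existing authorizations, and each (OBJECT, LFDNR) instance that would introduce a new SoD conflict is returned. The ruleset, function names and risk ID are constructed for illustration, and a function is assumed to be held as soon as any one of its listed values is granted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Auth:  # one row of the structure in the post (MODIFIER/MODDATE/MODTIME omitted)
    object: str
    lfdnr: int   # sequential number of the authorization instance
    field: str
    low: str
    high: str = ""

# Constructed ruleset (assumption): function -> (object, field, value) triggers.
FUNCTIONS = {
    "MAINTAIN_VENDOR": [("S_TCODE", "TCD", "FK01"), ("S_TCODE", "TCD", "FK02")],
    "POST_PAYMENT": [("S_TCODE", "TCD", "F-53")],
}
# Constructed risk (assumption): holding both functions is an SoD conflict.
RISKS = {"RISK_P001": ("MAINTAIN_VENDOR", "POST_PAYMENT")}

def grants(auth, obj, field, value):
    """True if the row covers value: LOW..HIGH range, trailing '*', or exact."""
    if (auth.object, auth.field) != (obj, field):
        return False
    if auth.high:
        return auth.low <= value <= auth.high
    if auth.low.endswith("*"):
        return value.startswith(auth.low[:-1])
    return auth.low == value

def functions_of(auth):
    return {name for name, perms in FUNCTIONS.items()
            if any(grants(auth, *p) for p in perms)}

def simulate_sod(existing, proposed):
    """Return sorted (OBJECT, LFDNR, risk) for proposed instances adding a new conflict."""
    held = set().union(*(functions_of(a) for a in existing))
    added = {}
    for a in proposed:  # rows of one instance share (OBJECT, LFDNR)
        added.setdefault((a.object, a.lfdnr), set()).update(functions_of(a))
    after = held.union(*added.values())
    findings = []
    for risk, pair in RISKS.items():
        pair = set(pair)
        if pair <= after and not pair <= held:  # conflict exists only after assignment
            findings += [(obj, nr, risk) for (obj, nr), fns in added.items()
                         if fns & (pair - held)]  # instance supplies a missing function
    return sorted(findings)
```

Conflicts the user already has before the assignment are deliberately not reported, so the result lists only what the new role would add.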

Former Member
0 Kudos

Dear Julius

I know the thread is a bit older, but I'm curious if you found a solution to your problem in the meantime. I'm also looking for a BAPI or function module which can be used to perform an SOD check on the ABAP stack.

Ideally, the input value is either a role (or something like your defined structure) and the return value is not only a boolean, but a structure like an array of SOD risks and roles involved. Basically a simplified report.

Any help on this matter would be highly appreciated.

Cheers, Markus