Configuring Risk Analysis workflow extension

This workflow extension allows IBM® Security Identity Manager to send a risk analysis request for a specific access request ID to SAP GRC Access Control 10.0 and 10.1.

About this task

The risk analysis result is recorded by the IBM Security Identity Manager workflow as a string output parameter named "riskDetail". Each risk returned from SAP GRC Access Control is introduced by a '#' character. A risk consists of a number of name-value pairs, separated from each other by a '|' character. The risk name and its value are separated by a ':' character. If the value is multi-valued, the set of values is enclosed in '[ ]' characters and each value in the set is separated by a ',' character.

An example of the riskDetail returned to IBM Security Identity Manager workflow looks like:

#Risk Number:1|Risk Id:B009|Risk Description:Basis Table Maintenance & System Administration|Risk Level:High|System Name:GC7CLNT001|User Id:AC102509|Role List:[SAP_XI_ADMINISTRATOR_ABAP, SAP_XI_CONFIGURATOR, SAP_XI_BPE_ADMINISTRATOR_ABAP, SAP_XI_ADMINISTRATOR]|Action List:[SXMB_ADM, SM30, SM12, SXMB_ADM_BPE, SM59]|

If necessary, the output parameter can be parsed in the IBM Security Identity Manager workflow to catch risk violations detected by SAP GRC Access Control 10.0 and 10.1. How to parse the riskDetail output parameter is beyond the scope of this guide.
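The following parser is an added example, not code from the IBM guide or from the SAP GRC Access Control adapter. It takes a riskDetail string in the format described above, splits it into risk objects, and picks out the risks whose Risk Level a workflow would want to block on. It is written in ES5-style JavaScript so that the same logic could be carried into an ISIM workflow script, but it runs as plain stand-alone JavaScript; reading riskDetail out of workflow relevant data is not shown. The sample input is the guide's own example risk plus a second, constructed Medium risk (the risk id X001 is made up); the level names passed to findBlockingRisks are the caller's choice, not a list from the product.

```javascript
// Added example (not the IBM guide's code): parse the riskDetail string written back by the
// SAPGRC10RiskAnalysisRequest extension and select the risks a workflow should block on.

// riskDetail built from the guide's own example (one High risk) plus a second,
// constructed Medium risk (risk id X001 is made up) to show filtering.
var SAMPLE_RISK_DETAIL =
  '#Risk Number:1|Risk Id:B009|Risk Description:Basis Table Maintenance & System Administration|' +
  'Risk Level:High|System Name:GC7CLNT001|User Id:AC102509|' +
  'Role List:[SAP_XI_ADMINISTRATOR_ABAP, SAP_XI_CONFIGURATOR, SAP_XI_BPE_ADMINISTRATOR_ABAP, SAP_XI_ADMINISTRATOR]|' +
  'Action List:[SXMB_ADM, SM30, SM12, SXMB_ADM_BPE, SM59]|' +
  '#Risk Number:2|Risk Id:X001|Risk Description:Constructed medium risk|' +
  'Risk Level:Medium|System Name:GC7CLNT001|User Id:AC102509|' +
  'Role List:[ROLE_A]|Action List:[]|';

// Parse one field value. A value wrapped in [ ] is a multi-valued set split on ','.
function parseValue(raw) {
  var value = raw.trim();
  if (value.charAt(0) === '[' && value.charAt(value.length - 1) === ']') {
    var inner = value.slice(1, -1).trim();
    if (inner === '') return [];
    return inner.split(',').map(function (v) { return v.trim(); });
  }
  return value;
}

// Parse one risk record ('|'-separated name:value pairs) into an object keyed by name.
function parseRisk(record) {
  var risk = {};
  record.split('|').forEach(function (field) {
    field = field.trim();
    if (field === '') return;        // the trailing '|' yields an empty field
    var sep = field.indexOf(':');    // split on the FIRST ':' only; a description may contain ':'
    if (sep < 0) return;             // no separator: not a name-value pair, skip it
    risk[field.slice(0, sep).trim()] = parseValue(field.slice(sep + 1));
  });
  return risk;
}

// Parse the whole riskDetail string: each '#' introduces one risk.
function parseRiskDetail(riskDetail) {
  if (!riskDetail) return [];
  return riskDetail.split('#')
    .map(function (r) { return r.trim(); })
    .filter(function (r) { return r !== ''; })
    .map(parseRisk);
}

// Return the risks whose Risk Level is one of blockingLevels (compared case-insensitively).
function findBlockingRisks(riskDetail, blockingLevels) {
  var wanted = blockingLevels.map(function (l) { return l.toUpperCase(); });
  return parseRiskDetail(riskDetail).filter(function (risk) {
    var level = risk['Risk Level'];
    return typeof level === 'string' && wanted.indexOf(level.toUpperCase()) >= 0;
  });
}

// One-line summary of a risk, e.g. for a workflow log entry or a rejection message.
function describeRisk(risk) {
  var actions = Array.isArray(risk['Action List']) ? risk['Action List'].join(',') : '';
  return risk['Risk Id'] + ' (' + risk['Risk Level'] + ') on ' + risk['System Name'] +
    ' for ' + risk['User Id'] + ': ' + risk['Risk Description'] +
    (actions ? ' [' + actions + ']' : '');
}

// Stand-alone run: print the risks that would block the account creation.
findBlockingRisks(SAMPLE_RISK_DETAIL, ['High']).forEach(function (risk) {
  console.log('BLOCK: ' + describeRisk(risk));
});
```

Two caveats for anyone wiring this into a workflow. The format as described has no escaping, so a Risk Description that itself contains '|', ',' or '#' cannot be told apart from a delimiter; the parser above skips fields without a ':' rather than guessing, and a workflow should fail closed (treat a record with no parseable Risk Level as a violation) instead of assuming the string was clean. Also, the transitions in the procedure below branch on activity.resultSummary, not on the content of riskDetail; parsing riskDetail is only needed if the workflow wants to act on individual risks rather than on the overall success of the request.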

Define Risk Analysis workflow extensions for the existing SAP GRC NetWeaver account type.

Procedure

  1. Log on to IBM Security Identity Manager.
    1. Select Configure System > Manager Operations.
    2. For the Operation Level, select Entity level.
    3. Select Account as the Entity type.
    4. Select SAP GRC NetWeaver Account as the type of account to be configured with the SAP GRC Access Control workflow extension.
  2. Click the Add button to create an add operation if it does not already exist.
    The operation diagram is displayed. Make the same changes as those shown in the following screen capture.
  3. Remove the transition line from the GRC_ADD extension node to the CREATEACCOUNT extension node.
  4. Add a new extension node between GRC_ADD and CREATEACCOUNT.
  5. Double-click on the new Extension node.
    A pop-up window displays all the extensions registered using workflowextensions.xml.
  6. Select the Extension Name as SAPGRC10RiskAnalysisRequest and fill in the Activity ID with GRC_RiskAnalysis. Set the Activity Name to GRC RiskAnalysis.
  7. Select OR for the Split Type.
    1. For account, click Search Relevant Data to specify account as the Relevant Data ID value.
    2. For service, click Search Relevant Data to specify service as the Relevant Data ID value.
    3. Under Output Parameters, enter result in the ID field. Ensure that Type is set to String and leave Default Value blank.
    4. Click OK.
    5. Select Search Relevant Data to specify result as a value for Relevant Data ID and click OK.
  8. Click OK and attach the transitions to the newly-added extension.
  9. Click the Properties button.
  10. Click the Add button next to Relevant Data.
  11. Create a new reqid Relevant Data. Enter reqid in the ID field.
    Ensure that the Type is String and leave Default Value as blank. Click OK to finish.
  12. Create a new riskDetail Relevant Data. Enter riskDetail in the ID field.
    Ensure that the Type is String and leave Default Value as blank. Click OK to finish.
  13. Double-click on the transition connecting the newly-added extension to the CREATEACCOUNT extension node and key in the condition activity.resultSummary=="SS". Name the transition "approved". Click OK to close the transition properties window.
  14. Double-click on the transition connecting the newly-added extension to the END node and key in the condition activity.resultSummary!="SS". Name the transition "rejected". Click OK to close the transition properties window.
  15. Click Update and then click OK to close the Operations window.
  16. Repeat Steps 2 to 14 above for any other operation to which risk analysis applies.