Manual Provisioning of Non-SAP Roles Using SAP Access Control

  • by Kavitha Nareshetty, SAP GRC Security Senior Consultant (Lead), Capgemini
  • May 22, 2014
SAP Professional Journal
Learn how to minimize multiple access requests by configuring SAP Access Control so that you can manually provision access for non-SAP applications.
Learning Objectives

By reading this article, you will learn how to:

  • Enable the manual provisioning process for non-SAP systems
  • Configure file path settings
  • Configure SPRO settings
  • Set up role uploads
Key Concept
Transaction code SPRO is used for setting up SAP Access Control configuration settings. You execute SPRO to integrate non-SAP Remote Function Call (RFC) connections with the logical file path and the physical file name in SAP Access Control.

Automated provisioning of SAP access is one of the core functionalities of SAP Access Control 10.0. However, manual provisioning of non-SAP access can be enabled in SAP Access Control 10.0 without any integration with SAP or non-SAP identity management solutions. The manual provisioning feature enables tracking of approvals for non-SAP application access requests, leading to compliance with enterprise-wide access request processes.

To configure SAP Access Control 10.0 to enable the manual provisioning process for non-SAP applications, you need to complete three steps:

  1. Configure file path settings
  2. Configure SPRO settings
  3. Set up the role upload process

Configure File Path Settings

Synchronizing non-SAP roles into SAP Access Control 10.0 is a key task in enabling manual provisioning. Non-SAP roles are loaded into SAP Access Control through upload files. Execute transaction code FILE to define parameters as part of a one-time setup task.

The first step is to set up the logical file path, which defines the file names and the file path required for uploading the data into the SAP GRC system. Log on to the SAP GRC system and execute transaction code FILE. After you click the Logical File Path Definition folder, the screen displays a list of all the existing file names (Figure 1). To create a new file name, click the New Entries button and enter the file path technical name and a description. Use the SAP custom naming convention Z to define the role, role-action, and role-action permission files.

Figure 1
Logical file paths

Kavitha Nareshetty

Kavitha Nareshetty is a subject matter expert in implementing security solutions in ECC, BW, Business Objects, GRC, HANA, HR, Portal, and Audit Controls. She has extensive experience in all facets of designing, building, testing, implementing, and supporting complex security architecture within SAP systems. She has worked on implementing security solutions at various industry verticals. She holds a Stanford Certified Project Manager credential from Stanford University.
