1.2 How It Works

The SAP Business Logic driver works differently with each driver it interacts with.

1.2.1 How it Works with the SAP HR Driver

Traditionally, the SAP HR driver sends the user records through IDocs on the Publisher channel. The users are created in a container in the Identity Vault. Changes in the Identity Vault are sent to the SAP HR system through the Subscriber channel, and changes in the SAP HR system are sent through the Publisher channel. Figure 1-1 shows how the SAP HR driver works without the SAP Business Logic driver.

Figure 1-1 SAP HR Driver with a Flat File Structure

The Identity Vault can store user records in a flat structure or in an organizational structure. The SAP Business Logic driver is used in conjunction with the SAP HR driver to manage the organizational structure. Figure 1-2 displays this structure in SAP.

The SAP HR organizational structure creates a structured hierarchy to manage SAP relationships. It also has chief and non-chief roles, which means a user record can be connected to another record indirectly. The linking does not need to follow the child/parent relationship.

The SAP HR driver takes the raw data from the SAP HR system and synchronizes that information to the Identity Vault. The SAP Business Logic driver is linked to the SAP HR driver through a GCV on the SAP HR driver. The data is sent through the SAP Business Logic driver.

The SAP Business Logic driver receives the data from the SAP HR driver and creates the same organizational structure that exists in the SAP HR system in the Identity Vault under the SAP HR driver object.

If there are changes in the Identity Vault, that information is sent back to the SAP HR system through the SAP HR driver.

Figure 1-2 SAP Business Logic Driver with the SAP HR Driver

1.2.2 How It Works with the SAP GRC Access Control Driver

The GRC Access Control system is an asynchronous system, in contrast to Identity Manager, which is a synchronous system. This means that when a request is sent to the GRC Access Control system from the SAP GRC Access Control driver, the request can be processed immediately or it can be processed at some time in the future.

For Identity Manager to work correctly, it must know what the status of the request is. The SAP Business Logic driver is used with the SAP GRC Access Control driver to provide a way to track the status of each request. The SAP Business Logic driver acts like a timer. Figure 1-3 illustrates this interaction.

Following the diagram is an explanation of how the SAP GRC Access Control driver works with the SAP Business Logic driver.

Figure 1-3 The SAP Business Logic Driver and the SAP GRC Access Control Driver

  1. A role is assigned to a user in the Identity Vault through the Roles Based Provisioning Module.

  2. Because the role that is assigned is associated with a GRC Access Control entitlement, the GRC Access Control entitlement is granted.

  3. The GRC Access Control entitlement causes the SAP GRC Access Control driver to submit a request to the GRC Access Control system.

  4. When a request is successfully submitted to the GRC Access Control system by the SAP GRC Access Control driver, the SAP Access Control driver creates a Work Order object.

  5. The SAP Business Logic driver detects that the Work Order object is created, then creates a Work To Do object. The Work To Do object contains the request number and the status of the request. The Work To Do object exists until the request to the GRC Access Control system is completed.

  6. The SAP Business Logic driver checks the status of the request. One of three things can occur, depending upon the status of the request:

    • If the status is closed, the Work Order object remains and the GRC Access Control entitlement is updated with the results of the request.

    • If the status is rejected, the Work Order object remains and the GRC Access Control entitlement is updated with the results of the request.

    • If the status is something other than closed or rejected, the Work Order object is rescheduled.
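
The status-tracking loop in steps 4 through 6 can be modeled as a small simulation. This is an added example, not code from the drivers: the Vault class, the function names, the "pending" and "submitted" statuses, the tick-based schedule and the request numbers are all assumptions, and the entitlement result is reduced to the final status string.

```python
from dataclasses import dataclass, field

FINAL = {"closed", "rejected"}  # the two statuses the text treats as complete

@dataclass
class Vault:  # hypothetical stand-in for the Identity Vault objects involved
    work_orders: dict = field(default_factory=dict)   # request no. -> next due tick
    work_to_do: dict = field(default_factory=dict)    # request no. -> last seen status
    entitlements: dict = field(default_factory=dict)  # request no. -> recorded result

def submit(vault, request_no, now, delay):
    """Step 4: a successful submit leaves a Work Order behind."""
    vault.work_orders[request_no] = now + delay

def track_new_orders(vault):
    """Step 5: one Work To Do per Work Order that is not yet tracked or finished."""
    for req in vault.work_orders:
        if req not in vault.work_to_do and req not in vault.entitlements:
            vault.work_to_do[req] = "submitted"  # constructed initial status

def check_due(vault, grc_status, now, delay):
    """Step 6: query the status of every request whose Work Order is due."""
    for req in list(vault.work_to_do):
        if vault.work_orders[req] > now:
            continue
        status = grc_status(req, now)
        vault.work_to_do[req] = status
        if status in FINAL:
            vault.entitlements[req] = status  # entitlement gets the result
            del vault.work_to_do[req]         # Work To Do ends; Work Order remains
        else:
            vault.work_orders[req] = now + delay  # any other status: reschedule

def simulate(timeline, ticks, delay=2):
    """timeline (constructed): request no. -> (tick it completes, final status)."""
    def grc_status(req, now):
        done_at, final = timeline[req]
        return final if now >= done_at else "pending"
    vault = Vault()
    for req in timeline:
        submit(vault, req, now=0, delay=delay)
    track_new_orders(vault)
    for now in range(ticks + 1):
        check_due(vault, grc_status, now, delay)
    return vault

if __name__ == "__main__":
    v = simulate({"REQ-1": (3, "closed"), "REQ-2": (5, "rejected"), "REQ-3": (99, "closed")}, ticks=8)
    print(v.entitlements, v.work_to_do, v.work_orders)
```

A request that never reaches closed or rejected, like REQ-3 here, keeps its Work To Do object and is rescheduled on every check.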