1.2 How It Works

The SAP GRC Access Control driver works in two different scenarios. Use the scenario that works best for your environment.

1.2.1 Subscriber Channel

The GRC Access Control system is an asynchronous system, and Identity Manager is a synchronous system. This means when a request is sent to the GRC Access Control system from the SAP GRC Access Control driver, that request can be processed immediately or it can be processed at some time in the future.

For Identity Manager to work correctly, it must know what the status of the request is. The SAP Business Logic driver is used with the SAP GRC Access Control driver to provide a way to track the status of each request. The SAP Business Logic driver acts like a timer.

Following the diagram is an explanation of how the SAP GRC Access Control driver works with the SAP Business Logic driver.

Figure 1-1 Subscriber Channel

  1. A role is assigned to a user in the Identity Vault through the Roles Based Provisioning Module.

  2. Because the role that is assigned is associated with a GRC Access Control entitlement, the GRC Access Control entitlement is granted.

  3. The GRC Access Control entitlement causes the SAP GRC Access Control driver to submit a request to the GRC Access Control system.

  4. When a request is successfully submitted to the GRC Access Control system by the SAP GRC Access Control driver, the SAP GRC Access Control driver creates a Work Order object.

  5. The SAP Business Logic driver detects that the Work Order object has been created, then creates a Work To Do object. The Work To Do object contains the request number and the status of the request. The Work To Do object exists until the request to the GRC Access Control system is completed.

  6. The SAP Business Logic driver checks the status of the request. One of three things can occur, depending upon the status of the request:

    • If the status is closed, the Work Order object remains and the GRC Access Control entitlement is updated with the results of the request.

    • If the status is rejected, the Work Order object remains and the GRC Access Control entitlement is updated with the results of the request.

    • If the status is something other than closed or rejected, the Work Order object is rescheduled.
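
The tracking loop in steps 4 through 6, as an added toy model that is not Identity Manager or driver code. The class and field names, the request numbers, and the "pending" and "submitted" statuses are assumptions made for illustration.

```python
# Added illustration: a toy model of the Subscriber channel tracking loop.
# All names here are hypothetical; none are Identity Manager or GRC APIs.
from dataclasses import dataclass, field

TERMINAL = {"closed", "rejected"}  # the two statuses the page treats as final


@dataclass
class Tracker:
    grc_status: dict  # request number -> statuses GRC reports, one per poll (constructed)
    work_orders: dict = field(default_factory=dict)  # request number -> times rescheduled
    work_to_do: dict = field(default_factory=dict)   # request number -> last seen status
    entitlement_result: dict = field(default_factory=dict)

    def submit(self, request_no):
        """Steps 4-5: a Work Order is created, then a Work To Do object for it."""
        self.work_orders[request_no] = 0
        self.work_to_do[request_no] = "submitted"

    def poll(self):
        """Step 6: check every outstanding request once."""
        for request_no in list(self.work_to_do):
            replies = self.grc_status[request_no]
            # The last scripted reply repeats for all later polls.
            status = replies.pop(0) if len(replies) > 1 else replies[0]
            if status in TERMINAL:
                # Work Order remains; entitlement gets the result; Work To Do ends.
                self.entitlement_result[request_no] = status
                del self.work_to_do[request_no]
            else:
                # Any other status: reschedule the Work Order and keep tracking.
                self.work_orders[request_no] += 1
                self.work_to_do[request_no] = status


def run(polls=4):
    # Constructed sample data: three requests with different GRC outcomes.
    t = Tracker({
        "REQ-1": ["closed"],
        "REQ-2": ["pending", "pending", "rejected"],
        "REQ-3": ["pending"],  # never reaches a final status
    })
    for request_no in ("REQ-1", "REQ-2", "REQ-3"):
        t.submit(request_no)
    for _ in range(polls):
        t.poll()
    return t


if __name__ == "__main__":
    print(run())
```

In this model REQ-3 never reaches closed or rejected, so its Work To Do object persists and its Work Order is rescheduled on every poll.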

1.2.2 Publisher Channel

The Publisher channel on the SAP GRC Access Control driver receives SPML requests from the GRC Access Control system.

Figure 1-2 Publisher Channel

The driver has an SPML listener and waits to receive SPML requests from the GRC Access Control system. When the driver receives an SPML request, it acts on that request in the Identity Vault. The driver can create, modify, or delete a user object in the Identity Vault.

Every time a request comes through the driver, a request object is created under the SAP GRC Access Control driver in the Identity Vault. These objects store the status of the request from the GRC Access Control system. At any time, the GRC Access Control system can query Identity Manager to find out the status of a request it sent to the SAP GRC Access Control driver.

These request objects are persistent. When you configure the driver for this scenario, you must also plan on managing these objects. These objects are stored under the driver object.