Skip to Content

Create SU01 Record for Approvers in GRC based on A.D. LDAP Group

Hello Community,

I have another question that will hopefully get more responses then my last. :)

I have completed the configuration of my GRC 10.1 SP16 system and can provision/de-provision users and roles into my back end systems.

This was an move from GRC 5.3 to 10.1.

In our 5.3 system we had an AD group call GRC_APPROVERS that users were assigned, and because 5.3 was a portal system we were able to associate the UME rights for approving roles/users/controls through there.

Now that 10.1 is ABAP and the user needs to have an SU01 record with the appropriate roles assigned, I need to come up with a way to trigger the provisioning of a users record into the backend GRC system with all of the appropriate approver roles.

I was able to get ALL users into the backend system using the RSLDAPSYNC_USER sync (though for some reason it will only update the users last name and no other fields).

Is there a way to run this program to only create users in the appropriate AD group?

Or is there some other documentation on how to create a provisioning role that sees the AD group and triggers a GRC workflow that creates the users account in GRC and assigns all appropriate roles.

Thank you for your time in reading and hopefully responding to this.

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

1 Answer

  • Sep 14, 2017 at 08:24 PM

    I've used RSLDAPSYNC_USER to create ALL users in AD in GRC. This program can be used to not only create the users (look at LDAPMAP to map SU01 fields to AD attributes), but also assign a security role.

    We use Manager as an approver and since we can't predict who will be a requestor, we have no way to predict who will be a manager. So our approach is to create everyone in GRC just like 5.3 allowed mapping to security group = everyone.

    Hope that helps.

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Daryl,

      If you can share any documentation regarding this that would be great.

      I have executed the LDAP sync program to bring all the users from AD,but I want to create them in GRC system with basic + access requestor access,can you please let me know how can we achieve this?