
API Specification for ITSM Interface

Using Greenlight Enterprise Integration System

Greenlight Technologies, Inc.

info@greenlightcorp.com | +1-908-782-5700 | 270 S. Main Street Flemington, NJ 08822


www.greenlightcorp.com
SailPoint – Greenlight Integration Pre-requisites

Copyright Notice

©2004-2020 Greenlight Technologies, Inc. All Rights Reserved.

The information in this document is provided for informational purposes only, is subject to change without
notice, and should not be construed as a commitment by Greenlight Technologies, Inc. Greenlight
Technologies, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in
this book.

Except as permitted by license, no part of this document may be reproduced, stored in a retrieval system,
or transmitted, in any form or by any means – electronic, mechanical, recording, or otherwise – without
the prior written permission of Greenlight Technologies, Inc.
Printed in the U.S.A.

CAUTION
This document contains proprietary, confidential information that is the exclusive property of Greenlight
Technologies, Inc. If you do not have a valid contract with Greenlight Technologies for the use of this
document, or have not signed a non-disclosure agreement with Greenlight Technologies, then you
received this document in an unauthorized manner and are not legally entitled to possess or read it.
Use, duplication, and disclosure are subject to restrictions stated in your contract with Greenlight
Technologies, Inc. Use, duplication, and disclosure by the Government are subject to restrictions for
commercial software and shall be deemed to be Restricted Rights software under Federal Law.

Revision History

Release Version Release Date Description

<<Version Number>> <<DD.MM.YYYY>> <<Content to be added>>

<<Version Number>> <<DD.MM.YYYY>> <<Content to be added>>

<<Version Number>> <<DD.MM.YYYY>> <<Content to be added>>

Approvals

Role Name Title Date

Table of Contents
Objective

Overview

Services Details for ServiceNow ITSM, SailPoint IdentityIQ with SAP Access Control
v5.3,10.0,10.1,12

Output Parameter: com.greenlight.wrappers.output.ACAuditLogResult

Miscellaneous Production Functions
SOD Module
Operating Environment
Design and Implementation Constraints
Assumptions and Dependencies
Identity Master
Repo Sync Job
Authentication in Greenlight EBCP
Business Risks

Prerequisites

Appendix
List of Acronyms
Related Documents

Objective

This document provides the technical details of all the available GL Services for integrating ITSM/IDM
solutions with SAP GRC using Greenlight Enterprise Integration System, an EBCP service.

Overview

Greenlight EIS, the integration insight and controls automation engine, provides integration to business
applications and collects and correlates all relevant user access data, including application identities,
groups, roles, profiles, specific authorizations and specific activities/actions within applications. The
platform then normalizes disparate application security models, breaking down policy silos, to provide
a unified view of user access risks and transactional activities across multiple applications and business
processes.

Greenlight EIS transforms cryptic security information into actionable analytics. It gives business
users information in a context they can understand, relevant to the users they manage and the
processes they oversee, along with the continuous controls automation to see where risks are
occurring and the insight to respond properly to conditions that introduce risk to the
organization.

EIS also provides integration services between Non-ABAP, Non-SAP applications and SAP GRC. The
services are also extended to IDM solutions to seamlessly integrate with the compliance capabilities
from SAP GRC.

Services Details for ServiceNow ITSM, SailPoint IdentityIQ with SAP Access Control
v5.3,10.0,10.1,12

WS Interface Name: GL_SAPGRC_IDM_INBOUND

Operation Name: GET_SAPGRC_AC_APPLICATION


Input Parameter: com.greenlight.wrappers.input.SelectApplication

Description: This operation returns system-related details: system ID, system category and system type.

SelectApplication
Type Name Mandatory Sample Data
String systemType N PROD
String applicationType N
String Locale N EN

Output Parameter: com.greenlight.wrappers.output.SystemSelectionResult

SystemSelectionResult
Type Name
com.greenlight.wrappers.output.ArrayOfSystemDatas systems
com.greenlight.wrappers.output.ServiceStatusDTO status

ArrayOfSystemDatas
com.greenlight.wrappers.output.SystemData[ ] systemData

SystemData
java.lang.String Description
java.lang.String systemCategory
java.lang.String systemId
java.lang.String systemType

ServiceStatusDTO
java.lang.String msgCode
java.lang.String msgDesc
java.lang.String msgType

Operation Name: GET_SAPGRC_AC_ROLES


Input Parameter: com.greenlight.wrappers.input.SearchRole

Description: This operation returns the roles related to the application, with details such as role
name, description, lead owner and type.

SearchRole
Type Name Mandatory Sample Data
String Application N SAPIDES18
String accessType N ROLES
String businessProcess N
String subProcess N
String Role N
String roleDesc N
String functionalArea N
String Company N
String transactionCode N
String userId N
String Locale N EN
int hitCount N 10

Output Parameter: com.greenlight.wrappers.output.SearchRolesResult


SearchRolesResult
Type Name
com.greenlight.wrappers.output.ArrayofRolesDTO1 rolesDTO
com.greenlight.wrappers.output.ServiceStatusDTO Status

ArrayofRolesDTO1
com.greenlight.wrappers.output.RolesDTO[] rolesDTO

RolesDTO
java.lang.String Application
java.lang.String leadOwner
java.lang.String roleDescription
java.lang.String roleName
java.lang.String roleType
java.lang.String validFrom
java.lang.String validTo

ServiceStatusDTO
java.lang.String msgCode
java.lang.String msgDesc
java.lang.String msgType

Operation Name: GET_SAPGRC_AC_ROLEDETAILS


Input Parameter: com.greenlight.wrappers.input.RoleDetails

Description: This operation returns the details of the specified role, such as role name, description,
system and critical level.

RoleDetails
Type Name Mandatory Sample Data
String roleName N Z_TRUST
String System N SAPIDES18
String Locale N EN

Output Parameter: com.greenlight.wrappers.output.RoleDetailsResult[]

RoleDetailsResult
Type Name
java.lang.String businessProcess
java.lang.String businessProcessDesc
com.greenlight.wrappers.output.CompanyResultDTO[] companyResultDTO
java.lang.String criticalLevel
java.lang.String detailDesc
com.greenlight.wrappers.output.FACMPRoleApproverResultDTO[] facmpRoleApproverResultDTO
com.greenlight.wrappers.output.FunctionalAreaResultDTO[] functionalAreaResultDTO
java.lang.String lastReaffirmDate
java.lang.String reaffirmPeriod
com.greenlight.wrappers.output.RoleApproverResultDTO[] roleApprResultDTO
java.lang.String roleDesc
java.lang.String roleName
java.lang.String roleType
com.greenlight.wrappers.output.ServiceStatusDTO status
java.lang.String subProcess
java.lang.String subProcessDesc
com.greenlight.wrappers.output.SystemResultDTO[] systemResultDTO
com.greenlight.wrappers.output.TCodeResultDTO[] transactionCodeResultDTO

CompanyResultDTO
java.lang.String company

FACMPRoleApproverResultDTO
java.lang.String company
java.lang.String companyId
java.lang.String funcArea
java.lang.String functionalArea
com.greenlight.wrappers.output.RoleApprResultDTO[] roleAprv

RoleApprResultDTO
java.lang.String alternateApprover
java.lang.String roleApprover

FunctionalAreaResultDTO
java.lang.String functionalArea

RoleApproverResultDTO
java.lang.String roleAltApproverId
java.lang.String roleAltApproverName
int roleAltApproverType
java.lang.String roleApproverId
java.lang.String roleApproverName
int roleApproverType
java.lang.String roleProfName

ServiceStatusDTO
java.lang.String msgCode
java.lang.String msgDesc
java.lang.String msgType

SystemResultDTO
java.lang.String actualDate
java.lang.String Client
int Days
int months
java.lang.String roleStatus
java.lang.String sysId
java.lang.String system
java.lang.String validityType
int Years

TCodeResultDTO
java.lang.String riskId
java.lang.String roleDesc
java.lang.String Tcode
java.lang.String tcodeDesc

Operation Name: SET_SAPGRC_AC_REQUEST


Input Parameter: com.greenlight.wrappers.input.RequestDetailsData

Description: This operation is used to submit a request to SAPGRC.

RequestDetailsData
Type Name
com.greenlight.wrappers.input.RequestDetailsData requestDetails

RequestDetailsData
Type Name Mandatory Sample Data
java.lang.String application Y SAPIDES18
java.lang.String company N
com.greenlight.wrappers.input.CustomFieldsDTO[] customField Y
java.lang.String department N
java.lang.String emailAddress Y mandar.deshmukh@greenlightcorp.net
java.lang.String employeeType N
java.lang.String firstName Y Mandar
java.lang.String functionalArea N
java.lang.String lastName Y Deshmukh
java.lang.String Locale N EN
java.lang.String location N
java.lang.String managerTelephone N
java.lang.String mgrEmailAddress N
java.lang.String mgrFirstName N
java.lang.String mgrId N
java.lang.String mgrLastName N
java.lang.String priority Y HI
java.lang.String requestReason N
java.lang.String requestType Y LASERFOCUS
java.lang.String requestorEmailAddress Y mandar.deshmukh@greenlightcorp.net
java.lang.String requestorFirstName Y Mandar
java.lang.String requestorId Y SAPUSER
java.lang.String requestorLastName Y Deshmukh
java.lang.String requestorTelephone N
com.greenlight.wrappers.input.RoleData[] Roles Y
java.lang.String sNCName N
java.lang.String telephone N
java.lang.Boolean unsecureLogon N FALSE
java.lang.String userId Y
java.util.Calendar validFrom N 2011-08-19T04:30:28.844Z
java.util.Calendar validTo N

CustomFieldsDTO
Type Name Mandatory Sample Data
java.lang.String name Y SYSTEMID
java.lang.String value Y SAPIDES18

RoleData
Type Name Mandatory Sample Data
java.lang.String Action N
java.lang.String Comments N
java.lang.String Company N
java.lang.String roleId Y Z_TRUST
java.lang.String sysId Y SAPIDES18
java.util.Calendar validFrom N
java.util.Calendar validTo N

Output Parameter: com.greenlight.wrappers.output.RequestSubmissionResult

RequestSubmissionResult
Type Name
java.lang.String requestNo
com.greenlight.wrappers.output.ServiceStatusDTO Status

ServiceStatusDTO
java.lang.String msgCode
java.lang.String msgDesc
java.lang.String msgType
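
A pre-submission check for the SET_SAPGRC_AC_REQUEST payload, added here as an example and not part of Greenlight's code: it enforces the Mandatory column of the RequestDetailsData, CustomFieldsDTO and RoleData tables before a request is sent. Representing the payload as a Python dict, the function names and the strict timestamp format (taken from the validFrom sample value) are assumptions.

```python
from datetime import datetime

# Fields marked "Y" in the Mandatory column of the tables on this page.
REQUEST_MANDATORY = (
    "application", "customField", "emailAddress", "firstName", "lastName",
    "priority", "requestType", "requestorEmailAddress", "requestorFirstName",
    "requestorId", "requestorLastName", "Roles", "userId",
)
NESTED_MANDATORY = {"customField": ("name", "value"), "Roles": ("roleId", "sysId")}
CALENDAR_FIELDS = ("validFrom", "validTo")  # optional java.util.Calendar fields


def _blank(value):
    """Missing, None, whitespace-only strings and empty lists all count as absent."""
    return value is None or value in ([], ()) or (isinstance(value, str) and not value.strip())


def _check_calendar(obj, path, errors):
    """When present, a Calendar field must match the page's sample timestamp format."""
    for field in CALENDAR_FIELDS:
        value = obj.get(field)
        if _blank(value):
            continue
        try:
            datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
        except (TypeError, ValueError):
            errors.append(f"{path}{field}: expected a timestamp like 2011-08-19T04:30:28.844Z")


def validate_request(details):
    """Return a list of problems; an empty list means the payload can be submitted."""
    errors = []
    for field in REQUEST_MANDATORY:
        if _blank(details.get(field)):
            errors.append(f"{field}: mandatory field is missing or empty")
    _check_calendar(details, "", errors)
    for key, mandatory in NESTED_MANDATORY.items():
        entries = details.get(key)
        if _blank(entries):
            continue  # already reported by the mandatory-field loop
        if not isinstance(entries, (list, tuple)):
            errors.append(f"{key}: expected a list of entries")
            continue
        for i, entry in enumerate(entries):
            if not isinstance(entry, dict):
                errors.append(f"{key}[{i}]: expected an object")
                continue
            for field in mandatory:
                if _blank(entry.get(field)):
                    errors.append(f"{key}[{i}].{field}: mandatory field is missing or empty")
            _check_calendar(entry, f"{key}[{i}].", errors)
    return errors


# Constructed sample payload; values reuse the Sample Data column where it has one.
SAMPLE_REQUEST = {
    "application": "SAPIDES18", "priority": "HI", "requestType": "LASERFOCUS",
    "userId": "JDOE", "firstName": "Jane", "lastName": "Doe",
    "emailAddress": "jane.doe@example.com", "requestorId": "SAPUSER",
    "requestorFirstName": "Jane", "requestorLastName": "Doe",
    "requestorEmailAddress": "jane.doe@example.com", "validFrom": "2011-08-19T04:30:28.844Z",
    "customField": [{"name": "SYSTEMID", "value": "SAPIDES18"}],
    "Roles": [{"roleId": "Z_TRUST", "sysId": "SAPIDES18"}],
}
```

Rejecting an incomplete payload on the caller's side keeps malformed access requests out of the approval workflow and gives a clearer error than a generic ServiceStatusDTO failure.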

Operation Name: GET_SAPGRC_AC_RISKANALYSIS


Input Parameter: com.greenlight.wrappers.input.RADetails

Description: This operation provides the risk details (if any exists) for the specified request.

RADetails
Type Name Mandatory Sample Data
String requestId Y1 123
String Userid Y1
String sysKey[] Y SAPIDES18
String locale N EN

Output Parameter: com.greenlight.wrappers.output.RiskAnalysisResults

RiskAnalysisResults
Type Name
com.greenlight.wrappers.output.TCodeDetailsPO[] criticalTCodes
com.greenlight.wrappers.output.RiskDetailsPO[] riskDetailPOs
com.greenlight.wrappers.output.ServiceStatusDTO resultDTO

TCodeDetailsPO
java.lang.String roleDesc
java.lang.String system
java.lang.String tcodeDesc
java.lang.String tcodeId

RiskDetailsPO
java.lang.String[] orgRuleDetails
java.lang.String risk
java.lang.String riskDesc
java.lang.String riskLevel
java.lang.String system
com.greenlight.wrappers.output.TCodeDetailsPO[] tCodePOs
java.lang.String violationCount

ServiceStatusDTO
java.lang.String msgCode
java.lang.String msgDesc
java.lang.String msgType

Operation Name: GET_SAPGRC_AC_AUDITTRAIL


Input Parameter: com.greenlight.wrappers.input.AuditTrailInput

Description: This operation provides the details of the status of the request.
It provides details on the action taken by various users on the request like Submitted, Approved /
Rejected along with the user details taking the action.
It also provides the last / current status of the request.

AuditTrailInput
Type Name Mandatory Sample Data
String requestId N 123
String userFirstName N
String userLastName N
String fromDate N
String toDate N 2011-08-18T06:26:21.384Z
String action N
String locale N EN

Output Parameter: com.greenlight.wrappers.output.AuditLogResult

AuditLogResult
Type Name
com.greenlight.wrappers.output.ArrayOfAuditLogDTO1 auditLogDTO
com.greenlight.wrappers.output.ServiceStatusDTO status

ArrayOfAuditLogDTO1
com.greenlight.wrappers.output.AuditLogDTO[] auditLogDTO

AuditLogDTO
java.util.Calendar createDate
java.lang.String logDetails
java.lang.String priority
com.greenlight.wrappers.output.RequestHistoryDTO[] requestHst
java.lang.String requestId
java.lang.String requestedBy
java.lang.String status
java.lang.String submittedBy

RequestHistoryDTO
java.util.Calendar actionDate
java.lang.String actionValue
com.greenlight.wrappers.output.RequestHistoryDTO[] childDTOs
java.lang.String dependentId
java.lang.String description
java.lang.String displayString
java.lang.String id
java.lang.String path
java.lang.String reqNo
java.lang.String stage
java.lang.String userId

ServiceStatusDTO
java.lang.String msgCode
java.lang.String msgDesc
java.lang.String msgType

Operation Name: GET_SAPGRC_AC_REQSTATUS


Input Parameter: com.greenlight.wrappers.input.ResquestStatus

Description: This operation gives the current status of the specified request.

ResquestStatus
Type Name Mandatory Sample Data
String requestId N 123
String language N EN

Output Parameter: com.greenlight.wrappers.output.RequestStatusDTO

RequestStatusDTO
Type Name
java.lang.String dueDate
java.lang.String msgCode
java.lang.String msgDesc
java.lang.String msgType
java.lang.String requestNumber
java.lang.String stage
java.lang.String status
java.lang.String userName

WS Interface Name: GL_SAPGRC_IDM_OUTBOUND


This WS interface is rarely used by customers. If a customer wishes to make SAP GRC AC the central
repository for all request-handling activities, the following 2 operations come into play.

Operation Name: SET_SAPGRC_AC_REQUEST_TO_IDM


This operation is used to submit a request to IDM from AC.
Input Parameter: com.greenlight.wrappers.input.ACRequestDetailsData
Output Parameter: com.greenlight.wrappers.output.ACRequestSubmissionResult

Operation Name: GET_SAPGRC_AC_AUDITRAIL_FROM_IDM


This operation is used to get the comprehensive audit trail information from IDM for the requests
processed within IDM.
Input Parameter: com.greenlight.wrappers.input.ACAuditTrailInput

Output Parameter: com.greenlight.wrappers.output.ACAuditLogResult

Miscellaneous Production Functions

Greenlight EBCP refers to Integrated Risk Management. It comprises the following new modules:

SOD Module

Using the SOD Module, customers can proactively identify users who have risky access and update
their access so that it is no longer risky. If a user has no access to perform any risky
transaction, the risk has been eliminated proactively.

• Daily Monitoring of Risks (all users, all risks).
• Evaluate the Risk for a specific user.
• Mitigate exception - by applying mitigation control.
• Remediate exception - by changing the access of the user so the user does not have risky
access anymore.
• WhatIf Analysis.
• Integration with IAM systems.

Operating Environment

• ServiceNow NY, Madrid editions
• SailPoint IdentityIQ version 8.X
• GRC plug-in framework vX.X
• Greenlight EBCP Sep-2020

Design and Implementation Constraints

• Outbound communication between Greenlight EBCP - EIS and ServiceNow or SailPoint IdentityIQ
should be open.
• Similarly, any inbound communication to Greenlight EBCP-EIS should be open.

Assumptions and Dependencies

Identity Master

To build the Identity Master, the following is required:

• Export from HR Source e.g. AD, Workday, SAP HR, SuccessFactors. Refer to section 3.2 Related Documents
• Notes about the file:
o CSV UTF-8 format
o Must contain header

Repo Sync Job

For the Repo Sync, the following is needed:

• Greenlight integration is installed, or SAP AC is connected to the in-scope target system

Authentication in Greenlight EBCP

Greenlight EBCP supports SAML and Native Authentication.

Note: If the customer does not have any Identity provider then Greenlight can install Keycloak for SAML
authentication.

Business Risks

• Business Risks in Greenlight EBCP format. Refer to section 3.2 Related Documents

Prerequisites

Prerequisite 1

Description

Request Details

Response

Prerequisite 2

Description

Request Details

Response

Prerequisite 3

Description

Request Details

Response

Prerequisite 4

Description

Request Details

Response

Prerequisite 5

Description

Request Details

Response

Appendix

List of Acronyms

Term Description

EBCP Enterprise Business Control Platform

SOD Segregation of Duties

SAML Security Assertion Markup Language

IAM systems Identity and access management

Related Documents

• Sample Identity Master File

Identity Master File.csv

• SOD rule-sets

Greenlight-IRM_Rule Set.xls
