
SAP SuccessFactors Integration with GRC AC 12.0

Prepared by: Sayantan Paul


SAP SUCCESSFACTORS INTEGRATION WITH GRC AC 12.0

TABLE OF CONTENTS

1. Introduction

2. Integration Scenarios
2.1 User Provisioning
2.2 Role-Based Access Control

3. Preparing for Integration
3.1 Setup connector for SuccessFactors system in GRC

4. Technical Integration Steps
4.1 Create connection type definition
4.2 Activating Integration Scenarios for the SuccessFactors Connector
4.3 Map actions and connector groups in SAP Access Control
4.4 GRC Configuration Parameters for SAP SuccessFactors
4.5 Synchronization Jobs

5. User Access provisioning

6. Defining risks for the SuccessFactors system
6.1 Critical Actions
6.2 SoD Action Level and Permission Level
6.3 Cross-System Risk


1. INTRODUCTION

SAP SuccessFactors and SAP GRC Access Control (AC) are two powerful solutions provided by SAP that
play essential roles in managing human resources and mitigating risk within an organization.

SAP SuccessFactors is a comprehensive cloud-based Human Capital Management (HCM) suite that
enables organizations to manage their workforce effectively. It covers various aspects of HR
management, including talent acquisition, performance management, learning and development, and
employee engagement.

On the other hand, SAP GRC Access Control (AC) is an application within the SAP GRC (Governance, Risk,
and Compliance) suite that focuses on managing user access to critical systems and enforcing access
controls. It helps organizations ensure that employees have the appropriate access privileges and comply
with regulatory requirements.

Integrating SAP SuccessFactors with SAP GRC AC brings together the power of HR management and
access control, enabling organizations to streamline their user provisioning processes, enforce access
controls, and improve compliance. By integrating these systems, organizations can enhance security,
reduce the risk of unauthorized access, and ensure that employees have the right access to perform their
roles effectively.

In this document, we will explore the integration between SAP SuccessFactors and SAP GRC AC in detail,
providing step-by-step instructions, configuration guidelines, and best practices. We will cover various
integration scenarios including user provisioning, role-based access control, and segregation of duties
analysis.


2. INTEGRATION SCENARIOS
Integration scenarios define specific use cases where the integration between SAP SuccessFactors and
SAP GRC Access Control (AC) can provide significant value. In this section, we will explore the key
integration scenarios and discuss their purpose/benefits.

2.1 USER PROVISIONING


User provisioning involves the process of creating and managing user accounts across systems. The
integration between SAP SuccessFactors and SAP GRC AC enables seamless user provisioning, ensuring
that user accounts are created, modified, and deactivated consistently as well as efficiently.

By integrating these systems for user provisioning, organizations can achieve the following benefits:
- Streamlined Onboarding: New hires or employee role changes in SAP SuccessFactors can trigger
automatic user provisioning in SAP GRC AC, ensuring that access privileges are provisioned promptly and
accurately.

- Centralized User Management: User data maintained in SAP SuccessFactors can serve as the single
source of truth for user information, eliminating the need for redundant data entry and reducing the risk
of errors or inconsistencies.

- Improved Efficiency: Manual user provisioning tasks can be automated, saving time and effort for IT
and HR teams. This automation reduces the chances of manual errors and accelerates the provisioning
process.

- Enhanced Security: Integrating user provisioning with SAP GRC AC ensures that access controls, such as
segregation of duties (SoD) rules, are enforced during the provisioning process, reducing the risk of
unauthorized access.

2.2 ROLE-BASED ACCESS CONTROL


Role-Based Access Control (RBAC) is a method of managing user access based on predefined roles. SAP
SuccessFactors and SAP GRC AC can be integrated to implement RBAC consistently across both systems,
ensuring that users have the appropriate access rights based on their roles and responsibilities.


The integration of RBAC between SAP SuccessFactors and SAP GRC AC offers the following advantages:

- Role Consistency: Roles defined in SAP SuccessFactors can be synchronized with SAP GRC AC,
maintaining consistency in role definitions across systems. This synchronization avoids manual efforts in
managing roles separately in each system.

- Access Request and Approval: When users request additional access or role changes in SAP
SuccessFactors, the integration with SAP GRC AC enables the access request to be routed for appropriate
approvals, ensuring compliance with the organization's access control policies.

- Compliance and Audit: By integrating RBAC, organizations can easily demonstrate compliance with
regulatory requirements by enforcing consistent access controls and maintaining audit trails of access
assignments and changes.

2.3 SEGREGATION OF DUTIES (SOD) ANALYSIS

Segregation of Duties (SoD) refers to the practice of ensuring that no individual has conflicting or
incompatible access privileges that could potentially result in fraud or misuse. Integrating SAP
SuccessFactors with SAP GRC AC enables organizations to perform SoD analysis and enforce SoD controls
effectively.

The integration of SoD analysis provides the following benefits:

- Automated SoD Analysis: By integrating SAP SuccessFactors with SAP GRC AC, organizations can
automate the analysis of user access against predefined SoD rules. This analysis helps identify any
potential conflicts and violations, thus reducing the risk of fraudulent activities.

- Audit and Compliance Reporting: The integration between systems enables comprehensive reporting
on SoD violations, access controls, and remediation activities. These reports help organizations
demonstrate compliance with internal and external regulations.


3. PREPARING FOR INTEGRATION

3.1 SETUP CONNECTOR FOR SUCCESSFACTORS SYSTEM IN GRC

For SAP SuccessFactors integration we need an HTTP connector of Type G from SAP Access Control,
which can be created using the steps below in Customizing transaction SPRO:

1. Navigate to SAP Reference IMG by following the path: Governance, Risk, and Compliance → Common
Components → Integration Framework → Create Connectors.
2. Select "Create Connectors" from the available options.
3. Click on the Create icon and choose the folder "HTTP Connections to External Server".
4. Fill in the necessary data based on the example provided in the screenshot below. The example data
includes the following fields:

- Connector Type: Select Type G for the HTTP connector.
- Connector ID (RFC Destination): Provide a unique identifier for the connector.
- Connector Description: Enter a description for the connector.
- HTTP Server URL (HOST): Specify the API URL of the SAP SuccessFactors datacenter.
- Port: Select port 443 if the API URL starts with HTTPS.
- User Name: Enter the username for authentication with SAP SuccessFactors. (This technical user
should be created in SuccessFactors with RBP_ADMIN access/elevated access based on the client's
access setup.)
- Password: Provide the password associated with the username.

Note: In the username field, concatenate the user with the company ID using the "@" symbol. For
example, if the user is "XYZ" and the company ID is "corpABC", the username should be maintained as
"XYZ@corpABC". Maintaining the username as user@company is what enables successful
authentication and authorization.

Once we have filled in the required data, the configuration for the HTTP connector Type G between SAP
Access Control and SAP SuccessFactors will be complete.

Note: Refer to the SAP KBA below for the latest SAP SuccessFactors API URL:
https://userapps.support.sap.com/sap/support/knowledge/en/2215682

Tips: In case of any certificate-related issue while testing the SuccessFactors connection, kindly check whether the
SuccessFactors SSL certificate has been installed in the GRC system or not. If not, kindly get it installed using the
STRUST transaction code.


4. TECHNICAL INTEGRATION

4.1 CREATE CONNECTION TYPE DEFINITION

1. In the IMG, choose Governance, Risk, and Compliance→ Common Components→ Integration
Framework→ Maintain Connectors and Connection Types.

2. Create a connection type as indicated in the screenshots below. Choose Define Connectors. Enter the
Target Connector and Connection Type as SFEC.

3. Define a connector group:


4. Assign connector to group types and connector groups:

4.2 ACTIVATING INTEGRATION SCENARIOS FOR THE SUCCESSFACTORS CONNECTOR:


Currently, GRC AC supports the below integration scenarios for SuccessFactors:

1. Access Request Management (ARM)
2. Access Risk Analysis (ARA)
3. Business Role Management (BRM)


Maintain connection settings as below:

• Choose IMG→ Governance, Risk, and Compliance→ Common Components→ Integration
Framework→ Maintain Connection Settings and select the integration scenario PROV
(Provisioning).
• Link the SuccessFactors connector to PROV.
• Select Scenario-Connector Link and link the Target Connector to the PROV Work Area.

Note: The Connection Type should be SFEC.

The above steps should be repeated for the below integration scenarios:
• AUTH: Authorization Management
• ROLMG: Role Management


4.3 MAP ACTIONS AND CONNECTOR GROUPS IN SAP ACCESS CONTROL


1. Choose IMG→ Governance, Risk, and Compliance→ Access Control→ Maintain Mapping for Actions
and Connector Groups.
2. Enter the SuccessFactors connector group and activate it.

Also, set the environment of the SuccessFactors connector in IMG→ Governance, Risk, and
Compliance→ Access Control→Maintain connector settings:


4.4 GRC CONFIGURATION PARAMETERS FOR SAP SUCCESSFACTORS


Below is the list of important GRC parameters which are required (subject to business needs) for
SuccessFactors systems:

1. 1022: In the access control solution, on the Risk Analysis screen, we specify the system and the
analysis criteria such as User, Risk Level, and so on. This parameter allows us to specify for which
systems the user ID entered is case-sensitive.

Note: If the parameter is not defined, the system is going to read the data as UPPERCASE irrespective
of how it has been entered in the field.

2. 1046: This parameter is used to identify a non-SAP system and store the system-specific data in
specific SAP tables meant for non-SAP systems. Extended objects are objects from non-SAP
systems. This parameter allows you to specify the connectors for non-SAP systems.

Note: Once the parameter is set for the SuccessFactors connector, the following tables are populated
with the data from the connector upon completion of the repository sync and the batch risk analysis
job:
• GRACACTRULEEXT
• GRACFUNCACTEXT
• GRACFUNCPRMEXT
• GRACPROFACTVLEXT
• GRACPROFPRMVLEXT
• GRACROLEACTVLEXT
• GRACROLEPRMVLEXT
• GRACUSERACTVLEXT
• GRACUSERPRMVLEXT

3. 1055: When it comes to SuccessFactors, most businesses use a different user ID from the one in
SAP. It’s usually the personal number that is used in SuccessFactors for the user ID field. However,
with that, the challenge of mapping a user’s SuccessFactors account to an SAP account arises while
performing cross-system risk analysis. To overcome this issue, SAP has introduced this parameter,
which can be used to generate a mapping from the SF Username field to the SAP User ID field.
Once this parameter is set, running the GRC repository synchronization job is going to auto-
populate a mapping which can be found in the GRACUSERMAP table.

Important: This mapping will get generated automatically provided we have maintained the SAP user
ID in any of the SuccessFactors user profile fields. (If not in a standard field, we can also have a custom
field where we can maintain the SAP User ID.)

For example: If we are using the user ID field in SuccessFactors to have the SAP user ID, we have to
do the below group field mapping for the connector:

Note: The System Fld name is the technical ID of the field (can be a custom field too) from
SuccessFactors where we are maintaining the SAP User ID.
4.5 SYNCHRONIZATION JOBS

The below synchronization jobs should be executed to fetch the relevant details from the
SuccessFactors connector:

• PFCG Authorization sync job


• Repository object sync job

5. USER ACCESS PROVISIONING


Access provisioning for the SuccessFactors system via GRC is only possible for Static Permission
groups and not for Dynamic groups. Before proceeding with access provisioning, the first step is to
upload the SuccessFactors permission groups into GRC. However, uploading SuccessFactors static
groups into GRC is a bit different from uploading SAP roles.

While uploading the roles we need to mark the role type as SFG for all SuccessFactors static
permission groups as shown below:

Once done the static permission groups will be available for access provisioning in the GRC access
request.
Access setup for SuccessFactors users via the GRC Access request form is very similar to any ABAP
system user access setup/modification:


Once approved, the user gets created in SuccessFactors:

Tips: The user search functionality for SuccessFactors users is not going to work if we have mapped SAMAccount
to SAP user ID in LDAP configuration. So, a simple workaround to generate the user details (First name, Last name,
Manager details, etc.) is to generate a mapping in the GRACUSERMAP table between the SAP user ID and the
SuccessFactors user ID for the LDAP connector:

User ID: SAP user ID
Master User ID: SuccessFactors user ID

Once we have this mapping in place, whenever we enter the SuccessFactors user ID in the GRC Access
request form, the program first checks whether we have a mapping in place for the SuccessFactors user
ID in the GRACUSERMAP table. If yes, it takes the Master User ID for the user and looks for the details in
the source system based on the source system configuration. Also, if we are using SuccessFactors
systems as the HR system, it can also fetch the user details from the SuccessFactors systems directly:

6. DEFINING RISKS FOR SUCCESSFACTORS SYSTEM


Risk analysis for SuccessFactors is like any other SAP system, wherein we need to define the risks (Critical
Action and SoD) based on the business requirement.
Critical Action:


Associated Function: SFCA

Risk Analysis Report:


The detailed report also gives details of the permission group (refer to the composite role column) and
the associated roles from where the access is coming:

SoD (Segregation of Duties):


Action Level:

Permission Level:

Cross-System Risk Analysis:


The standard cross-system risk analysis is available for SuccessFactors too, and there is no separate
configuration that we need to do. The only and most important point to note here is the mapping
between the SuccessFactors and the backend SAP user ID in the GRACUSERMAP table (refer to
parameter 1055 in section 4.4), without which cross-system risk analysis won’t work:
Sample cross-risk analysis:
Function for SAP system


Function for SuccessFactors system:

Risk definition:


Risk Analysis output: Perform risk analysis with the connector group having the SuccessFactors system
and the SAP system for which we have defined a cross-system risk:
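
The dependency described under parameter 1055 and in the cross-system risk analysis paragraph, as an added example that is not part of the original document and is not SAP GRC code: a simplified Python model in which a cross-system risk is only detected once the SuccessFactors user ID is mapped to the SAP user ID. The connector IDs, user IDs, risk ID, SuccessFactors action name and the choice of `custom01` as the mapping field are constructed assumptions.

```python
# Simplified model of cross-system SoD analysis; NOT SAP GRC code.
# Every connector name, user ID, action and risk ID below is constructed sample data.
SAP, SF = "SAPECC", "SFEC01"                     # hypothetical connector IDs

# Access per (connector, user ID), as two synchronized connectors might report it.
ACCESS = {
    (SAP, "JDOE"): {"FK01"},
    (SAP, "ASMITH"): {"FK01"},
    (SF, "10002345"): {"EDIT_BANK_DETAILS"},     # personnel-number style SF user IDs
    (SF, "10009999"): {"EDIT_BANK_DETAILS"},
}

# SuccessFactors user records; 'custom01' stands in for the System Fld holding the SAP user ID.
SF_USERS = [
    {"userId": "10002345", "custom01": "jdoe"},
    {"userId": "10009999", "custom01": ""},      # SAP user ID not maintained
]

# Cross-system risk: one function per system; a conflict needs one person holding both.
RISK = {"id": "ZX01", "functions": [(SAP, {"FK01"}), (SF, {"EDIT_BANK_DETAILS"})]}

def build_user_map(sf_users, field):
    """Model of the GRACUSERMAP content: SF user ID -> SAP user ID (stored uppercase)."""
    return {u["userId"]: u[field].upper() for u in sf_users if u.get(field)}

def unmapped_sf_users(sf_users, user_map):
    """SF accounts that cross-system analysis cannot tie to an SAP account."""
    return sorted(u["userId"] for u in sf_users if u["userId"] not in user_map)

def cross_system_violations(access, user_map, risk):
    """Return the identities that hold every function of the risk across connectors."""
    per_person = {}
    for (conn, uid), actions in access.items():
        # SF accounts are merged into the SAP identity only when a mapping exists.
        person = user_map.get(uid, uid) if conn == SF else uid
        per_person.setdefault(person, []).append((conn, actions))
    hits = []
    for person, grants in per_person.items():
        if all(any(c == conn and need <= acts for c, acts in grants)
               for conn, need in risk["functions"]):
            hits.append(person)
    return sorted(hits)

if __name__ == "__main__":
    user_map = build_user_map(SF_USERS, "custom01")
    print("without mapping:", cross_system_violations(ACCESS, {}, RISK))
    print("with mapping:   ", cross_system_violations(ACCESS, user_map, RISK))
    print("unmapped SF IDs:", unmapped_sf_users(SF_USERS, user_map))
```

The list of unmapped SuccessFactors IDs is the one to review before relying on a clean cross-system report, since those accounts are never combined with their SAP access.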

Tips: The below tables come in handy to determine the technical details of the SuccessFactors actions and
permission required to define a function:

• GRACACTION
• GRACACTPERMSYS
• GRACPERMFLD
• GRACPERMFLDVAL

Note: Pass application type ID as 019 to check for SuccessFactors-related details only.
