Access Enforcer & non-SAP apps

We were told that you can use AE 5.2 for non-SAP applications. There are ways to set up roles for any type of system and across systems. I do not see any of this information in the user guides that are provided and I have not been able to figure it out by playing around with the tools.
I saw some posts with regard to Role Expert so I will begin looking into this tool to see if it helps.
Is it possible to set this up to perform approvals/role evaluations for some legacy applications?
Does anyone know of some web training or anything available for this?
Any links/pointers are appreciated.
Also, does the LDAP configuration actually work in AE? We were able to set up NetWeaver to map to an LDAP instance and then log into AE if we kept the authentication pointing at SAP UME, but when we set up LDAP using the same settings, set up the LDAP mappings and user defaults, I cannot authenticate.
Regards,
-J

Hi John,
    in response to the original question - you can use AE with non-SAP applications - basically anything that a Connector can be built to. This is specifically only for data retrieval (eg from LDAPs / Oracle/ Role Expert) - not for user account creation/ maintenance in the target systems (eg JDE / Bespoke systems etc). This doesn't stop you from defining workflows for non-SAP systems - just that you'll need a manual step at the end to execute the change.
Re the LDAP - connectors work fine for data retrieval (eg User details / User <> Mgr relationship) - which is totally separate from User Authentication for AE. If you are using CC & RE as well then you'll have to make a decision about whether to go with UME as primary point or LDAP (the UME User Persistence store is prob the easiest option long term - as UME roles would still need to be assigned for any user intending to use GRC..)
cheers
Paul

Similar Messages

  • IDM & Non SAP app integration

    Hi All,
    I have to integrate one Non SAP application with IDM and conduct provision and de-provision. Can somebody provide me some design/approach how provisioning tasks can be configured to fulfill the same. The Non SAP app has oracle database where I have to provision user. Is there any OOB sample available or any existing thread which I can read?
    Thanks,
    Dhiman Paul.

    Dhiman Paul wrote:
    We are using a "To Database" pass.
    In that, we have sql updating and we are using a stored procedure for insertion into non-sap application.
    The stored procedure runs fine and we get a success entry log in IDM.
    When we try to find the same user in non-sap app, it doesn't return any value.
    For connection to non-sap and sap, we are having a communication user (not mxmc_rt).
    We are using the same user for connection purpose between the app.
    Does mxmc_rt require the privileges to write into the database table? As, we are not using the user for connection purpose.
    Like Matt said if you run the procedure from SQL Developer or SQL+ does it work? If so what userid/password do you use? Use the same userid/password in the URL of your to Database-pass in IdM.
    You don't need to use mxmc_rt for the connection to "3rd party" database, probably better if you get a dedicated user for the interface that has access only to the needed table / stored procedure etc.
    regards, Tero

  • Web Server Filter Based SSO to Non-SAP Apps

    Hi,
    I am following SAP Note 442401 for configuring the Non-SAP App for Web Server Filter based SSO using SAP Logon Ticket. Also, I have downloaded the 5_0_2_8.zip file.
    The Readme doc of this zip file says:
    "Changes in Web server filter plugins
    The Web server filter plug ins and the Ticket Toolkit now were separated.
    See subdirectories for further information:
    "C"          the Ticket Toolkit
    "filter"     the Web server filter plug ins
    This is the last released version (5.0.2.8) on SAPSERV.
    Please refer for newer versions to SAP Service Marketplace (http://service.sap.com/patches)
    Technology Components-> SAP SSOEXT -> SAP SSOEXT"
    Zip file has two folders named "C" and "filter".
    "C" folder has cpp code to verify the ticket.
    "Filter" folder has DLLs for the different web servers.
    So far so good. Now, what I want to know is that is placing the DLL from the Filter folder onto the respective web server and doing some configs, as per the PDF provided with ZIP file, enough?
    Or do I need to do anything else, like writing any class to read and validate the Ticket?
    Thanks,
    Vivek

    See Web Server Filter Based SSO to Non-SAP Apps

  • Compliance Calibrator 5.2 RTA for Non-SAP Apps

    Hi all,
    Can SoD rules be written for analyzing a Users access to SAP and NON-SAP applications across the enterprise?
    If yes will CC RTA need to be installed on the NON-SAP application?
    If yes are there any requirements that need to be met by NON-SAP application and is there a list of NON-SAP applications (other than-Peoplesoft, Oracle, Hyperion, JD Edwards) that CC has an RTA for?
    Is there any documentation specific to applications that can support CC RTAs and installation on these?
    -Cheers

    Hi,
    Yes SoD rules can be written for analyzing user accesses to SAP and non-SAP applications.
    Basically there is no other application for which an RTA exists, but there is a documentation discussing the technical requirements for file generation from the non-SAP systems for integration of non-SAP Systems with SAP Compliance Calibrator.
    This documentation is available in http://service.sap.com/rkt-grc
    under SAP GRC Access Control 5.2 -> SAP GRC Compliance Calibrator 5.2 -> Step2: Prepare for your project -> Cross Application Material
    You'll need your OSS user-id to access that page; in case you cannot access it, please post a message in the OSS.
    Rgds,
    Karim

  • MI access to non SAP system

    Hi,
    how can I access webservices through MI.
    Also If i have a database which allows jdbc access how do I access it thru MI.?

    Hi Shalu,
      In the MI Client you can have either AWT or JSP Application.
    These are different user interface available for a MI Client.
    Since you are interested in webservices, you should use JSP Framework application.
    How can i access webservices through MI?
    In a real scenario,
    1. You create a JSP Application using SAP-IDE. i.e SAP NetWeaver Studio.
    2. Export your jsp project to a .war file.
    3. Deploy the .war file in the MI Server using WEB CONSOLE.
    4. Assign this JSP Application to your userid & password which in turn corresponds to the MI Client.
    5. Now, the MI Client has to synchronize it. So that the application is visible in the MI Client.
    6. MI Client sees the application as a link which he can use it later.
    If i have a database which allows jdbc access how do i access it through MI?
        Since you are going to use the application(Either JSP or AWT) in the client side and
    since you are going to write those application in the MI Client. i.e Your machine,
    The Data Source Name associated with your project is already present in your machine/client right.
    So the MI client which is installed in your machine which is either JSP or AWT, takes care of the database access. :-D.
    Check this link...
    SAP NetWeaver Developer Studio
    http://media.sdn.sap.com/public/html/submitted_docs/MI/MDK_2.5/content/eclipse/guideeclipse.html
    Hope it helps.
    Rewards Points for useful answers.
    Regards,
    Maheswaran.B

  • Connect non-sap app to XI

    Hello,
    I have an app able to create Idoc and Idoc-XML, both currently being sent to SAP R/3 up to version 4.6c via RFC (IDOC_INBOUND_ASYNCHRONOUS). Can I keep this way when connecting to XI and if not, what's the alternative? Thanks for your help

    Hello,
    thanks for your answer. However, I'm confused a little. I thought it's necessary to connect via the RFC-Adapter of XI instead of the IDoc-Adapter.
    Thanks
    Thomas

  • OS command to access the non SAP server to create folders in the server

    Hi All,
    For the Pre press screen ABAP team need to create some WIP folders in 10.10.10.215.So I want to try out the option of using OS command to access that server to create folders at a specific location in that server.
    Can you please tell me the which OS command is used in this case.
    Thanks in advance.
    Regards,
    jhansi.

    these are very basic things. You should do a search before posting your question here.
    Thanks
    Sunny

  • SSO from non-SAP to SAP apps

    Hi All,
    Currently We have SAP applications, non-SAP applications(java, .NET, PHP etc) in our landscape.
    If the client tries to access any non-SAP application it should ask for authentication and thereby for any subsequent access to any URL's(SAP or NON-SAP apps) it should not ask for any authentication.
    FYI:
    The client logins into SAP Portal(SAP to NON-SAP) first and thereby able to achieve SSO for non-SAP applications as well.
    Currently we are stuck for the scenario of Non-SAP to SAP apps?
    Please suggest.......
    Thanks,
    Mano.

    Hi samuli,
    Using SPNEGO, we can incorporate windows authentication for SAP Portal ( after desktop authentication user can logon without userid/password). But for non-sap apps this would be challenge.
    I have another option, using webdispatcher if we enable server redirect for all applications(SAP & NON-SAP) and get authenticated centrally by which SSO can be achieved across all the apps.
    Would above solution work ?
    Thanks,
    Mano.

  • Is there an IDES system of "Access Enforcer" internally at SAP?

    Hi expert,
    Is there an IDES system of "Access Enforcer" in SAP so that we can access it internally from SAP network?
    Thanks.

    Very well.
    This information is only applicable within SAP's corporate network.
    Access Controls 5.1 - compliant user provisioning (Virsa Access Enforcer for SAP)
    http://idphl930.phl.sap.corp:50000/AE/index.jsp
    ERP Backend: Application Server: idphl932.phl.sap.corp, System Number: 50, system ID: G13, Client: 870
    Updated Demo Scripts are located here:
    Rsophltrndb\FEPublic\Public\GRC_Workshop\DemoScripts

  • SSO from non sap application server to SAP systems

    Mysapsso2 cookie has been generated after we are login into the portal https://FQDN/irj/portal for all the backend systems in client browser. Since it is working fine. After login into the portal, while clicking the URL iview of external JBoss application server in portal home page and it shows the new windows pop up login page. After login into this external JBoss application server, we have configured work item for SAP ITS WEBGUI login page of the backend system inside this JBoss application. Here we need to pass the mysapsso2 cookie information in SAP WEBGUI, so that login page is bypassed using SSO. Kindly do give some suggestion for fixing this issue. Kind Regards, R Rajavelu

    Try to use it Appsintegrator to access the non sap application from SAP Application

  • Upload of role in Access Enforcer 5.2.

    Hi All,
    I need to upload roles in Access Enforcer from SAP ECC system. Actually I have uploaded the roles in Access Enforcer, but all unwanted roles have also got uploaded.
    Now i need some way, first to clean entire uploaded roles & then upload selected roles.
    Please suggest.
    Thanks & Regards,
    Pravin

    Hi Pravin,
       Here are the steps:
    1) Download all the roles into an excel spreadsheet:
    Go to configuration -> Roles- Search roles -> Click on 'Export' button. This CUP, go to 'Search Roles'. Click on 'Search' button without providing any search criteria. This will return all the roles available in CUP. Now, click on Export button. CUP will export all the roles into Excel spreadsheet in the format which CUP understands.
    2) Delete all the roles from CUP: Now, in the same screen as above, select all the roles and delete them.
    3) Delete not needed roles from spreadsheet and upload it into CUP:
    Now, delete all the unwanted roles from CUP and play with the spreadsheet to manipulate other parameters like role approvers, systems, business process etc and upload that spreadsheet into CUP.
    Regards,
    Alpesh
    SAP GRC Manager (PwC)

  • Integrate 'External non-SAP Purchasing Application' with SAP SD for third party purchasing/ drop shipping?

    What is the best way to integrate 'External non-SAP Purchasing Application' with SAP SD for third party purchasing/ drop shipping?
    Details about expected process Flow.
    Receive PO from customer into SAP > SAP SD creates Sales Order > ?? SAP Integrate with External non-SAP Purchasing Application to trigger purchasing > External non-SAP Purchasing Application creates PO, Ships Material to Customer Ship to address (drop ship), Sends Shipping confirmation (FCR) & Invoices to SAP> ??Receive FCR and Invoice in SAP > ?? Initiate SAP Accounts Payable (Vendor Payments) and Accounts Receivable (Customer Invoice) > ?? Update SAP SD Sales Order with shipping status>
    Questions we need to answer;
      - How to achieve '??' steps from above process.
      - What type of Master Data we will need to configure (Say Materials Item Category, Type etc.)
      - Any standards options to configure SAP SD (Type of Sales Order)
      - We certainly don’t want to trigger SAP MM Purchasing (i.e. PR, PO etc.). How can we bypass it.
      - How to make statistical receipts against sales order line items so that SO status will be updated.
      - How to receive Invoice and FCR from External non-SAP app to trigger AP and AR transactions.
      - Are there any SAP standard configurations/ BAPIs/ BADIs available to achieve this integration.
    Any inputs on above questions are appreciable.
    Anand.

    This question is resolved. We ended up activating purchasing module and used purchasing documents PR/ PO to integrate with third party purchasing system.
    Anand.

  • Provision UserID/Password from SAP System to Non-SAP System

    Hi,
    I have a requirement to be able to provision UserID & Password from a SAP ECC6 system to a non-SAP thick client application. All interactions between ECC6 & the non-SAP Application will be via SAP PI. (SAP ECC6 <-> SAP PI <-> Non-SAP App)
    Our landscape includes:
    SAP ECC6
    SAP BI
    SAP PI
    SAP SOLMAN
    SAP Portal
    non-SAP App
    SAP IdM has been ruled out due to budget constraints, Active Directory is not suitable due to the requirement that the non-SAP application must be able to authenticate users if the WAN/LAN is down.
    Yes, we could simply maintain the users in both systems, but for the time being that has been deemed not appropriate.
    I have thought about using CUA on SOLMAN to provision to the SAP Systems & then use SAP PI somehow to provision to the non-SAP App, but I have no idea how to pass the raw user password through SAP PI.
    If anyone has any ideas or can point me to links where I can do further research would be much appreciated.
    Thanks in advance,
    Stephen Hall

    The search term "password AND synchronize" will help you further to find "flamewars" from the past.
    You cannot send "raw" passwords from CUA, as the password is represented by a "one way" hash which is not decryptable by mortals, but rather the "raw" password is encrypted and the hashes are compared locally. Non-SAP systems cannot do this... (bar trial-and-error).
    A better option would be to use a SSO mechanism. This is very easy within SAP.
    For bi-directional authentication with non-SAP you will face some challenges...
    The easiest option is to re-use a PKI certificate based authentication or re-use the native Kerberos authentication available for Windows based PCs.
    In the SAP --> non-SAP direction you can consider using a verification library to extract the user name - but that is not "state of the art" and if such a UID should be encrypted then have fun...
    In the non-SAP --> SAP direction you are best off forgetting about the infrastructure trust or worst-case scenario is a password sync. Rather re-authenticate the caller using a realm which already exist.
    Active Directory is not suitable due to the requirement that the non-SAP application must be able to authenticate users if the WAN/LAN is down.
    I would consider an application specific password self-service as a failover only and go for the AD or an "identity provider" which your applications trust as a service.
    If your AD or entire network goes down you will probably be in bigger trouble than passwords... so you should not expose "raw" passwords during normal operations for this eventuality...
    Cheers,
    Julius
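
The point of the reply above as an added Python example (not part of the thread and not SAP code): a stored one-way hash can only be checked by a system that recomputes it with the same scheme, so a copied hash is useless to a target with a different scheme, whereas a signed, short-lived assertion carries identity without a secret. The PBKDF2 schemes, the user name, the password and the HMAC shared key (a stand-in for a PKI signature, which the standard library lacks) are all assumptions.

```python
import base64, hashlib, hmac, json, os, time

ITERATIONS = 100_000  # constructed value for this example

def hash_record(password: str, algo: str) -> dict:
    """Store a salt and a one-way hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(algo, password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify(password: str, record: dict, algo: str) -> bool:
    """Verification recomputes the hash locally with the verifier's own scheme."""
    candidate = hashlib.pbkdf2_hmac(algo, password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])

def issue_assertion(user: str, key: bytes, ttl: int = 300, now=None) -> str:
    """Source side: sign 'who' and 'valid until' instead of shipping a secret."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": user, "exp": now + ttl}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return ".".join(base64.urlsafe_b64encode(p).decode() for p in (body, tag))

def accept_assertion(token: str, key: bytes, now=None):
    """Target side: return the user name only if signature and expiry check out."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = (base64.urlsafe_b64decode(p) for p in token.split("."))
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # tampered with, or signed under a different key
    claims = json.loads(body)
    return claims["sub"] if claims["exp"] > now else None

def demo() -> dict:
    # Hypothetical source scheme: PBKDF2-SHA256; hypothetical target: PBKDF2-SHA512.
    record = hash_record("S3cret!pass", "sha256")
    key = os.urandom(32)  # trust material shared by source and target
    token = issue_assertion("JDOE", key, now=1_000)
    return {
        "source_verifies": verify("S3cret!pass", record, "sha256"),
        "target_verifies_copied_hash": verify("S3cret!pass", record, "sha512"),
        "target_accepts_assertion": accept_assertion(token, key, now=1_100),
        "expired_assertion": accept_assertion(token, key, now=2_000),
    }

if __name__ == "__main__":
    print(demo())
```
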

  • Want to access non SAP system from EP

    Hey Guys,
    We are having a system (CRMS) which is a non SAP system. I know through EP we can connect to the non SAP system.
    Can somebody pls tell me the steps to do this.  I want to access the data from non SAP system on Enterprise Portal.
    Pls provide me the useful links / doc.
    Thanks in advance.
    Nikesh Shah

    Hello Nikesh,
    As I mentioned, kindly check up on help.sap.com.
    Anyways:
    Create an HTTP system using the System Templates Provided. Instead of selecting SAP Systems you select HTTP system. Provide parameters:
    Authentication method: POST
    Authentication Type: Server
    URL Parameter for Password & URL Parameter for Username: This you can get by doing a View Source on the Login Page of your CRMS appln. e.g. <input type = "hidden" name ="user"> -> So in this case you pick up user
    In User management property select Usermapping and admin,user
    Now create a URL iView:
    System: Select the 1 you created.
    URL: URL to your application till before any query string starts.
    REQUEST Method: GET
    URL Parameter 1: <the user param from the source> TYPE = Mapped User
    URL Parameter 2: <the pwd param from the source> TYPE = Mapped Password
    Enter the user mapping for that user and test the iview.

  • SAP Access Enforcer

    Does anybody know where I can find information about Access Enforcer? What I'm interested in is what steps are required to implement the application for user automation.

    Try these sites....
    http://www.virsa.com/products/access_enforcer.php
    http://www.sap.com/solutions/grc/accessandauthorization/index.epx
    HB
