Uploaded by Shirish Thadla

2400908 SAP GRC approval Signoff Authentication

2021-05-24
2400908
2400908 - Reaffirm approval authentication against LDAP instead of GRC system
Version: 5
Language: English
Priority: Recommendations / Additional Info
Release Status: Released for Customer
Component: GRC-SAC-WF (Workflow)
Type: SAP Note
Master Language: English
Category: Consulting
Released On: 15.12.2016
Please find the original document at https://launchpad.support.sap.com/#/notes/2400908
Symptom
Authentication for reaffirm approval is done against the GRC foundation system and not against the LDAP system maintained in the user data source or user authentication source configuration (IMG).
You would like to perform this authentication against LDAP and not against GRC SU01 data, as there may be cases where approvers do not know their GRC system password (for example, organizations where SSO is used to log on to all systems, including the GRC system).
Steps to reproduce:
1. In the MSMP Workflow stage configuration, Role reaffirm is enabled for Approve/Reject.
2. Approver logs into work inbox to approve/reject request.
3. For the reaffirm, a logon screen is prompted.
Other Terms
Reaffirm, Access Request, GRC Workflow
Reason and Prerequisites
As per standard design of the application, the authentication for reaffirm approval is done against GRC
system only. A source code enhancement will be required to achieve this functionality.
Solution
This functionality can be achieved by performing an ABAP source code enhancement without modifying the standard code. Please note that this must be done by expert ABAP developers only!
Create an overwrite-exit for standard method CL_GRAC_USER_PWD_UTIL -> USER_PASSWORD_AUTHENTICATION.
In the enhancement code for the overwrite-exit:
- Use function module LDAP_SYSTEMBIND to create a connection to the LDAP server.
- If the connection is successful, use function module LDAP_SIMPLEBIND to authenticate against the LDAP server. Please note that this function module accepts the full DN (distinguished name) as an input. The DN can be obtained by concatenating the sn or sAMAccountName with the LDAP user path. LDAP_SIMPLEBIND can also accept the user ID as userid@hostname instead of the DN.
- In case the authentication is successful (sy-subrc = 0), set the parameter ev_return_code = 0. In case the authentication fails, set the parameter ev_return_code = 4.
Please refer to function module documentation for all of the function modules mentioned above to get more details about importing and exporting parameters.
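The steps above as a helper the overwrite-exit could call. This is an added example, not code from the SAP Note. The class lcl_ldap_auth, the server ID LDAP_AD, the CN= prefix, the user path and the allowed character set are assumptions, and the function module parameter names (SERVERID, USR_STRING, PWD_STRING) should be checked against the function module documentation as the note advises.

```abap
REPORT zgrc_reaffirm_ldap_sketch.
CLASS lcl_ldap_auth DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS check
      IMPORTING iv_user        TYPE string
                iv_password    TYPE string
      RETURNING VALUE(rv_code) TYPE i.
ENDCLASS.

CLASS lcl_ldap_auth IMPLEMENTATION.
  METHOD check.
    " Constructed values: replace with your LDAP server ID and user path.
    DATA lv_server TYPE ldapserver-serverid VALUE 'LDAP_AD'.
    CONSTANTS lc_path TYPE string VALUE `,OU=Users,DC=example,DC=com`.
    rv_code = 4.  " fail closed: only a successful user bind sets 0
    " An empty password turns a simple bind into an unauthenticated bind
    " (RFC 4513, section 5.1.2) that a directory may accept, so never send it.
    IF iv_user IS INITIAL OR iv_password IS INITIAL.
      RETURN.
    ENDIF.
    " The user ID is concatenated into a DN: allow only characters that
    " cannot change the DN structure (assumed account-name alphabet).
    IF NOT matches( val = iv_user regex = '[A-Za-z0-9._-]+' ).
      RETURN.
    ENDIF.
    DATA(lv_dn) = |CN={ iv_user }{ lc_path }|.

    " Step 1: open the connection to the LDAP server.
    CALL FUNCTION 'LDAP_SYSTEMBIND'
      EXPORTING
        serverid = lv_server
      EXCEPTIONS
        OTHERS   = 1.
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.

    " Step 2: bind as the approver; sy-subrc = 0 means the password matched.
    CALL FUNCTION 'LDAP_SIMPLEBIND'
      EXPORTING
        serverid   = lv_server
        usr_string = lv_dn
        pwd_string = iv_password
      EXCEPTIONS
        OTHERS     = 1.
    IF sy-subrc = 0.
      rv_code = 0.
    ENDIF.
  ENDMETHOD.
ENDCLASS.
```

In the overwrite-exit, the returned value is what gets assigned to ev_return_code.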
Other Components
Component: GRC-SAC-ARQ
Description: Access Request
This document refers to
SAP Note/KBA: 2176945
Title: What system does the Role Reaffirm Approval authenticate against in AC 10?
This document is referenced by
SAP Note/KBA: 2485296
Title: Password required while approving request
© 2021 SAP SE or an SAP affiliate company. All rights reserved