Financial Management Blogs by SAP
In SAP GRC Access Control it is common practice to provision the SNC name via an Access Request. As the SNC name is different for each user, the core question is how to populate the correct SNC name in the Access Request form so that it is provisioned in the plug-in SAP systems. The SNC name in SU01 is the name recognized by the external security software and is also known as the printable name. Apart from the length limitation of SNC names, the printable name has a different format for SECUDE and for Kerberos.

Example of a SECUDE printable SNC name: p:CN=TESTUSER, O=SAP-AG, C=DE

This scenario uses End User Personalization (EUP) for the SNC name in the access request. The default value of the SNC name in EUP can contain the following variables, which are replaced at provisioning with their corresponding values.

#!#COMPANY#!#
#!#DEPARTMENT#!#
#!#EMAIL#!#
#!#EMPLOYEETYPE#!#
#!#FIRSTNAME#!#
#!#FUNCTIONALAREA#!#
#!#LASTNAME#!#
#!#LOCATION#!#
#!#TELEPHONE#!#
#!#USERID#!#
#!#USERID_L#!# (USERID in lower case)

The SNC name can be assembled from one or more variables, depending on which parts of the string have fixed values in the environment.

p:CN=#!#USERID#!#, O=SAP-AG, C=DE

p:CN=#!#USERID#!#, O=#!#COMPANY#!#, C=#!#LOCATION#!#

Each variable has an equivalent AC field, which has to be filled from the user detail data source. If an LDAP connector is used as the data source, group field mapping needs to be maintained.

For the above example using Microsoft Active Directory:

'USERID' mapped to 'SAMACCOUNTNAME'
'COMPANY' mapped to 'COMPANY'
'LOCATION' mapped to 'C'
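As an added illustration (not code from the original post and not SAP GRC's own implementation), the following Python models how the #!#VAR#!# variables of the EUP default value are resolved from the Active Directory group field mapping above, for both a SECUDE and a Kerberos style template. The AD entry is constructed sample data, and raising an error on an unresolved variable is an assumption about what a safe implementation should do, not documented GRC behaviour.

```python
import re
from typing import Dict, Mapping

# Placeholder syntax used in the EUP default value, e.g. #!#USERID#!#
PLACEHOLDER = re.compile(r"#!#([A-Z_]+)#!#")

# AC field -> LDAP attribute, as maintained in the group field mapping
# for Microsoft Active Directory (the mapping described in the text).
AD_FIELD_MAPPING: Dict[str, str] = {
    "USERID": "sAMAccountName",
    "COMPANY": "company",
    "LOCATION": "c",
}


class UnresolvedVariable(ValueError):
    """Raised when a template variable has no value for the user (assumed behaviour)."""


def build_ac_fields(ad_entry: Mapping[str, str],
                    mapping: Mapping[str, str] = AD_FIELD_MAPPING) -> Dict[str, str]:
    """Fill the AC fields from an AD entry via the group field mapping.
    USERID_L is derived from USERID, as in EUP (USERID in lower case)."""
    fields = {ac: ad_entry[attr] for ac, attr in mapping.items()
              if ad_entry.get(attr)}          # skip empty or missing attributes
    if "USERID" in fields:
        fields["USERID_L"] = fields["USERID"].lower()
    return fields


def resolve_snc_name(template: str, fields: Mapping[str, str]) -> str:
    """Replace every #!#VAR#!# in the EUP default value with its AC field value.
    An unresolved variable is treated as an error: provisioning a half-built
    SNC name would bind the SAP user to a wrong or nonexistent external identity."""
    def repl(match):
        name = match.group(1)
        if name not in fields:
            raise UnresolvedVariable(f"no value for {name} in {template!r}")
        return fields[name]
    return PLACEHOLDER.sub(repl, template)


# Constructed sample AD entry, not real directory data
SAMPLE_AD_ENTRY = {"sAMAccountName": "TESTUSER", "company": "SAP-AG", "c": "DE"}

if __name__ == "__main__":
    ac = build_ac_fields(SAMPLE_AD_ENTRY)
    print(resolve_snc_name("p:CN=#!#USERID#!#, O=#!#COMPANY#!#, C=#!#LOCATION#!#", ac))
    print(resolve_snc_name("p:#!#USERID#!#@DEV61.DEV-WDF.SAP.CORP", ac))
```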


Example of a Kerberos 5 printable SNC name: p:TESTUSER@DEV61.DEV-WDF.SAP.CORP

Although the default value of the SNC name in EUP can be set to p:#!#USERID#!#@DEV61.DEV-WDF.SAP.CORP, another approach might be required. In the following scenario the LDAP connector is Microsoft Active Directory, and this LDAP connector has been maintained as the user detail data source in SAP GRC customizing.

Group field mapping can be maintained for the AC field 'SNCNAME', which is easy if there is an LDAP attribute that contains the SNC name exactly. When 'SNCNAME' is mapped to 'USERPRINCIPALNAME' from Active Directory, the 'p:' prefix still has to be added in front of it. This can be done with an enhancement implementation, creating a post-exit method for the method FILL_ADSTRUCTURE in the class CL_GRAC_AD_ACCESS_MGMT_LDAP. This WIKI provides guidance on how to create a simple enhancement:


  METHOD ipo_z_snc~fill_adstructure.
*"------------------------------------------------------------------------*
*" Declaration of POST-method, do not insert any comments here please!
*"
*"methods FILL_ADSTRUCTURE
*"  importing
*"    !IV_GROUP_MAP type GRAC_T_GRPFLDMAP
*"    !IV_VALUE_TABLE type CL_GRAC_AD_ACCESS_MGMT_LDAP=>YT_SYSTEM_FIELD_VALUE
*"  changing
*"    !ES_USER_DETAIL type GRAC_S_USER_DETAIL .
*"------------------------------------------------------------------------*
    FIELD-SYMBOLS <fs_snc> TYPE grac_s_user_snc.

*   The post-exit runs after the group field mapping has filled ES_USER_DETAIL,
*   so the SNC component already holds the raw USERPRINCIPALNAME value.
    ASSIGN COMPONENT 'snc' OF STRUCTURE es_user_detail TO <fs_snc>.

    IF sy-subrc = 0.
*     Only prefix a name that was actually mapped; an empty value would
*     otherwise be turned into the meaningless SNC name 'p:'.
      IF <fs_snc>-pname IS NOT INITIAL.
*       Use the upper case form shown in the Kerberos example above
        TRANSLATE <fs_snc>-pname TO UPPER CASE.
*       Build the printable name, e.g. p:TESTUSER@DEV61.DEV-WDF.SAP.CORP
        CONCATENATE 'p:' <fs_snc>-pname INTO <fs_snc>-pname.
      ENDIF.
    ENDIF.

    UNASSIGN <fs_snc>.
  ENDMETHOD.

With this enhancement in place, the SNC name for Kerberos is fetched into the access request from the User-Principal-Name attribute of Active Directory.



Best Regards,

Zoltan Galik