The identity provider determines the source of the user information. You can choose which identity providers to use for the user information, and define which source fields are mapped to the user.
For example, if NetWeaver is set as the identity provider for the Audit Manager application role, then when you create an audit and assign a user as the audit manager, that user's data is provided by NetWeaver.
This document explains how the identity provider is used in Audit Management and describes the related fields in the SPRO settings.
Follow path in IMG:
SPRO-> SAP Audit Management -> Basic Settings -> Application User and Role Settings -> Maintain Identity Provider Settings
The user information (user identity) can be fetched either from NetWeaver User Management (NW) or from an LDAP server. Customers can also create their own identity provider.
Note: if the user information is to be picked up from LDAP, make sure the LDAP server is correctly configured.
If NW is the identity provider:
1. Enter the identity provider ID and name, for example ID: NW, Name: NetWeaver.
2. Check the box in the Cache column if you want the system to cache user information. Caching lets the system return user details faster, because it does not have to go back to the NW system or LDAP server and look up the user each time; it serves the data from the cache instead.
3. In the Class/Interface column, enter the class for the identity provider. A custom identity provider class can be created by implementing the interface IF_GRCAUD_IDENTITY_PROVIDER.
The standard class for NW is CL_GRCAUD_NW_IDP and for LDAP it is CL_GRCAUD_LDAP_IDP.
If LDAP is the identity provider, maintain the mapping between the user fields in SAP Audit Management and the fields from the LDAP server.
You can map LDAP fields to the following IDP fields:
- USER_ID_ATTRIBUTES: The user ID. If this entry is not maintained, default value OBJECTGUID is mapped to the field.
- USER_NAME_ATTRIBUTE: The user name. If this entry is not maintained, default value CN is mapped to the field.
- USER_OBJECT_CLASS: The object class of the user. If this entry is not maintained, default value USER is mapped to the field.
Note: To update the user information from the LDAP server, execute program GRCAUD_SYNC_USER_CACHE.
This program picks up any changes in the user information and refreshes the cache; until it runs, the cache still serves the previously synced data.
You may refer to KBA 2422922 - How to sync Audit Staff in the Audit Management System
The following section explains how the identity provider works in the Audit Management front-end application.
Log in to the Audit Management Fiori application, create an audit, and navigate to the Team tab.
You will find the application roles there and will have to assign team members to the corresponding roles.
Open the F4 help for any of the application roles:
The search is based on the identity provider (NW or LDAP) defined in SPRO. Based on the assignment between PFCG roles and application roles, users can be assigned to the Audit Lead, Auditor and Audit Manager roles respectively.
For example, say PFCG ROLE 1 is assigned to the Audit Manager application role.
Then only those users from the identity provider (NW/LDAP) who have been assigned PFCG ROLE 1 in SU01 will appear in the F4 search.
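As an added example (not SAP's own code and not an implementation of IF_GRCAUD_IDENTITY_PROVIDER), the following Python model shows how the two mechanisms described on this page fit together: the LDAP field mapping with its defaults, and the PFCG-role filter that decides who appears in the F4 search. The directory entries, the PFCG role names and the assumption that SU01 role assignments are keyed by the same user ID the identity provider returns are all constructed for this example.

```python
# Illustrative model, not SAP code, of how the LDAP mapping fields and the
# PFCG-role filter described on this page combine for the F4 user search.
# Every directory entry, role name and helper name here is constructed.

DEFAULT_MAPPING = {  # applied for any IDP field that is not maintained
    "USER_ID_ATTRIBUTES": "OBJECTGUID",
    "USER_NAME_ATTRIBUTE": "CN",
    "USER_OBJECT_CLASS": "USER",
}

def resolve_mapping(maintained):
    """Fill every IDP field that was left empty with its default value."""
    mapping = dict(DEFAULT_MAPPING)
    mapping.update({k: v.upper() for k, v in maintained.items() if v})
    return mapping

def map_ldap_users(entries, mapping):
    """Return {user_id: user_name} for entries of the mapped object class.
    LDAP attribute names are case-insensitive, so they are compared upper-cased;
    entries lacking the mapped ID attribute are skipped rather than imported."""
    users = {}
    for entry in entries:
        attrs = {k.upper(): v for k, v in entry.items()}
        classes = {c.upper() for c in attrs.get("OBJECTCLASS", [])}
        if mapping["USER_OBJECT_CLASS"] not in classes:
            continue
        user_id = attrs.get(mapping["USER_ID_ATTRIBUTES"])
        if not user_id:
            continue
        users[user_id] = attrs.get(mapping["USER_NAME_ATTRIBUTE"], "")
    return users

def f4_candidates(users, pfcg_assignments, app_role_to_pfcg, app_role):
    """Only users holding the PFCG role mapped to the application role appear."""
    required = app_role_to_pfcg[app_role]
    return sorted(u for u in users if required in pfcg_assignments.get(u, set()))

# Constructed sample data: two user objects and one non-user object.
LDAP_ENTRIES = [
    {"objectGUID": "guid-001", "cn": "Alice Auditor", "objectClass": ["top", "user"]},
    {"objectGUID": "guid-002", "cn": "Bob Manager", "objectClass": ["top", "user"]},
    {"objectGUID": "guid-003", "cn": "Printer Room", "objectClass": ["top", "device"]},
]
# Assumption: SU01 role assignments keyed by the same user ID the IDP returns.
PFCG_ASSIGNMENTS = {"guid-001": {"Z_AUDITOR"}, "guid-002": {"Z_AUDIT_MANAGER", "Z_AUDITOR"}}
APP_ROLE_TO_PFCG = {"AUDIT_MANAGER": "Z_AUDIT_MANAGER", "AUDITOR": "Z_AUDITOR"}

if __name__ == "__main__":
    users = map_ldap_users(LDAP_ENTRIES, resolve_mapping({"USER_NAME_ATTRIBUTE": ""}))
    print(f4_candidates(users, PFCG_ASSIGNMENTS, APP_ROLE_TO_PFCG, "AUDIT_MANAGER"))
```

Leaving a mapping entry empty falls back to the documented default, and the non-user object is never imported, so a misconfigured USER_OBJECT_CLASS shows up as an empty F4 list rather than as stray entries.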