

The identity provider determines the source of the user information. You can choose which identity provider supplies the user information and define which source fields are mapped to the user.

For example, if NetWeaver is set as the identity provider for the Audit Manager application role, then when a user creates an audit and assigns someone as the audit manager, that person's user data is provided by NetWeaver.

This document explains how the identity provider is used in Audit Management and describes the related fields in the SPRO settings.

Follow this path in the IMG:

SPRO -> SAP Audit Management -> Basic Settings -> Application User and Role Settings -> Maintain Identity Provider Settings

The user information (user identity) can be fetched either from NetWeaver User Management (NW) or from an LDAP server. Customers can also create their own identity provider.

Note: If the user information is to be picked up from LDAP, make sure the LDAP server is configured correctly.

In the case of NW as the identity provider:

1. Enter the identity provider ID and name, for example ID: NW, Name: NetWeaver.

2. Check the box in the Cache column if you want the system to cache user information. The cache lets the system fetch user details faster, because it does not go back to the NW system or LDAP server to look up the user each time; it uses the cached information instead.

3. In the Class/Interface column, enter the class for the identity provider. A custom identity provider class can be created by implementing the interface IF_GRCAUD_IDENTITY_PROVIDER.
The standard class used for NW is CL_GRCAUD_NW_IDP and for LDAP CL_GRCAUD_LDAP_IDP.

In the case of LDAP as the identity provider, maintain the mapping between the user fields in SAP Audit Management and the fields from the LDAP server.

You can map LDAP fields to the following IDP fields:

    • USER_ID_ATTRIBUTES: The user ID. If this entry is not maintained, the default value OBJECTGUID is mapped to the field.
    • USER_NAME_ATTRIBUTE: The user name. If this entry is not maintained, the default value CN is mapped to the field.
    • USER_OBJECT_CLASS: The object class of the user. If this entry is not maintained, the default value USER is mapped to the field.

Note: To update the user information from the LDAP server, execute program GRCAUD_SYNC_USER_CACHE.
This program picks up any changes in the user information and updates the cache.
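The following added example (illustrative code, not SAP's CL_GRCAUD_LDAP_IDP or the sync program) models the three LDAP settings above: how an unmaintained entry falls back to its default, how the mapped object class and name attribute end up in the LDAP search filter, and why the cache from step 2 goes stale until the sync program is run. The directory entries and attribute names other than the documented defaults are constructed sample data; the RFC 4515 escaping is added so that text typed into the search cannot change the filter's structure.

```python
"""Added model of the LDAP identity-provider settings: mapping defaults,
LDAP filter building and the user cache. Not SAP's own code; the directory
entries below are constructed sample data."""

# Defaults the documentation states for unmaintained mapping entries.
MAPPING_DEFAULTS = {
    "USER_ID_ATTRIBUTES": "OBJECTGUID",
    "USER_NAME_ATTRIBUTE": "CN",
    "USER_OBJECT_CLASS": "USER",
}

# Constructed stand-in for the LDAP server: one dict of attributes per entry.
SAMPLE_DIRECTORY = [
    {"OBJECTGUID": "1111-aaaa", "CN": "Alice Auditor", "sAMAccountName": "AAUDITOR"},
    {"OBJECTGUID": "2222-bbbb", "CN": "Bob Lead", "sAMAccountName": "BLEAD"},
]


def resolve_mapping(customizing):
    """Effective mapping: maintained entries win, unmaintained ones get the documented default."""
    effective = dict(MAPPING_DEFAULTS)
    for field, value in customizing.items():
        if field not in MAPPING_DEFAULTS:
            raise KeyError("unknown IDP field: %s" % field)
        if value:  # an empty value is treated as "not maintained"
            effective[field] = value
    return effective


def escape_ldap_value(value):
    """RFC 4515 escaping so search text cannot alter the filter structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_filter(mapping, search_text):
    """Filter a user search would send: mapped object class AND prefix match on the mapped name attribute."""
    return "(&(objectClass=%s)(%s=%s*))" % (
        escape_ldap_value(mapping["USER_OBJECT_CLASS"]),
        mapping["USER_NAME_ATTRIBUTE"],
        escape_ldap_value(search_text),
    )


class CachedIdentityProvider:
    """Identity provider with the optional cache from step 2.

    get_user() answers from the cache when it is enabled; sync() plays the role
    of the sync program and rebuilds the cache from the directory."""

    def __init__(self, directory, mapping, use_cache=True):
        self.directory = directory
        self.mapping = mapping
        self.use_cache = use_cache
        self._cache = {}
        self.backend_reads = 0  # how often the LDAP server was actually consulted

    def _to_user(self, entry):
        return {
            "id": entry[self.mapping["USER_ID_ATTRIBUTES"]],
            "name": entry[self.mapping["USER_NAME_ATTRIBUTE"]],
        }

    def _read_backend(self, user_id):
        self.backend_reads += 1
        id_attr = self.mapping["USER_ID_ATTRIBUTES"]
        for entry in self.directory:
            if entry.get(id_attr) == user_id:
                return self._to_user(entry)
        return None

    def get_user(self, user_id):
        if self.use_cache and user_id in self._cache:
            return self._cache[user_id]
        user = self._read_backend(user_id)
        if self.use_cache and user is not None:
            self._cache[user_id] = user
        return user

    def sync(self):
        """Rebuild the cache from the directory; returns the number of users cached."""
        users = [self._to_user(entry) for entry in self.directory]
        self._cache = {user["id"]: user for user in users}
        return len(self._cache)
```

A renamed directory entry keeps its old name in `get_user()` until `sync()` is called, which is exactly why the note above says to run the sync program after changes on the LDAP side; with `use_cache=False` every lookup goes back to the directory.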

You may refer to KBA 2422922 - How to sync Audit Staff in the Audit Management System.

The following explains how the identity provider works in the Audit Management front-end application.

Log in to the Audit Management Fiori application, create an audit and navigate to the Team tab.

The user will see the application roles and has to assign team members to the corresponding roles.

See below:

Open the F4 help for any of the application roles:

The search is based on the identity provider (NW or LDAP) defined in SPRO. Based on the PFCG role and application role assignment, users can be assigned to the Audit Lead, Auditor and Audit Manager roles respectively.

For example, say PFCG ROLE 1 is assigned to the Audit Manager application role.
Only those users who have been assigned PFCG ROLE 1 in SU01 will appear in the F4 search from the identity provider (NW/LDAP).
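The added example below (illustrative, not SAP's own F4 implementation) models the rule just described: the identity provider supplies the user population, and only users who hold the PFCG role assigned to the application role are offered as candidates. The application-to-PFCG role table, the SU01 role assignments and the identity-provider user list are all constructed sample data; the role names are placeholders, not real customizing.

```python
"""Added model of the F4 candidate list: IdP users filtered by the PFCG role
assigned to the application role. Not SAP's own code; all data is constructed."""

# Constructed: PFCG role assigned to each application role (placeholder names).
APP_ROLE_TO_PFCG = {
    "AUDIT_MANAGER": "ZPFCG_ROLE_1",
    "AUDIT_LEAD": "ZPFCG_ROLE_2",
    "AUDITOR": "ZPFCG_ROLE_3",
}

# Constructed: PFCG roles per user, as maintained in SU01.
SU01_ROLE_ASSIGNMENTS = {
    "AAUDITOR": {"ZPFCG_ROLE_3"},
    "BLEAD": {"ZPFCG_ROLE_2", "ZPFCG_ROLE_3"},
    "CMANAGER": {"ZPFCG_ROLE_1"},
    "DNOROLE": set(),
}

# Constructed: users returned by the identity provider (NW or LDAP).
IDP_USERS = {
    "AAUDITOR": "Alice Auditor",
    "BLEAD": "Bob Lead",
    "CMANAGER": "Carol Manager",
    "DNOROLE": "Dan Norole",
    "EXTERNAL": "Eve External",  # known to the IdP but has no SU01 user at all
}


def f4_candidates(app_role, search_text="", idp_users=IDP_USERS,
                  role_assignments=SU01_ROLE_ASSIGNMENTS, app_role_map=APP_ROLE_TO_PFCG):
    """User IDs offered in the F4 help for app_role.

    A user must come from the identity provider AND hold the PFCG role mapped to
    the application role; an optional search text narrows by ID or name."""
    required_role = app_role_map[app_role]
    needle = search_text.lower()
    return sorted(
        uid for uid, name in idp_users.items()
        if required_role in role_assignments.get(uid, set())
        and (needle in uid.lower() or needle in name.lower())
    )


def idp_users_without_su01(idp_users=IDP_USERS, role_assignments=SU01_ROLE_ASSIGNMENTS):
    """IdP users with no SU01 record: they can never appear in any F4 search,
    which is the first thing to check when an expected team member is missing."""
    return sorted(uid for uid in idp_users if uid not in role_assignments)
```

Running `f4_candidates("AUDIT_MANAGER")` on the sample data returns only the user holding the placeholder role ZPFCG_ROLE_1; a user the identity provider knows but who has no SU01 user or lacks the role is simply absent, which matches the behaviour described above.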