Hello Experts,

In our scenario, We already have SAP GRC Access Control 10.1 implemented in our landscape and is used for access provisioning activities.

We have a new Outsystem application developed for procurement.

So basically this is a web based application used by user to create the purchase requisitions or PO etc. but backend would still be ECC.


Now we need to integrate the SAP GRC with this new outsystem for user provisioning.

We also need to integrate this Outsystem with SAP ERP as a backend.


We have few options, Hence we have decided to use Web service call via BAPI in the Outsystem.


Please help me find a step by step process for integrating this Outsystem with our GRC for user provisioning and Integrated with ECC as a Backend for Outsystem.


I couldnt find any documents for this scenario and any help would be much regarded.


Hi Sonal,

I see this question is pending for a while, so let me try to help you.

I am not familiar with SAP GRC not even proficient with SAP, but from your explanation I believe SAP GRC wil be your end-user and authorization roles management. This typically falls into an integration approach we use at OutSystems that wraps both the platform's login and the external system's into a single logic. In other words, an end-user logging in to OutSystems would also login into SAP GRC simultaneously. To accomplish this, in a typical OutSystems module I would proceed the following way:
   1. Open the Common Flow of your application module (this flow is typically created when a new module/application is created in Service Studio)
   2. Open the Login screen action inside the Login web screen
   3. Wrap the Login action in a new Login_Unified action (or some other name of your preference) to do two things:
     a) use your preferred integration method (Web Service, BAPI, RFC, etc.) to login the user into SAP first;
     b) check if the login to SAP GRC was successful, if so then search the username in the User system entity. If the user does not exist then create it with the bare minimum information (name, username, created date, active flag to true), then use the System Login Action (the one that accepts a UserId) and remove the previous Users_Login Action (since we're no longer need a username and password, by confirming that the user logged in correctly in SAP GRC) - a similar design approach is done in the Platform's User eSpace module, which you can clone to see the contents of the Users_Login Action

One other thing: are you using OutSystems for SAP Edition? If that's the case, then SAP integration should be much simpler and you can even look up the necessary BAPIs through Service Studio (not sure about SAP GRC); if this is not possible then you can still use your mentioned approach (Web Services) or the (deprecated) SAP Wizard in Integration Studio

Please let us know if this put you on the right track.