Hi Sonal,

I see this question is pending for a while, so let me try to help you.

I am not familiar with SAP GRC not even proficient with SAP, but from your explanation I believe SAP GRC wil be your end-user and authorization roles management. This typically falls into an integration approach we use at OutSystems that wraps both the platform's login and the external system's into a single logic. In other words, an end-user logging in to OutSystems would also login into SAP GRC simultaneously. To accomplish this, in a typical OutSystems module I would proceed the following way:
   1. Open the Common Flow of your application module (this flow is typically created when a new module/application is created in Service Studio)
   2. Open the Login screen action inside the Login web screen
   3. Wrap the Login action in a new Login_Unified action (or some other name of your preference) to do two things:
     a) use your preferred integration method (Web Service, BAPI, RFC, etc.) to login the user into SAP first;
     b) check if the login to SAP GRC was successful, if so then search the username in the User system entity. If the user does not exist then create it with the bare minimum information (name, username, created date, active flag to true), then use the System Login Action (the one that accepts a UserId) and remove the previous Users_Login Action (since we're no longer need a username and password, by confirming that the user logged in correctly in SAP GRC) - a similar design approach is done in the Platform's User eSpace module, which you can clone to see the contents of the Users_Login Action

One other thing: are you using OutSystems for SAP Edition? If that's the case, then SAP integration should be much simpler and you can even look up the necessary BAPIs through Service Studio (not sure about SAP GRC); if this is not possible then you can still use your mentioned approach (Web Services) or the (deprecated) SAP Wizard in Integration Studio

Please let us know if this put you on the right track.