CUA vs IDM vs GRC

Hello All,
We are implementing brand-new SAP software.
We have GRC and IDM licences.
There is an overlap of functionality (CUA, IDM, GRC).
What is the best approach to using these tools effectively?
We have configured GRC-RAR now.
Thank you in advance for the recommendations.

Hi Saayi,
You can have multiple scenarios, either you can have GRC as the leading provisioning system or IdM as the leading provisioning system.
SAP IdM -> GRC AC -> CUA
Have a look at the GRC AC 5.3 Configuration guide, it has a dedicated unit on "Access Control and Identity Manager Integration", which describes the two scenarios very well.
PS: Please do not cross-post; you have the same question in the GRC Forum.
Cheers !!
Zaheer

Similar Messages

  • CUA Feature now in GRC 10??

    Dear Colleagues,
    We have GRC 10 and a CUA based on Solution Manager 7.1. The setup is working. We got the information from SAP that it is (now) possible to use all CUA features directly with GRC. The advantage would be that role assignments would be checked directly with regard to segregation of duties.
    I searched in the forum but could not find any information regarding that topic.
    Regards,
    Alexander

    Hi Alexander,
    All those features can be performed from Access Requests in GRC, which will then perform the actions via the CUA system into the child systems.
    You need to maintain the CUA-child system mappings in SPRO in the User Provisioning section of the GRC node.
    Also ensure that your SCUM settings for Role Provisioning, User Maintenance etc. are set accordingly.

  • CUA to IDM migration

    Hi all,
    Can you advise me on the questions below?
    1) How do we migrate from CUA to IDM? Is any step-by-step guide available?
    The SAP Insider document on IDM describes the approach as:
        • Install SAP NetWeaver Identity Management on top of CUA.
        • Start connecting the ABAP systems to SAP NetWeaver Identity Management and disconnecting them from CUA.
        • When you have disconnected the last ABAP system from CUA, you can then shut down CUA to complete a successful migration.
    >> My understanding is that CUA is the SU01 transaction in ABAP; what does it mean to install IdM on top of CUA and shut down CUA after migration?
    I need clarification on this.
    2) For the IDM setup, is a separate server a must? And does it require a separate licence other than NetWeaver?

    Hi Jaichan,
    1) During the CUA migration to IDM, is any setup inside the CUA system required?
    No changes to the current CUA are required. IDM will be installed separately.
    This article might be useful for you.(Page 14)
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0ad23d3-3664-2a10-8aa7-e9c3c8616d48
    2) Is the collection process from non-SAP/SAP systems into IDM just a copy into the user master tables, or is it really a one-to-one mapping (synchronising automatically)? I need more technical details.
    No. In IDM, HCM or any other system can supply the basic data. However, before connecting other systems, it is a better idea to take all the user data from CUA.
    Once the users are in IDM, you have to do the role/privilege settings and provision the same to the other systems.
    This article might be useful for you.
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e04a0800-1cdf-2b10-218a-94ba2cfeb2dd
    3) I would also like to know technically how a non-SAP ADS source can be synchronised with IDM.
    Can you specify the document name for this?
    4) I think customers use LDAP with Java to synchronise with CUA; how is the LDAP part taken care of by IDM? Suggestions please.
    This article might be useful for you.
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a73a89d3-0901-0010-5a8b-f2e03467117f
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/706065c4-3564-2a10-2382-a52fcbd7eefb
    These Documents will also help you.
    [Installation Overview|https://websmp205.sap-ag.de/~sapidb/011000358700000062312008E]
    [Installing the Management Console and Runtime Components|https://websmp205.sap-ag.de/~sapidb/011000358700000061872008E]
    [Operations Guide |https://websmp205.sap-ag.de/~sapidb/011000358700001876292008E]
    Hope this helps,
    + An

  • Question: CUA to IDM Migration Guide?

    Is there a guide/document that talks about migrating from CUA to IDM?
    Thanks!

    Hi
    This one: Identity Management for SAP System Landscapes: Architectural Overview
    and this one: Identity Management for SAP System Landscapes: Configuration Guide
    talk briefly about the integration into an existing CUA landscape.
    AFAIK one connects IdM to the CUA system and reads all the data. Afterwards you remove the systems step by step from CUA and let IdM handle them.
    Hope I could help
    Michael

  • GRC, CUA and IDM

    We are in the process of installing GRC 10.0 in our landscape. We have the following questions:
    1. Can I run my CUA from the GRC box instead of, say, Solman?
    2. Can I hook GRC up to LDAP so that I import the users from Active Directory?
    3. Do we need IDM if Active Directory is hooked up to the system where we have CUA?
    Regards,
    Kedar
    Edited by: Kedar Joshi on Aug 8, 2011 5:57 PM

    Hi Kedar,
    The easy answer to your question is yes to all of them!
    1. It is technically possible to run CUA from the GRC box as it is an ABAP based environment.
    Depending on your user provisioning processes though, you may want to consider the scope of using CUA.
    For example, you may want to retain CUA for pre-production access but may want to have automated Access Request Management (CUP) for the production environments. Alternatively, if you are going down the full IDM route, you may wish to have everything provisioned via GRC rather than having the additional manual assignments through CUA.
    2. Yes, you can still connect to LDAP Active Directory from GRC. There is a technical change in setting up the connection as it uses an RFC destination rather than a JCo but it's still possible and actually advisable for creating a single user master source.
    3. This is slightly more difficult to say without further knowledge of your organisation. Generally, IDM is focussed on a more holistic view of user access across the enterprise estate. IDM is still of use when managing SAP and non-SAP applications and managing the roles from a business perspective. Whilst GRC is able to offer the business role concept inherently, it is still slanted towards the management of risk rather than pure Identity Management, and therefore the tools perform separate yet integrated functions.
    I hope this helps.
    Simon

  • Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

    Hello,
    I am trying to integrate CUA into our GRC 10.1 system, and so far I have completed the steps below following SAP Notes 1680108 and 1616121:
    1. Connected CUABOX to GRCBOX like a plug-in system.
    2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
    3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
    After reading a few discussions on SCN, I have figured out that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into the GRC system for provisioning in the CUA child systems.
    Unfortunately, this template has multiple fields and I am unable to determine which fields should be populated as CUA Global System and CUA Child System for the import into GRC. Also, when we upload the CUA child system roles template, what selections should be made in the Role Import window?
    Any help in this regard is very helpful.
    Thank you,
    Pawan

    Hi Alessandro,
    I have the "Create user if does not exist" setting checked for both the change action and the assign role action, and I also have CUA enabled. Here is the list of steps that I am performing:
    1. Create an access request for a new account, T-CUA_CHILD, and select a role from a child system ECC, Z_ECC_ROLE_IN_CHILD_SYSTEM.
    2. Approvals are provided to assign the ECC role.
    3. I see the following in GRFNMW_DBGMONITOR_WD:
        Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY
            New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
            T-CUA_CHILD User does not exist in target system CUA
    GRC created an account without role assignments in ECC, but also threw me an error that the user does not exist in CUA.
    However, if I select roles from both CUA and ECC, it creates the account in both systems with the selected role assignments.
    So I am wondering if there is a way to provide CUA access to users by default for new-account request types. I have tried setting up default roles for CUA, but it does not assign the roles by default until I select the CUA system.
    Thank you for your help!
    Pawan

  • [Initial Password] CUA vs IdM

    Hi,
    Please correct me if I am wrong: when CUA changes passwords in the child systems, they are set as initial. That means that on the first logon the user has to change the password.
    Is there a possibility for IdM to set a "definitive" password? It seems so to me after reading
    |                     |        CUA        |  Identity Management       |
    | Password management | Initial passwords | yes incl. workflow support |
    in https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/7037d982-40aa-2a10-e283-a76a9dfc93ab, page 29
    Thanks in advance.
    Best regards,
    Guillaume

    IdM can only do what SAP permits. How one authenticates determines the password policy. An initial password, an expired password and a password reset by an administrator all set the same flag: the user must change their password on next logon. The only way around this is to write directly to the DB with SAP's hash. A terrible idea and a big security risk.
    UME uses a delegated model so the password policy depends on what you are authenticating against.  This question is normally asked because a company wants to do password synchronization; one is better off doing SSO.

  • SAP IDM and GRC 5.3

    Hi all,
    I'm running SAP IDM 7.0 with GRC Provisioning Framework 5.3 and GRC 5.3 with AE/CC/...
    When I test the web task "Sample WF Create GRC User" from the GRC Provisioning Framework, the process launched works, but I'm facing the following problem:
    If I put 2 SAP roles on the previous request (with no conflict the first time), I see 2 requests created as "NEW" with 1 role each. If I add 3 SAP roles, I get 3 requests, ...
    So, as you understand, I never get a conflict detected by Compliance Calibrator.
    How should I proceed to get only 1 request with all the SAP roles requested from SAP Identity Management?
    I also tried to change the Priority, Type and Employee Type request attributes directly on the task "GRC - create account user with a single privilege", but it seems that SAP Identity Management does not send the correct value to SAP GRC 5.3.
    Thanks for your help,
    Benjamin

    Hi all,
    Due to the following notes
    https://service.sap.com/sap/support/notes/1318053
    https://service.sap.com/sap/support/notes/1168508
    I upgraded SAP GRC 5.3 to SP7 Patch 1.
    But now, when the SUBMIT REQUEST is sent to GRC from VDS, I'm facing an error that I did not get with SP5 or SP6:
    Exception from Add operation:javax.naming.NamingException: [LDAP: error code 1 - (GRC Submit Request:1:[msgcode=2010;msgdescription=SqlException occured while getting Global DueDate;msgtype=JAVA ERROR])]; remaining name 'cn=ZTEST0001,ou=submitrequest,o=grc'
    I looked at the VDS log files and VDS seems to send a correct request:
    FULL OUTPUT: {requestreason=[Sent by Netweaver IdM], request_employeetype=[EMP_IT_EXTERNAL], roledata=[MSKEYVALUE=PRIV:GRC:A:MM:C:PUR_REQ_REL____:SITE-20!!MX_ENTRYTYPE=MX_PRIVILEGE!!MXREF_MX_APPLICATION=34653!!SYSID=SID-110!!DESCRIPTION=MM-PUR: PURCHASE REQUISITIONS - ASSIGN - RELEASE - 20!!TYPE=S!!VALIDFROM=2009-04-21!!VALIDTO=9999-12-31!!ROLEID=A:MM:C:PUR_REQ_REL____:SITE-20!!DISPLAYNAME=PRIV_GRC_A:MM:C:PUR_REQ_REL____:SITE-20!!MX_REPOSITORYNAME=GRC!!MX_PRIVILEGE_TYPE=GRC!!MX_ADD_MEMBER_TASK=479!!MX_DEL_MEMBER_TASK=479], mskeyvalue=[X9393664], requestorlastname=[MyLastName], request_priority=[HIGH], isid=[1], validfrom=[2009-04-21], validto=[9999-12-31], requestorfirstname=[MyFirstName], grc_operation=[ADD], mgrid=[XMGRID], lastname=[Manag]erLastNane], requestorid=[X9393664], auditid=[9970], cn=[X9393664], request_type=[NEW_HIRE], firstname=[MyFirstname], emailaddress=[myemail'at'company.com], requestoremailaddress=[myemail'at'company.com], application=[SID-110]}
    Has anyone already faced this problem?
    Benjamin

  • Can you have IDM and GRC on the same stack?

    Hi, I am new to IDM and am a NetWeaver Basis professional with some performance experience around GRC. Is it wise to place the two together on the same stack?
    The customer will have 190,000 employees, and lord knows what the roles will look like at this stage, but I'm just a bit worried as I have seen the GRC jobs run for an awfully long time with a lot fewer users/roles and chew things up a bit.
    The right advice would be appreciated.

    Now that's interesting.
    My architect told me that we were using the 7.1 version but in effect it runs on a 7.0 J2EE... perhaps he is having me on. If you know for sure then let me know; regardless, I'll have a dig in the documentation.
    Naturally, having Project and Dev share with GRC should not be considered an issue, but having production, pre-production and validation instances running combined with GRC is my concern, as I have seen GRC really slow up the system. The argument they are making is that the heavy jobs will run overnight and during the day it is mostly just collection and configuration of GRC. They are intending to run in production with 2 instances on 3 servers.

  • Request roles IdM to GRC - Error remaining name

    Hi experts!
    We have a problem with IdM/GRC when we try to change an employee's function in the company to another function in the User Interface, for example:
    - System Analyst I to System Analyst II.
    IdM sends the role for approval in GRC. Then, when we try to change the occupation of this employee, e.g. to "System Analyst II" (changing the occupation), IdM sends the new request to GRC with the role for approval; we approve, but in the backend ECC, GRC just "adds" the new role.
    We need the previous role to be removed; see the error in the attachments!
    Thanks
    Melkin

    Hi Matt,
    The WS is running OK on the GRC side; see below: "006" = approved and "009" = rejected.
    Thanks
    Melkin

  • Additional fields required for CUA to IDM IDOC

    Hi,
    I am deploying the Remote Loader for Novell IDM 3.5 on my SAP system (not using the HR driver).
    But I need to add additional fields to allow the logic within the driver to differentiate between external users and internal users.
    How can I amend the IDoc produced by the CUA framework within SAP to add the additional fields? My developer has already created a BAdI to grab the additional information to populate into the IDoc.
    I just need a way to add it to the IDoc for processing into the Remote Loader.
    TIA
    Chris

    Chris,
    You simply have to extend the schema mapping rule inside your driver configuration.
    In the mapping rule, you can map your new infotypes to Novell eDirectory attributes manually without changing your HRMDA_xx.meta file.
    To make the mapping handier, you can edit your HRMDA_xx.meta file and re-read it during the schema mapping process. Afterwards you can use the GUI wizard to process the mapping definition.
    - Holger

  • SAP IdM and GRC Integration Sample Scenario

    Has anyone implemented the sample scenario in the following document (page 11/14)?
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60a4802f-b6cd-2b10-1ebf-e269d127a634?quicklink=index&overridelayout=true
    Page: 8/48
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30027e41-b5cd-2b10-4593-df65027f8c55?quicklink=index&overridelayout=true
    Thanks
    Himadama

    Hi Kai,
    I tried to access your blog http://kaidentity.blogspot.com/ but I am getting "permission denied".
    I have attached the error. Could you please give me permission to read your blog?
    Regards,
    C Kumar

  • IDM - GRC AC 5.3 integration - workflow detour not working as expected

    Hi IDM Experts!
    I would greatly appreciate your help with the problem we're currently facing. When integrating IDM with GRC, we have configured two CUP workflows: one for handling requests with SoD violations (Workflow B) and one for handling requests without any SoD violations (Workflow C). The former handles risk analysis followed by role approval; the latter handles only role approval. We have one path with one stage configured as "No Stage" (Workflow A); this path is used to decide which of the primary workflows to use (i.e. SoD violations or no SoD violations) using two detours: one detour is configured to use Workflow B if any SoD violations are found in the request, and another detour is configured to use Workflow C if no SoD violations are found.
    Currently what happens in our tests is that requests without risks / SoD violations work fine and actually get detoured to Workflow C, awaiting role approval from the right approver, while requests with inherent risks / SoD violations unfortunately get automatically approved and provisioned rather than being sent to Workflow B.
    Any clues as to why this could be happening? We've checked whether there are any settings that might be triggering it to automatically approve requests despite the risks, but can't find anything of the sort. I would be very grateful for any insight / advice on the issue.
    Thanks a lot in advance!
    Best regards,
    Sandeep

    Hi Diego!
    Once again; thank you for your quick reply!
    I did recheck the auto-provisioning issue and I can confirm that it is definitely set to "No Auto-provisioning" and it hasn't been changed recently. The strange thing is that the detour works for NO SoD violations, but doesn't work for SoD violations; find below the audit trail for detour working:
    Request XXX Submitted by Sandeep (SANDEEP) on 01/28/2012 02:04 
       Z_111111-ECC Role Added with validity dates 01/28/2012-12/31/9999
    Request submitted for approval by admin(system) on 01/28/2012 02:04 
    Approved by Sandeep (SANDEEP) on behalf of Sandeep (SANDEEP) at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 02:04 
       Approved Z_111111-ECC role for Add action with validity dates 01/28/2012-12/31/9999
    Request has taken a detour to path C_WORKFLOW and stage C_STAGE on 01/28/2012 02:04 
       Detour condition SOD Violations with value No is satisfied at path WORKFLOW_A and stage WORKFLOW_A
    and find below the audit trail for the detour not working:
    Request YYY Submitted by Sandeep (SANDEEP) on 01/28/2012 01:53 
       Z_222222-ECC  Role Added with validity dates 01/28/2012-12/31/9999
    Request submitted for approval by admin(system) on 01/28/2012 01:53 
    Approved by Sandeep (SANDEEP)  on behalf of Sandeep (SANDEEP)  at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 01:53 
       Approved Z_222222-ECC role for Add action with validity dates 01/28/2012-12/31/9999
    Request Closed By Sandeep (SANDEEP) on 01/28/2012 01:53 
    I even checked the CUA System section, and the "By system" tab and it was empty; there were no specific system configurations.
    And to answer your questions:
    Since Workflow A is the path with the Initiator, the detour flag is deactivated and the active flag is activated.
    WF B & C have both the active and detour flags activated.
    Thanks a lot again for your quick responses and all the help you've provided so far!
    Best regards,
    Sandeep
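The audit trails quoted above are the evidence that matters in this situation: request XXX shows the detour line, request YYY goes from the initiator stage straight to "Request Closed". Whatever the root cause in the detour configuration turns out to be, a reviewer wants to find every request that took that second shape, because each one is a role provisioned without risk analysis or role approval. The following is an added example, not code from the thread or from SAP GRC. It parses audit-trail text in the format quoted above, groups lines per request, and flags requests that were closed without a detour and without any approval recorded outside the initiator path. The sample trail is constructed from the two excerpts above; the initiator path name `WORKFLOW_A` is an assumption taken from the thread, and the line patterns are those visible in the excerpts, not a complete grammar of the CUP audit log.

```python
import re

# Constructed audit-trail excerpt in the format quoted in the thread above
# (request ids and role names are the thread's placeholders, not real data).
AUDIT_TRAIL = """\
Request XXX Submitted by Sandeep (SANDEEP) on 01/28/2012 02:04
   Z_111111-ECC Role Added with validity dates 01/28/2012-12/31/9999
Request submitted for approval by admin(system) on 01/28/2012 02:04
Approved by Sandeep (SANDEEP) on behalf of Sandeep (SANDEEP) at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 02:04
   Approved Z_111111-ECC role for Add action with validity dates 01/28/2012-12/31/9999
Request has taken a detour to path C_WORKFLOW and stage C_STAGE on 01/28/2012 02:04
   Detour condition SOD Violations with value No is satisfied at path WORKFLOW_A and stage WORKFLOW_A
Request YYY Submitted by Sandeep (SANDEEP) on 01/28/2012 01:53
   Z_222222-ECC Role Added with validity dates 01/28/2012-12/31/9999
Request submitted for approval by admin(system) on 01/28/2012 01:53
Approved by Sandeep (SANDEEP) on behalf of Sandeep (SANDEEP) at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 01:53
   Approved Z_222222-ECC role for Add action with validity dates 01/28/2012-12/31/9999
Request Closed By Sandeep (SANDEEP) on 01/28/2012 01:53
"""

# Assumption: WORKFLOW_A is the initiator path whose only job is to detour.
# A request closed without ever leaving it has bypassed risk analysis and
# role approval.
INITIATOR_PATH = "WORKFLOW_A"

_SUBMIT_RE = re.compile(r"^Request (\S+) Submitted by ")
_ROLE_RE = re.compile(r"^(\S+)\s+Role Added with validity dates")
_DETOUR_RE = re.compile(r"^Request has taken a detour to path (\S+) and stage (\S+)")
_PATH_RE = re.compile(r"(?:at|to) path (\S+) and stage (\S+)")


def parse_audit_trail(text):
    """Group audit lines by request id (in order of appearance)."""
    requests = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SUBMIT_RE.match(line)
        if m:
            current = m.group(1)
            requests[current] = []
            continue
        if current is None:
            raise ValueError(f"audit line before any 'Request ... Submitted' header: {line!r}")
        requests[current].append(line)
    return requests


def summarize_request(lines):
    """Roles requested, paths visited, detour target (if any) and closed flag."""
    roles, paths, detour, closed = [], [], None, False
    for line in lines:
        m = _ROLE_RE.match(line)
        if m:
            roles.append(m.group(1))
        m = _DETOUR_RE.match(line)
        if m:
            detour = m.group(1)
        if line.startswith("Request Closed"):
            closed = True
        for path, _stage in _PATH_RE.findall(line):
            paths.append(path)
    return {"roles": roles, "paths": sorted(set(paths)), "detour": detour, "closed": closed}


def flag_bypassed_requests(text, initiator_path=INITIATOR_PATH):
    """Requests closed straight from the initiator path: no detour taken and
    no approval recorded on any other path."""
    flagged = []
    for rid, lines in parse_audit_trail(text).items():
        s = summarize_request(lines)
        if s["closed"] and s["detour"] is None and set(s["paths"]) <= {initiator_path}:
            flagged.append({"request": rid, "roles": s["roles"]})
    return flagged


if __name__ == "__main__":
    for hit in flag_bypassed_requests(AUDIT_TRAIL):
        print(f"{hit['request']}: closed at {INITIATOR_PATH} with no detour, roles {hit['roles']}")
```

Run over an exported audit trail, the output is the list of requests (and roles) that need a retroactive risk analysis; it does not tell you why the SoD detour did not fire, only which provisioning actions slipped past it.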

  • SAP IDM or CUA

    Hello Gurus,
    We have a GRC 10 implementation project going on; there are about 5 systems which we proposed to add to CUA and then connect to GRC for role provisioning.
    We have some confusion as to whether to go for IDM to manage the accounts centrally or to choose CUA.
    Please can you advise whether CUA or IDM is more beneficial?
    Regards,
    Pooja Saste

    Hello Pooja,
    My personal suggestion is to use IDM.
    Even our own SAP IT moved from CUA to IDM for several reasons: easy maintenance, better provisioning and simplified maintenance.
    IDM 7.2 comes with a GRC integration framework that works like a charm, and many other connectors for both SAP and non-SAP systems, so it will be easier for you if you have to integrate with another system in the future.
    Regards
    Todor

  • GRC: User not created in backend (CUA client)

    Hello expert,
    We have GRC 10, SP13.
    I have configured the connectors and settings for my CUA client.
    I also configured my CUA client in SPRO.
    I am able to select my CUA client in ARQ. When submitting, the request is approved.
    The audit log is showing:
    The application log is showing:
    But no user is provisioned in my CUA client, and no IDoc or log is showing in my CUA master.
    Did I miss something? Any advice is appreciated.
    Regards Nguyen

    Hi Ameet, thanks for your info.
    1) Maintain CUA Settings. Did you maintain the CUA system/client as the target client? --> Sorry, I am not sure what you mean. I have configured CUA for my backend and I can create a user via my CUA master; the CUA client is provisioned by IDocs sent from the master. Now I would like GRC to provision the user to the CUA client instead of the CUA master.
    2) Can you see all the child connectors under Maintain CUA Settings? Check the tables GRACCUADIST and GRACCUAMSTR. --> Yes, my configured CUA client is listed in table GRACCUADIST; table GRACCUAMSTR is empty, as I don't want my GRC to use CUA as a global tool.
    3) Have you installed the CUA plug-ins in the CUA system? --> My CUA client and master have the GRC plug-in.
    4) Check for the FM /GRCPI/GRIA_ASSIGN_OBJECT_NH. --> The FM exists in the CUA client/master and in GRC. What is this FM good for?
    Thanks for the advice, regards Nguyen
