GRC AC and IDM integration

Hello community,
Does anyone know if we can configure the IDM role request workflow (configured on the IDM side) to use the Role Assigner and Role Content Approval configured on the GRC AC side?
Regards,
SAP Legend

Legend,
In addition to Dilip's suggestion, you can also refer to:
SAP Access Control 10.0 Interface for Identity Management
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d09f0171-02e8-2d10-be90-a4ad042a0e6e?QuickLink=index&…
Understanding the IdM 7.2 - GRC10 interface
Let us know if these help you.
Regards,
Ameet

Similar Messages

  • GRC, CUA and IDM

    We are in process of installing GRC 10.0 in our landscape. We have following questions?
    1. Can I run my CUA from GRC box instead of say Solman?
    2. Can I hook GRC with LDAP so I import the users from active directory?
    3. Do we need IDM, if active directory is hooked up to the system where we have the CUA?
    Regards,
    Kedar
    Edited by: Kedar Joshi on Aug 8, 2011 5:57 PM

    Hi Kedar,
    The easy answer to your question is yes to all of them!
    1. It is technically possible to run CUA from the GRC box as it is an ABAP based environment.
    Depending on your user provisioning processes though, you may want to consider the scope of using CUA.
    For example, you may want to retain CUA for pre-production access but may want to have automated Access Request Management (CUP) for the production environments. Alternatively, if you are going down the full IDM route, you may wish to have everything provisioned via GRC rather than having the additional manual assignments through CUA.
    2. Yes, you can still connect to LDAP Active Directory from GRC. There is a technical change in setting up the connection as it uses an RFC destination rather than a JCo but it's still possible and actually advisable for creating a single user master source.
    3. This is slightly more difficult to say without further knowledge of your organisation. Generally, IDM is focussed on a more holistic view of user access across the enterprise estate. IDM is still of use when managing SAP and non-SAP applications and managing the roles from a business perspective. Whilst GRC is able to offer the business role concept inherently, it is still slanted towards the management of risk rather than pure Identity Management, and therefore the tools do perform a separate yet integrated function.
    I hope this helps.
    Simon

  • AM and IDM Integration

    I have read http://blogs.sun.com/jo/entry/integrating_sun_java_system_identity and it is very good and it helped me understand a little more.
    Still, I have the following issue:
    -AM 7.1 installed in one AS 8.2 domain
    -idm 7.1 in another AS 8.2 domain
    -have some custom java classes that need to access AM from IDM xpress code.
    -copied classpath suffix from AM domain config to IDM domain and classes work ok.
    -after adding classpaths, restarted IDM domain and get
    java.lang.SecurityException: makeResponseResponse: Authentication protocol error: response too short: 16 or -10868 < 16|#]
    in any operation using Active Directory resource adapter.
    -IDM forum tells me that it is an AM issue, not an IDM issue.
    As I read the above document and the AS documentation as well, I see there are 2 options for using JAR files:
    1) specifying them in the domains classpath suffix
    2) specifying delegate=false property in sun-web.xml descriptor and
    moving all AM jar files to WEB-INF/lib
    I am guessing the error I am getting is related to a security issue, maybe with server.policy. I have specified the JAR files in the domain classpath suffix, and
    I also added IDM and AM grants in server.policy (as per the documentation).
    So the question I have is: how do I need to configure the AS domain if I only want to
    use the AM JAR files in a webapp (in this case the webapp being IDM)? I don't think I need to install a policy agent for this, I just need access to the JAR files without conflicts within the webapp (IDM).

    The best way to do it is to copy the necessary AM jar files to the idm WEB-INF/lib directory, just as other libraries idm uses.
    If you add it via classpath suffix you may experience some weird issues with appserver classloader because of the classloader hierarchy behavior (see appserver doc. if you want to know how it works).
    The option delegate=false is the default for every webapp in appserver, you shouldn't change this. This option means that the classloader reads the classes from your WAR first, then the appserver suffix, prefix, etc., and finally the system classes.
    Hope it helps.

  • GRC-IDM Integration: missing web-service?

    Hi Experts,
    I have been loading the GRC provisioning framework for SAP Netweaver IDM, as well as the VDS configuration file (in the templates available, I used SAP Netweaver > GRC Access Control 5.3 SP2). The integration is working fine and IDM is correctly communicating with CUP (I can create requests through IDM, and once the request is approved in CUP, the status is updated in IDM).
    However, in IDM when the GRC Provisioning framework gets a status "OK" from CUP, it triggers another task called "read provisioning log" (I am assuming that this is to retrieve the list of approved roles from CUP). This request gives me a fatal error:
    uLDAPGetEntry got exception
    javax.naming.NameNotFoundException: [LDAP: error code 32 -
    Couldn't perform DN to Data source mapping]; remaining name '
    After some investigations, I noticed that the GRC repository has a constant for the provisioning log web service called VDS2GRC_BRANCH_PROVISIONINGLOG (also described in the GRC integration configuration guide). Default value is ou=provisioninglog. When looking at the VDS, there is NO virtual tree for ou=provisioninglog ... so I am assuming this is the reason why the task fails.
    Has anybody gone through this already? Is there a procedure for creating this missing VDS entry, or does VDS 7.1 SP3 solve this issue? FYI, I am using Netweaver IDM 7.1 SP2 with the same version of the VDS. The GRC provisioning framework is the one currently available on SDN.
    Any idea would be appreciated!
    Kind regards,
    Jean-Christophe

    Hi,
    After further investigation and testing, it appears that VDS 7.1 SP3 comes with the correct set of data sources and web services, therefore solving this integration issue.
    Actually, we were facing other technical limitations due to the fact that the latest version of the GRC provisioning framework (available on the SDN) only works if we use VDS 7.1 SP3. For example, the attribute GRC_REQUEST_ID (used in the IDM task for tracking the CUP request ID) was not correctly updated in IDM.
    Updating the other components from SP2 to SP3 (IC, RT, Web Dynpro, etc.) was not necessary for us to make this provisioning log web service work, although I think it is better to keep a consistent patch level across the components.
    Kind regards,
    JC
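    The "DN to Data source mapping" failure above is the virtual directory looking for a branch that is not in its tree. The following is an added example, not part of the original thread or of SAP's VDS: a small model of how a virtual tree maps an incoming DN to a data source by longest matching DN suffix, plus a preflight check that reports which configured branch constants have no branch behind them. The root `o=grc`, the data source names and the second constant `VDS2GRC_BRANCH_REQUESTS` are assumptions for illustration; only `VDS2GRC_BRANCH_PROVISIONINGLOG` and its default `ou=provisioninglog` come from the post.

```python
LDAP_NO_SUCH_OBJECT = 32


class NameNotFoundException(Exception):
    """Mirrors the javax.naming error in the post: the DN suffix matches no virtual branch."""

    def __init__(self, dn):
        super().__init__(f"[LDAP: error code {LDAP_NO_SUCH_OBJECT} - "
                         f"Couldn't perform DN to Data source mapping]; remaining name '{dn}'")
        self.dn = dn


def split_dn(dn):
    """Split a DN into its RDNs, keeping backslash-escaped commas inside a value (RFC 4514)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped pair belongs to the value
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def normalize_dn(dn):
    """Lower-case the attribute types and trim whitespace; values are kept as written."""
    out = []
    for rdn in split_dn(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append(f"{attr.strip().lower()}={value.strip()}")
    return tuple(out)


class VirtualTree:
    """Branch DN -> data source name, resolved by the longest matching DN suffix."""

    def __init__(self, branches):
        self.branches = {normalize_dn(b): ds for b, ds in branches.items()}

    def add_branch(self, branch_dn, data_source):
        self.branches[normalize_dn(branch_dn)] = data_source

    def map_to_data_source(self, dn):
        rdns = normalize_dn(dn)
        for n in range(len(rdns), 0, -1):       # deepest (longest) branch wins
            hit = self.branches.get(rdns[-n:])
            if hit is not None:
                return hit, list(rdns[:-n])     # data source, RDNs below the branch
        raise NameNotFoundException(dn)


def missing_branches(tree, required):
    """Preflight: names of the configured branch constants that the tree cannot map."""
    missing = []
    for name, dn in required.items():
        try:
            tree.map_to_data_source(dn)
        except NameNotFoundException:
            missing.append(name)
    return missing
```

    Running `missing_branches` against the constants of the provisioning framework before the first request is the check that would have pointed straight at the absent `ou=provisioninglog` branch instead of leaving only an LDAP error 32 in the log.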

  • ActiveDirectory - SAP IDM integration in Identity Life cycle Management

    Hi Experts
    In our landscape SAP HCM is supposed to be the leading data source and SAP IDM takes identity information from SAP HCM. From SAP IDM it will provision into Active Directory, other third-party systems and SAP systems.
    Here are the questions:
    1) How can we leverage the investment in Active Directory after the SAP IDM - Active Directory integration? I mean, after SAP IDM comes to a landscape, Active Directory will only be used to log in to the domain and for authentication, if Active Directory has been set as the user data source for the Java systems. What are the other advantages of Active Directory - SAP IDM integration, as Active Directory will not be the leading data source and the identity information will be in the identity store?
    2) After the user details are taken from the SAP HCM system, will the user record be created in the SAP IDM identity store? Is that where we actually assign the SAP IDM business role and the related technical roles to the user?
    3) Suppose we assign a business role "employee"; will IDM actually create the user ID in all target systems and assign all the technical roles? Or do we have to manually select each target system repository in the Identity Center, select the privileges and provision them? Will there be any automated feature so that, after assigning the business role to the identity in the identity store, users and roles get automatically provisioned on all the target systems?
    Thank you in advance for your help.

    Hi Matt,
    Thank you very much.
    The only change we have is that before approval it should go to GRC AC to check all the compliance, and only after that is it approved and comes back to SAP IDM.
    I am actually looking for a tutorial which shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained. I suppose there is no such exact tutorial, and I want to know how we can configure this in SAP IDM. Any specific clues?
    I am also describing the exact steps that will follow. Correct me if I am wrong.
    1) The user ID will be created in AD with the same user name and password as in the identity store, and will be assigned AD groups.
    2) Create the same user in the Portal, make the user data source AD, and assign the Portal technical role as per the business role definition.
    3) Create the same user in all ABAP systems, set the ABAP database as the user data source, and assign the technical roles needed as per the business role definition.
    4) Create the same user in third-party systems with the privileges in their target systems as per the business role definition.
    With this, provisioning stops. I suppose all the above steps will be done automatically by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
    So some other information I wanted is:
    1) When you assign a business role in the workflow, how exactly does SAP IDM know about the target systems where the user should be created, assigned roles and given their authentication source?
    For example, a business role "employee" should get access to ERP with role X, AD with group Y and Portal with role Z. So in the workflow, when the business role employee is assigned, how will SAP IDM know that the user should be created in ERP with role X, AD with group Y and Portal with role Z? Can you explain technically along with detailed steps? Or how exactly do we configure a business role which knows the target systems and their technical roles?
    Thank you once again for the fabulous help. You/Matthew are a tremendous help in understanding SAP IDM better.
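    The mechanism the post is asking about (a business role that "knows" its target systems) reduces to a mapping from business role to repository to technical privileges, from which a provisioning plan is derived. The following is an added illustration written for this page, not SAP IDM's own code or configuration: it resolves assigned business roles into a desired state per repository, orders repositories so that a dependency (here the hypothetical rule that the Portal uses AD as its user data source) is created first, and produces the add and remove operations needed to reach that state. Business role names, repository names, technical roles and the dependency rule are all constructed for the example.

```python
# Constructed business-role model: business role -> repository -> technical roles / groups.
BUSINESS_ROLES = {
    "EMPLOYEE": {"AD": {"GRP_ALL_STAFF"}, "PORTAL": {"Z_PORTAL_ESS"}, "ERP_PRD": {"Z_ESS_USER"}},
    "AP_CLERK": {"ERP_PRD": {"Z_FI_AP_CLERK"}},
}

# Hypothetical ordering rule: the Portal account needs the AD account to exist first
# because AD is assumed to be the Portal's user data source.
DEPENDS_ON = {"PORTAL": ["AD"]}


def resolve(assigned_business_roles):
    """Desired state: repository -> set of technical roles justified by the business roles."""
    desired = {}
    for br in assigned_business_roles:
        for repo, techs in BUSINESS_ROLES[br].items():
            desired.setdefault(repo, set()).update(techs)
    return desired


def order_repositories(repos):
    """Topological order over DEPENDS_ON so that prerequisites are provisioned first."""
    ordered, seen = [], set()

    def visit(repo):
        if repo in seen:
            return
        seen.add(repo)
        for dep in DEPENDS_ON.get(repo, []):
            if dep in repos:
                visit(dep)
        ordered.append(repo)

    for repo in sorted(repos):
        visit(repo)
    return ordered


def plan(identity, current, desired):
    """Operations that move `current` (repo -> roles, only repos where an account exists)
    to `desired`. Roles no longer justified by any business role are removed, and an
    account with nothing left to justify it is disabled rather than silently kept."""
    ops = []
    for repo in order_repositories(set(current) | set(desired)):
        have = current.get(repo)
        want = desired.get(repo, set())
        if have is None and want:
            ops.append(("CREATE_ACCOUNT", repo, identity))
        present = have or set()
        for role in sorted(want - present):
            ops.append(("ADD", repo, role))
        for role in sorted(present - want):
            ops.append(("REMOVE", repo, role))
        if have is not None and not want:
            ops.append(("DISABLE_ACCOUNT", repo, identity))
    return ops
```

    Running `plan` a second time with a smaller set of business roles is the part that matters for least privilege: the diff yields only `REMOVE` operations, so a role change never leaves stale access behind in a target system.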

  • OpenSSO-Sun IDM integration

    Hi All,
    I have implemented the OpenSSO-Sun IDM integration based on the "OpenSSO Integration Guide.pdf". Now, users created in Sun IDM are provisioned to OpenSSO. Can anyone suggest whether users created in OpenSSO can be provisioned to Sun IDM?
    Also, is there any way to have password sync between OpenSSO and Sun IDM users? That is, if the user's password is changed in OpenSSO, can it also be changed in Sun IDM?
    Best Wishes,
    Aruna

    Hi Frank,
    Thanks for the response,
    1. "This is user/pw from the AC system you need to send with the web service call from SUN to AC"
    So we create and provide user credentials to the IDM team, and they need to include those user credentials whenever they are calling the web services in AC 5.3?
    For this initial communication to happen, what needs to be done? Is setting up SAP JCo required in this case? Do we get involved with the configuration/development activity on the IDM end?
    I could not find proper documentation on this, which leaves me unsure about the amount of involvement I have as a SAP GRC AC 5.3 consultant.
    Regards......

  • Difference between SAP Access Control and IDM

    Hi Expert,
    I have one question What is the difference between SAP Access Control and SAP Identity Management ?

    Ali,
    That's a good question, but a tough one.
    While both applications can do most of what the other can do, it's a matter of specialization in my opinion.
    Access Control is all about managing and controlling access to SAP system roles and has the ability to report on role conflicts for compliance and reporting purposes. (I'm sure I'm leaving a lot out, but maybe a GRC / AC expert can fill in more details)
    SAP IDM is about managing the user life cycle with regards to landscape and enterprise systems. It will handle the creation, update and ultimately the removal (or de-provisioning) of users in SAP ABAP, SAP Java, LDAP, JDBC and API based applications. It will also do role management through a web based UI (user management is web based as well), and as of the latest service pack for SAP IDM 7.2 it will do attestation (limited certification) as well. It is a definite upgrade to CUA as it will work with a greater variety of systems and include workflows and approvals.
    GRC will do some provisioning, but it's somewhat limited, as is IDM's compliance abilities.
    The applications are designed to work together, however it does not have a great track record and the integration is typically heavily modified to work as desired.
    If you have specific questions, feel free to post / DM.  Obviously I am more knowledgeable about IDM, but I'll be happy to help you in any way possible.
    Regards,
    Matt

  • Understanding ERM and CUP integration in AC 10.0

    I'm reaching out in hopes to get a better understanding of how AC 10.0 is meant to handle the ERM and CUP integration (I'm still stuck on the old names :). Any feedback would be greatly appreciated.
    Currently, we have a requirement to set up the GRC Production box so it can provision user access in the Production ECC but create security roles in Development ECC. This is typically what we see since most clients want to follow their manual transport process to get the security roles from Dev --> QA --> Prod.
    Something I noticed in CUP is when a user adds a role to the request form - the role is associated to a system (i.e. Production ECC or Development ECC). If we create a role using ERM and it only gets generated in Development ECC - will we be able to select this role in CUP for user assignment in Production ECC? (assuming it's been transported outside of GRC)
    Note: At this point the new role will only be associated to Development ECC from a GRC perspective? So if we assign it in CUP - it will only be associated to Development ECC...?
    Do we have to manually perform another "role import / sync" from the Production ECC to sync the roles so they're available in CUP?
    This is based on the understanding that CUP looks for available roles for assignment from ERM rather than the Production ECC. Is that correct? Can we have CUP look in the backend rather than ERM?
    My question is around the manual "role import / sync" that needs to get performed for CUP. Is this really mandatory based on the requirements? It would mean I need to perform a "role import / sync" every time a new role is created/deleted/changed... Maybe I'm missing something with the new 10.0 integration / functionality? Are other companies doing something different?
    Please let me know what you think.  Your insight is greatly appreciated!

    Frank,
    Thanks for clarifying.
    Can you clarify what you mean when you say "you just need to tell CUP that the roles are available in PRD"? What does this mean?
    This goes back to the original question - do we need to perform another import of the roles from ECC PRD to ERM? My understanding is that the ERM role repository is looking at my original import of roles and then each role I create using ERM after that. How will it know which roles are in PRD if I don't do a routine synch?
    Also, you mentioned "each role has attributes that define in which systems it should be available for requests", where does this get defined? I believe you are referring to the "Role Status" which is set to Development, Production or Testing. I only see the ability to set this during the Role Import, but what about roles which have been created using ERM. I don't see it in the Role details screen - where is the setting?

  • HCM-IdM integration in Enhancement Pack 4

    Hello there
    Are any of the BAdIs available for HCM delta extracts and better integration between IdM and SAP target systems put in HCM business functions that are not switched on by default once Enh. Pack 4 is implemented?
    Best regards,
    Anders

    So far the answer seems to be no... ./Anders

  • HCM - IDM Integration issues

    Hello Experts,
    I am working on the HCM & IDM Integration and I have done the configurations on HCM & VDS as per the Systems Landscape document.
    When I Run the export query from the HCM, The data is not coming to the staging area.
    I have turned on the operational log trace and reran the query and found that the following is logged in the logs. But it is not of much help in understanding why the rollback is happening.
    Has anyone faced this kind of error before? Any thoughts on how to proceed further!!
    I am on IDM 7.2 SP7
    Thanks,
    Krishna.

    Hello Deepak,
    Thanks for your reply.
    Yes, I am using PERNR to calculate my MSKEYVALUE. But I believe in the current issue, it is not going to that stage at all.
    1. When we run the extract programme from HCM, VDS first writes the data to HCM_Staging_Area identity store to the MX_HCM_EMPLOYEE entry type.
    2. When this happens, based on the event tasks defined on MX_HCM_EMPLOYEE type attribute, the job "Write HCM Employee To SAP Master" will be triggered where the MSKEYVALUE is calculated and be written to Master ID store.
    In the current scenario,VDS is not writing the data to HCM_Staging_Area at all.
    When I examined the logs, I got the entry rejection mentioned in the screenshot in my initial post.
    ~ Krishna.

  • SAP GRC v10 and OIM 11g SoD

    Hi,
    I need some information about implementing integration with SAP GRC v10 and SoD. Does any of you have experience with that configuration?
    We have only basic information in the SAP UM Connector doc and on Metalink. Does anyone work with SAP GRC v10 and OIM 11g?
    best
    mp

    See if this helps:
    http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-saperp-134222.pdf
    regards,
    GP

  • AC 53 IdM Integration Implementation Assistance Guide released in BPX

    Hi Everyone,
    The first version of AC 53 IdM Integration Implementation Assistance Guide has been released in BPX.  You can find this document directly via this link:
    https://www.sdn.sap.com/irj/bpx/index?rid=/library/uuid/20bfb824-ea45-2c10-b093-bd097a579793&overridelayout=true
    Thanks!
    Ankur Baishya
    SAP GRC RIG

  • HCM IDM Integration

    I'm working on integrating HCM with IDM. I came across the following limitations in one of the documents i happened to glance.
    1. When replicating the data to the Identity Center from SAP HCM over the Virtual
    Directory Server, you can only use scheduled synchronization. You can not
    synchronize the data based on events. This is a limitation of SAP HCM.
    2. The delta mechanism is not pre-configured when importing the data from the SAP
    HCM system into the staging area in the Identity Center. A full load is always
    performed.
    Can someone suggest ways to achieve this integration? Is there a document available?

    Hi Joel,
    in general, the delta mechanism is only available if you are using Business Suite 6.0 EhP4 and NW IdM 7.1.
    The documentation describes briefly which BAdIs have to be activated to use the delta mechanism (usually you will modify the BAdI implementation to catch changes of employee master records which are relevant for your IdM installation only):
    Retrieval of Employee-Related Data by SAP ERP HCM 
    http://help.sap.com/erp2005_ehp_04/helpdata/EN/75/28be4785c247828834285cc3aefc11/frameset.htm
    If you are using this delta mechanism you can schedule the LDAP export with a short repetition period - as a result you get something like nearly event driven synchronization between HCM and IdM.
    Kind regards
    Frank
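    The trade-off in the answer above (a full load catches everything but is expensive; a date-based delta on a short schedule is near event driven but only sees records whose change date moved) is easy to get wrong at the edges. The following is an added example written for this page, not SAP's HCM export or the IdM staging job: an extractor that does a full load on its first run, timestamp deltas afterwards, re-reads records on the watermark boundary and deduplicates them against what it last delivered, and falls back to a full load every N-th run so that records that vanished from HCM are reported as deletions, which a pure delta can never see. The record layout, the use of `AEDTM` as the "changed on" field and the PERNR values are constructed for the example.

```python
from datetime import date


def make_hcm_snapshot():
    """Constructed PA-style records keyed by PERNR; AEDTM plays the 'changed on' date."""
    return {
        "00001001": {"AEDTM": date(2011, 3, 1), "LAST_NAME": "Doe", "STATUS": "active"},
        "00001002": {"AEDTM": date(2011, 3, 2), "LAST_NAME": "Roe", "STATUS": "active"},
        "00001003": {"AEDTM": date(2011, 3, 3), "LAST_NAME": "Poe", "STATUS": "active"},
    }


class Extractor:
    """Full load on the first run, date-based deltas afterwards, periodic full reconcile."""

    def __init__(self, full_load_every=4):
        self.watermark = None      # highest AEDTM delivered so far
        self.last_seen = {}        # PERNR -> record as last delivered to the identity store
        self.runs = 0
        self.full_load_every = full_load_every

    def extract(self, snapshot):
        """Return (changed records, deleted PERNRs, mode) for this scheduled run."""
        self.runs += 1
        full = self.watermark is None or self.runs % self.full_load_every == 0
        if full:
            candidates = dict(snapshot)
        else:
            # '>=' rather than '>': several records can share the boundary date and an
            # earlier run may have seen only some of them; the duplicates are removed below.
            candidates = {p: r for p, r in snapshot.items() if r["AEDTM"] >= self.watermark}
        changed = {p: r for p, r in candidates.items() if self.last_seen.get(p) != r}
        # Deletions are only detectable against the complete set, i.e. on a full load.
        deleted = set(self.last_seen) - set(snapshot) if full else set()
        for p in deleted:
            self.last_seen.pop(p)
        for p, r in changed.items():
            self.last_seen[p] = dict(r)
        if candidates:
            self.watermark = max(r["AEDTM"] for r in candidates.values())
        return changed, deleted, "FULL" if full else "DELTA"
```

    A terminated employee whose record is simply removed from the extract is the case to watch: with deltas only, the identity store would keep that account forever, so the reconcile interval is a security parameter, not just a performance one.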

  • RE: CUP and IDM

    Dear Experts,
    Even after reading the IDM documentation, I am not able to figure out the difference between CUP and Identity Management. Can anyone explain the difference to me? CUP and IDM both provide user provisioning and password self service. What is the advantage of integrating IDM with CUP?
    Thanks
    raj

    Hi,
    SAP IDM helps companies to centrally manage their user accounts (identities) in a complex system landscape. It can provision into both SAP and non-SAP systems.
    Suppose there is a request for a role assignment in SAP IDM; if the role assignment requires a compliance check, it will be sent for request processing and risk analysis in CUP. Based on the risk analysis, the approved/declined request status will be sent to SAP IDM. If the request is approved, IDM will start provisioning to the target SAP system; otherwise there is no provisioning.
    And if the role assignment does not require a compliance check, IDM will directly provision to the target system.
    CUP: workflow for risk analysis and mitigating controls; provides web services for compliance checks and status checks.
    Regards
    Dilip
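    The gate Dilip describes (direct provisioning for roles that need no check, otherwise submit to CUP and provision only on an approved status) is worth seeing as code, because the failure modes sit in the branches: what happens on a pending or rejected status, and what happens when a requested role conflicts with one the user already holds. The block below is an added example written for this page, not SAP code and not the real CUP web service interface: the CUP stub performs a toy SoD risk analysis over the user's existing plus requested roles, an approver can only approve a risky request by supplying a mitigating control per risk, and the IDM-side logic fails closed on anything other than an explicit approval. The role names, risk IDs and mitigation IDs are constructed.

```python
from enum import Enum


class Status(Enum):
    APPROVED = "APPROVED"
    REJECTED = "REJECTED"
    PENDING = "PENDING"


# Constructed SoD rule set: risk id -> pair of roles that must not be held together.
SOD_RULES = {
    "P001": ("FI_AP_INVOICE_ENTRY", "FI_AP_PAYMENT_RUN"),
    "P002": ("MM_PO_CREATE", "MM_PO_APPROVE"),
}
# Roles flagged as compliance-relevant on the IDM side; anything else is provisioned directly.
COMPLIANCE_RELEVANT = {role for pair in SOD_RULES.values() for role in pair}


def risk_analysis(existing, requested):
    """Risk ids the request would introduce, given the roles the user already holds."""
    combined = existing | requested
    return sorted(rid for rid, (a, b) in SOD_RULES.items()
                  if a in combined and b in combined and (a in requested or b in requested))


class CupStub:
    """Stand-in for CUP's submit-request and request-status web services."""

    def __init__(self):
        self.requests = {}
        self._seq = 0

    def submit_request(self, user, existing, requested):
        self._seq += 1
        req_id = f"REQ{self._seq:06d}"           # plays the part of GRC_REQUEST_ID
        risks = risk_analysis(existing, requested)
        self.requests[req_id] = {"user": user, "roles": set(requested), "risks": risks,
                                 "mitigations": {},
                                 "status": Status.PENDING if risks else Status.APPROVED}
        return req_id

    def request_status(self, req_id):
        return self.requests[req_id]["status"]

    def approve(self, req_id, mitigations):
        """Approver decision: every open risk needs a mitigating control, else the request is rejected."""
        req = self.requests[req_id]
        if req["status"] is not Status.PENDING:
            raise ValueError("request already decided")
        if all(r in mitigations for r in req["risks"]):
            req["mitigations"] = dict(mitigations)
            req["status"] = Status.APPROVED
        else:
            req["status"] = Status.REJECTED
        return req["status"]


class TargetStub:
    """Stand-in for an ABAP target repository: user -> assigned roles."""

    def __init__(self):
        self.assignments = {}

    def assign(self, user, roles):
        self.assignments.setdefault(user, set()).update(roles)


def request_roles(cup, target, user, requested):
    """IDM side: provision directly unless a compliance-relevant role is involved."""
    requested = set(requested)
    existing = target.assignments.get(user, set())
    if not requested & COMPLIANCE_RELEVANT:
        target.assign(user, requested)
        return "PROVISIONED", None
    req_id = cup.submit_request(user, existing, requested)
    return apply_decision(cup, target, user, req_id)


def apply_decision(cup, target, user, req_id):
    """Run when CUP reports a status; fail closed on anything except an explicit approval."""
    status = cup.request_status(req_id)
    if status is Status.APPROVED:
        target.assign(user, cup.requests[req_id]["roles"])
        return "PROVISIONED", req_id
    return f"NOT_PROVISIONED:{status.value}", req_id
```

    The point of feeding the user's existing assignments into `risk_analysis` is that a single requested role is rarely a conflict on its own; the SoD violation appears only in combination with what the target system already holds, which is why the check belongs before provisioning rather than in a later audit.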

  • Oracle Portal and Discoverer Integration

    Portal Version: 9.0.2.0.1
    RDBMS Version: 9.0.1.3
    OS/Vers. Where Portal is Installed:: Suse 7 SLES
    Error Number(s)::
    Oracle Portal and Discoverer Integration
    We're trying to integrate Discoverer with Portal, unsuccessfully.
    We did many things in accordance with Oracle's documentation, up to adding the Discoverer portlets (worksheet and list of workbooks) to a test page.
    In view mode, the worksheet portlet shows the error:
    "The portlet has not been defined. The publisher must define the portlet by clicking on Edit Defaults for the portlet on the edit mode of this page. Please contact the publisher of this page."
    We think we have to edit the properties first. Is that right? Anyway, editing the worksheet portlet crashes between step 1 and 2. The error is: "The listener returned the following Message: 500 Internal Server Error".
    We have a public connection created in EM and a Discoverer application which can be viewed using Plus or Viewer.
    Furthermore, it's not possible to delete the added portlets nor the page that contains them. The error on delete is:
    Error: An unexpected error occurred: User-Defined Exception (WWC-44082)
    (WWC-00000)
    An unexpected error has occurred in portlet instances: User-Defined Exception (WWC-44846)
    An unexpected error occurred: User-Defined Exception (WWC-43000)
    The following error occurred during the call to Web provider:
    oracle.portal.provider.v2.PortletNotFoundException
    at oracle.portal.utils.v2.ContainerException.fillInStackTrace(Unknown Source)
    at java.lang.Throwable.<init>(Throwable.java:78)
    at java.lang.Exception.<init>(Exception.java:29)
    at oracle.portal.utils.v2.ContainerException.<init>(Unknown Source)
    at oracle.portal.provider.v2.PortletException.<init>(Unknown Source)
    at oracle.portal.provider.v2.PortletNotFoundException.<init>(Unknown Source)
    at oracle.disco.portlet.provider.DiscoPortletPersonalizationMgr.destroy(DiscoPortletPersonalizationMgr.java:65)
    at oracle.portal.provider.v2.DefaultPortletInstance.deregister(Unknown Source)
    at oracle.webdb.provider.v2.adapter.soapV1.ProviderAdapter.deregisterPortlet(Unknown Source)
    at java.lang.reflect.Method.invoke(Native Method)
    at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.doMethodCall(Unknown Source)
    at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.processInternal(Unknown Source)
    at oracle.webdb.provider.v2.utils.soap.SOAPProcessor.process(Unknown Source)
    at oracle.webdb.provider.v2.adapter.SOAPServlet.doSOAPCall(Unknown Source)
    at oracle.webdb.provider.v2.adapter.SOAPServlet.service(Unknown Source)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:336)
    at com.evermind.server.http.ResourceFilterChain.doFilter(ResourceFilterChain.java:59)
    at oracle.security.jazn.oc4j.JAZNFilter.doFilter(JAZNFilter.java:283)
    at com.evermind.server.http.ServletRequestDispatcher.invoke(ServletRequestDispatcher.java:523)
    at com.evermind.server.http.ServletRequestDispatcher.forwardInternal(ServletRequestDispatcher.java:269)
    at com.evermind.server.http.HttpRequestHandler.processRequest(HttpRequestHandler.java:735)
    at com.evermind.server.http.AJPRequestHandler.run(AJPRequestHandler.java:151)
    at com.evermind.util.ThreadPoolThread.run(ThreadPoolThread.java:64)
    (WWC-43147)
    Edit properties for the List of Workbooks portlet works, but in view mode we get this error in the portlet area:
    "Failed to refresh portlet. Please verify that the information used to create the
    portlet instance or customization is still valid. Otherwise, please contact your
    iAS administrator. oracle.discoiv.controller.FatalControllerException:
    DiscoNetworkException - Nested exception: org.omg.CORBA.OBJECT_NOT_EXIST: minor
    code: 0 completed: No null"
    Any ideas?
    Thanks

    Hi there,
    Have you applied any patches to 9ias since it was first installed? We had the same problem and had to apply a couple of patches to get the portlets working.
    1. Apply the 9.0.2.53.16 one-off patch for Oracle 9iAS Discoverer which takes Discoverer up to 9.0.2.53.16. This patch appears to be password protected and you need to get someone at Oracle support to give you a password.
    2. Apply the Discoverer Portlet Provider: 9.0.2.53.00c patch (patch no. 2595444) which gives you a new discportal.xsl file that actually works. It's this second step that solves your problem but you need to do step 1 before this. This is password protected as well.
    3. As you've upgraded Disco on the server to 9.0.2.53, you'll need to upgrade Disco Admin & Desktop within your 9iDS installation using patch no. 2555265. This is because Disco 9.0.2.53 uses an upgraded EUL that Disco Admin & Desktop need to be patched to use.
    This was the course of action Oracle support advised us about nine months ago. Of course they may have released a further patch to Disco that does 1 & 2 in one go, but we regularly carry out steps 1 and 2 on servers we use and we can use the Disco portlets successfully.
    Hope this helps
    Mark Rittman
