GRC, CUA and IDM
We are in the process of installing GRC 10.0 in our landscape. We have the following questions:
1. Can I run my CUA from GRC box instead of say Solman?
2. Can I hook GRC with LDAP so I import the users from active directory?
3. Do we need IDM, if active directory is hooked up to the system where we have the CUA?
Regards,
Kedar
Edited by: Kedar Joshi on Aug 8, 2011 5:57 PM
Hi Kedar,
The easy answer to your question is yes to all of them!
1. It is technically possible to run CUA from the GRC box as it is an ABAP based environment.
Depending on your user provisioning processes though, you may want to consider the scope of using CUA.
For example, you may want to retain CUA for pre-production access but may want to have automated Access Request Management (CUP) for the production environments. Alternatively, if you are going down the full IDM route, you may wish to have everything provisioned via GRC rather than having the additional manual assignments through CUA.
2. Yes, you can still connect to LDAP Active Directory from GRC. There is a technical change in setting up the connection as it uses an RFC destination rather than a JCo but it's still possible and actually advisable for creating a single user master source.
3. This is slightly more difficult to say without further knowledge of your organisation. Generally, IDM is focussed on a more holistic view of User Access across the enterprise estate. IDM is still of use when managing SAP and Non SAP applications and managing the roles from a business perspective. Whilst GRC is able to offer the business role concept inherently, it is still slanted towards the management of risk rather than pure Identity Management and therefore the tools do perform a separate yet integrated function.
I hope this helps.
Simon
Similar Messages
-
Hello community,
Does anyone know if we can configure the IDM role requests workflow (configured at the IDM side) to use Role Assigner and Role Content Approval configured at the GRC AC side?
Regards,
SAP Legend
Legend,
In addition to Dilip's suggestion, you can also refer to:
SAP Access Control 10.0 Interface for Identity Management
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d09f0171-02e8-2d10-be90-a4ad042a0e6e?QuickLink=index&…
Understanding the IdM 7.2 - GRC10 interface
Let us know if these help you.
Regards,
Ameet
-
Hello All,
We are implementing a brand new SAP software.
We have GRC and IDM license.
There is overlap of functionality (CUA,IDM,GRC).
What is the best approach of effectively using these tools ?
We configured the GRC-RAR now.
Thank you in Advance for the recommendations...
Hi Saayi,
You can have multiple scenarios, either you can have GRC as the leading provisioning system or IdM as the leading provisioning system.
SAP IdM -> GRC AC -> CUA
Have a look at the GRC AC 5.3 Configuration guide, it has a dedicated unit on "Access Control and Identity Manager Integration", which describes the two scenarios very well.
PS : Please do not cross post, you have the same question in the GRC Forum
Cheers !!
Zaheer
-
Hello,
I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
1. Connected CUABOX to GRCBOX like a plug-in system.
2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
After reading a few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload CUA Child System Roles template what selections should be made in Role Import window.
Any help in this regard is very helpful.
Thank you,
Pawan
Hi Alessandro,
I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
2. Approvals provided to assign the ECC role.
3. I see the following in GRFNMW_DBGMONITOR_WD.
Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage GRAC_SECURITY
New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
T-CUA_CHILD User does not exist in target system CUA
GRC created an account without role assignment in ECC but also threw me an error that the user does not exist in CUA.
However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
So I am wondering if there is a way to provide CUA access to users by default for new account request types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
Thank you for your help!
Pawan
-
Hi all,
Can you suggest me how to go with below questions
1) how do we migrate CUA to IDM ? any step guide available.
IDM SAP Insider document approach says
・ Install SAP NetWeaver Identity Management on top of CUA.
・ Start connecting the ABAP systems to SAP NetWeaver Identity Management and disconnecting them from CUA.
・ When you have disconnected the last ABAP system from CUA, you can then shut down CUA to complete a successful migration
>> my understanding is CUA Is SU01 transaction in ABAP, what does it mean by install iDM on top of CUA and shutdown CUA after migration..
Need clarification on this
2) for IDM setup, Separate server is must? and does it require separate licence other than Netweaver.
Hi Jaichan,
1) During CUA migration to IDM, Does it require any setup inside CUA system required or not.
No Changes in current CUA required. IDM will be installed separately.
This article might be useful for you.(Page 14)
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0ad23d3-3664-2a10-8aa7-e9c3c8616d48
2) Does the collecting process from Non-SAP/SAP to IDM system is just copying to User master tables or its really mapping one to one(and synchronising automatically). Need more details technically.
No. In IDM, HCM or any other system can supply the basic data. However before connecting other systems, it will be better idea to take all users data from CUA.
Once the Users are in IDM, have to do role/priv settings and provisioning the same to other systems.
This article might be useful for you.
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e04a0800-1cdf-2b10-218a-94ba2cfeb2dd
3) Also i would like to know technically how Non-SAP-ADS source can be synchronised with IDM.
Can you specify the document name for this.
4) I think customers Using LDAP with Java to synchronise with CUA, how LDAP part is
taken care by IDM. Suggestion please
This article might be useful for you.
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a73a89d3-0901-0010-5a8b-f2e03467117f
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/706065c4-3564-2a10-2382-a52fcbd7eefb
These Documents will also help you.
[Installation Overview|https://websmp205.sap-ag.de/~sapidb/011000358700000062312008E]
[Installing the Management Console and Runtime Components|https://websmp205.sap-ag.de/~sapidb/011000358700000061872008E]
[Operations Guide |https://websmp205.sap-ag.de/~sapidb/011000358700001876292008E]
Hope this helps,
+ An
-
Question: CUA to IDM Migration Guide?
Is there a guide/document that talks about Migrating from CUA to IDM
Thanks!
Hi
This one: Identity Management for SAP System Landscapes: Architectural Overview
and this one: Identity Management for SAP System Landscapes: Configuration Guide
talk briefly about the integration into an existing CUA landscape.
AFAIK one connects the IdM to the CUA system and reads all the data. Afterwards you remove the systems step by step from CUA and allow IdM to handle them.
Hope I could help
Michael
-
How to create automatically users&roles in CUA and in child systems?
Hi,
I have a CUA on 2 child R/3 systems (test and training) and 2 portal systems (test and training).
I need to create a web application to create automatically users test and users training in CUA and see them in the R/3 child systems and at the same time to create automatically roles in CUA and R/3 child systems for those users (we suppose that the role is already stored in a table).
Are there any standard BAPI or Function modules that can do this job?
Is the role created automatically in CUA can be seen automatically in the portal child system?
Any help?
Thanks&Best regards
You can use one of the various ways Java EE provides you, e.g. container managed authentication.
It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].
-
How to create automatically users&roles in CUA and child systems
Hi,
I have a CUA on 2 child R/3 systems (test and training) and 2 portal systems (test and training).
I need to create a web application to create automatically users test and users training in CUA and see them in the R/3 child systems and at the same time to create automatically roles in CUA and R/3 child systems for those users (we suppose that the role is already stored in a table).
Are there any standard BAPI or Function modules that can do this job?
Is the role created automatically in CUA can be seen automatically in the portal child system?
Any help?
Thanks&Best regards
Thank you all. I got the solution.
Regards
Rajesh
-
Difference between Oracle GRC product and Identity management
Hi
I want to know the difference between Oracle GRC product and Oracle Identity and Access Management product. Also what I see that the features Access manager is providing is also provided by the grc access control governor and transaction control governor. So why two different technology for same task.
Regards
Any answer.
regards
-
I'm using Firefox 4.0.1 and IDM 6.05, I get an error while I click download button.
ERROR Displayed is : "cannot connect to dl120.duckload.com:80" and "permission denied. check your Firewall settings and ensure IDM has permits to access internet"
But I have disabled Windows firewall and I don't have Antivirus.. Plz help me...
For more plz see this screen shot : [http://img845.imageshack.us/img845/5234/idmerr1.png link text]
See if the "stable" version released on 30 June is compatible with Firefox 5.0. That page doesn't mention which versions of Firefox it is compatible with, a serious oversight, IMO.
https://www.torproject.org/torbutton/
Plus, it looks like that developer hasn't updated his AMO page in over a year, which makes it impossible for users of that add-on to get automatic updates as each new version of Firefox is released.
https://addons.mozilla.org/en-US/firefox/addon/torbutton/
-
Integrate Password CUA and Active Directory (AD)
Hello Everybody,
We have integrated AD with our CUA system.
Is it possible integrated the same password CUA and AD?
How can I configure this?
Thank you,
Luciana
Luciana,
I am not sure if you are aware, but the Active Directory domain controller uses a protocol called Kerberos to authenticate a user when they logon to the domain. Therefore, to logon to SAP in the way you require it is best to use Kerberos so that the credentials for the user already available on the workstation, in the credentials cache can be used to securely authenticate the same user to the SAP system, e.g. CUA ABAP via SAP GUI. This means that no passwords need to be transmitted or stored anywhere, and the only authentication needed is that already done using Active Directory when the user logs onto their Workstation. Also, you can use this method to encrypt the communications - giving you added benefit, rather than just using the authentication provided.
This is achieved using an interface which SAP provided in SAP GUI and in SAP application servers called SNC (Secure Network Communications). For SNC to work, you need a GSS-API library installed on each workstation where SAP GUI is installed, and on the app servers you want to logon to using this secure authentication method. SAP provide SNC libraries, but they are only available if your SAP app server is on Windows. In your case where SAP is on HP/UX, you need to use an SNC library available from a SAP partner. This partner will provide you with all the software and support you need to make the solution work, and meet your needs.
I would like to recommend one such partner, but I am biased because I work for the vendor providing this product :-). The partner is called CyberSafe. You can make contact with me offline and I can arrange a free evaluation of the products, or you can visit the CyberSafe website at this site (http://www.cybersafe.com/links/snc.htm) to find out more. Or, you may decide to look for other partners who have solutions to help you, in which case you need to look on the SAP website for SAP SNC partners.
I hope this is useful ?
Thanks,
Tim
-
Hi Guys,
Can anyone tell me where I can find my GRC version and SP level? I went to System info but did not find the specific location on where I can see my GRC version and SP level.
Thanks.
Raymond
Hi Dirk,
I was actually using the above mentioned paths (was hoping it could be the solution for me as a central location for monitoring) but was only able to see certain SP for certain GRC components.
I've checked "Development Components Vendor" and also "Provider", and all I can see is only as below:
1) virsa ccappcomp null (0.2007.09.13.22.08.49) LOKAL LOKAL 20071220141100 null/null
2) sapgrc ffappcomp null (0.2007.09.25.16.06.33) LOKAL LOKAL 20071218104251 null/null
3) sapgrc ffume null (20061001181959) LOCAL LOCAL 20071218104206 null/null
4) virsa ccxsysactionws null (20070913155905) DNJ DNJ_CCSP3_D 20071220153828 virsasystems.com/COMPLIANCECALIBRATOR
5) virsa ccxsysbe null (20061205153153) DNJ DNJ_CCSP3_D 20071220140901 virsasystems.com/COMPLIANCECALIBRATOR
5) virsa ccxsysbehr null (20061205150240) DNJ DNJ_CCSP3_D 20071220140946 virsasystems.com/COMPLIANCECALIBRATOR
6) virsa ccxsysbgear null (20070913155835) DNJ DNJ_CCSP3_D 20071220141441 virsasystems.com/COMPLIANCECALIBRATOR
7) virsa ccxsysdb null (20070308113442) DNJ DNJ_CCSP3_D 20071220140623 virsasystems.com/COMPLIANCECALIBRATOR
8) virsa ccxsysws null (20070913155752) DNJ DNJ_CCSP3_D 20071220141305 virsasystems.com/COMPLIANCECALIBRATOR
9) sapgrc ffdb null (20070909125827) DNJ DNJ_FF_D 20071218103726 sapgrc/FIREFIGHTER
Thus, you can see that the above monitoring does not give a full GRC components overview, and that's why I've asked if there are other options to see the needed info centrally.
Any other possible suggestions?
Thanks.
Raymond
-
Hi,
I need some information about implementing integration with SAP GRC v10 and SoD. Does any of you have any experience in that configuration?
We have only base information in SAP UM Connector doc and on metalink either. Does anyone work with SAP GRC v10 and OIM 11g?
best
mp
See if this helps:
http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-saperp-134222.pdf
regards,
GP
-
Since BPE is deprecated in IDM 8, we need to use Netbeans IDE. I installed Netbeans 6 and IDM 8 but they are not compatible. Does anyone have any luck using it or know if they are working on updating the IDE plugin?
Joseph.Smith wrote:
First, I don't recall 6.1 being a supported version. Only 6.0 ! If you use the current development build of the plugin (v8.1) it works with NB 6.1 and IDM 8.0. It fixes the bugs which prevented the use of NB 6.1.
That's an issue with the IDE being a separate product. There isn't any documentation that came out the same time as 8.0. We all know, the last thing the engineers wanna do is document and I don't think Sun has a writer doing open source stuff ! (Although this java.net project is closed)
I'd recommend you follow the 7.1 documentation on how to configure.
If you use the wizard to create a new IDM project you will get a file README.txt which explains how to work with the project. The plugin extends also the Netbeans help with a chapter "Identity Manager IDE".
-
ObjectGUID as matching attribute for reconciliation between AD and IdM
Hello together,
I want to use the AD attribute objectGUID as matching attribute between AD and IdM. It is one of the attributes which will never be changed (in case of name changes of a person or similar changes).
Our IdM can read this attribute and save it (with the help of a java script). This works fine.
But if I want write back something to AD I do not know how the "To LDAP directory" path must be configured. I get always the error that the account can not be found in the AD. Maybe the attribute must be changed with a java script ...
Has anyone already used this attribute?
Thanks!
BR
Michael
Michael, I have done this many times in pretty much the same way you have indicated. While DN is good for basic LDAP / AD operations, ObjectGUID is preferred for ModRDN operations or if you want to change the user's DN. I have written about these operations in a blog, Using modRDN with SAP NW IDM.
Hope it helps!
Regards,
Matt
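
Locating an AD account by objectGUID depends on how the 16-byte value is represented on each side. The following JavaScript is an added example, not code from the posters or from SAP IdM: it converts a raw objectGUID into the dashed string, the RFC 4515 escaped search filter, and Active Directory's `<GUID=...>` alternative DN form. The function names and the sample GUID in the comments are constructed, and it assumes the identity store holds the GUID as a hex string of the raw bytes.

```javascript
// Added example (not from the thread); all function names are hypothetical.
// Constructed sample: raw hex 0123456789abcdef0123456789abcdef
// corresponds to the dashed GUID 67452301-ab89-efcd-0123-456789abcdef.

// Parse 32 hex characters (raw objectGUID bytes) into 16 byte values.
function hexToBytes(hex) {
  if (!/^[0-9a-fA-F]{32}$/.test(hex)) {
    throw new Error('objectGUID must be exactly 16 bytes (32 hex chars)');
  }
  const bytes = [];
  for (let i = 0; i < 32; i += 2) bytes.push(parseInt(hex.slice(i, i + 2), 16));
  return bytes;
}

function toHex(b) {
  return b.toString(16).padStart(2, '0');
}

// AD stores the first three GUID fields little-endian and the last two as-is,
// so the displayed string reads the raw bytes in this order.
const ORDER = [3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15];

// Raw bytes -> dashed string as shown by AD tools.
function guidBytesToString(bytes) {
  const h = ORDER.map(i => toHex(bytes[i])).join('');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16),
          h.slice(16, 20), h.slice(20)].join('-');
}

// Dashed string -> raw bytes in the order AD stores them.
function guidStringToBytes(guid) {
  if (!/^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i.test(guid)) {
    throw new Error('not a dashed GUID string');
  }
  const flat = hexToBytes(guid.replace(/-/g, ''));
  const out = new Array(16);
  ORDER.forEach((src, pos) => { out[src] = flat[pos]; });
  return out;
}

// RFC 4515 filter: every raw byte escaped as \xx, in stored order.
function guidToSearchFilter(bytes) {
  return '(objectGUID=' + bytes.map(b => '\\' + toHex(b)).join('') + ')';
}

// AD alternative DN form, usable as a search base or modify target.
function guidToBindDn(bytes) {
  return '<GUID=' + guidBytesToString(bytes) + '>';
}
```
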