GRC, CUA and IDM

We are in the process of installing GRC 10.0 in our landscape. We have the following questions:
1. Can I run my CUA from GRC box instead of say Solman?
2. Can I hook GRC with LDAP so I can import the users from Active Directory?
3. Do we need IDM, if active directory is hooked up to the system where we have the CUA?
Regards,
Kedar
Edited by: Kedar Joshi on Aug 8, 2011 5:57 PM

Hi Kedar,
The easy answer to your question is yes to all of them!
1. It is technically possible to run CUA from the GRC box as it is an ABAP based environment.
Depending on your user provisioning processes though, you may want to consider the scope of using CUA.
For example, you may want to retain CUA for pre-production access but may want to have automated Access Request Management (CUP) for the production environments. Alternatively, if you are going down the full IDM route, you may wish to have everything provisioned via GRC rather than having the additional manual assignments through CUA.
2. Yes, you can still connect to LDAP Active Directory from GRC. There is a technical change in setting up the connection as it uses an RFC destination rather than a JCo but it's still possible and actually advisable for creating a single user master source.
3. This is slightly more difficult to say without further knowledge of your organisation. Generally, IDM is focussed on a more holistic view of User Access across the enterprise estate. IDM is still of use when managing SAP and Non SAP applications and managing the roles from a business perspective. Whilst GRC is able to offer the business role concept inherently, it is still slanted towards the management of risk rather than pure Identity Management and therefore the tools do perform a separate yet integrated function.
I hope this helps.
Simon

Similar Messages

  • GRC AC and IDM integration

    Hello community,
    Does anyone know if we can configure the IDM role requests workflow (configured at the IDM side) to use Role Assigner and Role Content Approval configured at the GRC AC side?
    Regards,
    SAP Legend

    Legend,
    In addition to Dilip's suggestion, you can also refer to:
    SAP Access Control 10.0 Interface for Identity Management
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d09f0171-02e8-2d10-be90-a4ad042a0e6e?QuickLink=index&…
    Understanding the IdM 7.2 - GRC10 interface
    Let us know if these help you.
    Regards,
    Ameet

  • CUA Vs IDM Vs GRC

    Hello All,
    We are implementing a brand new SAP software.
    We have GRC and IDM license.
    There is overlap of functionality (CUA,IDM,GRC).
    What is the best approach of effectively using these tools ?
    We configured the GRC-RAR now.
    Thank you in Advance for the recommendations...

    Hi Saayi,
    You can have multiple scenarios, either you can have GRC as the leading provisioning system or IdM as the leading provisioning system.
    SAP IdM -> GRC AC -> CUA
    Have a look at the GRC AC 5.3 Configuration guide, it has a dedicated unit on "Access Control and Identity Manager Integration", which describes the two scenarios very well.
    PS : Please do not cross post, you have the same question in the GRC Forum
    Cheers !!
    Zaheer

  • Integrate GRC 10.1 with CUA and how to import roles from CUA & Child systems into GRC for provisioning

    Hello,
    I am trying to integrate CUA into our GRC 10.1 system through the below steps and so far I have completed the below steps following SAP Notes 1680108 and 1616121:
    1. Connected CUABOX to GRCBOX like a plug-in system.
    2. Updated CUA Global System and CUA Model Distribution in Maintain CUA settings under User Provisioning.
    3. Next I am trying to import the roles from CUA(CUABOX) into GRC(GRCBOX) to be able to provision roles in CUA Child Systems(ECCBOX).
    After reading a few discussions in SCN, I have figured that we have to download a template in Role Import and populate it accordingly to upload the CUA child system roles into GRC system for provisioning in CUA Child Systems.
    Unfortunately, this template has multiple fields and I am unable to determine the fields that should be populated as CUA Global System and CUA Child System to import into GRC. Also, when we upload the CUA Child System Roles template, what selections should be made in the Role Import window?
    Any help in this regard is very helpful.
    Thank you,
    Pawan

    Hi Alessandro,
    I have "Create user if does not exist" setting checked for both change action and assign role action and also have CUA enabled. Here is the list of steps that I am performing:
    1. Create an access request for new account, T-CUA_CHILD and select a role from a child system ECC Z_ECC_ROLE_IN_CHILD_SYSTEM.
    2. Approvals provided to assign the ECC role.
    3. I see the following in GRFNMW_DBGMONITOR_WD.
               Auto provisioning activity at end of request at Path GRAC_DEFAULT_PATH and Stage              GRAC_SECURITY
                   New User:T-CUA_CHILD created in System(s): ECC (created without role assignments)
                   T-CUA_CHILD User does not exist in target system CUA
    GRC created an account without role assignment in ECC but also threw an error that the user does not exist in CUA.
    However, if I select roles from both CUA and ECC it creates the account in both systems with the selected role assignments.
    So I am wondering if there is a way to provide CUA access to users by default for new account request types. I have tried setting up default roles for CUA but it does not assign the roles by default until I select the CUA system.
    Thank you for your help!
    Pawan

  • CUA to IDM migration

    Hi all,
    Can you suggest how to proceed with the questions below?
    1) How do we migrate CUA to IDM? Is any step guide available?
    The IDM SAP insider document approach says:
        - Install SAP NetWeaver Identity Management on top of CUA.
        - Start connecting the ABAP systems to SAP NetWeaver Identity Management and
          disconnecting them from CUA.
        - When you have disconnected the last ABAP system from CUA, you can then
          shut down CUA to complete a successful migration.
    >> My understanding is that CUA is the SU01 transaction in ABAP, so what does it mean to install IDM on top of CUA and shut down CUA after migration?
    I need clarification on this.
    2) For IDM setup, is a separate server a must? And does it require a separate licence other than NetWeaver?

    Hi Jaichan,
    1) During CUA migration to IDM, does it require any setup inside the CUA system or not?
    No Changes in current CUA required. IDM will be installed separately.
    This article might be useful for you.(Page 14)
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f0ad23d3-3664-2a10-8aa7-e9c3c8616d48
    2) Does the collecting process from Non-SAP/SAP to IDM system is just copying to User master tables or its really mapping one to one(and synchronising automatically). Need more details technically.
    No. In IDM, HCM or any other system can supply the basic data. However before connecting other systems, it will be better idea to take all users data from CUA.
    Once the Users are in IDM, have to do role/priv settings and provisioning the same to other systems.
    This article might be useful for you.
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e04a0800-1cdf-2b10-218a-94ba2cfeb2dd
    3) Also i would like to know technically how Non-SAP-ADS source can be synchronised with IDM.
    Can you specify the document name for this.
    4) I think customers Using LDAP with Java to synchronise with CUA, how LDAP part is
    taken care by IDM. Suggestion please
    This article might be useful for you.
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a73a89d3-0901-0010-5a8b-f2e03467117f
    https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/706065c4-3564-2a10-2382-a52fcbd7eefb
    These Documents will also help you.
    Installation Overview: https://websmp205.sap-ag.de/~sapidb/011000358700000062312008E
    Installing the Management Console and Runtime Components: https://websmp205.sap-ag.de/~sapidb/011000358700000061872008E
    Operations Guide: https://websmp205.sap-ag.de/~sapidb/011000358700001876292008E
    Hope this helps,
    + An

  • Question: CUA to IDM Migration Guide?

    Is there a guide/document that talks about Migrating from CUA to IDM
    Thanks!

    Hi
    This one: Identity Management for SAP System Landscapes: Architectural Overview
    and this one: Identity Management for SAP System Landscapes: Configuration Guide
    talk briefly about the integration into an existing CUA landscape.
    AFAIK one connects the IdM to the CUA system and reads all the data. Afterwards you remove the systems step by step from CUA and allow IdM to handle them.
    Hope I could help
    Michael

  • How to create automatically users&roles in CUA and in child systems?

    Hi,
    I have a CUA on 2 child R/3 systems (test and training) and 2 portal systems (test and training).
    I need to create a web application to automatically create test users and training users in CUA and see them in the R/3 child systems, and at the same time to automatically create roles in CUA and the R/3 child systems for those users (we suppose that the role is already stored in a table).
    Are there any standard BAPIs or function modules that can do this job?
    Can a role created automatically in CUA be seen automatically in the portal child system?
    any help?
    Thanks&Best regards

    You can use one of the various ways Java EE provides you, e.g. container managed authentication.
    It's also all in the Java EE tutorial: [http://java.sun.com/javaee/5/docs/tutorial/doc/bncas.html].
    You can configure it in the application server as well: [http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html].
    Here is an example how to use it in JSF: [http://ocpsoft.com/java/acegi-spring-security-jsf-login-page/].

  • How to create automatically users&roles in CUA and child systems

    Hi,
    I have a CUA on 2 child R/3 systems (test and training) and 2 portal systems (test and training).
    I need to create a web application to automatically create test users and training users in CUA and see them in the R/3 child systems, and at the same time to automatically create roles in CUA and the R/3 child systems for those users (we suppose that the role is already stored in a table).
    Are there any standard BAPIs or function modules that can do this job?
    Can a role created automatically in CUA be seen automatically in the portal child system?
    any help?
    Thanks&Best regards

    Thank you all. I got the solution.
    Regards
    Rajesh

  • Difference between Oracle GRC product and Identity management

    Hi
    I want to know the difference between the Oracle GRC product and the Oracle Identity and Access Management product. Also, what I see is that the features Access Manager is providing are also provided by the GRC Access Control Governor and Transaction Control Governor. So why two different technologies for the same task?
    Regards

    Any answer.
    regards

  • I'm using Firefox 4.0.1 and IDM 6.05, I get an error when I click the download button.

    I'm using Firefox 4.0.1 and IDM 6.05, I get an error when I click the download button.
    The error displayed is: "cannot connect to dl120.duckload.com:80" and "permission denied. check your Firewall settings and ensure IDM has permits to access internet"
    But I have disabled Windows Firewall and I don't have antivirus. Please help me...
    For more, please see this screenshot: http://img845.imageshack.us/img845/5234/idmerr1.png

    See if the "stable" version released on 30 June is compatible with Firefox 5.0. That page doesn't mention which versions of Firefox it is compatible with, a serious oversight, IMO.
    https://www.torproject.org/torbutton/
    Plus, it looks like that developer hasn't updated his AMO page in over a year, which makes it impossible for users of that add-on to get automatic updates as each new version of Firefox is released.
    https://addons.mozilla.org/en-US/firefox/addon/torbutton/

  • Integrate Password CUA and Active Directory (AD)

    Hello Everybody,
    We have integrated AD with our CUA system.
    Is it possible to integrate the same password between CUA and AD?
    How can I configure this?
    Thank you,
    Luciana

    Luciana,
    I am not sure if you are aware, but the Active Directory domain controller uses a protocol called Kerberos to authenticate a user when they logon to the domain. Therefore, to logon to SAP in the way you require it is best to use Kerberos so that the credentials for the user already available on the workstation, in the credentials cache can be used to securely authenticate the same user to the SAP system, e.g. CUA ABAP via SAP GUI. This means that no passwords need to be transmitted or stored anywhere, and the only authentication needed is that already done using Active Directory when the user logs onto their Workstation. Also, you can use this method to encrypt the communications - giving you added benefit, rather than just using the authentication provided.
    This is achieved using an interface which SAP provided in SAP GUI and in SAP application servers called SNC (Secure Network Communications). For SNC to work, you need a GSS-API library installed on each workstation where SAP GUI is installed, and on the app servers you want to logon to using this secure authentication method. SAP provide SNC libraries, but they are only available if your SAP app server is on Windows. In your case where SAP is on HP/UX, you need to use an SNC library available from a SAP partner. This partner will provide you with all the software and support you need to make the solution work, and meet your needs.
    I would like to recommend one such partner, but I am biased because I work for the vendor providing this product :-). The partner is called CyberSafe. You can make contact with me offline and I can arrange a free evaluation of the products, or you can visit the CyberSafe website at http://www.cybersafe.com/links/snc.htm to find out more. Or, you may decide to look for other partners who have solutions to help you, in which case you need to look on the SAP website for SAP SNC partners.
    I hope this is useful?
    Thanks,
    Tim

  • GRC version and SP level

    Hi Guys,
    Can anyone tell me where I can find my GRC version and SP level? I went to System info but did not find the specific location on where I can see my GRC version and SP level.
    Thanks.
    Raymond

    Hi Dirk,
    I was actually using the above mentioned paths (was hoping it could be the solution for me as a central location for monitoring) but was only able to see certain SP for certain GRC components.
    I've checked "Development Components Vendor" and also "Provider", and all I can see is only as below:
    1) virsa  ccappcomp  null (0.2007.09.13.22.08.49)  LOKAL  LOKAL  20071220141100  null/null 
    2) sapgrc  ffappcomp  null (0.2007.09.25.16.06.33)  LOKAL  LOKAL  20071218104251  null/null 
    3) sapgrc  ffume  null (20061001181959)  LOCAL  LOCAL  20071218104206  null/null 
    4) virsa  ccxsysactionws  null (20070913155905)  DNJ  DNJ_CCSP3_D  20071220153828  virsasystems.com/COMPLIANCECALIBRATOR 
    5) virsa  ccxsysbe  null (20061205153153)  DNJ  DNJ_CCSP3_D  20071220140901  virsasystems.com/COMPLIANCECALIBRATOR 
    5) virsa  ccxsysbehr  null (20061205150240)  DNJ  DNJ_CCSP3_D  20071220140946  virsasystems.com/COMPLIANCECALIBRATOR 
    6) virsa  ccxsysbgear  null (20070913155835)  DNJ  DNJ_CCSP3_D  20071220141441  virsasystems.com/COMPLIANCECALIBRATOR 
    7) virsa  ccxsysdb  null (20070308113442)  DNJ  DNJ_CCSP3_D  20071220140623  virsasystems.com/COMPLIANCECALIBRATOR 
    8) virsa  ccxsysws  null (20070913155752)  DNJ  DNJ_CCSP3_D  20071220141305  virsasystems.com/COMPLIANCECALIBRATOR 
    9) sapgrc  ffdb  null (20070909125827)  DNJ  DNJ_FF_D  20071218103726  sapgrc/FIREFIGHTER 
    Thus, you can see that the above monitoring does not give a full GRC components overview, and that's why I've asked if there are other options to see the needed info centrally.
    Any other possible suggestions?
    Thanks.
    Raymond

  • SAP GRC v10 and OIM 11g SoD

    Hi,
    I need some information about implementing integration with SAP GRC v10 and SoD. Do any of you have any experience with that configuration?
    We have only basic information in the SAP UM Connector doc and on Metalink either. Does anyone work with SAP GRC v10 and OIM 11g?
    best
    mp

    See if this helps:
    http://www.oracle.com/technetwork/testcontent/oimconnectordatasheet-saperp-134222.pdf
    regards,
    GP

  • Netbeans IDE and IDM 8

    Since BPE is deprecated in IDM 8, we need to use Netbeans IDE. I installed Netbeans 6 and IDM 8 but they are not compatible. Does anyone have any luck using it or know if they are working on updating the IDE plugin?

    Joseph.Smith wrote:
    First, I don't recall 6.1 being a supported version. Only 6.0 ! If you use the current development build of the plugin (v8.1) it works with NB 6.1 and IDM 8.0. It fixes the bugs which prevented the use of NB 6.1.
    That's an issue with the IDE being a separate product. There isn't any documentation that came out at the same time as 8.0. We all know, the last thing the engineers wanna do is document and I don't think Sun has a writer doing open source stuff! (Although this java.net project is closed)
    I'd recommend you follow the 7.1 documentation on how to configure. If you use the wizard to create a new IDM project you will get a file README.txt which explains how to work with the project. The plugin also extends the Netbeans help with a chapter "Identity Manager IDE".

  • ObjectGUID as matching attribute for reconciliation between AD and IdM

    Hello together,
    I want to use the AD attribute objectGUID as matching attribute between AD and IdM. It is one of the attributes which will never be changed (in case of name changes of a person or similar changes).
    Our IdM can read this attribute and save it (with the help of a java script). This works fine.
    But if I want to write back something to AD I do not know how the "To LDAP directory" path must be configured. I always get the error that the account can not be found in the AD. Maybe the attribute must be changed with a java script ...
    Has anyone already used this attribute?
    Thanks!
    BR
    Michael

    Michael, I have done this many times in pretty much the same way you have indicated.  While DN is good for basic LDAP / AD operations, ObjectGUID is preferred for ModRDN operations or if you want to change the user's DN.  I have written about these operations in a blog, Using modRDN with SAP NW IDM.
    Hope it helps!
    Regards,
    Matt
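
The byte-order handling behind matching on objectGUID, as an added example that is not part of the original posts or of SAP IdM: AD stores the attribute as 16 raw bytes whose first three fields are little-endian, so a stored GUID string has to be converted before it can be used in an LDAP search filter. All function names and the sample value are constructed for illustration.

```javascript
// Added example (hypothetical helper names, constructed sample value).
// Position i of the dashed GUID string comes from raw byte FIELD_ORDER[i]:
// Data1/Data2/Data3 are stored little-endian, the last 8 bytes as-is.
const FIELD_ORDER = [3, 2, 1, 0, 5, 4, 7, 6, 8, 9, 10, 11, 12, 13, 14, 15];
const GUID_RE =
  /^\{?([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})\}?$/i;

function hexByte(b) {
  return b.toString(16).padStart(2, "0");
}

function checkRawGuid(bytes) {
  const ok = Array.isArray(bytes) && bytes.length === 16 &&
    bytes.every((b) => Number.isInteger(b) && b >= 0 && b <= 255);
  if (!ok) throw new Error("objectGUID must be exactly 16 byte values");
  return bytes;
}

// Raw objectGUID bytes as read from AD -> dashed string for storage in IdM.
function guidBytesToString(bytes) {
  checkRawGuid(bytes);
  const h = FIELD_ORDER.map((i) => hexByte(bytes[i])).join("");
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16),
          h.slice(16, 20), h.slice(20)].join("-");
}

// Dashed string from IdM -> raw bytes in AD storage order.
// The strict pattern rejects anything that is not a GUID, so a tampered
// stored value cannot smuggle filter syntax into the lookup.
function guidStringToBytes(guid) {
  const m = GUID_RE.exec(String(guid).trim());
  if (!m) throw new Error("not a GUID string");
  const hex = m.slice(1).join("");
  const out = new Array(16).fill(0);
  FIELD_ORDER.forEach((src, pos) => {
    out[src] = parseInt(hex.slice(pos * 2, pos * 2 + 2), 16);
  });
  return out;
}

// Search filter that locates the entry whatever its current DN is.
// Every octet is written as a backslash plus two hex digits (RFC 4515).
function guidToLdapFilter(guid) {
  const bytes = Array.isArray(guid) ? checkRawGuid(guid) : guidStringToBytes(guid);
  return "(objectGUID=" + bytes.map((b) => "\\" + hexByte(b)).join("") + ")";
}

// Constructed sample: the same GUID as a string and as AD raw bytes.
const SAMPLE_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301";
const SAMPLE_BYTES = [0xe0, 0x04, 0x25, 0x3f, 0x89, 0x4f, 0xd3, 0x11,
                      0x9a, 0x0c, 0x03, 0x05, 0xe8, 0x2c, 0x33, 0x01];

console.log(guidBytesToString(SAMPLE_BYTES)); // dashed form
console.log(guidToLdapFilter(SAMPLE_GUID));   // filter for the lookup
```

A lookup with this filter returns the entry's current DN, which can then be used as the target of the write-back.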
