GRC -IdM integration (HCM IdM GRC IdM)

Hi IdM & GRC Gurus,
We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by workflow and SoD analysis in GRC (5.3), and finally IdM performing the provisioning (HCM > IdM > GRC > IdM); however, I don't see any documentation for this exact scenario. If SAP's direction is for IdM to be the provisioning solution and not GRC (CUP), the above scenario should be implemented. The SAP document "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar, but there GRC (CUP) is doing the final provisioning.
I have the following questions:
1. Which framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by workflow and SoD analysis in GRC, and finally IdM performing the provisioning (HCM > IdM > GRC > IdM)?
2. The GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
3. If the answer to question 2 is yes, what are the changes/customizations required to the GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF": "It is not possible to only carry out a check for Segregation of Duties, without having the request provisioned to the GRC Access Control back-ends. It means that the Identity Center cannot just ask if a certain entitlement assignment is valid. If the request is approved, the accounts and role assignments will always be performed in the GRC Access Control back-end systems." If this is true, how can we implement HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?
4. If the GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with the HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, into which Identity Store should the GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
Regards,
Anurag

Hi Joel,
within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
Kind regards
Frank

Similar Messages

  • GRC-IDM Integration: missing web-service?

    Hi Experts,
    I have been loading the GRC provisioning framework for SAP Netweaver IDM, as well as the VDS configuration file (in the templates available, I used SAP Netweaver > GRC Access Control 5.3 SP2). The integration is working fine and IDM is correctly communicating with CUP (I can create requests through IDM, and once the request is approved in CUP, the status is updated in IDM).
    However, in IDM when the GRC Provisioning framework gets a status "OK" from CUP, it triggers another task called "read provisioning log" (I am assuming that this is to retrieve the list of approved roles from CUP). This request gives me a fatal error:
    uLDAPGetEntry got exception
    javax.naming.NameNotFoundException: [LDAP: error code 32 -
    Couldn't perform DN to Data source mapping]; remaining name '
    After some investigations, I noticed that the GRC repository has a constant for the provisioning log web service called VDS2GRC_BRANCH_PROVISIONINGLOG (also described in the GRC integration configuration guide). Default value is ou=provisioninglog. When looking at the VDS, there is NO virtual tree for ou=provisioninglog ... so I am assuming this is the reason why the task fails.
    Has anybody gone through this already? Is there a procedure for creating this missing VDS entry, or does VDS 7.1 SP3 solve this issue? FYI, I am using Netweaver IDM 7.1 SP2 with the same version of the VDS. The GRC provisioning framework is the one currently available on SDN.
    Any idea would be appreciated!
    Kind regards,
    Jean-Christophe

    Hi ,
    After further investigation and testing, it appears that VDS 7.1 SP3 comes with the correct set of Data sources and web services, therefore solving this integration issue.
    Actually, we were facing other technical limitations due to the fact that the latest version of the GRC provisioning framework (available on the SDN) only works if you use VDS 7.1 SP3. For example, the attribute GRC_REQUEST_ID (used in the IDM task for tracking the CUP request ID) was not correctly updated in IDM.
    Updating the other components from SP2 to SP3 (IC, RT, Web Dynpro, etc.) was not necessary for us to make this provisioning log web service work, although I think it is better to keep a consistent patch level across the components.
    Kind regards,
    JC

  • HCM - IDM Integration issues

    Hello Experts,
    I am working on the HCM & IDM Integration and I have done the configurations on HCM & VDS as per the Systems Landscape document.
    When I run the export query from HCM, the data is not coming to the staging area.
    I have turned on the operational log trace and reran the query, and found the following logged in the logs. But it is not of much help in understanding why the rollback is happening.
    Has anyone faced this kind of error earlier? Any thoughts on how to proceed further?
    I am on IDM 7.2 SP7
    Thanks,
    Krishna.

    Hello Deepak,
    Thanks for your reply.
    Yes, I am using PERNR to calculate my MSKEYVALUE. But I believe in the current issue it is not getting to that stage at all.
    1. When we run the extract program from HCM, VDS first writes the data to the HCM_Staging_Area identity store, to the MX_HCM_EMPLOYEE entry type.
    2. When this happens, based on the event tasks defined on the MX_HCM_EMPLOYEE type attribute, the job "Write HCM Employee To SAP Master" will be triggered, where the MSKEYVALUE is calculated and written to the Master ID store.
    In the current scenario, VDS is not writing the data to HCM_Staging_Area at all.
    When examined, in the logs I got an entry rejection, as shown in the screenshot in my initial post.
    ~ Krishna.

  • HCM IDM Integration

    I'm working on integrating HCM with IDM. I came across the following limitations in one of the documents I happened to glance at.
    1. When replicating the data to the Identity Center from SAP HCM over the Virtual Directory Server, you can only use scheduled synchronization. You cannot synchronize the data based on events. This is a limitation of SAP HCM.
    2. The delta mechanism is not pre-configured when importing the data from the SAP HCM system into the staging area in the Identity Center. A full load is always performed.
    Can someone suggest ways to achieve this integration? Is there any document available?

    Hi Joel,
    in general, the delta mechanism is only available if you are using Business Suite 6.0 EhP4 and NW IdM 7.1.
    The documentation describes briefly which BAdIs have to be activated to use the delta mechanism (usually you will modify the BAdI implementation to catch only those changes of employee master records which are relevant for your IdM installation):
    Retrieval of Employee-Related Data by SAP ERP HCM 
    http://help.sap.com/erp2005_ehp_04/helpdata/EN/75/28be4785c247828834285cc3aefc11/frameset.htm
    If you are using this delta mechanism you can schedule the LDAP export with a short repetition period; as a result you get something like nearly event-driven synchronization between HCM and IdM.
    Kind regards
    Frank

  • Installation SAP IDM 7.1/SAP GRC Access Control 5.3

    Hello,
    I can install Access Control products with Solution Manager, Enterprise Portal... But is it possible to install Access Control 5.3 and IDM 7.1 on the same server?
    Thanks and best Regards
    Alexander

    Hi Alexander,
    SAP IDM 7.1 is still in the ramp-up state. As per the product availability matrix [pam|https://websmp104.sap-ag.de/~form/handler?_APP=00200682500000001303&_EVENT=DISP_NEW&00200682500000002804=01200314690900001014], I am not yet sure if SAP IDM is available for 64-bit servers.
    SAP GRC AC 5.3 should be installed on an AS Java NetWeaver server after proper sizing. If your hardware can support the sizing for both GRC AC 5.3 and SAP IDM 7.1, then you can install both on it. Usually NetWeaver 7.0 SP12 will be on a 64-bit system.
    You can get GRC AC 5.3 sizing information from [link|http://service.sap.com/~form/sapnet?_SHORTKEY=00200797470000071612&_SCENARIO=01100035870000000112&_OBJECT=011000358700000435122007E]

  • ActiveDirectory - SAP IDM integration in Identity Life cycle Management

    Hi Experts
    In our landscape SAP HCM is supposed to be the leading data source and SAP IDM takes identity information from SAP HCM. From SAP IDM it will provision into Active Directory, other third-party systems and SAP systems.
    Here are the questions:
    1) How can we leverage the investment in Active Directory after the SAP IDM - Active Directory integration? I mean, after SAP IDM comes into a landscape, Active Directory will only be used to log in to the domain and for authentication if Active Directory has been set as the user data source for Java systems. What are the other advantages of Active Directory - SAP IDM integration, as Active Directory will not be the leading data source and identity information will be in the identity store?
    2) After the user details are taken from the SAP HCM system, will the user record be created in SAP IDM in the identity store? Is that where we actually assign the SAP IDM business role and the related technical role to the user?
    3) Suppose we assign a business role "employee"; will IDM actually create a user ID in all target systems and assign all the technical roles? Or do we have to manually select each repository for a target system in Identity Center, select the privileges and provision it? Will there be any automated feature so that after assigning the business role to an identity in the identity store, users and roles get automatically provisioned to all the target systems?
    Thank you in advance for your help.

    Hi Matt,
    Thank you very much.
    The only change we have is that before approval it should go to GRC AC to check all the compliance, and only after that is it approved and should it come back to SAP IDM.
    I am actually looking for a tutorial which shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained. I suppose there is no such exact tutorial, and I want to know how we can configure this on SAP IDM. Any specific clues?
    Also, I am describing the exact steps that will follow. Correct me if I am wrong.
    1) A user ID will be created in AD with the same user name and password as in the identity store, and will be assigned AD groups.
    2) Create the same user in the Portal, make the user data source AD, and assign the technical portal role as per the business role definition.
    3) Create the same user in all ABAP systems, set the ABAP database as user data source, and assign the technical role needed as per the business role definition.
    4) Create the same user in third-party systems with the privileges on their target systems as per the business role definition.
    With this, provisioning stops. I suppose all the above steps will be done automatically by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
    Some other information I wanted is:
    1) When you assign a business role in the workflow, how exactly does SAP IDM know about the target systems in which the user should be created, assigned roles, and made their authentication source?
    For example, a business role "employee" should get access to ERP with role X, AD with group Y, Portal with role Z. So in the workflow, when business role employee is assigned, how will SAP IDM know that the user should be created in ERP with role X, AD with group Y, Portal with role Z? Can you explain technically along with detailed steps? Or how exactly do we configure a business role which knows the target systems and their technical roles?
    Thank you once again for the fabulous help. You/Matthew are a tremendous help in understanding SAP IDM better.
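    The question above asks how a provisioning engine can know, from a business role alone, which target systems to create the account in and which technical roles to assign. The following is an added example, not code from SAP IdM, GRC or any poster in this thread: a small, vendor-neutral Python model in which a business-role catalogue maps each business role to per-system privileges, the assigned business roles are expanded into a target-system entitlement set, that set is checked against SoD rules before anything is provisioned (the HCM > IdM > GRC > IdM gate from the opening post), and the result is diffed against what the user already holds so that account creation, additions and removals are all computed. All role names, system names and risk rules are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed business-role catalogue (hypothetical): business role ->
# {target system -> technical privileges}. In a real deployment this is the
# role definition maintained in the identity store; it is what tells the
# engine which repositories a holder of the role must exist in.
BUSINESS_ROLES = {
    "employee": {
        "ERP":    {"Z_EMPLOYEE_SELFSERVICE"},
        "AD":     {"CN=AllStaff"},
        "PORTAL": {"eu_role"},
    },
    "ap_clerk":    {"ERP": {"Z_AP_INVOICE_ENTRY"}},
    "ap_approver": {"ERP": {"Z_AP_PAYMENT_RELEASE"}},
}

# Constructed SoD rule set (hypothetical): rule id -> privileges that must
# never be held together. The GRC SoD check plays this part in the thread.
SOD_RULES = {
    "P001": frozenset({"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"}),
}


@dataclass
class Plan:
    """Outcome of one provisioning run for one identity."""
    violations: list = field(default_factory=list)       # SoD rule ids that blocked the run
    create_accounts: list = field(default_factory=list)  # systems with no account yet
    add: dict = field(default_factory=dict)              # system -> privileges to assign
    remove: dict = field(default_factory=dict)           # system -> privileges to revoke


def expand_business_roles(assigned):
    """Flatten assigned business roles into {system: set(privileges)}."""
    wanted = {}
    for role in assigned:
        if role not in BUSINESS_ROLES:
            raise KeyError(f"unknown business role: {role}")
        for system, privs in BUSINESS_ROLES[role].items():
            wanted.setdefault(system, set()).update(privs)
    return wanted


def sod_violations(wanted):
    """Return ids of SoD rules whose privilege pair is fully contained in the
    requested entitlement set, looking across all target systems."""
    held = set().union(*wanted.values()) if wanted else set()
    return sorted(rid for rid, pair in SOD_RULES.items() if pair <= held)


def plan_provisioning(current, assigned):
    """Compute the provisioning actions for one identity.

    current:  {system: set(privileges)} the identity already holds in the
              targets (a system missing here has no account yet).
    assigned: business roles granted to the identity in the identity store.
    The SoD check runs before any action is planned; a violation blocks the
    whole run, mirroring the "check before provisioning" gate in the thread.
    """
    wanted = expand_business_roles(assigned)
    plan = Plan(violations=sod_violations(wanted))
    if plan.violations:
        return plan
    plan.create_accounts = sorted(s for s in wanted if s not in current)
    for system in sorted(set(current) | set(wanted)):
        have = current.get(system, set())
        want = wanted.get(system, set())
        if want - have:
            plan.add[system] = want - have
        if have - want:
            plan.remove[system] = have - want
    return plan


if __name__ == "__main__":
    # Constructed input: the user already has an ERP account carrying a stale
    # AP privilege and is now assigned only the "employee" business role.
    existing = {"ERP": {"Z_EMPLOYEE_SELFSERVICE", "Z_AP_INVOICE_ENTRY"}}
    print(plan_provisioning(existing, ["employee"]))
    # A clerk who is also made approver trips rule P001 and nothing is provisioned.
    print(plan_provisioning({}, ["employee", "ap_clerk", "ap_approver"]))
```

    The removal branch is the part most worth noticing: because the plan is a diff between what the business roles entitle and what the target currently holds, revoking a business role leads to de-provisioning of its privileges without any extra rule, which is what keeps accumulated access from surviving role changes.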

  • OpenSSO-Sun IDM integration

    Hi All,
    I have implemented the OpenSSO-Sun IDM integration based on the "OpenSSO Integration Guide.pdf". Now, users created in Sun IDM are provisioned to OpenSSO. Can anyone tell me whether users created in OpenSSO can be provisioned to Sun IDM?
    Also, is there any way to have password sync between OpenSSO and Sun IDM users? That is, if the user's password is changed in OpenSSO, can it also be changed in Sun IDM?
    Best Wishes,
    Aruna

    Hi Frank,
    Thanks for the response,
    1. This is user/pw from the AC system you need to send with the web service call from SUN to AC
    So, we create and provide user credentials to the IDM team, and they need to incorporate the user credentials whenever they are calling the web services in AC 5.3?
    For this initial communication to happen, what needs to be done? Is setting up SAP JCo required in this case? Do we get involved in the configuration/development activity at the IDM end?
    I could not find proper documentation on this; this leaves me unsure how much involvement I have to have as a SAP GRC AC 5.3 consultant.
    Regards......

  • AC 53 IdM Integration Implementation Assistance Guide released in BPX

    Hi Everyone,
    The first version of AC 53 IdM Integration Implementation Assistance Guide has been released in BPX.  You can find this document directly via this link:
    https://www.sdn.sap.com/irj/bpx/index?rid=/library/uuid/20bfb824-ea45-2c10-b093-bd097a579793&overridelayout=true
    Thanks!
    Ankur Baishya
    SAP GRC RIG

  • FA with IDM (integration) flow solution

    hi all,
    I just would like to share with you guys this post that is very helpful if you are looking to integrate your current IDM enterprise with Oracle FA (+ IDM solution inside of it):
    http://thiagoleoncio.blogspot.com/2014/05/how-oracle-fusion-apps-works-with-idm.html
    I hope this helps you on your own solution.
    thx and have a great day,
    Thiago Leoncio.


  • Oracle IdM integration with Microsoft ILM 2007/FIM 2010

    We currently have ILM 2007 in our environment with limited usage at the moment. We are looking at purchasing Oracle Identity Manager to implement an enterprise wide IAM solution.
    We were wondering if it is possible to continue using ILM like a middleware between our AD forests and the Oracle IdM. Where the Oracle IdM is the overarching IAM solution and Microsoft ILM 2007/FIM 2010 is like the metadirectory for our AD forests.
    Is this possible without installing the Oracle Management Connector on any of our DCs and using ILM as the directory that Oracle IdM connects to? All AD account provisioning/de-provisioning, account updates, password sync/reset will be initiated from the Oracle IdM to ILM and then implemented on AD. In other words, no direct interaction with AD domain controllers from Oracle IdM; everything will go to ILM and ILM in turn applies it to AD.
    Is this possible?
    Is there a custom connector that will work with ILM 2007/FIM 2010?
    Is this a simple customization or something that can be problematic and expensive?
    Any feedback is much appreciated
    Thanks

    user1106726 wrote:
    > We currently have ILM 2007 in our environment with limited usage at the moment. We are looking at purchasing Oracle Identity Manager to implement an enterprise wide IAM solution.
    > We were wondering if it is possible to continue using ILM like a middleware between our AD forests and the Oracle IdM. Where the Oracle IdM is the overarching IAM solution and Microsoft ILM 2007/FIM 2010 is like the metadirectory for our AD forests.
    > Is this possible without installing the Oracle Management Connector on any of our DCs and using ILM as the directory that Oracle IdM connects to. All AD account provisioning/de-provisioning, acct updates, password sync/reset will be initiated from the Oracle IdM to ILM and then implemented on AD. In other words no direct interaction with AD domain controllers from Oracle IdM, everything will go to ILM and ILM in turn applies it to AD.
    > Is this possible?
    Yes
    > Is there a custom connector that will work with ILM 2007/FIM 2010
    Yes, if you write one you will have a custom connector
    > Is this a simple customization or something that can be problematic and expensive?
    It won't be simple. Problematic and expensive maybe, depends on how good you are with OIM and ILM

  • Cross-enterprise integration of SAP GRC Access Control with PeopleSoft

    Friends,
    Does anybody has/have/had the owner to implement Cross-enterprise integration of SAP GRC Access Controls 5.2 with PeopleSoft ?
    If yes, what are the key points and approach one should keep in mind while going for this kind of cross-enterprise implementation.
    Is there any reference material, blog, wiki or such informative resource regarding cross enterprise GRC implementation available on the web?
    I tried to search, but could not get good results.
    Any help would be highly appreciated.
    Best Regards,
    Amol Bharti

    Amol-
    From my experience:
    CC 5.2 with PeopleSoft: as long as you have the RTAs installed in the PeopleSoft system and create the connectors in CC, you are good to go.
    AE 5.2 with Peoplesoft: cannot provision to Peoplesoft, however you can connect with Peoplesoft HR for Password Self-Service.  You have the capability to provision to SAP HR.
    FF 5.2 with Peoplesoft: N/A
    RE 5.2 with Peoplesoft: N/A
    I am not sure if there are any standalone docs out there for AC integration with Peoplesoft.  And the 5.2 manuals have sparse information on integration.  However, the AC 5.3 manuals have more detailed info on the integration piece with various other non-SAP systems.
    Sorry, I couldn't share more info, as that is all I know for now...
    Ankur
    GRC Consultant

  • GRC AC 5.3 and GRC Process Control on the same server

    Hello,
    Can we install SAP GRC AC 5.3, GRC Process Control 3.0 and GRC Risk Management 3.0 on the same box / same server?
    Is there an OSS Note which talks about having the above 3 components on one box?
    Thanks,
    Imran

    Hello Imran,
    1- My 3 questions are: do I need a separate Java stack for GRC Process Control and a separate Java stack for GRC Access Control?
    -> No, you can have them installed on the same Java stack.
    OR
    Can I use the same Java stack for GRC Process Control & GRC Access Control?
    -> Yes, you can. You have to make sure that you are on SP10 or above for Access Control, as only then will it support NW Java 7.01.
    2- Can I use EP 7.0.1 installed on the same server for both GRC PC 3.0 and GRC AC 5.3?
    -> Yes, you can.
    3- Can 1 single AS Java database contain both GRC Access Control VIRSA tables and GRC Process Control tables at the same time?
    -> For Process Control the tables reside on the backend SAP system, as it is a Web Dynpro ABAP application, and for Access Control the tables reside on the Java database, as it is a Java and Web Dynpro Java application.
    Regards, Varun

  • SAP GRC - SAP IDM integration

    Hello,
    may I ask you how SAP GRC Access Control can be integrated with Identity Management?
    I would like a description of the model and to understand if CUP, ERM, RAR are all mandatory components to do the integration (it's not clear to me if only CUP should be use to integrate IDM).
    Thank you to all
    Daniela

    Hi Daniela,
    there are two basic options of integrating Netweaver Identity Management and SAP BusinessOBjects Access Control:
    - CUP can call IdM to provision roles to non-SAP systems through IdM
    - IdM can call CUP to hand over a request (or parts of it) for SoD and critical transaction checks
    As a third option, I have seen customers using both tools in parallel, provisioning users and master data through IdM and assigning SAP authorizations through CUP/RAR.
    The best kind of integration for your scenario is something that depends on your requirements and your desired processes. Technically you can do a lot, but it makes sense to invest the effort to find out what the best option is in your exact case.
    Kind regards,
    Frank.

  • GRC AC and IDM integration

    Hello community,
    Does someone know if we can configure the IDM role request workflow (configured at the IDM side) to use Role Assigner and Role Content Approval configured at the GRC AC side?
    Regards,
    SAP Legend

    Legend,
    In addition to Dilip's suggestion, you can also refer to:
    SAP Access Control 10.0 Interface for Identity Management
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d09f0171-02e8-2d10-be90-a4ad042a0e6e?QuickLink=index&…
    Understanding the IdM 7.2 - GRC10 interface
    Let us know if these help you.
    Regards,
    Ameet

  • Tivoli IDM Integration with GRC 10

    Hi All ,
    Can someone please help me with information about the web services that we need to enable on GRC 10 so that it can integrate with the IDM solution (IBM Tivoli)? I had a look at the GRC 10 docs in the marketplace, however I couldn't find any help on this.
    Thanks for your time.
    Vikas

    Hi vikas and Frank,
    Do you have any information related on How to enable the webservices in the GRC 10 (does NWBC holds the key). if you have any information related to it  please share it with me.
    Thanks and regards,
    keerthi
