IDM GRC Integration Versions

Similar Messages

• IdM GRC integration

  Hi,
  I am searching options how to integrate SAP GRC with Microsoft ADAM through SAP IdM, Purpose is GRC will receive a User data and that will be provisioned into ADAM via SAP IdM. As IdM is a good tool used in Identity management will this serve the purpose of Integrator between SAP GRC and Microsoft ADAM. and how to do that
  I would like to know pros and cons in this case.
  Thanks,
  Regards,
  Swapnil Lakhe

  Hi Richard,
  As i said before, requirment at my architecture is Provision HR data from HR system to ADAM, but GRC will be used for sorting all SoD conflicts and other security porcess. So ADAM will be used as source of User master repository where all data will be stoared in tree format. For this purpose i am finding way to Integrate ADAM and GRC, I can read data from GRC after configuring connecter in GRC, but i am not able to write data into ADAM through GRC. This is my concern. I want to get this successful.
  I am looking SAP IdM as integrator, as i read it can talk with both GRC and ADAM. So architecture i am thinking is GRC <> IdM <> ADAM. I think i can integrate GRC and IdM through Web services mentioned in GRC conf guide, but not able to find how to integrate IdM-LDAP( Microsoft ADAM), i.e. Integration of Identity store to Ms ADAM. I just want to find how this option work with its pros and cons.
  Some facts i came accross this can be achived by running standard templates in IdM through job wizard. option for SUN ONE is available with SAP IdM, but my worries more about Microsoft ADAM.
  Thanks for your help.
  Regards,
  Swapnil Lakhe

• SAP IDM - GRC Integration Scenario Query

  Hello Experts
  I want to understand if the following scenario is possible or not. Or if any alternate is available. Please share your thoughts..
  Current Situation:
  SAP IDM 7.2, SP9, Patch 11, in use with SAP Provisioning Framework 2 and GRC Provisioning Framework 2
  SAP GRC Access Control 10.1
  Both systems installed, configured and connected (web service connection works well)
  Desired scenario:
  Business Roles will be requested for assignment in IDM. For each privilege that is contained in the Business Role, IDM will trigger the Risk Analysis task and GRC will perform a risk analysis (privilege grouping not yet defined).
  If the GRC risk analysis does not discover a risk, IDM will continue the assignment process of the privileges (or rather Business Role) following the approval workflow defined in IDM.
  If the GRC risk analysis discovers a risk, IDM will trigger the AC Validation task and GRC will create a validation request. This request has to be mitigated in GRC. The result will be handed over to IDM and will there be processed accordingly.
  Problem:
  In IDM only one task from the GRC Provisioning Framework 2 can be triggered when a privilege will be requested for assignment. In our case it’s the “AC Validation – Risk Analysis only” task:
  …and the “AC Validation” task:
  Using the “Risk Analysis only” task processes the pending value object right after receiving the GRC response. This prevents us from post-processing or modifying the pending value object. The assignment will directly be assigned or rejected.
  That means we can either have a risk analysis only OR we’ll have a GRC AC validation request for any privilege assignment request! This is not the foreseen scenario. We want to perform a risk analysis for eacht privilege assignment and if a risk is detected in GRC, a mitigation request shall be started in GRC.
  Question:
  How can this problem be solved? Is the desired scenario feasible?
  Thanks a lot in advance.
  Regards,
  Krishna.

  Hi Krishna,
  I suppose AC Validation – Risk Analysis only" should suffice your requirement from IDM side.
  IDM prepares risk analysis request, submits the request to GRC and process the output of risk analysis.
  Rest to be config'd in SAP GRC side. GRC should receive the request from IDM, performs risk analysis and creates request for remediation and send out of request to IDM. Did you check with your SAP GRC Consultant if workflows and WS are correctly configured in GRC side?
  Kind regards,
  Jai

• GRC -IdM integration (HCM IdM GRC IdM)

  Hi IdM & GRC Gurus,
  We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by Workflow and SoD analysis in GRC (5.3) and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM), however I donu2019t see any documentation for this exact scenario. If SAP's direction is for IdM being provisioning solution and not GRC (CUP), the above scenario should be implemented. SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar but here GRC (CUP) is doing the final provisioning.
  I have following questions
  1     Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
  2     GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
  3     "If answer to question 2 is yes? What are the changes/customization required to GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF, ""It is not possible to only carry out a check for Segregation of Duties, without having the
  request provisioned to the GRC Access Control back-ends. It means that the Identity Center
  cannot just ask if a certain entitlement assignment is valid.
  If the request is approved, the accounts and role assignments will always be performed in
  the GRC Access Control back-end systems."" If this is true, how can we impliment HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?"
  4     If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
  Regards,
  Anurag

  Hi Joel,
  within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
  Kind regards
  Frank

• IDM GRC Business Role managment

  Hi experts,
  We integrated SAP IDM with GRC,
  Now our requirement is creating a business in IDM/GRC, request for business role is raised for IDM and approved by role owner in GRC after risk analysis.
  But SAP said business roles and portal groups are not supported between the systems.
  Kindly suggest how to accomplish this.
  Regards,
  Jaya

  Hi Jaya,
  Yes I remember this is possible. You can setup a customize attribute in GRC privileges. And put the business role name into this attribute.
  Try this URL, but perhaps your GRC consultant should read it instead of you.
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
  After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
  I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
  Cheers,
  Chenyang Xiong

• GRC RAR version relative to SAP upgrade to ECC 6

  Hi,
  Currently we are on GRC RAR version AC-RAR 5.3-13.3. We are upgrading our SAP from ECC 5 to ECC 6 and the latest support pack. What GRC RAR version do we need to be on to identify any potential SOD issues on the ECC 6 system? Are there any other potential pitfalls that we should be aware of?
  Thanks,
  John Burk

  Hello John,
  Are you using a customized rule set?
  SAP provides rule updates periodically:
  For example:
  1446680 - Risk Analysis and Remediation Rule Update Q2 2010
  You'll find that some specific changes are performed in these rule updates, and some of these changes are only for ECC 6.
  You might want to check also here:
  Note 986996 - GRC Access Control- Best Practice for Rules and Risks
  Then, the point is not the GRC version, but the rule set. Of course, you have to upgrade the RTAs.
  Cheers,
  Diego.

• JCOM 8.1 vs J-Integra version

  does anyone know what is the corresponding J-Integra version used in JCOM of WLS8.1?
  Is it the same codebase?
  IHAC using J-Integra 1.6 and would like to migrate to JCOM 8.1. Will there be
  any compatibility issues?
  thanks.

  try contacting the mods and see if they can clarify what you are on fast/interleaved  http://bt.custhelp.com/app/contact_email/c/4951
  If you like a post, or want to say thanks for a helpful answer, please click on the Ratings star on the left-hand side of the post.
  If someone answers your question correctly please let other members know by clicking on ’Mark as Accepted Solution’.

• GRC integration with LMS

  Hi,
  My new project is about to begin and came to know that it's about GRC integration with Learning Management System (LMS). I want to make ready before this project starts and searched for integration documents but i couldn't.
  Could anyone help me.
  Thanks
  Ashok

  Hi Prevo,
  SAP Business One is Netweaver application. Application like SRM, CRM which sits on ABAP as well as in Java stack also, are part of netweaver.
  Access control is web based application which can integrates with applications which sits on ABAP & Java both.
  As per your clients requirement you can deploy Access Control.
  Regards,
  Mohit
  Edited by: mohit shrivastava on Sep 9, 2009 6:31 PM

• IDM & GRC (including Firefighter ) role in SAP Security

  Please provide me information reg IDM,GRC & FIREFIGHTER in SAP

  That is quite a difficult task, given the eloquent description in your question
  I suggest you have a look at the GRC area here in BPX, and browse through the GRC and Identity Management forums.
  The solution web pages (like http://www.sap.com/solutions/grc/index.epx) should also provide you with a lot of information.
  Feel free to come back here if you have detailed questions.

• Link to download sun idm 5.x version

  Hey, can any one send the link to download the idm 5.x version. I am new to idm ( i mean in learning process). Mine target is to learn the migration process i mean migrating a developed application from idm 5.x to idm 6.x version.
  I am able to find the download link to idm 6.x, 7.x but i didnt find the link to download the sun idm 5.x version
  please can any help me out finding the sun idm 5.x version so that i can download and do some R&D in migration process.
  thankx in advance

  Stop blaming Sun for your inability to find stuff:
  http://java.sun.com/ -> click "Java SE" under "Popular Downloads" -> click "Previous Releases" -> click "Archived Releases" -> Select whatever you like.
  Every release that is superseeded by some other release will be archived, because there is very little reason to install it (and any Software that runs on Update 12 but not on Update 13 is broken by design).
  Have you tried running on Update 13?

• Enhanced backend integration version of the CRM organizational model

  Hi,
  I want switch from Enhanced org Model to Standard Org Model While doing client copy in EHP 1
  Existing client is with Enhanced Org Model.
  Any Suggestions?

  Hi,
  As per SAP , if you are already using enhanced backend integration model , you can " NOT"  return to the standard backend integration version,
  http://help.sap.com/saphelp_sm40/helpdata/en/15/fbbb3ee5bf7173e10000000a114084/content.htm
  Hope it helps,
  regards,
  PRASHANT

• IDM - GRC AC 5.3 integration - workflow detour not working as expected

  Hi IDM Experts!
  I would greatly appreciate your help with the problem we're currently facing; when integrating IDM with GRC, we have configured 2 CUP workflows; one for handling requests with SoD violations (Workflow B) and one to handle ones without any SoD violations (Workflow C), with the former handling risk analysis followed by role approval, and the latter handling only role approval; we have one path with one stage configured as "No Stage" (Workflow A); this path is used to decide which of the primary workflows to use (i.e. SoD violations or no SoD violations) using two detours; we have one detour configured to use Workflow B if any SoD violations are found in the request and another detour configured to use Workflow C if no SoD violations are found.
  Currently what happens in our tests is that requests without risks / SoD violations work fine and actually get detoured to Workflow C, awaiting role approval from the right approver ; while requests with inherent risks / SoD violations unforutnately get automatically approved and provisioned rather than being sent to Workflow B
  Any clues as to why this could be happening? We've checked if there are any settings that might be triggering it to automatically approve requests despite any risks, but can't find anything of the sort; Would be very grateful for any insight / advice on the issue.
  Thanks a lot in advance!
  Best regards,
  Sandeep

  Hi Diego!
  Once again; thank you for your quick reply!
  I did recheck the auto-provisioning issue and I can confirm that it is definitely set to "No Auto-provisioning" and it hasn't been changed recently. The strange thing is that the detour works for NO SoD violations, but doesn't work for SoD violations; find below the audit trail for detour working:
  Request XXX Submitted by Sandeep (SANDEEP) on 01/28/2012 02:04 
     Z_111111-ECC Role Added with validity dates 01/28/2012-12/31/9999
  Request submitted for approval by admin(system) on 01/28/2012 02:04 
  Approved by Sandeep (SANDEEP) on behalf of Sandeep (SANDEEP) at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 02:04 
     Approved Z_111111-ECC role for Add action with validity dates 01/28/2012-12/31/9999
  Request has taken a detour to path C_WORKFLOW and stage C_STAGE on 01/28/2012 02:04 
     Detour condition SOD Violations with value No is satisfied at path WORKFLOW_A and stage WORKFLOW_A
  and find below the audit trail for the detour not working:
  Request YYY Submitted by Sandeep (SANDEEP) on 01/28/2012 01:53 
     Z_222222-ECC  Role Added with validity dates 01/28/2012-12/31/9999
  Request submitted for approval by admin(system) on 01/28/2012 01:53 
  Approved by Sandeep (SANDEEP)  on behalf of Sandeep (SANDEEP)  at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 01:53 
     Approved Z_222222-ECC role for Add action with validity dates 01/28/2012-12/31/9999
  Request Closed By Sandeep (SANDEEP) on 01/28/2012 01:53 
  I even checked the CUA System section, and the "By system" tab and it was empty; there were no specific system configurations.
  And to answer your questions:
  Since Workflow A is the path with the Initiator, the detour flag is deactivated and the active flag is activated.
  WF B & C have both the active and detour flags activated.
  Thanks a lot again for your quick responses and all the help you've provided so far!
  Best regards,
  Sandeep

• SAP IdM and GRC Integration Sample Scenario

  Has anyone implemented the sample scenario in the following document (page 11/14)?
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60a4802f-b6cd-2b10-1ebf-e269d127a634?quicklink=index&overridelayout=true
  Page: 8/48
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30027e41-b5cd-2b10-4593-df65027f8c55?quicklink=index&overridelayout=true
  Thanks
  Himadama

  Hi Kai,
  I tried to access your blog http://kaidentity.blogspot.com/ but i am getting permission denied.
  I have attached the error. Could you please provide me permission to read your blogs.
  Regards,
  C Kumar

• Unable to download Oracle Data Integrator-Version 11.1.1.6(Important)

  Unable to download Oracle Data Integrator with version 11.1.1.6.Hope this could be resolved ASAP.

  966234 wrote:
  Unable to download Oracle Data Integrator with version 11.1.1.6.Hope this could be resolved ASAP.What is the file you are trying to download? Is it for Windows or Linux or All Platforms?
  Thanks,
  Hussein

• IDM Database integrity checks

  Are there any routines or jobs that check / repair the integrity of the IDM database ? IOn particular the linkages between MSKEYVALUEs and MSKEYs
  In our development IDM instance in the MXIV_ENTRIES table we have some MXREF_MX_PRIVILEGE records which point to MSKEY's that dont exist. Found this problem when a user deletion through the GUI would fail with 'privilege doesnt exist' error. Since development is used for all sorts of destructive testing and initial installs of service pack upgrades it is no wonder the data integrity is suspect.
  Other option is to clear the lot and simply reload from all the clients. But I was just wondering if others have had any integrity problems and if there are 'fix' routines available

  Hi Phil,
  I'm not aware of any standard mechanism in SAP IDM that you can use to cleanup your database.
  I gues you have to implement this on your own. The following SQL command should give you all the assigned privileges that no longer exist in the identity store:
  select mskey, attrname, searchvalue
  from mxiv_sentries where
  attrname = 'MXREF_MX_PRIVILEGE' and searchvalue not in
  (select mskey from mxiv_sentries)
  You could then loop through the result and delete all the attribute values.
  Best regards
  Holger