IdM GRC integration

Hi,
I am searching for options on how to integrate SAP GRC with Microsoft ADAM through SAP IdM. The purpose is that GRC will receive user data and that data will be provisioned into ADAM via SAP IdM. As IdM is a good tool used in identity management, will it serve the purpose of integrator between SAP GRC and Microsoft ADAM, and how to do that?
I would like to know the pros and cons in this case.
Thanks,
Regards,
Swapnil Lakhe

Hi Richard,
As I said before, the requirement in my architecture is to provision HR data from the HR system to ADAM, but GRC will be used for sorting out all SoD conflicts and other security processes. So ADAM will be used as the source of the user master repository where all data will be stored in tree format. For this purpose I am finding a way to integrate ADAM and GRC. I can read data from GRC after configuring the connector in GRC, but I am not able to write data into ADAM through GRC. This is my concern. I want to get this successful.
I am looking at SAP IdM as integrator, as I read it can talk with both GRC and ADAM. So the architecture I am thinking of is GRC <> IdM <> ADAM. I think I can integrate GRC and IdM through the web services mentioned in the GRC configuration guide, but I am not able to find how to integrate IdM with LDAP (Microsoft ADAM), i.e. integration of the Identity Store with MS ADAM. I just want to find how this option works with its pros and cons.
Some facts I came across: this can be achieved by running standard templates in IdM through the job wizard. An option for SUN ONE is available with SAP IdM, but my worries are more about Microsoft ADAM.
Thanks for your help.
Regards,
Swapnil Lakhe

Similar Messages

  • IDM GRC Integration Versions

    Hi All
    We have IDM 7.1 fully integrated with AC 5.3 and it is working well.
    We want to upgrade both applications, but what we need to understand is whether we need to upgrade both applications at the same time or whether we can have a mixture.
    AC 5.3 and IDM 7.1 - Works
    AC 5.3 and IDM 7.2 - ???
    GRC 10 and IDM 7.1 - ???
    GRC 10 and IDM 7.2 - I will assume this works.
    This information would help us to decide our strategy for upgrading, i.e. one application followed by the other, or both at the same time.
    regards
    Simon

    Hi,
    here is the answer:
    AC 5.3 and IDM 7.1 - Works
    AC 5.3 and IDM 7.2 - Works
    GRC 10 and IDM 7.1 - Does not work. SAP wants you to upgrade IDM.
    GRC 10 and IDM 7.2 - I will assume this works.
    Cheers,
    Kai

  • SAP IDM - GRC Integration Scenario Query

    Hello Experts
    I want to understand if the following scenario is possible or not. Or if any alternate is available. Please share your thoughts..
    Current Situation:
    SAP IDM 7.2, SP9, Patch 11, in use with SAP Provisioning Framework 2 and GRC Provisioning Framework 2
    SAP GRC Access Control 10.1
    Both systems installed, configured and connected (web service connection works well)
    Desired scenario:
    Business Roles will be requested for assignment in IDM. For each privilege that is contained in the Business Role, IDM will trigger the Risk Analysis task and GRC will perform a risk analysis (privilege grouping not yet defined).
    If the GRC risk analysis does not discover a risk, IDM will continue the assignment process of the privileges (or rather Business Role) following the approval workflow defined in IDM.
    If the GRC risk analysis discovers a risk, IDM will trigger the AC Validation task and GRC will create a validation request. This request has to be mitigated in GRC. The result will be handed over to IDM and will there be processed accordingly.
    Problem:
    In IDM only one task from the GRC Provisioning Framework 2 can be triggered when a privilege will be requested for assignment. In our case it’s the “AC Validation – Risk Analysis only” task:
    …and the “AC Validation” task:
    Using the “Risk Analysis only” task processes the pending value object right after receiving the GRC response. This prevents us from post-processing or modifying the pending value object. The assignment will directly be assigned or rejected.
    That means we can either have a risk analysis only OR we'll have a GRC AC validation request for any privilege assignment request! This is not the foreseen scenario. We want to perform a risk analysis for each privilege assignment and, if a risk is detected in GRC, a mitigation request shall be started in GRC.
    Question:
    How can this problem be solved? Is the desired scenario feasible?
    Thanks a lot in advance.
    Regards,
    Krishna.

    Hi Krishna,
    I suppose "AC Validation – Risk Analysis only" should suffice your requirement from the IDM side.
    IDM prepares the risk analysis request, submits the request to GRC and processes the output of the risk analysis.
    The rest is to be configured on the SAP GRC side. GRC should receive the request from IDM, perform the risk analysis, create a request for remediation and send the request out to IDM. Did you check with your SAP GRC consultant whether the workflows and WS are correctly configured on the GRC side?
    Kind regards,
    Jai

  • GRC -IdM integration (HCM IdM GRC IdM)

    Hi IdM & GRC Gurus,
    We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by workflow and SoD analysis in GRC (5.3) and finally IdM performing the provisioning (HCM > IdM > GRC > IdM); however I don't see any documentation for this exact scenario. If SAP's direction is for IdM being the provisioning solution and not GRC (CUP), the above scenario should be implemented. The SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide.PDF" is similar, but there GRC (CUP) is doing the final provisioning.
    I have following questions
    1. Which framework should be imported in IdM to implement the IdM - GRC integration, where IdM gets user data from HCM, followed by workflow and SoD analysis in GRC and finally IdM performing the provisioning (HCM > IdM > GRC > IdM)?
    2. The GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
    3. If the answer to question 2 is yes, what are the changes/customization required to the GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide.PDF": "It is not possible to only carry out a check for Segregation of Duties, without having the request provisioned to the GRC Access Control back-ends. It means that the Identity Center cannot just ask if a certain entitlement assignment is valid. If the request is approved, the accounts and role assignments will always be performed in the GRC Access Control back-end systems." If this is true, how can we implement HCM > IdM > GRC > IdM (IdM doing the provisioning in the end)?
    4. If the GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with the HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, into which Identity Store should the GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
    Regards,
    Anurag

    Hi Joel,
    within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
    Kind regards
    Frank

  • IDM GRC Business Role managment

    Hi experts,
    We integrated SAP IDM with GRC,
    Now our requirement is creating a business in IDM/GRC, request for business role is raised for IDM and approved by role owner in GRC after risk analysis.
    But SAP said business roles and portal groups are not supported between the systems.
    Kindly suggest how to accomplish this.
    Regards,
    Jaya

    Hi Jaya,
    Yes, I remember this is possible. You can set up a customized attribute in the GRC privileges and put the business role name into this attribute.
    Try this URL, but perhaps your GRC consultant should read it instead of you.
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
    After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
    I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
    Cheers,
    Chenyang Xiong

  • GRC integration with LMS

    Hi,
    My new project is about to begin and I came to know that it's about GRC integration with a Learning Management System (LMS). I want to be ready before this project starts and searched for integration documents, but I couldn't find any.
    Could anyone help me?
    Thanks
    Ashok

    Hi Prevo,
    SAP Business One is a NetWeaver application. Applications like SRM and CRM, which sit on the ABAP as well as the Java stack, are part of NetWeaver.
    Access Control is a web-based application which can integrate with applications that sit on both ABAP and Java.
    As per your client's requirement you can deploy Access Control.
    Regards,
    Mohit
    Edited by: mohit shrivastava on Sep 9, 2009 6:31 PM

  • IDM & GRC (including Firefighter ) role in SAP Security

    Please provide me information reg IDM,GRC & FIREFIGHTER in SAP

    That is quite a difficult task, given the eloquent description in your question.
    I suggest you have a look at the GRC area here in BPX, and browse through the GRC and Identity Management forums.
    The solution web pages (like http://www.sap.com/solutions/grc/index.epx) should also provide you with a lot of information.
    Feel free to come back here if you have detailed questions.

  • IDM - GRC AC 5.3 integration - workflow detour not working as expected

    Hi IDM Experts!
    I would greatly appreciate your help with the problem we're currently facing. When integrating IDM with GRC, we have configured two CUP workflows: one for handling requests with SoD violations (Workflow B) and one to handle requests without any SoD violations (Workflow C), with the former handling risk analysis followed by role approval, and the latter handling only role approval. We have one path with one stage configured as "No Stage" (Workflow A); this path is used to decide which of the primary workflows to use (i.e. SoD violations or no SoD violations) using two detours: one detour configured to use Workflow B if any SoD violations are found in the request, and another detour configured to use Workflow C if no SoD violations are found.
    Currently what happens in our tests is that requests without risks / SoD violations work fine and actually get detoured to Workflow C, awaiting role approval from the right approver; while requests with inherent risks / SoD violations unfortunately get automatically approved and provisioned rather than being sent to Workflow B.
    Any clues as to why this could be happening? We've checked whether there are any settings that might be triggering it to automatically approve requests despite any risks, but can't find anything of the sort. I would be very grateful for any insight / advice on the issue.
    Thanks a lot in advance!
    Best regards,
    Sandeep

    Hi Diego!
    Once again; thank you for your quick reply!
    I did recheck the auto-provisioning issue and I can confirm that it is definitely set to "No Auto-provisioning" and it hasn't been changed recently. The strange thing is that the detour works for NO SoD violations, but doesn't work for SoD violations; find below the audit trail for detour working:
    Request XXX Submitted by Sandeep (SANDEEP) on 01/28/2012 02:04 
       Z_111111-ECC Role Added with validity dates 01/28/2012-12/31/9999
    Request submitted for approval by admin(system) on 01/28/2012 02:04 
    Approved by Sandeep (SANDEEP) on behalf of Sandeep (SANDEEP) at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 02:04 
       Approved Z_111111-ECC role for Add action with validity dates 01/28/2012-12/31/9999
    Request has taken a detour to path C_WORKFLOW and stage C_STAGE on 01/28/2012 02:04 
       Detour condition SOD Violations with value No is satisfied at path WORKFLOW_A and stage WORKFLOW_A
    and find below the audit trail for the detour not working:
    Request YYY Submitted by Sandeep (SANDEEP) on 01/28/2012 01:53 
       Z_222222-ECC  Role Added with validity dates 01/28/2012-12/31/9999
    Request submitted for approval by admin(system) on 01/28/2012 01:53 
    Approved by Sandeep (SANDEEP)  on behalf of Sandeep (SANDEEP)  at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 01:53 
       Approved Z_222222-ECC role for Add action with validity dates 01/28/2012-12/31/9999
    Request Closed By Sandeep (SANDEEP) on 01/28/2012 01:53 
    I even checked the CUA System section, and the "By system" tab and it was empty; there were no specific system configurations.
    And to answer your questions:
    Since Workflow A is the path with the Initiator, the detour flag is deactivated and the active flag is activated.
    WF B & C have both the active and detour flags activated.
    Thanks a lot again for your quick responses and all the help you've provided so far!
    Best regards,
    Sandeep
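    The two audit trails quoted above are the only evidence in the thread, and they can be checked mechanically: a request that is approved on the "No Stage" routing path and then closed without a "taken a detour" line never reached either approval workflow. The following script is an added example, not code from the original post or from SAP; it parses the trail format exactly as quoted (request ids XXX/YYY and the path name WORKFLOW_A are taken from the post) and flags every request that left the routing path without a detour. The parsing regexes are assumptions based on those quoted lines only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The two CUP audit trails quoted in the post above, copied as they appear there.
AUDIT_TRAIL = """\
Request XXX Submitted by Sandeep (SANDEEP) on 01/28/2012 02:04
   Z_111111-ECC Role Added with validity dates 01/28/2012-12/31/9999
Request submitted for approval by admin(system) on 01/28/2012 02:04
Approved by Sandeep (SANDEEP) on behalf of Sandeep (SANDEEP) at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 02:04
   Approved Z_111111-ECC role for Add action with validity dates 01/28/2012-12/31/9999
Request has taken a detour to path C_WORKFLOW and stage C_STAGE on 01/28/2012 02:04
   Detour condition SOD Violations with value No is satisfied at path WORKFLOW_A and stage WORKFLOW_A
Request YYY Submitted by Sandeep (SANDEEP) on 01/28/2012 01:53
   Z_222222-ECC  Role Added with validity dates 01/28/2012-12/31/9999
Request submitted for approval by admin(system) on 01/28/2012 01:53
Approved by Sandeep (SANDEEP)  on behalf of Sandeep (SANDEEP)  at path WORKFLOW_A and stage WORKFLOW_A on 01/28/2012 01:53
   Approved Z_222222-ECC role for Add action with validity dates 01/28/2012-12/31/9999
Request Closed By Sandeep (SANDEEP) on 01/28/2012 01:53
"""

# The "No Stage" routing path from the post; the only legitimate way out of it is a detour.
ROUTING_PATH = "WORKFLOW_A"


@dataclass
class RequestTrail:
    request_id: str
    roles: List[str] = field(default_factory=list)
    approval_paths: List[str] = field(default_factory=list)  # paths at which an approval was logged
    detour_to: Optional[str] = None                          # path the request was detoured to, if any
    detour_condition: Optional[str] = None
    closed: bool = False


# Line patterns assumed from the quoted trail format (not an official CUP log specification).
RE_SUBMIT = re.compile(r"^Request (\S+) Submitted by")
RE_ROLE = re.compile(r"^\s+(\S+)\s+Role Added")
RE_APPROVED = re.compile(r"^Approved by .* at path (\S+) and stage (\S+)")
RE_DETOUR = re.compile(r"^Request has taken a detour to path (\S+) and stage (\S+)")
RE_COND = re.compile(r"^\s+Detour condition (.+?) is satisfied at path")
RE_CLOSED = re.compile(r"^Request Closed By")


def parse_audit_trail(text: str) -> List[RequestTrail]:
    """Split the trail into one RequestTrail per 'Request ... Submitted' block."""
    trails: List[RequestTrail] = []
    current: Optional[RequestTrail] = None
    for line in text.splitlines():
        m = RE_SUBMIT.match(line)
        if m:
            current = RequestTrail(m.group(1))
            trails.append(current)
            continue
        if current is None:
            continue
        if (m := RE_ROLE.match(line)):
            current.roles.append(m.group(1))
        elif (m := RE_APPROVED.match(line)):
            current.approval_paths.append(m.group(1))
        elif (m := RE_DETOUR.match(line)):
            current.detour_to = m.group(1)
        elif (m := RE_COND.match(line)):
            current.detour_condition = m.group(1)
        elif RE_CLOSED.match(line):
            current.closed = True
    return trails


def find_bypassed_requests(trails: List[RequestTrail], routing_path: str = ROUTING_PATH) -> List[str]:
    """Requests approved on the routing path and closed with no detour: they were
    provisioned without ever reaching a risk-analysis or role-approval workflow."""
    return [t.request_id for t in trails
            if routing_path in t.approval_paths and t.detour_to is None and t.closed]


if __name__ == "__main__":
    parsed = parse_audit_trail(AUDIT_TRAIL)
    for t in parsed:
        print(t.request_id, t.roles, "detour ->", t.detour_to, "|", t.detour_condition)
    print("bypassed routing path:", find_bypassed_requests(parsed))
```

    Run against a larger export, the same check gives a list of every request that was closed straight from the routing path, which is the population to compare against the GRC risk-analysis results when looking for the condition that fails to fire.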

  • SAP IdM and GRC Integration Sample Scenario

    Has anyone implemented the sample scenario in the following document (page 11/14)?
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60a4802f-b6cd-2b10-1ebf-e269d127a634?quicklink=index&overridelayout=true
    Page: 8/48
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30027e41-b5cd-2b10-4593-df65027f8c55?quicklink=index&overridelayout=true
    Thanks
    Himadama

    Hi Kai,
    I tried to access your blog http://kaidentity.blogspot.com/ but i am getting permission denied.
    I have attached the error. Could you please provide me permission to read your blogs.
    Regards,
    C Kumar

  • IDM Database integrity checks

    Are there any routines or jobs that check / repair the integrity of the IDM database? In particular the linkages between MSKEYVALUEs and MSKEYs.
    In our development IDM instance, in the MXIV_ENTRIES table, we have some MXREF_MX_PRIVILEGE records which point to MSKEYs that don't exist. We found this problem when a user deletion through the GUI failed with a 'privilege doesn't exist' error. Since development is used for all sorts of destructive testing and initial installs of service pack upgrades it is no wonder the data integrity is suspect.
    The other option is to clear the lot and simply reload from all the clients. But I was just wondering if others have had any integrity problems and if there are 'fix' routines available.

    Hi Phil,
    I'm not aware of any standard mechanism in SAP IDM that you can use to cleanup your database.
    I guess you have to implement this on your own. The following SQL command should give you all the assigned privileges that no longer exist in the identity store:
    -- privilege references (MXREF_MX_PRIVILEGE) whose target MSKEY has no entry in the store
    select mskey, attrname, searchvalue
    from mxiv_sentries
    where attrname = 'MXREF_MX_PRIVILEGE'
      and searchvalue not in (select mskey from mxiv_sentries)
    You could then loop through the result and delete all the attribute values.
    Best regards
    Holger
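    The orphan check above can be rehearsed offline before it is pointed at a real identity store. The script below is an added example, not code from the post or from SAP IdM: it builds a small constructed stand-in for MXIV_SENTRIES in an in-memory SQLite table (in a real IdM database MXIV_SENTRIES is a view, so the column types and the table name here are assumptions), runs the orphan query with NOT EXISTS instead of NOT IN, and then removes the dangling MXREF_MX_PRIVILEGE values it found.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample rows (mskey, attrname, searchvalue), one row per attribute value.
# Entries 1 and 2 are users, 10 and 11 are privileges; two references point nowhere.
SAMPLE_ROWS = [
    (1, "MSKEYVALUE", "ALICE"),
    (2, "MSKEYVALUE", "BOB"),
    (10, "MSKEYVALUE", "PRIV:ECC:Z_111111"),
    (11, "MSKEYVALUE", "PRIV:ECC:Z_222222"),
    (1, "MXREF_MX_PRIVILEGE", "10"),      # valid: entry 10 exists
    (1, "MXREF_MX_PRIVILEGE", "99"),      # orphan: no entry with mskey 99
    (2, "MXREF_MX_PRIVILEGE", "11"),      # valid
    (2, "MXREF_MX_PRIVILEGE", "123456"),  # orphan: entry deleted under it
]

# searchvalue is stored as text, so the reference is cast before comparing with mskey.
# NOT EXISTS is used rather than NOT IN: a NULL in the subquery would make NOT IN return nothing.
ORPHAN_QUERY = """
select e.mskey, e.attrname, e.searchvalue
from mxiv_sentries e
where e.attrname = 'MXREF_MX_PRIVILEGE'
  and not exists (select 1 from mxiv_sentries t
                  where t.mskey = cast(e.searchvalue as integer))
order by e.mskey, e.searchvalue
"""


def build_sample_db() -> sqlite3.Connection:
    """Create the constructed stand-in table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mxiv_sentries (mskey integer, attrname text, searchvalue text)")
    conn.executemany("insert into mxiv_sentries values (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_orphaned_privilege_refs(conn: sqlite3.Connection) -> List[Tuple[int, str, str]]:
    """Return every privilege reference whose target entry no longer exists."""
    return [tuple(row) for row in conn.execute(ORPHAN_QUERY)]


def delete_orphaned_privilege_refs(conn: sqlite3.Connection) -> int:
    """Remove the orphaned reference values found by the check; returns the number removed."""
    orphans = find_orphaned_privilege_refs(conn)
    conn.executemany(
        "delete from mxiv_sentries where mskey = ? and attrname = ? and searchvalue = ?",
        orphans,
    )
    conn.commit()
    return len(orphans)


if __name__ == "__main__":
    db = build_sample_db()
    print("orphans before:", find_orphaned_privilege_refs(db))
    print("removed:", delete_orphaned_privilege_refs(db))
    print("orphans after:", find_orphaned_privilege_refs(db))
```

    Running the detection query first and keeping its output is the useful habit here: the result set is the audit record of what was removed, and on a real system the delete would go against the underlying attribute table rather than the view.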

  • IDM / GRC 10 - Post approval issue

    We are using IdM 7.2 sp8 and GRC 10 and have a full workflow created as follows:
    NOTE: Risk Validation and GRC System Auto-Approval Step are currently both disabled
    Manager -> Role Owner -> GRC Risk Analysis -> Approval -> Provision.  Seems quite simple, right?  :-)  Getting every detail correct to make sure this works seamlessly is the issue I seem to be running into.
    My issue is that I am trying to assign an IdM Business role that contains privileges from two different ABAP systems (very standard).  After everything gets to approved, submitted to GRC and comes back to IdM, polling starts and the result is read back in and the check status task runs its "Approve" tasks.  It looks like the provision job is trying to provision the requested roles into the GRC10 repository instead of the ABAP systems the privileges should be provisioned in and I get the following in the log:
    This is found in the provisioning framework
    Naturally the privileges have a default repository but the Business Role does not.
    The GRC10 Repository only has the workflow (full not just AC Validation stage) in the Validate add task, no assignment tasks
    Each ABAP system only has the three normal provisioning tasks assigned, 601, 1345 and 751
    The error I get when it's all said and done is "uSkip Called to skip entry".
    There is some small detail I'm missing.
    Your thoughts?

  • SAP IdM / GRC 10 GRAC_REQUEST_STATUS_WS Table

    We are trying to find which tables in GRC provide the web services, like GRAC_REQUEST_STATUS_WS, with their information.  We are seeing a situation where a GRC Access Request appears approved in GRC10, but the status that gets read back into IDM (via the Polling Process) shows the status of FAILED.  So we want to be able to look at the table that has the status in it in GRC so we can verify what status was actually written to the status table and is then made available via the GRAC_REQUEST_STATUS_WS web service.  Again, we are using polling in IdM, so the status IdM is getting is actually fetched from GRC, so we just need the name of the table to do some comparisons.
    If we have GRC do the provisioning instead of IDM, the status IdM receives (via the Polling Process) is OK.  Yet when IdM is to do the provisioning the status is always FAILED.  If a request is disapproved in GRC, it comes back to IDM as FAILED (which is proper), but the approved requests are also coming back as FAILED.
    Has anyone seen this behavior before?

    Andrew,
    As you are looking for GRC tables, maybe you should post this to the GRC forum?  I would do it for you but I am not a moderator.  Maybe Christopher Leonard or Kristian Lehment can help?
    Matt

  • IDM, GRC and position based security

    We use position based security in our ERP  system and are implementing GRC.  In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs.  We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead.  There seems to much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.
    Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?     
    How can IdM be configured to react to a position change and update the roles appropriately?
    Has anyone implemented GRC and IDM with position based security?
    Regards,
    Wayne

    Hi Wayne,
    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.
    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.
    I've attended Teched, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.
    So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.
    This is all theory though, I'm just getting started with IdM myself.
    Kind regards,
    Dagwin
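    The decision flow described above (IdM proposes roles, GRC runs risk analysis, IdM provisions when clean and otherwise hands off to a mitigation workflow, the same split Krishna's scenario asks for earlier in this list) can be written down as a small model. This is an added example, not code from the thread or from SAP IdM or GRC: the position-to-business-role mapping, the privilege names and the SoD rule set are all constructed, and `risk_analysis` stands in for the GRC web service call. It goes one step beyond the post by analysing the whole resulting privilege set rather than only the additions, so a conflict between a retained direct assignment and a newly proposed privilege is still caught.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: HCM positions map to IdM business roles, business roles to
# technical privileges in the target systems (system prefix : role name).
POSITION_TO_BUSINESS_ROLE: Dict[str, str] = {
    "AP_CLERK": "BR_AP_CLERK",
    "AP_MANAGER": "BR_AP_MANAGER",
}
BUSINESS_ROLES: Dict[str, Set[str]] = {
    "BR_AP_CLERK": {"ECC:Z_AP_INVOICE_ENTRY", "BI:Z_AP_REPORTS"},
    "BR_AP_MANAGER": {"ECC:Z_AP_INVOICE_ENTRY", "ECC:Z_AP_PAYMENT_RELEASE", "BI:Z_AP_REPORTS"},
}
# Constructed SoD rule set standing in for the GRC ruleset: a risk is raised when one
# user would hold both sides of a rule.
SOD_RULES: Dict[str, Tuple[str, str]] = {
    "P001": ("ECC:Z_AP_INVOICE_ENTRY", "ECC:Z_AP_PAYMENT_RELEASE"),
}


@dataclass
class Decision:
    user: str
    to_add: Set[str]
    to_remove: Set[str]
    risks: List[str]
    action: str  # "PROVISION" when clean, "VALIDATION_REQUEST" when GRC must run its mitigation workflow


def risk_analysis(privileges: Set[str]) -> List[str]:
    """Stand-in for the GRC risk-analysis call: rule ids violated by the full privilege set."""
    return sorted(rule_id for rule_id, (a, b) in SOD_RULES.items()
                  if a in privileges and b in privileges)


def handle_position_change(user: str, current_privs: Set[str],
                           old_position: Optional[str], new_position: str) -> Decision:
    """IdM side of the flow: derive the resulting privilege set, ask for risk analysis, route."""
    old_privs = BUSINESS_ROLES[POSITION_TO_BUSINESS_ROLE[old_position]] if old_position else set()
    new_privs = BUSINESS_ROLES[POSITION_TO_BUSINESS_ROLE[new_position]]
    held = set(current_privs)
    # What the user would hold afterwards: drop the old position's grants, add the new one's.
    proposed = (held - old_privs) | new_privs
    # Analyse the whole resulting set, not just the additions, so a retained direct
    # assignment that conflicts with a new privilege is still reported.
    risks = risk_analysis(proposed)
    action = "PROVISION" if not risks else "VALIDATION_REQUEST"
    return Decision(user, new_privs - held, (old_privs - new_privs) & held, risks, action)


if __name__ == "__main__":
    # New hire into a clean role: provisioned directly.
    print(handle_position_change("BOB", set(), None, "AP_CLERK"))
    # Promotion that grants both sides of P001: held back for a GRC validation request.
    print(handle_position_change("ALICE", BUSINESS_ROLES["BR_AP_CLERK"], "AP_CLERK", "AP_MANAGER"))
    # Clean additions, but a retained direct assignment completes the conflict.
    print(handle_position_change("CAROL", {"ECC:Z_AP_PAYMENT_RELEASE"}, None, "AP_CLERK"))
```

    The third case is the one worth keeping in mind when configuring the real framework: if only the requested privileges are sent for analysis, a direct assignment already on the account can turn a clean request into an SoD violation that nothing ever checked.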

  • IDM-MOSS Integration

    Has anyone tried integrating IDM with MOSS (Microsoft Office SharePoint Server)? I'm looking for documents that will talk about how we provision/deprovision to MOSS from IDM 7.1.

    For the most part, I think you can just provision to AD/ADAM and assign the necessary group memberships.  I'd look to examine what MOSS requires and then break it down to workflow steps.
    Cheers,
    Matt

  • SAP GRC integration with Oracle IDAM.

    We are looking to implement SAP-ISU and have a proposal to implement a SAP solution which integrates Oracle IDAM (for user provisioning) and SAP GRC. Does anyone have experience of the pros/cons and possible pitfalls of this integration?
    In addition, there is some debate over whether GRC is actually an unnecessary duplication in this circumstance, as there is a view that Oracle IDAM has the ability to deal with all the role management that GRC will be doing. Would appreciate any views?

    Hi Alessandro,
    thank you very much for your response. But as per the Oracle integration document we are using standard SAP web services for this integration piece:
    GRAC_LOOKUP_WS for lookup
    GRAC_RISK_ANALYSIS_WOUT_NO_WS for risk analysis without request.
    Please suggest.
