SAP GRC - SAP IDM integration

Hello,
may I ask you how SAP GRC Access Control can be integrated with Identity Management?
I would like a description of the model and to understand if CUP, ERM, RAR are all mandatory components to do the integration (it's not clear to me if only CUP should be used to integrate IDM).
Thank you to all
Daniela

Hi Daniela,
there are two basic options of integrating Netweaver Identity Management and SAP BusinessObjects Access Control:
- CUP can call IdM to provision roles to non-SAP systems through IdM
- IdM can call CUP to hand over a request (or parts of it) for SoD and critical transaction checks
As a third option, I have seen customers using both tools in parallel, provisioning users and master data through IdM and assigning SAP authorizations through CUP/RAR.
The best kind of integration for your scenario is something that depends on your requirements and your desired processes. Technically you can do a lot, but it makes sense to invest the effort to find out what the best option is in your exact case.
Kind regards,
Frank.

Similar Messages

  • Career in SAP BASIS comparison with SAP GRC/Security

    Hi Everyone,
    I am an SAP BASIS consultant with 2 years of experience working in an MNC company,
    I want to change my career to SAP GRC/SAP Security, I have some basic knowledge of SAP Security,
    Could you please advise me which one to choose?
    Does SAP GRC/Security have demand, and can we get opportunities to work abroad compared to SAP BASIS?
    Which one has more scope, SAP BASIS or SAP Security/GRC?
    Because in BASIS, I am not getting enough scope to work on some good things like Installation, upgrades, Migration,
    I am doing a very basic kind of work like transports, job scheduling, monitoring, and other small activities.
    So I request you people to advise me.
    <removed_by_moderator>
    Read the "Rules of Engagement"
    regards
    Rakesh  Rao
    Message was edited by: Juan Reyes

    Hi Rakesh
    I saw your post in GRC and was waiting of it to appear here
    First up - 2 years is still junior. You may find batch jobs, transports, monitoring, etc all mundane but it is a foundation and learning ground work and foundations to being a good Basis Administration. And one thing's for sure, an awesome basic (I name my best-techy-friend) makes a huge difference on project timelines and deliverables for the rest of us.
    Installation and Upgrades come with time. Whilst still performing junior tasks you could focus on reading up on approaches in case an opportunity in your job comes up and be prepared to prove to your management that you are ready for a bigger responsibility.
    Switching to GRC/Security would be pointless unless you have a desire to learn GRC or Security. These are my background and they are undervalued until things go wrong (insurance policy in a way).
    If you do switch you will reset your 2 years of domain experience back to 0 and you will start off with password resets and basic user administration
    It takes time to work through the ranks. It was 3 years before I got to build my first role. I spent my first few years in security on email chasing approvals, password resets, user account creation, running reports for audit - sounds familiar to what you are doing now?
    You have to master the basics before you are trusted and ready for the more complex activities. By knowing what you are doing now you will be more successful when the time comes to step up and do migrations, upgrades and installations. Supporting production by mastering your technical analysis skills is how you can break through being a fresher/junior.
    Regards
    Colleen
    Ps - if your motivation is more than "good things" happy to answer questions specific to security and GRC.
    Also, boring doesn't mean it can't get interesting nor does it mean it's a worthless activity: SPAU transport imported before patching!!
    Message was edited by: Colleen Lee
    Added link for when transports go bad

  • Sap grc note require

    Hello all.,
    Can someone tell me how to view java table (on GRC server) to see all tcode and object are there. None our full sod roles not showing any conflictions. We have su24 action and permission level file uploaded but still no confliction.
    Does anyone please know the SAP note number where they define the procedure how to view java table on GRC server?
    Thanks

    Hi Junaid,
    If you're looking for a list of tables and definitions for generating custom reports, check note 1369045.
    But I guess you just look for tables to see if they are filled; check some threads like this:
    Most commonly used tables in SAP GRC & SAP HR
    I guess checking the database tables could be OK as a first view, but it should not be the way to do the error analysis. The naming convention for the tables is clear.
    Cheers,
    Diego.
    Edited by: Diego I. Yaryura on Dec 15, 2011 4:37 AM

  • SAP IDM 7.0 connecting to SAP GRC 10.1

    Hi Gurus,
    I was looking into connecting SAP IDM 7.0 with SAP GRC AC 10.1 and I cannot find a suitable connector for this.
    Could any of you provide some guidance on how to make this connections.
    Thanks and Regards,
    Juan

    If I remember correctly the 7.0 version had only mx_provision, mx_deprovision and mx_modify -tasks so the integration would have to be built on these tasks. As there is no validate add task to hang the GRC call, GRC would have to do provisioning.
    7.0 datamodel is different than 7.2, I haven't studied in detail but would guess there is enough difference also in the tables that store tasks/jobs etc that the 7.2 GRC provisioning framework would not even import to 7.0. You would need to set up a 7.2 on the side to study the framework to see how to duplicate the tasks.
    VDS in the middle is another thing as it would need to be able to communicate with your custom connector in 7.0.
    If you must stick with 7.0 maybe the GRC connector of 7.1 is worth a try.. But you would probably need also older VDS.
    Depending on the level of your existing customisations and what data from 7.0 is worth keeping the upgrade to 7.2 is not necessarily big thing compared to the effort of building the interim custom interface.. The real question is how big and complex is your 7.0 implementation?
    regards, Tero

  • ActiveDirectory - SAP IDM integration in Identity Life cycle Management

    Hi Experts
    In our landscape SAP HCM is supposed to be the leading data source and SAP IDM takes identity information from SAP HCM. From SAP IDM it will provision into Active Directory and other third party systems, SAP systems.
    Here are the questions
    1) How can we leverage on the investment on Active Directory after SAP IDM - Active Directory investment? I mean after SAP IDM comes to a landscape, Active Directory will only be used to login to domain and for authentication if for java system Active Directory has been set as user data source. What are the other advantages of Active Directory - SAP IDM integration as Active Directory will not be leading data source and identity information will be in identity store?
    2) After the user details are taken from SAP HCM system, will the user record be created in SAP IDM on Identity store? Is it where we actually assign the SAP IDM business role and the related technical role to the user?
    3) Suppose if we assign a business role "employee", will IDM actually create user id in all target systems and assign all the technical roles? Or do we have to manually select each repository for target system in Identity center and select the privileges and provision it? Will there be any automated feature that after assigning the business role to identity in identity store users and roles get automatically provisioned on all the target systems?
    Thank you in advance for your help.

    Hi Matt,
    Thank you very much.
    Only change we have is before approval it should go to GRC AC, check all the compliance, and only after that it is approved and it should come back to SAP IDM.
    I am actually looking for a tutorial which actually shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained. I suppose there is no such exact tutorial and I want to know how we can configure this on SAP IDM. Any specific clues?
    Also  I am describing the exact steps that will follow . Correct me if I am wrong.
    1) User id will be created on AD with same user name and password as it is in Identity store. Will be assigned AD groups
    2) Create same user in Portal and make the user data source as AD and will assign the technical role portal as per the business role definition
    3) create same user in all abap systems and set abap database as user data source and assign the technical role needed as per the business role definition
    4) Create same user in third party systems  and with the privileges on their target systems as per the business role definition.
    With this provisioning stops. I suppose all the above steps will be automatically done by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
    So some other information i wanted is
    1) When you assign business role at work flow, how exactly does SAP IDM know about the target systems that user should be created and assigned roles and made their authentication source?
    For example, a business role "employee" should get access to ERP with role X, AD with group Y, Portal with role Z. So in work flow when business role employee is assigned, how will SAP IDM know that user should be created on to ERP with role X, AD with group Y, Portal with role Z? Can you explain technically along with detailed steps? Or how exactly do we configure a business role which knows the target systems and their technical roles?
    Thank you once again for the fabulous help. You/Matthew is a tremendous help in understanding SAP IDM better.

  • SAP GRC AC 5.3 integrated with BW

    Hi all,
    Has anyone of you implemented integration between SAP GRC AC 5.3 and BW and develop custom reports?
    Thanks in advance. Regards,
       Imanol

    Imanol,
    There is documentation available for the integration.  You can find that here:
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/e05a9879-d204-2c10-54a9-ebc94eaddc4e?quicklink=index&overridelayout=true
    Also, there are numerous pre-delivered queries already developed.  However, if you wish to develop your own reports, then you will need a BW resource to do so.
    Pre-delivered queries:
    For RAR:
    Alert Detail Listing
    Alert Header Listing
    Critical Action Violations by User
    Critical Role Viols Analysis with Long Portal IDs
    Current User Permission Risk-Perm Violation Analysis Breakdowns
    Current User Permission Risk Violation Analysis Breakdowns
    Management Summary Total Listing
    Mitigated Users Analysis
    Risk Long Descriptions
    Risk-Rule Set Relationship Listing
    Role Permission Risk Violation Analysis
    Role (Portals) Permission Risk Violation Analysis
    Supplementary Rule Detail Listing
    Supplementary Rule Header Listing
    User Permission Risk Violation with Functions
    User Permission Risk Violation with Remediation by User
    User Permission Risk Violation with Remediation by User (Top 10)
    User Permission Violation with Remediation by Risk
    User Permission Violation with Remediation by Risk (Top 10)
    For CUP:
    Access Requests
    Risk Violations
    Role Provisioning
    Service Levels
    SOD Review
    User Access Review
    User Provisioning
    Thanks!
    Ankur
    SAP GRC RIG

  • SAP GRC AC with SAP IdM and without SAP Idm

    Hello,
    Could anyone provide me what are the advantages implementing SAP IdM with SAP AC suite?
    Can I use SAP GRC User Provisioning tool with SAP HCM position based concept?
    Thanks in advance.
    -Harry

    Hi ,
    In GRC 10 there is no concept of web services. GRC 10 uses native SQL query for calling risk analysis, which means no need to configure web service in GRC 10.
    Thanks & Regards
    Asheesh

  • SAP IDM Integration with LDAP VS Rest.

    Hi,
    I'm looking for the best approach through which I can integrate my custom application with SAP IDM 7.2. I have read a couple of articles and found IDM is based on VDS and allows LDAP as well as Restful web services.
    Would like to know the best approach.
    Here what I want to achieve:
    1. Dynamic Schema detection for User, Role and Employee
    2. Get all User List and their corresponding Role.
    3. Password Reset/Set/Change
    Thanks
    Shital

    Hi Nits,
    This guide presents the official SAP Connectors for IdM. SAP and 3rd-party.
    It seems that there is no official connector for ADOBE CQ and HYBRIS.
    But you can build your own connector. (JDBC, WebServices, LDAP)
    Using the same concept as the SAP Standard connectors, Folders (Application Actions, Plugins) HOOK Tasks.
    It will depend on what integration layer these solutions offer.

  • SAP IDM vs SAP GRC

    Hi All,
    One basic question is coming again and again due to overlapping features of SAP IDM and SAP GRC. Why is SAP IDM required when almost all use cases can be fulfilled by SAP GRC? Is there any document available which can tell me why a customer can choose IDM when he already has GRC?
    1. SAP IDM and GRC both can accomplish access request and provisioning.
    2. SAP IDM and GRC both have capability of risk management.
    Then why is SAP IDM required?
    Thanks,
    Dhiman Paul.

    Hi Dhiman,
    SAP IDM is more flexible and is Java based (providing excellent customizations). GRC 10 is ABAP based and originally designed for Access Control. As mentioned by Chris, IDM connectors are more flexible than GRC & provisioning workflow is highly variable.
    I'd say if there are quite a few number of Legacy systems to be connected for IDM solution, SAP IDM would be an ideal choice than SAP GRC, as it can be implemented with less cost and customization.
    My simple opinion.  There may be other points as well.
    BR,
    Ganesh

  • SAP GRC integration with Oracle IDAM.

    We are looking to implement SAP-ISU and have a proposal to implement a SAP solution which integrates Oracle IDAM (for user provisioning) and SAP GRC. Does anyone have experience of pros/cons, possible pitfalls of this integration.
    In addition, there is some debate over whether GRC is actually an unnecessary duplication in this circumstance, as there is a view that Oracle IDAM has the ability to deal with all the role management that GRC will be doing. Would appreciate any views?

    Hi Alessandro,
    thank you very much for your response. But as per the Oracle integration document we are using standard SAP web services for this integration piece.
    GRAC_LOOKUP_WS for Lookup
    GRAC_RISK_ANALYSIS_WOUT_NO_WS for Risk analysis without Request.
    Please suggest..

  • Cross-enterprise integration of SAP GRC Access Control with PeopleSoft

    Friends,
    Does anybody has/have/had the owner to implement Cross-enterprise integration of SAP GRC Access Controls 5.2 with PeopleSoft ?
    If yes, what are the key points and approach one should keep in mind while going for this kind of cross-enterprise implementation.
    Is there any reference material, blog, wiki or such informative resource regarding cross enterprise GRC implementation available on the web?
    I tried to search, but could not get good results.
    Any help would be highly appreciated.
    Best Regards,
    Amol Bharti

    Amol-
    From my experience:
    CC 5.2 with Peoplesoft: as long as you have the RTA's installed in the Peoplesoft system and create the connectors in CC, you are good to go.
    AE 5.2 with Peoplesoft: cannot provision to Peoplesoft, however you can connect with Peoplesoft HR for Password Self-Service.  You have the capability to provision to SAP HR.
    FF 5.2 with Peoplesoft: N/A
    RE 5.2 with Peoplesoft: N/A
    I am not sure if there are any standalone docs out there for AC integration with Peoplesoft.  And the 5.2 manuals have sparse information on integration.  However, the AC 5.3 manuals have more detailed info on the integration piece with various other non-SAP systems.
    Sorry, I couldn't share more info, as that is all I know for now...
    Ankur
    GRC Consultant

  • Installation SAP IDM 7.1/SAP GRC Access Control 5.3

    Hello,
    I can install Access Control products with Solution Manager, Enterprise Portal... But is it possible to install Access Control 5.3 and IDM 7.1 on the same server?
    Thanks and best Regards
    Alexander

    Hi Alexander,
    SAP IDM 7.1 is still in the ramp up state. As per the product availability matrix [pam|https://websmp104.sap-ag.de/~form/handler?_APP=00200682500000001303&_EVENT=DISP_NEW&00200682500000002804=01200314690900001014], I am not yet sure if SAP IDM is available for 64 bit servers.
    SAP GRC AC 5.3 should be installed on as java netweaver server after properly sizing. If your hardware can support sizing for both GRC AC 5.3 and SAP IDM 7.1, then you can install both on them. Usually netweaver 7.0 sp12 will be in 64 bit system.
    You can get GRC AC 5.3 sizing information from [link|http://service.sap.com/~form/sapnet?_SHORTKEY=00200797470000071612&_SCENARIO=01100035870000000112&_OBJECT=011000358700000435122007E]

  • SAP GRC 5.3 Ramp up

    Does SAP GRC 5.3 Ramp up have complete integration with NW IDM 7.0?
    Note:
    We have engaged with SAP for GRC 5.3 Ramp up program and also we have the plans of integrating NW IDM 7.0 & GRC 5.3.

    Well, my previous project we have integrated Siteminder with AE 5.2 using Apache as the web server and its production now.
    Netweaver IDM can be integrated with AE and CC.
    Check out for the document.,
    SAP NetWeaver® Identity Management GRC Integration
    Thanks.
    Regards,
    Muthu Kumaran KG

  • GRC -IdM integration (HCM IdM GRC IdM)

    Hi IdM & GRC Gurus,
    We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by Workflow and SoD analysis in GRC (5.3) and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM), however I don't see any documentation for this exact scenario. If SAP's direction is for IdM being provisioning solution and not GRC (CUP), the above scenario should be implemented. SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar but here GRC (CUP) is doing the final provisioning.
    I have following questions
    1     Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
    2     GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
    3     If answer to question 2 is yes? What are the changes/customization required to GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF, "It is not possible to only carry out a check for Segregation of Duties, without having the request provisioned to the GRC Access Control back-ends. It means that the Identity Center cannot just ask if a certain entitlement assignment is valid. If the request is approved, the accounts and role assignments will always be performed in the GRC Access Control back-end systems." If this is true, how can we implement HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?
    4     If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
    Regards,
    Anurag

    Hi Joel,
    within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
    Kind regards
    Frank

  • Advice on SAP GRC career

    Hello,
    My name is Vijay and I am from Denver, CO. I will be graduating with a Master's degree in Information Systems next month from Colorado State University. I have got a job as an ITPA Associate with a big four firm. My job description reads
    1. Assisting clients in matters of Data Assurance, ERP Controls, IT Risk and Security Assurance, Data Protection and Privacy, Project Assurance, and Advanced Risk and Compliance Analytics
    2. Providing ERP controls services to help audit and non-audit clients address risk and control needs around ERP systems
    3. Assessing, recommending, designing and configuring controls as they relate to business processes, ERP application security, and Governance, Risk and Compliance (GRC).
    4. Designing and assessing control related services around major ERP systems; and
    5. Translating business requirements to efficient and integrated ERP control frameworks.
    I am very new to SAP GRC. Can you please guide me through how to form a career path in SAP GRC?
    Thanks,
    Vijay

    Hi Vijay,
    SAP GRC is a good career path; however, you start your career basically as an SAP security junior associate and finally land up in jobs like:
    SAP Security and Controls Consultant
    Senior SAP Security and Controls Consultant
    SAP Security and Controls Administrator
    SAP Security & GRC Consultant
    SAP GRC Manager
    SAP Process Controls Experts
    SAP Advisory Manager - IT Risk Transformation etc.
    Thanks & Regards
    Subhasish
