SAP IDM and GRC 5.3

Hi all,
I'm running SAP IDM 7.0 with GRC Provisioning Framework 5.3 and GRC 5.3 with AE/CC/...
When I test the web task "Sample WF Create GRC User" from the GRC Provisioning Framework, the process launches and works, but I'm facing the following problem:
If I put on the previous request 2 SAP Roles (with no conflict the first time), I see 2 requests created as "NEW" with 1 role each time. If I add 3 SAP Roles, I get 3 requests, ....
As you can understand, I never got a conflict detected by Compliance Calibrator.
How should I proceed to get only 1 request with all SAP Roles requested from SAP Identity Management?
I tried as well to change the Priority, Type and Employee Type request attributes directly on the task "GRC - create account user with a single privilege", but it sounds like SAP Identity Management does not send the correct value to SAP GRC 5.3.
Thanks for your help,
Benjamin

Hi all,
Due to the following notes
https://service.sap.com/sap/support/notes/1318053
https://service.sap.com/sap/support/notes/1168508
I upgraded SAP GRC 5.3 to SP7 Patch 1.
But now, when the SUBMIT REQUEST is sent to GRC from VDS, I'm facing an error that I did not get with SP5 or SP6:
Exception from Add operation:javax.naming.NamingException: [LDAP: error code 1 - (GRC Submit Request:1:[msgcode=2010;msgdescription=SqlException occured while getting Global DueDate;msgtype=JAVA ERROR])]; remaining name 'cn=ZTEST0001,ou=submitrequest,o=grc'
I looked at the VDS log files and VDS seems to send a correct request:
FULL OUTPUT: {requestreason=[Sent by Netweaver IdM], request_employeetype=[EMP_IT_EXTERNAL], roledata=[MSKEYVALUE=PRIV:GRC:A:MM:C:PUR_REQ_REL____:SITE-20!!MX_ENTRYTYPE=MX_PRIVILEGE!!MXREF_MX_APPLICATION=34653!!SYSID=SID-110!!DESCRIPTION=MM-PUR: PURCHASE REQUISITIONS - ASSIGN - RELEASE - 20!!TYPE=S!!VALIDFROM=2009-04-21!!VALIDTO=9999-12-31!!ROLEID=A:MM:C:PUR_REQ_REL____:SITE-20!!DISPLAYNAME=PRIV_GRC_A:MM:C:PUR_REQ_REL____:SITE-20!!MX_REPOSITORYNAME=GRC!!MX_PRIVILEGE_TYPE=GRC!!MX_ADD_MEMBER_TASK=479!!MX_DEL_MEMBER_TASK=479], mskeyvalue=[X9393664], requestorlastname=[MyLastName], request_priority=[HIGH], isid=[1], validfrom=[2009-04-21], validto=[9999-12-31], requestorfirstname=[MyFirstName], grc_operation=[ADD], mgrid=[XMGRID], lastname=[Manag]erLastNane], requestorid=[X9393664], auditid=[9970], cn=[X9393664], request_type=[NEW_HIRE], firstname=[MyFirstname], emailaddress=[myemail'at'company.com], requestoremailaddress=[myemail'at'company.com], application=[SID-110]}
Have any of you already faced this problem?
Benjamin

Similar Messages

  • SAP IdM and GRC Integration Sample Scenario

    Has anyone implemented the sample scenario in the following document (page 11/14)?
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60a4802f-b6cd-2b10-1ebf-e269d127a634?quicklink=index&overridelayout=true
    Page: 8/48
    http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30027e41-b5cd-2b10-4593-df65027f8c55?quicklink=index&overridelayout=true
    Thanks
    Himadama

    Hi Kai,
    I tried to access your blog http://kaidentity.blogspot.com/ but I am getting permission denied.
    I have attached the error. Could you please provide me permission to read your blogs.
    Regards,
    C Kumar

  • SAP GRC AC with SAP IdM and without SAP Idm

    Hello,
    Could anyone provide me what are the advantages implementing SAP IdM with SAP AC suite?
    Can I use SAP GRC User Provisioning tool with SAP HCM position based concept?
    Thanks in advance.
    -Harry

    Hi,
    In GRC 10 there is no concept of web services. GRC 10 uses a native SQL query for calling risk analysis, which means there is no need to configure a web service in GRC 10.
    Thanks & Regards
    Asheesh

  • SAP IDM and SAP Ariba Integration

    Is there any connector available for the integration from SAP Ariba? Or has anyone any experience with the SAP Ariba integration?!
    We want to create, change and archive the Ariba user with SAP IDM 7.2.

    Hi Fedya,
    the case is very simple - we must create / change and deactivate Enterprise users on the Ariba Portal!
    I attached the ariba screenshot:
    bg thomas

  • Can you have IDM and GRC on the same stack?

    Hi, I am new to IDM and am a Netweaver Basis professional with some performance experience around GRC. Is it wise to place the two together on the same stack?
    The customer will have 190,000 employees and lord knows what the roles will look like at this stage but I'm just a bit worried as I have seen the GRC jobs run for an awfully long time with a lot less users/roles and chew things up a bit
    the right advice appreciated.

    Now that's interesting.
    My architect told me that we were using the 7.1 version but in effect it runs on a 7.0 J2EE.... perhaps he is having me on. If you know for sure then let me know.... regardless I'll have a dig in the documentation.
    Naturally having Project and dev share with GRC should not be considered an issue but having production, pre-production and validation instances running combined with GRC is my concern as I have seen the GRC really slow up the system. The argument they are saying is the heavy jobs will run overnight and mostly just collection and configuration of GRC during the day. They are intending to run in production with 2 instances of 3 servers.

  • SAP Workflow and GRC 10.1 Workflow

    Hi all,
        We are in the midst of upgrading our GRC system up to 10.1 and some questions are coming up about the workflows.  In short are GRC workflows and SAP workflows the "same thing", i.e. if someone outside of the upgrade project were to learn how to create/maintain workflows within GRC 10.1 would they be able to turn around and run the same transactions within an ECC 6.0 environment and create SAP Business workflows?  From what I have seen so far in my searching is that, they have the same basic principle but very different implementation/maintenance.
    Any documentation that you are aware of from SAP showing this would be helpful as well.
    Thanks

    The basic mechanism is the same, but the GRC workflows are more fixed (they leave less room for the workflow to be changed), have built-in screens, and rely on the BRF engine to determine approvers etc.
    Workflows in the ECC give you a lot more room for implementing the workflow however you wish (use a decision task, asynchronous tasks, develop your own custom approval screen etc.) and sometimes require you to implement changes to the workflow object (set a user status, release a document etc.) and don't usually use the BRF.
    So I would have to say that the answer is no, someone who learned how to implement the GRC workflows will not be able to turn around and immediately create workflows in the ECC.  

  • SAP IDM vs SAP GRC

    Hi All,
    One basic question is coming up again and again due to the overlapping features of SAP IDM and SAP GRC. Why is SAP IDM required when almost all use cases can be fulfilled by SAP GRC? Is there any document available which can tell me why a customer would choose IDM when he already has GRC?
    1. SAP IDM and GRC both can accomplish access request and provisioning.
    2. SAP IDM and GRC both have the capability of risk management.
    Then why SAP IDM is required?
    Thanks,
    Dhiman Paul.

    Hi Dhiman,
    SAP IDM is more flexible and is Java based (providing excellent customizations). GRC 10 is ABAP based and originally designed for Access Control. As mentioned by Chris, IDM connectors are more flexible than GRC and the provisioning workflow is highly variable.
    I'd say if there are quite a few Legacy systems to be connected for the IDM solution, SAP IDM would be a more ideal choice than SAP GRC, as it can be implemented with less cost and customization.
    My simple opinion.  There may be other points as well.
    BR,
    Ganesh

  • Advantage and disadvantages of SAP IDM & Microsoft Identity management Tool

    Hi Folks,
    I am looking for some points on SAP IDM and the Microsoft tool for Identity Management. I am looking for the points mentioned below.
    1. Difference in the features and price.
    2. Limitation
    3. Solution architecture for both
    Relevant answers will be rewarded.
    Regards,
    Akshay Shail

    Hi,
    I can add some points about SAP NW IdM. Regarding your question about the price: If you only connect SAP systems (it can handle all types of SAP ABAP and SAP Java Systems) they don't charge you extra, because it's already in the NetWeaver license. Furthermore, if you use the SAP Central User Administration: It isn't further developed and will be replaced by SAP NW IdM.
    The systems you mentioned can be connected, I think these are basics for every IdM solution. HR integration is possible with SAP IdM, don't know about the other solution in this point.
    There are some whitepapers and presentations about SAP NW IdM: https://www.sdn.sap.com/irj/sdn/nw-identitymanagement?rid=/webcontent/uuid/f0b68fb1-d8af-2a10-2a8e-cc431c15bb39&anchor=section2.
    Nevertheless, your question about limitations and solution architecture probably needs a PoC if you want to answer them in depth.
    Best regards,
    Nils

  • SAP IDM vs Microsoft Forefront Client(FIM)

    Hi experts,
    Actually my company (Big Company) is planning to implement a tool for Identity Management, but there are a couple of options which we are thinking of considering; in particular, the last 2 options are SAP IDM and Microsoft Forefront (FIM) ... But I am not able to find enough information or comparison points that will help me in convincing my senior management to finally say yes to one of these tools.
    I would really appreciate a quick response, if someone can explain the comparison points between these 2 tools.
    Thanks
    SAP_Enthu

    Hi All,
    Just to add to my previous question: currently we have MS Active Directory already and, as per plan, are implementing SAP in almost all areas enterprise-wide with GRC. So with this background, I will appreciate the advantages and disadvantages of SAP IDM 7.1 (might use 7.2 if it comes within the next 3 months as planned) compared with MS Forefront IDM (FIM 2010) from a technical, functional, architectural and economic point of view.
    This will help in selecting the best tool among them.
    Thanks
    SAP_Enthu

  • SAP IDM  7.0 integration with third party system

    Hi Experts,
    I know SAP IDM 7.0 can integrate with third party systems and create user ids on most of the third party systems.
    But I need to know whether it is possible to integrate with the following systems:
    1) Microsoft Exchange 2007 (I know SAP IDM supports up to Exchange 2003)
    2) Microsoft Active Directory 2008 (I know up to Active Directory 2003)
    3) EMC Documentum 6.5
    4) ARIS 7.1.0
    5) BlackBoard, Release 9.0
    6) Oracle 10g (Is it possible to create users at Oracle level? Or at what level?)
    7) Sun Solaris Sparc (Is it possible to create users at OS level?)
    If you have information on this please share. I know that the provisioning framework will have templates for most of the target systems. I want to know if they are available for the above systems on SAP IDM 7.0 or, if not, how we can connect to them?

    Hi Matthew
    Your expertise in SAP IDM is indeed a great help!!
    >Can't see why not, it's all done via SQL commands. I've done similar things with MSSQL
    You mean that there will be Oracle 10g drivers/OLE DB connectors in SAP IDM and through SQL commands like "create user alfredo identified by alfredos_secret;" we can create a user in the Oracle database? As you said this should be possible. What about creating a user (user management) in an Oracle 10g application like dba or scot and assigning the privileges in the Oracle application?
    >might need to do via UNIX scripts, but it can be done
    You mean that Unix scripts will be defined in SAP IDM and SAP IDM will execute these scripts on the Sun Solaris Sparc? It should be possible as you said. By the way, how will we be able to connect to Sun Solaris Sparc? Is it via the option "file" under the "Repositories" with the repositories wizard and later executing the file from SAP IDM?
    Thank you once again for your expert answers on third party systems.

  • SAP IDM 7.2 Questions

    Hi,
    I just recently started with SAP IDM and have a few Questions, maybe someone has the time to explain, thanks in advance!
    - What for is VDS (Virtual Directory Server)? I can write directly into AD? why another target system?
    - If I create a Role in Identity Center for testing its available on the idm portal http://localhost:50000/idm but not in /useradmin or Umeadmin?
    - Repository, does it matter in which repository I upload (CSV Import) users? I have multiple repositories and didn't understand the exact purpose of a repository?
    - Org Units? how can I create Org Units and assign roles for inheritance? is this only available on a Netweaver AS ABAP installation? (I installed AS JAVA) According this link: Indirect Role Assignment Using Organizational Management (OM) - Identity Management - SAP Library
    Thanks, Patrick

    Hi Patrick,
    here are some answers:
    Main purpose of VDS is to be an interface INTO IdM. It is an LDAP interface into the data stored in IdM database. It allows you for example to search, read, write and authenticate to IdM data via LDAP interface.
    IdM has its own UI (http:host:port/idm). You are not supposed to see business roles in useradmin of the J2EE. It is objects known to IdM, not to the J2EE.
    Repositories are objects representing mostly a source or target system. For example AD could be a source system where you get users from. An ABAP client can be a target system where you provision users to. Uploading users is just a way of creating users that you cannot get from some other source system like HCM, AD or ABAP. It depends on your scenarios and user life cycle where you get your user information from (source system) and where you provision to (target system).
    The link you shared regarding the org units is not really related to IdM as a product. If you do some automatic assignments in ABAP directly, you might need to reconcile with IdM. IdM is supposed to be a central user administration tool. If you have information about org units in IdM and want to use it to automatically assign authorizations you can do that for example by using dynamic groups.
    IdM is a very powerful tool opening a lot of possibilities as you can basically implement every requirement if you only have the required information available somewhere. It might be helpful for you to have someone to answer all your questions and help you solving your requirements in best way in the beginning, enabling you to use it in the most efficient way.
    Regards
    Norman

  • Authentication Question in SAP IDM 7.1

    Hi All,
    I am currently working on SAP IDM 7.1. My requirement is to set an authentication question in SAP IDM and enforce the same at the first-time login of the user. Presently I am setting my authentication question answer in OOB attributes -- MX_AUTH_Q01 - Q05.
    For the first-time login user I am getting the default password change screen; thereafter I need to enforce Set Authentication for every user logged in for the first time. Please suggest if SAP provides any feature like this to set an authentication question at the time of login. Thanks in advance
    Regards
    Swati Pandey

    Hi Christian,
    I have implemented the security question using the same concept, i.e. by limiting access to the process through access control. Now, my requirement is to store a dynamic question in the user profile, i.e. users can store their own custom question/answer. Do we have any such facility in SAP IDM? Presently the auth questions provided are static for each user profile.
    Thanks
    Swati Pandey

  • SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?

    Hello IDM-experts,
    where can my customer find information about
    SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?
    Customer situation description:
    The situation is that we are using SAP IDM 7.2. We are using a functionality to allow our users to access a webpage from where they can gain
    SSO access to the Abap systems via the SAPGui. See screenshot as an example.
    Now what we want is to access the CRM and GRC WebUI also with the same SSO possibility. We cannot find any guide/best practice on how to do
    this or if it is possible via SAP IDM 7.2.
    You can see a weblink in the first screenshot but it does not work. It will ask you for a username and password, see second screenshot.
    Kind regards,
    Daniela

    Do you know how the SAP GUI SSO is set up? Is it using SNC/Kerberos?
    If it is (I suspect it is), then you will need to use a similar method of authentication for the ICF Services. These cannot use SNC since they are accessed via browser, but what you want is possible.
    Thanks
    Tim

  • SAP IDM 7.0 connecting to SAP GRC 10.1

    Hi Gurus,
    I was looking into connecting SAP IDM 7.0 with SAP GRC AC 10.1 and I cannot find a suitable connector for this.
    Could any of you provide some guidance on how to make this connections.
    Thanks and Regards,
    Juan

    If I remember correctly the 7.0 version had only mx_provision, mx_deprovision and mx_modify tasks, so the integration would have to be built on these tasks. As there is no validate add task to hang the GRC call on, GRC would have to do provisioning.
    The 7.0 datamodel is different from 7.2. I haven't studied it in detail but would guess there is enough difference also in the tables that store tasks/jobs etc. that the 7.2 GRC provisioning framework would not even import to 7.0. You would need to set up a 7.2 on the side to study the framework to see how to duplicate the tasks.
    VDS in the middle is another thing as it would need to be able to communicate with your custom connector in 7.0.
    If you must stick with 7.0 maybe the GRC connector of 7.1 is worth a try. But you would probably also need an older VDS.
    Depending on the level of your existing customisations and what data from 7.0 is worth keeping, the upgrade to 7.2 is not necessarily a big thing compared to the effort of building the interim custom interface. The real question is how big and complex is your 7.0 implementation?
    regards, Tero

  • SAP IDM - GRC Integration Scenario Query

    Hello Experts
    I want to understand if the following scenario is possible or not. Or if any alternate is available. Please share your thoughts..
    Current Situation:
    SAP IDM 7.2, SP9, Patch 11, in use with SAP Provisioning Framework 2 and GRC Provisioning Framework 2
    SAP GRC Access Control 10.1
    Both systems installed, configured and connected (web service connection works well)
    Desired scenario:
    Business Roles will be requested for assignment in IDM. For each privilege that is contained in the Business Role, IDM will trigger the Risk Analysis task and GRC will perform a risk analysis (privilege grouping not yet defined).
    If the GRC risk analysis does not discover a risk, IDM will continue the assignment process of the privileges (or rather Business Role) following the approval workflow defined in IDM.
    If the GRC risk analysis discovers a risk, IDM will trigger the AC Validation task and GRC will create a validation request. This request has to be mitigated in GRC. The result will be handed over to IDM and will there be processed accordingly.
    Problem:
    In IDM only one task from the GRC Provisioning Framework 2 can be triggered when a privilege will be requested for assignment. In our case it’s the “AC Validation – Risk Analysis only” task:
    …and the “AC Validation” task:
    Using the “Risk Analysis only” task processes the pending value object right after receiving the GRC response. This prevents us from post-processing or modifying the pending value object. The assignment will directly be assigned or rejected.
    That means we can either have a risk analysis only OR we’ll have a GRC AC validation request for any privilege assignment request! This is not the foreseen scenario. We want to perform a risk analysis for each privilege assignment and if a risk is detected in GRC, a mitigation request shall be started in GRC.
    Question:
    How can this problem be solved? Is the desired scenario feasible?
    Thanks a lot in advance.
    Regards,
    Krishna.

    Hi Krishna,
    I suppose "AC Validation – Risk Analysis only" should suffice for your requirement from the IDM side.
    IDM prepares the risk analysis request, submits the request to GRC and processes the output of the risk analysis.
    The rest is to be configured on the SAP GRC side. GRC should receive the request from IDM, perform the risk analysis, create a request for remediation and send the output of the request to IDM. Did you check with your SAP GRC Consultant if workflows and WS are correctly configured on the GRC side?
    Kind regards,
    Jai
