SAP IdM / GRC 10 GRAC_REQUEST_STATUS_WS Table

Similar Messages

• SAP IDM - GRC Integration Scenario Query

  Hello Experts
  I want to understand if the following scenario is possible or not. Or if any alternate is available. Please share your thoughts..
  Current Situation:
  SAP IDM 7.2, SP9, Patch 11, in use with SAP Provisioning Framework 2 and GRC Provisioning Framework 2
  SAP GRC Access Control 10.1
  Both systems installed, configured and connected (web service connection works well)
  Desired scenario:
  Business Roles will be requested for assignment in IDM. For each privilege that is contained in the Business Role, IDM will trigger the Risk Analysis task and GRC will perform a risk analysis (privilege grouping not yet defined).
  If the GRC risk analysis does not discover a risk, IDM will continue the assignment process of the privileges (or rather Business Role) following the approval workflow defined in IDM.
  If the GRC risk analysis discovers a risk, IDM will trigger the AC Validation task and GRC will create a validation request. This request has to be mitigated in GRC. The result will be handed over to IDM and will there be processed accordingly.
  Problem:
  In IDM only one task from the GRC Provisioning Framework 2 can be triggered when a privilege will be requested for assignment. In our case it’s the “AC Validation – Risk Analysis only” task:
  …and the “AC Validation” task:
  Using the “Risk Analysis only” task processes the pending value object right after receiving the GRC response. This prevents us from post-processing or modifying the pending value object. The assignment will directly be assigned or rejected.
  That means we can either have a risk analysis only OR we’ll have a GRC AC validation request for any privilege assignment request! This is not the foreseen scenario. We want to perform a risk analysis for eacht privilege assignment and if a risk is detected in GRC, a mitigation request shall be started in GRC.
  Question:
  How can this problem be solved? Is the desired scenario feasible?
  Thanks a lot in advance.
  Regards,
  Krishna.

  Hi Krishna,
  I suppose AC Validation – Risk Analysis only" should suffice your requirement from IDM side.
  IDM prepares risk analysis request, submits the request to GRC and process the output of risk analysis.
  Rest to be config'd in SAP GRC side. GRC should receive the request from IDM, performs risk analysis and creates request for remediation and send out of request to IDM. Did you check with your SAP GRC Consultant if workflows and WS are correctly configured in GRC side?
  Kind regards,
  Jai

• SAP IDM 7.0 connecting to SAP GRC 10.1

  Hi Gurus,
  I was looking into connecting SAP IDM 7.0 with SAP GRC AC 10.1 and I cannot find a suitable connector for this.
  Could any of you provide some guidance on how to make this connections.
  Thanks and Regards,
  Juan

  If i remember correctly the 7.0 version had only mx_provision, mx_deprovision and mx_modify -tasks so the integration would have be built on these tasks. As there is no validate add task to hang the GRC call GRC would have to do provisioning.
  7.0 datamodel is different than 7.2, I haven't studied in detail but would guess there is enough difference also in the tables that store tasks/jobs etc that the 7.2 GRC provisioning framework would not   even import to 7.0. You would need to set-up a 7.2 on the side to study the framework to see how to duplicate the tasks..
  VDS in the middle is another thing as it would need to be able to communicate with your custom connector in 7.0.
  If you must stick with 7.0 maybe the GRC connector of 7.1 is worth a try.. But you would probably need also older VDS.
  Depending on the level of your existing customisations and what data from 7.0 is worth keeping the upgrade to 7.2 is not necessarily big thing compared to the effort of building the interim custom interface.. The real question is how big and complex is your 7.0 implementation?
  regards, Tero

• SAP IDM and GRC 5.3

  Hi all,
  I'm running SAP IDM 7.0 with GRC Provisioning Framework 5.3 and GRC 5.3 with AE/CC/...
  When I  test web task from the GRC Provisioning Framework "Sample WF Create GRC User" the process launched works but I'm facing the following problem:
  If I put on the previous request 2 SAP Roles (with no conflict one first time), I see 2 requests created as "NEW" with 1 role each time. If I add 3 SAP Roles, I got 3 requests, ....
  You understand so I never got conflict detected by Compliance Calibrator.
  How should I proceed to get only 1 request with all SAP Role requested from SAP Identity Management?
  I tried as well to change Priority, Type and Employee Type request attributes directly on the task "GRC - create account user with a single privilege", but sounds like SAP Identity Management does not send the correct value to SAP GRC 5.3
  Thanks for your help,
  Benjamin

  Hi all,
  Due to following notes
  https://service.sap.com/sap/support/notes/1318053
  https://service.sap.com/sap/support/notes/1168508
  I upgrade SAP GRC 5.3 to SP7 Patch 1.
  But now, when the SUMIT REQUEST is send to GRC from VDS, I'm facing an error that I did not get with SP5 or SP6 :
  Exception from Add operation:javax.naming.NamingException: [LDAP: error code 1 - (GRC Submit Request:1:[msgcode=2010;msgdescription=SqlException occured while getting Global DueDate;msgtype=JAVA ERROR])]; remaining name 'cn=ZTEST0001,ou=submitrequest,o=grc'
  I looked at VDS log files and VDS sounds to send a correct request :
  FULL OUTPUT: {requestreason=[Sent by Netweaver IdM], request_employeetype=[EMP_IT_EXTERNAL], roledata=[MSKEYVALUE=PRIV:GRC:A:MM:C:PUR_REQ_REL____:SITE-20!!MX_ENTRYTYPE=MX_PRIVILEGE!!MXREF_MX_APPLICATION=34653!!SYSID=SID-110!!DESCRIPTION=MM-PUR: PURCHASE REQUISITIONS - ASSIGN - RELEASE - 20!!TYPE=S!!VALIDFROM=2009-04-21!!VALIDTO=9999-12-31!!ROLEID=A:MM:C:PUR_REQ_REL____:SITE-20!!DISPLAYNAME=PRIV_GRC_A:MM:C:PUR_REQ_REL____:SITE-20!!MX_REPOSITORYNAME=GRC!!MX_PRIVILEGE_TYPE=GRC!!MX_ADD_MEMBER_TASK=479!!MX_DEL_MEMBER_TASK=479], mskeyvalue=[X9393664], requestorlastname=[MyLastName], request_priority=[HIGH], isid=[1], validfrom=[2009-04-21], validto=[9999-12-31], requestorfirstname=[MyFirstName], grc_operation=[ADD], mgrid=[XMGRID], lastname=[Manag]erLastNane], requestorid=[X9393664], auditid=[9970], cn=[X9393664], request_type=[NEW_HIRE], firstname=[MyFirstname], emailaddress=[myemail'at'company.com], requestoremailaddress=[myemail'at'company.com], application=[SID-110]}
  Some of you have already facing this problem ?
  Benjamin

• SAP GRC AC with SAP IdM and without SAP Idm

  Hello,
  Could anyone provide me what are the advantages implementing SAP IdM with SAP AC suite?
  Can I use SAP GRC User Provisioning tool with SAP HCM position based concept?
  Thanks in advance.
  -Harry

  Hi ,
  In GRC 10 there is no concept of web services . GRC 10 uses native SQL query for calling risk analysis which mean no need to configure web service in GRC 10
  Thanks & Regards
  Asheesh

• SAP IDM vs SAP GRC

  Hi All,
  One basic question is coming again and again due to overlapping features of SAP IDM and SAP GRC. Why SAP IDM is required when all most all use cases can be fulfilled by SAP GRC? Is there any document available which can tell me why customer can choose IDM when he already has GRC?
  1. SAP IDM and GRC both can accomplish access request and provisioning.
  2. SAP IDM and GRC both has capability of risk management.
  Then why SAP IDM is required?
  Thanks,
  Dhiman Paul.

  Hi Dhiman,
  SAP IDM is more flexible and is Java based (providing excellent customizations).  GRC 10 is ABAP based and originally designed for Access Control.  As mentioned by Chris, IDM connectors are flexible than GRC & provisioning workflow is highly variable.
  I'd say if there are quite a few number of Legacy systems to be connected for IDM solution, SAP IDM would be an ideal choice than SAP GRC, as it can be implemented with less cost and customization.
  My simple opinion.  There may be other points as well.
  BR,
  Ganesh

• SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?

  Hello IDM-experts,
  where can my customer find information about
  SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?
  Customer situation description:
  The situation is that we are using SAP IDM 7.2. We are using a functionality to allow our users to access a webpage from where they can gain
  SSO access to the Abap systems via the SAPGui. See screenshot as an example.
  Now what we want is to access the CRM and GRC WebUI also with the same SSO possibility. We cannot find any guide/best practice on how to do
  this or if it is possible via SAP IDM 7.2.
  You can see a weblink in the first screenshot but it does not work. It will ask you for a username and password, see second screenshot.
  Kind regards,
  Daniela

  Do you know how the SAP GUI SSO is setup ? Is it using SNC/Kerberos ?
  If it is (I suspect it is), then you will need to use similar method of authentication for the ICF Services. These cannot use SNC since they are accessed via browser, but what you want is possible.
  Thanks
  Tim

• IDM & GRC (including Firefighter ) role in SAP Security

  Please provide me information reg IDM,GRC & FIREFIGHTER in SAP

  That is quite a difficult task, given the eloquent description in your question
  I suggest you have a look at the GRC area here in BPX, and browse through the GRC and Identity Management forums.
  The solution web pages (like http://www.sap.com/solutions/grc/index.epx) should also provide you with a lot of information.
  Feel free to come back here if you have detailed questions.

• Installation SAP IDM 7.1/SAP GRC Access Control 5.3

  Hello,
  I can install Access Control products with Solution Manager, Enterprise Portal... But it is possible to install Access Controll 5.3 and IDM 7.1 on the same server?
  Thanks and best Regards
  Alexander

  Hi Alexander,
  SAP IDM 7.1 is still in the ramp up state.  as per the product availability matrix [pam|https://websmp104.sap-ag.de/~form/handler?_APP=00200682500000001303&_EVENT=DISP_NEW&00200682500000002804=01200314690900001014] ,  I am not yet sure if  SAP IDM is available for 64 bit servers.
  SAP GRC AC 5.3 should be installed on as java netweaver
  server after properly sizing. If your hardware can support sizing for both GRC AC 5.3 and SAP IDM 7.1 , then you can install both on them. usually netweaver 7.0 sp12  will be in 64 bit system.
  You can get GRC AC 5.3 sizing information from [link|http://service.sap.com/~form/sapnet?_SHORTKEY=00200797470000071612&_SCENARIO=01100035870000000112&_OBJECT=011000358700000435122007E]

• GRC  FF Tables in SAP backend

  Hi,
  Please  share with me the standard GRC  FF tables available in SAP Backend and what are the informations they have.
  Thanking you all in advance,
  Regards
  MK

  You can execute t-code se16 in your SAP system and look for tables starting with /VIRSA/*
  Thanks!
  Ankur
  SAP GRC RIG

• SAP IDM - SPML integation

  Hi,
  I was trying to integrate SAP IDM with SPML using VDS.
  While configuring VDS for SPML request I am getting an error as follows.
  "Exception: Could not load external 'attrClass' or one of its referenced classes"
  I am getting this error while starting the identity service in VDS.
  The configuration guide does not talk about adding any other jar/class files.
  Any help in this regard is highly appreciated.
  Thanks in advance.
  Regards
  Sunil

  I know that this thread is old, but when deploying the IdM Identity Service, in conjunction with GRC 10 WebServices (for the CallBack Service functionality), you can't just disable the attribute and continue; you must fix it or else you will not be able to deploy the .ear file needed to further deploy to java (i'll go into detail on this in another post).
  The way, I got past this error was to go Tools - > Options (in VDS) and update the java settings to use the java version I have installed (or as close as I could), I set VDS to use a specified complier (the same compiler for my version of Java - in the same BIN folder) then ensured the classpath was updated with all the classpath's listed in the error (I added them to the Windows CLASSPATH environment variable also):
  The service Compiled and started without issue and I was able to deploy the .ear file out of VDS for Java.
  -ALJ

• SAP IDM 7.1 Role assignment issue

  Hello IDM Experts,
  I am facing one critical issue here. We have connected SAP GRC with SAP IDM for risk analysis and CUP approvals and then once the approvers have approved the requests, IDM assigns these approved roles to users in backend SAP Systems.
  We are now facing issue here past 1-month. Before we never faced this issue.
  The issue is when the Roles are approved from GRC-CUP AC 5.3, post the approvals, the IDM is pulling the data and some of the roles are not getting assigned in SAP Backend systems. In the 1st and 2nd attempt it is not getting assigned however sometimes in the 3rd attempt it is getting assigned. This kind of weird behavior we have come across first time.  Has anyone come across such issues before?
  What could be the possible reason for the roles not getting assigned in SAP Backend system from IDM?
  We checked everything right from dispatchers, connectors, workflow, SQL Logs, Job logs but we are unable to figure out the reason for this issue.
  Do we need to restart the dispatcher or is there any issue with cache memory? 
  Can anyone help here to resolve this High Priority issue?
  Thanks in advance!

  IDM Experts,
  Can I get response on this topic from the experts?
  Will restarting the dispatchers help in this situation? Is this related to housekeeping issue of dispatcher.
  Why are some roles from IDM are not getting assigned in SAP Backend system? Also it is getting rejected 1st and 2nd time and during 3rd time it is getting approved. Please advise
  Regards
  Malini Rao

• GRC -IdM integration (HCM IdM GRC IdM)

  Hi IdM & GRC Gurus,
  We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by Workflow and SoD analysis in GRC (5.3) and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM), however I donu2019t see any documentation for this exact scenario. If SAP's direction is for IdM being provisioning solution and not GRC (CUP), the above scenario should be implemented. SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar but here GRC (CUP) is doing the final provisioning.
  I have following questions
  1     Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
  2     GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
  3     "If answer to question 2 is yes? What are the changes/customization required to GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF, ""It is not possible to only carry out a check for Segregation of Duties, without having the
  request provisioned to the GRC Access Control back-ends. It means that the Identity Center
  cannot just ask if a certain entitlement assignment is valid.
  If the request is approved, the accounts and role assignments will always be performed in
  the GRC Access Control back-end systems."" If this is true, how can we impliment HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?"
  4     If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
  Regards,
  Anurag

  Hi Joel,
  within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
  Kind regards
  Frank

• IDM GRC Business Role managment

  Hi experts,
  We integrated SAP IDM with GRC,
  Now our requirement is creating a business in IDM/GRC, request for business role is raised for IDM and approved by role owner in GRC after risk analysis.
  But SAP said business roles and portal groups are not supported between the systems.
  Kindly suggest how to accomplish this.
  Regards,
  Jaya

  Hi Jaya,
  Yes I remember this is possible. You can setup a customize attribute in GRC privileges. And put the business role name into this attribute.
  Try this URL, but perhaps your GRC consultant should read it instead of you.
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db2cd?QuickLink=index&overridelayout=true&51565377381172
  After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
  I don't have a working IDM system (with GRC integration) with me. I could not provide you more details.
  Cheers,
  Chenyang Xiong

• Webservice URI of SAP IdM 7.0 SP2

  Hi,
  I am trying to connect GRC AC CUP to SAP IdM 7.0 SP2, for that i was trying to get the webservice URI for IdM. Where do we get the web service URI of IdM ?
  Cheers !!
  Zaheer

  Hi Zaheer/Sunil
  >Once you have done that, you need to create an .ear file
  Can you explain how we can create tis ear file?. Is there any guide or documentation which tells these steps?
  >I deployed the EAR file generated by VDS (IdentityService.xml) configuration on a SAP WAS server
  How we can get this Identity service.xml and how we can generate teh EAR file from VDS?  Can you share any guides or documentation
  Regards
  Sahad