SAP IDM - GRC Integration Scenario Query

Hello Experts
I want to understand if the following scenario is possible or not, or if any alternative is available. Please share your thoughts.
Current Situation:
SAP IDM 7.2, SP9, Patch 11, in use with SAP Provisioning Framework 2 and GRC Provisioning Framework 2
SAP GRC Access Control 10.1
Both systems installed, configured and connected (web service connection works well)
Desired scenario:
Business Roles will be requested for assignment in IDM. For each privilege that is contained in the Business Role, IDM will trigger the Risk Analysis task and GRC will perform a risk analysis (privilege grouping not yet defined).
If the GRC risk analysis does not discover a risk, IDM will continue the assignment process of the privileges (or rather Business Role) following the approval workflow defined in IDM.
If the GRC risk analysis discovers a risk, IDM will trigger the AC Validation task and GRC will create a validation request. This request has to be mitigated in GRC. The result will be handed over to IDM and will there be processed accordingly.
Problem:
In IDM only one task from the GRC Provisioning Framework 2 can be triggered when a privilege will be requested for assignment. In our case it’s the “AC Validation – Risk Analysis only” task:
…and the “AC Validation” task:
Using the “Risk Analysis only” task processes the pending value object right after receiving the GRC response. This prevents us from post-processing or modifying the pending value object. The assignment will directly be assigned or rejected.
That means we can either have a risk analysis only OR we'll have a GRC AC validation request for any privilege assignment request! This is not the foreseen scenario. We want to perform a risk analysis for each privilege assignment and, if a risk is detected in GRC, a mitigation request shall be started in GRC.
Question:
How can this problem be solved? Is the desired scenario feasible?
Thanks a lot in advance.
Regards,
Krishna.

Hi Krishna,
I suppose "AC Validation – Risk Analysis only" should suffice for your requirement from the IDM side.
IDM prepares the risk analysis request, submits the request to GRC and processes the output of the risk analysis.
The rest has to be config'd on the SAP GRC side. GRC should receive the request from IDM, perform the risk analysis, create a request for remediation and send the request out to IDM. Did you check with your SAP GRC consultant whether the workflows and WS are correctly configured on the GRC side?
Kind regards,
Jai
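The flow Krishna describes (risk analysis for every requested privilege; no risk: continue in the IDM approval workflow; risk: open an AC validation request in GRC and wait for the mitigation decision) is modelled below as an added example. This is not IdM or GRC code: the GRC risk-analysis call is mocked with a constructed SoD rule table, and the state names, the `PendingAssignment` class and the `ACREQ-` request-id scheme are assumptions chosen for the example. It also shows a point the original post leaves open under "privilege grouping not yet defined": an SoD risk usually comes from a combination of privileges, so analysing each privilege of a business role on its own can report no risk while the role as a whole conflicts.

```python
"""Model of the IdM-side decision flow around a GRC risk analysis (example code)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed SoD rule library standing in for GRC's own (assumption for this
# example): a risk is raised when the user would hold every privilege of a rule.
SOD_RULES: Dict[str, FrozenSet[str]] = {
    "SOD-PUR-01": frozenset({"PRIV:GRC:PUR_REQ_CREATE", "PRIV:GRC:PUR_REQ_RELEASE"}),
    "SOD-FIN-01": frozenset({"PRIV:GRC:VENDOR_MAINTAIN", "PRIV:GRC:PAYMENT_RUN"}),
}


@dataclass
class PendingAssignment:
    """Stands in for the pending value object IdM holds for a requested business role."""
    user: str
    business_role: str
    privileges: FrozenSet[str]
    state: str = "PENDING"
    risks: List[str] = field(default_factory=list)
    validation_request: Optional[str] = None


def risk_analysis(existing: Set[str], requested: FrozenSet[str]) -> List[str]:
    """Mock of the GRC 'Risk Analysis only' call.

    GRC evaluates the user's effective access, i.e. what is already assigned plus
    what is requested; a rule fires when the effective set covers all its privileges.
    """
    effective = set(existing) | set(requested)
    return sorted(rid for rid, combo in SOD_RULES.items() if combo <= effective)


def route(assignment: PendingAssignment, existing: Set[str]) -> str:
    """Decide what IdM does with the pending value once the GRC response is in."""
    assignment.risks = risk_analysis(existing, assignment.privileges)
    if not assignment.risks:
        # No risk: GRC is done, continue with the approval workflow defined in IdM.
        assignment.state = "IDM_APPROVAL"
    else:
        # Risk found: open an AC validation request in GRC and keep the value pending.
        # Nothing is assigned until the mitigation decision comes back.
        assignment.validation_request = f"ACREQ-{assignment.user}-{assignment.business_role}"
        assignment.state = "AWAITING_GRC_VALIDATION"
    return assignment.state


def apply_validation_result(assignment: PendingAssignment, mitigated: bool) -> str:
    """Process the result GRC hands back for an outstanding validation request."""
    if assignment.state != "AWAITING_GRC_VALIDATION":
        raise ValueError(f"no validation request outstanding for {assignment.user}")
    assignment.state = "IDM_APPROVAL" if mitigated else "REJECTED"
    return assignment.state


def per_privilege_vs_grouped(existing: Set[str], privileges: List[str]):
    """Why grouping matters: one analysis per privilege misses conflicts that only
    exist between the privileges of the same business role."""
    singly = {p: risk_analysis(existing, frozenset({p})) for p in privileges}
    grouped = risk_analysis(existing, frozenset(privileges))
    return singly, grouped


if __name__ == "__main__":
    req = PendingAssignment("u1", "Buyer",
                            frozenset({"PRIV:GRC:PUR_REQ_CREATE", "PRIV:GRC:PUR_REQ_RELEASE"}))
    print(route(req, set()), req.risks, req.validation_request)
    print(per_privilege_vs_grouped(set(), sorted(req.privileges)))
```

Running the module shows the two analyses side by side: each privilege of the "Buyer" role is clean on its own, while the role as a whole trips `SOD-PUR-01`. Whatever the real grouping in IdM ends up being, the risk-analysis call should receive the complete set of privileges a business role would add, together with what the user already holds.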

Similar Messages

  • IdM GRC integration

    Hi,
    I am searching for options to integrate SAP GRC with Microsoft ADAM through SAP IdM. The purpose is that GRC will receive user data and that data will be provisioned into ADAM via SAP IdM. As IdM is a good tool used in identity management, will it serve the purpose of integrator between SAP GRC and Microsoft ADAM, and how do we do that?
    I would like to know the pros and cons in this case.
    Thanks,
    Regards,
    Swapnil Lakhe

    Hi Richard,
    As I said before, the requirement in my architecture is to provision HR data from the HR system to ADAM, but GRC will be used for sorting out all SoD conflicts and other security processes. So ADAM will be used as the source of the user master repository where all data will be stored in tree format. For this purpose I am finding a way to integrate ADAM and GRC. I can read data from GRC after configuring the connector in GRC, but I am not able to write data into ADAM through GRC. This is my concern. I want to get this successful.
    I am looking at SAP IdM as the integrator, as I read it can talk with both GRC and ADAM. So the architecture I am thinking of is GRC <> IdM <> ADAM. I think I can integrate GRC and IdM through the web services mentioned in the GRC configuration guide, but I am not able to find how to integrate IdM with LDAP (Microsoft ADAM), i.e. integration of the identity store with MS ADAM. I just want to find out how this option works, with its pros and cons.
    Some facts I came across: this can be achieved by running the standard templates in IdM through the job wizard. An option for SUN ONE is available with SAP IdM, but my worries are more about Microsoft ADAM.
    Thanks for your help.
    Regards,
    Swapnil Lakhe

  • IDM GRC Integration Versions

    Hi All
    We have IDM 7.1 fully integrated with AC 5.3 and it is working well.
    We want to upgrade both applications, but what we need to understand is whether we need to upgrade both applications at the same time or whether we can have a mixture.
    AC 5.3 and IDM 7.1 - Works
    AC 5.3 and IDM 7.2 - ???
    GRC 10 and IDM 7.1 - ???
    GRC 10 and IDM 7.2 - I will assume this works.
    This information would help us to decide our strategy for upgrading, i.e. one application followed by the other, or both at the same time.
    regards
    Simon

    Hi,
    here is the answer:
    AC 5.3 and IDM 7.1 - Works
    AC 5.3 and IDM 7.2 - Works
    GRC 10 and IDM 7.1 - Does not work. SAP wants you to upgrade IDM.
    GRC 10 and IDM 7.2 - I will assume this works.
    Cheers,
    Kai

  • SAP IdM / GRC 10 GRAC_REQUEST_STATUS_WS Table

    We are trying to find what tables in GRC provide the web services, like GRAC_REQUEST_STATUS_WS, their information.  We are seeing a situation where a GRC Access Request appears approved in GRC10 , but the status that gets read back into IDM (via the Polling Process) shows the status of FAILED.  So we want to be able to look at the table that has the status in it in GRC so we can verify what status was actually written to the status table and is then made available via the GRAC_REQUEST_STATUS_WS web service.  Again, we are using polling in IdM, so the status IdM is getting is actually fetched from GRC so we just need the name of the table to do some comparisons.
    If we have GRC do the provisioning instead of IDM, the status IdM receives (via the Polling Process) is OK. Yet when IdM is to do the provisioning the status is always FAILED. If a request is disapproved in GRC, it comes back to IDM as FAILED (which is proper), but the approved requests are also coming back as FAILED.
    Has anyone seen this behavior before?

    Andrew,
    As you are looking for GRC tables, maybe you should post this to the GRC forum?  I would do it for you but I am not a moderator.  Maybe Christopher Leonard or Kristian Lehment can help?
    Matt

  • GRC -IdM integration (HCM IdM GRC IdM)

    Hi IdM & GRC Gurus,
    We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by workflow and SoD analysis in GRC (5.3), and finally IdM performing the provisioning (HCM > IdM > GRC > IdM); however, I don't see any documentation for this exact scenario. If SAP's direction is for IdM to be the provisioning solution and not GRC (CUP), the above scenario should be implemented. The SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide.PDF" is similar, but there GRC (CUP) is doing the final provisioning.
    I have following questions
    1     Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
    2     GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
    3     If the answer to question 2 is yes, what are the changes/customizations required to the GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide.PDF": "It is not possible to only carry out a check for Segregation of Duties, without having the request provisioned to the GRC Access Control back-ends. It means that the Identity Center cannot just ask if a certain entitlement assignment is valid. If the request is approved, the accounts and role assignments will always be performed in the GRC Access Control back-end systems." If this is true, how can we implement HCM > IdM > GRC > IdM (IdM doing the provisioning in the end)?
    4     If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
    Regards,
    Anurag

    Hi Joel,
    within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
    Kind regards
    Frank

  • SAP IDM 7.0 connecting to SAP GRC 10.1

    Hi Gurus,
    I was looking into connecting SAP IDM 7.0 with SAP GRC AC 10.1 and I cannot find a suitable connector for this.
    Could any of you provide some guidance on how to make this connections.
    Thanks and Regards,
    Juan

    If I remember correctly, the 7.0 version had only the mx_provision, mx_deprovision and mx_modify tasks, so the integration would have to be built on these tasks. As there is no validate-add task to hang the GRC call on, GRC would have to do the provisioning.
    The 7.0 data model is different from 7.2. I haven't studied it in detail, but I would guess there is enough difference also in the tables that store tasks/jobs etc. that the 7.2 GRC provisioning framework would not even import into 7.0. You would need to set up a 7.2 on the side to study the framework and see how to duplicate the tasks.
    VDS in the middle is another thing, as it would need to be able to communicate with your custom connector in 7.0.
    If you must stick with 7.0, maybe the GRC connector of 7.1 is worth a try, but you would probably also need an older VDS.
    Depending on the level of your existing customisations and what data from 7.0 is worth keeping, the upgrade to 7.2 is not necessarily a big thing compared to the effort of building the interim custom interface. The real question is how big and complex your 7.0 implementation is.
    regards, Tero

  • ActiveDirectory - SAP IDM integration in Identity Life cycle Management

    Hi Experts
    In our landscape SAP HCM is supposed to be the leading data source and SAP IDM takes identity information from SAP HCM. From SAP IDM it will provision into Active Directory, other third-party systems and SAP systems.
    Here are the questions:
    1) How can we leverage the investment in Active Directory after the SAP IDM - Active Directory integration? I mean, after SAP IDM comes into a landscape, Active Directory will only be used to log in to the domain and for authentication, if Active Directory has been set as the user data source for Java systems. What are the other advantages of Active Directory - SAP IDM integration, as Active Directory will not be the leading data source and identity information will be in the identity store?
    2) After the user details are taken from the SAP HCM system, will the user record be created in the SAP IDM identity store? Is that where we actually assign the SAP IDM business role and the related technical role to the user?
    3) Suppose we assign a business role "employee"; will IDM actually create the user ID in all target systems and assign all the technical roles? Or do we have to manually select each repository for the target system in the Identity Center, select the privileges and provision them? Will there be any automated feature so that, after assigning the business role to the identity in the identity store, users and roles get automatically provisioned on all the target systems?
    Thank you in advance for your help.

    Hi Matt,
    Thank you very much.
    The only change we have is that before approval it should go to GRC AC to check all the compliance, and only after that is it approved and should it come back to SAP IDM.
    I am actually looking for a tutorial which shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems, which you have just explained. I suppose there is no such exact tutorial, and I want to know how we can configure this in SAP IDM. Any specific clues?
    Also, I am describing the exact steps that will follow. Correct me if I am wrong.
    1) The user ID will be created in AD with the same user name and password as in the identity store, and will be assigned AD groups.
    2) Create the same user in the Portal, make the user data source AD, and assign the technical Portal role as per the business role definition.
    3) Create the same user in all ABAP systems, set the ABAP database as the user data source, and assign the technical role needed as per the business role definition.
    4) Create the same user in third-party systems, with the privileges in their target systems as per the business role definition.
    With this, provisioning stops. I suppose all the above steps will be done automatically by SAP IDM with no manual interaction required after the final approval. Correct me if I am wrong.
    So some other information I wanted is:
    1) When you assign a business role in the workflow, how exactly does SAP IDM know the target systems in which the user should be created, assigned roles and made their authentication source?
    For example, a business role "employee" should get access to ERP with role X, AD with group Y, Portal with role Z. So in the workflow, when the business role "employee" is assigned, how will SAP IDM know that the user should be created in ERP with role X, AD with group Y, Portal with role Z? Can you explain technically, along with detailed steps? Or how exactly do we configure a business role which knows the target systems and their technical roles?
    Thank you once again for the fabulous help. You/Matthew are a tremendous help in understanding SAP IDM better.

  • SAP GRC AC with SAP IdM and without SAP Idm

    Hello,
    Could anyone provide me what are the advantages implementing SAP IdM with SAP AC suite?
    Can I use SAP GRC User Provisioning tool with SAP HCM position based concept?
    Thanks in advance.
    -Harry

    Hi ,
    In GRC 10 there is no concept of web services. GRC 10 uses a native SQL query for calling the risk analysis, which means there is no need to configure a web service in GRC 10.
    Thanks & Regards
    Asheesh

  • ALE/IDOC and RFC/BAPI Integration Scenarios with SAP DS for ESA v3

    Hi,
    we are planning two PoCs of Integration Plattforms. One of our major requirement set is SAP Integration into our existing SOA.
    Because we also have R/3 4.7 systems in production, we are planning to test ALE/IDOC and RFC/BAPI integration scenarios with these integration platforms.
    My question is:
    We are looking for a smart solution to get an SAP test environment where we can test ALE/IDOC and RFC/BAPI integration scenarios.
    It is possible to do this with SAP DS for ESA v3 or shall we better use IDES for that purpose?
    Best regards,
    Steven

    Hi Abhishek,
    This is our scenario. We are doing an integration of the SAP HR R/3 system with the CRM system. We need housing information details of the employees, which we have in custom infotype 9310 in the SAP HR system, and we need those details in the CRM system. So I am planning an ALE/IDOC approach for the integration and am going to maintain the 9310 details in a custom table. In the CRM system, we are going to build a BOL layer for accessing the 9310 details. Also, I'm preparing an HLD for this process. I want to read and go through a few similar HLDs before I submit my proposal to my client. Please suggest and help me out.
    Thanks in advance.
    Regards,
    Arunmozhi.

  • To SAP-XI Product Developement... Bug in Integration Scenario, swimlanes..?

    Hi,
    I am not sure whether such questions can be posted in this forum or not, but I have no other alternative. If this is not the right forum I will not post such queries again.
    I have posted a query regarding "Integration Scenario, swimlane diagrams" in the XI Forum, but there were no replies to that. So I would like to forward the same to the Product Development team and would like to know if this is a bug or whether things do work like this.
    I have designed my Integration Scenario in Design Time and imported the same into Configuration Time so that the configuration objects (Receiver Determination, Interface Determination, Receiver Agreements) are automatically created. I tried the scenario and it is working fine.
    In my scenario, I have 3 swimlanes corresponding to systems Sys1, Sys2, Sys3.
    In Run 1, a connection is made between Sys1's and Sys2's actions. Imported into Configuration, configuration objects created (Receiver Determination created), scenario working properly.
    In Run 2, another connection is made between Sys1's and Sys3's actions (Sys1 and Sys2 still remain connected). Imported into Configuration, Receiver Determination changed according to the scenario, scenario working properly.
    In Run 3, the connection between Sys1 and Sys2 is removed and again imported into Configuration, but the Receiver Determination is not changed to cater to the scenario in Design Time. The old Receiver Determination is not getting deleted/changed. The Receiver Determination is reused instead of being changed, which is incorrect according to the scenario.
    Is this a bug in the software, or do things work like this only? You can reach me at Siva_Maranani(at)satyam(dot)com
    Cheers,
    Siva Maranani.

    Hello Aamir,
    you are right, I don't need virtual receivers for my scenario and I also don't want to use them.
    However, when modelling my scenario with an integration scenario in the design, I'm forced to do this and I would like to know whether there is any way to avoid this.
    In order to be able to use a business service on the sender side, it seems I have to select the checkbox 'External party with B2B communication' in my integration scenario. When importing and configuring the scenario in the directory, I am then able to select my business service for the sender side. However, for the receiver side I have to specify a virtual receiver, otherwise I cannot finish the configuration wizard.
    Any more ideas?
    Best regards,
    Matthias

  • SAP IDM and GRC 5.3

    Hi all,
    I'm running SAP IDM 7.0 with GRC Provisioning Framework 5.3 and GRC 5.3 with AE/CC/...
    When I test the web task "Sample WF Create GRC User" from the GRC Provisioning Framework, the process launched works, but I'm facing the following problem:
    If I put 2 SAP roles on the previous request (with no conflict the first time), I see 2 requests created as "NEW" with 1 role each. If I add 3 SAP roles, I get 3 requests, and so on.
    So, as you can see, I never get a conflict detected by Compliance Calibrator.
    How should I proceed to get only 1 request with all the SAP roles requested from SAP Identity Management?
    I tried as well to change the Priority, Type and Employee Type request attributes directly on the task "GRC - create account user with a single privilege", but it seems that SAP Identity Management does not send the correct value to SAP GRC 5.3.
    Thanks for your help,
    Benjamin

    Hi all,
    Due to following notes
    https://service.sap.com/sap/support/notes/1318053
    https://service.sap.com/sap/support/notes/1168508
    I upgrade SAP GRC 5.3 to SP7 Patch 1.
    But now, when the SUBMIT REQUEST is sent to GRC from VDS, I'm facing an error that I did not get with SP5 or SP6:
    Exception from Add operation:javax.naming.NamingException: [LDAP: error code 1 - (GRC Submit Request:1:[msgcode=2010;msgdescription=SqlException occured while getting Global DueDate;msgtype=JAVA ERROR])]; remaining name 'cn=ZTEST0001,ou=submitrequest,o=grc'
    I looked at the VDS log files and VDS seems to send a correct request:
    FULL OUTPUT: {requestreason=[Sent by Netweaver IdM], request_employeetype=[EMP_IT_EXTERNAL], roledata=[MSKEYVALUE=PRIV:GRC:A:MM:C:PUR_REQ_REL____:SITE-20!!MX_ENTRYTYPE=MX_PRIVILEGE!!MXREF_MX_APPLICATION=34653!!SYSID=SID-110!!DESCRIPTION=MM-PUR: PURCHASE REQUISITIONS - ASSIGN - RELEASE - 20!!TYPE=S!!VALIDFROM=2009-04-21!!VALIDTO=9999-12-31!!ROLEID=A:MM:C:PUR_REQ_REL____:SITE-20!!DISPLAYNAME=PRIV_GRC_A:MM:C:PUR_REQ_REL____:SITE-20!!MX_REPOSITORYNAME=GRC!!MX_PRIVILEGE_TYPE=GRC!!MX_ADD_MEMBER_TASK=479!!MX_DEL_MEMBER_TASK=479], mskeyvalue=[X9393664], requestorlastname=[MyLastName], request_priority=[HIGH], isid=[1], validfrom=[2009-04-21], validto=[9999-12-31], requestorfirstname=[MyFirstName], grc_operation=[ADD], mgrid=[XMGRID], lastname=[Manag]erLastNane], requestorid=[X9393664], auditid=[9970], cn=[X9393664], request_type=[NEW_HIRE], firstname=[MyFirstname], emailaddress=[myemail'at'company.com], requestoremailaddress=[myemail'at'company.com], application=[SID-110]}
    Have some of you already faced this problem?
    Benjamin

  • SAP IDM and SAP Ariba Integration

    Is there any connector available for the integration with SAP Ariba? Or does anyone have any experience with the SAP Ariba integration?
    We want to create, change and archive the Ariba users with SAP IDM 7.2.

    hi fedya,
    the case is very simple: we must create, change and deactivate Enterprise users on the Ariba portal!
    I attached the ariba screenshot:
    bg thomas

  • SAP IDM Integration with LDAP VS Rest.

    Hi,
    I'm looking for the best approach through which I can integrate my custom application with SAP IDM 7.2. I have read a couple of articles and found that IDM is based on VDS and allows LDAP as well as RESTful web services.
    Would like to know the best approach.
    Here what I want to achieve:
    1. Dynamic Schema detection for User, Role and Employee
    2. Get the full user list and their corresponding roles.
    3. Password Reset/Set/Change
    Thanks
    Shital

    Hi Nits,
    This guide presents the official SAP connectors for IdM, SAP and 3rd-party.
    It seems that there are no official connectors for Adobe CQ and Hybris.
    But you can build your own connector (JDBC, web services, LDAP),
    using the same concept as the SAP standard connectors: folders (Application Actions, Plugins), HOOK tasks.
    It will depend on what integration layer these solutions offer.

  • SAP IDM vs SAP GRC

    Hi All,
    One basic question is coming up again and again due to the overlapping features of SAP IDM and SAP GRC. Why is SAP IDM required when almost all use cases can be fulfilled by SAP GRC? Is there any document available which can tell me why a customer would choose IDM when he already has GRC?
    1. SAP IDM and GRC both can accomplish access request and provisioning.
    2. SAP IDM and GRC both has capability of risk management.
    Then why SAP IDM is required?
    Thanks,
    Dhiman Paul.

    Hi Dhiman,
    SAP IDM is more flexible and is Java based (providing excellent customizations). GRC 10 is ABAP based and originally designed for Access Control. As mentioned by Chris, IDM connectors are more flexible than GRC's, and the provisioning workflow is highly variable.
    I'd say if there are quite a few number of Legacy systems to be connected for IDM solution, SAP IDM would be an ideal choice than SAP GRC, as it can be implemented with less cost and customization.
    My simple opinion.  There may be other points as well.
    BR,
    Ganesh

  • SAP IDM integration in SLD

    Hi there
    one of our customers raised the question if SAP IDM can be integrated with SLD (system landscape directory)? Obviously, one of the dispatchers showed up in the SLD for one time (maybe during installation).
    best regards
    Matthias

    Hi Billy
    in fact the core components of SAP IDM are not implemented in NetWeaver. They are running on a Windows Server (e.g. the dispatchers). Those are the components we want to register in SLD.
    Only the UI components are running in a NetWeaver AS Java, but this one is already in SLD.
    best regards
    Matthias
