SAP IDM vs SAP GRC

Hi All,
One basic question keeps coming up again and again due to the overlapping features of SAP IDM and SAP GRC. Why is SAP IDM required when almost all use cases can be fulfilled by SAP GRC? Is there any document available which can tell me why a customer would choose IDM when he already has GRC?
1. SAP IDM and GRC can both accomplish access request and provisioning.
2. SAP IDM and GRC both have the capability of risk management.
Then why is SAP IDM required?
Thanks,
Dhiman Paul.

Hi Dhiman,
SAP IDM is more flexible and is Java based (providing excellent customizations). GRC 10 is ABAP based and originally designed for Access Control. As mentioned by Chris, IDM connectors are more flexible than GRC's and the provisioning workflow is highly variable.
I'd say if there are quite a number of legacy systems to be connected for the IDM solution, SAP IDM would be an ideal choice rather than SAP GRC, as it can be implemented with less cost and customization.
My simple opinion. There may be other points as well.
BR,
Ganesh

Similar Messages

  • SAP IDM and SAP Ariba Integration

    Is there any connector available for the integration with SAP Ariba? Or does anyone have any experience with the SAP Ariba integration?!
    We want to create, change and archive the Ariba user with SAP IDM 7.2.

    Hi Fedya,
    the case is very simple - we must create / change and deactivate Enterprise users on the Ariba Portal!
    I attached the Ariba screenshot:
    Best regards, Thomas

  • SAP GRC AC with SAP IdM and without SAP Idm

    Hello,
    Could anyone tell me what the advantages are of implementing SAP IdM with the SAP AC suite?
    Can I use the SAP GRC User Provisioning tool with the SAP HCM position-based concept?
    Thanks in advance.
    -Harry

    Hi,
    In GRC 10 there is no concept of web services. GRC 10 uses a native SQL query for calling risk analysis, which means there is no need to configure a web service in GRC 10.
    Thanks & Regards
    Asheesh

  • SAP IDM 7.0 integration with third party system

    Hi Experts,
    I know SAP IDM 7.0 can integrate with third party systems and create user IDs on most of the third party systems.
    But I need to know whether it is possible to integrate with the following systems:
    1) Microsoft Exchange 2007 (I know SAP IDM supports up to Exchange 2003)
    2) Microsoft Active Directory 2008 (I know up to Active Directory 2003)
    3) EMC Documentum 6.5
    4) ARIS 7.1.0
    5) BlackBoard, Release 9.0
    6) Oracle 10g (Is it possible to create users at Oracle level? Or at what level?)
    7) Sun Solaris Sparc (Is it possible to create users at OS level?)
    If you have information on this, please share. I know that the provisioning framework will have templates for most of the target systems. I want to know if they are available for the above systems on SAP IDM 7.0, or if not, how can we connect to them?

    Hi Matthew
    Your expertise in SAP IDM is indeed a great help!!
    >Can't see why not, it's all done via SQL commands. I've done similar things with MSSQL
    You mean that there will be Oracle 10g drivers/OLE DB connectors in SAP IDM, and through SQL commands like "create user alfredo identified by alfredos_secret;" we can create a user in the Oracle database? As you said, this should be possible. What about creating a user (user management) in an Oracle 10g application, like dba or scot, and assigning the privileges in the Oracle application?
    >might need to do via UNIX scripts, but it can be done
    You mean that Unix scripts will be defined in SAP IDM and SAP IDM will execute these scripts on the Sun Solaris Sparc? It should be possible, as you said. By the way, how will we be able to connect to the Sun Solaris Sparc? Is it via the option "file" under "Repositories" with the repositories wizard, and later executing the file from SAP IDM?
    Thank you once again for your expert answers on third party systems.

  • SAP IDM 7.0 connecting to SAP GRC 10.1

    Hi Gurus,
    I was looking into connecting SAP IDM 7.0 with SAP GRC AC 10.1 and I cannot find a suitable connector for this.
    Could any of you provide some guidance on how to make this connections.
    Thanks and Regards,
    Juan

    If I remember correctly, the 7.0 version had only the mx_provision, mx_deprovision and mx_modify tasks, so the integration would have to be built on these tasks. As there is no validate add task to hang the GRC call on, GRC would have to do the provisioning.
    The 7.0 data model is different from 7.2. I haven't studied it in detail, but I would guess there is also enough difference in the tables that store tasks/jobs etc. that the 7.2 GRC provisioning framework would not even import into 7.0. You would need to set up a 7.2 on the side to study the framework to see how to duplicate the tasks.
    VDS in the middle is another thing, as it would need to be able to communicate with your custom connector in 7.0.
    If you must stick with 7.0, maybe the GRC connector of 7.1 is worth a try. But you would probably also need an older VDS.
    Depending on the level of your existing customisations and what data from 7.0 is worth keeping, the upgrade to 7.2 is not necessarily a big thing compared to the effort of building the interim custom interface. The real question is how big and complex is your 7.0 implementation?
    regards, Tero

  • SAP IDM - GRC Integration Scenario Query

    Hello Experts
    I want to understand if the following scenario is possible or not. Or if any alternate is available. Please share your thoughts..
    Current Situation:
    SAP IDM 7.2, SP9, Patch 11, in use with SAP Provisioning Framework 2 and GRC Provisioning Framework 2
    SAP GRC Access Control 10.1
    Both systems installed, configured and connected (web service connection works well)
    Desired scenario:
    Business Roles will be requested for assignment in IDM. For each privilege that is contained in the Business Role, IDM will trigger the Risk Analysis task and GRC will perform a risk analysis (privilege grouping not yet defined).
    If the GRC risk analysis does not discover a risk, IDM will continue the assignment process of the privileges (or rather Business Role) following the approval workflow defined in IDM.
    If the GRC risk analysis discovers a risk, IDM will trigger the AC Validation task and GRC will create a validation request. This request has to be mitigated in GRC. The result will be handed over to IDM and will there be processed accordingly.
    Problem:
    In IDM only one task from the GRC Provisioning Framework 2 can be triggered when a privilege will be requested for assignment. In our case it’s the “AC Validation – Risk Analysis only” task:
    …and the “AC Validation” task:
    Using the “Risk Analysis only” task processes the pending value object right after receiving the GRC response. This prevents us from post-processing or modifying the pending value object. The assignment will directly be assigned or rejected.
    That means we can either have a risk analysis only OR we’ll have a GRC AC validation request for any privilege assignment request! This is not the foreseen scenario. We want to perform a risk analysis for each privilege assignment and, if a risk is detected in GRC, a mitigation request shall be started in GRC.
    Question:
    How can this problem be solved? Is the desired scenario feasible?
    Thanks a lot in advance.
    Regards,
    Krishna.

    Hi Krishna,
    I suppose "AC Validation – Risk Analysis only" should suffice for your requirement from the IDM side.
    IDM prepares the risk analysis request, submits the request to GRC and processes the output of the risk analysis.
    The rest is to be configured on the SAP GRC side. GRC should receive the request from IDM, perform the risk analysis, create a request for remediation and send the output of the request to IDM. Did you check with your SAP GRC consultant whether workflows and WS are correctly configured on the GRC side?
    Kind regards,
    Jai

  • SAP IDM and GRC 5.3

    Hi all,
    I'm running SAP IDM 7.0 with GRC Provisioning Framework 5.3 and GRC 5.3 with AE/CC/...
    When I test the web task from the GRC Provisioning Framework "Sample WF Create GRC User", the process launched works, but I'm facing the following problem:
    If I put 2 SAP Roles on the previous request (with no conflict the first time), I see 2 requests created as "NEW" with 1 role each. If I add 3 SAP Roles, I get 3 requests, ....
    As you can understand, I never got a conflict detected by Compliance Calibrator.
    How should I proceed to get only 1 request with all SAP Roles requested from SAP Identity Management?
    I also tried to change the Priority, Type and Employee Type request attributes directly on the task "GRC - create account user with a single privilege", but it sounds like SAP Identity Management does not send the correct value to SAP GRC 5.3.
    Thanks for your help,
    Benjamin

    Hi all,
    Due to the following notes
    https://service.sap.com/sap/support/notes/1318053
    https://service.sap.com/sap/support/notes/1168508
    I upgraded SAP GRC 5.3 to SP7 Patch 1.
    But now, when the SUBMIT REQUEST is sent to GRC from VDS, I'm facing an error that I did not get with SP5 or SP6:
    Exception from Add operation:javax.naming.NamingException: [LDAP: error code 1 - (GRC Submit Request:1:[msgcode=2010;msgdescription=SqlException occured while getting Global DueDate;msgtype=JAVA ERROR])]; remaining name 'cn=ZTEST0001,ou=submitrequest,o=grc'
    I looked at the VDS log files and VDS seems to send a correct request:
    FULL OUTPUT: {requestreason=[Sent by Netweaver IdM], request_employeetype=[EMP_IT_EXTERNAL], roledata=[MSKEYVALUE=PRIV:GRC:A:MM:C:PUR_REQ_REL____:SITE-20!!MX_ENTRYTYPE=MX_PRIVILEGE!!MXREF_MX_APPLICATION=34653!!SYSID=SID-110!!DESCRIPTION=MM-PUR: PURCHASE REQUISITIONS - ASSIGN - RELEASE - 20!!TYPE=S!!VALIDFROM=2009-04-21!!VALIDTO=9999-12-31!!ROLEID=A:MM:C:PUR_REQ_REL____:SITE-20!!DISPLAYNAME=PRIV_GRC_A:MM:C:PUR_REQ_REL____:SITE-20!!MX_REPOSITORYNAME=GRC!!MX_PRIVILEGE_TYPE=GRC!!MX_ADD_MEMBER_TASK=479!!MX_DEL_MEMBER_TASK=479], mskeyvalue=[X9393664], requestorlastname=[MyLastName], request_priority=[HIGH], isid=[1], validfrom=[2009-04-21], validto=[9999-12-31], requestorfirstname=[MyFirstName], grc_operation=[ADD], mgrid=[XMGRID], lastname=[Manag]erLastNane], requestorid=[X9393664], auditid=[9970], cn=[X9393664], request_type=[NEW_HIRE], firstname=[MyFirstname], emailaddress=[myemail'at'company.com], requestoremailaddress=[myemail'at'company.com], application=[SID-110]}
    Have any of you already faced this problem?
    Benjamin

  • SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?

    Hello IDM-experts,
    Where can my customer find information about
    SAP IDM 7.2: How to setup SSO functionality for WebUI of CRM and GRC?
    Customer situation description:
    The situation is that we are using SAP IDM 7.2. We are using a functionality to allow our users to access a webpage from where they can gain SSO access to the ABAP systems via the SAPGui. See screenshot as an example.
    Now what we want is to access the CRM and GRC WebUI with the same SSO possibility as well. We cannot find any guide/best practice on how to do this or whether it is possible via SAP IDM 7.2.
    You can see a weblink in the first screenshot but it does not work. It will ask you for a username and password, see second screenshot.
    Kind regards,
    Daniela

    Do you know how the SAP GUI SSO is set up? Is it using SNC/Kerberos?
    If it is (I suspect it is), then you will need to use a similar method of authentication for the ICF Services. These cannot use SNC since they are accessed via browser, but what you want is possible.
    Thanks
    Tim

  • Installation SAP IDM 7.1/SAP GRC Access Control 5.3

    Hello,
    I can install Access Control products with Solution Manager, Enterprise Portal... But is it possible to install Access Control 5.3 and IDM 7.1 on the same server?
    Thanks and best Regards
    Alexander

    Hi Alexander,
    SAP IDM 7.1 is still in the ramp-up state. As per the product availability matrix (PAM: https://websmp104.sap-ag.de/~form/handler?_APP=00200682500000001303&_EVENT=DISP_NEW&00200682500000002804=01200314690900001014), I am not yet sure if SAP IDM is available for 64 bit servers.
    SAP GRC AC 5.3 should be installed on a Java NetWeaver server after proper sizing. If your hardware can support the sizing for both GRC AC 5.3 and SAP IDM 7.1, then you can install both on it. Usually NetWeaver 7.0 SP12 will be on a 64 bit system.
    You can get GRC AC 5.3 sizing information from http://service.sap.com/~form/sapnet?_SHORTKEY=00200797470000071612&_SCENARIO=01100035870000000112&_OBJECT=011000358700000435122007E

  • SAP IDM - SPML integration

    Hi,
    I was trying to integrate SAP IDM with SPML using VDS.
    While configuring VDS for SPML request I am getting an error as follows.
    "Exception: Could not load external 'attrClass' or one of its referenced classes"
    I am getting this error while starting the identity service in VDS.
    The configuration guide does not talk about adding any other jar/class files.
    Any help in this regard is highly appreciated.
    Thanks in advance.
    Regards
    Sunil

    I know that this thread is old, but when deploying the IdM Identity Service in conjunction with GRC 10 WebServices (for the CallBack Service functionality), you can't just disable the attribute and continue; you must fix it or else you will not be able to deploy the .ear file needed to further deploy to Java (I'll go into detail on this in another post).
    The way I got past this error was to go to Tools -> Options (in VDS) and update the Java settings to use the Java version I have installed (or as close as I could). I set VDS to use a specified compiler (the same compiler for my version of Java - in the same BIN folder), then ensured the classpath was updated with all the classpaths listed in the error (I added them to the Windows CLASSPATH environment variable also):
    The service compiled and started without issue and I was able to deploy the .ear file out of VDS for Java.
    -ALJ

  • SAP IDM 7.1 Role assignment issue

    Hello IDM Experts,
    I am facing one critical issue here. We have connected SAP GRC with SAP IDM for risk analysis and CUP approvals, and once the approvers have approved the requests, IDM assigns these approved roles to users in the backend SAP systems.
    We have been facing this issue for the past month. We never faced it before.
    The issue is that when the roles are approved in GRC-CUP AC 5.3, after the approvals IDM pulls the data and some of the roles are not assigned in the SAP backend systems. On the 1st and 2nd attempt the role is not assigned, but sometimes on the 3rd attempt it is assigned. This is the first time we have come across this kind of weird behavior. Has anyone come across such issues before?
    What could be the possible reason for the roles not getting assigned in the SAP backend system from IDM?
    We checked everything, from dispatchers, connectors, workflow, SQL logs and job logs, but we are unable to figure out the reason for this issue.
    Do we need to restart the dispatcher, or is there any issue with cache memory?
    Can anyone help here to resolve this high priority issue?
    Thanks in advance!

    IDM Experts,
    Can I get a response on this topic from the experts?
    Will restarting the dispatchers help in this situation? Is this related to a housekeeping issue of the dispatcher?
    Why are some roles from IDM not getting assigned in the SAP backend system? Also, it is getting rejected the 1st and 2nd time and during the 3rd time it is getting approved. Please advise.
    Regards
    Malini Rao

  • Webservice URI of SAP IdM 7.0 SP2

    Hi,
    I am trying to connect GRC AC CUP to SAP IdM 7.0 SP2, and for that I was trying to get the web service URI for IdM. Where do we get the web service URI of IdM?
    Cheers!!
    Zaheer

    Hi Zaheer/Sunil
    >Once you have done that, you need to create an .ear file
    Can you explain how we can create this ear file? Is there any guide or documentation which describes these steps?
    >I deployed the EAR file generated by VDS (IdentityService.xml) configuration on a SAP WAS server
    How can we get this IdentityService.xml and how can we generate the EAR file from VDS? Can you share any guides or documentation?
    Regards
    Sahad

  • ActiveDirectory - SAP IDM integration in Identity Life cycle Management

    Hi Experts
    In our landscape SAP HCM is supposed to be the leading data source and SAP IDM takes identity information from SAP HCM. From SAP IDM it will provision into Active Directory and other third party systems and SAP systems.
    Here are the questions:
    1) How can we leverage the investment in Active Directory after the SAP IDM - Active Directory investment? I mean, after SAP IDM comes to a landscape, Active Directory will only be used to log in to the domain and for authentication if Active Directory has been set as the user data source for the Java system. What are the other advantages of Active Directory - SAP IDM integration, as Active Directory will not be the leading data source and identity information will be in the identity store?
    2) After the user details are taken from the SAP HCM system, will the user record be created in SAP IDM in the identity store? Is that where we actually assign the SAP IDM business role and the related technical role to the user?
    3) Suppose we assign a business role "employee": will IDM actually create the user ID in all target systems and assign all the technical roles? Or do we have to manually select each repository for the target system in Identity Center and select the privileges and provision it? Will there be any automated feature so that after assigning the business role to the identity in the identity store, users and roles get automatically provisioned on all the target systems?
    Thank you in advance for your help.

    Hi Matt,
    Thank you very much.
    The only change we have is that before approval it should go to GRC AC to check all the compliance, and only after that is it approved and it should come back to SAP IDM.
    I am actually looking for a tutorial which shows how you assign a business role and the whole procedure of SAP IDM automatically provisioning to target systems which you have just explained. I suppose there is no such exact tutorial and I want to know how we can configure this in SAP IDM. Any specific clues?
    Also, I am describing the exact steps that will follow. Correct me if I am wrong.
    1) The user ID will be created in AD with the same user name and password as in the identity store. It will be assigned AD groups.
    2) Create the same user in the Portal, make AD the user data source and assign the technical Portal role as per the business role definition.
    3) Create the same user in all ABAP systems, set the ABAP database as user data source and assign the technical role needed as per the business role definition.
    4) Create the same user in third party systems, with the privileges on their target systems as per the business role definition.
    With this, provisioning stops. I suppose all the above steps will be automatically done by SAP IDM with no manual interaction required after final approval. Correct me if I am wrong.
    So some other information I wanted is:
    1) When you assign a business role in the workflow, how exactly does SAP IDM know about the target systems in which the user should be created, assigned roles, and which should be made their authentication source?
    E.g. a business role "employee" should get access to ERP with role X, AD with group Y, Portal with role Z. So when the business role employee is assigned in the workflow, how will SAP IDM know that the user should be created in ERP with role X, AD with group Y, Portal with role Z? Can you explain technically, along with detailed steps? Or how exactly do we configure a business role which knows the target systems and their technical roles?
    Thank you once again for the fabulous help. You/Matthew are a tremendous help in understanding SAP IDM better.

  • SAP IDM or CUA

    Hello Gurus,
    We have GRC 10 implementation project going on, there are like 5 systems which we proposed to be added to CUA and then connected to GRC for role provisioning.
    We have some confusion as to whether to go for IDM to manage the accounts centrally or to choose CUA.
    Please can you advise whether CUA or IDM is beneficial.
    Regards,
    Pooja Saste

    Hello Pooja,
    My personal suggestion is to use IDM.
    Even our own SAP IT moved from CUA to IDM for several reasons - easy maintenance, better provisioning and simplified maintenance.
    IDM 7.2 comes with a GRC integration framework that works like a charm and many other connectors for both SAP and non-SAP systems, so it would be easier for you if you have to integrate with another system in the future.
    Regards
    Todor

  • SAP IDM vs Microsoft Forefront Client(FIM)

    Hi experts,
    Actually my company (Big Company) is planning to implement a tool for Identity Management, but there are a couple of options which we are thinking of considering; in particular the last 2 options are SAP IDM and Microsoft Forefront (FIM)... But I am not able to find enough information or comparison points that will help me in convincing my senior management to finally say yes to one of these tools.
    I would really appreciate a quick response, if someone can explain the comparison points between these 2 tools.
    Thanks
    SAP_Enthu

    Hi All,
    Just to add to my previous question: we currently have MS Active Directory already and, as per plan, are implementing SAP in almost all areas enterprise wide with GRC. So with this background, I would appreciate the advantages and disadvantages of SAP IDM 7.1 (might use 7.2 if it comes within the next 3 months as planned) versus MS Forefront IDM (FIM 2010) from a technical, functional, architectural and economic point of view.
    This will help in selecting the best tool among them.
    Thanks
    SAP_Enthu
