Tivoli IDM Integration with GRC 10

Similar Messages

• Oracle IAM integration with GRC 10

  Hi All,
  Our client is using Oracle IAM for user provisioning process. Now they have SAP GRC being implemented for two of their SAP systems. Now client wants to integrate SAP GRC Access Risks analysis (ARA) for SOD analysis and User Access Management(UAM) for user provisioning modules of SAP GRC 10 with Oracle IAM.
  As far as i know, webservices needs to be activated in GRC 10 and has done that. Now i want to know how Oracle IAM communicates with GRC 10. How connectors needs to be developed, User account to be created for web service access and how the parameters are passed from oracle to grc.
  Also how many different scenarios are there in oracle IAM for this integration?
  In SAP IDM vs SAP GRC integration we have 2 scenarios.
  1. Request raised in IDM -> SOD analysis in GRC -> Provisioning in GRC -> Return success/failure status back to IDM
  2. Request raised in IDM -> SOD analysis in GRC -> Return SOD success/failure status back to IDM -> Provisioning in IDM
  So can anyone help with possible scenarios for this integration process??

  Hi vikas and Frank,
  Do you have any information related on How to enable the webservices in the GRC 10 (does NWBC holds the key). if you have any information related to it  please share it with me.
  Thanks and regards,
  keerthi

• SUN idM integrate with GRC AC

  There are documents available for best practice on provisioning using CUP by integrating SUN idM with GRC AC...I have not found any document on best practice for deprovisioning when some one leaves organization...
  Is there any one who has worked on the same or are there any best practice guide on how it can be implemented...What should be architecture or data flow?
  Regards,
  Milan

  Hi Milan,
  here is the document you need:
  http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/e0b2e5c5-fa62-2c10-9687-ff98bc0b99f8
  Best,
  Frank

• SAP IDM Integration with LDAP VS Rest.

  Hi,
  I'm looking for an best approach through I can integrate my custom application with SAP IDM 7.2. I have read couple of article and found IDM is based on VDS and allow LDAP as well as Restful web services.
  Would like to know the best approach.
  Here what I want to achieve:
  1. Dynamic Schema detection for User, Role and Employee
  2. Get all User List and there corresponding Role.
  3. Password Reset/Set/Change
  Thanks
  Shital

  Hi Nits,
  This guide presents the official SAP Connectors for IdM. SAP and 3rd-party.
  It seems that are no official connector for ADOBE CQ and HYBRIS.
  But you can build you own connector. (JDBC, WebServices, LDAP)
  Using the same concept as the SAP Standard connectors, Folders (Aplication Actions, Plugins) HOOK Tasks.
  It will depended in what integration layer this solutions offer.

• IDM connected with GRC

  Hi All,
  Would like to check a question with you. As I know SAP IDM can be connected with SAP GRC for risk analysis during user request. Does anyone know if there are any other IDM solutions (other than SAP IDM) which can be connected with SAP GRC and do risk analysis during user request?
  Thanks in advance.
  Benny Ren

  Hi Ankur,
  Thanks for your reply. As I understand the GRC adapter in ITIM works only with SAP resource (please correct me if I am wrong) and not any other ERP or non-ERP resource. Is there any way so that I can directly use webservices with ITIM without using ITIM adapter.
  Hi Frank,
  If I can integrate the webservice directly with ITIM, then what I can do is using the risk analysis find out what are the roles which violates the SoD. If web services can return that, then I can use the following steps:
  - Create a Life cycle rule to find all the violations.
  - Once violations are identified then send an approval for the violations.
  - If this are approved, then the role can remain with the person.
  - If rejected then the role will be removed through the life cycle it self.
  Please let me know if what I think can be done and is feasible.
  Thanks to all for your replies.
  Regards,
  Ashish Choudhary

• Level of IDM integration with SAP

  Hello.
  I'd like to know the amount of integration IDM can have with a SAP ERP system. Specifically, (SAP) role assignment. Can you provision users with their SAP roles from the IDM?
  I'm also curious as to whether you can control User organizations with IDM in a similar way as an LDAP resource. With the available creation and edition of the resource objects.
  I know that it's possible to provision permissions to Users in the resource, along with password changes and so.
  Is there any identity based operation that can't be done from IDM?
  thanks for your time.
  Jorge Garrido
  Message was edited by: jgarrido
  jgarrido

  Hi Frank,
  Thnx for the useful doc, can you share also the step by step document which can be used for user provisioning in IDM.
  Basically I need a doc which talks about the following steps :
  1.  Insert a user with the correct roles(s) into one of the SAP Development boxes from IDM.  (I found out yesterday the Portal handles users a bit differently - I think we should include the portal and one of the other systems too).  The insertion of the user should be triggered through the Active Directory web interface.
  2.  Change the user roles through IDM.
  3.  Delete the user roles through IDM.
  4.  Have the user login to the SAP system with said account and test aforementioned roles.
  Lemme know
  Appreciate your prompt response

• Oracle IdM integration with Microsoft ILM 2007/FIM 2010

  We currently have ILM 2007 in our environment with limited usage at the moment. We are looking at purchasing Oracle Identity Manager to implement an enterprise wide IAM solution.
  We were wondering if it is possible to continue using ILM like a middleware between our AD forests and the Oracle IdM. Where the Oracle IdM is the overarching IAM solution and Microsoft ILM 2007/FIM 2010 is like the metadirectory for our AD forests.
  Is this possible without installing the Oracle Management Connector on any of our DCs and using ILM as the directory that Oracle IdM connects to. All AD account provisioning/de-provisioning, acct updates, password sync/reset will be initiated from the Oracle IdM to ILM and then implemented on AD. In order words no direct interaction with AD domain controllers from Oracle IdM, everything will go to ILM and ILM in turn applies it to AD.
  Is this possible?
  Is there a custom connector that will work with ILM 2007/FIM 2010
  Is this a simple customization or something that can be problematic and expensive?
  Any feedback is much appreciated
  Thanks

  user1106726 wrote:
  We currently have ILM 2007 in our environment with limited usage at the moment. We are looking at purchasing Oracle Identity Manager to implement an enterprise wide IAM solution.
  We were wondering if it is possible to continue using ILM like a middleware between our AD forests and the Oracle IdM. Where the Oracle IdM is the overarching IAM solution and Microsoft ILM 2007/FIM 2010 is like the metadirectory for our AD forests.
  Is this possible without installing the Oracle Management Connector on any of our DCs and using ILM as the directory that Oracle IdM connects to. All AD account provisioning/de-provisioning, acct updates, password sync/reset will be initiated from the Oracle IdM to ILM and then implemented on AD. In order words no direct interaction with AD domain controllers from Oracle IdM, everything will go to ILM and ILM in turn applies it to AD.
  Is this possible?yes
  >
  Is there a custom connector that will work with ILM 2007/FIM 2010Yes, if you write one you will have a custom connector
  >
  Is this a simple customization or something that can be problematic and expensive?It won't be simple. Problematic and expensive maybe, depends on how good you are with OIM and ILM

• Reg_GRC 10.0 Integration with backend systems

  Hi Everyone,
  Could you please help me to find out  which all of the below products can be integrated with GRC 10.0 Access control.
  Click  Schedule
  PI System
  BOBJ - CMS
  BOBJ-DS-CMS
  SAP Mobile Platform - Derby
  Afaria
  ADP
  ARIS Cloud
  SOLMON
  Adobe Live Cycle
  SAP Mobile Platform - Agentry
  Click Plan
  Click Roster
  Success Factors - LMS
  Success Factors - EC
  Success Factors - Talent Management
  Success Factors - Performance Management
  Benefitfocus
  BOOMI
  KNOA
  SAP Central Process Scheduling by Redwood
  SAP Extended Diagnostics by CA Wily
  SAP Quality Center by HP, enterprise edition, bundle
  SAP Test Acceleration and Optimization
  SAP NetWeaver Landscape Virtualization Mgmt enterprise
  Thanks and Regards,
  Naga.

  Hi Hemant
  SAP has made a lot of the transport functionality in GRC10. I find that they hereby created a huge expectation with the customer, that in fact is not true.
  For instance Exclusion Objects and Mitigation Controls are NOT transported. What about Organizations? Critical Roles and Profiles are also not transportable.
  As for the Connectors - system specific parameters are transported. Therefore you end up having to delete the DEV and QA connectors in the PRD GRC system.
  On this question, has anyone used CLM yet? It seems that only Functions and Risks will be extracted to CLM and then deployed in the other system (DEV to QA for example). Does CLM even work?
  SAP provide not guidance on all of these important issues. I agree that it is about time that SAP takes some leadership and produce a proper best practise guide for this software. By the way, an offical sizing document from SAP is still to be delivered.
  Thanks
  Will

• GRC-IDM Integration: missing web-service?

  Hi Experts,
  I have been loading the GRC provisioning framework for SAP Netweaver IDM, as well as the VDS configuration file (in the templates available, I used SAP Netweaver > GRC Access Control 5.3 SP2). The integration is working fine and IDM is correctly communicating with CUP (I can create requests through IDM, and once the request is approved in CUP, the status is updated in IDM).
  However, in IDM when the GRC Provisioning framework gets a status "OK" from CUP, it triggers another task called "read provisioning log" (I am assuming that this is to retrieve the list of approved roles from CUP). This request gives me a fata error:
  uLDAPGetEntry got exception
  javax.naming.NameNotFoundException: [LDAP: error code 32 -
  Couldn't perform DN to Data source mapping]; remaining name '
  After some investigations, I noticed that the GRC repository has a constant for the provisioning log web service called VDS2GRC_BRANCH_PROVISIONINGLOG (also described in the GRC integration configuration guide). Default value is ou=provisioninglog. When looking at the VDS, there is NO virtual tree for ou=provisioninglog ... so I am assuming this is the reason why the task fails.
  Does anybody went through this already? Is there a procedure for creating this missing VDS entry or does VDS 7.1 SP3 solves this issue? FYI, I am using Netweaver IDM 7.1 SP2 with the same version of the VDS. The GRC provisioning framework is the one currently available on SDN.
  Any idea would be appreciated!
  Kind regards,
  Jean-Christophe

  Hi ,
  After further investigation and testing, it appears that VDS 7.1 SP3 comes with the correct set of Data sources and web services, therefore solving this integration issue.
  Actually, we were facing other technical limitations due to the fact that the latest version of the GRC provisioning framework (available on the SDN) only works if we use VDS 7.1 SP3. For example, the attribute GRC_REQUEST_ID (used in the IDM task for tracking the CUP request ID) was not correctly updated in IDM.
  Updating the others components from SP2 to SP3 (IC, RT, webdynpro, etc) was not necessary for us to make this provisioning log web-service work, although I think it is better to keep a consistent patch level accross the components.
  Kind regards,
  JC

• GRC -IdM integration (HCM IdM GRC IdM)

  Hi IdM & GRC Gurus,
  We want to implement a scenario where IdM (7.1) gets user data from HCM, followed by Workflow and SoD analysis in GRC (5.3) and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM), however I donu2019t see any documentation for this exact scenario. If SAP's direction is for IdM being provisioning solution and not GRC (CUP), the above scenario should be implemented. SAP documentation "SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF" is similar but here GRC (CUP) is doing the final provisioning.
  I have following questions
  1     Which Framework should be imported in IdM to implement IdM - GRC integration, where IdM gets user data from HCM, followed by Workflow and SoD analysis in GRC and Finally IdM performing the Provisioning (HCM > IdM > GRC > IdM)?
  2     GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) that is available on SDN, is based on HCM to IdM followed by GRC conducting SoD analysis and provisioning. Can the same framework be used for a scenario where IdM does the provisioning in the last step (same as question 1)?
  3     "If answer to question 2 is yes? What are the changes/customization required to GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc)? As per the limitations (page 37) mentioned in the document SAP IdM Compliant Provisioning using GRC Access Control Configuration Guide. PDF, ""It is not possible to only carry out a check for Segregation of Duties, without having the
  request provisioned to the GRC Access Control back-ends. It means that the Identity Center
  cannot just ask if a certain entitlement assignment is valid.
  If the request is approved, the accounts and role assignments will always be performed in
  the GRC Access Control back-end systems."" If this is true, how can we impliment HCM > IdM > GRC > IdM (IdM doing provisioning in the end)?"
  4     If GRC Provisioning Framework (GRC 53 Provisioning Framework_Folder.mcc) is implemented along with HCM framework (SAP Provisioning Framework_Folder.mcc) and HCM_Staging_Area_Identity store.mcc, which Identity Store should GRC Provisioning Framework be imported (HCM_Staging_Area OR SAP_Master)?
  Regards,
  Anurag

  Hi Joel,
  within the VDS you create a local user ('HR_USER') and you choose some password. Later while configuring the HCM system you use these credentials to define the connection from HCM to the VDS.
  Kind regards
  Frank

• SAP GRC - SAP IDM integration

  Hello,
  may I ask you how SAP GRC Access Control can be integrated with Identity Management?
  I would like a description of the model and to understand if CUP, ERM, RAR are all mandatory components to do the integration (it's not clear to me if only CUP should be use to integrate IDM).
  Thank you to all
  Daniela

  Hi Daniela,
  there are two basic options of integrating Netweaver Identity Management and SAP BusinessOBjects Access Control:
  - CUP can call IdM to provision roles to non-SAP systems through IdM
  - IdM can call CUP to hand over a request (or parts of it) for SoD and critical transaction checks
  As a third option, I have seen customers using both tools in parallel, provisioning users and master data through IdM and assigning SAP authorizations through CUP/RAR.
  The best kind of integration for your scenario is something that depends on your requirements and your desired processes. Technically you can do a lot, but it makes sense to invest the effort to find out what the best option is in your exact case.
  Kind regards,
  Frank.

• Integrating BOBJ XI 3.1 with GRC AC 5.3

  Hi all
  Has anyone worked on integrating BOBJ with GRC Access Control 5.3.
  We have been using GRC CUP for access provisioning all the SAP (ECC, BI, Portal) systems. Now, we have integrated SAP Business Objects Enterprise XI 3.1 with our SAP BW system.
  We are looking to provision the BOBJ groups to users when they request BI roles. Has any one done this integration or do you have any documentation on this topic?
  Appreciate your response.
  Thanks
  Kee

  Hi Kee,
  AC 5.3 CUP can only provision ABAP roles and via the portal RTA UME and portal roles.
  Best,
  Frank

• Solution Manager Integration with Tivoli and TSRM

  Hi,
  Has anyone done an integration of SAP Solution manager with Tivoli or TSRM. Solution Manager can perform the same capabilities of Tivoli or TSRM of monitoring and Service desk. However we want to use the best of both. I would appreciate if if someone can share thier thoughts on this.
  Regards
  Jasvinder

  Hi,
  Heres a good news for you.
  IBM Tivoli Service Request Manager version 7.1 software has now SAP-certified for integration with SAP Solution Manager 7.0 via the service desk interface scenario (SMG-SDI 4.0).
  [The News|http://www.cbronline.com/news/ibm_launches_new_service_to_help_automate_it_service_desk_operations_091013]
  To Inegrate refer [this guide.|http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/e3eeb4a8-0b01-0010-bd99-f4a700a49d32]
  Hope this will solve your problem.
  Feel free to revert back.
  -=-Ragu

• GRC integration with LMS

  Hi,
  My new project is about to begin and came to know that it's about GRC integration with Learning Management System (LMS). I want to make ready before this project starts and searched for integration documents but i couldn't.
  Could anyone help me.
  Thanks
  Ashok

  Hi Prevo,
  SAP Business One is Netweaver application. Application like SRM, CRM which sits on ABAP as well as in Java stack also, are part of netweaver.
  Access control is web based application which can integrates with applications which sits on ABAP & Java both.
  As per your clients requirement you can deploy Access Control.
  Regards,
  Mohit
  Edited by: mohit shrivastava on Sep 9, 2009 6:31 PM

• FA with IDM (integration) flow solution

  hi all,
       I just would like to share with you guys this post that is very helpful if you are looking to integrate your current IDM enterprise with Oracle FA(+IDM soultion inside of it):
  http://thiagoleoncio.blogspot.com/2014/05/how-oracle-fusion-apps-works-with-idm.html
  I hope this helps you on your own solution.
  thx and have a great day,
  Thiago Leoncio.

  Hi vikas and Frank,
  Do you have any information related on How to enable the webservices in the GRC 10 (does NWBC holds the key). if you have any information related to it  please share it with me.
  Thanks and regards,
  keerthi