
IDM connected with GRC

Former Member
0 Kudos

Hi All,

Would like to check a question with you. As I know SAP IDM can be connected with SAP GRC for risk analysis during user request. Does anyone know if there are any other IDM solutions (other than SAP IDM) which can be connected with SAP GRC and do risk analysis during user request?

Thanks in advance.

Benny Ren

Accepted Solutions (1)


Former Member
0 Kudos

Bin,

You can use SUN IdM and ITIM (IBM Tivoli) out of the box with SAP GRC Access Control. For other IdM solutions also, you can write code to consume webservices available from Access Control.

Alpesh

Former Member
0 Kudos

Dear Alpesh,

Thanks very much for the update. Something more to check with you.

As you know SAP IDM can use SAP GRC to facilitate preventive control, which means the SOD check can be done before the authorizations are provisioned to the target system.

Do you know if Sun IDM and ITIM can also fulfill the same preventive control?

Benny Ren

koehntopp
Product and Topic Expert
0 Kudos

CUP offers a set of web services for integration with identity management systems.

Potentially, all IdM systems can provide the same level of integration. You'd have to ask the other vendors individually how well they have done this.

The exact method of integration may differ, there are many different scenarios possible. For example, you need to define if you want to initiate requests in IdM or CUP - at least with SAP IdM, both ways are possible and can even be combined.

Frank.

Former Member
0 Kudos

Ben,

I have integrated AC with SUN IdM and ITIM and they offer similar functionalities as SAP NW IdM. They both can proactively check SoD violations. Other vendors can also do the same by writing code to consume the webservices available with GRC AC.

Alpesh

Former Member
0 Kudos

Dear Alpesh,

Thanks very much.

Benny Ren

Former Member
0 Kudos

Hi All,

I would like to integrate SAP GRC with ITIM for SoD evaluations. However, am not able to find any correct documentation on how this can be done. I read that ITIM supports this out of the box but could not get help on how this can be achieved.

Any pointers from you will be really very helpful. Am completely new to this and looking for your help.

Thanks and Regards,

Ashish Choudhary

former_member366047
Contributor
0 Kudos

Ashish,

If you are completely new with this, you have to gain an understanding on how webservices work. If you have ITIM installed in your landscape, then you will have to connect to AC via webservices available from AC.

We have an IdM overview guide that can point you to the right direction, which can be found here:

http://www.sdn.sap.com/irj/bpx/index?rid=/library/uuid/20bfb824-ea45-2c10-b093-bd097a579793

Thanks!

Ankur

SAP GRC RIG

Former Member
0 Kudos

Hi Ankur,

I have good knowledge of ITIM and basic of web services. For web services I understand that we will need some WSDL file for the communication and all.

However, need to know if there is specific document which gives details about integration of SAP GRC for SoD Violations and ITIM.

Please share any information that you have. Will be really helpful for me to move forward on this.

Thanks for your reply.

Regards,

Ashish Choudhary

former_member366047
Contributor
0 Kudos

Ashish,

You will find more detailed web service information in the AC5.3 Config Guide, including the SAPGRC_AC_IDM_RISKANALYSIS web service. The premise is the same with all IdM's. You will have to install an AC adapter for the integration on ITIM itself.

Thanks!

Ankur

SAP GRC RIG

koehntopp
Product and Topic Expert
0 Kudos

Ashish,

you will find that the best way of integration is via the CUP web services. Calling a risk analysis directly will give you a result, but no way of reacting to it.

When one of your planned authorization changes runs into SoD issues, what you need is

- a way to display the information (what kind of risk, what's the root cause)

- a way to simulate alternatives, including taking away existing authorizations

- finding and assigning mitigating controls

What's your plan to do this - how are you going to deal with the Risk Analysis data in ITIM?

Frank.

Former Member
0 Kudos

Hi Ankur,

Thanks for your reply. As I understand the GRC adapter in ITIM works only with SAP resource (please correct me if I am wrong) and not any other ERP or non-ERP resource. Is there any way so that I can directly use webservices with ITIM without using ITIM adapter?

Hi Frank,

If I can integrate the webservice directly with ITIM, then what I can do is using the risk analysis find out what are the roles which violate the SoD. If web services can return that, then I can use the following steps:

- Create a Life cycle rule to find all the violations.

- Once violations are identified then send an approval for the violations.

- If these are approved, then the role can remain with the person.

- If rejected then the role will be removed through the life cycle itself.

Please let me know if what I think can be done and is feasible.

Thanks to all for your replies.

Regards,

Ashish Choudhary
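
An added example, not part of the original thread and not SAP, ITIM or GRC Access Control code: a local Python model of the preventive SoD check discussed in the posts above, covering the risk and its root cause, simulated alternatives that take away existing roles, mitigating controls, and the route to approval. The role names, function names, rule IDs and control ID are constructed assumptions, and the code calls no GRC web service.

```python
from itertools import combinations

# Constructed sample data (assumptions, not taken from any GRC rule set).
ROLE_FUNCTIONS = {
    "AP_CLERK": {"CREATE_VENDOR"},
    "AP_PAYMENTS": {"POST_PAYMENT"},
    "GL_ACCOUNTANT": {"POST_JOURNAL"},
    "GL_APPROVER": {"APPROVE_JOURNAL"},
}
SOD_RULES = {  # risk id -> (conflicting function pair, description)
    "R001": (("CREATE_VENDOR", "POST_PAYMENT"), "Create vendor and pay it"),
    "R002": (("POST_JOURNAL", "APPROVE_JOURNAL"), "Post and approve own journal"),
}
MITIGATING_CONTROLS = {"R002": "MC-07 monthly journal review"}  # R001 has none


def analyze(roles):
    """Return one finding per SoD rule that the given role set violates."""
    findings = []
    for risk_id, ((f1, f2), desc) in sorted(SOD_RULES.items()):
        by_f1 = sorted(r for r in roles if f1 in ROLE_FUNCTIONS.get(r, ()))
        by_f2 = sorted(r for r in roles if f2 in ROLE_FUNCTIONS.get(r, ()))
        if by_f1 and by_f2:
            findings.append({"risk": risk_id, "description": desc,
                             "root_cause": sorted(set(by_f1 + by_f2)),
                             "mitigation": MITIGATING_CONTROLS.get(risk_id)})
    return findings


def simulate_alternatives(existing, requested):
    """Smallest sets of existing roles whose removal makes the request clean."""
    existing, requested = set(existing), set(requested)
    for size in range(len(existing) + 1):
        hits = [set(drop) for drop in combinations(sorted(existing), size)
                if not analyze((existing - set(drop)) | requested)]
        if hits:
            return hits
    return []  # the requested roles conflict among themselves


def preventive_check(existing, requested):
    """Decide before provisioning: provision, or route to approval."""
    findings = analyze(set(existing) | set(requested))
    if not findings:
        return {"decision": "PROVISION", "findings": [], "alternatives": []}
    unmitigated = [f["risk"] for f in findings if f["mitigation"] is None]
    return {"decision": "APPROVAL_REQUIRED", "findings": findings,
            "unmitigated": unmitigated,
            "alternatives": simulate_alternatives(existing, requested)}
```
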

Former Member
0 Kudos

Hi,

Can anyone please reply on this? Am stuck with this.

koehntopp
Product and Topic Expert
0 Kudos

Hi Ashish,

there is no openly published web service for risk analysis in RAR. The ones you see are internal and subject to change without notice.

The documented way is to go via CUP; only there will you also have the GUI to deal with the result of SoD analysis. Going to RAR directly is a dead end.

Frank.

Former Member
0 Kudos

Hi Frank,

Thanks for the reply! What I want to do is, query the SAP GRC for SoD compliance (through some java code or web services call) and get the result for the SoD compliance. Then, based on result take the action.

Will this be possible through CUP? If yes, can you please point me to some documentation link.

Thanks and Regards,

Ashish Choudhary

koehntopp
Product and Topic Expert
0 Kudos

Hi Ashish,

please have a look at the GRC AC 5.3 Configuration guide. It has a list of available web services that you can use.

Frank.

Former Member
0 Kudos

Hi Frank,

Is the configuration guide available on internet or a license is required for configuration guide as well? Do you have any idea on this?

Regards,

Ashish

former_member366047
Contributor
0 Kudos

Ashish,

Please take a look at my post earlier in this thread. The config guide is available in SMP and you will need a S number to access SMP.

Thanks!

Ankur

SAP GRC RIG

Former Member
0 Kudos

Hi Ashish (and others),

I have exactly the same requirement in my project, where I need to query GRC from ITIM to find out about any SoD conflicts.

Based on the GRC response, we have different routes to take in ITIM workflow.

The SoD analysis is required in ITIM at a step when supplemental access is requested for a user in ITIM, and before completing the request, ITIM would query the GRC by calling GRC's CUP Web Service.

I have gone through the Config Guide also, but could not find enough useful information for my requirement.

If you were able to achieve the above and/or have more information which you can share, that will be highly appreciated.

As my requirement, I just need to query (analyse) the GRC and will not submit any modification request.

Thanks in advance.

Regards,

Saurabh

Answers (0)