cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

IdM 7.2 and GRC 10 - Deprovisioning question

Go to solution
santosh_krishnan2
Participant

on ‎06-20-2013 5:28 PM

0 Kudos

I have reviewed the integration guide, and clearly, there is an integration scenario where you can  have the user creation request originate on IdM, and then have IdM provision some roles, and GRC 10 provision the rest of the roles.  Per that guide, this is not the preferred scenario.  However, my client wants to do that.

The question is, once GRC 10 has provisioned roles, can IdM deprovision them?  In other words, will there be an issue when a user changes positions with the company and IdM is used to change entitlements?

I think not, but I'm having a hard time finding documentation showing that IdM can remove all current role assignments.

Please let me know.

Thanks,
Santosh

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎06-24-2013 9:53 PM
0 Kudos

Hi Santosh,

It depends a little bit on the system you are managing, but assuming it is an ABAP stack, as part of your IdM deprovision you can get IdM to remove all roles, including the ones it doesn't know about. However the challenge will be tidying up the data inside GRC, as GRC would still think the user has the roles it assigned.

In short, I would try again to persuade your customer IdM should do all the provisioning.

Cheers,

Ian

Show replies
Show replies
former_member2987
Active Contributor
‎06-27-2013 4:26 PM
0 Kudos

Ian,

I believe this will work for Java based systems as well.  And I agree that IDM should be the system to do the deprovisioning.  In my experience it is best to let IDM handle the provisioning and deprovisioning and just rely on GRC to make the decisions that happen in between regarding role provisioning and access.

Matt

Answers (0)

Ask a Question