on 06-20-2013 5:28 PM
I have reviewed the integration guide, and clearly, there is an integration scenario where you can have the user creation request originate on IdM, and then have IdM provision some roles, and GRC 10 provision the rest of the roles. Per that guide, this is not the preferred scenario. However, my client wants to do that.
The question is, once GRC 10 has provisioned roles, can IdM deprovision them? In other words, will there be an issue when a user changes positions with the company and IdM is used to change entitlements?
I think not, but I'm having a hard time finding documentation showing that IdM can remove all current role assignments.
Please let me know.
Thanks,
Santosh
Hi Santosh,
It depends a little bit on the system you are managing, but assuming it is an ABAP stack, as part of your IdM deprovision you can get IdM to remove all roles, including the ones it doesn't know about. However, the challenge will be tidying up the data inside GRC, as GRC would still think the user has the roles it assigned.
In short, I would try again to persuade your customer that IdM should do all the provisioning.
Cheers,
Ian
Ian,
I believe this will work for Java-based systems as well. And I agree that IDM should be the system to do the deprovisioning. In my experience, it is best to let IDM handle the provisioning and deprovisioning and just rely on GRC to make the decisions that happen in between regarding role provisioning and access.
Matt