
IDM - GRC Integration

madhusap
Active Contributor

Hi All,

My client is looking for IDM - GRC 10 integration. I have the following workflows already set up in GRC 10 with proper approval stages, and the workflows are working fine.

  • Create User Account
  • Change User Account
  • Terminate User Account
  • Lock/Unlock User Account
  • Emergency User Access Request

Now if we integrate with an IDM solution, first I will be activating the web services in GRC and they would be used by IDM. My doubt is: will whatever workflows are working now in GRC work the same way [meaning the workflows follow all the stages and approvals defined as of now] even if the request gets initiated from IDM, or do I need to make any changes to the existing workflow scenarios in GRC for integrating with IDM?

GRC users will raise a GRC request by selecting details from the access request form, and based on that it will go to the available workflows. Will there be a mapping between IDM and AC fields so that requests go to the workflow scenarios already defined in GRC even though the request gets initiated from IDM?

InitiateRequest in IDM -> Passes Request Parameters to GRC Webservice -> GRC web service processes and sends back the response [Success/Failure]

Regards,

Madhu.

Accepted Solutions (1)


Former Member
0 Kudos

Hi Madhu,

If you are looking at integrating SAP IDM with GRC, there is a standard provisioning framework which you can use. In order to know how to configure this, refer to the corresponding configuration guide here and also the documents/blogs mentioned by Matt in his reply post.

If you are using any other Identity Management solution other than SAP, then it depends on how you are going to design your integration framework.

In a nutshell, it's like what you have mentioned.

Initiate Request in IDM -> Passes Request Parameters to GRC Webservice -> GRC web service processes and sends back the response [Success/Failure]

But it's up to you to decide how to initiate the request from your IDM solution and how to handle the complete Access Control process. Say in SAP IDM, when integrated with GRC, a role assignment request is submitted in IDM, SAP IDM sets a pending value on the request, then triggers the GRC provisioning framework, which, using the Virtual Directory Server, communicates with SAP GRC and submits the request for risk analysis. Once the risk analysis request is submitted, based on the result handling (event based/polling) configuration, SAP IDM receives the status/response of the request.

Based on the response received SAP IDM applies the pending on the assignment, after which the SAP Provisioning framework does the provisioning.

The above scenario I am explaining is based on the Centralized provisioning configuration where only the risk analysis is done on  the GRC side.

So, in the case of other Identity Management products, I am not sure how the provisioning framework is built and how the requests are held in pending state till the response is received from SAP GRC after the request is submitted.

Probably you need to discuss with your IDM guys and understand how it works in Identity Management product you are using. Some sort of custom connectors / customization is required on the IDM product side.

I would suggest the following way.

1. Submit the role assignment from IDM.

2. IDM checks whether the requested role requires Risk Analysis or not !!

3. If Risk analysis is not required, your IDM solution directly processes the assignment requested and user is assigned with role.

4. If Risk analysis is required for the role, trigger your custom GRC integration framework which calls the Submit User Access Request Web Service – GRAC_USER_ACCESS_WS

5. In the above step, the request is submitted to GRC system.

6. After the request is submitted, you have to probably call Request Status Web Service – GRAC_REQUEST_STATUS_WS to know the status of the request.

7. Once the status of the request is received by IDM, provision accordingly.

You can refer to the document SAP Access Control 10.0 Interface for Identity Management for more information.

All the best !!

~Krishna
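The seven steps suggested in the answer above, sketched as an added example that is not part of the original post and not SAP code. The client class, its method names, the status strings, the request id and the role names are all constructed assumptions; only the two web service names in the comments come from the thread. It goes slightly beyond the answer by bounding the polling and failing closed when no decision arrives.

```python
import time
from enum import Enum

class Outcome(Enum):
    PROVISIONED = "provisioned"
    REJECTED = "rejected"
    STILL_PENDING = "still_pending"   # fail closed: nothing was granted

class FakeGrcClient:
    """Constructed stand-in for the GRC side. Method names, arguments and
    status strings are assumptions, not the real web service interface."""
    def __init__(self, statuses):
        self._statuses = iter(statuses)

    def submit_access_request(self, user, role):
        # Stands in for GRAC_USER_ACCESS_WS (steps 4-5).
        return "REQ-0001"  # constructed request id

    def request_status(self, request_id):
        # Stands in for GRAC_REQUEST_STATUS_WS (step 6).
        return next(self._statuses, "PENDING")

def process_assignment(user, role, risk_roles, grc, provision,
                       max_polls=5, delay=0.0):
    # Steps 2-3: a role that needs no risk analysis is provisioned directly.
    if role not in risk_roles:
        provision(user, role)
        return Outcome.PROVISIONED
    # Steps 4-5: submit to GRC; the assignment stays pending in IDM while
    # the GRC workflow runs through its stages and approvals.
    request_id = grc.submit_access_request(user, role)
    # Step 6: poll for the decision a bounded number of times.
    for _ in range(max_polls):
        try:
            status = grc.request_status(request_id)
        except OSError:
            status = "PENDING"   # a transport error is never an approval
        if status == "APPROVED":
            provision(user, role)   # step 7: provision only on approval
            return Outcome.PROVISIONED
        if status == "REJECTED":
            return Outcome.REJECTED
        time.sleep(delay)           # unknown statuses count as pending
    return Outcome.STILL_PENDING
```

The property to check in a real connector is the same one the test harness checks here: `provision` is never called for a risk-relevant role unless an explicit approval came back.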

Answers (2)


Former Member
0 Kudos

Hi Madhu,

I understand the thread is pretty old; however, I am having a similar doubt and couldn't find anything concrete.

Have you found any answer for the question you have raised? I would be grateful if you can guide me.

Thank you.

Best Regards,

Umesh.

suman_puthadi
Explorer
0 Kudos

This message was moderated.

former_member2987
Active Contributor
0 Kudos