on 01-24-2014 3:41 PM
Hi Experts,
I was wondering if you could help me. I need to connect one SAP system with an HR system and have automatic SAP role provisioning depending on the organizational unit (special wish). At the moment the system is connected to a CUA. The CUA has been configured to communicate over the SAP LDAP connector with Microsoft Active Directory (ADAM).
We also have a GRC10 system which is to be implemented for all systems (firefighter, user provisioning, risk analysis).
So as I see it, I have two choices for the automatic provisioning: GRC10 or CUA.
Probably, to make it work over GRC10, I need to set up a workflow with BRF+ rules so I can have the automatic provisioning based on the organisational units of the employees.
I haven't spoken with our AD engineer, but I suppose organisational unit is not an Active Directory attribute. To make it work we will probably use another attribute as a placeholder for organisational unit and sync this field with an SAP field from user master data.
So by creating a BRF+ rule I could implement a check on the organisational unit and have roles assigned depending on that.
I know this is a GRC forum, but which solution would you recommend? Maybe it will be simpler to use this automatic role provisioning over CUA and leave GRC10 out of it.
Cheers, david
Thanks for your answers, we will solve our problem with IDM and business roles.
Best regards,
david
Hello,
As said above, GRC10 or GRC 10.1 can be integrated with CUA and IDM.
And you can have LDAP configured in the GRC system as well to pull the respective information.
Prasant
Hi Prasant,
We are having some issues with our LDAP configuration wherein the LDAP connector appears to be working, and yet when I try to sync the connector within GRC, it says that 0 users are returned from Active Directory.
I've gone through all the guides and it seems like everything has been set up correctly - so I wanted to find out if there were any issues you've encountered in implementing Microsoft Active Directory that I should look into.
Thanks,
Santosh
Check read authorization, and always use the fully qualified name in the SAP server under LDAP instead of the IP address.
To check, go to SE38 and run the role repository sync.
There you can see a message if it's able to read it.
Is your GRC server on Linux OS?
If yes, ask your Basis to check if name resolution works perfectly.
Regards,
prasant
Thanks. A couple of things.
The server config in the GRC 10 system for LDAP is the same as the one in the current GRC 5.3 system. The GRC 5.3 system appears to be working while I'm having issues in the GRC 10 system.
Next, the only difference in the config is the user ID used to bind to LDAP.
Next, the program you asked me to run comes back with all greens except for two yellow triangles for users DDIC and SAP*.
Next, the results of that program, with a green light, say 0 records were returned from LDAP.
So now I'm not really sure because it appears to be working, with 0 records being returned, while GRC 5.3 is apparently getting records back.
Santosh
What string is used while searching users in LDAP? Execute the LDAP tcode and find the users with the default string, for example ...(&(objectclass=*)(samaccountname=a*)). If you have some different string to search users, then we need to find out from the LDAP team if they can set your searchable string as default.
Using GRC 10/10.1 for auto-provisioning is fairly straightforward and it will integrate with IdM very well. I'd suggest you go that route instead of CUA if there is an IdM solution in place.