on 04-01-2015 6:06 AM
Hi experts,
We integrated SAP IDM with GRC,
Now our requirement is creating a business role in IDM/GRC: the request for the business role is raised in IDM and approved by the role owner in GRC after risk analysis.
But SAP said business roles and portal groups are not supported between the systems.
Kindly suggest how to accomplish this.
Regards,
Jaya
As SAP said, the risk analysis is run for combinations of ABAP roles/profiles, not for business roles in IdM nor for roles/groups in AS Java.
Approving/mitigating the access request based on IdM business roles in GRC is not possible AFAIK.
regards, Tero
Hi Jaya,
Perhaps you can revise the workflow as follows to meet the requirement:
1. Create a business role in IDM and add GRC privileges to it.
2. Send the privilege list to GRC for risk analysis and the approval workflow.
3. IDM gets approval from the role owner.
4. If no risk is found, or the risk is mitigated, then approve this business role in IDM.
I did something similar in the past for a customer. For points 2 and 3 you need to create them, because SAP doesn't provide any template.
Cheers,
Chenyang Xiong
Hi Chenyang Xiong,
Thank you for suggestion.
We created a business role in IDM and assigned GRC privileges.
The client wants the request for the business role to be raised from IDM, with approval going to the role owner.
He will do risk analysis and mitigation before approval, via GRC.
For that we want to send the business role name (created in IDM) to GRC.
But we are unable to do it.
Can you please guide us on this
Regards,
Jaya
Hi Jaya,
A composite role is from ABAP systems; a business role is in GRC or IDM.
But I think it's applicable if you are using CUA.
In my first project, we had composite roles in CUA, and they contained single roles from different systems. This mapping is loaded into GRC as well. We raise a request for the composite role in GRC, role owners approve it, and the composite role is assigned in CUA, which in turn means the single roles in the child systems. Not sure if this can be replicated in the IDM world as well: read the composite role into IDM (I haven't checked if this is possible, will let you know once I read about it), raise the request in IDM and send this to GRC for role owner approval, and then assign the composite role in CUA via IDM.
Kind regards,
Jai
Hi Jaya,
OK, from your use case you want to provision Java systems as well, and you don't have CUA either.
Even though it is irrelevant here, composite roles in CUA work across ABAP systems, not just one ABAP system, but there is no provision for Java system support, which is the main advantage of IDM over CUA.
Thanks, and keep us updated if you resolve this. I would be keen to know how different people approach different use cases.
Kind regards,
Jai
Hi Jaya,
Yes, I remember this is possible. You can set up a custom attribute in GRC privileges and put the business role name into this attribute.
Try this URL, but perhaps your GRC consultant should read it instead of you.
After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.
I don't have a working IDM system (with GRC integration) with me, so I could not provide you more details.
Cheers,
Chenyang Xiong
Hi Chenyang/Tero,
Thank you for your valuable suggestions and discussion.
My exact requirement is that we are creating a business role (which contains technical roles coming from GRC and some IDM roles) and assigning it to the user.
Now the owner of that role (the business role owner) should log in to the GRC system, perform risk analysis, and approve.
The request should go only to the role owner/role approver.
Can you please suggest how we can achieve this?
Regards,
Jaya
The standard IDM GRC integration performs risk analysis on user level only. But GRC is capable of doing risk analysis on role level too. This feature is not included in the integration (though it should be).
So the workaround is to specify a pseudo user ID when sending the access request to GRC. The solution could be adding a Java class to VDS to call the risk analysis web service on role level directly. This solution can also be functional if you want to read GRC business roles into IDM and ask GRC to provision business roles, but that only works for the distributed provisioning scenario. I've done the workaround for a customer, but never tried the solution. The solution means a lot of development effort.
Best Regards
Chenyang Xiong
Hi Jaya,
Perhaps I comprehend your requirement incorrectly. In your case, you could pass a business role name (in a custom attribute) in each line item of the access request.
But I have a doubt, though. Once the request is sent to GRC, it includes only technical roles/privileges. Each privilege could belong to many business roles. How do you determine which business role owner should pick up the request and approve it?
Best Regards
Chenyang Xiong
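The two ideas in Chenyang's last replies, the pseudo-user workaround for role-level risk analysis and a custom line-item attribute carrying the business role name so the right owner can be found, are sketched below as an added example. It is not code from the thread, from SAP IDM, or from GRC: the business roles, privileges, SoD rules, the attribute name ZBUSROLE, the pseudo user ID prefix and the mitigation table are all constructed here, and the risk analysis is a simulation of what the GRC web service would return, not a call to it. It also answers the "which owner?" doubt: because routing uses the ZBUSROLE attribute rather than the privilege, the same privilege requested via two different business roles reaches two different owners.

```javascript
// Added example, not from the thread or any SAP product. All names below are assumptions.
// Business roles as IdM would hold them: an owner plus the privileges they bundle.
// A privilege is "PRIV:<system>:<technical role or group>".
const BUSINESS_ROLES = {
  BR_AP_CLERK: {
    owner: "owner.ap",
    privileges: ["PRIV:ECC:Z_AP_INVOICE", "PRIV:ECC:Z_AP_DISPLAY", "PRIV:PORTAL:GRP_FINANCE"],
  },
  BR_AP_PAYMENTS: {
    owner: "owner.treasury",
    privileges: ["PRIV:ECC:Z_AP_INVOICE", "PRIV:ECC:Z_AP_PAYMENT_RUN"],
  },
};

// Constructed SoD rules in the spirit of a GRC access risk: the risk fires when the
// analysed user holds at least one role from every function group of the rule.
const SOD_RULES = [
  { id: "P001", level: "High", functions: [["Z_AP_INVOICE"], ["Z_AP_PAYMENT_RUN"]] },
];

// Mitigating controls already assigned per risk ID (constructed; empty by default).
const MITIGATIONS = {};

// Only ABAP roles take part in the risk analysis; portal groups are dropped, as GRC ignores them.
function abapRolesOf(privileges) {
  return privileges
    .filter((p) => p.startsWith("PRIV:ECC:"))
    .map((p) => p.split(":")[2]);
}

// Simulated user-level risk analysis, the only kind the standard IdM integration offers.
function riskAnalysisForUser(userId, roles) {
  const held = new Set(roles);
  return SOD_RULES
    .filter((rule) => rule.functions.every((fn) => fn.some((r) => held.has(r))))
    .map((rule) => ({ userId, riskId: rule.id, level: rule.level }));
}

// Workaround: analyse a business role by pretending a pseudo user holds exactly its privileges.
function riskAnalysisForBusinessRole(name) {
  const role = BUSINESS_ROLES[name];
  if (!role) throw new Error(`unknown business role ${name}`);
  return riskAnalysisForUser(`PSEUDO_${name}`, abapRolesOf(role.privileges));
}

// Build the access request GRC receives: one line item per privilege, each carrying
// the business role name in a custom attribute (ZBUSROLE is an assumed name).
function buildAccessRequest(requester, businessRoleName) {
  const role = BUSINESS_ROLES[businessRoleName];
  if (!role) throw new Error(`unknown business role ${businessRoleName}`);
  return role.privileges.map((priv) => ({
    requester,
    privilege: priv,
    custom: { ZBUSROLE: businessRoleName },
  }));
}

// Route by the custom attribute, never by the privilege: a privilege may sit in several
// business roles, but the attribute pins each line item to exactly one owner.
function approversFor(lineItems) {
  const owners = new Set();
  for (const item of lineItems) {
    const name = item.custom.ZBUSROLE;
    if (!BUSINESS_ROLES[name]) throw new Error(`line item without known business role: ${item.privilege}`);
    owners.add(BUSINESS_ROLES[name].owner);
  }
  return [...owners].sort();
}

// End-to-end decision for one business role request: who approves, which risks fired,
// and whether the role can be approved outright, after mitigation, or not yet.
function decide(requester, businessRoleName, mitigations = MITIGATIONS) {
  const request = buildAccessRequest(requester, businessRoleName);
  const violations = riskAnalysisForBusinessRole(businessRoleName);
  const unmitigated = violations.filter((v) => !mitigations[v.riskId]);
  let status;
  if (violations.length === 0) status = "APPROVABLE";
  else if (unmitigated.length === 0) status = "APPROVABLE_MITIGATED";
  else status = "NEEDS_MITIGATION";
  return { approvers: approversFor(request), violations, status };
}

console.log(JSON.stringify(decide("jaya", "BR_AP_CLERK")));
console.log(JSON.stringify(decide("jaya", "BR_AP_PAYMENTS")));
console.log(JSON.stringify(decide("jaya", "BR_AP_PAYMENTS", { P001: "CTRL-42" })));
```

The pseudo user ID is only a label for the analysis call; nothing is provisioned for it, which is the point of the workaround. In a real implementation the simulated `riskAnalysisForUser` would be replaced by the call into GRC, and the mitigation lookup by the controls GRC already records.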