
IDM GRC Business Role management

former_member198652
Active Participant
0 Kudos

Hi experts,

We integrated SAP IDM with GRC,

Now our requirement is creating a business role in IDM/GRC: a request for the business role is raised in IDM and approved by the role owner in GRC after risk analysis.

But SAP said business roles and portal groups are not supported between the systems.

Kindly suggest how to accomplish this.

Regards,

Jaya

Accepted Solutions (1)

terovirta
Active Contributor
0 Kudos

As SAP said, the risk analysis is run for the combination of ABAP roles/profiles, not for Business Roles in IdM nor for roles/groups in AS Java.

Approving/mitigating the access request based on IdM Business Roles in GRC is not possible AFAIK.

regards, Tero

former_member198652
Active Participant
0 Kudos

Hi Tero,

We created business roles in IDM and assigned technical roles coming from GRC.

Now if we create a request for a business role in IDM, the request goes to GRC, but all the technical roles are shown in GRC instead of the single business role.

Is there any fix for this issue?

Regards,

Jaya

terovirta
Active Contributor
0 Kudos

No fix, this is the way it works with current versions.

regards, Tero

deepakkg86
Participant
0 Kudos

IDM Business roles can be a combination of SAP and non-SAP systems, and the information might not be present in GRC for them. I believe this could be the reason why Business role integration is not possible and only privileges are sent to the SAP GRC system.

Chenyang
Contributor
0 Kudos

Hi Jaya,

Perhaps you can revise the workflow as follows to meet the requirement:

1. Create a business role in IDM and add GRC privileges to it

2. Send the privilege list to GRC for risk analysis and the approval workflow

3. IDM gets approval from the role owner

4. If no risk is found or the risk is mitigated, then approve this business role in IDM

I did something similar in the past for a customer. For points 2 and 3 you need to create them yourself because SAP doesn't provide any template.

Cheers,

Chenyang Xiong

former_member198652
Active Participant
0 Kudos

Hi Chenyang Xiong,

Thank you for the suggestion.

We created a business role in IDM and assigned GRC privileges.

The client wants the request for the business role to be raised from IDM, and the approval to go to the role owner.

He will do risk analysis and mitigation before approval, via GRC.

For that we want to send the business role name (created in IDM) to GRC.

But we are unable to do it.

Can you please guide us on this?

Regards,

Jaya

terovirta
Active Contributor
0 Kudos

(Chenyang, that's how the standard interface works not what Jaya wants to achieve.)

former_member198652
Active Participant
0 Kudos

Hi Tero,

Is it possible to pass the business role name using any customized attribute from IDM to GRC?

I mean by adding an extra attribute which passes the role name.

If we can pass it, we can fix this issue.

Regards,

Jaya

jaisuryan
Active Contributor
0 Kudos

Hi Jaya,

Just got this idea but I haven't fully researched it.

Was it not possible to use composite roles instead of business roles in GRC and read them into IDM -> assign the composite role to the user -> the request goes to GRC -> the business role owner approves the request?

Kind regards,

Jai

former_member198652
Active Participant
0 Kudos

Hi Jai,

Composite role or business role, it doesn't make any difference.

Regards,

Jaya

jaisuryan
Active Contributor
0 Kudos

Hi Jaya,

Composite role is from ABAP systems. Business role is in GRC or IDM.

But I think it's applicable if you are using CUA.

In my 1st project, we had composite roles in CUA and they contained single roles from different systems. This mapping was loaded into GRC as well. We raised requests for composite roles in GRC, the role owners approved them, and the composite role was assigned in CUA, which in turn means the single roles in the child systems. Not sure if this can be replicated in the IDM world as well: read the composite role into IDM (I haven't checked if this is possible, will let you know once I read about it), raise the request in IDM and send it to GRC for role owner approval, and then assign the composite role in CUA via IDM.

Kind regards,

Jai

former_member198652
Active Participant
0 Kudos

Hi Jai,

We checked with our GRC experts.

The difference between compound roles and business roles is that compound roles support or are dedicated to one system, but business roles can be created across systems.

We need roles from different systems included in one business role.

Regards,

Jaya

jaisuryan
Active Contributor
0 Kudos

Hi Jaya,

Ok, from your use case you want to provision Java systems as well and you don't have CUA either.

Even though it's irrelevant, composite roles in CUA are supported across ABAP systems, not just one ABAP system, but there is no provision for Java system support, which is the main advantage of IDM over CUA.

Thanks, and keep us updated if you resolve this. I would be keen to know how different people approach different use cases.

Kind regards,

Jai

Chenyang
Contributor
0 Kudos

Hi Tero,

It is slightly different. In the SAP standard process, the request is sent to GRC when you assign a GRC privilege to a user. What Jaya wants is to send the request when the IDM business role is created.

Cheers,

Chenyang Xiong

Chenyang
Contributor
0 Kudos

Hi Jaya,

Yes, I remember this is possible. You can set up a custom attribute on GRC privileges and put the business role name into this attribute.

Try this URL, but perhaps your GRC consultant should read it instead of you.

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d0e2c628-2690-2e10-0d82-dbf1931db...

After creating the attribute, you need to revise the GRC framework to include this attribute (business role name) in your request.

I don't have a working IDM system (with GRC integration) with me, so I cannot provide you more details.

Cheers,

Chenyang Xiong

terovirta
Active Contributor
0 Kudos

How do you propose the Business Role is then sent to GRC for approval/mitigation?

(I know how the standard works and understood what the guy asked as a lot of customers face the same issue.)

regards, Tero

former_member198652
Active Participant
0 Kudos

Hi Chenyang/Tero,

Thank you for your valuable suggestions and discussion.

My exact requirement is: we are creating a business role (which contains technical roles that come from GRC and some IDM roles) and assigning it to the user.

Now the owner of that role (the business role owner) should log into the GRC system, perform risk analysis, and approve.

The request should go only to the role owner/role approver.

Can you please suggest how we can achieve this?

Regards,

Jaya

Chenyang
Contributor
0 Kudos

Standard IDM GRC integration performs risk analysis on user level only. But GRC is capable of doing risk analysis on role level too. This feature is not included in the integration (which it should be).

So the workaround is to specify a pseudo user ID when sending the access request to GRC. The solution could be adding a Java class to VDS to call the risk analysis web service on role level directly. This solution could also work if you want to read GRC business roles into IDM and ask GRC to provision business roles, but that only works for the distributed provisioning scenario. I've done the workaround for a customer, but never tried the solution. The solution means a lot of development effort.

Best Regards

Chenyang Xiong

Chenyang
Contributor
0 Kudos

Hi Jaya,

Perhaps I comprehend your requirement incorrectly. In your case, you could pass a business role name (in a custom attribute) in each line item of the access request.

But I have a doubt though. Once the request is sent to GRC, it includes only technical roles/privileges. Each privilege could belong to many business roles. How do you determine which business role owner should pick up the request and approve it?

Best Regards

Chenyang Xiong
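A small model of the two points Chenyang raises above (the workflow in which the privilege list of a business role is risk-analysed on role level before the role is approved in IdM, and the owner ambiguity when the request reaching GRC carries only technical privileges). This is an added example written for this thread, not SAP code and not the IDM/GRC interface: every business role, privilege, owner and SoD rule below is constructed sample data, and the functions only simulate what the real GRC risk analysis and approval routing would do.

```python
"""Constructed model: IdM business roles, GRC privileges, SoD risk analysis
and owner resolution. All names and rules below are made up for illustration."""
from typing import Dict, List, Set

# Constructed: business roles in IdM expanding to technical privileges
# (ABAP roles and a Java portal group) across more than one system.
BUSINESS_ROLES: Dict[str, Set[str]] = {
    "BR_AP_CLERK":     {"ERP:Z_AP_INVOICE_POST", "ERP:Z_VENDOR_DISPLAY", "PORTAL:AP_Users"},
    "BR_AP_MANAGER":   {"ERP:Z_AP_INVOICE_POST", "ERP:Z_AP_PAYMENT_RUN", "PORTAL:AP_Users"},
    "BR_VENDOR_ADMIN": {"ERP:Z_VENDOR_MAINTAIN", "ERP:Z_VENDOR_DISPLAY"},
}
ROLE_OWNERS: Dict[str, str] = {
    "BR_AP_CLERK": "owner.ap",
    "BR_AP_MANAGER": "owner.ap.mgr",
    "BR_VENDOR_ADMIN": "owner.md",
}
# Constructed SoD ruleset: two privileges that conflict when held together.
SOD_RULES: Dict[str, tuple] = {
    "P001": ("ERP:Z_AP_INVOICE_POST", "ERP:Z_AP_PAYMENT_RUN"),
    "P002": ("ERP:Z_VENDOR_MAINTAIN", "ERP:Z_AP_INVOICE_POST"),
}


def expand(business_role: str) -> Set[str]:
    """Technical privileges a business role resolves to (what the standard interface sends)."""
    return set(BUSINESS_ROLES[business_role])


def risk_analysis(privileges: Set[str]) -> List[str]:
    """Which SoD rules fire for a privilege set. Run on expand(role) this is the
    role-level analysis the thread mentions; run on a user's full set it is user-level."""
    return sorted(rid for rid, (a, b) in SOD_RULES.items() if a in privileges and b in privileges)


def user_level_risks(assigned_roles: List[str]) -> List[str]:
    """User-level analysis: risks that appear only from the combination of roles a user holds."""
    combined: Set[str] = set()
    for role in assigned_roles:
        combined |= expand(role)
    return risk_analysis(combined)


def build_request(user: str, business_role: str, tag_line_items: bool) -> List[dict]:
    """Line items as GRC would receive them. With tag_line_items=False only the
    privileges are sent (standard behaviour); with True each line item also carries
    the business role name in a custom attribute, the workaround suggested above."""
    items = []
    for priv in sorted(expand(business_role)):
        item = {"user": user, "privilege": priv}
        if tag_line_items:
            item["business_role"] = business_role
        items.append(item)
    return items


def resolve_owners(request: List[dict]) -> Set[str]:
    """Owners who could legitimately approve the request. Without the business role
    tag, every business role containing any of the privileges is a candidate."""
    if all("business_role" in item for item in request):
        return {ROLE_OWNERS[item["business_role"]] for item in request}
    owners: Set[str] = set()
    for item in request:
        for role, privs in BUSINESS_ROLES.items():
            if item["privilege"] in privs:
                owners.add(ROLE_OWNERS[role])
    return owners


def decide(business_role: str, mitigated: Set[str]) -> str:
    """Step 4 of the workflow: approve the role in IdM only if the role-level
    analysis finds no risk, or every risk found has a mitigation recorded."""
    risks = risk_analysis(expand(business_role))
    return "APPROVE" if all(r in mitigated for r in risks) else "REJECT"


if __name__ == "__main__":
    print("BR_AP_MANAGER role-level risks:", risk_analysis(expand("BR_AP_MANAGER")))
    print("clerk + vendor admin user-level risks:", user_level_risks(["BR_AP_CLERK", "BR_VENDOR_ADMIN"]))
    print("owners, untagged request:", resolve_owners(build_request("jdoe", "BR_AP_CLERK", False)))
    print("owners, tagged request:  ", resolve_owners(build_request("jdoe", "BR_AP_CLERK", True)))
```

Running it shows the two effects: BR_AP_CLERK and BR_VENDOR_ADMIN are each clean on role level yet conflict on user level when one person holds both, which is why role-level approval alone does not replace the user-level check; and the untagged request for BR_AP_CLERK maps to three possible owners, while the tagged request resolves to exactly one, which is the question Chenyang asks about routing the approval.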

former_member198652
Active Participant
0 Kudos

Hi Chenyang,

Our requirement is to send the business role name instead of the technical role names to GRC.

Regards,

Jaya
