
SAP IDM - GRC Integration Scenario Query

Former Member
0 Kudos

Hello Experts

I want to understand if the following scenario is possible or not, or if any alternative is available. Please share your thoughts.

Current Situation:

SAP IDM 7.2, SP9, Patch 11, in use with SAP Provisioning Framework 2 and GRC Provisioning Framework 2

SAP GRC Access Control 10.1

Both systems installed, configured and connected (web service connection works well)

Desired scenario:

Business Roles will be requested for assignment in IDM. For each privilege that is contained in the Business Role, IDM will trigger the Risk Analysis task and GRC will perform a risk analysis (privilege grouping not yet defined).

If the GRC risk analysis does not discover a risk, IDM will continue the assignment process of the privileges (or rather Business Role) following the approval workflow defined in IDM.

If the GRC risk analysis discovers a risk, IDM will trigger the AC Validation task and GRC will create a validation request. This request has to be mitigated in GRC. The result will be handed over to IDM and will there be processed accordingly.

Problem:

In IDM only one task from the GRC Provisioning Framework 2 can be triggered when a privilege will be requested for assignment. In our case it’s the “AC Validation – Risk Analysis only” task:

…and the “AC Validation” task:

Using the “Risk Analysis only” task processes the pending value object right after receiving the GRC response. This prevents us from post-processing or modifying the pending value object. The assignment will directly be assigned or rejected.

That means we can either have a risk analysis only OR we’ll have a GRC AC validation request for any privilege assignment request! This is not the foreseen scenario. We want to perform a risk analysis for each privilege assignment and if a risk is detected in GRC, a mitigation request shall be started in GRC.

Question:

How can this problem be solved? Is the desired scenario feasible?

Thanks a lot in advance.

Regards,

Krishna.

Accepted Solutions (0)

Answers (2)


jaisuryan
Active Contributor
0 Kudos

Hi Krishna,


I suppose "AC Validation – Risk Analysis only" should suffice your requirement from IDM side.


IDM prepares the risk analysis request, submits the request to GRC and processes the output of the risk analysis.


Rest to be config'd in SAP GRC side. GRC should receive the request from IDM, perform risk analysis, create a request for remediation and send out of request to IDM. Did you check with your SAP GRC Consultant if workflows and WS are correctly configured in GRC side?


Kind regards,

Jai

Former Member
0 Kudos

Hi Krishna,

You can refer to the guide below - section 1.2.1 Landscape configuration scenarios: AC validation also performs risk analysis but is specifically used in the case of distributed provisioning. AC validation - Risk Analysis only is recommended to be used for centralized provisioning. Both tasks can be used alternatively and will perform risk analysis in AC.

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/70a537eb-b486-3110-30a7-a5ec24222...