SAP IDM - GRC Integration Scenario Query
I want to understand if the following scenario is possible or not. Or if any alternate is available. Please share your thoughts..
SAP IDM 7.2, SP9, Patch 11, in use with SAP Provisioning Framework 2 and GRC Provisioning Framework 2
SAP GRC Access Control 10.1
Both systems installed, configured and connected (web service connection works well)
Business Roles will be requested for assignment in IDM. For each privilege that is contained in the Business Role, IDM will trigger the Risk Analysis task and GRC will perform a risk analysis (privilege grouping not yet defined).
If the GRC risk analysis does not discover a risk, IDM will continue the assignment process of the privileges (or rather Business Role) following the approval workflow defined in IDM.
If the GRC risk analysis discovers a risk, IDM will trigger the AC Validation task and GRC will create a validation request. This request has to be mitigated in GRC. The result will be handed over to IDM and will there be processed accordingly.
In IDM only one task from the GRC Provisioning Framework 2 can be triggered when a privilege will be requested for assignment. In our case it’s the “AC Validation – Risk Analysis only” task:
…and the “AC Validation” task:
Using the “Risk Analysis only” task processes the pending value object right after receiving the GRC response. This prevents us from post-processing or modifying the pending value object. The assignment will directly be assigned or rejected.
That means we can either have a risk analysis only OR we’ll have a GRC AC validation request for any privilege assignment request! This is not the foreseen scenario. We want to perform a risk analysis for eacht privilege assignment and if a risk is detected in GRC, a mitigation request shall be started in GRC.
How can this problem be solved? Is the desired scenario feasible?
Thanks a lot in advance.