Active Directory, GRC, and Identity Management

Former Member
0 Kudos

A client I am working at would like to explore using Active Directory groups to assign SAP roles to users, both portal roles and ABAP roles. They are currently using Microsoft AD. However, they have a requirement to use GRC Access Controls (v5.2) to assist with role maintenance and assignment for SOX compliance. I have been told that the Identity Management product can assist with integrating GRC and AD that will still allow for SOD checking/SOX compliance while role assignments can take place in AD.

Does anybody have experience with using Identity Management either with or without GRC? Does it work with Microsoft AD or is it its own AD product? What was your experience with it?

Are there any other products that can be recommended that will allow for integration between GRC Access Controls and Microsoft AD?

Steve

1 ACCEPTED SOLUTION

Former Member
0 Kudos

I don't have experience with this, but I think what would matter is if you are using AD to sync SAP roles to the user profile. If you are syncing SAP roles then they would just show up in the user master and GRC could report on this. As far as using GRC for role maintenance, it would also depend on whether you are using Role Expert or Access Enforcer. I think Access Enforcer has a Microsoft AD tie-in that would allow reporting on AD provisioning.

Dave

5 REPLIES

Former Member
0 Kudos

Hi Steve, you might get some good info in the following forum:

0 Kudos

Thanks Alex. I will post there as well.

0 Kudos

Hi David,

Thanks for the response. From what I have read, Access Enforcer interfaces with AD but for user information only (username, phone number, etc.). It is not clear that it allows for interfacing SAP roles with AD groups. This is an initial implementation at the client, so right now they are not using AD to assign roles in SAP but are looking for a way to proceed on it.

Steve

koehntopp
Product and Topic Expert
0 Kudos

Steve,

there are several options here.

Basically, using Access Enforcer (AE) over AD is preferred, because AD most likely will not perform simulations or analysis on critical authorizations before assigning roles.

Also, the SAP authorization workflow, regarding stuff like role owners, managers, mitigation approvers, functional area managers etc. can get quite complex.

Can you elaborate on what the workflow looks like with AD today? Is any of the above being taken into account? If not, IMHO that would be one integral part of a GRC implementation.

If you have to use AD, there is now a published web service that allows you to call AE from any other system that manages identities.

As a third option, you could look at LDAP mapping in Access Enforcer, map your group information to a custom field and trigger role assignment based on those fields.

Let me know if you have any more questions.

Frank.