Integrate external identity management solution in SAP GRC Access Control

Former Member
0 Kudos

We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white papers mention that extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have information about these services and documentation? Any hint is appreciated.

Thanks

Detlef

Accepted Solutions (1)

koehntopp
Product and Topic Expert
0 Kudos

Please get in contact with me directly, I'll try to help you find the right solution.

Frank.

Former Member
0 Kudos

Hi,

We are also trying to integrate a SUN IDM solution with GRC. I would appreciate the information as well.

Thanks

Former Member
0 Kudos

Does the webservices outline in the following article answer your question?

SAP GRC Access Control: Compliant Provisioning Goes Identity Management (https://www.sdn.sap.com//irj/sdn/go/portal/prtroot/docs/library/uuid/b0aafd33-e662-2a10-a197-dd3137f7f7e0)

Former Member
0 Kudos

I have the same need for documentation about VCC web services.

We have an internal app that manages the authorization workflow, and now we want to put some info from the VCC inside this app via web services.

We need to programmatically run some simulations and to associate (and disassociate) mitigating controls.

But I can't find any documentation. Can someone help me?

koehntopp
Product and Topic Expert
0 Kudos

Paulo,

currently mitigation is not part of the published web services, nor are simulations.

Part of the reason for that is that it would require a lot of user interaction, simulation for example is a highly dialog oriented task.

If you take your approach further, you're replicating a lot of the functionality from Risk Analysis And Remediation and Compliant User Provisioning into your application.

If you're already a GRC Access Control customer - would it be an option to hand the SAP ERP part of your authorization workflow over to Compliant User Provisioning (formerly Access Enforcer)? That would take care of all of your analysis and mitigation issues, and then some.

Frank.

Former Member
0 Kudos

Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.

What do the published web services do? Is there any documentation about them?

In a part of our process, we must manually pick the current roles (1), the pending roles (2) (roles that were approved but not given due to training prerequisites) and the requested new roles (3) and make the simulation in the VCC.

The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and (3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.

Another thing that we want to do is to create a job where it would automatically disassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls).

IMHO as a former programmer, these are classic cases where I would like to consume some web services for these tasks to avoid a lot of Ctrl+C/Ctrl+V from the operators (inefficient and error prone).

Does VCC have any documentation that would help me find out how I would do these integrations?

Thanks in advance

koehntopp
Product and Topic Expert
0 Kudos

What exactly is it that you can't do in Access Enforcer?

Frank.

Former Member
0 Kudos

Listing only the 3 off the top of my head:

- Not everyone can ask for a SAP role here (AE follows a self-service philosophy).

- AE can't put the role request "on hold" while the user does the required trainings.

- AE can't kill the mitigating controls when a role expires.

koehntopp
Product and Topic Expert
0 Kudos

Well,

- you can use UME to authenticate AE users, thereby limiting requests to people maintained in UME (or a directory)

- in 5.3, you can call a web service that checks training status before a role can be requested

- in 5.3, there is a report that will show you invalid/expired controls, allowing you to remove them.

Frank.

Answers (4)

Former Member
0 Kudos

We are trying to use the AE Audit Log webservice to retrieve user and role information for requests to use with our training lookup tool. I have read the document about what values can be sent to and retrieved from AE, but I cannot find anything about exactly how to call the webservice and what security is needed to get information. Does anyone have anything on this? Frank? Help?

Thank you.

Jennifer

Former Member
0 Kudos

Hi,

We are currently in the process of integrating SUN IdM with SAP GRC. If you go to the web service navigator, you will see the web services listed out, including AE web services. AESubmitRequest5_2 is the web service which SUN IdM needs to call to submit a request in AE. Similarly, AEExitService will return the status of the request back to SUN IdM.

Problem: While integrating, I am facing an error. The initiator is based on Functional Area and Business Process. AESubmitRequest does not allow passing these 2 fields to AE, hence I am not able to trigger my workflows. If anyone knows how to modify the web service, please let me know.

Thanks

Rashmi

Former Member
0 Kudos

Hi Rashmi,

Access Enforcer integration with SUN IDM in AC 5.2 is not possible.

This is possible only in the new version of SAP GRC AC 5.3.

You can't use the AESubmitRequest5_2 and AEExitService web services for user provisioning in IDM.

Regards,

Jagat

Former Member
0 Kudos

The link to the Identity Management PDF was interesting and it implied it should work.

I want to bring xEM (a SAP web application) into Access Enforcer, but since it is not an ABAP application, I am unable to find technical documents on how to do it.

xEM is being used for Emission Reporting and may be covered by a regulatory body, so we want roles to be approved inside of AE, just like our other SAP environments.

So is there a document to bring in non-ABAP environments?

koehntopp
Product and Topic Expert
0 Kudos

There are currently two options:

- you can set up your system to use ABAP as the UMA data source, so that you can provision ABAP roles that map to UME groups.

- you can wait for 5.3, which has full UME provisioning capabilities.

Hope that helps,

Frank.

Former Member
0 Kudos

Dear board,

are you aware of documentation regarding the mentioned Web Services? We are trying to implement functionality leveraging the Request Submission to GRC-WS, but we weren't able to figure out things like "account validity" yet.

Any recommendations on how to get this information?

Many regards,

Richard