
SAP-GRC integration: Best Practices to use SAP-GRC for SoD analysis (Risk assessment)


Hello Experts,

Quick: I am wondering how to integrate SAP-GRC for SoD analysis in the best way.

For sure, Identity Manager's built-in risk module could be used in order to totally get rid of the need to use SAP-GRC for SoD analysis. However, this will not be achieved short-term. Therefore, I am looking for your experience in how to integrate SAP-GRC in an access request process.

By using SAP-GRC WebServices, a lot of scenarios are possible.

e.g.:

Shop roles in 1IM => route the request to SAP-GRC for SoD check => provision from 1IM once status of SoD is “OK”.

Shop roles in 1IM => route the request to SAP-GRC for SoD check => provision from SAP-IDM once status of SoD is “OK”.

Considerations:

  • The request passed to SAP-GRC by WebServices (e.g. GRAC_USER_ACCES_WS) has to bundle the roles requested for the same system. So in case I shop 2 roles for the same SAP system that is SoD relevant, both roles have to be combined in one request (XML) in order to get the cross-role SoD risk checked.
  • WebService GRAC_REQUEST_DETAILS_WS has to be used rather than GRAC_REQUEST_STATUS_WS, as there is always the possibility that only one role out of several in the same request gets approved.
  • Is it worth performing the SoD check by using the WebServices GRAC_RISK_ANALYSIS_WITH_NO_WS and GRAC_RISK_ANALYSIS_WOUT_NO_WS in order to also check the user's full risk in combination with already assigned roles?

Any suggestions very welcome.

Thank you.

GeKo
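The three considerations above (bundle per system, decide per line item, analyse against already assigned roles) as runnable orchestration logic. This is an added illustration, not code from the original post, One Identity Manager or SAP: the SAP GRC SOAP services (GRAC_USER_ACCES_WS, GRAC_REQUEST_DETAILS_WS, GRAC_RISK_ANALYSIS_WOUT_NO_WS) are replaced by in-memory stand-ins, the request/response shape, the rule set and the sample response are assumptions, and the role and system names are constructed.

```python
"""Added example: 'shop roles in 1IM -> SoD check in SAP GRC -> provision' logic.

Not One Identity Manager or SAP code. The GRC web services are stand-ins
with an assumed, simplified message shape, not the SAP WSDL.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ShopItem:
    user: str
    system: str   # target SAP system, e.g. "PRDCLNT100" (constructed)
    role: str


def bundle_by_user_and_system(items):
    """Consideration 1: all roles shopped for the same user AND system go into
    ONE GRC request; sent one by one, a cross-role conflict is never visible."""
    bundles = defaultdict(set)
    for it in items:
        bundles[(it.user, it.system)].add(it.role)
    return {key: sorted(roles) for key, roles in bundles.items()}


# Constructed SoD rule set (assumption): rule id -> roles that conflict when
# held together. Real GRC rules are defined on functions/actions, not roles.
SOD_RULES = {
    "P001": frozenset({"Z_CREATE_VENDOR", "Z_PAY_VENDOR"}),
    "P002": frozenset({"Z_POST_JE", "Z_APPROVE_JE"}),
}


def risk_analysis(roles):
    """Stand-in for a GRC risk analysis call: violated rule ids for a role set."""
    held = set(roles)
    return sorted(rid for rid, conflict in SOD_RULES.items() if conflict <= held)


def user_level_risk(existing_roles, requested_roles):
    """Consideration 3: risk of the request alone vs. request plus what the
    user already holds. A request that is clean on its own can still create
    a violation against an existing assignment. Returns (request-only risks,
    additional risks that only appear together with existing roles)."""
    request_only = risk_analysis(requested_roles)
    combined = risk_analysis(set(existing_roles) | set(requested_roles))
    only_with_existing = sorted(set(combined) - set(request_only))
    return request_only, only_with_existing


def plan_provisioning(request_details):
    """Consideration 2: decide per line item, not per request header.
    Returns (roles to provision now, roles to hold back) as (system, role)."""
    provision, hold = [], []
    for li in request_details["line_items"]:
        target = (li["system"], li["role"])
        (provision if li["status"] == "APPROVED" else hold).append(target)
    return sorted(provision), sorted(hold)


# Constructed sample response (assumed shape): the header says CLOSED, but only
# one of the two roles was approved, so a header-only status check would
# provision a rejected role.
SAMPLE_DETAILS = {
    "request_no": "9000001234",
    "status": "CLOSED",
    "line_items": [
        {"system": "PRDCLNT100", "role": "Z_CREATE_VENDOR", "status": "APPROVED"},
        {"system": "PRDCLNT100", "role": "Z_PAY_VENDOR", "status": "REJECTED"},
    ],
}


if __name__ == "__main__":
    cart = [ShopItem("jdoe", "PRDCLNT100", "Z_CREATE_VENDOR"),
            ShopItem("jdoe", "PRDCLNT100", "Z_PAY_VENDOR"),
            ShopItem("jdoe", "DEVCLNT200", "Z_DISPLAY_ONLY")]
    for (user, system), roles in bundle_by_user_and_system(cart).items():
        print(user, system, roles, "-> risks:", risk_analysis(roles))
    print(user_level_risk(existing_roles={"Z_APPROVE_JE"}, requested_roles={"Z_POST_JE"}))
    print(plan_provisioning(SAMPLE_DETAILS))
```

Running it shows the two failure modes the post is about: the PRDCLNT100 bundle reports P001 while either role alone reports nothing, and a request for Z_POST_JE alone is clean but violates P002 once the user's existing Z_APPROVE_JE is included. The provisioning plan is derived from the line items, so the rejected role stays on hold even though the request header is CLOSED.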


  • Hi,

     

    GRC Integration is a large topic, but we can give an idea of what is possible and has been done already with Identity Manager.

     

    Technically, Identity Manager has all the integration points needed to integrate with SAP GRC: the approval workflows can invoke an external source (via the pre-defined EX step), the Web Services integration can be accelerated via code generators, and the Identity Manager Web Portal can report effectively on detected compliance violations during the request.

     

    Identity Manager can make use of SAP GRC services in the following ways.  In order of increasing delegation to SAP GRC:

     

    • To validate the requested entitlements against the SAP GRC policy rules
      • In this case, we can just take these results and process them entirely in Identity Manager.  In this way we make use of the rich rules that GRC provides, but keep the approvals and decisions entirely within the IAM governance solution. Given that we must use those rules, if we nevertheless had some choice, this would probably be our preference.

     

    • To request manual approvals from SAP parties
      • If violations are detected then Identity Manager can ask for an approval from the SAP side.  This means creating an access request in SAP GRC and allowing that process to complete.  Again, we will process the results, update the request status and take provisioning actions accordingly.

     

    • To provision the requested entitlements
      • In this case we can let SAP GRC handle the entitlement provisioning.  There can be good reasons to delegate to an in-situ solution (and it also comes up in non-SAP environments like Azure, Oracle etc.).  However, this requires care as it can significantly complicate the deployment operationally.

     

    The included graphic shows a sample flow, as an example, with those mentioned behaviors included.

     

    HTH to clarify to some extent.