SAP GRC Access Control, audit rules "import"

Hello all,

in the training video, https://www.oneidentity.com/de-de/video/identity-manager-sap-sap-authorization-model-basics-for-grc-8145622/, it is said that "audit rules defined in SAP Access Control can be exported from SAP GRC and imported into One Identity Manager.".

Can someone explain what exactly is meant by this? Can we actually somehow import complete GRC rules exported from SAP? Is there anything out of the box to do it?

Thanks in advance and best regards

0 Robert Byrne over 1 year ago

Hi Alexey,

Sorry for the delay in replying here, but to clarify this for you.

What is out-of-the-box in this case is the Identity Manager SoD Data Model. This is designed with an emphasis on SAP, though it supports SoD as a general concept. So the idea is that the customer exports the relevant SAP GRC rules out to CSV, say. There may be post processing to massage to a convenient format. Then we import those rules directly to the Identity Manager SoD (Identity Audit) tables. Some technology partners, like IBS Schreiber, have built this flow and offer it as a consulting service and some customers have put it together themselves.

Usually customers are working with a business relevant subset of SAP GRC rules. The whole rule set or more typically, a targeted business user relevant subset would be imported to Identity Manager. For example, rules that govern combinations of requestable SAP entitlements.

A typical such mapping from SAP GRC->Identity Manager is shown below.

hth,

Rob.

SAP GRC	Identity Manager
Function	Function
Function BP	Relation Function to Function categories
FunctionAction	Relation Action to Function
FunctionPerm	Relation Permission to Function
RuleSets	Rule groups
Risk	Relation of risks
RiskDescription	Rule
RiskRuleSetRel	Relation Risk to Rule Set
RiskOwners	Rule Supervisor