• State Not Answered
  • Replies 1 reply
  • Subscribers 96 subscribers
  • Views 937 views
  • Users 0 members are here
Options
Related

SAP GRC Access Control, audit rules "import"

alexeyf
over 2 years ago

Hello all,

in the training video, https://www.oneidentity.com/de-de/video/identity-manager-sap-sap-authorization-model-basics-for-grc-8145622/, it is said that "audit rules defined in SAP Access Control can be exported from SAP GRC and imported into One Identity Manager.".

Can someone explain what exactly is meant by this? Can we actually somehow import complete GRC rules exported from SAP? Is there anything out of the box to do it?

Thanks in advance and best regards

Parents
  • 0 over 1 year ago

    Hi Alexey,

    Sorry for the delay in replying here, but to clarify this for you.

    What is out-of-the-box in this case is the Identity Manager SoD Data Model.  This is designed with an emphasis on SAP, though it supports SoD as a general concept.  So the idea is that the customer exports the relevant SAP GRC rules out to CSV, say.  There may be post processing to massage to a convenient format.  Then we import those rules directly to the Identity Manager SoD (Identity Audit) tables.  Some technology partners, like IBS Schreiber, have built this flow and offer it as a consulting service and some customers have put it together themselves.

    Usually customers are working with a business relevant subset of SAP GRC rules.  The whole rule set or more typically, a targeted business user relevant subset would be imported to Identity Manager.  For example, rules that govern combinations of requestable SAP entitlements.

    A typical such mapping from SAP GRC->Identity Manager is shown below.

    hth,

    Rob.

    SAP GRC

    Identity Manager

    Function

    Function

    Function BP

    Relation Function to Function categories

    FunctionAction

    Relation Action to Function

    FunctionPerm

    Relation Permission to Function

    RuleSets

    Rule groups

    Risk

    Relation of risks

    RiskDescription

    Rule

    RiskRuleSetRel

    Relation Risk to Rule Set

    RiskOwners

    Rule Supervisor
Reply
  • 0 over 1 year ago

    Hi Alexey,

    Sorry for the delay in replying here, but to clarify this for you.

    What is out-of-the-box in this case is the Identity Manager SoD Data Model.  This is designed with an emphasis on SAP, though it supports SoD as a general concept.  So the idea is that the customer exports the relevant SAP GRC rules out to CSV, say.  There may be post processing to massage to a convenient format.  Then we import those rules directly to the Identity Manager SoD (Identity Audit) tables.  Some technology partners, like IBS Schreiber, have built this flow and offer it as a consulting service and some customers have put it together themselves.

    Usually customers are working with a business relevant subset of SAP GRC rules.  The whole rule set or more typically, a targeted business user relevant subset would be imported to Identity Manager.  For example, rules that govern combinations of requestable SAP entitlements.

    A typical such mapping from SAP GRC->Identity Manager is shown below.

    hth,

    Rob.

    SAP GRC

    Identity Manager

    Function

    Function

    Function BP

    Relation Function to Function categories

    FunctionAction

    Relation Action to Function

    FunctionPerm

    Relation Permission to Function

    RuleSets

    Rule groups

    Risk

    Relation of risks

    RiskDescription

    Rule

    RiskRuleSetRel

    Relation Risk to Rule Set

    RiskOwners

    Rule Supervisor
Children
No Data