SAP GRC Access Control, audit rules "import"

Hello all,

In the training video, https://www.oneidentity.com/de-de/video/identity-manager-sap-sap-authorization-model-basics-for-grc-8145622/, it is said that "audit rules defined in SAP Access Control can be exported from SAP GRC and imported into One Identity Manager."

Can someone explain what exactly is meant by this? Can we actually somehow import complete GRC rules exported from SAP? Is there anything out of the box to do it?

Thanks in advance and best regards

  • Hi Alexey,

    Sorry for the delay in replying here, but to clarify this for you.

    What is out-of-the-box in this case is the Identity Manager SoD Data Model. This is designed with an emphasis on SAP, though it supports SoD as a general concept. So the idea is that the customer exports the relevant SAP GRC rules out to CSV, say. There may be post-processing to massage it into a convenient format. Then we import those rules directly to the Identity Manager SoD (Identity Audit) tables. Some technology partners, like IBS Schreiber, have built this flow and offer it as a consulting service, and some customers have put it together themselves.

    Usually customers are working with a business-relevant subset of SAP GRC rules. The whole rule set or, more typically, a targeted business-user-relevant subset would be imported to Identity Manager. For example, rules that govern combinations of requestable SAP entitlements.

    A typical such mapping from SAP GRC->Identity Manager is shown below.

    hth,

    Rob.

    | SAP GRC         | Identity Manager                         |
    |-----------------|------------------------------------------|
    | Function        | Function                                 |
    | Function BP     | Relation Function to Function categories |
    | FunctionAction  | Relation Action to Function              |
    | FunctionPerm    | Relation Permission to Function          |
    | RuleSets        | Rule groups                              |
    | Risk            | Relation of risks                        |
    | RiskDescription | Rule                                     |
    | RiskRuleSetRel  | Relation Risk to Rule Set                |
    | RiskOwners      | Rule Supervisor                          |
