As mentioned previously in our blog CIRM: Compliant Identity and Role Management in Practice, you can integrate your SAP Access Control (GRC) and SAP Identity Management (IDM) to leverage its functionalities. In this blog, I would like to give you an overview of the possibilities of how to connect your SAP Identity Management (IDM) and SAP Access Control (GRC) system. Also, which integration scenarios are available and how do they look like in a GRC IDM Integration.

Which integration scenario should we use?

There are at least five different scenarios which we could choose from. Every scenario is a combination of a landscape and result handling scenario. First of all, let me explain the different landscape and result handling scenarios.

Landscape Scenarios

Centralized Provisioning: In this scenario, the SAP Identity Management is the only system that provisions assignments, both on SAP and non-SAP systems. The GRC system analyzes and performs the risk analysis only. SAP IDM handles all additional steps that are part of the provisioning process. We recommend this scenario from the two alternatives.

Distributed Provisioning: When using this scenario, SAP IDM provisions non-ABAP systems while SAP Access Control (GRC) takes care of ABAP systems. Performing compliance checks only against ABAP systems that are in scope of SAP Access Control. This scenario doesn’t require an ABAP repository in SAP IDM.

Result Handling Scenarios

Polling: Using the Polling scenario means that the SAP Identity Management system sends the request for risk analysis, using a web service, to the GRC Access Control system and getting the result by asking the GRC system in an interval (which is configurable). This scenario is fail-safe (e.g., for lost network connection). We recommend this scenario.

Event-Based (AC Callback Service): Instead of polling for the risk analysis result, SAP IDM is waiting to be informed by the GRC system about the result of the risk analysis. The result is being sent when GRC executes its Web Service (GRAC_EXIT_FROM_IDM_WS). The disadvantage is that the result is sent only once, and in case of a network issue, the result could be lost.

 AC Validation – Risk Analysis Only: This scenario is used if no result handling is necessary. That means that only the Risk Analysis is performed, but no result is needed in IDM.

Combining different Scenarios

By now we know the different scenarios and can decide which combination of scenario we can leverage. The following graphic shows the available integrations:

1. AC Validation – Risk analysis only.
2. Centralized Scenario with AC Polling as a result handling scenario.
3. Centralized Scenario with AC callback service as a result handling scenario.
4. Distributed provisioning with polling.
5. Distributed provisioning with callback service.

SAP GRC IDM Integration

We recommend using the Centralized Scenario so that you have only one provisioning system. That has the advantage that you can find all provisioning details and logs in a single instance. When using this scenario, we recommend the AC Polling method to ensure GRC compliance during provisioning.

The benefits of using the recommended scenario are:

• Only one provisioning system -> everything comes from one system.
• High-reliability -> Polling ask for a result until it gets the result.
• Synchronization between IDM and GRC ensures compliance.

Our highly specialized SAP Access Control (GRC) and SAP Identity Management (IDM) consultants can assist you with questions on this topic, as well as consult during the GRC IDM Integration implementation.