![THEFUTURE_id_4414647645_CC_BY_H.L.I.T._29311691@N05 THEFUTURE_id_4414647645_CC_BY_H.L.I.T._29311691@N05](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizjaDV8bD1MZo_Aj6rSkpNe4LmneKZsUscnw0K_LafOSa44ZJD_joN65CV-amwLQ_1Ac72Q3o_L_lNkXyZkxozT3RXzA1Mtkt048ioKVtriQa19KfDFzdxZhujX27Vg68sThnY/s200/THEFUTURE_id_4414647645_CC_BY_H.L.I.T._29311691%2540N05.jpg)
I've worked with the integration between the two products several times now, and I can honestly say that I have never achieved the results that I wanted. As I've thought about the issues that have kept me from getting what I (and of course, my clients) want, it all seems to come down to the architecture.
The way SAP would have it, GRC is the brains, VDS is the nervous system, and IDM is the muscle. IDM workflow does all the work using the various frameworks (Provisioning, Exchange, GRC, Lotus Notes, etc.), while GRC, reached via VDS, tells it what to do.
The problem as I see it is that there are:
- Too many moving parts - IDM, VDS via WebServices to GRC, back to IDM
- Not enough information that passes back from GRC - We don't see why things are rejected and it's not clear what is happening.
- A lack of ways that conflicts can be addressed from IDM - This means that the "Security Desk" needs to get involved so they can fix the issue.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh7S3j8BL85tr0ch7TXzOvyZx1fuAPUdd2rLCBa9x-cfO9pa-Rw0TI4nyM-lBNIwxprpqsFb42Jicx6Gk5fReuUzaMroAoxVnebnQI9cJMX9JweT8ctGOcOLm3nM_ke10BmuTjm/s200/GRC-comsparkint-dot-com.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp5xNeBDbvpbQQzbDp1vTzk727mOd6XrZyvTaDEIth2xFYcL1YC7ITr6akU7EsEVvJa1fJS91F7p4Q-rpybkVUcZFjZP88wHODeq9XNllVwZJWBLD1LmIMaW7wIxtFwZn2X_kd/s1600/mutual+exclusions.png)
However, as SAP Roles map to IDM Privileges, it would also be necessary for this concept to be extended to the IDM Privilege level.
This is just my opinion, and I have registered it via the survey posted above. Go register yours!