Thursday, March 21, 2013

The future of SAP GRC

THEFUTURE_id_4414647645_CC_BY_H.L.I.T._29311691@N05There has been quite a bit of  discussion about the potential futures of SAP IDM and SAP GRC. SAP has just started a survey so that they can get customer input. I would encourage all customers using or considering these products to take the poll.

I've worked with the integration between the two products several times now, and I can honestly say that I have never achieved the results that I wanted. As I've thought about the issues that have kept me from getting what I (and of course, my clients) want, it all seems to come down to the architecture.

The way SAP would have it, GRC is the brains, VDS the nervous system, and IDM is the muscle.  IDM workflow does all the work using the various frameworks (Provisioning, Exchange, GRC, Lotus Notes, etc.) while it checks with GRC via VDS to tell it what to do.

The problem as I see it is that there are:
  • Too many moving parts -  IDM, VDS via WebServices to GRC, back to IDM
  • Not enough information that passes back from GRC - We don't see why things are rejected and it's not clear what is happening.
  • A lack of ways that conflicts can be addressed from IDM - This means that the "Security Desk" needs to get involved so they can fix the issue.
So how should this be addressed?  I think through either a tighter integration that is more direct and thicker, that is one where more information is passed, so that IDM becomes the "face" of GRC allowing for mitigation and remediation activities.  However I do not know that the current SAP architecture really supports this. therefore I think it makes more sense for IDM to "consume" GRC and make the GRC functionality part of IDM.

IDM already has a very basic concept of Segregation of Duties through Role Mutual Exclusion functionality.  Having logic that determines what should be "Mutually Excluded" from GRC type functionality makes sense.

However as SAP Roles map to IDM Privileges it would also be necessary for this concept to be extended to the IDM Privilege level.

Finally this new functionality would need to include the ability to implement periodic entitlement reviews (sometimes referred to as attestation or certification) Since in a typical SAP Landscape implementation IDM is connected to HCM with Manager and Organizational properties already defined, IDM is in an excellent position to use it's Presentation Layer, Notifications and Identity Store Database to support this.

This just my opinion and I have registered it via the survey posted above.  Go register yours!

No comments: