Former Member

End User Authentication v5.3 versus v10.0

I'm having an extremely hard time getting a straight answer to this question.

In GRC v5.3 we allow end users to log into the GRC system using their LDAP / Global Directory Credentials. Anyone who has a valid Global Directory account is part of the "Everyone" group in the UME. We've given all the UME roles required to approve CUP tickets to the "Everyone" group. So, anyone who has an account in the Global Directory can approve a CUP ticket if it has been assigned to them. This is extremely helpful, because we require supervisors to sign off directly on all access requests for their direct reports.

There does not seem to be any way to do this in GRC v10. The only solution I've been shown so far is to sync every record in my Global Directory into the GRC system. Then, we need to identify everyone who might be an approver, and give their GRC account that authority. This is problematic for a number of reasons. First, there are over a million records in our global directory system. It's not feasible to sync all of them. Even if we did, there is no mechanism for determining who could be an approver, which people are managers, etc. Second, this would require our GRC users to manage a second account and password separate from their Global Directory credentials. Many of these users may go long periods of time between GRC logins. Their accounts are going to be locked or deleted from inactivity. We will be in a constant cycle of creating and re-creating GRC accounts.

I'm looking for some solution that will allow end users to log into GRC using their Global Directory credentials without needing an SAP account in the GRC system. It was possible in version 5.3.


1 Answer

  • Former Member
    Dec 19, 2013 at 05:04 PM

    For actual usage of the GRC system, i.e. approving requests etc., the user has to have an active account within the GRC system itself; therefore they cannot log in via a generic front end using their LDAP credentials.

    The specific users (Role Owners, Risk Owners, EAM Controllers/Owners, Mitigation Control Owners etc.) require the correct level of access, which is determined by the ABAP roles assigned. Version 5 was all Java/UME role based; therefore that concept was pretty relaxed and easy to manage. With GRC 10.0, authorisations have got even more detailed.
