Skip to Content

GRC AC integration scenario and web services

Hi experts,

I am trying to integrate IDM 8.0 with GRC AC 10.0.

By the configuration guide, I could know that there are 3 scenarios in centralized provisioning.

Risk Analysis only, Polling, Call back service.

Among them, 'Risk Analysis Only' scenario is recommended by SAP.

And IDM integrate to GRC AC with numbers of web services which is provided by GRC AC.

IDM is calling the web services through VDS.


Below is my questions ;

1. How 'Risk Analysis Only' scenario works?

For Polling and Call back service scenario, it seems clear how IDM get result from GRC AC.

But for Risk Analysis Only scenario, it is little confusing to me.

When a user request assignment for a privilege or a role, IDM will send the information to GRC AC.

And there could be 3 cases.

case 1. there is no SoD risk.

case 2. there is SoD risk and risk manager will reject it.

case 3. there is SoD risk and risk manager will mitigate it.


For case 1, IDM may know the result of risk analysis immediately with return value of web service.

For case 2 and 3, there must be a interaction of risk manager of GRC AC.

In this case, do IDM wait until it rejected of mitigated?


2. Which web service is used for each scenario?


best regards,


Add comment
10|10000 characters needed characters exceeded

1 Answer

  • Posted on Apr 24, 2019 at 04:43 AM

    In the Config Guide, I missed below paragraphs..


    Process Risk Status

    This internal execution task uses the Java library method to process the risk status. The status is handled in the following way:

    ● An error occurred when processing the risk analysis, i.e. something unpredictable has happened (something went wrong), and no status is obtainable: the utility task Group Failed is executed. It uses the Java library method and removes all pending objects in the particular pending object group without applying them to the user (i.e. the roles and privileges will not be assigned).

    ● The risk analysis is successfully performed: the roles/privileges with the risk are added to the pending value object. Roles/privileges will either be applied if no risks are discovered (and thus the subsequent provisioning tasks will be executed), or declined if any risks are discovered (no provisioning will then take place, i.e. the subsequent tasks will not run).


    So when there is any Risk, the IDM will just reject the assignment request.


    (just left this stupid question for anyone who may benefit from it)

    Add comment
    10|10000 characters needed characters exceeded

    • There are no stupid questions, especially when they are so well thought through like yours. ;)

      Don't forget to accept your own answer as the correct one. That's absolutely permitted and will not count towards your karma (well, it does on another level than the SCN karma ^^).