Former Member

IDM, GRC and position based security

We use position based security in our ERP system and are implementing GRC. In our BI system the roles are directly assigned to the User ID, but we need them to dynamically update if a position change occurs. We have this functionality working in QAS by implementing CUA, but we are considering if IDM can be used instead. There seems to be much less documentation on how to configure IDM with position based security (compared to CUA), so I have a few questions.

Assuming IDM is receiving its provisioning requests from GRC, can it be configured to provision a role to the position on one system and a user on another?

How can IdM be configured to react to a position change and update the roles appropriately?

Has anyone implemented GRC and IDM with position based security?




1 Answer

  • Former Member
    Nov 03, 2009 at 07:34 AM

    Hi Wayne,

    In IdM, you can define business roles (for your positions) and map these to the technical roles that you can distribute to your SAP systems.

    You can configure IdM to react to changes in your HCM system and automatically create and distribute roles based upon e.g. the new job description of a user.

    I've attended TechEd, and the SAP recommendation is to use IdM to manage your users and do the provisioning and to use GRC for compliance checking.

    So in HCM the position of a user changes (e.g. promotion), IdM picks this up and proposes a set of roles for the user, IdM sends this to GRC via web service, GRC checks for compliance (SOD) issues and if there are none, GRC tells IdM all is OK, then IdM starts the provisioning. If GRC reports issues, you should have a workflow in place to handle these.

    This is all theory though, I'm just getting started with IdM myself.

    Kind regards,

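The flow described in the answer above (position change, proposed roles, SoD check, then provisioning or a workflow), sketched as an added example that is not part of the original thread and calls no SAP IdM or GRC API. The role names, the conflict rule and the function names are constructed for illustration; the SoD function only stands in for the GRC check.

```python
# Conceptual model only: all role names, positions and functions are hypothetical.

# Business role (one per position) -> technical roles per target system.
BUSINESS_ROLES = {
    "AP_CLERK":   {"ERP": {"Z_AP_INVOICE_ENTRY"}, "BI": {"Z_BI_AP_REPORTS"}},
    "AP_MANAGER": {"ERP": {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"},
                   "BI": {"Z_BI_AP_REPORTS", "Z_BI_FIN_DASHBOARD"}},
    "PURCHASER":  {"ERP": {"Z_VENDOR_MAINTAIN", "Z_PO_CREATE"},
                   "BI": {"Z_BI_PROC_REPORTS"}},
}

# Constructed SoD rule: maintaining vendors and running payments must not be combined.
SOD_CONFLICTS = [frozenset({"Z_VENDOR_MAINTAIN", "Z_AP_PAYMENT_RUN"})]


def roles_for(positions):
    """Union of technical roles per system for all positions a user holds."""
    out = {}
    for pos in positions:
        for system, roles in BUSINESS_ROLES[pos].items():
            out.setdefault(system, set()).update(roles)
    return out


def sod_violations(proposed):
    """Stand-in for the GRC check: conflict sets fully covered by the proposal."""
    held = set().union(*proposed.values())
    return [sorted(c) for c in SOD_CONFLICTS if c <= held]


def plan_position_change(old_positions, new_positions):
    """Return the per-system role delta, or hand off to a workflow on SoD issues."""
    current, proposed = roles_for(old_positions), roles_for(new_positions)
    violations = sod_violations(proposed)
    if violations:
        # Nothing is provisioned until the violation is resolved or mitigated.
        return {"status": "workflow", "violations": violations, "delta": {}}
    delta = {}
    for system in sorted(set(current) | set(proposed)):
        have, want = current.get(system, set()), proposed.get(system, set())
        if have != want:
            # Removing roles of the old position prevents privilege accumulation.
            delta[system] = {"add": sorted(want - have),
                             "remove": sorted(have - want)}
    return {"status": "provision", "violations": [], "delta": delta}


if __name__ == "__main__":
    print(plan_position_change(["AP_CLERK"], ["AP_MANAGER"]))
    print(plan_position_change(["PURCHASER"], ["PURCHASER", "AP_MANAGER"]))
```
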