Application Development Discussions
Auto Script which creates SAP Account when AD gets created.

Former Member
0 Kudos

Hello Experts - Requirement is "Create SAP User account automatically when AD account gets created", can I achieve this through ECATT scripts?

If this is possible, the idea is to create an ECATT script and schedule it to run every night to find all new users in AD, create their accounts in SAP and lock those accounts.

Do you think this can be achieved through ECATTs?

If not ECATT, is there any other way to achieve my objective? We are planning to reduce overhead for SAP user admins; I was thinking of the following steps:

1) New User request for AD

2) After approval create AD account

3) Design a script which will look for all new users in AD and will create & lock them in SAP (nightly job or something)

Your thoughts?

Your suggestions are much appreciated.

Thanks.

14 REPLIES

Former Member
0 Kudos

Aj,

> Requirement is "Create SAP User account automatically when AD account gets created", can I achieve this through ECATT scripts?

Talk with your developer: will they be able to create a program which looks for users created in AD and automatically pulls the script from the program & creates users in SAP? Not an easy task. Best idea is to create manually / ECATT when there is no other workaround. (If you go for third-party tools, funding will be an issue.)

Thanks,

Sri.

Former Member
0 Kudos

There is standard functionality for this in transactions LDAP* or even via more sophisticated provisioning tools such as SAP IdM...

No need to code it on your own...

Cheers,

Julius

0 Kudos

Hi ,

I would totally agree with Julius, most of the companies have started implementing SAP IDM.

If you have GRC 5.3 (CUP) you can do it using the Compliant User Provisioning tool.

You will need JCo connectors to all the systems, including Active Directory, to have the users created all at the same time.

0 Kudos

In this case it can be done simply with an LDAP sync, but if you want to provision users with roles through to the backend systems because your authentication methods support it then IdM is the way to go.

SAP IdM also supports SAML 2.0 as a provider.

This is not a small project but is the correct approach to stagger implementations with a view to the future.

SAPgui scripting is at the other end of the spectrum of investment and realizable security......

Cheers,

Julius

0 Kudos

Hi,

> I would totally agree with Julius, most of the companies have started implementing SAP IDM,

Do you have any numbers for this? For a small landscape you can be fine with CUA when we are talking about SAP systems only (I understand that IdM is much more than user distribution between systems). There are other IdM solutions from different vendors as well. So it's hard to believe that most of the companies have started implementing IdM from SAP.

Anyway, I agree that usually a homemade synchronizing solution is the way to hell. LDAP is the way to go.

Cheers

0 Kudos

> Hi,
>
> I would totally agree with Julius, most of the companies have started implementing SAP IDM,
>
> Do you have any numbers for this? For a small landscape you can be fine with CUA when we are talking about SAP systems only (I understand that IdM is much more than user distribution between systems). There are other IdM solutions from different vendors as well. So it's hard to believe that most of the companies have started implementing IdM from SAP.
>
> Anyway, I agree that usually a homemade synchronizing solution is the way to hell. LDAP is the way to go.
>
> Cheers

"Most of the companies have started implementing SAP IDM" is a redefinition of the term "most", where most = minority.

When IDM 7.2 comes out I expect there to be a fair bit more uptake as there are a good number of improvements that make it easier to integrate into SAP environments. I think a lot of the problems with the gestation of the product under the SAP brand is that SAP have told customers that they should stop using CUA and use IDM instead when they are designed to do very different things.

koehntopp
Product and Topic Expert
0 Kudos

There's more to IdM than creating users.

I actually would like to question the very first sentence:

> Hello Experts - Requirement is "Create SAP User account automatically when AD account gets created"

I'm pretty certain that's not the real requirement, it probably started with someone saying "Can't we make it easier to create SAP accounts after we already have created users in AD?".

Some things to ponder:

- Do ALL AD users need a SAP account? (license cost)

- Is there only one SAP system? What about DEV and QAS systems?

- How do you assign authorizations?

- What do you do when AD information changes?

- What do you do when people change position or leave the company?

If these are all questions you want to address, you might want to look at an identity management solution.

If you haven't thought about any of these yet, call us in a year and we can plan the cleanup project )))

Frank.

0 Kudos

Hi Martin,

I have commented that way because most of the consulting work I have been doing recently is in the field of SAP GRC;

in the past year almost all of my clients have asked for an SAP IdM solution.

The user base for one of the clients was 25,000+;

another is 12,000+.

My practical experience now is that SAP GRC 5.3 clients are also interested only in RAR 5.3 / SPM 5.3;

after implementing these two tools, they straight away jump to SAP IdM.

I think SAP IdM is able to do what CUA or any other centralized tool can do for user administration for both SAP and non-SAP systems; the only thing it cannot perform is Compliant User Provisioning.

This is my opinion.

0 Kudos

> My practical experience now is that SAP GRC 5.3 clients are also interested only in RAR 5.3 / SPM 5.3; after implementing these two tools, they straight away jump to SAP IdM.

This has also been SAP's official recommendation for a few months now. I would not invest any effort in CUP nor ERM at the moment, to be honest.

Cheers,

Julius

0 Kudos

Thanks for your comment. Obviously, you have different experience than me. It looks like your clients are bigger, so I can see that implementing IdM makes more sense for them and it's easier for them to find budget for IdM.

Julius: obviously SAP recommends another product of their own. I am not saying it's a bad product. I played a little bit with IdM 7.1 SP4 and it looks interesting. Has anyone experience with IdM from a different vendor in an SAP landscape?

Cheers

0 Kudos

Hi Martin,

I have a customer with 16 million users in SU01. They don't use IdM and don't need it either at the moment.

I have another customer with 700 users and they are implementing IdM because it makes sense. They need it to reduce complexity.

There are no IdM license costs, unless you provision non-SAP systems.

You can skip GRC by using a well-designed concept for report RSUSR008_009_NEW if it meets your requirements - particularly the number of systems. It does however have its limits (per ABAP client) and is not user friendly at first. Also no nice pie charts for managers, etc.

Emergency user access comes in many shapes and sizes... SAP declined a development suggestion from me to improve the "FireFighter" tool, so I developed it on my own for my customers using BAPIs and they are happy. The main requirement not fulfilled is that the user context changes, so that you lose access to HR data, queries, variants, workflow items, purchase orders, etc. The FireFighter users also become obvious targets of attacks, and the application users (dialog) need authority to change the FireFighter's passwords to use the application - which means that they can use RFC to do the same without using the FireFighter transactions / logs / etc.

Regarding other IdMs, I have experience with some, but documented here on SDN are only the password synchronization problems which Novell suffers from. These "problems" are intentional - or better said --> their own fault for using "hacks"...

If you search for "Novell" you will find them.

Cheers,

Julius

0 Kudos

Thanks Julius. I did not know that there are no license cost issues when you use it only for SAP systems. Still, you need to run a project and pay resources (internal or external) to implement it. I agree with you that the number of users is not the only criterion to justify usage of IdM or not. But I still think that there is a higher chance of adopting IdM with customers who have systems with a high number of users.

I guess you don't want to release your solution as open source

Cheers

0 Kudos

> I guess you don't want to release your solution as open source

I thought about it after SAP declined the development suggestion, but now throw it in for customers who are only missing that segment of the pie once they get there on their own.

You can contact me via my SDN Business Card, as it is not a commercial topic for SDN nor a competitor product if customers are on the right track of enterprise licenses.

> Still you need to run project and pay resources (internal or external) to implement it.

That is omnipresent, depending on the product and the project management. You can also spend a fortune and never go-live...

I would describe SAP IdM more as a development environment than a system which only requires some basic config and hitting the "Go" button. But you don't have to make it look like Michael Jackson in the end when Winnetou does the trick - this is particularly true of the workflows and the requirements for them.

I think we are drifting a bit off topic now... we wanted an AD sync to ABAP (without AD admins being able to log on as emergency users...?)

Cheers,

Julius

Former Member
0 Kudos

Hi,

We had a similar situation, where we needed to create users in MDM as well as in portal systems. So the company maintained two user request forms: one for MDM, another one for portal systems.

First the request comes to the MDM security team, who create the users. Once done, they send an email confirmation that the users are created in the MDM system.

The same list is forwarded to the portal security team, and then the users are created in the portal.

We did not use CATT scripts as it was not allowed.

PS:

The SAP standard offers the option to synchronize ABAP users with an LDAP directory such as Microsoft Active Directory.

The configuration of this interface is described in the SAP Online Help and in the following white paper, "Integration of SAP Central User Administration with Microsoft Active Directory":

BAPI_USER_CREATE

Thanks,

Sri
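For the nightly "find new AD users, create them in SAP and lock them" job from the original question, and the BAPI route mentioned in Sri's PS, the following is an added example (not code from the thread or from SAP) of what the core of such a job looks like when written defensively: the LDAP filter selects only enabled accounts created since the last run, each AD name is mapped to a valid SAP user ID (rejected, never silently truncated, so two AD names cannot collapse onto one SAP ID), the account is created with a throwaway random initial password and then locked at once with BAPI_USER_LOCK, so nobody (including whoever created the AD account) can log on with it until an administrator assigns roles and unlocks it. The RFC connection is replaced by a stand-in class; it assumes the `call(name, **params)` shape of `pyrfc.Connection` and the parameter structures of BAPI_USER_CREATE1 (USERNAME, LOGONDATA, PASSWORD, ADDRESS), which the thread itself does not show. The AD entries and timestamps are constructed sample data.

```python
"""Nightly AD -> SAP provisioning delta: filter, ID mapping, create-then-lock.
The RFC side is a stand-in so the logic runs offline (assumption: real
pyrfc.Connection exposes the same call(name, **params) shape)."""
import re
import secrets
from datetime import datetime, timezone

UAC_ACCOUNTDISABLE = 0x2                          # userAccountControl "disabled" bit
LDAP_BIT_AND_RULE = "1.2.840.113556.1.4.803"      # AD bitwise-AND matching rule OID
SAP_USER_RE = re.compile(r"^[A-Z0-9_]{1,12}$")    # SAP user IDs: upper case, max 12 chars


def ad_generalized_time(dt: datetime) -> str:
    """whenCreated is compared as GeneralizedTime, e.g. 20240501020000.0Z."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S.0Z")


def build_ldap_filter(last_run: datetime) -> str:
    """Server-side filter: enabled person objects created since the previous run."""
    return ("(&(objectClass=user)(objectCategory=person)"
            f"(whenCreated>={ad_generalized_time(last_run)})"
            f"(!(userAccountControl:{LDAP_BIT_AND_RULE}:=2)))")


def to_sap_username(sam_account_name: str) -> str:
    """Map sAMAccountName to an SAP ID; refuse anything that does not fit exactly."""
    name = sam_account_name.upper()
    if not SAP_USER_RE.fullmatch(name):
        raise ValueError(f"{sam_account_name!r} does not map to a valid SAP user ID")
    return name


def bapi_create_params(entry: dict) -> dict:
    """Parameters for BAPI_USER_CREATE1 (structure names are an assumption here)."""
    return {
        "USERNAME": to_sap_username(entry["sAMAccountName"]),
        "LOGONDATA": {"USTYP": "A"},                           # dialog user
        "PASSWORD": {"BAPIPWD": secrets.token_urlsafe(12)},    # never reused: account is locked next
        "ADDRESS": {"FIRSTNAME": entry.get("givenName", ""), "LASTNAME": entry["sn"]},
    }


def is_error(result: dict) -> bool:
    """BAPI RETURN tables carry TYPE E (error) or A (abort) on failure."""
    return any(m.get("TYPE") in ("E", "A") for m in result.get("RETURN", []))


class FakeRfc:
    """Stand-in for the RFC connection: records calls, fails creation for users that exist."""
    def __init__(self, existing):
        self.existing, self.calls = set(existing), []

    def call(self, name: str, **params) -> dict:
        self.calls.append((name, params))
        user = params["USERNAME"]
        if name == "BAPI_USER_CREATE1":
            if user in self.existing:
                return {"RETURN": [{"TYPE": "E", "MESSAGE": f"User {user} already exists"}]}
            self.existing.add(user)
        return {"RETURN": []}


def provision(entries, last_run: datetime, now: datetime, rfc) -> dict:
    """Create each new, enabled AD user in SAP and lock it; report for monitoring."""
    report = {"created": [], "skipped": [], "failed": []}
    for e in entries:
        if not (last_run <= e["whenCreated"] <= now):             # mirrors the LDAP filter window
            continue
        if int(e.get("userAccountControl", 0)) & UAC_ACCOUNTDISABLE:
            continue
        try:
            params = bapi_create_params(e)
        except ValueError as exc:
            report["failed"].append((e["sAMAccountName"], str(exc)))
            continue
        user = params["USERNAME"]
        if is_error(rfc.call("BAPI_USER_CREATE1", **params)):   # already there: leave it alone
            report["skipped"].append(user)
            continue
        if is_error(rfc.call("BAPI_USER_LOCK", USERNAME=user)):  # created but open: needs a human
            report["failed"].append((user, "created but not locked"))
        else:
            report["created"].append(user)
    return report


UTC = timezone.utc
LAST_RUN = datetime(2024, 5, 1, 2, 0, tzinfo=UTC)   # constructed sample timestamps
NOW = datetime(2024, 5, 2, 2, 0, tzinfo=UTC)
SAMPLE_AD_ENTRIES = [                                  # constructed sample AD entries
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe",
     "whenCreated": datetime(2024, 5, 1, 9, 30, tzinfo=UTC), "userAccountControl": 512},
    {"sAMAccountName": "bold", "givenName": "Bo", "sn": "Old",          # handled by an earlier run
     "whenCreated": datetime(2024, 4, 20, 9, 0, tzinfo=UTC), "userAccountControl": 512},
    {"sAMAccountName": "tmpcontract", "givenName": "T", "sn": "Contract",  # disabled in AD
     "whenCreated": datetime(2024, 5, 1, 12, 0, tzinfo=UTC), "userAccountControl": 514},
    {"sAMAccountName": "averyverylongname", "givenName": "A", "sn": "Long",  # no valid SAP ID
     "whenCreated": datetime(2024, 5, 1, 13, 0, tzinfo=UTC), "userAccountControl": 512},
    {"sAMAccountName": "msmith", "givenName": "Mo", "sn": "Smith",      # already exists in SAP
     "whenCreated": datetime(2024, 5, 1, 14, 0, tzinfo=UTC), "userAccountControl": 512},
]


def run_sample():
    rfc = FakeRfc(existing={"MSMITH"})
    return provision(SAMPLE_AD_ENTRIES, LAST_RUN, NOW, rfc), rfc.calls


if __name__ == "__main__":
    print(build_ldap_filter(LAST_RUN))
    print(run_sample()[0])
```

In a real run the filter string would be passed to the directory search and the entries would come back from it; the client-side window check is kept so that a replayed or stale result set cannot re-provision old accounts. The report's "failed" list (created but not locked, or unmappable names) is the part worth alerting on, since those are the cases where the job's safety property, "no new SAP account is usable before an admin has looked at it", does not hold on its own.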