
Replace CUA with Identity Management or use IBM SIM tool

Former Member
0 Kudos

Hi Guys, I do not have experience working with the IBM SIM tool or the SAP Identity Management tool, so I am looking for guidance. Any help would be greatly appreciated. Currently, we have IBM Security Identity Manager (SIM), SAP CUA and the SAP child systems in our landscape. The user IDs are provisioned from IBM Security Identity Manager to SAP CUA and from there to the SAP child systems automatically. The role provisioning is done directly in the child systems.

Now we want to do role provisioning centrally from SIM to the SAP systems as part of an organization strategy to centrally manage provisioning to all systems. What is the best option? What are the pros and cons of each option, considering the functionality each tool offers and the maintenance involved?

Option 1: Activate central role provisioning in SAP CUA (SCUM) and have SIM provision the entitlements to SAP CUA. From SAP CUA the role assignments are automatically pushed down to the child systems.

Option 2: Have the SAP adapter installed and configured in IBM SIM, and create connections from SIM to all the SAP child systems. Then provision roles from IBM SIM to each SAP child system directly.

Option 3: Replace SAP CUA with SAP Identity Management; connect all SAP child systems to SAP Identity Management. Then provision roles from IBM SIM to SAP Identity Management, which in turn provisions to the child systems automatically.

Accepted Solutions (1)

jaisuryan
Active Contributor
0 Kudos

Hi Narsing,

I have used option 3 in my previous project, where we connected Tivoli -> SAP IDM -> SAP child systems. We opted for this strategy because there were many (almost 30+) custom Java systems connected to IBM Tivoli, and building connectors for those in SAP IDM seemed redundant.

Apart from SAP systems, what other systems does IBM SIM provision in your landscape? If it is only SAP CUA and child systems, and Active Directory, then the BEST OPTION would be to replace both IBM SIM and CUA with SAP IDM. It's redundant to use two identity management tools just to provision SAP systems and AD.

Option 2 is cost effective and possible. But SAP IDM can connect to SAP child systems (including SuccessFactors and HANA) and Active Directory seamlessly, and has out-of-the-box connectors which are easy to implement and support.

SAP is investing a lot of T&M in this product now, and you can expect more useful identity management features in future. I leave it to the experts here to advocate for SAP IDM over IBM SIM.

Option 1 is not supported anymore, and I wouldn't recommend going with it.

Hope you find this helpful.

Kind regards,

Jai

Former Member
0 Kudos

Hello Jai, thanks for the reply. Apart from SAP systems and AD, IBM SIM provisions to many other systems, so replacing IBM SIM completely with SAP IDM is not an option for us, as that would involve a lot of effort. The decision we have to make is whether to use SIM to manage the SAP systems directly or to use SAP IDM in between SIM and the SAP systems. I am looking to find out what additional features SAP IDM offers compared to SIM, and also the maintenance effort involved.

former_member2987
Active Contributor
0 Kudos

Hi Narsing,

I think in general you will find using SAP IDM as the "middle man" to be the best strategy. I am aware of many organizations that use this approach, where IDM is used specifically for SAP-related provisioning.

While I am sure that SIM is a good product, the fact is SAP IDM has the best connectors (as far as I have seen and experienced) for SAP via the Provisioning Framework.

The basic architecture I would use is to have SIM prepare the users for provisioning into a simple repository such as a flat file or database table, and then have SAP IDM execute that provisioning on a regular basis. The file/table would need to have the relevant information to create the account in the Identity Store and which systems need to be provisioned.

The other advantage here is that you will have a very focused and auditable system for your SAP systems, which will keep users from having to use SAP-related tools that might offer more functionality than you are willing to give. Also, being SAP-specific, you will be able to keep users from having more power over other aspects of your IAM infrastructure.

Just my thoughts. Hope they are helpful.

BR,

Matt
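The staging-table handoff Matt describes above, as an added example that is not part of the thread and not SIM or SAP IDM code: the upstream IdM writes one row per desired (user, child system, role) assignment into a table, and the downstream, SAP-focused IdM periodically reads a batch, validates it, and diffs it against what it provisioned last time so that only the delta goes to the child systems and re-runs are idempotent. The table layout, the system names (ECC_PRD, BW_PRD, HCM_PRD), the role names and the sample rows are all assumptions constructed for this example; the only SAP facts relied on are the 12-character user name and 30-character role name limits.

```python
import sqlite3
from dataclasses import dataclass

# Hypothetical SAP child systems the downstream IdM is allowed to provision into.
KNOWN_TARGETS = {"ECC_PRD", "BW_PRD", "HCM_PRD"}

# Minimal staging table: one row per desired (user, target, role) assignment.
# Column names are assumptions for this example.
STAGING_DDL = """
CREATE TABLE staging (
    batch_id TEXT NOT NULL,
    user_id  TEXT NOT NULL,
    email    TEXT,
    target   TEXT NOT NULL,  -- SAP child system
    role     TEXT NOT NULL   -- PFCG role name
)"""


@dataclass(frozen=True, order=True)
class Assignment:
    user_id: str
    target: str
    role: str


def validate_rows(rows):
    """Return (desired_assignments, errors).

    Rows that fail validation are reported rather than silently dropped, so the
    team owning the upstream feed can fix it; duplicate rows collapse into the set.
    """
    desired, errors = set(), []
    for r in rows:
        uid, target, role = r["user_id"].strip().upper(), r["target"], r["role"]
        if not 1 <= len(uid) <= 12:           # SAP user names are at most 12 characters
            errors.append(f"invalid user_id {uid!r}")
        elif target not in KNOWN_TARGETS:    # never provision into an unknown system
            errors.append(f"unknown target {target!r} for {uid}")
        elif not 1 <= len(role) <= 30:        # PFCG role names are at most 30 characters
            errors.append(f"invalid role name {role!r} for {uid}")
        else:
            desired.add(Assignment(uid, target, role))
    return desired, errors


def plan_changes(desired, current):
    """Diff desired state against what was provisioned on the previous run.

    Only the delta is pushed to the child systems, which makes re-running the
    same batch a no-op instead of producing duplicate assignments or errors.
    """
    return sorted(desired - current), sorted(current - desired)


def load_batch(conn, batch_id):
    """Read one batch from the staging table into plain dicts."""
    conn.row_factory = sqlite3.Row
    cur = conn.execute(
        "SELECT user_id, email, target, role FROM staging WHERE batch_id = ?",
        (batch_id,),
    )
    return [{k: row[k] for k in row.keys()} for row in cur.fetchall()]


def demo():
    """Constructed sample run: two valid users, one duplicate row, one unknown
    system and one user ID that is too long. Returns what a scheduler would act on."""
    conn = sqlite3.connect(":memory:")
    conn.execute(STAGING_DDL)
    rows = [
        ("B1", "jdoe", "jdoe@example.com", "ECC_PRD", "Z_SD_SALES_DISPLAY"),
        ("B1", "jdoe", "jdoe@example.com", "ECC_PRD", "Z_SD_SALES_DISPLAY"),  # duplicate
        ("B1", "jdoe", "jdoe@example.com", "BW_PRD", "Z_BW_REPORT_USER"),
        ("B1", "asmith", "asmith@example.com", "ECC_PRD", "Z_FI_AP_CLERK"),
        ("B1", "asmith", "asmith@example.com", "CRM_PRD", "Z_CRM_AGENT"),   # unknown system
        ("B1", "averyveryverylongid", None, "ECC_PRD", "Z_FI_AP_CLERK"),   # > 12 chars
    ]
    conn.executemany("INSERT INTO staging VALUES (?,?,?,?,?)", rows)
    desired, errors = validate_rows(load_batch(conn, "B1"))
    # What the downstream IdM provisioned on the previous run (constructed).
    current = {
        Assignment("JDOE", "ECC_PRD", "Z_SD_SALES_DISPLAY"),
        Assignment("JDOE", "ECC_PRD", "Z_MM_OLD_ROLE"),  # no longer in the feed -> remove
    }
    to_add, to_remove = plan_changes(desired, current)
    return desired, errors, to_add, to_remove


if __name__ == "__main__":
    desired, errors, to_add, to_remove = demo()
    for e in errors:
        print("REJECT:", e)
    for a in to_add:
        print("ADD   :", a)
    for a in to_remove:
        print("REMOVE:", a)
```

The point of the diff step is the audit trail Matt mentions: every ADD and REMOVE the downstream tool sends can be tied to one batch in the staging table, and rejected rows surface as feed errors instead of disappearing.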

Former Member
0 Kudos

Thanks Matt for the reply. Helpful thoughts.

former_member2987
Active Contributor
0 Kudos

No problem. Please keep us updated!

Chenyang
Contributor
0 Kudos

I think option 3 will be easier to implement and will give better results.

As suggested by Matt, the SAP IdM Provisioning Framework takes care of almost everything for user/role management. In terms of integration between IBM SIM and SAP IDM, I think SIM has an LDAP interface that SAP IDM can connect to directly; that's the easiest solution in my mind.

Best Regards

Chenyang Xiong

Answers (1)

Former Member
0 Kudos

Thanks guys for your thoughts.

Does SAP IDM support requesting role access and the approval workflow, or is it mandatory to integrate it with SAP GRC Compliant User Provisioning to get this feature?

former_member2987
Active Contributor
0 Kudos

Narsing,

Sure it does. Maintaining roles is a key part of IDM's functionality. Taking a look at the Provisioning Framework documentation should give you some information in that direction.

Matt