How to mapping account permissions from application, SAP ?

Dear all, 

I am learning about NetIQ solution, please help me share some of the following information: 

If integrating IAM/IGA with SAP or other apps, Can we mapping role permissions for SAP database accounts to IAM/IGA ? 

And how can IAM/IGA deeply control permissions across applications ?

So, What methods and mechanisms are there to map and synchronize application permissions with IAM/IGA ?

Thanks in advance 

  • 0  

    Yes, you can consume roles in SAP into IG. 

    I will suggest that instead of collecting every possible permission in SAP into IG, instead you should consume only the roles that are managed by your organization, and used to grant access. If you SAP permissions are setup so that everyone has exceptional one off access, and you are not using roles, then that is vary hard to manage, and adding it to IG will not help the situation.  

    IG does have tools to help identify groups of users with similar access - this is role mining.  From there you could improve how you manage access in an app.

    IG can control permissions across applications with fulfillment. When a review is conducted and a change is made to access, OR when a request for new access is approved, this creates a fulfillment item, which is then routed to the fulfillment config to each app.  That fulfiller then makes the change either directly against the app, or the fulfiller might open a ticket, or it might hand off fulfillment to an IDM system that is already doing provisioning deprovisioing.  Its very flexible.

    --Jim

  • 0 in reply to   

    Thank Jimbot, 

    So the collecting permission is one way or bidirectional ? I see on the docs, can synchronized account and permission when created user on AD or created on IG. correct ? 

  • 0   in reply to 

    Hello,

    Collectors are not bidirectional. 

    The data is pulled into Identity Governance via Collectors.  There are certain update actions that are performed via Fulfillers.  Also, not all customers want to update the backend system from Identity Governance.  For Example: some require creating tickets in ServiceNow,

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity