We are implementing SAP GRC integration in SailPoint IdentityIQ using the legacy Risk Analysis integration module, based on client requirements.
The client’s primary use case for SAP GRC is SoD (Segregation of Duties) checks, but they also want to manage Firefighter access through the same integration.
While reviewing SailPoint Compass discussions, I found references indicating that the SAP GRC connector was enhanced in IIQ 8.4p3 and later to support Firefighter ID management in addition to Risk Analysis capabilities.
I would like clarification on the following points:
Can the SAP GRC connector support both:
Risk Analysis (SoD checks), and
Firefighter access management
simultaneously within the same implementation?
Is Firefighter functionality supported when using the legacy Risk Analysis integration mode, or does it require a different integration approach/module?
Are there any prerequisites, configuration changes, or specific SAP GRC versions required to enable Firefighter management in IIQ 8.4p3+?
Has anyone implemented this successfully in a production environment? If yes, are there any limitations or best practices to be aware of?
Any guidance or documentation references would be appreciated.
Hi @nitinbibm - in short, yes, the SAP GRC connector supports both; however, the caveat is that you have to select one or the other, as it will not do both simultaneously on the same connector. One option is to set up two connectors with the different configurations.
It cannot operate in Risk Analysis mode and Access Management (Firefighter) mode simultaneously within a single Application definition. You must configure two separate Application objects in IIQ pointing to the same SAP GRC instance.
Application A (Risk Analysis): Configure this with the integration mode set to Risk Analysis. This is used during the Access Request workflow to intercept the plan and send it to GRC for SoD validation.
Application B (Access Management: Firefighter Provisioning): Configure this using the Access Management integration mode. This application will manage the Firefighter IDs and Roles as requestable entitlements.
Legacy Risk Analysis mode is strictly for checking. Firefighter management requires the Access Management integration module.
Please make sure your version and dependencies are updated as per the SAP GRC documentation. You need to set up a few Firefighter ID permissions.
Based on the documents, here are some recommendations for Prod:
If you try to run Risk Analysis on a Firefighter request, GRC will often fail because FF access is designed to bypass SoD. So skip analysis for FF.
Both Apps should have exact same native identifier.
You need to introduce a custom workflow for proper routing. If FF is selected, you don't need SoD analysis.
For Firefighter I understood we will have to create a separate application, but I did not understand why we need a custom workflow for routing. If we don't select "enable risk analysis" on the secondary application, will it still call GRC for risk analysis? Can you please help more on "Both Apps should have exact same native identifier"?
@nitinbibm IIQ is using standard SAP Library to make necessary API calls for GRC Risk analysis. If you uncheck Risk Analysis, IIQ should skip the analysis (but we need to test it out to confirm).
Keeping the same identifier means the same Identity Attribute so that you can use the same config for both apps for proper correlation.
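To make the routing rule from the replies above concrete (two Application objects against one GRC instance, the same native identifier on both, SoD analysis only for the Risk Analysis application and never for Firefighter requests), here is an added example in Python. It is a standalone model of the routing decision, not IdentityIQ workflow code and not SailPoint's or SAP's API; the application names, attribute names, role names and the SoD conflict table are constructed for the demo.

```python
"""Model of the two-application SAP GRC routing described in the thread.

Added example; nothing here calls IdentityIQ or SAP GRC. All names are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

RISK_ANALYSIS = "RiskAnalysis"          # legacy mode: SoD checking only
ACCESS_MANAGEMENT = "AccessManagement"  # mode that owns Firefighter IDs/roles


@dataclass(frozen=True)
class GrcApplication:
    name: str
    mode: str
    native_identifier: str      # identity attribute both apps correlate on
    risk_analysis_enabled: bool


@dataclass(frozen=True)
class AccountRequest:
    application: str
    entitlements: tuple         # roles or Firefighter IDs being requested


def validate_pair(sod_app: GrcApplication, ff_app: GrcApplication) -> List[str]:
    """Checks the configuration constraints from the thread before routing."""
    problems = []
    if sod_app.mode != RISK_ANALYSIS:
        problems.append(f"{sod_app.name}: expected mode {RISK_ANALYSIS}, got {sod_app.mode}")
    if ff_app.mode != ACCESS_MANAGEMENT:
        problems.append(f"{ff_app.name}: expected mode {ACCESS_MANAGEMENT}, got {ff_app.mode}")
    if sod_app.native_identifier != ff_app.native_identifier:
        problems.append("native identifier differs: "
                        f"{sod_app.native_identifier} vs {ff_app.native_identifier}")
    if ff_app.risk_analysis_enabled:
        problems.append(f"{ff_app.name}: risk analysis must be disabled for Firefighter requests")
    return problems


def route_plan(requests: Sequence[AccountRequest],
               apps: Sequence[GrcApplication],
               run_sod_check: Callable[[tuple], str]) -> Dict[str, str]:
    """Routes each request; run_sod_check stands in for the GRC risk analysis
    call and is invoked only for requests owned by the Risk Analysis app."""
    by_name = {a.name: a for a in apps}
    outcomes = {}
    for req in requests:
        app = by_name.get(req.application)
        key = f"{req.application}:{','.join(req.entitlements)}"
        if app is None:
            outcomes[key] = "rejected: unknown application"
        elif app.mode == ACCESS_MANAGEMENT:
            # Firefighter access is designed to bypass SoD, so GRC is not asked.
            outcomes[key] = "firefighter: provision without SoD analysis"
        elif app.risk_analysis_enabled:
            outcomes[key] = "sod: " + run_sod_check(req.entitlements)
        else:
            outcomes[key] = "sod: analysis disabled on application"
    return outcomes


# Constructed conflict table for the fake GRC check (hypothetical role names).
CONSTRUCTED_SOD_CONFLICTS = {frozenset({"Z_AP_INVOICE_POST", "Z_AP_VENDOR_MAINT"})}


def fake_grc_sod_check(entitlements: tuple) -> str:
    """Stand-in for the GRC risk analysis call, not the real API."""
    requested = set(entitlements)
    for conflict in CONSTRUCTED_SOD_CONFLICTS:
        if conflict <= requested:
            return "violation " + "+".join(sorted(conflict))
    return "clean"


SAMPLE_APPS = (
    GrcApplication("SAP GRC - Risk Analysis", RISK_ANALYSIS, "sapUserId", True),
    GrcApplication("SAP GRC - Firefighter", ACCESS_MANAGEMENT, "sapUserId", False),
)
SAMPLE_REQUESTS = (
    AccountRequest("SAP GRC - Risk Analysis", ("Z_AP_INVOICE_POST", "Z_AP_VENDOR_MAINT")),
    AccountRequest("SAP GRC - Risk Analysis", ("Z_DISPLAY_ONLY",)),
    AccountRequest("SAP GRC - Firefighter", ("FF_BASIS_01",)),
)


def demo() -> Dict[str, str]:
    """Validates the constructed pair and routes the constructed plan."""
    assert not validate_pair(*SAMPLE_APPS)
    return route_plan(SAMPLE_REQUESTS, SAMPLE_APPS, fake_grc_sod_check)


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(key, "->", outcome)
```

The point of `validate_pair` is that a mismatched native identifier or risk analysis left enabled on the Firefighter application is caught at configuration time rather than showing up as correlation errors or failed GRC calls in a live request.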