We have onboarded SAP GRC with Access Management mode in IdentityIQ 8.3p1 and able to submit provision/deprovision request on GRC for Business Roles.
We would also like to perform a Risk Analysis for requested GRC Business roles before submitting provisioning request to GRC.
While understanding the Risk Analysis configuration and custom Workflows as per documentation, it seems Risk Analysis is performed only for SAP-Direct and SAP Portal application types.
Customer is planning to request GRC Business Roles only, and wasn’t considering onboarding SAP-Direct and SAP Portal applications integrated with SAP GRC in IdentityIQ.
I am wondering if there is way to perform Risk Analysis on SAP GRC Roles?
You might be able to alter the workflow steps that perform the Risk Analysis requests and act on the responses manually, but that’s not a use-case that is supported by Sailpoint, so the burden to support that integration will fall solely on you and your team.
The Access Management integration mode has 3 major benefits:
It abstracts the downstream SAP systems from IIQ, giving you a single integration point for the entire SAP landscape
It offloads the SAP/GRC risk management, policy definitions, SOD controls, mitigating controls, etc. to the GRC system, allowing the SAP GRC team to wholly manage them on their end as their needs dictate
It offloads provisioning to GRC, which simplifies the IIQ side of the integration by not having to manage or maintain integrations with the various different SAP systems in the SAP landscape
If you really do have a need to incorporate a Risk Analysis component to your GRC integration, the 2 main options that come to mind:
Build a custom process for loading in and modelling the GRC-side risk definitions into native IIQ constructs (like SOD policies, entitlement classifications, risk scores, etc.).
Contact Professional Services and work with them to define your requirements to extend the OOB GRC integration to support your use cases
Obviously #2 will require paid services to build and customize, but part of what you’re paying for in that case is for Sailpoint to provide support for the customizations that they make on your behalf, which will be critical for a long-term integration like this.