Hi Experts,
i was wondering if you could help me. I need to connect one SAP System with a HR System and have automatic SAP Role provisioning depending on the organizational unit (special wish 
). In the moment the system is connect to a CUA. The CUA has been configured to communicate over SAP LDAP connector with microsoft active directory (ADAM).
We also have a GRC10 system which is to be implemented for all systems (firefighter, user provisioning, risk analysis)
So as i see it, i have two choices about the automatic provisioning: GRC10 or CUA
Probably to make it work over GRC10 i need to setup a workflow with BRF+ rules so i can have the automatic provisioning based on the organisational units of the employees.
I havent spoke with our AD engineer, but i suppose : organisational unit is not an Active Directory attribute. To make it work we will probably use another attribute as a place holder for organisational unit and sync this field with a sap field from user master data.
So creating a BRF+ rule i could implement a check on the organisational unit and have roles assigned depend on that.
I know this is a GRC forum, but which solution would you recommend? maybe is will be simpler using this automatic role provisioning over CUA and leave GRC10 out of it.
cheers,david