Customer Solution Adoption June 2011
AC 10.0 Customizing Workflows for Access Management
Purpose of this document
This document allows implementation consultants and administrators to
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license
agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the
implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
Agenda
Workflows in Access Control
Streamlined User Access Management in SAP BusinessObjects Access Control 10.0
Configuring MSMP Workflows
Extending Workflows Using Function Modules
Extending Workflows Using BRFplus
Structure of a Workflow
Access Control’s Compliant User Provisioning Functionality
Standard path (diagram): Initiator -> Stage 1 -> Stage 2 -> ... -> Stage n -> Provisioning (optional)
Alternative path branching from the same initiator (diagram): Stage 1 -> ... -> Stage n -> Provisioning (optional)
New Feature Highlights
Focus Area | What Does It Do? | What Is the Value?
Access Control Harmonization | Unifies all Access Control capabilities on a standardized ABAP platform, offering enterprise supportability, granular security, transport, and archiving. | Lowers TCO by eliminating redundancy in administration, configuration, setup, and end-user training.
Unified Compliance Platform | Harmonizes Access Control with Risk Management & Process Control; offers shared processes, data, and user interface across the GRC suite. | An enterprise GRC platform approach allows you to have complete management of all risks and controls from a single environment.
Streamlined User Access Management | Standardizes on improved workflow that supports flexible, multi-tiered routing and approval matrices. Dynamic user request forms based on user or system selected. | Tailoring of routing requirements for simple to highly complex organizations. New request forms improve user adoption and usability.
(role management; focus area label missing from the extracted slide) | Provides a standardized role compliance framework, centralized across organizations, systems, and applications. Translates roles into terms business users can understand. | Streamlines management of technical roles and eases identification and selection of appropriate roles for users, positions, and jobs.
Centralized Emergency Access | Centralizes firefighting and administration across all systems. New workflow provides an auditable process for tracking log report approval. | Reduces the effort required to grant and provision emergency access to multiple systems. Provides a structured, documented process around emergency access.
Improved Identity Management | Improves compliant provisioning for customers already using IdM. Allows for initiation of risk | Provides flexibility to ensure an enterprise
Streamlined User Access Management
Access Control standardizes on SAP Business Workflow technology and supports more flexible and tailored access request and approver views, simplifying the provisioning process.
Solution Enhancements:
Standardized on SAP Business Workflow technology
Access request enhancements:
  New customizable access request forms
  New template-based access requests
  New position-based role assignment requests
  New end-user display of profile, access assignments, and request history
  Enhanced search for roles, groups, and systems based on authorization
New customizable approver views
New multiple rule set support
Enhanced periodic reviews for user access and access risks
Key Benefits:
Business workflow reduces manual tasks and streamlines access request processing
Leverage existing resources for workflow administration and configuration
Faster and easier for users to request the roles they need
Utilize the existing HR structure for automated and compliant position-based role assignment
Improved security and richer request context
Workflow Key Terms in SAP BusinessObjects AC 10.0
Mapping Previous Workflow Terms to the New Workflow Functionality
One process ID can have multiple request types, for example:
  Access Request: Create Request, Change Request, etc.
  Function Approval: Update Function, Delete Function, etc.
One initiator rule can trigger multiple paths, based on the rule result value.
Prerequisites
The following configuration should have been completed as part of the initial post-installation steps:
GRC_MSMP_CONFIGURATION BC Set has been activated
Perform Automatic Workflow Customizing
Perform Task-Specific Customizing
Activate Event Linkage
Define number ranges for Access Requests
Roles and Users
Create users and roles as required. At a minimum you need an administrator for configuration, an approver, and a standard business user for creating requests.
For workflow maintenance:
SAP_GRAC_MSMP_WF_ADMIN_ALL - Administrator role for MSMP workflows
SAP_GRAC_MSMP_WF_CONFIG_ALL - Configuration role for MSMP workflows
For workflow management:
SAP_GRAC_ACCESS_APPROVER - Approver for Access Request and User Access Review
SAP_GRAC_CONTROL_APPROVER - Approver for Control Maintenance and Assignment requests
SAP_GRAC_SUPER_USER_MGMT_OWNER - Approver for Firefighter Log
SAP_GRAC_FUNCTION_APPROVER - Approver for Function Maintenance
SAP_GRAC_RISK_OWNER - Approver for Risk Maintenance and SoD Risk Review
These are SAP-delivered template roles: copy them into your own namespace and restrict the copies before assigning them, rather than assigning the delivered roles directly. Keep the workflow configuration roles separate from the approver roles, since a user who can both change agent rules or route mapping and approve requests can route requests to themselves.
Configuration Parameters
The configuration parameters are set in IMG under Governance, Risk and
Provisioning Settings
The provisioning settings are configured in IMG under Governance, Risk and Compliance > Access Control > User Provisioning > Maintain Provisioning Settings.
Maintain MSMP Workflow
Overview
The configuration tool is launched in IMG under Governance, Risk and Compliance > Access Control > Workflow for Access Control > Maintain MSMP Workflows.
These activities allow you to customize and maintain the Multi-Stage Multi-Path (MSMP) process workflows for Access Control 10.0.
Maintain MSMP Workflow
1. Process Global Settings
Predelivered Process IDs:
Access Request Approval Workflow
Access Request Approval Workflow for HR OM Objects
Control Assignment Approval Workflow
Mitigation Control Maintenance Workflow
Fire Fighter Log Report Review Workflow
Function Approval Workflow
Risk Approval Workflow
Role Approval Workflow
SOD Risk Review Workflow
User Access Review Workflow
2. Maintain Rules
There are different Rule Kinds according to the rule’s objective:
Initiator Rule
Agents Rule
Routing Rule
Notification Variables Rule
Rules can be implemented in different ways; these are the Rule Types:
BRFplus Rule
Function Module Based Rule
ABAP Class Based Rule
Maintain MSMP Workflow
2. Maintain Rules: Rule Kinds
Rule Kinds:
• Initiator Rule – determines the path upon submission of the request
• Agents Rule – determines the recipients of a stage
• Routing Rule – determines a detour routing based upon an attribute of the request (for example, SoD Violations Exist, Training Verification, No Role Owner)
Maintain MSMP Workflow
2. Maintain Rules: Rule Types
Rule Types:
• BRFplus Rule: a rule defined in the BRFplus application; the rule result is derived from the conditions maintained inside the rule.
• Function Module Based Rule: a function module is coded to return the rule result.
• ABAP Class Based Rule: an ABAP class is coded to return the rule result.
Maintain MSMP Workflow
2. Maintain Rules: Results for Initiator and Routing Rules
Maintain MSMP Workflow
3. Maintain Agents
Agent Purpose:
Notification: recipients of email notifications
Approval: recipients who process the request
Agent Types:
GRC API Rules, coded according to the rule's type
Directly Mapped Users
PFCG Roles
PFCG User Groups
Maintain MSMP Workflow
3. Maintain Agents: Directly Mapped Users
Maintain MSMP Workflow
3. Maintain Agents: PFCG Roles and User Groups
Maintain MSMP Workflow
3. Maintain Agents: GRC API Rules
API to be completed
Maintain MSMP Workflow
4. Variables and Templates
Notifications can be sent on different events, such as:
New Work Item
Approval
Rejection
Escalation
Request submission
Request closure
Reminder
In this step all templates for email notifications are maintained. The templates are created using transaction SE61.
Maintain MSMP Workflow
5. Maintain Paths
Here the actual workflows are configured. The paths belonging to a specific Process ID are built by assigning a sequence of stages to each path.
Each stage is configured in this screen as well as
Maintain MSMP Workflow
5. Maintain Paths: Stage Details
Stage settings specific to Path and Stage Sequence Number
Default Stage Details Settings
Maintain MSMP Workflow
5. Maintain Paths: Modify Task Settings
Maintain MSMP Workflow
6. Maintain Route Mapping
In this step you define the mapping between rule results and paths; this mapping is what routes a request onto a path.
The global initiator rule is always used. If multiple paths are required, the initiator rule must return a different result value for each path, and each result value is mapped to exactly one path here.
Maintain MSMP Workflow
7. Generate Versions
Changes made in the steps above only take effect once a new version has been generated: save the configuration, then generate the version before testing with a new request.
Creating a Function Module Rule
Overview
Function module rules allow developers to create complex rules in ABAP code. The activities needed to create an FM rule are:
Create Function Group in SE37: the function modules will be added to this group.
Define Workflow Related MSMP Rules: generates the FM rule content from a template, before you maintain it.
1. Create Function Group in SE37: preparing for creating a function module
2. Define Workflow Related MSMP Rules: generating the function module
3. Maintain Function Module in SE37: customizing the ABAP code
BRFplus Workbench
The BRFplus Workbench is a user interface (UI) that lets users define, test, and maintain rules for various business scenarios without writing ABAP code. Rules can be created for initiators, for agents, and for routing workflows on specific conditions.
Business Rule Framework
Creating a BRFplus Rule
Overview
There are two main activities relevant to maintaining BRFplus rules; they are located in IMG under Governance, Risk and Compliance > Access Control > Workflow for Access Control:
Define Workflow Related MSMP Rules: for generating the rule before maintaining it
Define Business Rule Framework: launches the UI for
Define Workflow Related MSMP Rules
The activity is worked through in four screens: Overview, Rule Info, Generation of Options, and Test Rule.
Define Business Rule Framework
Maintaining Conditions
In this activity you select the request fields that the decision table checks.
The condition columns are maintained via the Table Settings button.
Setting up an Initiator/Agent Rule
Condition Columns
Navigate to the structure that contains the condition items: GRAC_S_REQUEST_RULE_HEADER. Note that custom fields are only available to rules created AFTER the custom field itself was created.
Setting up an Initiator/Agent Rule
Items can be selected from multiple structures; role line items are located in structure GRAC_S_REQUEST_RULE_LINE.
Setting up an Initiator/Agent Rule
Table Settings
Setting up an Initiator/Agent Rule
Decision Table Values
Now the condition statement can be configured.
Click the icon in each field and select Direct Value Input to enter the value(s) for the condition:
Setting up an Initiator/Agent Rule
Input each condition statement:
Choose the expression type (is equal to, is not equal to) from the dropdown list.
Enter the value that the condition should match. Use the icon to add further values (combined with OR) if the condition needs more than one value.
Repeat, as needed, for the other condition fields:
Setting up an Initiator/Agent Rule
Condition Statements
Condition Example:
The condition statement above means:
Request Type is equal to 001 AND Priority is NOT equal to 001 AND Employee Type is between 000 and 999.
All conditions in a row are combined with AND: only if every condition is true does the row match and return its result value(s).
Finally, set the values of the result columns. The result objects are highlighted in green.
• Initiator/Routing Rules: the result column is RULE_RESULT; its value is mapped to a path in the MSMP workflow configuration (Maintain Route Mapping).
• Agent Rules: the result column is USER_ID, which returns an agent (for notification or approval).
Notes:
• Always configure LINE_ITEM_KEY with the context parameter ITEMNUM.
• Remember to add a "catch-all" row (a row with no condition values) if the rule must always return a result; place it last, because rows are evaluated top-down and the first match wins. An initiator rule that returns no result value leaves the request without a path, and an agent rule that returns no USER_ID leaves the stage without an approver.
Setting up an Initiator/Agent Rule
Make sure there is a green light next to both the decision table and the function; click Save and then Activate to get there. The BRFplus rule is now ready for use in MSMP Workflows. Note that MSMP refers to the rule by its BRFplus Function ID, not by the rule name.
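The following is an added example, not SAP code and not part of the original deck: it models offline how the decision table built above is evaluated (condition columns combined with AND within a row, the "is equal to", "is not equal to" and "between" operators, the RULE_RESULT and USER_ID result columns, and the catch-all row) and how the result feeds the route mapping from step 6. The field names REQTYPE, PRIORITY and EMPTYPE, every value, the path names, and the single-match versus multi-match behaviour are assumptions made for illustration; the real rule runs inside BRFplus and reads GRAC_S_REQUEST_RULE_HEADER.

```python
# Added example: offline model of MSMP decision-table evaluation and route mapping.
# Field names, values and path names are constructed for illustration.
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Condition:
    """One condition cell: a request field, an operator and a comparison value."""
    field_name: str
    op: str       # "eq" (is equal to), "ne" (is not equal to), "between"
    value: Any    # scalar for eq/ne, (low, high) tuple for between

    def holds(self, request: dict) -> bool:
        actual = request.get(self.field_name)   # a missing field behaves as initial
        if self.op == "eq":
            return actual == self.value
        if self.op == "ne":
            return actual != self.value
        if self.op == "between":
            low, high = self.value
            return actual is not None and low <= actual <= high
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass(frozen=True)
class Row:
    """One decision-table row; an empty condition tuple is the catch-all row."""
    conditions: tuple
    result: str

    def matches(self, request: dict) -> bool:
        return all(c.holds(request) for c in self.conditions)   # AND across columns


class DecisionTable:
    """Rows are evaluated top-down. Single match returns the first hit
    (initiator/routing rules); multi match returns every hit (agent rules,
    where several approvers may be valid at once)."""

    def __init__(self, rows, multi_match=False):
        self.rows = list(rows)
        self.multi_match = multi_match

    def evaluate(self, request: dict) -> list:
        hits = [row.result for row in self.rows if row.matches(request)]
        return hits if self.multi_match else hits[:1]

    def possible_results(self) -> set:
        return {row.result for row in self.rows}

    def has_catch_all(self) -> bool:
        return any(not row.conditions for row in self.rows)


def unmapped_results(table: DecisionTable, route_mapping: dict) -> set:
    """Result values the initiator can return that have no path in the route mapping."""
    return table.possible_results() - set(route_mapping)


def route_request(table: DecisionTable, route_mapping: dict, request: dict) -> str:
    """Run the initiator rule and resolve the path, failing loudly on the two
    configuration mistakes discussed above: no result, or an unmapped result."""
    results = table.evaluate(request)
    if not results:
        raise LookupError("initiator rule returned no result: add a catch-all row")
    if results[0] not in route_mapping:
        raise LookupError(f"rule result {results[0]!r} is not mapped to a path")
    return route_mapping[results[0]]


# Constructed initiator table mirroring the condition example on this page:
# Request Type = 001 AND Priority <> 001 AND Employee Type between 000 and 999.
INITIATOR = DecisionTable([
    Row((Condition("REQTYPE", "eq", "001"),
         Condition("PRIORITY", "ne", "001"),
         Condition("EMPTYPE", "between", ("000", "999"))), "NEW_STANDARD"),
    Row((Condition("REQTYPE", "eq", "001"),
         Condition("PRIORITY", "eq", "001")), "NEW_HIGH_PRIO"),
    Row((), "DEFAULT"),   # catch-all row, last so it fires only when nothing else matches
])

# Constructed route mapping (step 6): every RULE_RESULT value gets exactly one path.
ROUTE_MAPPING = {
    "NEW_STANDARD": "ZPATH_STANDARD",
    "NEW_HIGH_PRIO": "ZPATH_HIGH_PRIO",
    "DEFAULT": "ZPATH_STANDARD",
}

# Constructed agent table: USER_ID results, multi match so both rows can return.
AGENTS = DecisionTable([
    Row((Condition("REQTYPE", "eq", "001"),), "MANAGER01"),
    Row((Condition("REQTYPE", "eq", "001"),
         Condition("PRIORITY", "eq", "001")), "SECOFFICER"),
], multi_match=True)


if __name__ == "__main__":
    req = {"REQTYPE": "001", "PRIORITY": "002", "EMPTYPE": "100"}
    print(route_request(INITIATOR, ROUTE_MAPPING, req))                # ZPATH_STANDARD
    print(AGENTS.evaluate({"REQTYPE": "001", "PRIORITY": "001"}))      # ['MANAGER01', 'SECOFFICER']
    print(unmapped_results(INITIATOR, {"NEW_STANDARD": "ZPATH_STANDARD"}))  # {'NEW_HIGH_PRIO', 'DEFAULT'}
```

The unmapped_results check is the one worth running before generating a version: every value the initiator table can produce must appear in the route mapping, and the table must contain a catch-all row, otherwise some requests will have no path.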
Resources
AC 10.0 How to Customize Notification Templates
http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3
SAP Community Network
http://www.sdn.sap.com/irj/bpx > Key Topics > Access Control
SAP Service Marketplace Documentation: https://service.sap.com/instguides
SAP Help
http://help.sap.com > SAP Business User > GRC Solutions
Wrap-Up
SAP's comprehensive approach to GRC leverages the standard SAP Business Workflow technology. SAP provides ready-to-use content for configuring basic workflow scenarios.
Complex criteria can be coded for routing requests and determining workflow and notification recipients by using ABAP code
Workflow recipients can be easily determined by using role and user group assignments
Email notification can be customized on specific events
New request form improves user adoption with a consistent user experience in all GRC components
Thank You!
Contact information: Luis Bustamante
© 2011 SAP AG. All rights reserved