
AC 10.0 Customizing Workflows for Access Management
Customer Solution Adoption
June 2011

Version 2.0

Purpose of this document


This document allows implementation consultants and administrators to
set up the required functionality for enabling the workflow engine in AC 10.0.
You will learn the main components of the new workflow engine and how to
customize them, and how to create agents and initiators using Function
Modules and BRFplus.

Disclaimer
This presentation outlines our general product direction and should not be relied on
in making a purchase decision. This presentation is not subject to your license
agreement or any other agreement with SAP. SAP has no obligation to pursue any
course of business outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and SAP's strategy
and possible future developments are subject to change and may be changed by
SAP at any time for any reason without notice. This document is provided without a
warranty of any kind, either express or implied, including but not limited to, the
implied warranties of merchantability, fitness for a particular purpose, or noninfringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly
negligent.

2011 SAP AG. All rights reserved.

Agenda

Workflows in Access Control
Streamlined User Access Management in SAP BusinessObjects Access Control 10.0
Configuring MSMP Workflows
Extending Workflows Using Function Modules
Extending Workflows Using BRFplus
Wrap-Up


Workflows in Access Control

Structure of a Workflow
Access Control's Compliant User Provisioning Functionality

[Diagram: Initiator; Standard Path: Stage 1, Stage 2, ..., Stage n, Provisioning (optional); Detour Path: Stage 1, ..., Stage n, Provisioning (optional)]


Streamlined User Access Management in SAP BusinessObjects Access Control 10.0

New Feature Highlights: Streamlined User Access Management

Focus Area: Access Control Harmonization
What Does It Do? Unifies all Access Control capabilities on a standardized ABAP platform, offering enterprise supportability, granular security, transport, and archiving.
What Is the Value? Lowers TCO by eliminating redundancy in administration, configuration, setup, and end-user training.

Focus Area: Unified Compliance Platform
What Does It Do? Harmonizes Access Control with Risk Management & Process Control; offers shared processes, data, and user interface across the GRC suite.
What Is the Value? An enterprise GRC platform approach allows you to have complete management of all risks and controls from a single environment.

Focus Area: Streamlined User Access Management
What Does It Do? Standardizes on improved workflow that supports flexible, multi-tiered routing and approval matrices. Dynamic user request forms based on user or system selected.
What Is the Value? Tailoring of routing requirements for simple to highly complex organizations. New request forms improve user adoption and usability.

Focus Area: Business Role Governance
What Does It Do? Provides a standardized role compliance framework, centralized across organizations, systems, and applications. Translates roles into terms business users can understand.
What Is the Value? Streamlines management of technical roles and eases identification and selection of appropriate roles for users, positions, and jobs.

Focus Area: Centralized Emergency Access
What Does It Do? Centralizes firefighting and administration across all systems. New workflow provides an auditable process for tracking log report approval.
What Is the Value? Reduces the effort required to grant and provision emergency access to multiple systems. Provides a structured, documented process around emergency access.

Focus Area: Improved Identity Management Integration
What Does It Do? Improves compliant provisioning for customers already using IdM. Allows for initiation of risk analysis and remediation from IdM or enables use of IdM to provision compliant requests.
What Is the Value? Provides flexibility to ensure an enterprise-wide, compliant provisioning process.

Streamlined User Access Management
SAP BusinessObjects Access Control 10.0

Access Control standardizes on SAP Business workflow technology and supports more flexible and tailored access request and approver views, simplifying the provisioning process.

Solution Enhancements
Standardized on SAP Business Workflow technology
Access requests enhancements:
  New customizable access request forms
  New template-based access requests
  New position-based role assignment requests
  New end-user display of profile, access assignments, and request history
Enhanced search for roles, groups, and system based on authorization
New customizable approver views
New multiple rule set support
Enhanced periodic reviews for user access and access risks

Key Benefits
Business workflow reduces manual tasks and streamlines access request processing
Leverage existing resources for workflow administration and configuration
Faster and easier for users to request the roles they need
Utilize existing HR structure for automated and compliant position-based role assignment
Improved security and richer request context

Workflow Key Terms in SAP BusinessObjects AC 10.0

Mapping Previous Workflow Terms to the New Workflow Functionality

[Table: SAP BusinessObjects AC 5.X terms mapped to SAP BusinessObjects AC 10.0 terms]

One process ID can have multiple request types
  Access Request: Create Request, Change Request, etc.
  Function Approval: Update Function, Delete Function, etc.

One initiator rule is able to trigger multiple paths based on the rule result value


Configuring MSMP Workflows

Prerequisites

The following configuration should have been completed as part of the initial post-installation steps:
GRC_MSMP_CONFIGURATION BC Set has been enabled
Perform Automatic Workflow Customizing
Perform Tasks Specific Customizing
Activate Event Linkage
Define number ranges for Access Requests
Connectors assigned to the PROV integration scenario


Roles and Users

Please create users and roles as required. You need at least the admin for
configuration, an approver and a standard business user for request creation.
For workflow maintenance:
SAP_GRAC_MSMP_WF_ADMIN_ALL: Administrator role for MSMP workflows
SAP_GRAC_MSMP_WF_CONFIG_ALL: Configuration role for MSMP workflows

For workflow management:
SAP_GRAC_ACCESS_APPROVER: Approver for Access Request and User Access Review
SAP_GRAC_CONTROL_APPROVER: Approver for Control Maintenance and Assignments requests
SAP_GRAC_SUPER_USER_MGMT_OWNER: Approver for Firefighter Log
SAP_GRAC_FUNCTION_APPROVER: Approver for Function Maintenance
SAP_GRAC_RISK_OWNER: Approver for Risk Maintenance and SoD Risk Review
SAP_GRAC_ROLE_MGMT_ROLE_OWNER: Approver for Role Maintenance

Configuration Parameters

The configuration parameters are set in IMG under Governance, Risk and
Compliance > Access Control > Maintain Configuration Settings. Make sure they
reflect your needs.


Provisioning Settings

The provisioning settings are configured in IMG under Governance, Risk and
Compliance > Access Control > User Provisioning > Maintain Provisioning
Settings.
Maintain at least the Global Provisioning settings.


Maintain MSMP Workflow


Overview

The configuration tool can be launched in IMG under Governance, Risk and
Compliance > Access Control > Workflow for Access Control > Maintain MSMP
Workflows.
These activities allow you to customize and maintain the Multi-Stage Multi-Path
(MSMP) process workflows for Access Control 10.0.

Ready to use components are delivered by SAP under BC Set GRC_MSMP_CONFIGURATION.


Maintain MSMP Workflow


1. Process Global Settings

In this step, settings that apply to all process IDs are configured, such as escape
conditions and notification settings.
Predelivered Process IDs:
Access Request Approval Workflow
Access Request Approval Workflow for HR OM Objects
Control Assignment Approval Workflow
Mitigation Control Maintenance Workflow
Fire Fighter Log Report Review Workflow
Function Approval Workflow
Risk Approval Workflow
Role Approval Workflow
SOD Risk Review Workflow
User Access Review Workflow

Maintain MSMP Workflow


2. Maintain Rules

Maintain Rules includes a list of all available rules to be used when configuring a
workflow. If a new rule is created, it must be added to this list. This is also where the
default initiator is configured.
There are different Rule Kinds according to the rule's objective:
Initiator Rule
Agents Rule
Routing Rule
Notification Variables Rule

Rules can be coded in different ways. These are the different Rule Types:
Function Module Based Rule
ABAP Class Based Rule
BRFplus Rule

Maintain MSMP Workflow


2. Maintain Rules: Rule Kinds

Rule Kinds:
Initiator Rule: determines the path upon submission of the request.
Agents Rule: determines the recipients of a stage.
Routing Rule: determines a detour routing based upon an attribute of the request (for example, SoD Violations Exist, Training Verification, No Role Owner).
Notification Variables Rule: determines the variable values at runtime used in the notification e-mails.


Maintain MSMP Workflow


2. Maintain Rules: Rule Types

Rule Types:
BRFplus Rule: a rule defined in the BRFplus application to fetch rule results, depending on conditions inside the rule.
Function Module Based Rule: a function module is coded to output rule results.
ABAP Class Based Rule: an ABAP class is coded to output rule results.
BRFplus Flat Rule (Line-item by Line-item): a BRFplus rule which is defined for only one line item (the rule will be called once for each line item in the request). Also referred to as BRF+ Easy.


Maintain MSMP Workflow


2. Maintain Rules: Results for Initiator and Routing Rules
A list of all possible results returned by an initiator/routing rule must be
maintained by using the Results button. These values will be mapped to a path in step 6.


Maintain MSMP Workflow


3. Maintain Agents

A list of all available agents for a workflow is maintained in step 3. Agents have a
type and a purpose assigned.
Agent Purpose
Notification: Recipients for email
Approval: Recipients to process request

Agent Types
API Rules, coded as per rules type
Directly Mapped Users
PFCG Roles, and
User Groups


Maintain MSMP Workflow


3. Maintain Agents: Agent Types

Directly Mapped Users

PFCG Roles

PFCG User Groups

GRC API Rules



Maintain MSMP Workflow


3. Maintain Agents: Directly Mapped Users

Directly Mapped Users allows you to define static user groups


Maintain MSMP Workflow


3. Maintain Agents: PFCG Roles and User Groups

These two agent types will determine the recipients of a workflow based on a role or
a user group assignment


Maintain MSMP Workflow


3. Maintain Agents: GRC API Rules

This agent type will determine the recipients based on a rule maintained in step 2.

API to be completed


Maintain MSMP Workflow


4. Variables and Templates

In this step all templates for email notifications are maintained. The templates are
created using transaction SE61.
Notifications can be sent on different events, such as:
New Work Item
Approval
Rejection
Escalation
Request submission
Request closure
Reminder

This topic is covered in detail in a separate guide; please check the references at the
end of the presentation.

Maintain MSMP Workflow


5. Maintain Paths

Here the actual workflows are configured. Multiple paths relevant to a specific
Process ID are configured by assigning a sequence of stages.
Each stage is configured in this screen, as are the notification settings specific
to the stage.


Maintain MSMP Workflow


5. Maintain Paths: Stage Details
Stage details can be configured globally for the specific process ID and can be
overwritten at a specific path/stage sequence.

Default Stage Details Settings
Stage settings specific to Path and Stage Sequence Number


Maintain MSMP Workflow


5. Maintain Paths: Modify Task Settings

When adding a stage to a path, it is possible to configure all stage settings by
clicking on Modify Task Settings. These settings will apply to the stage anytime
it is used in a particular path.


Maintain MSMP Workflow


6. Maintain Route Mapping

In this step you define the mapping between rule results and paths to route the
requests.
The Global Initiator must always be used; if multiple paths are required, the Global
Initiator must return different result values.
Routing rules for detours can be added here as well.


Maintain MSMP Workflow


7. Generate Versions

In the last step all changes will be saved and activated. If necessary, a transport
request can be configured.


Extending Workflows Using Function Modules

Creating a Function Module Rule


Overview

Function Module rules allow developers to create complex rules by using ABAP
code. These are the activities needed for creating an FM rule:
Create Function Group in SE37: Function Modules will be added to the group.
Define Workflow Related MSMP Rules: For generating the FM rule content from a template before maintaining it.
Maintain Function Module in SE37: For maintaining the FM rule contents.

Create Function Group in SE37


Preparing for creating a Function Module
Go to SE37 and create a Function Group as shown below.


Define Workflow Related MSMP Rules


Generating a Function Module
Generate each Rule ID (FM) to the Function Group created in the previous step.
Testing of the rule is optional and will be done when the rule is generated. After
generation the FM will be ready to be maintained.


Maintain Function Module in SE37


Customizing the ABAP code
Now you can maintain the FM content in SE37. A default template is created on
generation.


Extending Workflows Using BRFplus

Business Rule Framework


Overview

BRFplus Workbench
The BRFplus Workbench is a User Interface (UI) that enables users to define,
test and maintain rules for various business scenarios without the need of
ABAP code. Rules can be created for initiators, agents, and also for routing
workflows on specific conditions.


Creating a BRFplus Rule


Overview

There are two main activities that are relevant to maintaining BRFplus rules. They
are located in IMG under Governance, Risk and Compliance > Access Control >
Workflow for Access Control:
Define Workflow Related MSMP Rules: For generating the rule before maintaining it.
Define Business Rule Framework: Launches the UI for maintaining the rule's conditions using BRFplus.


Define Workflow Related MSMP Rules


Overview
Using this activity you can create rules for initiators, agents, and for routing. This will
only create an empty rule that will be maintained later


Define Workflow Related MSMP Rules


Rule Info
Generate each Rule ID (Function) to its own unique application/Funct. Group
when using BRF rules.


Define Workflow Related MSMP Rules


Generation of Options
Select both Generate Rule and Generate Result Work-Area


Define Workflow Related MSMP Rules


Test Rule
FM Rules can be tested on generation. Testing for BRF Rules can be executed
once the rule has been activated


Define Business Rule Framework


Maintaining Conditions

Using this activity you maintain the request fields that will be checked in a decision
table.
The decision table is empty by default and is located under Expression > Decision
Table, where the necessary request fields can be added by inserting columns.


Setting up an Initiator/Agent Rule


Table Settings
By using the Table Settings button the condition columns can be maintained


Setting up an Initiator/Agent Rule


Condition Columns
In the Conditions Columns, click Insert Column, then select Context Data
Objects in order to add items that will be used as the Condition Factors in the
Decision Table:


Setting up an Initiator/Agent Rule


Condition Columns
Navigate to the structure that contains the Condition Items:
GRAC_S_REQUEST_RULE_HEADER. Notice that custom fields will only be
available to rules created AFTER the creation of the custom field.


Setting up an Initiator/Agent Rule


Condition Columns
Items can be selected from multiple structures; role line items are located in
structure GRAC_S_REQUEST_RULE_LINE.


Setting up an Initiator/Agent Rule


Table Settings
The Condition columns are now selected into the Decision Table settings.
Click OK, on the bottom of the screen, to complete Table Settings:


Setting up an Initiator/Agent Rule


Decision Table Values

Click on Insert New Row to configure new condition statements and results:


Setting up an Initiator/Agent Rule


Decision Table Values
Now the Condition Statement can be configured.
Click the icon in each field. Select Direct Value Input to enter value(s) for the
Condition:


Setting up an Initiator/Agent Rule


Decision Table Values
Input each Condition Statement:
Choose the Expression Type (is equal to, is not equal to) from the dropdown list.
Enter the value that the Condition should match. Use the icon to continue to enter
more Condition Values (combined with OR), if needed, to complete the Condition Statement.
Repeat, as needed, for other Condition fields:


Setting up an Initiator/Agent Rule


Condition Statements

Condition Example:

The condition statement above means:
Request Type is equal to 001, and Priority is NOT equal to 001, and Employee Type is
between 000 and 999.
If all of the conditions are true, then the statement is true and will return the result
value(s).

Note:
All condition statements can be easily imported and exported to Microsoft Excel.


Setting up an Initiator/Agent Rule


Result Columns
Finally, set the result column values. The result objects are highlighted in
green.
Initiator/Routing Rules: the result column is RULE_RESULT, which will be used for
mapping the path in the MSMP Workflow Configuration.
Agent Rules: the result column is USER_ID, which will return an agent (notification or
approval).

Notes:
Always configure LINE_ITEM_KEY with Context Parameter ITEMNUM.
Remember to add a catch-all entry with no values if needed

Setting up an Initiator/Agent Rule


Save Changes
You need to make sure there is a green light next to the decision table and
function names. You need to click on Save and then Activate to achieve this.
Now you are ready to use your BRFplus rule in MSMP Workflows. Notice that
you will use the Function ID instead of the rule name.
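
The decision table and route mapping described in the slides above can be modelled outside the system to review a configuration before it is activated. The following is an added example, not SAP code and not part of the original presentation: it evaluates the condition statement from the Condition Example slide and reports rule results that are not maintained or not mapped to a path, and a missing or misplaced catch-all row. It assumes the first matching row wins; the column names, result values and path names are constructed for illustration.

```python
from dataclasses import dataclass

# Expression types named on the slide; values are fixed-width numeric strings
# such as "001", so plain string comparison orders them correctly.
def is_equal_to(value):
    return lambda field: field == value

def is_not_equal_to(value):
    return lambda field: field != value

def is_between(low, high):
    return lambda field: low <= field <= high

ANY = None  # an empty condition cell: matches every value


@dataclass
class Row:
    conditions: dict   # condition column name -> predicate or ANY
    rule_result: str   # value of the RULE_RESULT result column

    def is_catch_all(self):
        return all(pred is ANY for pred in self.conditions.values())

    def matches(self, request):
        return all(pred is ANY or pred(request.get(col, ""))
                   for col, pred in self.conditions.items())


def evaluate(table, request):
    """Return RULE_RESULT of the first matching row (assumed first-match), or None."""
    for row in table:
        if row.matches(request):
            return row.rule_result
    return None


def resolve_path(table, route_mapping, request):
    """Initiator result -> path, failing closed when the configuration has a gap."""
    result = evaluate(table, request)
    if result is None:
        raise LookupError("no row matched and there is no catch-all row")
    if result not in route_mapping:
        raise LookupError(f"rule result {result!r} is not mapped to a path")
    return route_mapping[result]


def audit(table, maintained_results, route_mapping):
    """Static review of the configuration; returns a list of findings."""
    findings = []
    produced = {row.rule_result for row in table}
    for result in sorted(produced - set(maintained_results)):
        findings.append(f"{result}: returned by the rule but missing from Results")
    for result in sorted(produced - set(route_mapping)):
        findings.append(f"{result}: no path in route mapping")
    catch_alls = [i for i, row in enumerate(table) if row.is_catch_all()]
    if not catch_alls:
        findings.append("no catch-all row: some requests get no result")
    elif catch_alls[0] != len(table) - 1:
        findings.append(f"catch-all in row {catch_alls[0] + 1} shadows later rows")
    return findings


# Constructed sample configuration (column names, results and paths are made up).
TABLE = [
    Row({"REQUEST_TYPE": is_equal_to("001"),
         "PRIORITY": is_not_equal_to("001"),
         "EMPLOYEE_TYPE": is_between("000", "999")}, "RESULT_A"),
    Row({"REQUEST_TYPE": ANY, "PRIORITY": ANY, "EMPLOYEE_TYPE": ANY}, "RESULT_DEFAULT"),
]
MAINTAINED_RESULTS = ["RESULT_A", "RESULT_DEFAULT"]
ROUTE_MAPPING = {"RESULT_A": "PATH_A", "RESULT_DEFAULT": "PATH_DEFAULT"}

if __name__ == "__main__":
    request = {"REQUEST_TYPE": "001", "PRIORITY": "002", "EMPLOYEE_TYPE": "010"}
    print(resolve_path(TABLE, ROUTE_MAPPING, request))
    print(audit(TABLE, MAINTAINED_RESULTS, ROUTE_MAPPING))
```

An empty findings list means every result the rule can return is maintained and mapped, and the catch-all row is last.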


Wrap-Up

Resources
AC 10.0 How to Customize Notification Templates
http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/605077fc-35772e10-e1a6-a743514d4eb3
SAP Community Network
http://www.sdn.sap.com/irj/bpx (go to Key Topics > Access Control)
SAP Service Marketplace Documentation *
https://service.sap.com/instguides
SAP Help
http://help.sap.com Go to SAP Business User GRC Solutions
SAP BusinessObjects GRC Solutions
http://www.sap.com/grc

* Requires login credentials to the SAP Service Marketplace


Wrap-Up
SAP's comprehensive approach to GRC leverages the standard SAP Business Workflow technology
SAP provides ready to use content for configuring basic workflow scenarios
Complex criteria can be coded for routing requests and determining workflow and notification recipients by using ABAP code
No ABAP development skills are required for setting up rules using the SAP Business Rule Framework
Workflow recipients can be easily determined by using role and user group assignments
Email notification can be customized on specific events
New request form improves user adoption with a consistent user experience in all GRC components

Thank You!
Contact information:
Luis Bustamante
Customer Solution Adoption (GRC)
luis.bustamante@sap.com
