Version 2.0
Disclaimer
This presentation outlines our general product direction and should not be relied on
in making a purchase decision. This presentation is not subject to your license
agreement or any other agreement with SAP. SAP has no obligation to pursue any
course of business outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and SAP's strategy
and possible future developments are subject to change and may be changed by
SAP at any time for any reason without notice. This document is provided without a
warranty of any kind, either express or implied, including but not limited to, the
implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly
negligent.
Agenda
Structure of a Workflow
Access Controls Compliant User Provisioning Functionality
[Figure: workflow structure. Standard Path: Initiator, Stage 1, Stage 2, ... Stage n, Provisioning (optional). Detour Path: Stage 1, ... Stage n, Provisioning (optional).]
Solution Enhancements
Key Benefits
Business workflow reduces manual tasks and streamlines access request processing
Leverage existing resources for workflow administration and configuration
Faster and easier for users to request the roles they need
Utilize existing HR structure for automated and compliant position-based role assignment
Improved security and richer request context
SAP BusinessObjects AC 5.X
SAP BusinessObjects AC 10.0
Prerequisites
The following configuration should have been completed as part of the initial post-installation steps:
GRC_MSMP_CONFIGURATION BC Set has been enabled
Please create users and roles as required. You need at least the admin for
configuration, an approver and a standard business user for request creation.
For workflow maintenance:
SAP_GRAC_MSMP_WF_ADMIN_ALL: Administrator role for MSMP workflows
SAP_GRAC_MSMP_WF_CONFIG_ALL: Configuration role for MSMP workflows
requests
SAP_GRAC_SUPER_USER_MGMT_OWNER: Approver for Firefighter Log
SAP_GRAC_FUNCTION_APPROVER: Approver for Function Maintenance
SAP_GRAC_RISK_OWNER: Approver for Risk Maintenance and SoD Risk Review
SAP_GRAC_ROLE_MGMT_ROLE_OWNER: Approver for Role Maintenance
2011 SAP AG. All rights reserved.
Configuration Parameters
The configuration parameters are set in IMG under Governance, Risk and
Compliance → Access Control → Maintain Configuration Settings. Make sure they
reflect your needs.
Provisioning Settings
The provisioning settings are configured in IMG under Governance, Risk and
Compliance → Access Control → User Provisioning → Maintain Provisioning
Settings.
Maintain at least the Global Provisioning settings.
The configuration tool can be launched in IMG under Governance, Risk and
Compliance → Access Control → Workflow for Access Control → Maintain MSMP
Workflows.
These activities allow you to customize and maintain the Multi-Stage Multi-Path
(MSMP) process workflows for Access Control 10.0.
In this step, settings that apply to all process IDs are configured, such as escape
conditions and notification settings.
Predelivered Process IDs:
Access Request Approval Workflow
Access Request Approval Workflow for HR OM Objects
Control Assignment Approval Workflow
Mitigation Control Maintenance Workflow
Fire Fighter Log Report Review Workflow
Function Approval Workflow
Risk Approval Workflow
Role Approval Workflow
SOD Risk Review Workflow
User Access Review Workflow
Maintain Rules includes a list of all available rules to be used when configuring a
workflow. If a new rule is created it must be added to this list. This is also where the
default initiator is configured.
There are different Rule Kinds according to the rule's objective:
Initiator Rule
Agents Rule
Routing Rule
Notification Variables Rule
Rule Kinds:
Initiator Rule: determines the path upon submission of the request.
Agents Rule: determines the recipients of a stage.
Routing Rule: determines a detour routing based upon an attribute of the request (for example, SoD Violations Exist, Training Verification, No Role Owner).
Notification Variables Rule: determines the variable values at runtime used in the notification e-mails.
Rule Types:
BRFplus Rule: a rule defined in the BRFplus application to fetch rule results, depending on conditions inside the rule.
Function Module Based Rule: a function module is coded to output rule results.
ABAP Class Based Rule: an ABAP class is coded to output rule results.
BRFplus Flat Rule (Line-item by Line-item): a BRFplus rule that is defined for only one line item (the rule is called once for each line item in the request). Also referred to as BRF+ Easy.
A list of all available agents for a workflow is maintained in step 3. Agents have a
type and a purpose assigned.
Agent Purpose
Notification: Recipients for email
Approval: Recipients to process request
Agent Types
PFCG Roles
These two agent types will determine the recipients of a workflow based on a role or
a user group assignment
This agent type will determine the recipients based on a rule maintained in step 2.
API to be completed
In this step all templates for email notifications are maintained. The templates are
created using transaction SE61.
Notifications can be sent on
different events, such as:
In this step you define the mapping between rule results and paths to route the
requests.
The Global Initiator must always be used; if multiple paths are required, the Global
Initiator must return different result values.
Routing rules for detours can be added here as well.
In the last step all changes will be saved and activated. If necessary, a transport
request can be configured.
BRFplus Workbench
The BRFplus Workbench is a User Interface (UI) that enables users to define,
test and maintain rules for various business scenarios without the need of
ABAP code. Rules can be created for initiators, agents, and also for routing
workflows on specific conditions.
Using this activity, you maintain the request fields that will be checked in a decision
table.
The decision table is empty by default and is located under Expression → Decision
Table, where the necessary request fields can be added by inserting columns.
Click on Insert New Row to configure new condition statements and results:
Condition Example:
Note:
All condition statements can be easily imported and exported to Microsoft Excel
Notes:
Always configure LINE_ITEM_KEY with Context Parameter ITEMNUM.
Remember to add a catch-all entry with no values if needed.
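The route mapping and the decision-table notes above, as a simplified Python model (an added example, not SAP or BRFplus code and not part of the original slides). The condition fields REQTYPE and SYSTEM, the result values and the path IDs are constructed, and first-match row evaluation is an assumption of the model.

```python
# Simplified model of an initiator decision table plus route mapping.
# All field names, result values and path IDs are constructed for illustration.

# Rows are checked top to bottom; None in a condition cell matches any value.
DECISION_TABLE = [
    ({"REQTYPE": "NEW", "SYSTEM": "PRD"}, "PROD_NEW"),
    ({"REQTYPE": "CHANGE", "SYSTEM": None}, "CHANGE"),
    ({"REQTYPE": None, "SYSTEM": None}, "DEFAULT"),  # catch-all entry
]

# Route mapping: rule result value -> path ID.
ROUTE_MAPPING = {"PROD_NEW": "PATH_PROD", "CHANGE": "PATH_CHANGE", "DEFAULT": "PATH_STD"}


def evaluate_line_item(item, table=DECISION_TABLE):
    """Return the result of the first matching row, or None if no row matches."""
    for conditions, result in table:
        if all(want is None or item.get(f) == want for f, want in conditions.items()):
            return result
    return None


def route_request(line_items, table=DECISION_TABLE, mapping=ROUTE_MAPPING):
    """Call the rule once per line item and key each path by the item number."""
    routes = {}
    for item in line_items:
        result = evaluate_line_item(item, table)
        if result not in mapping:  # also covers "no row matched" (None)
            raise LookupError(f"item {item['ITEMNUM']}: no path for result {result!r}")
        routes[item["ITEMNUM"]] = mapping[result]  # LINE_ITEM_KEY from item number
    return routes


def check_configuration(table=DECISION_TABLE, mapping=ROUTE_MAPPING):
    """List configuration gaps that would leave a request without a path."""
    problems = []
    if not any(all(v is None for v in cond.values()) for cond, _ in table):
        problems.append("no catch-all row")
    for _, result in table:
        if result not in mapping:
            problems.append(f"result {result} has no path")
    return problems


# Constructed request with three line items.
SAMPLE_REQUEST = [
    {"ITEMNUM": "001", "REQTYPE": "NEW", "SYSTEM": "PRD"},
    {"ITEMNUM": "002", "REQTYPE": "CHANGE", "SYSTEM": "DEV"},
    {"ITEMNUM": "003", "REQTYPE": "NEW", "SYSTEM": "DEV"},
]
```

Line item 003 matches no specific row and reaches a path only through the catch-all entry; without that row the request has no approval path at all.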
Wrap-Up
Resources
AC 10.0 How to Customize Notification Templates
http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/605077fc-35772e10-e1a6-a743514d4eb3
SAP Community Network
http://www.sdn.sap.com/irj/bpx Go to Key Topics Access Control
SAP Service Marketplace Documentation *
https://service.sap.com/instguides
SAP Help
http://help.sap.com Go to SAP Business User GRC Solutions
SAP BusinessObjects GRC Solutions
http://www.sap.com/grc
Wrap-Up
SAP's comprehensive approach to GRC leverages the standard SAP Business Workflow technology
SAP provides ready to use content for configuring basic workflow scenarios
Thank You!
Contact information:
Luis Bustamante
Customer Solution Adoption (GRC)
luis.bustamante@sap.com
No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP AG. The information contained herein may be
changed without prior notice.
Some software products marketed by SAP AG and its distributors contain proprietary
software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft
Corporation.
IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x,
System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer,
z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server,
PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER,
OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP,
RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX,
Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered
trademarks of IBM Corporation.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or
registered trademarks of Adobe Systems Incorporated in the United States and/or other
countries.
Oracle is a registered trademark of Oracle Corporation.
UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.
Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are
trademarks or registered trademarks of Citrix Systems, Inc.
HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World
Wide Web Consortium, Massachusetts Institute of Technology.
Java is a registered trademark of Sun Microsystems, Inc.
JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for
technology invented and implemented by Netscape.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal
Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services
mentioned herein as well as their respective logos are trademarks or registered trademarks
of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase
products and services mentioned herein as well as their respective logos are trademarks or
registered trademarks of Sybase, Inc. Sybase is an SAP company.
All other product and service names mentioned are the trademarks of their respective
companies. Data contained in this document serves informational purposes only. National
product specifications may vary.
The information in this document is proprietary to SAP. No part of this document may be
reproduced, copied, or transmitted in any form or for any purpose without the express prior
written permission of SAP AG.
This document is a preliminary version and not subject to your license agreement or any
other agreement with SAP. This document contains only intended strategies, developments,
and functionalities of the SAP product and is not intended to be binding upon SAP to any
particular course of business, product strategy, and/or development. Please note that this
document is subject to change and may be changed by SAP at any time without notice.
SAP assumes no responsibility for errors or omissions in this document. SAP does not
warrant the accuracy or completeness of the information, text, graphics, links, or other items
contained within this material. This document is provided without a warranty of any kind,
either express or implied, including but not limited to the implied warranties of
merchantability, fitness for a particular purpose, or non-infringement.
SAP shall have no liability for damages of any kind including without limitation direct,
special, indirect, or consequential damages that may result from the use of these materials.
This limitation shall not apply in cases of intent or gross negligence.
The statutory liability for personal injury and defective products is not affected. SAP has no
control over the information that you may access through the use of hot links contained in
these materials and does not endorse your use of third-party Web pages nor provide any
warranty whatsoever relating to third-party Web pages.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer,
StreamWork, and other SAP products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of SAP AG in Germany and other
countries.