AC 10.0 Pre-Implementation From Post-Installation to First Access Request Customer Solution Adoption April 11th 2011 Version 1.0

AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

Embed Size (px)

Citation preview

Page 1: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

AC 10.0 Pre-Implementation

From Post-Installation to First Access Request

Customer Solution Adoption

April 11th 2011

Version 1.0

Page 2: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

Purpose of this document

This document allows implementation consultants and administrators to

setup the required functionality for creating an access request after the

post-installation has been finished, please notice that it is required to

configure Role Management before being able to request role assignments.

This is by no means a comprehensive guide for setting up MSMP

workflows, rather it allows testing the application is working properly by

setting up a basic test case.

Page 3: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 3


This presentation outlines our general product direction and should not be relied on

in making a purchase decision. This presentation is not subject to your license

agreement or any other agreement with SAP. SAP has no obligation to pursue any

course of business outlined in this presentation or to develop or release any

functionality mentioned in this presentation. This presentation and SAP's strategy

and possible future developments are subject to change and may be changed by

SAP at any time for any reason without notice. This document is provided without a

warranty of any kind, either express or implied, including but not limited to, the

implied warranties of merchantability, fitness for a particular purpose, or non-

infringement. SAP assumes no responsibility for errors or omissions in this

document, except if such damages were caused by SAP intentionally or grossly


Page 4: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 4


Requirementso Verifying default configuration parameters

o Adding connector to PROV scenario

o Creating users and assigning roles

o Configuring number ranges

o Maintain provisioning settings

Maintain MSMP Workflowo Process Global Settings

o Maintain Rules

o Maintain Agents

o Variables and Templates

o Maintain Paths

o Maintain Route Mapping

o Generate Versions

Creating an access request

Page 5: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

Requirements Verifying default configuration parameters

Adding connector to PROV scenario

Creating users and assigning roles

Configuring number ranges

Maintain provisioning settings

Page 6: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 6

Creating users and assigning roles

Please create users and roles as needed. You need at least the admin for

configuration, an approver and a standard business user for request creation. The

following roles are provided as examples.

For workflow maintenance:

SAP_GRC_MSMP_WF_ADMIN_ALL Administrator role for MSMP workflows

SAP_GRC_MSMP_WF_CONFIG_ALL Configuration role for MSMP workflows

For workflow management:

SAP_GRAC_ACCESS_APPROVER Approver for Access Request and User Access Review

SAP_GRAC_CONTROL_APPROVER Approver for Control Maintenance and Assignments requests

SAP_GRAC_SUPER_USER_MGMT_OWNER Approver for Firefighter Log

SAP_GRAC_FUNCTION_APPROVER Approver for Function Maintenance

SAP_GRAC_RISK_OWNER Approver for Risk Maintenance and SoD Risk Review

SAP_GRAC_ROLE_MGMT_ROLE_OWNER Approver for Role Maintenance

Reminder: end users will require also the roles based on SAP_GRC_FN_BASE and


Page 7: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 7

Verifying default configuration parameters

Please check the AC Configuration Settings suit your needs:

Page 8: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 8

Adding connector to PROV scenario

To create access requests it is required to have the PROV scenario linked to the

connector, this is done via IMG:

Page 9: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 9

Configuring number ranges (1/3)

A number range needs to be create via transaction SNRO:

Page 10: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 10

Configuring number ranges (2/3)

Add as many intervals as needed:

Note: Make sure the “Ext” box is unchecked

Page 11: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 11

Configuring number ranges (3/3)

Then the default number range needs to be enabled in IMG under Governance Risk

and Compliance Access Control User Provisioning Define Number Ranges

for Provisioning Requests.

Add the requests created in transaction SNRO and make sure one of them is marked

as Active

Page 12: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 12

Maintain provisioning settings

The provisioning settings are configured in IMG under Governance Risk and

Compliance Access Control User Provisioning Maintain Provisioning

Settings. Maintain at least the Global Provisioning settings.

Page 13: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

Maintain MSMP workflow Process Global Settings

Maintain Rules

Maintain Agents

Variables and Templates

Maintain Paths

Maintain Route Mapping

Generate Versions

Page 14: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 14

Configure MSMP WorkflowGlobal Process Settings

Go to IMG under Access Control Workflow for Access Control Activate MSMP

Workflow. Select SAP_GRAC_ACCESS_REQUEST and click on Display/Change.

Maintain here the Process Global Settings.

Page 15: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 15

Configure MSMP WorkflowMaintain Rules

In this step the available rules to the selected process are shown. These are the

default rules. Please maintain the global rules as shown.

Page 16: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 16

Configure MSMP WorkflowMaintain Agents

In this step the available agents are added. These are the default ones. Please

notice in this scenario we are only going to use Manager approval.

Page 17: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 17

Configure MSMP WorkflowVariable and Templates

Notification variables and notification templates are maintained here. We will use

the default settings.

Page 18: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 18

Configure MSMP WorkflowMaintain Paths

Notification variables and notification templates are maintained here. We will use

the default settings. Maintain the stage settings as required using the Modify Task

Settings button

Page 19: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 19

Configure MSMP WorkflowMaintain Route Mapping

Please create the route mapping as shown below.

Page 20: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 20

Configure MSMP WorkflowGenerate Versions

Click on Save and then Activate.

Page 21: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

Creating an access request

Page 22: AC 10.0 Pre-Implementation - From Post-Installation to First Access Request

© 2011 SAP AG. All rights reserved. 22

Create first access request

Now you can create an access request. Please make sure the Manager is provided

as this will be the default approver for all requests.