AC10.0-Customizing Workflows for AccessManagement

Customer Solution AdoptionJune 2011

AC 10.0 Customizing Workflows for Access Management

Version 2.0

Purpose of this documentThis document allows implementation consultants and administrators to setup the required functionality for enabling the workflow engine in AC 10.0. You will learn the main components of the new workflow engine and how to customize them, also how to create agents and initiators using Function Modules and BRFplus.

© 2011 SAP AG. All rights reserved. 3

Disclaimer

This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.


Agenda

Workflows in Access Control

Streamlined User Access Management in SAP BusinessObjects Access Control 10.0

Configuring MSMP Workflows

Extending Workflows Using Function Modules

Extending Workflows Using BRFplus

Wrap-Up

Workflows in Access Control


Structure of a WorkflowAccess Control’s Compliant User Provisioning Functionality

Standard Path

Initiator Stage 1 Stage 2 Stage n Provisioning(optional)

Stage 1 Stage n Provisioning(optional)

Detour Path

Streamlined User Access Management inSAP BusinessObjects Access Control 10.0


What Does It Do? � What Is the Value?Focus Area

New Feature HighlightsStreamlined User Access Management

� Lowers TCO by eliminating redundancy in administration, configuration, setup, and end-user training.

� An enterprise GRC platform approach allows you to have complete management of all risks and controls from a single environment.

� Tailoring of routing requirements for simple to highly complex organizations. New request forms improve user adoption and usability.

� Streamlines management of technical roles and eases identification and selection of appropriate roles for users, positions, and jobs.

� Reduces the effort required to grant and provision emergency access to multiple systems. Provides a structured,documented process around emergency access.

� Provides flexibility to ensure an enterprise wide, compliant provisioning process.

� Unifies all Access Control capabilities on a standardized ABAP platform, offering enterprise supportability, granular security, transport, and archiving.

� Harmonizes Access Control with Risk Management & Process Control offers shared processes, data, and user interface across the GRC suite.

� Standardizes on improved workflow that supports flexible, multi-tiered routing and approval matrices. Dynamic user request forms based on user or system selected.

� Provides a standardized role complianceframework, centralized across organizations, systems, and applications. Translates roles into terms business users can understand.

� Centralizes firefighting and administration across all systems. New workflow provides an auditable process for tracking log report approval.

� Improves compliant provisioning for customers already using IdM. Allows for initiation of risk analysis and remediation from IdM or enables use of IdM to provision compliant requests.

Access Control Harmonization

Unified Compliance Platform

Streamlined User Access Management

Improved Identity Management Integration

Centralized Emergency Access

Business Role Governance


� Business workflow reduces manual tasks and streamlines access request processing

� Leverage existing resources for workflow administration and configuration

� Faster and easier for users to request the roles they need

� Utilize existing HR structure for automated and compliant position-based role assignment

� Improved security and richer request context

Access Control standardizes on SAP Business workflow technology and supports more flexible and tailored access request and approver views, simplifying the provisioning process.

� Standardized on SAP Business Workflow technology

� Access requests enhancements:� New customizable access

request forms� New template-based access

requests� New position-based role

assignment requests� New end-user display of

profile, access assignments, and request history

� Enhanced search for roles, groups, and system based on authorization

� New customizable approver views

� New multiple rule set support

� Enhanced periodic reviews for user access and access risks

Solution Enhancements Key Benefits

Streamlined User Access ManagementSAP BusinessObjects Access Control 10.0


Workflow Key Terms in SAP BusinessObjects AC 10.0Mapping Previous Workflow Terms to the New Workflow Functionality

One process ID can have multiple request typesy Access Request: Create Request,

Change Request, etc.y Function Approval: Update Function,

Delete Function, etc.

One initiator rule is able to trigger multiple paths based on the rule result value

SAP BusinessObjects

AC 5.X

SAP BusinessObjects

AC 10.0

Configuring MSMP Workflows


Prerequisites

The following configuration should have been completed as part of the initial post-installation steps:y GRC_MSMP_CONFIGURATION BC Set has been enabledy Perform Automatic Workflow Customizingy Perform Tasks Specific Customizingy Activate Event Linkagey Define number ranges for Access Requestsy Connectors assigned to the PROV integration scenario


Roles and Users

Please create users and roles as required. You need at least the admin for configuration, an approver and a standard business user for request creation.

For workflow maintenance:y SAP_GRAC_MSMP_WF_ADMIN_ALL Administrator role for MSMP workflowsy SAP_GRAC_MSMP_WF_CONFIG_ALL Configuration role for MSMP workflows

For workflow management:y SAP_GRAC_ACCESS_APPROVER Approver for Access Request and User Access Reviewy SAP_GRAC_CONTROL_APPROVER Approver for Control Maintenance and Assignments

requestsy SAP_GRAC_SUPER_USER_MGMT_OWNER Approver for Firefighter Logy SAP_GRAC_FUNCTION_APPROVER Approver for Function Maintenancey SAP_GRAC_RISK_OWNER Approver for Risk Maintenance and SoD Risk Reviewy SAP_GRAC_ROLE_MGMT_ROLE_OWNER Approver for Role Maintenance


Configuration Parameters

The configuration parameters are set in IMG under Governance, Risk and Compliance Æ Access Control Æ Maintain Configuration Settings. Make sure they reflect your needs.


Provisioning Settings

The provisioning settings are configured in IMG under Governance Risk and Compliance Æ Access Control Æ User Provisioning Æ Maintain Provisioning Settings.Maintain at least the Global Provisioning settings.


Maintain MSMP WorkflowOverview

The configuration tool can be launched in IMG under Governance, Risk and Compliance Æ Access Control Æ Workflow for Access Control Æ Maintain MSMP Workflows

These activities allow you to customize and maintain the Multi-Stage Multi-Path (MSMP) process workflows for Access Control 10.0

Ready to use components are delivered by SAP under BC Set GRC_MSMP_CONFIGURATION


Maintain MSMP Workflow 1. Process Global Settings

Predelivered Process IDs:y Access Request Approval Workflowy Access Request Approval Workflow for

HR OM Objectsy Control Assignment Approval Workflowy Mitigation Control Maintenance Workflowy Fire Fighter Log Report Review Workflowy Function Approval Workflowy Risk Approval Workflowy Role Approval Workflowy SOD Risk Review Workflowy User Access Review Workflow

In this step settings that apply to all process IDs are configured, such as escape conditions and notifications settings


Maintain MSMP Workflow1. Process Global Settings

GRAC_AR_CLOSE

GRAC_USER

GRAC_AR_SUBMIT

GRAC_REQUESTER








Maintain MSMP Workflow 2. Maintain Rules

There are different Rule Kinds according to the rule’s objective:y Initiator Rule y Agents Rule y Routing Ruley Notification Variables Rule

Rules can be coded in different ways, these are the different Rule Types:y Function Module Based Ruley ABAP Class Based Ruley BRFplus Rule

Maintain Rules includes a list of all available rules to be used when configuring a workflow. If a new rule is created it must be added to this list. This is also where the default initiator is configured.


Maintain MSMP Workflow2. Maintain Rules: Rule Kinds

Rule Kinds:• Initiator Rule – determines the path upon submission of the request• Agents Rule – determines the recipients of a stage• Routing Rule – determines a detour routing based upon an attribute of the request (for

example, SoD Violations Exist, Training Verification, No Role Owner)• Notification Variables Rule – determines the variable values at runtime used in the

notification e-mails.


Maintain MSMP Workflow2. Maintain Rules: Rule Types

Rule Types:• BRFplus Rule: is a rule defined in the BRFplus application to fetch rule results, depending

on conditions inside the rule.• Function Module Based Rule: Function module is coded to output rule results.• ABAP Class Based Rule: ABAP Class is coded to output rule results• BRFplus Flat Rule (Line-item by Line-item): BRFplus rule which is defined for only one

line item (rule will be called once for each line-item in the request). Also referred to as BRF+ Easy.


Maintain MSMP Workflow2. Maintain Rules: Results for Initiator and Routing Rules

It is required to maintain a list of all possible results returned by an initiator/routing rule by using the Results button. These values will be mapped to a path on step 6.


Maintain MSMP Workflow3. Maintain Agents

Agent Purposey Notification: Recipients for email y Approval: Recipients to process request

Agent Typesy API Rules, coded as per rule’s typey Directly Mapped Usersy PFCG Roles, and y User Groups

A list of all available agents for a workflow is maintained in step 3. Agents have a type and a purpose assigned.


Maintain MSMP Workflow3. Maintain Agents: Agent Types

Directly Mapped Users

PFCG Roles PFCG User Groups

GRC API Rules


Maintain MSMP Workflow3. Maintain Agents: Directly Mapped Users

Directly Mapped Users allows you to define static user groups


Maintain MSMP Workflow3. Maintain Agents: PFCG Roles and User Groups

These two agent types will determine the recipients of a workflow based on a role or a user group assignment


Maintain MSMP Workflow3. Maintain Agents: GRC API Rules

API to be completed

This agent type will determine the recipients based on a rule maintained in step 2.


Maintain MSMP Workflow4. Variables and Templates

Notifications can be sent on different events, such as:y New Work Itemy Approvaly Rejectiony Escalationy Request submissiony Request closurey Reminder

In this step all templates for email notifications are maintained. The templates are created using transaction SE61.

This topic is covered in a separate guide in detail, please check the references at the end of the presentation


Maintain MSMP Workflow 5. Maintain Paths

Here the actual workflows are configured. Multiple paths relevant to a specific Process ID are configured by assigning a sequence of stages.

Each stage is configured in this screen as well as notifications settings specific to stage


Maintain MSMP Workflow 5. Maintain Paths: Stage Details

Stage settings specific to Path and Stage Sequence Number

Default Stage Details Settings

Stage details can be configured globally for the specific process ID and can be overwritten at a specific path/stage sequence.


Maintain MSMP Workflow 5. Maintain Paths: Modify Task Settings

When adding a stage to a path it is possible to configure all stage settings by clicking on Modify Task Settings. These settings will apply to the stage anytime this is used in a particular path.


Maintain MSMP Workflow6. Maintain Route Mapping

In this step you define the mapping between rule results and paths to route the requests

Always the Global Initiator must be used, if multiple paths are required the Global Initiator must return different result values

Routing rules for detours can be added here as well


Maintain MSMP Workflow7. Generate Versions

In the last step all changes will be saved and activated. If necessary, a transport request can be configured.

Extending Workflows Using Function Modules


Creating a Function Module RuleOverview

Function Module rules allow developers to create complex rules by using ABAP Code. These are the activities needed for creating a FM rule:

y Create Function Group in SE37: Function Modules will be added to the group

y Define Workflow Related MSMP Rules: For generating the FM rule content from a template before maintaining it.

y Maintain Function Module in SE37: For maintaining the FM rule contents.


Create Function Group in SE37Preparing for creating a Function Module

Go to SE37 and create a Function Group as shown below.


Define Workflow Related MSMP RulesGenerating a Function Module

Generate each Rule ID (FM) to the Function Group created in the previous step. Testing of the rule is optional and will be done when the rule is generated. After generation the FM will be ready to be maintained.


Maintain Function Module in SE37Customizing the ABAP code

Now you can maintain the FM content in SE37. A default template is created on generation.

Extending Workflows BRFplus


BRFplus Workbenchy The BRFplus Workbench is a User Interface (UI) that enables users to define,

test and maintain rules for various business scenarios without the need of ABAP code. Rules can be created for initiators, agents, and also for routing workflows on specific conditions.

Business Rule FrameworkOverview


Creating a BRFplus RuleOverview

There are two main activities that are relevant to maintaining BRFplus rules, they are located in IMG under Governance, Risk and Compliance ÆAccess Control Æ Workflow for Access Control

y Define Workflow Related MSMP Rules: For generating the rule before maintaining it

y Define Business Rule Framework: Launches the UI for maintaining the rule’s conditions using BRFplus


Define Workflow Related MSMP RulesOverview

Using this activity you can create rules for initiators, agents, and for routing. This will only create an empty rule that will be maintained later


Define Workflow Related MSMP RulesRule Info

Generate each Rule ID (Function) to its own unique application/Funct. Group when using BRF rules.


Define Workflow Related MSMP RulesGeneration of Options

Select both Generate Rule and Generate Result Work-Area


Define Workflow Related MSMP RulesTest Rule

FM Rules can be tested on generation. Testing for BRF Rules can be executed once the rule has been activated


Define Business Rule FrameworkMaintaining Conditions

Using this activity you maintain the request fields that will be checked in a decision table

The decision table is empty by default and is located under Expression Æ Decision Table where the necessary request fields can be added by inserting columns


By using the Table Settings button the condition columns can be maintained

Setting up an Initiator/Agent RuleTable Settings


Setting up an Initiator/Agent RuleCondition Columns

In the Conditions Columns, click Insert Column, then select Context Data Objects in order to add items that will be used as the Condition Factors in the Decision Table:


Navigate to the structure that contains the Condition Items: GRAC_S_REQUEST_RULE_HEADER. Notice that custom fields will only be available to rules created AFTER the creation of the custom field.



Items can be selected from multiple structures, role line items are located in structure GRAC_S_REQUEST_RULE_LINE.



Setting up an Initiator/Agent RuleTable Settings

The Condition columns are now selected into the Decision Table settings.y Click OK, on the bottom of the screen, to complete Table Settings:


Setting up an Initiator/Agent RuleDecision Table Values

Click on Insert New Row to configure new conditions statements and results:


Now the Condition Statement can be configured. y Click the icon in each field. Select Direct Value Input to enter value(s) for the

Condition:



Input each Condition Statement:y Choose the Expression Type (is equal to, is not equal to) from the dropdown list.y Enter the value that the Condition should match. User the icon to continue to enter,

OR, more Condition Values, if needed, to complete the Condition Statement.y Repeat, as needed, for other Condition fields:



Setting up an Initiator/Agent RuleCondition Statements

Condition Example:

The condition statement above means:y Request Type is equal to 001 and Priority is NOT equal to 001, and Employee Type is

between 000 and 999y If all of the conditions are true, then the statement is true and will return the result

value(s)

Note: • All condition statements can be easily imported and exported to Microsoft Excel


Finally, set the results column values. The result objects are highlighted in green. • Initiator/Routing Rules: the result column is RULE_RESULT which will be used for

mapping the path in the MSMP Workflow Configuration• Agent Rules: the result column is USER_ID, which will return an agent (notification or

approval).

Notes: • Always configure LINE_ITEM_KEY with Context Parameter ITENNUM. • Remember to add a “catch-all” entry with no values if needed

Setting up an Initiator/Agent RuleResult Columns


You need to make sure there is a green light next to the decision table and function names. You need to click on Save and then Activate to achieve this.Now you are ready to use your BRFplus rule in MSMP Workflows. Notice that you will use the Function ID instead of the rule name.

Setting up an Initiator/Agent RuleSave Changes

Wrap-Up


Resources

AC 10.0 How to Customize Notification Templates http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3

SAP Community Networkhttp://www.sdn.sap.com/irj/bpx Go to Key Topics Æ Access Control

SAP Service Marketplace Documentation *https://service.sap.com/instguides

SAP Helphttp://help.sap.com Go to SAP Business User Æ GRC Solutions

SAP BusinessObjects GRC Solutionshttp://www.sap.com/grc

* Requires login credentials to the SAP Service Marketplace

http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3





















http://www.sdn.sap.com/irj/bpx

http://www.sdn.sap.com/irj/bpx

https://service.sap.com/instguides

https://service.sap.com/instguides

http://help.sap.com/

http://help.sap.com/

http://www.sap.com/grc


Wrap-Up

SAP’s comprehensive approach to GRC leverages the standard SAP Business Workflow technology

SAP provides ready to use content for configuring basic workflow scenarios

Complex criteria can be coded for routing requests and determining workflow and notification recipients by using ABAP code

Workflow recipients can be easily determined by using role and user group assignments

Email notification can be customized on specific events

New request form improves user adoption with a consistent user experience in all GRC components

No ABAP development skills are required for setting up rules using the SAP Business Rule Framework

Thank You!

Contact information:

Luis BustamanteCustomer Solution Adoption (GRC)[email protected]


No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.Oracle is a registered trademark of Oracle Corporation.UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc.JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape. SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

© 2011 SAP AG. All rights reserved

Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.

Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company.All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG.This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice.SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence.The statutory liability for personal injury and defective products is not affected. SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.

Documents

AC10.0-Customizing Workflows for AccessManagement