Customer Solution Adoption, June 2011
AC 10.0 Customizing Workflows for Access Management
Version 2.0
Purpose of this document
This document enables implementation consultants and administrators to set up the functionality required for enabling the workflow engine in AC 10.0. You will learn the main components of the new workflow engine and how to customize them, as well as how to create agents and initiators using Function Modules and BRFplus.
© 2011 SAP AG. All rights reserved. 3
Disclaimer
This presentation outlines our general product direction and should not be relied on in making a purchase decision. This presentation is not subject to your license agreement or any other agreement with SAP. SAP has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation. This presentation and SAP's strategy and possible future developments are subject to change and may be changed by SAP at any time for any reason without notice. This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this document, except if such damages were caused by SAP intentionally or grossly negligent.
Agenda
Workflows in Access Control
Streamlined User Access Management in SAP BusinessObjects Access Control 10.0
Configuring MSMP Workflows
Extending Workflows Using Function Modules
Extending Workflows Using BRFplus
Wrap-Up
Workflows in Access Control
Structure of a Workflow
Access Control’s Compliant User Provisioning Functionality
Standard Path: Initiator → Stage 1 → Stage 2 → ... → Stage n → Provisioning (optional)
Detour Path: Stage 1 → ... → Stage n → Provisioning (optional)
Streamlined User Access Management in SAP BusinessObjects Access Control 10.0
New Feature Highlights
Streamlined User Access Management

Focus Area: Access Control Harmonization
What Does It Do? Unifies all Access Control capabilities on a standardized ABAP platform, offering enterprise supportability, granular security, transport, and archiving.
What Is the Value? Lowers TCO by eliminating redundancy in administration, configuration, setup, and end-user training.

Focus Area: Unified Compliance Platform
What Does It Do? Harmonizes Access Control with Risk Management and Process Control, offering shared processes, data, and user interface across the GRC suite.
What Is the Value? An enterprise GRC platform approach allows you to have complete management of all risks and controls from a single environment.

Focus Area: Streamlined User Access Management
What Does It Do? Standardizes on improved workflow that supports flexible, multi-tiered routing and approval matrices. Dynamic user request forms based on the user or system selected.
What Is the Value? Tailoring of routing requirements for simple to highly complex organizations. New request forms improve user adoption and usability.

Focus Area: Business Role Governance
What Does It Do? Provides a standardized role compliance framework, centralized across organizations, systems, and applications. Translates roles into terms business users can understand.
What Is the Value? Streamlines management of technical roles and eases identification and selection of appropriate roles for users, positions, and jobs.

Focus Area: Centralized Emergency Access
What Does It Do? Centralizes firefighting and administration across all systems. New workflow provides an auditable process for tracking log report approval.
What Is the Value? Reduces the effort required to grant and provision emergency access to multiple systems. Provides a structured, documented process around emergency access.

Focus Area: Improved Identity Management Integration
What Does It Do? Improves compliant provisioning for customers already using IdM. Allows for initiation of risk analysis and remediation from IdM or enables use of IdM to provision compliant requests.
What Is the Value? Provides flexibility to ensure an enterprise-wide, compliant provisioning process.
Streamlined User Access Management
SAP BusinessObjects Access Control 10.0
Access Control standardizes on SAP Business Workflow technology and supports more flexible and tailored access request and approver views, simplifying the provisioning process.

Solution Enhancements
• Standardized on SAP Business Workflow technology
• Access request enhancements:
  • New customizable access request forms
  • New template-based access requests
  • New position-based role assignment requests
  • New end-user display of profile, access assignments, and request history
• Enhanced search for roles, groups, and systems based on authorization
• New customizable approver views
• New multiple rule set support
• Enhanced periodic reviews for user access and access risks

Key Benefits
• Business workflow reduces manual tasks and streamlines access request processing
• Leverage existing resources for workflow administration and configuration
• Faster and easier for users to request the roles they need
• Utilize existing HR structure for automated and compliant position-based role assignment
• Improved security and richer request context
Workflow Key Terms in SAP BusinessObjects AC 10.0
Mapping Previous Workflow Terms to the New Workflow Functionality
(Table mapping SAP BusinessObjects AC 5.X workflow terms to SAP BusinessObjects AC 10.0 terms not reproduced in this extract.)
• One process ID can have multiple request types:
  • Access Request: Create Request, Change Request, etc.
  • Function Approval: Update Function, Delete Function, etc.
• One initiator rule is able to trigger multiple paths based on the rule result value
Configuring MSMP Workflows
Prerequisites
The following configuration should have been completed as part of the initial post-installation steps:
• GRC_MSMP_CONFIGURATION BC Set has been enabled
• Perform Automatic Workflow Customizing
• Perform Task-Specific Customizing
• Activate Event Linkage
• Define number ranges for Access Requests
• Connectors assigned to the PROV integration scenario
Roles and Users
Please create users and roles as required. You need at least the admin for configuration, an approver and a standard business user for request creation.
For workflow maintenance:
• SAP_GRAC_MSMP_WF_ADMIN_ALL: Administrator role for MSMP workflows
• SAP_GRAC_MSMP_WF_CONFIG_ALL: Configuration role for MSMP workflows
For workflow management:
• SAP_GRAC_ACCESS_APPROVER: Approver for Access Request and User Access Review
• SAP_GRAC_CONTROL_APPROVER: Approver for Control Maintenance and Assignment requests
• SAP_GRAC_SUPER_USER_MGMT_OWNER: Approver for Firefighter Log
• SAP_GRAC_FUNCTION_APPROVER: Approver for Function Maintenance
• SAP_GRAC_RISK_OWNER: Approver for Risk Maintenance and SoD Risk Review
• SAP_GRAC_ROLE_MGMT_ROLE_OWNER: Approver for Role Maintenance
Configuration Parameters
The configuration parameters are set in IMG under Governance, Risk and Compliance → Access Control → Maintain Configuration Settings. Make sure they reflect your needs.
Provisioning Settings
The provisioning settings are configured in IMG under Governance, Risk and Compliance → Access Control → User Provisioning → Maintain Provisioning Settings. Maintain at least the Global Provisioning settings.
Maintain MSMP Workflow
Overview
The configuration tool can be launched in IMG under Governance, Risk and Compliance → Access Control → Workflow for Access Control → Maintain MSMP Workflows.
These activities allow you to customize and maintain the Multi-Stage Multi-Path (MSMP) process workflows for Access Control 10.0
Ready to use components are delivered by SAP under BC Set GRC_MSMP_CONFIGURATION
Maintain MSMP Workflow
1. Process Global Settings
In this step, settings that apply to all process IDs are configured, such as escape conditions and notification settings.
Predelivered Process IDs:
• Access Request Approval Workflow
• Access Request Approval Workflow for HR OM Objects
• Control Assignment Approval Workflow
• Mitigation Control Maintenance Workflow
• Fire Fighter Log Report Review Workflow
• Function Approval Workflow
• Risk Approval Workflow
• Role Approval Workflow
• SOD Risk Review Workflow
• User Access Review Workflow
Maintain MSMP Workflow 2. Maintain Rules
There are different Rule Kinds according to the rule’s objective:
• Initiator Rule
• Agents Rule
• Routing Rule
• Notification Variables Rule
Rules can be coded in different ways; these are the different Rule Types:
• Function Module Based Rule
• ABAP Class Based Rule
• BRFplus Rule
Maintain Rules includes a list of all available rules to be used when configuring a workflow. If a new rule is created it must be added to this list. This is also where the default initiator is configured.
Maintain MSMP Workflow
2. Maintain Rules: Rule Kinds
Rule Kinds:
• Initiator Rule – determines the path upon submission of the request
• Agents Rule – determines the recipients of a stage
• Routing Rule – determines a detour routing based upon an attribute of the request (for example, SoD Violations Exist, Training Verification, No Role Owner)
• Notification Variables Rule – determines the variable values at runtime used in the notification e-mails.
Maintain MSMP Workflow
2. Maintain Rules: Rule Types
Rule Types:
• BRFplus Rule: a rule defined in the BRFplus application to fetch rule results, depending on conditions inside the rule.
• Function Module Based Rule: a function module is coded to output rule results.
• ABAP Class Based Rule: an ABAP class is coded to output rule results.
• BRFplus Flat Rule (Line-item by Line-item): a BRFplus rule which is defined for only one line item (the rule will be called once for each line item in the request). Also referred to as BRF+ Easy.
Maintain MSMP Workflow
2. Maintain Rules: Results for Initiator and Routing Rules
A list of all possible results returned by an initiator/routing rule must be maintained using the Results button. These values will be mapped to a path in step 6.
Maintain MSMP Workflow
3. Maintain Agents
A list of all available agents for a workflow is maintained in step 3. Agents have a type and a purpose assigned.
Agent Purpose
• Notification: Recipients for email
• Approval: Recipients to process request
Agent Types
• API Rules, coded as per rule’s type
• Directly Mapped Users
• PFCG Roles, and
• User Groups
Maintain MSMP Workflow
3. Maintain Agents: Agent Types
• Directly Mapped Users
• PFCG Roles
• PFCG User Groups
• GRC API Rules
Maintain MSMP Workflow
3. Maintain Agents: Directly Mapped Users
Directly Mapped Users allow you to define static user groups.
Maintain MSMP Workflow
3. Maintain Agents: PFCG Roles and User Groups
These two agent types determine the recipients of a workflow based on a role or a user group assignment.
Maintain MSMP Workflow
3. Maintain Agents: GRC API Rules
API to be completed
This agent type will determine the recipients based on a rule maintained in step 2.
Maintain MSMP Workflow
4. Variables and Templates
In this step all templates for email notifications are maintained. The templates are created using transaction SE61.
Notifications can be sent on different events, such as:
• New Work Item
• Approval
• Rejection
• Escalation
• Request submission
• Request closure
• Reminder
This topic is covered in a separate guide in detail, please check the references at the end of the presentation
Maintain MSMP Workflow 5. Maintain Paths
Here the actual workflows are configured. Multiple paths relevant to a specific Process ID are configured by assigning a sequence of stages.
Each stage is configured in this screen, as well as the notification settings specific to the stage.
Maintain MSMP Workflow 5. Maintain Paths: Stage Details
Stage settings specific to Path and Stage Sequence Number
Default Stage Details Settings
Stage details can be configured globally for the specific process ID and can be overwritten at a specific path/stage sequence.
Maintain MSMP Workflow 5. Maintain Paths: Modify Task Settings
When adding a stage to a path it is possible to configure all stage settings by clicking on Modify Task Settings. These settings will apply to the stage anytime this is used in a particular path.
Maintain MSMP Workflow
6. Maintain Route Mapping
In this step you define the mapping between rule results and paths to route the requests.
The Global Initiator must always be used; if multiple paths are required, the Global Initiator must return different result values.
Routing rules for detours can be added here as well.
Maintain MSMP Workflow
7. Generate Versions
In the last step all changes will be saved and activated. If necessary, a transport request can be configured.
Extending Workflows Using Function Modules
Creating a Function Module Rule
Overview
Function Module rules allow developers to create complex rules using ABAP code. These are the activities needed for creating a FM rule:
• Create Function Group in SE37: Function Modules will be added to the group
• Define Workflow Related MSMP Rules: For generating the FM rule content from a template before maintaining it.
• Maintain Function Module in SE37: For maintaining the FM rule contents.
Create Function Group in SE37
Preparing for creating a Function Module
Go to SE37 and create a Function Group as shown below.
Define Workflow Related MSMP Rules
Generating a Function Module
Generate each Rule ID (FM) to the Function Group created in the previous step. Testing of the rule is optional and will be done when the rule is generated. After generation the FM will be ready to be maintained.
Maintain Function Module in SE37
Customizing the ABAP code
Now you can maintain the FM content in SE37. A default template is created on generation.
Extending Workflows Using BRFplus
Business Rule Framework
Overview
• The BRFplus Workbench is a User Interface (UI) that enables users to define, test and maintain rules for various business scenarios without the need for ABAP code. Rules can be created for initiators, agents, and also for routing workflows on specific conditions.
Creating a BRFplus Rule
Overview
There are two main activities that are relevant to maintaining BRFplus rules; they are located in IMG under Governance, Risk and Compliance → Access Control → Workflow for Access Control:
• Define Workflow Related MSMP Rules: For generating the rule before maintaining it
• Define Business Rule Framework: Launches the UI for maintaining the rule’s conditions using BRFplus
Define Workflow Related MSMP Rules
Overview
Using this activity you can create rules for initiators, agents, and for routing. This will only create an empty rule that will be maintained later
Define Workflow Related MSMP Rules
Rule Info
Generate each Rule ID (Function) to its own unique application/Funct. Group when using BRF rules.
Define Workflow Related MSMP Rules
Generation of Options
Select both Generate Rule and Generate Result Work-Area
Define Workflow Related MSMP Rules
Test Rule
FM Rules can be tested on generation. Testing for BRF Rules can be executed once the rule has been activated
Define Business Rule Framework
Maintaining Conditions
Using this activity you maintain the request fields that will be checked in a decision table.
The decision table is empty by default and is located under Expression → Decision Table, where the necessary request fields can be added by inserting columns.
Setting up an Initiator/Agent Rule
Table Settings
By using the Table Settings button the condition columns can be maintained.
Setting up an Initiator/Agent Rule
Condition Columns
In the Conditions Columns, click Insert Column, then select Context Data Objects in order to add items that will be used as the Condition Factors in the Decision Table:
Setting up an Initiator/Agent Rule
Condition Columns
Navigate to the structure that contains the Condition Items: GRAC_S_REQUEST_RULE_HEADER. Notice that custom fields will only be available to rules created AFTER the creation of the custom field.
Setting up an Initiator/Agent Rule
Condition Columns
Items can be selected from multiple structures; role line items are located in structure GRAC_S_REQUEST_RULE_LINE.
Setting up an Initiator/Agent Rule
Table Settings
The Condition columns are now selected into the Decision Table settings.
• Click OK, on the bottom of the screen, to complete Table Settings:
Setting up an Initiator/Agent Rule
Decision Table Values
Click on Insert New Row to configure new conditions statements and results:
Setting up an Initiator/Agent Rule
Decision Table Values
Now the Condition Statement can be configured.
• Click the icon in each field. Select Direct Value Input to enter value(s) for the Condition:
Setting up an Initiator/Agent Rule
Decision Table Values
Input each Condition Statement:
• Choose the Expression Type (is equal to, is not equal to) from the dropdown list.
• Enter the value that the Condition should match. Use the icon to enter additional (OR) Condition Values, if needed, to complete the Condition Statement.
• Repeat, as needed, for other Condition fields:
Setting up an Initiator/Agent Rule
Condition Statements
Condition Example:
The condition statement above means:
• Request Type is equal to 001 and Priority is NOT equal to 001, and Employee Type is between 000 and 999
• If all of the conditions are true, then the statement is true and will return the result value(s)
Note:
• All condition statements can be easily imported and exported to Microsoft Excel
Setting up an Initiator/Agent Rule
Result Columns
Finally, set the results column values. The result objects are highlighted in green.
• Initiator/Routing Rules: the result column is RULE_RESULT, which will be used for mapping the path in the MSMP Workflow Configuration
• Agent Rules: the result column is USER_ID, which will return an agent (notification or approval).
Notes:
• Always configure LINE_ITEM_KEY with Context Parameter ITEMNUM.
• Remember to add a “catch-all” entry with no values if needed
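As an added illustration (not BRFplus or SAP code, and not part of the original deck), the following Python models how a decision table like the one above evaluates its condition statements row by row, how the RULE_RESULT of the Global Initiator feeds the step 6 route mapping (with a catch-all row so that no request goes unrouted), and how a line-item agent rule is called once per role line and returns USER_ID with LINE_ITEM_KEY. The column names (REQUEST_TYPE, PRIORITY, EMPLOYEE_TYPE, ROLE_NAME), result values, user IDs and path IDs are constructed for the example; only RULE_RESULT, USER_ID, LINE_ITEM_KEY and ITEMNUM come from the slides.

```python
"""Toy model of an MSMP initiator rule (BRFplus decision table), route mapping
and a line-item agent rule. Illustration only: not BRFplus or SAP code.
Column names, rule results, user IDs and path IDs are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Predicate = Callable[[str], bool]


# Expression types offered in the decision table's Direct Value Input dialog.
def is_equal_to(value: str) -> Predicate:
    return lambda x: x == value


def is_not_equal_to(value: str) -> Predicate:
    return lambda x: x != value


def between(low: str, high: str) -> Predicate:
    # String comparison works for zero-padded codes such as 000..999.
    return lambda x: low <= x <= high


@dataclass
class Row:
    # column name -> predicate; a column left empty in the UI imposes no restriction.
    conditions: Dict[str, Predicate]
    result: str

    def matches(self, ctx: Dict[str, str]) -> bool:
        # A row is true only if ALL of its condition statements are true.
        return all(pred(ctx.get(col, "")) for col, pred in self.conditions.items())


@dataclass
class DecisionTable:
    result_column: str  # RULE_RESULT for initiator/routing rules, USER_ID for agent rules
    rows: List[Row]

    def evaluate(self, ctx: Dict[str, str]) -> Optional[str]:
        # Rows are checked top to bottom and the first match wins (assumes the
        # table is not set to return all matches). None means no row matched.
        for row in self.rows:
            if row.matches(ctx):
                return row.result
        return None


# Initiator rule modelled on the slide's condition example: Request Type is equal
# to 001 AND Priority is not equal to 001 AND Employee Type is between 000 and 999.
INITIATOR = DecisionTable("RULE_RESULT", [
    Row({"REQUEST_TYPE": is_equal_to("001"), "PRIORITY": is_not_equal_to("001"),
         "EMPLOYEE_TYPE": between("000", "999")}, "STANDARD"),
    Row({"REQUEST_TYPE": is_equal_to("001"), "PRIORITY": is_equal_to("001")}, "URGENT"),
    Row({}, "DEFAULT"),  # catch-all row with no values: matches any remaining request
])

# Step 6 route mapping: every result listed under the Results button maps to a path.
ROUTE_MAPPING = {"STANDARD": "AR_STANDARD_PATH", "URGENT": "AR_MANAGER_PATH",
                 "DEFAULT": "AR_STANDARD_PATH"}


def route_request(header: Dict[str, str]) -> str:
    """Return the path ID the Global Initiator selects for a request header."""
    result = INITIATOR.evaluate(header)
    if result is None:
        raise ValueError("initiator produced no result; add a catch-all row")
    if result not in ROUTE_MAPPING:
        raise ValueError(f"result {result!r} is not mapped to a path in step 6")
    return ROUTE_MAPPING[result]


def unmapped_results(table: DecisionTable, mapping: Dict[str, str]) -> List[str]:
    """Configuration check: results the table can return that the mapping lacks."""
    return sorted({row.result for row in table.rows} - set(mapping))


# Agent rule as a BRFplus flat (line-item) rule: evaluated once per role line,
# returning USER_ID and echoing the item number as LINE_ITEM_KEY.
AGENT = DecisionTable("USER_ID", [
    Row({"ROLE_NAME": is_equal_to("Z_FI_AP_CLERK")}, "FI_ROLE_OWNER"),
    Row({"ROLE_NAME": is_equal_to("Z_HR_PAYROLL")}, "HR_ROLE_OWNER"),
])


def approvers_for_lines(lines: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One rule call per line item; a line with no matching row yields no approver."""
    out = []
    for line in lines:
        user = AGENT.evaluate(line)
        if user is not None:
            out.append({"LINE_ITEM_KEY": line["ITEMNUM"], "USER_ID": user})
    return out
```

A line item that returns no approver is the situation a "No Role Owner" routing rule (see Rule Kinds) is meant to detour, which is why the agent table above deliberately has no catch-all row while the initiator does.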
Setting up an Initiator/Agent Rule
Save Changes
You need to make sure there is a green light next to the decision table and function names. You need to click on Save and then Activate to achieve this.
Now you are ready to use your BRFplus rule in MSMP Workflows. Notice that you will use the Function ID instead of the rule name.
Wrap-Up
Resources
AC 10.0 How to Customize Notification Templates: http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/605077fc-3577-2e10-e1a6-a743514d4eb3
SAP Community Network: http://www.sdn.sap.com/irj/bpx (go to Key Topics → Access Control)
SAP Service Marketplace Documentation*: https://service.sap.com/instguides
SAP Help: http://help.sap.com (go to SAP Business User → GRC Solutions)
SAP BusinessObjects GRC Solutions: http://www.sap.com/grc
* Requires login credentials to the SAP Service Marketplace
Wrap-Up
SAP’s comprehensive approach to GRC leverages the standard SAP Business Workflow technology
SAP provides ready to use content for configuring basic workflow scenarios
Complex criteria can be coded for routing requests and determining workflow and notification recipients by using ABAP code
Workflow recipients can be easily determined by using role and user group assignments
Email notification can be customized on specific events
New request form improves user adoption with a consistent user experience in all GRC components
No ABAP development skills are required for setting up rules using the SAP Business Rule Framework
No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice. Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.
Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation. IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation. Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries. Oracle is a registered trademark of Oracle Corporation. UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group. Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc. HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C®, World Wide Web Consortium, Massachusetts Institute of Technology. Java is a registered trademark of Sun Microsystems, Inc. JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.
SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP BusinessObjects Explorer, StreamWork, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.
Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects Software Ltd. Business Objects is an SAP company.
Sybase and Adaptive Server, iAnywhere, Sybase 365, SQL Anywhere, and other Sybase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Sybase, Inc. Sybase is an SAP company. All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary. The information in this document is proprietary to SAP. No part of this document may be reproduced, copied, or transmitted in any form or for any purpose without the express prior written permission of SAP AG. This document is a preliminary version and not subject to your license agreement or any other agreement with SAP. This document contains only intended strategies, developments, and functionalities of the SAP® product and is not intended to be binding upon SAP to any particular course of business, product strategy, and/or development. Please note that this document is subject to change and may be changed by SAP at any time without notice. SAP assumes no responsibility for errors or omissions in this document. SAP does not warrant the accuracy or completeness of the information, text, graphics, links, or other items contained within this material. This document is provided without a warranty of any kind, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP shall have no liability for damages of any kind including without limitation direct, special, indirect, or consequential damages that may result from the use of these materials. This limitation shall not apply in cases of intent or gross negligence. The statutory liability for personal injury and defective products is not affected.
SAP has no control over the information that you may access through the use of hot links contained in these materials and does not endorse your use of third-party Web pages nor provide any warranty whatsoever relating to third-party Web pages.