A Complete Guide to Automate User Provisioning by Integrating SAP Access Control with SAP ERP HCM

Johan Wouters, Expertum

Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2015 Wellesley Information Services. All rights reserved.


In This Session

• Understand the main purpose of HR integration with SAP Access Control
• Look at ARM as an important SAP Access Control component
• Understand the interaction process flow between HR and GRC
• Take advantage of HR triggers to automate (de-)provisioning in ARM
• Investigate possible hurdles

SAP Access Control as an integration tool to streamline HR and user management processes

Focus on SAP Access Control release 10.0/10.1

What We’ll Cover

• Objective of integrating SAP ERP HCM with SAP Access Control
• SAP Access Control components with special role for ARM
• HR Trigger as integration point with ARM
• Provisioning engine as key feature for ARM
• Commonly used HR scenarios
• Lessons learned
• Wrap-up

What We’ll Cover (cont.)

• Objective of integrating SAP ERP HCM with SAP Access Control

HR vs. User Access Management

New Hire
• Create user
• Password communication

Contract Extension
• Change validity period for user

Position Change
• Remove old access rights
• (Support hand-over period)
• Provide new access rights

HR vs. User Access Management (cont.)

Termination
• Lock user
• Change validity period for user
• Remove access rights

Extended leave
• Lock user

Rehire
• Unlock user
• Change validity period for user

HR vs. User Access Management (cont.)

• Communication fails
• Double maintenance
• More time consuming

(Diagram: HR | User Access Management)

Objectives

• Solution for key communication failure
• Integration of two separate processes into one
• Automation, acceleration, correction

(Diagram: HR | SAP Access Control | User Access Management)

Process Flow Using SAP Access Control

HR: Update HR Master Data → GRC: Creation of Access Request → Approval Workflow → Provisioning → Back End

What We’ll Cover

• SAP Access Control components with special role for ARM

SAP Access Control — Components

• ARM: Access Request Management
• ARA: Access Risk Analysis
• EAM: Emergency Access Management
• BRM: Business Role Management
• UAR: User Access Review
• RT: Risk Terminator

Process Flow Using SAP Access Control

HR: Update HR Master Data → GRC: Creation of Access Request → Approval Workflow → Provisioning → Back End

ARM — Access Request Management Overview

• Homogenized process for user access requests
• Automated access provisioning, requesting approval from the appropriate business and risk owner
• Preventive SoD analysis at time of request
• User access assignment/removal in back-end systems
• Automatic logging of request approvals and modifications

(Diagram: ARM between BRM and ARA)

ARM — Process Overview

Flowchart (reconstructed from the slide labels):

1. User initiates request
2. Role Owner: Approve? No → Mail. Yes → continue
3. Risk? No → Provisioning → Mail. Yes → Mitigate Risk
4. Owner: Approve? Yes → Provisioning → Mail. No → Mail

ARM — Workflow

• Standard MSMP workflow process
• BRF+ to initiate and route access requests

Creation of Access Request → MSMP Approval Workflow (routing by BRF+)

What We’ll Cover

• HR Trigger as integration point with ARM

Process Flow Using SAP Access Control

HR: Update HR Master Data → HR Trigger → GRC: Creation of Access Request → Approval Workflow → Provisioning → Back End

HR Data Relevant for User Access Management

• When registering HR processes in SAP, different data elements (infotypes) are maintained that are also used in the User Master Data
• Examples: User ID, user contact details (email, phone, ...), user validity, first name, last name

Check on the GRC system the structure /GRCPI/GRIA_S_VALIDUSERDATA_HR to see which HR master data is fetched

Setup — HR Plug-In System

• Installation of components GRCPINW and GRCPIERP
• RFC connections: HR Plug-in Connector, GRC connector
  (Use system client naming; protect with generic RFC user)
• Configuration parameters:

  Param ID   Short description                    Value
  1000       Please maintain Plug-in Connector    HR Plug-in RFC connector
  1001       Please maintain GRC Connector        GRC RFC Connector
  1003       Enable HR trigger                    Yes

Setup — SAP Access Control

• Installation of component GRCFND_A
• Customizing activities: RFC connection for GRC; mapping to connector group; linking to integration scenarios

SAP Note 1562760 – Integration scenarios to connector link

Setup — SAP Access Control (cont.)

• Customizing activities: linking to application type and environment; mapping to actions and connector group
  Actions: 0004 (Provisioning), 0005 (HR Trigger)

Perform field mapping if specific HR data needs to be mapped with GRC access requests

Setup — SAP Access Control (cont.)

• Customizing activities (cont.): Request type

Create new request types:
- Independent of normal access request flow
- With clear description

Setup — SAP Access Control (cont.)

• Customizing activities (cont.): BRF+ mapping
  BRF+ Function ID > rule logic

Setup — SAP Access Control (cont.)

• Customizing activities (cont.): BRF+ Function ID > rule logic
  Options: BRF+ rule with decision table, or BRF+ rule linked to ABAP class
  Decision: choose complete logic in BRF+, or choose BRF+ in combination with ABAP coding

SAP Note 1591291 – GRC 10.0 – HR Trigger configuration: Building BRF+ Rule using Procedure Call

Setup — SAP Access Control (cont.)

• Customizing activities (cont.): BRF+ rule logic building
  HR data = input criteria: infotypes/subtypes, technical fields, values
  Output = Action ID

  Input       Output
  HR data 1   Action ID 1
  HR data 2   Action ID 2
  HR data 3   Action ID 3

Setup — SAP Access Control (cont.)

• Customizing activities (cont.): HR Trigger settings
  Enter Action ID, Request Type and Connector

For Action ID, use a clear naming convention in ID (max. 5 characters) and description

Setup — SAP Access Control (cont.)

(Screenshot: HR Trigger settings with columns Action ID, Request Type, Connector)
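The decision table and HR Trigger settings from the slides above, worked through as a small simulation. This is an added example written for this page, not SAP code or the presenter's material: the decision-table rows, the MASSN action type values, the Action IDs, request types and connector names are all constructed, and the HrEvent dataclass merely stands in for the infotype update the HR plug-in receives in IN_UPDATE.

```python
"""Simulation of the HR Trigger routing logic (added example, not SAP code):
an HR infotype update is matched against a BRF+-style decision table that
returns an Action ID, and the HR Trigger settings then map that Action ID
to a request type and a connector. All table rows, Action IDs, request
types, connector names and events below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "*"  # empty cell in a decision table: matches any value


@dataclass(frozen=True)
class HrEvent:
    """One infotype change as the HR plug-in would see it in IN_UPDATE."""
    pernr: str       # personnel number
    infotype: str    # e.g. "0000" Actions, "0001" Organizational Assignment
    subtype: str
    field: str       # technical field name of the infotype
    value: str
    operation: str   # "INS", "UPD" or "DEL"


# Decision table: (infotype, subtype, field, value, operation) -> Action ID.
# Rows are evaluated top-down; the first matching row wins.
# The MASSN values are constructed; action type codes are customer-specific.
DECISION_TABLE: List[tuple] = [
    (("0000", ANY, "MASSN", "01", "INS"), "NEWHR"),   # hiring action
    (("0001", ANY, "PLANS", ANY, "UPD"), "POSCH"),    # position changed
    (("0000", ANY, "MASSN", "10", "INS"), "TERM"),    # leaving action
]

# HR Trigger settings: Action ID -> request type and connector (constructed).
HR_TRIGGER_SETTINGS: Dict[str, Dict[str, str]] = {
    "NEWHR": {"request_type": "ZHR_NEWHIRE", "connector": "HCM_CLNT100"},
    "POSCH": {"request_type": "ZHR_POSCHG", "connector": "HCM_CLNT100"},
    "TERM": {"request_type": "ZHR_TERM", "connector": "HCM_CLNT100"},
}


def invalid_action_ids(settings: Dict[str, Dict[str, str]]) -> List[str]:
    """Return Action IDs that break the 5-character limit named on the slide."""
    return [action_id for action_id in settings if len(action_id) > 5]


def evaluate_decision_table(event: HrEvent) -> Optional[str]:
    """First matching row wins; None means no rule fired, so no request."""
    key = (event.infotype, event.subtype, event.field, event.value, event.operation)
    for pattern, action_id in DECISION_TABLE:
        if all(cell == ANY or cell == actual for cell, actual in zip(pattern, key)):
            return action_id
    return None


def route_event(event: HrEvent) -> Optional[Dict[str, str]]:
    """Combine decision table and HR Trigger settings into a request header.

    An Action ID without HR Trigger settings is a configuration gap and is
    reported as an error rather than silently dropped."""
    action_id = evaluate_decision_table(event)
    if action_id is None:
        return None
    try:
        setting = HR_TRIGGER_SETTINGS[action_id]
    except KeyError:
        raise KeyError(f"Action ID {action_id!r} has no HR Trigger settings") from None
    return {"pernr": event.pernr, "action_id": action_id, **setting}


if __name__ == "__main__":
    hire = HrEvent("00001234", "0000", "", "MASSN", "01", "INS")
    print(route_event(hire))
    name_change = HrEvent("00001234", "0002", "", "NACHN", "Smith", "UPD")
    print(route_event(name_change))  # None: a name change is not access-relevant
```

The point of keeping the decision table and the HR Trigger settings as two separate lookups is the same as on the slides: the rule logic decides whether an HR change is access-relevant at all, and an Action ID that exists in the rule but not in the settings is a configuration error that should surface, not an event that quietly never creates a request.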

Process Flow Using SAP Access Control

HR: Update Master Data → GRC: Creation of Access Request

Technical components along this path:
• Class /GRCPI/CL_IM_GRIA_HRINFADD, Method IF_EX_HRPAD00INFTY~IN_UPDATE
• Function Module GRAC_HR_TRIGGER_EVENT_RECIEVER
• Class CL_GRAC_HR_TRIGGER, Method CREATE_REQUEST

What We’ll Cover

• Provisioning engine as key feature for ARM

Process Flow Using SAP Access Control

HR: Update HR Master Data → GRC: Creation of Access Request → Approval Workflow → Provisioning → Back End

Setup for Provisioning

• Installation of component for all provisioning systems, and for CUA (if in use)
• Customizing activities: CUA settings (if in use)

(Diagram: CUA model distribution from the central client of the global system to Child 1 and Child 2)

Setup for Provisioning (cont.)

• Provisioning settings: global provisioning, system provisioning

  Setting                 Recommendation
  Provisioning Type       Direct
  Provisioning Options    Auto provisioning at end of request
  Role assignment         Provisioning effective immediately
  E-mail status           Sent password = YES

System provisioning overrules global provisioning

What We’ll Cover

• Commonly used HR scenarios

Commonly Used HR Triggers

• New hire
• Position change
• Termination

New Hire

• HR functionality: PA30/PA40 procedure; future new hire
• GRC functionality: creation of user ID; automatic generation of password; automatic multi-system provisioning

Improve process with user defaults and default roles

New Hire (cont.)

(Screenshot)

Position Change

• HR functionality: PA40 procedure; update of position
• GRC functionality:
  Standard: use of position-based security role(s) related to the position for the access request
  Not standard: delimit current role assignments to 60 days; validation of current and required access

Position Change (cont.)

(Screenshot)

Termination

• HR functionality: PA40 procedure; future termination
• GRC functionality: delimitation of user ID; automatic multi-system provisioning

Removal or delimitation of role assignments requires custom development

Termination (cont.)

(Screenshot)
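The three scenarios above (new hire, position change, termination) as a simulation of their effect on a user record once provisioning has run. This is an added example, not SAP code or the presenter's material: the User and RoleAssignment structures, the role names, the dates and the 60-day hand-over constant are constructed for illustration, and GRC's actual data model differs. It also includes the "validation of current and required access" from the position-change slide as a simple delta function.

```python
"""Simulation of the three HR scenarios (added example, not SAP code):
what new hire, position change and termination do to a user record once
the access request is provisioned. Structures, role names, dates and the
60-day hand-over constant are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple

END_OF_TIME = date(9999, 12, 31)   # SAP-style "unlimited" validity
HANDOVER_DAYS = 60                 # slide: delimit current roles to 60 days


@dataclass
class RoleAssignment:
    role: str
    valid_from: date
    valid_to: date = END_OF_TIME


@dataclass
class User:
    user_id: str
    valid_from: date
    valid_to: date = END_OF_TIME
    locked: bool = False
    roles: List[RoleAssignment] = field(default_factory=list)


def active_roles(user: User, on: date) -> List[str]:
    """Roles valid on a given day; empty outside the user's own validity."""
    if not (user.valid_from <= on <= user.valid_to):
        return []
    return sorted(ra.role for ra in user.roles if ra.valid_from <= on <= ra.valid_to)


def new_hire(users: Dict[str, User], user_id: str, hire_date: date,
             default_roles: Iterable[str]) -> User:
    """Create the user with its validity start and the default roles.
    A future hire date simply yields a user that is not yet valid."""
    if user_id in users:
        raise ValueError(f"user {user_id} already exists; use the rehire scenario")
    user = User(user_id, hire_date,
                roles=[RoleAssignment(r, hire_date) for r in default_roles])
    users[user_id] = user
    return user


def position_change(user: User, change_date: date,
                    position_roles: Iterable[str]) -> User:
    """Delimit roles of the old position to a hand-over period, keep roles the
    new position still needs, and add the new position-based roles."""
    wanted = set(position_roles)
    handover_end = change_date + timedelta(days=HANDOVER_DAYS)
    for ra in user.roles:
        if ra.role not in wanted and ra.valid_to > handover_end:
            ra.valid_to = handover_end       # delimit, do not delete
    present = {ra.role for ra in user.roles if ra.valid_to >= change_date}
    for role in sorted(wanted - present):
        user.roles.append(RoleAssignment(role, change_date))
    return user


def termination(user: User, leaving_date: date) -> User:
    """Lock the user, end its validity and delimit every role assignment
    (the part the slide notes as requiring custom development)."""
    user.locked = True
    user.valid_to = min(user.valid_to, leaving_date)
    for ra in user.roles:
        if ra.valid_to > leaving_date:
            ra.valid_to = leaving_date
    return user


def access_delta(user: User, required: Iterable[str],
                 on: date) -> Tuple[List[str], List[str]]:
    """Validation of current vs. required access: (missing, excess)."""
    current = set(active_roles(user, on))
    needed = set(required)
    return sorted(needed - current), sorted(current - needed)


if __name__ == "__main__":
    users: Dict[str, User] = {}
    u = new_hire(users, "JDOE", date(2015, 6, 1), ["Z_BASE_USER"])
    u.roles.append(RoleAssignment("Z_SALES_CLERK", date(2015, 6, 1)))
    position_change(u, date(2015, 9, 1), ["Z_BASE_USER", "Z_SALES_MANAGER"])
    print(active_roles(u, date(2015, 10, 31)), active_roles(u, date(2015, 11, 1)))
    termination(u, date(2015, 12, 31))
    print(access_delta(u, ["Z_BASE_USER", "Z_FI_AP"], date(2015, 12, 31)))
```

Delimiting rather than deleting is what makes the hand-over period on the position-change slide possible; the termination function then clamps every validity end to the leaving date, so nothing survives past it even if a hand-over window was still open.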

What We’ll Cover

• Lessons learned

Lessons Learned

• HR communication queue (SMQ1): ensure a monitoring process is in place (for example: extract of SM58)
• HR Customizing changes in the PA30/PA40 procedure can impact the integration with GRC
• Upgrades in any of the involved systems may impact your integration flow: HCM – GRC – Back-end systems
  Communication; intensive testing
• Shared data is critical to the GRC process
  Procedures
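A minimal monitor over an exported queue list, in the spirit of the SMQ1/SM58 monitoring lesson above. This is an added example, not SAP code or the presenter's material: the extract format (one entry per line, four ';'-separated fields) and the sample lines are constructed for this example, the 30-minute threshold is an assumption, and only the function module name is taken from the slides. A real SMQ1/SM58 export has a different layout, so parse_extract is the part to adapt.

```python
"""Added example (not SAP code): flag stuck outbound HR-trigger queue entries
in an exported list. The extract format is constructed for this example:
    timestamp;RFC destination;status text;function module
Real SMQ1/SM58 exports look different; only parse_extract would change."""
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List

MAX_AGE = timedelta(minutes=30)   # assumed threshold for "still unsent" entries

# Constructed sample extract; the function module name is the one on the slides.
SAMPLE_EXTRACT = """\
2015-03-30 08:01:12;GRC_CLNT100;Recorded;GRAC_HR_TRIGGER_EVENT_RECIEVER
2015-03-30 08:05:40;GRC_CLNT100;Connection error;GRAC_HR_TRIGGER_EVENT_RECIEVER
2015-03-30 09:15:03;GRC_CLNT100;Recorded;GRAC_HR_TRIGGER_EVENT_RECIEVER
"""


def parse_extract(extract: str) -> List[Dict[str, object]]:
    """Parse the constructed extract format; malformed lines are an error,
    because a silently skipped line is exactly what a monitor must not do."""
    entries: List[Dict[str, object]] = []
    for lineno, line in enumerate(extract.splitlines(), start=1):
        if not line.strip():
            continue
        parts = line.split(";")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        ts, dest, status, fm = (p.strip() for p in parts)
        entries.append({"timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "destination": dest, "status": status, "function_module": fm})
    return entries


def find_stuck(extract: str, now: datetime,
               max_age: timedelta = MAX_AGE) -> List[Dict[str, object]]:
    """Entries in an error state, or not yet sent and older than max_age."""
    stuck = []
    for entry in parse_extract(extract):
        in_error = "error" in str(entry["status"]).lower()
        too_old = now - entry["timestamp"] > max_age  # type: ignore[operator]
        if in_error or too_old:
            stuck.append(entry)
    return stuck


def summarize(stuck: List[Dict[str, object]]) -> Dict[str, int]:
    """Stuck entries per RFC destination, the first number an operator wants."""
    return dict(Counter(str(e["destination"]) for e in stuck))


if __name__ == "__main__":
    now = datetime(2015, 3, 30, 9, 30, 0)  # constructed "current time"
    stuck = find_stuck(SAMPLE_EXTRACT, now)
    print(summarize(stuck))
    for e in stuck:
        print(e["timestamp"], e["destination"], e["status"])
```

Whatever the real export looks like, the two conditions are the ones worth alerting on: an explicit error status, and an entry that has sat unsent longer than the HR change is allowed to take before it turns into an access request.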

What We’ll Cover

• Wrap-up

Where to Find More Information

• http://wiki.scn.sap.com/wiki/display/GRC/Understanding+HR+Triggers+in+Access+Control+10.0
  Puneet Kohli, “Understanding HR Triggers in Access Control 10.0” (SCN, December 2012).
• http://wiki.scn.sap.com/wiki/display/GRC/GRC+10.0+-+HR+Trigger+configuration
  Manik Saldi, “GRC 10.0 – HR Trigger configuration” (reference to SAP Note 1591291) (SCN, December 2012).
• http://sapexperts.wispubs.com/Financials/articles/integrate-sap-access-control-10-0-with-sap-erp-human-capital-management?id=4dc5d9eee25841309437acce0d8705f7#.VR0oIzpCQic
  Alpesh Parmar, “Integrate SAP Access Control 10.0 with SAP ERP Human Capital Management” (Financials Expert, August 2013).

7 Key Points to Take Home

• HR processes can be integrated with SAP Access Control
• User access management flow can run from HR over GRC to back-end systems
• HR Trigger can be set to initiate different workflows in ARM
• BRF+ can be used to steer HR Trigger and ARM workflows
• ARM allows a high level of automation in user access provisioning
• Scenarios like new hire, position change and termination can be configured
• HR and GRC activities need to be aligned and system dependencies monitored

Your Turn!

Please remember to complete your session evaluation

How to contact me: Johan Wouters
Email:

Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026 Copyright © 2015 Wellesley Information Services. All rights reserved.