A Complete Guide to Automate User Provisioning by Integrating SAP Access Control with SAP ERP HCM
Johan Wouters, Expertum
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2015 Wellesley Information Services. All rights reserved.
In This Session
• Understand the main purpose of HR integration with SAP Access Control
• Look at ARM as an important SAP Access Control component
• Understand the interaction process flow between HR and GRC
• Take advantage of HR triggers to automate (de-)provisioning in ARM
• Investigate possible hurdles
SAP Access Control as an integration tool to streamline HR and user management processes
Focus on SAP Access Control release 10.0/10.1
What We’ll Cover
• Objective of integrating SAP ERP HCM with SAP Access Control
• SAP Access Control components with special role for ARM
• HR Trigger as integration point with ARM
• Provisioning engine as key feature for ARM
• Commonly used HR scenarios
• Lessons learned
• Wrap-up

Objective of integrating SAP ERP HCM with SAP Access Control
HR vs. User Access Management
New Hire
• Create user
• Password communication
Contract Extension
• Change validity period for user
Position Change
• Remove old access rights
• (Support hand-over period)
• Provide new access rights
HR vs. User Access Management (cont.)
Termination
• Lock user
• Change validity period for user
• Remove access rights
Extended leave
• Lock user
Rehire
• Unlock user
• Change validity period for user
HR vs. User Access Management (cont.)
• Communication fails
• Double maintenance
• More time consuming
(Diagram: HR vs. User Access Management)
Objectives
• Solution for key communication failure
• Integration of two separate processes into one
• Automation, acceleration, correction
(Diagram: HR and User Access Management)
Process Flow Using SAP Access Control
(Diagram: HR master data update → GRC: creation of access request → approval workflow → provisioning → back end)
SAP Access Control components with special role for ARM
SAP Access Control — Components
• EAM – Emergency Access Management
• ARM – Access Request Management
• ARA – Access Risk Analysis
• RT – Risk Terminator
• BRM – Business Role Management
• UAR – User Access Review
ARM — Access Request Management Overview
• Homogenized process for user access requests
• Automated access provisioning, requesting approval from the appropriate business and risk owner
• Preventive SoD analysis at time of request
• User access assignment/removal in back-end systems
• Automatic logging of request approvals and modifications
(Diagram: ARM in relation to BRM and ARA)
ARM — Process Overview
(Flowchart: User initiates request → Role owner: Approve? → Risk? → Risk owner: Approve? / Mitigate risk → Provisioning, with mail notifications at the decision points)
ARM — Workflow
• Standard MSMP workflow process
• BRF+ to initiate and route access requests
(Diagram: creation of access request → MSMP approval workflow, routed by BRF+)
HR Trigger as integration point with ARM
Process Flow Using SAP Access Control
(Diagram: HR Trigger at the HR master data update → GRC: creation of access request → approval workflow → provisioning → back end)
HR Data Relevant for User Access Management
• When registering HR processes in SAP, different data elements (infotypes) are maintained that are also used in the user master data
• Examples:
  - User ID
  - User contact details (email, phone, ...)
  - User validity
  - First name
  - Last name
Check the structure /GRCPI/GRIA_S_VALIDUSERDATA_HR in the GRC system to see which HR master data is fetched.
Setup — HR Plug-In System
• Installation of components GRCPINW and GRCPIERP
• RFC connections:
  - HR Plug-in connector
  - GRC connector
• Configuration parameters:
  Param ID | Short description | Value
  1000 | Please maintain Plug-in Connector | HR Plug-in RFC connector
  1001 | Please maintain GRC Connector | GRC RFC connector
  1003 | Enable HR trigger | Yes
RFC connections: use system client naming; protect with a generic RFC user.
Setup — SAP Access Control
• Installation of component GRCFND_A
• Customizing activities:
  - RFC connection for GRC
  - Mapping to connector group
  - Linking to integration scenarios
SAP Note 1562760 – Integration scenarios to connector link
Setup — SAP Access Control (cont.)
• Customizing activities:
  - Linking to application type and environment
  - Mapping to actions and connector group: 0004 (Provisioning), 0005 (HR Trigger)
Perform field mapping if specific HR data needs to be mapped to GRC access requests
Setup — SAP Access Control (cont.)
• Customizing activities (cont.): request type
Create new request types:
- Independent of the normal access request flow
- With a clear description
Setup — SAP Access Control (cont.)
• Customizing activities (cont.): BRF+ mapping
BRF+ Function ID > rule logic
Setup — SAP Access Control (cont.)
• Customizing activities (cont.): BRF+ Function ID > rule logic
  - BRF+ rule with decision table
  - BRF+ rule linked to ABAP class
Decision: choose complete logic in BRF+, or choose BRF+ in combination with ABAP coding
SAP Note 1591291 – GRC 10.0 – HR Trigger configuration: Building BRF+ Rule using Procedure Call
Setup — SAP Access Control (cont.)
• Customizing activities (cont.): BRF+ rule logic building
HR data = input criteria:
- Infotypes/subtypes
- Technical fields
- Values
Input | Output
HR data 1 | Action ID 1
HR data 2 | Action ID 2
HR data 3 | Action ID 3
Setup — SAP Access Control (cont.)
• Customizing activities (cont.): HR Trigger settings
  - Enter Action ID
  - Enter Request Type
  - Enter Connector
(Table columns: Action ID | Request Type | Connector)
For the Action ID, use a clear naming convention in the ID (max. 5 characters) and description
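As an added example (not from the presentation), the following Python model shows how the BRF+ decision table and the HR Trigger settings on the preceding slides fit together: an infotype update event is evaluated top-down against rows of (infotype, subtype, technical field, value), the first match yields an Action ID, and the Action ID is resolved to a request type and connector. Infotype 0000 (Actions, field MASSN) and infotype 0001 (Organizational Assignment, field PLANS) are standard SAP HCM; the action type codes, Action IDs, request types, connector name and sample events are constructed assumptions.

```python
# HR Trigger settings (constructed): Action ID -> (Request Type, Connector).
HR_TRIGGER_SETTINGS = {
    "NEWHR": ("HR_NEW_HIRE", "ERPCLNT100"),
    "POSCH": ("HR_POS_CHANGE", "ERPCLNT100"),
    "TERMN": ("HR_TERMINATION", "ERPCLNT100"),
}

# Rows: (infotype, subtype, technical field, value, Action ID). 0000/MASSN is
# Actions/action type, 0001/PLANS is Org. Assignment/position; the codes "01"
# and "10" are constructed. "*" matches any new value if the field changed.
DECISION_TABLE = [
    ("0000", "", "MASSN", "01", "NEWHR"),  # hiring
    ("0000", "", "MASSN", "10", "TERMN"),  # leaving
    ("0001", "", "PLANS", "*", "POSCH"),   # position reassignment
]

def validate_settings(settings):
    """Apply the slide's naming rule: an Action ID has at most 5 characters."""
    for action_id in settings:
        if not action_id or len(action_id) > 5 or not action_id.isalnum():
            raise ValueError(f"invalid Action ID {action_id!r}")
    return True

def derive_action_id(infotype, subtype, fields):
    """Top-down evaluation, first matching row wins (as in a BRF+ decision table).
    fields maps technical field -> (old value, new value) seen in IN_UPDATE."""
    for row_it, row_st, field, value, action_id in DECISION_TABLE:
        if row_it != infotype or (row_st and row_st != subtype) or field not in fields:
            continue
        old, new = fields[field]
        if (value == "*" and old != new) or (value != "*" and new == value):
            return action_id
    return None  # no HR trigger for this update

def build_request(event):
    """Map one infotype update event to an ARM request stub, or None."""
    action_id = derive_action_id(event["infotype"], event.get("subtype", ""), event["fields"])
    if action_id is None:
        return None
    request_type, connector = HR_TRIGGER_SETTINGS[action_id]
    return {"pernr": event["pernr"], "action_id": action_id,
            "request_type": request_type, "connector": connector}

# Constructed infotype update events as the HR plug-in BAdI would deliver them.
SAMPLE_EVENTS = [
    {"pernr": "00001001", "infotype": "0000", "fields": {"MASSN": (None, "01")}},
    {"pernr": "00001002", "infotype": "0001", "fields": {"PLANS": ("50000100", "50000100")}},
    {"pernr": "00001003", "infotype": "0001", "fields": {"PLANS": ("50000100", "50000222")}},
    {"pernr": "00001004", "infotype": "0000", "fields": {"MASSN": ("01", "10")}},
]
```

The second sample event (an IT0001 save with an unchanged position) yields no request, which is the case a pure "infotype touched" rule would get wrong.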
Process Flow Using SAP Access Control (technical objects)
HR: update of master data
- Class /GRCPI/CL_IM_GRIA_HRINFADD, method IF_EX_HRPAD00INFTY~IN_UPDATE
GRC: creation of access request
- Function module GRAC_HR_TRIGGER_EVENT_RECIEVER
- Class CL_GRAC_HR_TRIGGER, method CREATE_REQUEST
Provisioning engine as key feature for ARM
Setup for Provisioning
• Installation of component for:
  - All provisioning systems
  - CUA (if in use)
• Customizing activities: CUA settings (if in use)
(Diagram: CUA model distribution: global system with central client and child clients 1 and 2)
Setup for Provisioning (cont.)
• Provisioning settings: global provisioning, system provisioning
Setting | Recommendation
Provisioning Type | Direct
Provisioning Options | Auto provisioning at end of request
Role assignment | Provisioning effective immediately
E-mail status | Sent password = YES
System provisioning overrules global provisioning
Commonly used HR scenarios
Commonly Used HR Triggers
• New hire
• Position change
• Termination
(Diagram: new hire, position change, termination)
New Hire
• HR functionality:
  - PA30/PA40 procedure
  - Future new hire
• GRC functionality:
  - Creation of user ID
  - Automatic generation of password
  - Automatic multi-system provisioning
Improve the process with user defaults and default roles
Position Change
• HR functionality:
  - PA40 procedure
  - Update of position
• GRC functionality:
  - Standard: use of position-based security role(s) related to the position for the access request
  - Not standard: delimit current role assignments to 60 days; validation of current and required access
Termination
• HR functionality:
  - PA40 procedure
  - Future termination
• GRC functionality:
  - Delimitation of user ID
  - Automatic multi-system provisioning
Removal or delimitation of role assignments requires custom development
Lessons learned
Lessons Learned
• HR communication queue (SMQ1): ensure a monitoring process is in place, for example an extract of SM58
• HR customizing changes in the PA30/PA40 procedure can impact the integration with GRC
• Upgrades in any of the involved systems may impact your integration flow: HCM – GRC – back-end systems
  - Communication
  - Intensive testing
• Shared data is critical to the GRC process
  - Procedures
Wrap-up
Where to Find More Information
• Puneet Kohli, “Understanding HR Triggers in Access Control 10.0” (SCN, December 2012). http://wiki.scn.sap.com/wiki/display/GRC/Understanding+HR+Triggers+in+Access+Control+10.0
• Manik Saldi, “GRC 10.0 – HR Trigger configuration” (reference to SAP Note 1591291) (SCN, December 2012). http://wiki.scn.sap.com/wiki/display/GRC/GRC+10.0+-+HR+Trigger+configuration
• Alpesh Parmar, “Integrate SAP Access Control 10.0 with SAP ERP Human Capital Management” (Financials Expert, August 2013). http://sapexperts.wispubs.com/Financials/articles/integrate-sap-access-control-10-0-with-sap-erp-human-capital-management?id=4dc5d9eee25841309437acce0d8705f7#.VR0oIzpCQic
7 Key Points to Take Home
• HR processes can be integrated with SAP Access Control
• User access management flow can run from HR over GRC to back-end systems
• HR Trigger can be set to initiate different workflows in ARM
• BRF+ can be used to steer HR Trigger and ARM workflows
• ARM allows a high level of automation in user access provisioning
• Scenarios like new hire, position change and termination can be configured
• HR and GRC activities need to be aligned and system dependencies monitored
Your Turn!
Please remember to complete your session evaluation.
How to contact me: Johan Wouters, Email:
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.