Total Pageviews

Thursday, 28 August 2014

MSMP Worflow - User Access Review (UAR) Configuration


User Access Review (UAR)  Workflow Configuration and Description 

Purpose

The purpose of this document is to explain the User Access Review Workflow in detail and the Configuration settings required to implement the same. 

Overview  

The User Access Review (UAR) feature provides a workflow-based review and approval process for user access requests. The periodic reviews of user access are performed by business managers or role owners, and the system automatically generates the requests based on the company’s internal control policy.  The review asses roles assigned to users and the frequency of use for that role by the user. 

Concept

                      

 Key Users for UAR

Administrator
This person has the Admin role assigned for Access Control.  They can perform UAR-specific administrator tasks, such as cancelling UAR requests and regenerating requests for rejected users. As well as Admin review before generating workflow for request.
Reviewer
This term refers to the approver at the Reviewer stage.  The Reviewer may be the user’s manager or the role owner.
User’s Manager
The direct manager of a user as defined in the User Details Data Source.
Role Owner
The role owner specified in CUP master data.
Coordinator
The Coordinator is assigned to Reviewer.  They monitor the UAR process and coordinate activities to ensure the process is completed in a timely manner. 

 IMG Configurations for UAR

  1. Log onto the backend system.
  2. Enter transaction SPRO.
  3. Click SAP Reference IMG button.
  4. Navigate to Governance, Risk and Compliance ==> Access Control ==> Maintain Configuration Settings.
  5. The following fields can be maintained there for UAR:
  • The Request Type can be maintained in IMG under Governance, Risk and Compliance-> Access Control-> User Provisioning-> Define Request Type.
  • The Priority can be maintained in IMG under Governance, Risk and Compliance-> Access Control-> User Provisioning-> Maintain Priority Configuration.
  • The reviewers for the UAR can be either the Manager of the User or the Role owner for the Role.
  • Admin review required can be
         YES
The request will go to the Administrator before it is generated for the Manager or Role owner (based on previous selection) to review.
          NO
The request will bypass Administrator review and be directly generated and go to the Reviewer
 NOTE:  If the User does not have a manager or, the role owner does not have an owner, selecting No on Admin review will not generate workflow for request . And the  role owner / manager must have a coordinator assigned to him. This mapping is defined in Manage Coordinator link under Access management tab.

Generate data for UAR

  1. Log onto Access Control Application
  2. Navigate to location( shown in below figure)
                                              
                                                                                                                    Figure 2
                 3. Click on Create button and enter the following data for the fields then, Click Next (Figure 3)| Schedule Name | Enter the name for the UAR job.                                          
                                         
                                                                                                 Figure 3 
               4. Define Variants/Filters for selection then, Click Next
                   As shown in Figure 4 below you may select any number of variants available via dropdown menu and entry fields to specify the size and target of your request. 
                                  
                                                                                                                                      Figure 4
                 5. Shows summary then, click Finish
                 6. Job is created and status is displayed as:
                                    Completed: The job is completed                                                                             
                                    Terminated: The job is terminated by the Administrator
                                     In Planning: The job is currently working on the Request or if it is a reoccurring job then it would remain in this status

Admin Review

If Admin review is selected to Yes in the section 4 of Configuration IMG for UAR then you may review the request here before it can be processed further to the reviewers. This also allows you to add reviewers and coordinators if not defined for role or user.
  To Access Admin Request:
               1. Navigate to (Figure 5):NWBC-> Access Management->Compliance Certification Reviews-> Request Review
                                                                       
                                                                                              Figure 5
                 2. Search for a job using criteria specified in the filters such as Process Type, User ID, Reviewer and Coordinator ID, Date, and Job ID (Figure 6).
                 3. Click Search
               This shows the Request Number, the Job ID, Type of request, the reviewer for the Request, the coordinator for the request and, the status for the request (Figure 6)
                 4.  Select the request you want to edit, then click Change Reviewers button to assign the reviewers and coordinator for the request or Cancel request button to cancel the request.
                                  
                                                                                                                                  Figure 6
                                                                                                                               
                   5. Select the Reviewer and Coordinator from the list or enter the ID the, Click OK.
                                        
                 6. Save your entries.

Manage Coordinators                                                                                   

Under this link you can manage the coordinators and reviewers for your requests. This lists coordinators for the reviewers as well as their ID, name, and email.
                1. Navigate to Access Management-> Compliance Certification Reviews
                2. You can select a Coordinator then, Click Open or Delete
                3. Click Create, to create a new coordinator
                4. Enter ID or select from menu.
                5. Save your work
                6. Now you need to run another background job ”Update UAR workflow” to generate UAR requests. This step is mandatory only if you are generating requests after admin review

UAR Workflow

Workflow settings for UAR

To manage the workflow for the request:
  1. Navigate to Governance, Risk and Compliance ==> Access Control ==> Workflow for Access Control ==> Maintain MSMP Workflows.
  2. Select the Process ID SAP_GRAC_USER_ACCESS_REVIEW.
  3. Click on Display/Change button to toggle between edit modes
                             3.1.    You may define Global Escalation rules and Escape conditions here (Elective Step):
                                  
                                                                                                      Figure 8
4. Click Next
5. Enter the Maintain Rules: These can be Function Module/ BRF plus/ ABAP Class / BRF plus Flat rules. These can be an initiator, routing, agent, or notification   rule
                                               
                6. Click Next, Enter Maintain Agents
                    Here you may define Agents for the workflow stages. These agents can be for notification or approval purpose. Agent Type may be:
                          Directly Mapped Users: Approvers selected from the Approver definition.
                          PFCG Roles                 : Users with specific role will be selected
                          PFCG User Groups    : Approvers selected from PFCG User Groups assigned to users (SU01 Groups tab)
                          GRC API Rules            : Approvers selected from the associated function module (FM).

                                                      
                                                                                                        Figure 9: Maintain Agents
 
                                                                                         
                                                                     Figure 10: Add Users to Approver Groups
                 7.   Click Next, Enter Variables & Templates
                      Maintain Templates for notification and Approval
 
                                                  
                                                                                        Figure 11: Variables & Templates
                  
                 8. Click Next, Enter Maintain Paths 
                 9. Click Add then enter the fields for Path ID and Path Description
                 10. Select the Path, then click Modify or ADD to define path stages 
                 11. Click Next, Enter Maint Route Mapping
                      Used for mapping the Logical Path (Initiator) to an Actual Path
                 12. Click Next, Generate Version
                 13. Click:
                        Save: Saves changes to the database
                        Save/Simulate: Save changes to the database and run a simulation to check for errors.
                        Activate: Generate Active Versions

Update Workflow for UAR Request

              1. Log onto front end Access Control Application.
              2. Navigate to Access Management-> Background Jobs-> Background Scheduler
              3. Click on Create button and enter the following data for the fields:
                    Schedule Name: Enter the name for the UAR job.
                    Schedule Activity: Update Workflow for UAR request
                    Recurring Plan: Select the radio button. If Yes then, provide date range and time.
                    Start Immediately: If not a recurring job, select whether you want it to start immediately or provide a date and time for the job to start.
              4. Click Next then, Click Finish.

Reviewing UAR Requests

Once the Request Workflow has been updated the request follows its workflow path and gets to the right reviewer

Reviewers Inbox and Outbox

The request once generated is sent to reviewer’s inbox and outl
To work on the Request
              1. Navigate to: My Home-> My Profile-> Work Inbox

Searching for UAR Requests

The requests are sent to the Reviewers inbox and email (if the email address is configured into the system)

Working on the Request

              1. Click on the request you would like to work on
              2. Click Administration (Open will just let you view the request and not let you work on it)
              3. Select the Request you would like to work on and you may take the following actions
                     a. Approve: You approve the request and the Role is not removed
                     b. Remove Role: Role is removed from the user
                     c. Forward: The request can be forwarded to another reviewer with a Note.
                     d. Reject Role: You reject  to work on role for the user
                     e. Reason: Reason for rejection. Maintained in IMG under: T-Code: SPRO->  Governance, Risk, and Compliance-> User Provisioning-> Maintain Review Rejection Reasons
                     f. Add Comment: Click Add Comment to add comment with the review request
                     g. Cancel Rejection: You may cancel the rejected role/user prior submitting. *Only applicable in rejected roles/user view*
              4. Submit the Request

Related Notes

 SAP Note: 1732890 - GRC 10.0 - Update Workflow for UAR request job does not trigger the workflow
SAP Note: 1620493 : GRC 10.0 UAR Background Job stuck
SAP Note: 1620495 : GRC 10.0 UAR - Submission failure of request