User Access Review (UAR) Workflow Configuration and Description
Purpose
The purpose of this document is to explain the User Access Review workflow in detail and the configuration settings required to implement it.
Overview
The User Access Review (UAR) feature provides a workflow-based review and approval process for user access requests. The periodic reviews of user access are performed by business managers or role owners, and the system automatically generates the requests based on the company’s internal control policy. The review assesses the roles assigned to users and how frequently each user uses each role.
Concept
Key Users for UAR
Administrator: This person has the Admin role assigned for Access Control. They can perform UAR-specific administrator tasks, such as cancelling UAR requests and regenerating requests for rejected users, as well as the Admin review before the workflow is generated for a request.
Reviewer: This term refers to the approver at the Reviewer stage. The Reviewer may be the user’s manager or the role owner.
User’s Manager: The direct manager of a user as defined in the User Details Data Source.
Role Owner: The role owner specified in CUP master data.
Coordinator: The Coordinator is assigned to a Reviewer. They monitor the UAR process and coordinate activities to ensure the process is completed in a timely manner.
IMG Configurations for UAR
- Log onto the backend system.
- Enter transaction SPRO.
- Click SAP Reference IMG button.
- Navigate to Governance, Risk and Compliance ==> Access Control ==> Maintain Configuration Settings.
- The following fields can be maintained there for UAR:
- The Request Type can be maintained in IMG under Governance, Risk and Compliance-> Access Control-> User Provisioning-> Define Request Type.
- The Priority can be maintained in IMG under Governance, Risk and Compliance-> Access Control-> User Provisioning-> Maintain Priority Configuration.
- The reviewers for the UAR can be either the Manager of the User or the Role owner for the Role.
- Admin review required can be:
YES: The request will go to the Administrator before it is generated for the Manager or Role owner (based on previous selection) to review.
NO: The request will bypass Administrator review and be directly generated and go to the Reviewer.
NOTE: If the user does not have a manager, or the role does not have an owner, selecting No on Admin review will not generate a workflow for the request. In addition, the role owner / manager must have a coordinator assigned. This mapping is defined in the Manage Coordinator link under the Access Management tab.
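As an added example (not part of the original document and not SAP code), the following pre-flight check runs over exported mapping data and lists the user/role assignments affected by the NOTE above before the UAR job is scheduled. The dictionary layouts, status names and all sample IDs are assumptions constructed for illustration.

```python
# Added example: data layouts, status names and all IDs below are constructed
# assumptions, not SAP table or field names.
from dataclasses import dataclass

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str

def resolve_reviewer(a, reviewer_type, managers, role_owners):
    """Return the reviewer ID for an assignment, or None if none is maintained."""
    if reviewer_type == "MANAGER":
        return managers.get(a.user) or None
    if reviewer_type == "ROLE_OWNER":
        return role_owners.get(a.role) or None
    raise ValueError(f"unknown reviewer type: {reviewer_type!r}")

def preflight(assignments, reviewer_type, admin_review,
              managers, role_owners, coordinators):
    """Sort assignments into ok / needs_admin / blocked per the NOTE above."""
    result = {"ok": [], "needs_admin": [], "blocked": []}
    for a in assignments:
        reviewer = resolve_reviewer(a, reviewer_type, managers, role_owners)
        if reviewer is None:
            gap = "no reviewer maintained"
        elif not coordinators.get(reviewer):
            gap = f"reviewer {reviewer} has no coordinator"
        else:
            result["ok"].append((a.user, a.role, reviewer))
            continue
        # With Admin review = YES the administrator can still assign the missing
        # reviewer/coordinator; with NO the gap is treated as blocking
        # (for the coordinator case this is an assumption of the example).
        bucket = "needs_admin" if admin_review else "blocked"
        result[bucket].append((a.user, a.role, gap))
    return result

# Constructed sample data (empty string = field not maintained).
MANAGERS = {"JDOE": "MSMITH", "AKHAN": "", "BLEE": "RPATEL"}
ROLE_OWNERS = {"Z_FI_AP_CLERK": "OWNER1", "Z_MM_BUYER": ""}
COORDINATORS = {"MSMITH": "COORD1"}  # RPATEL and OWNER1 have none
ASSIGNMENTS = [Assignment("JDOE", "Z_FI_AP_CLERK"),
               Assignment("AKHAN", "Z_MM_BUYER"),
               Assignment("BLEE", "Z_FI_AP_CLERK")]

if __name__ == "__main__":
    report = preflight(ASSIGNMENTS, "MANAGER", False,
                       MANAGERS, ROLE_OWNERS, COORDINATORS)
    for status, rows in report.items():
        for row in rows:
            print(status, *row, sep="\t")
```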
Generate data for UAR
- Log onto Access Control Application
- Navigate to the location shown in the figure below.
Figure 2
3. Click the Create button, enter the following data for the fields, then click Next (Figure 3):
Schedule Name: Enter the name for the UAR job.
Figure 3
4. Define Variants/Filters for selection, then click Next.
As shown in Figure 4 below, you may select any number of the variants available via the dropdown menu and entry fields to specify the size and target of your request.
Figure 4
5. Review the summary, then click Finish.
6. The job is created and its status is displayed as:
Completed: The job is completed
Terminated: The job is terminated by the Administrator
In Planning: The job is currently working on the request, or, if it is a recurring job, it remains in this status
Admin Review
If Admin review is set to Yes in step 4 of the IMG configuration for UAR, you may review the request here before it is processed further to the reviewers. This also allows you to add reviewers and coordinators if they are not defined for the role or user.
To Access Admin Request:
1. Navigate to (Figure 5): NWBC -> Access Management -> Compliance Certification Reviews -> Request Review
Figure 5
2. Search for a job using criteria specified in the filters such as Process Type, User ID, Reviewer and Coordinator ID, Date, and Job ID (Figure 6).
3. Click Search
This shows the Request Number, the Job ID, the type of request, the reviewer for the request, the coordinator for the request, and the status of the request (Figure 6).
4. Select the request you want to edit, then click the Change Reviewers button to assign the reviewers and coordinator for the request, or the Cancel Request button to cancel the request.
Figure 6
5. Select the Reviewer and Coordinator from the list or enter the ID, then click OK.
6. Save your entries.
Manage Coordinators
Under this link you can manage the coordinators and reviewers for your requests. This lists coordinators for the reviewers as well as their ID, name, and email.
1. Navigate to Access Management-> Compliance Certification Reviews
2. You can select a Coordinator, then click Open or Delete.
3. Click Create to create a new coordinator.
4. Enter the ID or select it from the menu.
5. Save your work.
6. Now you need to run another background job, "Update UAR workflow", to generate UAR requests. This step is mandatory only if you are generating requests after admin review.
UAR Workflow
Workflow settings for UAR
To manage the workflow for the request:
- Navigate to Governance, Risk and Compliance ==> Access Control ==> Workflow for Access Control ==> Maintain MSMP Workflows.
- Select the Process ID SAP_GRAC_USER_ACCESS_REVIEW.
- Click the Display/Change button to toggle between display and edit modes.
3.1. You may define Global Escalation rules and Escape conditions here (optional step):
Figure 8
4. Click Next.
5. Maintain Rules: These can be Function Module / BRFplus / ABAP Class / BRFplus Flat rules. Each can be an initiator, routing, agent, or notification rule.
6. Click Next, Enter Maintain Agents
Here you may define Agents for the workflow stages. These agents can be for notification or approval purposes. Agent Type may be:
Directly Mapped Users: Approvers selected from the Approver definition.
PFCG Roles: Users with a specific role will be selected.
PFCG User Groups: Approvers selected from PFCG User Groups assigned to users (SU01 Groups tab).
GRC API Rules: Approvers selected from the associated function module (FM).
Figure 9: Maintain Agents
Figure 10: Add Users to Approver Groups
7. Click Next, Enter Variables & Templates
Maintain Templates for notification and Approval
Figure 11: Variables & Templates
8. Click Next, Enter Maintain Paths
9. Click Add then enter the fields for Path ID and Path Description
10. Select the Path, then click Modify or Add to define path stages
11. Click Next, Enter Maint Route Mapping
Used for mapping the Logical Path (Initiator) to an Actual Path
12. Click Next, Generate Version
13. Click:
Save: Saves changes to the database
Save/Simulate: Save changes to the database and run a simulation to check for errors.
Activate: Generate Active Versions
Update Workflow for UAR Request
1. Log onto front end Access Control Application.
2. Navigate to Access Management-> Background Jobs-> Background Scheduler
3. Click on Create button and enter the following data for the fields:
Schedule Name: Enter the name for the UAR job.
Schedule Activity: Update Workflow for UAR request
Recurring Plan: Select the radio button. If Yes, provide the date range and time.
Start Immediately: If not a recurring job, select whether you want it to start immediately or provide a date and time for the job to start.
4. Click Next, then click Finish.
Reviewing UAR Requests
Once the request workflow has been updated, the request follows its workflow path and reaches the right reviewer.
Reviewers Inbox and Outbox
The request once generated is sent to reviewer’s inbox and outl
To work on the Request
1. Navigate to: My Home-> My Profile-> Work Inbox
Searching for UAR Requests
The requests are sent to the Reviewer's inbox and email (if the email address is configured in the system).
Working on the Request
1. Click on the request you would like to work on.
2. Click Administration (Open only lets you view the request, not work on it).
3. Select the request you would like to work on. You may take the following actions:
a. Approve: You approve the request and the role is not removed.
b. Remove Role: The role is removed from the user.
c. Forward: The request can be forwarded to another reviewer with a note.
d. Reject Role: You decline to work on the role for the user.
e. Reason: Reason for rejection. Maintained in IMG under: T-Code: SPRO -> Governance, Risk, and Compliance -> User Provisioning -> Maintain Review Rejection Reasons
f. Add Comment: Click Add Comment to add a comment to the review request.
g. Cancel Rejection: You may cancel the rejected role/user prior to submitting. *Only applicable in the rejected roles/user view*
4. Submit the request.
Related Notes
SAP Note 1732890 - GRC 10.0 - Update Workflow for UAR request job does not trigger the workflow
SAP Note 1620493 - GRC 10.0 UAR Background Job stuck
SAP Note 1620495 - GRC 10.0 UAR - Submission failure of request