
A Complete Guide to Automate User Provisioning by Integrating SAP Access Control with SAP ERP HCM

Johan Wouters
Expertum
Produced by Wellesley Information Services, LLC, publisher of SAPinsider. © 2015 Wellesley Information Services. All rights reserved.

In This Session

Understand the main purpose of HR integration with SAP Access Control
Look at ARM as an important SAP Access Control component
Understand the interaction process flow between HR and GRC
Take advantage of HR triggers to automate (de-)provisioning in ARM
Investigate possible hurdles
SAP Access Control as an integration tool to streamline HR and user management processes
Focus on SAP Access Control release 10.0/10.1

What We'll Cover

Objective of integrating SAP ERP HCM with SAP Access Control


SAP Access Control components with special role for ARM
HR Trigger as integration point with ARM
Provisioning engine as key feature for ARM
Commonly used HR scenarios
Lessons learned
Wrap-up

HR vs. User Access Management

New Hire
- Create user
- Password communication
Contract Extension
- Change validity period for user
Position Change
- Remove old access rights
- (Support hand-over period)
- Provide new access rights

HR vs. User Access Management (cont.)

Termination
- Lock user
- Change validity period for user
- Remove access rights
Extended leave
- Lock user
Rehire
- Unlock user
- Change validity period for user

HR vs. User Access Management (cont.)

Communication fails
Double maintenance
More time consuming

[Diagram: HR and User Access Management]

Objectives

Solution for Key Communication Failure

Integration of two separate processes into one
Automation, Acceleration, Correction

[Diagram: HR, SAP Access Control, User Access Management]

Process Flow Using SAP Access Control

[Diagram: Provisioning]
Systems: HR, GRC, Back End
Steps: Update Master Data, Creation Access Request, Approval Workflow, Provisioning

SAP Access Control Components

ARA: Access Risk Analysis
EAM: Emergency Access Management
ARM: Access Request Management
BRM: Business Role Management
RT: Risk Terminator
UAR: User Access Review

ARM Access Request Management Overview

Homogenized process for user access requests
Automated access provisioning, requesting approval from the appropriate business and risk owner
Preventive SoD analysis at time of request
User access assignment/removal in back-end systems
Automatic logging of request approvals and modifications

[Diagram: BRM, ARM, ARA]

ARM Process Overview

[Flowchart. Participants: User, Role Owner, Risk Owner. Elements: Initiate Request, Approve? (Yes/No), Risk? (Yes/No), Mitigate Risk, Provisioning, Mail notifications]

ARM Workflow

Standard MSMP workflow process
BRF+ to initiate and route access requests

[Diagram: Creation Access Request > MSMP Approval Workflow, with BRF+]

Process Flow Using SAP Access Control

[Diagram: Provisioning]
Systems: HR, GRC, Back End
Steps: Update Master Data, HR Trigger, Creation Access Request, Approval Workflow, Provisioning

HR Data Relevant for User Access Management

When registering HR processes in SAP, different data elements (infotypes) are maintained that are also used in the User Master Data
Examples:
- User ID
- User Contact details (email, phone, ...)
- User Validity
- First name
- Last name
In the GRC system, check the structure /GRCPI/GRIA_S_VALIDUSERDATA_HR to see which HR master data is fetched

Setup HR Plug-In System

Installation of components
- GRCPINW and GRCPIERP
RFC connections
- HR Plug-in Connector
- GRC connector
- Use system client naming
- Protect with generic RFC user
Configuration parameters

Param ID   Short description                    Value
1000       Please maintain Plug-in Connector    HR Plug-in RFC connector
1001       Please maintain GRC Connector        GRC RFC Connector
1003       Enable HR trigger                    Yes

Setup SAP Access Control

Installation of component
- GRCFND_A
Customizing activities
- RFC connection for GRC
- Mapping to connector group
- Linking to integration scenarios

SAP Note 1562760: Integration scenarios to connector link

Setup SAP Access Control (cont.)

Customizing activities
- Linking to application type and environment
- Mapping to actions and connector group
  0004 (Provisioning)
  0005 (HR Trigger)

Perform field mapping if specific HR data needs to be mapped with GRC access requests

Setup SAP Access Control (cont.)

Customizing activities (cont.)

Request type:
Create new request types:
- Independent of normal access request flow
- With clear description

Setup SAP Access Control (cont.)

Customizing activities (cont.)

BRF+ mapping
BRF+ Function ID > rule logic

Setup SAP Access Control (cont.)

Customizing activities (cont.)

BRF+ Function ID > rule logic
- BRF+ rule with decision table
- BRF+ rule linked to ABAP class
Decision:
- Choose complete logic in BRF+ or
- Choose BRF+ in combination with ABAP coding
SAP Note 1591291: GRC 10.0 HR Trigger configuration
Building BRF+ Rule using Procedure Call

Setup SAP Access Control (cont.)

Customizing activities (cont.)

BRF+ rule logic building:

Input        Output
HR data 1    Action ID 1
HR data 2    Action ID 2
HR data 3    Action ID 3

HR data = input criteria:
- Infotypes/subtypes
- Technical fields
- Values

Setup SAP Access Control (cont.)

Customizing activities (cont.)

HR Trigger settings
- Enter Action ID
- Enter Request Type
- Enter Connector
For Action ID, use a clear naming convention in ID (max. 5 characters) and description
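
The two configuration steps above (a BRF+ decision table that maps HR data to an Action ID, then HR Trigger settings that map the Action ID to a request type and connector) can be modelled as follows. This is an added Python illustration, not SAP or presenter code; the sample rows, request type names and connector name are constructed, and first-match evaluation with a "*" wildcard is an assumption of the model.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard cell in this model: matches every value

@dataclass(frozen=True)
class Rule:
    infotype: str
    subtype: str
    field: str
    value: str
    action_id: str  # output column of the decision table

# Constructed sample rows; real infotypes, fields and values follow your HR customizing.
DECISION_TABLE = [
    Rule("0000", ANY, "MASSN", "01", "HIRE"),
    Rule("0000", ANY, "MASSN", "10", "TERM"),
    Rule("0001", ANY, "PLANS", ANY, "POSCH"),
]

# HR Trigger settings: Action ID -> (request type, connector). All names are hypothetical.
TRIGGER_SETTINGS = {
    "HIRE": ("HR_NEW_HIRE", "HRPCLNT100"),
    "TERM": ("HR_TERMINATION", "HRPCLNT100"),
    "POSCH": ("HR_POSITION_CHANGE", "HRPCLNT100"),
}

def validate_config(table, settings):
    """Return configuration problems; an empty list means table and settings agree."""
    problems = []
    for rule in table:
        if len(rule.action_id) > 5:
            problems.append(f"Action ID {rule.action_id!r} is longer than 5 characters")
        if rule.action_id not in settings:
            problems.append(f"Action ID {rule.action_id!r} has no request type/connector")
    return problems

def resolve(change, table=DECISION_TABLE, settings=TRIGGER_SETTINGS):
    """Map one HR change to a request; first matching row wins, None means no request."""
    keys = ("infotype", "subtype", "field", "value")
    for rule in table:
        cells = (rule.infotype, rule.subtype, rule.field, rule.value)
        if all(c == ANY or c == change.get(k, "") for c, k in zip(cells, keys)):
            request_type, connector = settings[rule.action_id]
            return {"action_id": rule.action_id,
                    "request_type": request_type, "connector": connector}
    return None

if __name__ == "__main__":
    print(validate_config(DECISION_TABLE, TRIGGER_SETTINGS))
    print(resolve({"infotype": "0000", "field": "MASSN", "value": "10"}))
    print(resolve({"infotype": "0000", "field": "MASSN", "value": "ZT"}))  # unmapped value
```

An HR change that matches no row returns None, meaning no access request is created; in this model a termination recorded with a value the table does not list would leave the user untouched.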

Process Flow Using SAP Access Control

HR: Update Master Data
- Class /GRCPI/CL_IM_GRIA_HRINFADD
- Method IF_EX_HRPAD00INFTY~IN_UPDATE
GRC: Creation Access Request
- Function Module GRAC_HR_TRIGGER_EVENT_RECIEVER
- Class CL_GRAC_HR_TRIGGER
- Method CREATE_REQUEST
GRC: Approval Workflow
Provisioning

Setup for Provisioning

Installation of component for:
- All provisioning systems
- CUA (if in use)
Customizing activities
- CUA settings (if in use)

[Diagram: Global System, Central client, Child 1, Child 2, Model Distribution]

Setup for Provisioning (cont.)

Provisioning settings
- Global provisioning
- System provisioning

Setting                 Recommendation
Provisioning Type       Direct
Provisioning Options    Auto provisioning at end of request
Role assignment         Provisioning effective immediately
E-mail status           Sent password = YES

System provisioning overrules global provisioning

Commonly Used HR Triggers

New hire
Position change
Termination

New Hire

HR functionality:
- PA30/PA40 procedure
- Future new hire

GRC functionality:
- Creation of user ID
- Automatic generation of password
- Automatic multi-system provisioning

Improve process with user defaults and default roles

Position Change

HR functionality:
- PA40 procedure
- Update of position

GRC functionality:
Standard:
- Use of position-based security role(s) related to position for access request
Not standard:
- Delimit current role assignments to 60 days
- Validation of current and required access

Termination

HR functionality:
- PA40 procedure
- Future termination

GRC functionality:
- Delimitation of user ID
- Automatic multi-system provisioning

Removal or delimitation of role assignments requires custom development

Lessons Learned

HR communication queue (SMQ1):
- Ensure monitoring process is in place > for example: extract of SM58
HR Customizing changes in PA30/PA40 procedure can impact the integration with GRC
Upgrades in any of the involved systems may impact your integration flow:
- HCM, GRC, back-end systems
Communication
Intensive testing
Shared data is critical to GRC process
Procedures

Where to Find More Information

http://wiki.scn.sap.com/wiki/display/GRC/Understanding+HR+Triggers+in+Access+Control+10.0
Puneet Kohli, "Understanding HR Triggers in Access Control 10.0" (SCN, December 2012).
http://wiki.scn.sap.com/wiki/display/GRC/GRC+10.0+-+HR+Trigger+configuration
Manik Saldi, "GRC 10.0 HR Trigger configuration" (Reference to SAP Note 1591291) (SCN, December 2012).
http://sapexperts.wispubs.com/Financials/articles/integrate-sap-access-control-10-0-withsap-erp-human-capitalmanagement?id=4dc5d9eee25841309437acce0d8705f7#.VR0oIzpCQic
Alpesh Parmar, "Integrate SAP Access Control 10.0 with SAP ERP Human Capital Management" (Financials Expert, August 2013).

7 Key Points to Take Home

HR processes can be integrated with SAP Access Control


User access management flow can run from HR over GRC to back-end systems
HR Trigger can be set to initiate different workflows in ARM
BRF+ can be used to steer HR Trigger and ARM workflows
ARM allows high level of automation in user access provisioning
Scenarios like new hire, position change and termination can be configured
HR and GRC activities need to be aligned and system dependencies monitored


Your Turn!

How to contact me:


Johan Wouters
Email: johan.wouters@expertum.net
Please remember to complete your session evaluation

Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.


Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026


Copyright 2015 Wellesley Information Services. All rights reserved.
