Documente Academic
Documente Profesional
Documente Cultură
Johan Wouters
Expertum
Produced by Wellesley Information Services, LLC, publisher of
SAPinsider. 2015 Wellesley Information Services. All rights
reserved.
In This Session
Rehire
Unlock user
Change validity period for user
5
Communication fails
Double maintenance
More time consuming
HR
User Access
Management
Objectives
User Access
Management
HR
SAP
Access Control
7
GRC
Back End
Update
Master Data
Creation
Access Request
Approval Workflow
Provisioning
EAM
ARA
RT
Emergency Access
Management
ARM
Access Request
Management
BRM
Business Role
Management
Risk Terminator
UAR
10
GRC
Back End
Update
Master Data
Creation
Access Request
Approval Workflow
Provisioning
11
BRM
ARM
ARA
12
Initiate
Request
No
No
Role
Owner
Approve?
Provisioning
Yes
Risk?
Yes
Approve?
Yes
Risk
Owner
No
No
Provisioning
Yes
Mitigate
Approve?
Risk
13
ARM Workflow
BRF+
14
15
GRC
Back End
Update
Master Data
Creation
Access Request
HR Trigger
Approval Workflow
Provisioning
16
Installation of components
GRCPINW and GRCPIERP
RFC connections
HR Plug-in Connector
GRC connector
Configuration parameters
Param ID
1000
1001
1003
Short description
Please maintain Plug-in Connector
Please maintain GRC Connector
Enable HR trigger
Value
HR Plug-in RFC connector
GRC RFC Connector
Yes
18
Installation of component
GRCFND_A
Customizing activities
RFC connection for GRC
Mapping to connector group
Linking to integration scenarios
19
Customizing activities
Linking to application type and environment
Mapping to actions and connector group
0004 (Provisioning)
0005 (HR Trigger)
20
22
Input
HR data 1
Output
Action ID 1
HR data 2
HR data 3
Action ID 2
Action ID 3
Action ID
Action ID
Request Type
Connector
HR Trigger settings
Enter Action ID
Enter Request Type
Enter Connector
For Action ID, use a clear naming convention in
ID (max. 5 characters) and description
25
Connector
26
HR
GRC
Update
Master Data
Class /GRCPI/CL_IM_GRIA_HRINFADD
Method IF_EX_HRPAD00INFTY~IN_UPDATE
Creation
Access Request
Function Module
Approval Workflow
GRAC_HR_TRIGGER_EVENT_RECIEVER
Class CL_GRAC_HR_TRIGGER
Method CREATE_REQUEST
Provisioning
27
28
GRC
Back End
Update
Master Data
Creation
Access Request
Approval Workflow
Provisioning
29
Central client
Child 1
Child 2
Model Distribution
30
Provisioning settings
Global provisioning
System provisioning
Setting
Provisioning Type
Provisioning Options
Role assignment
E-mail status
Recommendation
Direct
Auto provisioning at end of request
Provisioning effective immediately
Sent password = YES
32
New hire
Position change
Termination
New hire
Termination
Position change
33
New Hire
HR functionality
PA30/PA40 procedure
Future new hire
GRC functionality:
Creation of user ID
Automatic generation of password
Automatic multi-system provisioning
New hire
35
Position Change
HR functionality:
PA40 procedure
Update of position
GRC functionality:
Standard:
Use of position-based security role(s) related to position for access request
Not standard:
Delimit current role assignments to 60 days
Validation of current and required access
Position change
36
37
Termination
HR functionality:
PA40 procedure
Future termination
GRC functionality:
Delimitation of user ID
Automatic multi-system provisioning
Termination
38
Termination (cont.)
39
40
Lessons Learned
41
42
http://wiki.scn.sap.com/wiki/display/GRC/Understanding+HR+Triggers+in+Access+Contr
ol+10.0
Puneet Kohli, Understanding HR Triggers in Access Control 10.0 (SCN, December
2012).
http://wiki.scn.sap.com/wiki/display/GRC/GRC+10.0+-+HR+Trigger+configuration
Manik Saldi, GRC 10.0 HR Trigger configuration (Reference to SAP Note 1591291)
(SCN, December 2012).
http://sapexperts.wispubs.com/Financials/articles/integrate-sap-access-control-10-0-withsap-erp-human-capitalmanagement?id=4dc5d9eee25841309437acce0d8705f7#.VR0oIzpCQic
Alpesh Parmar, Integrate SAP Access Control 10.0 with SAP ERP Human Capital
Management (Financials Expert, August 2013).
43
44
Your Turn!
Disclaimer
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or an SAP affiliate company) in Germany and other
countries. All other product and service names mentioned are the trademarks of their respective companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
46