GRC AC 10.0 - CUP Pre-Implementation From Post-Installation to First Access Request
AC 10.0 Pre-Implementation
From Post-Installation to First Access Request
Customer Solution Adoption
April 11th 2011
Version 1.0
Purpose of this document
This document allows implementation consultants and administrators to
set up the functionality required for creating an access request after the
post-installation has been finished. Please note that Role Management must
be configured before role assignments can be requested.
This is by no means a comprehensive guide for setting up MSMP
workflows; rather, it allows you to test that the application is working
properly by setting up a basic test case.
© 2011 SAP AG. All rights reserved. 3
Disclaimer
This presentation outlines our general product direction and should not be relied on
in making a purchase decision. This presentation is not subject to your license
agreement or any other agreement with SAP. SAP has no obligation to pursue any
course of business outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and SAP's strategy
and possible future developments are subject to change and may be changed by
SAP at any time for any reason without notice. This document is provided without a
warranty of any kind, either express or implied, including but not limited to, the
implied warranties of merchantability, fitness for a particular purpose, or non-
infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly
negligent.
Agenda
Requirements
o Verifying default configuration parameters
o Adding connector to PROV scenario
o Creating users and assigning roles
o Configuring number ranges
o Maintain provisioning settings
Maintain MSMP Workflow
o Process Global Settings
o Maintain Rules
o Maintain Agents
o Variables and Templates
o Maintain Paths
o Maintain Route Mapping
o Generate Versions
Creating an access request
Requirements
Verifying default configuration parameters
Adding connector to PROV scenario
Creating users and assigning roles
Configuring number ranges
Maintain provisioning settings
Creating users and assigning roles
Please create users and roles as needed. You need at least an administrator for
configuration, an approver, and a standard business user for request creation. The
following roles are provided as examples.
For workflow maintenance:
SAP_GRC_MSMP_WF_ADMIN_ALL        Administrator role for MSMP workflows
SAP_GRC_MSMP_WF_CONFIG_ALL       Configuration role for MSMP workflows
For workflow management:
SAP_GRAC_ACCESS_APPROVER         Approver for Access Request and User Access Review
SAP_GRAC_CONTROL_APPROVER        Approver for Control Maintenance and Assignments requests
SAP_GRAC_SUPER_USER_MGMT_OWNER   Approver for Firefighter Log
SAP_GRAC_FUNCTION_APPROVER       Approver for Function Maintenance
SAP_GRAC_RISK_OWNER              Approver for Risk Maintenance and SoD Risk Review
SAP_GRAC_ROLE_MGMT_ROLE_OWNER    Approver for Role Maintenance
Reminder: end users will also require the roles based on SAP_GRC_FN_BASE and
SAP_GRC_FN_BUSINESS_USER.
Verifying default configuration parameters
Please check that the AC Configuration Settings suit your needs:
Adding connector to PROV scenario
To create access requests, the PROV scenario must be linked to the
connector. This is done via IMG:
Configuring number ranges (1/3)
A number range needs to be created via transaction SNRO:
Configuring number ranges (2/3)
Add as many intervals as needed:
Note: Make sure the “Ext” box is unchecked.
Configuring number ranges (3/3)
Then the default number range needs to be enabled in IMG under Governance Risk
and Compliance → Access Control → User Provisioning → Define Number Ranges
for Provisioning Requests.
Add the requests created in transaction SNRO and make sure one of them is marked
as Active.
Maintain provisioning settings
The provisioning settings are configured in IMG under Governance Risk and
Compliance → Access Control → User Provisioning → Maintain Provisioning
Settings. Maintain at least the Global Provisioning settings.
Maintain MSMP workflow
Process Global Settings
Maintain Rules
Maintain Agents
Variables and Templates
Maintain Paths
Maintain Route Mapping
Generate Versions
Configure MSMP Workflow - Global Process Settings
Go to IMG under Access Control → Workflow for Access Control → Activate MSMP
Workflow. Select SAP_GRAC_ACCESS_REQUEST and click on Display/Change.
Maintain here the Process Global Settings.
Configure MSMP Workflow - Maintain Rules
In this step the rules available to the selected process are shown. These are the
default rules. Please maintain the global rules as shown.
Configure MSMP Workflow - Maintain Agents
In this step the available agents are added. These are the default ones. Please
note that in this scenario we are only going to use Manager approval.
Configure MSMP Workflow - Variables and Templates
Notification variables and notification templates are maintained here. We will use
the default settings.
Configure MSMP Workflow - Maintain Paths
Notification variables and notification templates are maintained here. We will use
the default settings. Maintain the stage settings as required using the Modify Task
Settings button.
Configure MSMP Workflow - Maintain Route Mapping
Please create the route mapping as shown below.
Configure MSMP Workflow - Generate Versions
Click on Save and then Activate.
Creating an access request
Create first access request
Now you can create an access request. Please make sure the Manager is provided,
as this will be the default approver for all requests.