Professional Documents
Culture Documents
Introduction To AC 10 MSMP Workflow+++++ PDF
Introduction To AC 10 MSMP Workflow+++++ PDF
Introduction To AC 10 MSMP Workflow+++++ PDF
Ruth Johnson
Customer Advisory Group
1
What We’ll Cover
2
Introduction to AC 10 MSMP Workflow
• MSMP workflow
Multiple Stage, Multiple Path workflow
Initiator
Decides which path the request will follow
Path
A linear group of stages which determine which approvals
are required
Stage
Defined approval action required
3
Introduction to AC 10 MSMP Workflow (cont.)
• Benefits
Gain understanding of how workflows will be created and their
functionality
You can incorporate the flexibility benefits for the 10.x workflow
right from the start
5
Different Types of Paths
• Paths by System
Path #1 for Production access
7
Different Types of Paths (cont.)
• Roles that require specific actions could have their own paths
with stage approvals
Training requirements
8
What We’ll Cover
9
BC Sets
Initial of parameters
Manager
Role Owner
Others
Routing Rules – Rules that will route the request to other paths
SoD Detours
Others
11
MSMP Workflow BC Sets
GRC_MSMP_SAMPLE_CONF
GRC_MSMP_STD_CONF
12
Other BC Sets
GRAC_ACCESS_REQUEST_EUP
GRAC_ACCESS_REQUEST_APPL_MAPPING
GRAC_ACCESS_REQUEST_PRIORITY
GRAC_ROLE_MGMT_METHODOLOGY
GRAC_ROLE_MGMT_ROLE_STATUS
GRAC_ROLE_MGMT_PRE_REQ_TYPE
13
Caution When Activating BC Sets
The data and configuration options that are delivered via the BC
Sets can be used in your workflow configuration
But if any changes were made, the BC Sets will overwrite
them
14
What We’ll Cover
15
Basic Steps in MSMP Workflow
• Transaction SPRO
• SAP Reference IMG
Governance, Risk, and
Compliance
Access Control
Workflow for
Access Control
Maintain
MSMP Workflow
16
MSMP Workflow Configuration
2. Maintain Rules
3. Maintain Agents
5. Maintain Paths
7. Generate Versions
17
Display vs. Change for MSMP Workflow
18
Process IDs
Firefighter IDs
SAP_GRAC_FIREFIGHT_LOG_REPORT
19
Step 1 – Process Global Settings
20
Step 1 – Process Global Settings (cont.)
• Notification Settings
Request Submission emails
• Escape Conditions
Auto Provisioning Failures
No Approver Found
21
Step 2 – Maintain Rules
• All Rules used in this Process ID workflow must exist as Rule IDs
• Rules can be SAP-Delivered or Custom
SAP-delivered Rules are usually Function Module-Based Rules
22
Kinds of Rules
Notification Rule
Routing Rule
23
Adding Custom Rules
24
Global Rules for Process ID
• Each Process ID will have one initiator rule and one notification
rule
The Global Rules should reflect the custom Initiator Rule
25
Step 3 – Maintain Agents
26
Step 3 – Maintain Agents (cont.)
Add each custom agent rule using the Rule ID (list of numbers
and letters)
27
Step 3 – Maintain Agents (cont.)
Agent Rule ID: Use dropdown to find the long Rule ID with
letters and numbers
Cut and paste the Rule ID from the BRF+ Function screen
28
Notification Agent Rules
Sometimes you want to notify the manager, but they are not
the current approver
29
Step 4 – Variables and Templates
• Notification Templates
The text that appears in the email notifications
GRAC_MSMP_AR_NEWWORKITM_APP
GRAC_AR_CLOSE
30
Step 4 – Variables and Templates (cont.)
• Variables
The values that are replaced with actual values when the email
notifications are sent
Example: User ID and Username
31
Step 4 – Variables and Templates (cont.)
33
Step 5 – Creating Paths
SoD Detour
34
Step 5 – Creating Paths (cont.)
• A path will need to be created for each Rule Result from the
Initiator Rule
Initiator analyzes each request to determine which path request
and/or items on the request should follow
Custom BRF+ initiator will return a rule result for each different
row listed in the initiator
35
Stages Creation
36
Stages Creation (cont.)
• Modify Stage
Escalation – number of minutes
38
Stage Definition
39
Stage Definition – Notification
Forward
Return
Approved
40
Stage Definition – Notification (cont.)
Rule results are defined with the initiator and the routing
table will coordinate on which path each result is sent
Detours
42
Step 6 – Maintain Routing Rules (cont.)
43
Step 7 – Generate Versions
• Transport Required
Best Practices suggest that the workflow be configured in
development and transported
along to production
44
Generation Log
• Generation Log will appear and give details of both the successful
and failed details of the workflow configuration
• Using this detailed log, it is easier to figure out the workflow
errors and correct them
45
What We’ll Cover
46
BRF+ Rules
• BRF+ Rules are ways to customize and add flexibility into the
workflow
• BRF+ Rules allows for creating flexible rules without requiring the
user to be an ABAP Developer or have knowledge of ABAP
programming
• Although the BRF+ concepts are much easier than learning the
ABAP programming, it will still take time to learn and master
47
BRF+ Initiator Rule
• Although this may work, often times companies will have more
than one requirement for access approval
48
BRF+ Initiator Rule (cont.)
Function
• SAP GRC recommends that each BRF+ Rule be unique and have a
one-to-one relationship
There is one application to one decision table to one function
Other BRF+ rules can share data objects, but it is important that
each BRF+ rule you build is its own unique application
49
BRF+ Initiator Rule (cont.)
50
BRF+ Initiator Rule (cont.)
• Although you can’t see the whole screen, the Rule_Result is in the
end column
Here is a picture of the decision table in Excel with all columns
51
BRF+ Initiator Rule (cont.)
Request Detail
• Determine how your requests should follow the paths, then you
can decide how to build your BRF+ Initiator
52
BRF+ Initiator Rule (cont.)
53
BRF+ Rules: Import Decision Table via Excel
Manually create the BRF+ Rule with decision tables with all
the appropriate columns
Add a few lines of decisions
Then export it
54
BRF+ Rules: Simulate Results
55
BRF+ Rules: Agent Rule
56
BRF+ Rules: Agent Rule (cont.)
Example 2:
System Role User ID
Production Z:STAFF_ACCOUNTANT JOHNSONR
Production Z:SALES_ORDER* COLEP
QA Z:SALES_ORDER* WHITES
57
BRF+ Rules: Agent Rule (cont.)
• If the SAP solution for Alternative Approvers does not work for your
application, here is a suggestion
• Build an Alternative Approver BRF+ Rule
A BRF+ rule can be created for Alternative Approvers for escalation
An alternate approver rule looks just like the original Agent Rule; the
difference would just be where in the workflow it is called
In an Alternate Agent Rule, every occurrence in the original Agent
(Approver) Rule will need to be duplicated over into the Alternative
Approver Rule, but with a listing of an escalation agent
Therefore, some items could be escalated to the same user
In previous versions, there was a limitation on escalation; items
would escalate to another user without retaining the first approver’s
ability to approve
Now, both approver and alternate approver can be listed in the
Alternate Approver Rule
58
What We’ll Cover
59
Incorporating BRF+ Initiator Rule
• The Rule ID for any custom rules will be the long Rule ID with
letters and numbers
Cut and paste the Rule ID from the BRF+ Function screen
Example: 00505881002203009081CFE87DA153E
60
Incorporating BRF+ Initiator Rule (cont.)
61
Incorporating BRF+ Initiator Rule (cont.)
• Agents
Add each Agent Rule with a unique ID and name. Unlike the
initiator rule, agent rules are referred to in the workflow, but
these are unique agent IDs.
Approver Agent Rule should be set up twice – once with the
purpose of Approval and once with the purpose of Notification
Additional fields will relate the custom BRF+ Rule ID to this
Agent
The BRF+ long number ID will be entered on this screen
• Example
Either select Add to add new Agent or Modify
after highlighting Agent ID to be changed
Once added, you may need to save the workflow prior to seeing
this Agent ID available in Path-Stage configuration
64
What We’ll Cover
65
Tips and Tricks #1
66
Tips and Tricks #2
For instance:
67
Tips and Tricks #3
Through IMG
68
Tips and Tricks #3 (cont.)
Methodology Processes
BC Sets
For roles to be available in Access Request workflows, the
following BC sets should be activated:
GRAC_ROLE_MGMT_ROLE_STATUS
GRAC_ROLE_MGMT_METHODOLOGY
69
Tips and Tricks #3 (cont.)
Import roles
70
Tips and Tricks #4, 5, and 6
71
Tips and Tricks #7
73
Where to Find More Information
• Create your own BRF+ rules; do not limit your workflow to SAP-
delivered workflow rules
75
7 Key Points to Take Home (cont.)
• Through SAP Notes and SCN websites, there is a lot of help for
Access Control Workflow Configuration, just not located all in one
place
76
Your Turn!
SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or
an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective
companies. Wellesley Information Services is neither owned nor controlled by SAP SE.
78
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2015 Wellesley Information Services. All rights reserved.