AC 10.0 - Customizing Workflows for Access Management

Customer Solution Adoption
June 2011
Version 2.0
Purpose of this document
This document enables implementation consultants and administrators to set up
the functionality required for enabling the workflow engine in AC 10.0.
You will learn the main components of the new workflow engine and how to
customize them, as well as how to create agents and initiators using Function
Modules and BRFplus.
Disclaimer
This presentation outlines our general product direction and should not be relied on
in making a purchase decision. This presentation is not subject to your license
agreement or any other agreement with SAP. SAP has no obligation to pursue any
course of business outlined in this presentation or to develop or release any
functionality mentioned in this presentation. This presentation and SAP's strategy
and possible future developments are subject to change and may be changed by
SAP at any time for any reason without notice. This document is provided without a
warranty of any kind, either express or implied, including but not limited to, the
implied warranties of merchantability, fitness for a particular purpose, or non-infringement. SAP assumes no responsibility for errors or omissions in this
document, except if such damages were caused by SAP intentionally or grossly
negligent.
© 2011 SAP AG. All rights reserved.
Agenda
• Workflows in Access Control
• Streamlined User Access Management in SAP BusinessObjects Access Control 10.0
• Configuring MSMP Workflows
• Extending Workflows Using Function Modules
• Extending Workflows Using BRFplus
• Wrap-Up
Workflows in Access Control
Structure of a Workflow
Access Control’s Compliant User Provisioning Functionality
[Diagram: an Initiator leads into a Standard Path (Stage 1, Stage 2, ... Stage n, optional Provisioning) and a Detour Path (Stage 1, ... Stage n, optional Provisioning).]
Streamlined User Access Management in
SAP BusinessObjects Access Control 10.0
New Feature Highlights
Streamlined User Access Management
Each focus area is listed with what it does and the value it provides.
• Access Control Harmonization
  What does it do? Unifies all Access Control capabilities on a standardized ABAP platform, offering enterprise supportability, granular security, transport, and archiving.
  What is the value? Lowers TCO by eliminating redundancy in administration, configuration, setup, and end-user training.
• Unified Compliance Platform
  What does it do? Harmonizes Access Control with Risk Management & Process Control and offers shared processes, data, and user interface across the GRC suite.
  What is the value? An enterprise GRC platform approach allows you to have complete management of all risks and controls from a single environment.
• Streamlined User Access Management
  What does it do? Standardizes on improved workflow that supports flexible, multi-tiered routing and approval matrices. Dynamic user request forms based on user or system selected.
  What is the value? Tailoring of routing requirements for simple to highly complex organizations. New request forms improve user adoption and usability.
• Business Role Governance
  What does it do? Provides a standardized role compliance framework, centralized across organizations, systems, and applications. Translates roles into terms business users can understand.
  What is the value? Streamlines management of technical roles and eases identification and selection of appropriate roles for users, positions, and jobs.
• Centralized Emergency Access
  What does it do? Centralizes firefighting and administration across all systems. New workflow provides an auditable process for tracking log report approval.
  What is the value? Reduces the effort required to grant and provision emergency access to multiple systems. Provides a structured, documented process around emergency access.
• Improved Identity Management Integration
  What does it do? Improves compliant provisioning for customers already using IdM. Allows for initiation of risk analysis and remediation from IdM or enables use of IdM to provision compliant requests.
  What is the value? Provides flexibility to ensure an enterprise-wide, compliant provisioning process.
Streamlined User Access Management
SAP BusinessObjects Access Control 10.0
Access Control standardizes on SAP
Business workflow technology and
supports more flexible and tailored
access request and approver views,
simplifying the provisioning process.
Solution Enhancements
• Standardized on SAP Business Workflow technology
• Access requests enhancements:
  • New customizable access request forms
  • New template-based access requests
  • New position-based role assignment requests
  • New end-user display of profile, access assignments, and request history
• Enhanced search for roles, groups, and system based on authorization
• New customizable approver views
• New multiple rule set support
• Enhanced periodic reviews for user access and access risks
Key Benefits
• Business workflow reduces manual tasks and streamlines access request processing
• Leverage existing resources for workflow administration and configuration
• Faster and easier for users to request the roles they need
• Utilize existing HR structure for automated and compliant position-based role assignment
• Improved security and richer request context
Workflow Key Terms in SAP BusinessObjects AC 10.0
Mapping Previous Workflow Terms to the New Workflow Functionality
[Table: workflow terms in SAP BusinessObjects AC 5.X mapped to SAP BusinessObjects AC 10.0]
One process ID can have multiple request types:
• Access Request: Create Request, Change Request, etc.
• Function Approval: Update Function, Delete Function, etc.
One initiator rule is able to trigger multiple paths based on the rule result value.
Configuring MSMP Workflows
Prerequisites
The following configuration should have been completed as part of the initial post-installation steps:
• GRC_MSMP_CONFIGURATION BC Set has been enabled
• Perform Automatic Workflow Customizing
• Perform Tasks Specific Customizing
• Activate Event Linkage
• Define number ranges for Access Requests
• Connectors assigned to the PROV integration scenario
Roles and Users
Please create users and roles as required. You need at least the admin for
configuration, an approver, and a standard business user for request creation.
For workflow maintenance:
• SAP_GRAC_MSMP_WF_ADMIN_ALL: Administrator role for MSMP workflows
• SAP_GRAC_MSMP_WF_CONFIG_ALL: Configuration role for MSMP workflows
For workflow management:
• SAP_GRAC_ACCESS_APPROVER: Approver for Access Request and User Access Review
• SAP_GRAC_CONTROL_APPROVER: Approver for Control Maintenance and Assignments requests
• SAP_GRAC_SUPER_USER_MGMT_OWNER: Approver for Firefighter Log
• SAP_GRAC_FUNCTION_APPROVER: Approver for Function Maintenance
• SAP_GRAC_RISK_OWNER: Approver for Risk Maintenance and SoD Risk Review
• SAP_GRAC_ROLE_MGMT_ROLE_OWNER: Approver for Role Maintenance
Configuration Parameters
The configuration parameters are set in IMG under Governance, Risk and
Compliance → Access Control → Maintain Configuration Settings. Make sure they
reflect your needs.
Provisioning Settings
The provisioning settings are configured in IMG under Governance, Risk and
Compliance → Access Control → User Provisioning → Maintain Provisioning
Settings.
Maintain at least the Global Provisioning settings.
Maintain MSMP Workflow
Overview
The configuration tool can be launched in IMG under Governance, Risk and
Compliance → Access Control → Workflow for Access Control → Maintain MSMP
Workflows.
These activities allow you to customize and maintain the Multi-Stage Multi-Path
(MSMP) process workflows for Access Control 10.0.
Ready-to-use components are delivered by SAP under BC Set
GRC_MSMP_CONFIGURATION.
Maintain MSMP Workflow
1. Process Global Settings
In this step, settings that apply to all process IDs are configured, such as escape
conditions and notification settings.
Predelivered Process IDs:
• Access Request Approval Workflow
• Access Request Approval Workflow for HR OM Objects
• Control Assignment Approval Workflow
• Mitigation Control Maintenance Workflow
• Fire Fighter Log Report Review Workflow
• Function Approval Workflow
• Risk Approval Workflow
• Role Approval Workflow
• SOD Risk Review Workflow
• User Access Review Workflow
Maintain MSMP Workflow
2. Maintain Rules
Maintain Rules includes a list of all available rules to be used when configuring a
workflow. If a new rule is created, it must be added to this list. This is also where the
default initiator is configured.
There are different Rule Kinds according to the rule’s objective:
• Initiator Rule
• Agents Rule
• Routing Rule
• Notification Variables Rule
Rules can be coded in different ways. These are the different Rule Types:
• Function Module Based Rule
• ABAP Class Based Rule
• BRFplus Rule
Maintain MSMP Workflow
2. Maintain Rules: Rule Kinds
Rule Kinds:
• Initiator Rule – determines the path upon submission of the request
• Agents Rule – determines the recipients of a stage
• Routing Rule – determines a detour routing based upon an attribute of the request (for
example, SoD Violations Exist, Training Verification, No Role Owner)
• Notification Variables Rule – determines the variable values at runtime used in the
notification e-mails.
Maintain MSMP Workflow
2. Maintain Rules: Rule Types
Rule Types:
• BRFplus Rule: a rule defined in the BRFplus application to fetch rule results, depending
on conditions inside the rule.
• Function Module Based Rule: a function module is coded to output rule results.
• ABAP Class Based Rule: an ABAP class is coded to output rule results.
• BRFplus Flat Rule (Line-item by Line-item): a BRFplus rule which is defined for only one
line item (the rule will be called once for each line item in the request). Also referred to as
BRF+ Easy.
Maintain MSMP Workflow
2. Maintain Rules: Results for Initiator and Routing Rules
A list of all possible results returned by an initiator/routing rule must be
maintained by using the Results button. These values will be mapped to a path in step 6.
Maintain MSMP Workflow
3. Maintain Agents
A list of all available agents for a workflow is maintained in step 3. Agents have a
type and a purpose assigned.
Agent Purpose
• Notification: Recipients for email
• Approval: Recipients to process request
Agent Types
• API Rules, coded as per rule’s type
• Directly Mapped Users
• PFCG Roles, and
• User Groups
Maintain MSMP Workflow
3. Maintain Agents: Agent Types
Directly Mapped Users
PFCG Roles
PFCG User Groups
GRC API Rules
Maintain MSMP Workflow
3. Maintain Agents: Directly Mapped Users
Directly Mapped Users allows you to define static user groups.
Maintain MSMP Workflow
3. Maintain Agents: PFCG Roles and User Groups
These two agent types determine the recipients of a workflow based on a role or
a user group assignment.
Maintain MSMP Workflow
3. Maintain Agents: GRC API Rules
This agent type will determine the recipients based on a rule maintained in step 2.
API to be completed
Maintain MSMP Workflow
4. Variables and Templates
In this step, all templates for email notifications are maintained. The templates are
created using transaction SE61.
Notifications can be sent on different events, such as:
• New Work Item
• Approval
• Rejection
• Escalation
• Request submission
• Request closure
• Reminder
This topic is covered in detail in a separate guide. Please check the references at the
end of the presentation.
Maintain MSMP Workflow
5. Maintain Paths
Here the actual workflows are configured. Multiple paths relevant to a specific
Process ID are configured by assigning a sequence of stages.
Each stage is configured in this screen, as are the notification settings specific
to the stage.
Maintain MSMP Workflow
5. Maintain Paths: Stage Details
Stage details can be configured globally for the specific process ID and can be
overwritten at a specific path/stage sequence.
[Screenshots: Default Stage Details Settings; Stage settings specific to Path and Stage Sequence Number]
Maintain MSMP Workflow
5. Maintain Paths: Modify Task Settings
When adding a stage to a path, it is possible to configure all stage settings by
clicking on Modify Task Settings. These settings will apply to the stage whenever
it is used in a particular path.
Maintain MSMP Workflow
6. Maintain Route Mapping
In this step you define the mapping between rule results and paths to route the
requests.
The Global Initiator must always be used. If multiple paths are required, the Global
Initiator must return different result values.
Routing rules for detours can be added here as well.
Maintain MSMP Workflow
7. Generate Versions
In the last step all changes will be saved and activated. If necessary, a transport
request can be configured.
Extending Workflows Using Function Modules
Creating a Function Module Rule
Overview
Function Module rules allow developers to create complex rules by using ABAP
code. These are the activities needed for creating an FM rule:
• Create Function Group in SE37: Function Modules will be added to the group.
• Define Workflow Related MSMP Rules: For generating the FM rule content from a
template before maintaining it.
• Maintain Function Module in SE37: For maintaining the FM rule contents.
Create Function Group in SE37
Preparing for creating a Function Module
Go to SE37 and create a Function Group as shown below.
Define Workflow Related MSMP Rules
Generating a Function Module
Generate each Rule ID (FM) to the Function Group created in the previous step.
Testing of the rule is optional and will be done when the rule is generated. After
generation the FM will be ready to be maintained.
Maintain Function Module in SE37
Customizing the ABAP code
Now you can maintain the FM content in SE37. A default template is created on
generation.
Extending Workflows Using BRFplus
Business Rule Framework
Overview
BRFplus Workbench
• The BRFplus Workbench is a User Interface (UI) that enables users to define,
test, and maintain rules for various business scenarios without the need for
ABAP code. Rules can be created for initiators, agents, and also for routing
workflows on specific conditions.
Creating a BRFplus Rule
Overview
There are two main activities that are relevant to maintaining BRFplus rules. They
are located in IMG under Governance, Risk and Compliance → Access Control →
Workflow for Access Control:
• Define Workflow Related MSMP Rules: For generating the rule before maintaining it.
• Define Business Rule Framework: Launches the UI for maintaining the rule’s
conditions using BRFplus.
Define Workflow Related MSMP Rules
Overview
Using this activity you can create rules for initiators, agents, and for routing. This
only creates an empty rule that will be maintained later.
Define Workflow Related MSMP Rules
Rule Info
Generate each Rule ID (Function) to its own unique application/Funct. Group
when using BRF rules.
Define Workflow Related MSMP Rules
Generation of Options
Select both Generate Rule and Generate Result Work-Area.
Define Workflow Related MSMP Rules
Test Rule
FM Rules can be tested on generation. Testing for BRF Rules can be executed
once the rule has been activated.
Define Business Rule Framework
Maintaining Conditions
Using this activity you maintain the request fields that will be checked in a decision
table.
The decision table is empty by default and is located under Expression → Decision
Table, where the necessary request fields can be added by inserting columns.
Setting up an Initiator/Agent Rule
Table Settings
By using the Table Settings button, the condition columns can be maintained.
Setting up an Initiator/Agent Rule
Condition Columns
In the Conditions Columns, click Insert Column, then select Context Data
Objects in order to add items that will be used as the Condition Factors in the
Decision Table:
Setting up an Initiator/Agent Rule
Condition Columns
Navigate to the structure that contains the Condition Items:
GRAC_S_REQUEST_RULE_HEADER. Note that custom fields will only be
available to rules created AFTER the creation of the custom field.
Setting up an Initiator/Agent Rule
Condition Columns
Items can be selected from multiple structures; role line items are located in
structure GRAC_S_REQUEST_RULE_LINE.
Setting up an Initiator/Agent Rule
Table Settings
The Condition columns are now selected into the Decision Table settings.
• Click OK, at the bottom of the screen, to complete Table Settings.
Setting up an Initiator/Agent Rule
Decision Table Values
Click on Insert New Row to configure new condition statements and results.
Setting up an Initiator/Agent Rule
Decision Table Values
Now the Condition Statement can be configured.
• Click the icon in each field. Select Direct Value Input to enter value(s) for the
Condition.
Setting up an Initiator/Agent Rule
Decision Table Values
Input each Condition Statement:
• Choose the Expression Type (is equal to, is not equal to) from the dropdown list.
• Enter the value that the Condition should match. Use the icon to continue to enter,
OR, more Condition Values, if needed, to complete the Condition Statement.
• Repeat, as needed, for other Condition fields.
Setting up an Initiator/Agent Rule
Condition Statements
Condition Example:
The condition statement above means:
• Request Type is equal to 001, and Priority is NOT equal to 001, and Employee Type is
between 000 and 999
• If all of the conditions are true, then the statement is true and will return the result
value(s)
Note:
• All condition statements can be easily imported and exported to Microsoft Excel
Setting up an Initiator/Agent Rule
Result Columns
Finally, set the results column values. The result objects are highlighted in
green.
• Initiator/Routing Rules: the result column is RULE_RESULT which will be used for
mapping the path in the MSMP Workflow Configuration
• Agent Rules: the result column is USER_ID, which will return an agent (notification or
approval).
Notes:
• Always configure LINE_ITEM_KEY with Context Parameter ITENNUM.
• Remember to add a “catch-all” entry with no values if needed
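
The decision table described above, together with the Results list from step 2 and the Route Mapping from step 6, can be modeled outside the system to review a rule design for requests that would receive no result or no path. The following Python model is an added example, not SAP code and not part of the original presentation; the field names, result values and path IDs are constructed, and it assumes rows are evaluated top-down with the first matching row returned.

```python
# Added illustration in plain Python, not SAP code. Field names, result values
# and path IDs are constructed; first-match, top-down evaluation is assumed.

def cell_matches(cell, value):
    """A cell is None (empty, matches anything) or an (operator, operand) pair."""
    if cell is None:
        return True
    op, operand = cell
    if op == "eq":
        return value == operand
    if op == "ne":
        return value != operand
    if op == "between":
        low, high = operand
        # Fixed-width codes such as "000".."999" compare correctly as strings.
        return low <= value <= high
    raise ValueError(f"unknown operator: {op}")


def evaluate(table, request):
    """Return RULE_RESULT of the first row whose cells all match, else None."""
    for conditions, rule_result in table:
        if all(cell_matches(cell, request.get(field, ""))
               for field, cell in conditions.items()):
            return rule_result
    return None


def audit(table, declared_results, route_mapping):
    """Check the table against the Results list (step 2) and Route Mapping (step 6)."""
    findings = []
    catch_all = [i for i, (conds, _) in enumerate(table)
                 if all(cell is None for cell in conds.values())]
    if not catch_all:
        findings.append("no catch-all row: some requests get no rule result")
    elif catch_all[0] < len(table) - 1:
        findings.append(f"rows after row {catch_all[0] + 1} are unreachable")
    for result in sorted({res for _, res in table}):
        if result not in declared_results:
            findings.append(f"{result}: not in the rule's Results list")
        if result not in route_mapping:
            findings.append(f"{result}: not mapped to a path")
    return findings


# Row 1 is the condition statement from the slide; row 2 is the catch-all.
INITIATOR_TABLE = [
    ({"REQUEST_TYPE": ("eq", "001"),
      "PRIORITY": ("ne", "001"),
      "EMPLOYEE_TYPE": ("between", ("000", "999"))}, "RESULT_A"),
    ({"REQUEST_TYPE": None, "PRIORITY": None, "EMPLOYEE_TYPE": None},
     "RESULT_DEFAULT"),
]
DECLARED_RESULTS = {"RESULT_A", "RESULT_DEFAULT"}
ROUTE_MAPPING = {"RESULT_A": "PATH_A", "RESULT_DEFAULT": "PATH_DEFAULT"}

if __name__ == "__main__":
    sample = {"REQUEST_TYPE": "001", "PRIORITY": "002", "EMPLOYEE_TYPE": "100"}
    result = evaluate(INITIATOR_TABLE, sample)
    print(result, "->", ROUTE_MAPPING.get(result))
    print(audit(INITIATOR_TABLE, DECLARED_RESULTS, ROUTE_MAPPING))
```

Running `audit` on a table without the catch-all row, or with a result missing from the route mapping, lists each gap as a finding.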
Setting up an Initiator/Agent Rule
Save Changes
You need to make sure there is a green light next to the decision table and
function names. You need to click on Save and then Activate to achieve this.
Now you are ready to use your BRFplus rule in MSMP Workflows. Note that
you will use the Function ID instead of the rule name.
Wrap-Up
Resources
AC 10.0 How to Customize Notification Templates
http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/605077fc-35772e10-e1a6-a743514d4eb3
SAP Community Network
http://www.sdn.sap.com/irj/bpx Go to Key Topics → Access Control
SAP Service Marketplace Documentation *
https://service.sap.com/instguides
SAP Help
http://help.sap.com Go to SAP Business User → GRC Solutions
SAP BusinessObjects GRC Solutions
http://www.sap.com/grc
* Requires login credentials to the SAP Service Marketplace
Wrap-Up
SAP’s comprehensive approach to GRC leverages the standard SAP Business Workflow technology:
• SAP provides ready-to-use content for configuring basic workflow scenarios
• Complex criteria can be coded for routing requests and determining workflow and
notification recipients by using ABAP code
• No ABAP development skills are required for setting up rules using the SAP Business
Rule Framework
• Workflow recipients can be easily determined by using role and user group assignments
• Email notification can be customized on specific events
• New request form improves user adoption with a consistent user experience in all GRC
components
Thank You!
Contact information:
Luis Bustamante
Customer Solution Adoption (GRC)