I recently moderated a Q&A on SAP Access Control 10.0 workflow with Turnkey Consulting's Simon Persin.

There was a lot of discussion on changes to approvals with 10.0 and MSMP and, not surprisingly, a lot of questions about BRF+, an area where we know our GRC 2013 conference attendees have lots of questions.

Specifically, Simon took questions on big changes to CAD, access request standard rules, Firefighter ID access, status requests for end users, the challenges of configuring alternate approvers, and skills you'll need with BRF+.

If you missed the one-hour Q&A, you can review all the posts in this Q&A, visit Insider Learning Network's Compliance Forum, or read the transcript below. Watch for more in this series of GRC Forums, webinars and podcasts in the weeks to come!
Matt Moore, conference producer, GRC 2013: Welcome to today's forum on Access Control 10.0 workflow & automation. I'm pleased that we have Simon Persin from Turnkey Consulting here to take your questions.

Simon is senior manager & solution lead, GRC Access Controls with Turnkey Consulting and a speaker at SAPinsider's GRC 2012 conference. Today's Q&A is the first in a series of GRC Q&As, podcasts, and webinars we'll be doing with Turnkey consultants.

Simon is here for the hour to answer your questions on Access Control 10.0 functionality, especially questions about Access Request Management (ARM, formerly CUP), access request automation and configuration, and using BRF+ and MSMP workflow in 10.0.

Welcome, Simon! It's great to have you here!
Simon Persin, Turnkey Consulting: Thanks Matt!
Matt Moore: Simon, we're happy to have your expertise to clear up some uncertainty in this area, especially since it's a popular topic among our GRC customers.

I'd like to quickly start with a basic question, addressing some confusion about when to use BRF+ and the new MSMP templates.

Do you want to start with a quick overview of a couple of the most significant changes in workflow and automation with AC 10.0?
Simon Persin: Ok, to start with, perhaps we should look at what MSMP and BRF+ are:

MSMP is the new workflow engine used within GRC Access Controls 10.0. It stands for Multi-Stage, Multi-Path, meaning that the engine is capable of directing requests down multiple approval routes simultaneously. It is used for the management of automated approval workflows for the purposes of access request management but can also be triggered for the other access control modules, including Access Risk Analysis master data updates or role build approval workflows. The big change is that it works off a multitude of different rules to govern what should happen to the requests. All of these rules need to be defined up front before they can be assigned into the configuration and used in the workflow processes.

BRF+ is the Business Rules Framework Plus application, which supports the definition of business rules. It can be the authoring environment for the rules, which can then be plugged into MSMP workflow configuration. However, it is much more powerful than that. In advanced cases, it can actually be like writing code, but for access controls functionality the uses are often more simple: to derive agents or specific results which can be linked to workflow route decision points.

The biggest change is definitely the terminology. The existing capabilities are still there within MSMP, but they are called different things:

- There is still an initiator, although this is now a central and global initiator for each workflow process (type). Rather than specifying an initiator for each workflow path, you now only have one, which contains all of the different variations that you can have.
- Paths are still the same, as are stages, but Approvers are found through Agent Rules rather than CADs.
- Agent rules are also the source for defining recipients of notifications.

Further changes are to be found in the architectural changes:

- Being on ABAP, the solution now requires more SAP standard setup. For example, you have to activate the tasks for SAP business workflow and configure SAPConnect to be able to send email notifications.
- Also, the content is transportable to enable you to migrate through the landscape. This also requires attention, as although the configuration is transported, you'll still need to check the master data (user IDs) and activate the workflow locally in each system.
rajeshnanda1982: How is it different from 5.3 when creating CAD?
Simon Persin: Hi,

The CAD is substantially different in 10.0 vs 5.3. In fact a CAD (Custom Approver Determinator) does not actually exist in GRC 10.0. It has been superseded by the concept of Agent Rules.

You can define agents through multiple different mechanisms: either directly mapped or via a PFCG user group or Role assignment. Alternatively, you can use BRF+ (Business Rules Framework Plus) to build a rule which will result in specific agent(s) based upon fields populated in the access request.

Cheers, Simon
KenLauver: This is one of the major reasons that we haven't upgraded to V10. We have a lot of fairly complicated CADs and although it seems like the approvers and agents would be the same people, there is no way to easily convert the 5.3 CADs to agent rules. Have you heard of a conversion tool? I know that SAP doesn't provide one.
Simon Persin: Hi Ken,

If you are on version 5.3 there is in fact a migration tool which will also work with your workflow configuration. I believe that CADs are indeed covered by this migration tool but, to be honest with you, I have tended to recommend that when upgrading, customers should re-implement the workflow.

If you know what you want to achieve, and it is not reasonable to re-assess the design of the CADs, then it isn't too much of a technical challenge to re-configure the workflows to GRC 10.0. As with most of the tools, it is the thinking and design discussions that take the time rather than the technical build.

I don't know of any automated conversion tool other than SAP's migration tool, but within BRF+ you can upload directly from Excel, so it's quite quick once the design is finalised.

Simon
Matt Moore: A question about troubleshooting MSMP: There are a number of settings that must be in place before you can even begin working with MSMP. Are there steps here where errors are commonly made?
Simon Persin: In addition to my previous post, in terms of troubleshooting the MSMP setup, there is a specific issue if you have the GRC plug-in installed on the GRC system. If that is the case, you cannot automatically activate the workflow tasks and assign agents correctly; you'll need to activate manually.
Bette Ferris: Simon, what are best practices or workarounds to simplify building business rules, to avoid some of the most common errors when setting up workflow in 10.0?
Simon Persin: Best practice for simplifying the workflow is to really challenge the validity of the approvers at each stage.

- Are they really required to make a decision, or just there because historically they want to know what's going on?
- If they only need to know, then how about making them a recipient of a notification rather than a specific approver?

I would also try to rationalise as much master data as possible. If you can have a rule in place that caters for changes in organisations, then do that rather than leave yourself with a legacy of continually having to update users in the workflow definition.
Abdul Hakim Khan: Could anybody please tell us the best practice/approach for leveraging the pre-delivered rules SAP_GRAC_ACCESS_REQUEST? A small business scenario would be helpful.
Simon Persin: Hi,

The pre-delivered rules are there mainly as accelerators. Whilst they are useful, they rarely match your requirements.

As standard, the access request goes to Manager then Role owner for every case. That's fine if you want that, but what if the request is for a system, not a role? Role owner won't work for that.

Also, what about Firefighter ID access? If you want a firefighter ID, why call a role owner? Wouldn't it be better to have an additional path to go to the Owner of the ID?

In that case, you'll already need to augment the standard default configuration to produce your own initiator to cater to your own use cases.

Simon
malinirao: What are the kind of workflows required for Emergency Access Management and Access Risk Analysis?
Simon Persin: Hi Malini,

Long time no speak!

For Emergency Access Management, you don't need to use workflow, but if you choose to, the main ones are the provisioning / removal of access via the SAP_GRC_ACCESS_REQUEST process and then the log review process SAP_GRC_FIREFIGHTER_LOG_REVIEW.

For ARA, the main workflows are for Master data updates, including changes to Risks, Functions and Mitigating Control masters / assignment.

All of these workflows can be configured to direct to appropriate approvers and linked together for an integrated approach to access management.

Simon
malinirao: Hi Simon,

Good to hear from you after a long time :)

I have another question: could you please cite 1 or 2 examples of BRF+ Rules for the benefit of the audience, to get better clarity on BRF+ rules?

Also, what kind of skills/experience are required to work on BRF+ Workflow? Is prior knowledge of BRF useful?
Simon Persin: Sure,

BRF+ rules are the basis of workflow process definition on the MSMP side of things.

The most common one that nearly everyone will need is an Initiator. Here you define the routes which should be taken given a certain set of criteria.

For example: You have a requirement that for access provisioning the workflow directs to a manager then a role owner, but for access removal, it only goes to the manager. Also, if the user wants Firefighter access, it should go to the Firefighter owner.

In this case, you can use BRF+ to define the inputs and results for the workflow engine to process.

Solution: Use Request Type to govern the result in a decision table within BRF+. Request type will be the input value, and use the standard results of LINE ITEM and Trigger Value.

- For Request types "New" and "Change", result in a value of "Addition".
- For Request type "Delete", result in a value of "Remove".
- For a request type of "Super User Access", result in a value of "Super".

You should also set up a path to match each of your approval requirements. You can then match the trigger values to the path when configuring the route mapping, to direct the process down a chosen path which has the correct approvers.
PatrickWeyersBE: Hi Simon,

Two questions from my side:

In 5.3, escalating during the manager approval stage was a common problem (there wasn't any way to configure alternate approvers; the only option was to forward to Administrator centrally). With 10.0, the escalation capabilities in MSMP appear to be more flexible. What is a good practice for escalating requests that are stalling in the manager approval stage?

Also, in 10.0, the request status overview for end users who want to check back on their access requests seems to have lost some functionality. Vs. the graphical overview from 5.3, there is now no way to deduce who will still have to approve (i.e. to receive an estimate of how long the request will yet take to complete).

Any recommendations here?
Simon Persin: Hi Patrick,

Escalation is a common issue.

You can configure escalation independently at each approval stage, and you have options to escalate to an alternative approver (a different agent) or to escalate directly to the next stage.

I don't tend to like escalation much, as it can serve to encourage approvers not to make a decision and simply wait for the system to move it to someone else. But it is possible to be flexible with it with the technology.

Request status has been enhanced in 10.0. There is still an end user application which allows users to see their own requests, but there is also an improved Instance Status available for users who have a GRC account. Here you can see the full status and history of the request as well as the current approvers. However, if there are multiple approvers (like Role owners) it does not dynamically update to show you which of the current approvers have already approved and who it's waiting for. I submitted an Idea in the Ideas Place on SCN for that, but thus far it's not been developed.
KenLauver: Attendees, please remember to submit ideas for upgrades to the Idea Place: cw.sdn.sap.com/cw/community/ideas. Thanks Simon for the time and suggestions!
Matt Moore: Thanks to all who posted questions and followed the discussion! We've reached the end of the hour, and Simon is wrapping up his final responses to the posted questions.

Thank you, again, to Turnkey Consulting's Simon Persin for taking the time to respond to these questions.

A full summary of all the questions will be available on Insider Learning Network.

Watch for our fall and spring calendar of GRC events, including live events, online forums, plus webinars, podcasts and more. Follow us on Twitter @iln4sap or check back on the Forum calendar for updates on the full GRC Q&A series:

- The next in this GRC series with Turnkey consultants is coming up soon, this Thursday, September 20: A webinar on Role- and ID-Based Firefighting with Simon's colleague Kehinde Eseyin, exclusively for SAPexperts subscribers!
- For updates about this spring's GRC 2013 conference in the US, visit our site. I hope to see you in Las Vegas, March 19-22!

Thanks again for participating in today's forum, and a special thanks to Simon Persin of Turnkey Consulting.

For additional GRC information, the GRC Forum archives past Q&As with Simon and other GRC experts. You can also post your questions for the entire community by selecting "New Thread" in the GRC Forum.

Thanks for joining us, and I look forward to seeing you all at GRC 2013 in the US. Thanks again for a great discussion!