RMS Role Mapping Training

© 2014 IBM Corporation

RMS Role Mapping Training

Agenda

 Role Purpose
 Role Mapping Process
 Roles and Responsibilities
 Role Mapping and Scheduling Tool (RMS) Summary
 Role Mapping Timeline

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Role Mapping Purpose and Glossary of Terms

Purpose of Role Mapping:

Provide the appropriate system access based on business role assignments

Assign required training to end users

Business Role A logical grouping of activities/tasks performed in SAP by a specific job. The business role is the
one that launches a process, makes decisions on which of the available paths in the process to take
and in the end finishes the process. Business roles are not HR jobs or positions. One person can
be member of multiple business roles, and multiple persons can be member of the same business
role

SAP Technical Role Within a Business Role, a number of additional more granular technical security roles will exist that
make up the details of the overall security role design. Security Team will build appropriate
authorizations. Technical authorizations can be expressed in terms of Business Roles and aligned to
jobs which the business can easily understand (The Security Technical Roles will not exposed to
end users)
Segregation of Duty (SoD) The concept of having more than one person required to complete a SAP transaction to prevent
fraud and/or error.
Transaction Code (T- A specific function in SAP that allows an end-user to perform one of his/her job responsibilities (e.g.
Code): T-Code VA01 “Create Sales Order)
Task Role: A logical group of transactions (T-Codes) into a specific task (e.g. “Process Sales Order Task Role
includes T-Code VA01 “Create Sales Order, VA02 – “Change Sales Order’, VA 03 – “List Sales
Orders” )

RMS Tool IBM’s Automated Role Mapping & Scheduling (RMS) System. Next generation role mapping
accelerator/tool that facilitates the process of mapping end users to SAP security roles.

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Role Mapping Summary

 Role Mapping Lead assigns end users to role mappers

 Role Mappers map end users in RMS

 Role Mappers maintain all changes in RMS

 Managers and second level approvers validate end users

 Training assigned automatically in RMS based on roles

 Send role mapping file to security to grant required access based on roles
assigned

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Business Roles Enable Role Based Learning Paths

Each user is mapped to an business role (s) that prescribes a learning path

Course 3
• Role name
• Role Description Course 2
• Tasks Course 1
• Subprocess
• Process Steps

 During role mapping, end users are identified and assigned to a learning path
 Learning paths include both web-based and instructor-led courses
 End users complete the learning paths in sequence and must pass
certification at the completion of each instructor-led course

5 5 06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Training Schedules and End User Access Ids are Enabled by the
Role Mapping and Scheduling Tool (RMS)

Business
Businessroles
roles Role
Rolelearning
learningpaths
paths End
Endusers
usersby
byname
name

Role RMS
Role Mapping
Mapping and
and
Scheduling
Scheduling Tool
Tool

Role
Rolespecific
specifictraining
trainingschedules Link
schedules Linkto
tosecurity
securityfor
foruser
useraccess
accessids
ids

6 06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Roles and Responsibilities

 Understand the roles assigned  Assist role mappers in  Understand the transactions
to the end users that they are answering questions assigned to the roles that
responsible for mapping regarding access required for they own
 Review the roles with the first end users’ jobs  Ensure that the end users
line managers if unsure about  Agree with the role mappers assigned to the roles should
the tasks the end users assignments of their direct have access to that role
performs in their individual reports  Formally approve in the RMS
jobs
 Formally validate their direct tool the assignment of the
 Make any required additions reports in the RMS tool end users roles
or deletions to the
assignments based on the end
users’ tasks required to
perform their jobs
 Ensure the first line managers
validate the role assignments.

06/06/19 © 2013 IBM Corporation

7
RMS Role Mapping Training

Role Mapping Will Be Enabled by a Web-Based Tool Called RMS

(Role Mapping and Schedule)

 Allows for mapping of end users to roles, assigns required training, and schedules
course offerings all in one tool
 Reduces the need to manage multiple spreadsheets and the potential for errors
 Supports compliance through RMS reports documenting all internal end users as
well as their responsible role mapper and all approvals
 Allows syncing end user data with LDAP data to maintain current end user
information and minimize changes
 Creates the ability for role mappers will tomake any changes during the change control
period

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Accessing RMS
 Log into RMS using your user id and password and select your deployment
- http://dltds07.atlanta.ibm.com:9080/IBMRMS/login.jsp

 Select “Role Mapping” from the left navigation pane

 Select “Manage End Users” from the left navigation pane

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Role Mappers Verify Their Assigned End Users

 Access the end users you are assigned to map by selecting the “Search and Map
Role” option
 Search on “Assigned Role Mapper” in the search drop down menu and enter your
internet email address
 You can use additional search criteria to narrow your search in the second set of
search options
 Check the “Show ‘Custom 1’ field” box and then click “Search”

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Role Mappers Identify End Users to Map in RMS

 A list of all the end users assigned to you will be populated

 Review your list and verify the right people are assigned to you
 Work with other Role Mappers in your area to ensure all end users are included
 If there are questions, contact your Role Mapping Lead

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Role Mappers Assign Roles Using RMS

 Select the role you would like to map end user(s) in the “Role to Map” dropdown menu
- End users can be mapped to multiple roles required for them to perform their jobs
 Check the box to the left of the name of each end user you would like to map to the
designated role and click the “Map” button

06/06/19 © 2013 IBM Corporation

 RMS Role Mapping Training

Role Mappers Assign Roles Using RMS

 The newly assigned role will now appear next to the end user’s name
 Continue adding new roles as needed
- As more roles are mapped to an end user, additional lines in the table will be created
showing all the end user’s roles

13 06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

OCM Role Mapping Team Tracks Role Mapping Progress

 Brief weekly touchpoints for each role mapping process team scheduled by OCM
– OCM will generate status summary reports by Role Mapper to review progress
– Process Leads and Process Owners will be invited to help resolve any issues and
expedite mapping
– Provides dedicated time for Role Mappers to ask questions about the roles, RMS tool,
and end users

 OCM Team is available to provide additional support during the mapping process as needed

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

OCM Team Sends Managers Validation Request / Managers

Validate Role Mapping
 An e-mail request will be sent to managers with a link to RMS
- Managers log in to RMS and all of their directs are listed with roles
- If managers agree with the role mapping, they will click button “select all” and “validate”
- Managers can also edit roles if they do not agree with the role mapping
 The Role Mapping Lead can see an full audit trail of changes made to mapping and by whom

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Add an End User

 Go to “Role Mapping”  ”Manage End Users”  “Add a Person”
 End users can be added by Manager’s e-mail address or the end user’s e-mail address

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Change a Person’s Role

 Go to “Role Mapping””Manage End Users”  “Search and Unmap Role”
 Search on Name, Manager’s e-mail address, dept, business unit, country, or assigned Role
Mapper
 This would be used if a person changed jobs or an error was made mapping an end user to
the right role

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Reports - Manager Report

 Go to “Role Mapping” ”Role Reports” ”Manager Report”
 The purpose of this report is to show the roles mapped within a manager’s department

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Reports - End User List

 Go to “Role Mapping”  “Role Reports”  “End User List”
 End users can be searched as either individuals or groups
 Check output columns as required

06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Change Control Process

 Changes to roles
 Any identified changes to roles will be communicated to Role Mappers by
the OCM Team
 Changes to people (can be identified by Role Mappers, Leadership, or OCM)
 People leave the company
 People join the company
 People change jobs
 Request deletion of end users by contacting the Role Mapping Lead

 Role Mappers can add new end users directly in RMS

 Once Manager validation begins, Role Mappers will no longer have access to the system
to make changes and must contact the Role Mapping Lead

06/06/19 © 2013 IBM Corporation

 RMS Role Mapping Training

Final Role Mapping Tips

 End users can have multiple roles

 Reach out to Process Leads and Team Member for guidance and speak to
managers if more information about an end user is needed
 Not all people loaded into RMS may need role
 When analyzing end users and meeting with managers, request to delete any
employees who do not need any business roles
 Not all people may be loaded into RMS
 When analyzing end users and meeting with managers, add any employees
that need a business role that may not be in the initial load of RMS end users
 Any questions, call or e-mail the OCM Team

21 06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

OCM
Next Steps Role Mapping Team
End User Managers
September October November December January Feb March

Initial Role Mapping

Manager
Training
Manager
Validation

Last Date
Change Control Process stop
For Changes

Final RMS File

Sent to Security

GO LIVE

22 06/06/19 © 2013 IBM Corporation

RMS Role Mapping Training

Q&A

06/06/19 © 2013 IBM Corporation