You are on page 1of 23

SAP GRC Access Control- ARM

1 April 2018 TCS Confidential


Access Request Management
ARM is a workflow engine focused on the user access management processes. It allows
you to define an approval process for different types of user changes and automate the
provisioning of these changes based upon the decision of the defined approvers.

2
1 April 2018
Access request template

3
1 April 2018
Access request template Management
> Create and maintain customized template through tcode SCPR20
and also need to activate BC set GRAC_ACCESS_REQUEST_EUP

4
1 April 2018
Standard SAP roles for ARM configuration

5
1 April 2018
Access control configuration parameters

6
1 April 2018
Provisioning Settings

7
1 April 2018
MSMP workflow

• the new workflow engine used within GRC Access Controls 10.0 which is capable of
directing requests down multiple approval routes simultaneously.

• used for the management of automated approval workflows for the purposes of access
request

• works off a multitude of different rules to govern what should happen to the requests.

• All of these rules need to be defined up front before they can be assigned in to
the configuration and used in the workflow processes.

8
1 April 2018
Maintain MSMP WF

9
1 April 2018
1. Process Global Settings

10
1 April 2018
1. Process Global Settings

11
1 April 2018
2. Maintain Rules

12
1 April 2018
2. Maintain Rules: Rule kinds

13
1 April 2018
2. Maintain Rules: Rule types

14
1 April 2018
2. Maintain Rules: Results for initiator and Routing
Rues

15
1 April 2018
3. Maintain agents :

16
1 April 2018
4. Variables and Templates

17
1 April 2018
5. Maintain Paths

18
1 April 2018
6. Maintain Route Mapping

19
1 April 2018
7. Generate Versions

20
1 April 2018
General Steps to create ARM WF

Create Initiator Add the Initiator Create Agent Add Agent Rule
Rule using BRF+ Rule in MSMP Rule using BRF+ in MSMP
•SPRO - Access •MSMP Workflow •SPRO - Access •MSMP Workflow
Control - Workflow Configuration - Control - Workflow Configuration -
for Access Control - Maintain Initiator for Access Control - Maintain Agent Rule
Define Workflow- Rule - Add Initiator Define Workflow- - Add Agent Rule
Related MSMP Rule details - Add Related MSMP details - Add Rule
Rules. Rule Result. Rules Result.
•Create Initiator rule . •MSMP - Generate •Create Initiator rule. •MSMP - Generate
•BRF plus- Function - Versions – Save. Versions – Save.
•BRFplus - Function -
Top Expression - Top Expression -
Create Decision Create Decision
Table --Table Table -
Settings - Insert •Table Settings -
Condition Column -
•Insert Condition
Insert Row and enter
Column - Insert Row
Condition Values.
enter Condition
Values.

21
1 April 2018
General Steps to create ARM WF contd.

Maintain New Create New Path


Agent • Add Stages & Maintain Global Activate
Maintain Process Initiator • MSMP - Generate
• Maintain Agents-
as GRC API Rules Approvers for • MSMP - Global Versions - Save &
under MSMP - each stage. Rules - assign Simulate.
Maintain Agents. • MSMP - Generate Process Initiator • Activate.
• MSMP - Generate Versions – Save. as the new
Versions – Save. Initiator rule
created.

22
1 April 2018
Process ID Rule Kind Rule Types Agent Types
• SAP_GRAC_ACCESS_REQUEST • Initiator Rule • ABAP Program • Directly Mapped
• SAP_GRAC_ACCESS_REQUEST • Agent Rule • ABAP Class Based Users
_HR • Routing Rule Rule • PFCG Roles
• SAP_GRAC_CONTROL_ASGN • Notification • BRFplus rule • PFCG User Groups
• SAP_GRAC_CONTROL_MAINT Variables Rule • BRFplus Flat • GRC API
• SAP_GRAC_FIREFIGHT_LOG_R rule/BRF+ Easy (Application
EPORT Programming
Interface) Rules
• SAP_GRAC_FUNC_APPR
• SAP_GRAC_RISK_APPR
• SAP_GRAC_SOD_RISK_REVIEW
• SAP_GRAC_USER_ACCESS_RE
VIEW

23
1 April 2018