A Business Role Management (BRM) role certificate is a new concept introduced in SAP Access Control 10.0 to certify roles after a specified period of time. You can use role certification to re-check roles. After a designated time period, the administrator uses the role certification process to trigger an email to the role approver to certify the roles again.
Role Certification Process in BRM
Here is the step-by-step process to certify roles. Create a role in BRM by following menu path NWBC > Access Management > Role Maintenance. Enter the required fields such as Application Type, Business Process, Subprocess, and Role Name. As shown in Figure 1, I have created a single role, Z_TRAINING_NEW_JOINEE_30_DAYS, in the system.
Create a single role
Specify the certify period. Click the Define Role button and then click the Properties tab. That takes you to Figure 2.
Enter the number of days after which you want to certify or revisit this role in the Certification Period in Days field (Figure 3). This is a text field. In this example, my business requirement is to certify this role again after 30 days.
The screen to enter role certification details
Click the Save button. The data is saved and the Next Certification: date is populated, as shown in Figure 4. The Derivation Allowed: field shows Yes. Role derivation is allowed for a single role, and this value is populated as Yes by default.
The screen to show the next certification
After saving the role, click the Owners/Approvers tab. Select or enter the value of the approver, which is the person’s name. Take the following steps to assign a role approver to the role Z_TRAINING_NEW_JOINEE_30_DAYS.
Click the Add button on the Owners/Approvers tab, which adds a new row, as shown in Figure 5.
Add a new row for the approver
Select the new row, then click F4 help. A pop-up appears (Figure 6). Enter the approver name and click the Start Search button. You are searching for and then assigning the approver (person) who is responsible for approving the role. After that click the OK button to add the approver.
Search the approver screen
After the approver is added to the role, check the Assignment Approver and Role Content Approver check boxes, as shown in Figure 7.
Check the Assignment Approver and Role Content Approver check boxes
Then click the Save button to assign the approver to the role. The approver is then assigned to the role, as shown in Figure 8.
Approver is assigned to the role
This user has also been assigned as the Role Content Approver, who is responsible for the content of the role.
Configuration Parameter for Role Certification
In this step you specify how many days before the next certification date the email notification should be sent. For example, if I set parameter 3020 (Role Certification reminder notification) in Figure 9 to 2, an email should be sent to the role content approver when two or fewer days remain before the next certification date. For the Next Certification date, refer to Figure 4.
Role certification reminder notification parameter screen
To change the parameter value enter transaction SPRO and click the SAP Reference IMG. Follow menu path Governance, Risk and Compliance > Access Control > Maintain Configuration Settings (Figure 10).
Default parameter for the reminder notification
Scroll down to Param ID 3020. This parameter is the default parameter for the role certification reminder notification. You can specify how many days in advance you want to send an email notification to the approver for the roles that are about to expire. The email specifies the role detail and asks the approver to certify the role. Change it to your designated number and click the save icon.
Scheduling the Job
The next step is for the administrator to schedule a role certification job. The job/program is GRAC_ERM_ROLE_CERTIFY_NOTIF. This is the standard job delivered by SAP. Follow these steps to schedule the job.
Go to the main screen shown in Figure 11. Enter transaction SM36 and press Enter.
The main screen
The Define Background Job screen (Figure 12) opens.
Add the job name
Enter the job name (e.g., Role_Certification_Job) as shown in Figure 12. This can be any name and it identifies the job. Now click the Step button to open the screen shown in Figure 13.
The Create Step screen for job scheduling
In the Name field, enter the program name GRAC_ERM_ROLE_CERTIFY_NOTIF, which is the standard program delivered by SAP (Figure 14).
Enter the job name
Click the Check button and then click the save icon shown in Figure 14 to go to Figure 15.
Step list overview for the job step
Click the back icon to go back to the Define Background Job screen. Click the Start condition button to go to Figure 16.
The Start condition screen for job scheduling
Click the Immediate button if you want to schedule the job immediately. You can choose a later date or time by clicking the Date/Time button. In this example I clicked the Immediate button (Figure 17). When you click the Immediate button, an Immediate start check box appears on the screen, as shown in Figure 17. This check box is checked automatically.
The Immediate start screen for the job
Click the Check button and then the save icon to save the start time for the job. Click the save icon in Figure 18 to schedule the job.
Define the background job screen
After you click the save icon, the job is released and you get information in the status bar as shown in Figure 19.
Save the background job
Follow these steps to check the status of the job. Go to the main screen. Enter transaction code SM37 and press the Enter key (on the keyboard), as shown in Figure 20.
The main screen
Click the Execute button in the next screen (Figure 21).
Check the scheduled job status
In the next screen, you find the job name with the status. As shown in Figure 22, the Status is Finished, which means the job is completed.
The Job Overview screen
Now an email reminder has been sent to the approver (Role Content Approver) of the role. The system does it automatically on execution of the job as shown in the above steps. Figure 23 shows the format of the email.
Email notification to the approver
This email gives the role name, due date, and URL of the role. This feature does not stop the role assignment to a user after the role certification date. It is just a reminder notification to the role owner to check the role and to take any further action if required.
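Because the reminder does not block anything, it helps to review certification status independently of the email. The script below is an added example, not part of the original article and not SAP code: it assumes a CSV export with hypothetical column names and constructed sample rows (only Z_TRAINING_NEW_JOINEE_30_DAYS comes from the article), and it assumes the reminder window means "parameter 3020 days or fewer before the Next Certification date".

```python
import csv
import io
from datetime import date

REMINDER_DAYS = 2  # value of parameter 3020 used in the article

# Constructed sample export; column names and approver IDs are hypothetical,
# not an SAP format.
SAMPLE_EXPORT = """role,next_certification,content_approver
Z_TRAINING_NEW_JOINEE_30_DAYS,2024-07-01,JSMITH
Z_SAMPLE_ROLE_OVERDUE,2024-06-10,JSMITH
Z_SAMPLE_ROLE_NO_PERIOD,,JSMITH
Z_SAMPLE_ROLE_NO_APPROVER,2024-06-30,
Z_SAMPLE_ROLE_NOT_DUE,2024-08-15,MDOE
"""

def classify(row, today, reminder_days=REMINDER_DAYS):
    """Return one certification status for an exported role row."""
    raw = (row.get("next_certification") or "").strip()
    if not raw:
        return "NO_CERTIFICATION_PERIOD"  # no date, so no reminder is ever due
    if not (row.get("content_approver") or "").strip():
        return "NO_CONTENT_APPROVER"      # a reminder would have no recipient
    days_left = (date.fromisoformat(raw) - today).days
    if days_left < 0:
        return "OVERDUE"                  # role stays assignable, so track it here
    if days_left <= reminder_days:
        return "REMINDER_WINDOW"          # assumed window: 0..reminder_days days left
    return "OK"

def audit(export_text, today, reminder_days=REMINDER_DAYS):
    """Map each role name in the export to its certification status."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {r["role"]: classify(r, today, reminder_days) for r in reader}

if __name__ == "__main__":
    # Fixed review date so the constructed sample gives a stable result.
    for role, status in audit(SAMPLE_EXPORT, date(2024, 6, 29)).items():
        print(f"{status:24} {role}")
```

Roles reported as NO_CERTIFICATION_PERIOD or NO_CONTENT_APPROVER are the ones the reminder job cannot cover, so they need a certification period on the Properties tab or an approver on the Owners/Approvers tab.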