GRC
HR
SCM
CRM
BI
Expand +


Article

 

Role Certification in SAP Access Control 10.0

by Vinay Gupta, Senior Software Engineer, SAP Labs India Pvt. Ltd.

February 8, 2016

Learn about the different aspects and flexibility of role management in SAP Access Control 10.0. Business Role Management, commonly known as BRM, is used to create and manage different types of roles in SAP Access Control.

A Business Role Management (BRM) role certificate is a new concept introduced in SAP Access Control 10.0 to certify roles after a specified period of time. You can use role certification to re-check roles. After a designated time period, the administrator uses the role certification process to trigger an email to the role approver to certify the roles again.

Role Certification Process in BRM

Here is the step-by-step process to certify roles. Create a role in BRM by following menu path NWBC > Access Management > Role Maintenance. Enter the required fields such as Application Type, Business Process, Subprocess, and Role Name. As shown in Figure 1, I have created a single role, Z_TRAINING_NEW_JOINEE_30_DAYS, in the system.   


Figure 1
Create a single role

Specify the certify period. Click the Define Role button and then click the Properties tab. That takes you to Figure 2.  


Figure 2
Properties tab

Enter the number of days after which you want to certify or revisit this role in the Certification Period in Days field (Figure 3). This is a text field. For example, per my business requirement in this example, I want to certify this role again after 30 days.  


Figure 3
The screen to enter role certification details

Click the Save button. The data is saved and the Next Certification: date is populated, as shown in Figure 4. The Derivation Allowed: field has a Yes. Role derivation is allowed for a single role, and this value is populated as Yes by default.


Figure 4
The screen to show the next certification

After saving the role, click the Owners/Aprovers tab. Select or enter the value of the approver, which is the person’s name. Take the following steps to assign a role approver to the role Z_TRAINING_NEW_JOINEE_30_DAYS.

Click the Add button on the Owners/Approvers tab, which adds a new row, as shown in Figure 5.


Figure 5
Add a new row for the approver

Select the new row, then click F4 help. A pop-up appears (Figure 6). Enter the approver name and click the Start Search button. You are searching for and then assigning the approver (person) who is responsible for approving the role. After that click the OK button to add the approver.  


Figure 6
Search the approver screen

After the approver is added to the role, check the Assignment Approver and Role Content Approver check boxes, as shown in Figure 7.


Figure 7
Check the Assignment Approver and role Content Approver check boxes

Then click the Save button to assign the approver to the role. The approver is then assigned to the role, as shown in Figure 8.


Figure 8
Approver is assigned to the role

This user has also been assigned as the Role Content Approver, who is responsible for the content of the role.

Configuration Parameter for Role Certification

In this step you specify the number of days before which the email notification should be sent. For example, if I set the parameter 3020 in Figure 9 (Role Certification reminder notification) as 2, it means an email should be send to the role content approver before or fewer than two days before the next certification date. For the Next Certification date refer to Figure 4.


Figure 9
Role certification reminder notification parameter screen

To change the parameter value enter transaction SPRO and click the SAP Reference IMG. Follow menu path Governance, Risk and Compliance > Access Control > Maintain Configuration Settings (Figure 10).


Figure 10
Default parameter for the reminder notification

Scroll down to Param ID 3020. This parameter is the default parameter for the role certification reminder notification. You can specify the number of days before you want to send an email notification to the approver for the roles that are about to expire. The email specifies the role detail and asks the approver to certify the role. Change it to your designated number and click the save icon .

Scheduling the Job

The next step is for the administrator to schedule a role certification job. The job/program is GRAC_ERM_ROLE_CERTIFY_NOTIF. This is the standard job delivered by SAP. Follow these steps to schedule the job.

Go to main screen shown in Figure 11. Enter transaction SM36 and press Enter.


Figure 11
The main screen

The Define Background Job screen (Figure 12) opens.


Figure 12
Add the job name

Enter the job name (e.g., Role_Certification_Job) as shown in Figure 12. This can be any name and it identifies the job. Now click the Step button to open the screen shown in Figure 13.


Figure 13
The Create Step screen for job scheduling

In the Name field enter the job name GRAC_ERM_ROLE_CERTIFY_NOTIF, which is the standard program delivered by SAP (Figure 14).


Figure 14
Enter the job name

Click the Check button and then click the save icon shown in Figure 14 to go to Figure 15.


Figure 15
Step list overview for the job step

Click the back icon to go back to the Define Background Job screen. Click the Start condition button to go to Figure 16.


Figure 16
The Start condition screen for job scheduling

Click the Immediate button if you want to schedule the job immediately. You can choose a later date or time by clicking the Date/Time button. In this example I clicked the Immediate button (Figure 17). As you click the Immediate button, an Immediate start check box appears on the screen as shown in Figure 17. This check box is checked automatically.


Figure 17
The Immediate start screen for the job

Click the Check button and then the save icon to save the start time for job. Click the save icon in Figure 18 to schedule the job.


Figure 18
Define the background job screen

After you click the save icon, the job is released and you get information in the status bar as shown in Figure 19.


Figure 19
Save the background job

Follow these steps to check the status of the job. Go to main screen. Enter transaction code SM37 and press the Enter key (on the keyboard) as shown in Figure 20.


Figure 20
The main screen

Click the Execute button in the next screen (Figure 21).


Figure 21
Check the scheduled job status

In the next screen, you find the job name with the status. As shown in Figure 22, the Status is Finished, which means the job is completed.


Figure 22
The Job Overview screen

Email Notification

Now an email reminder has been sent to the approver (Role Content Approver) of the role. The system does it automatically on execution of the job as shown in the above steps. Figure 23 shows the format of the email.


Figure 23
Email notification to the approver

This email gives the role name, due date, and URL of the role. This feature does not stop the role assignment to a user after the role certify date. It is just a reminder notification to the role owner to check the role and to take any further action if required.

An email has been sent to:





 

Vinay Gupta

Vinay Gupta (vinay.gupta@sap.com) has a total of 10 years of experience in software development. He has worked with large IT companies, such as IBM and SAP Labs. Since 2008 he has been working at SAP Labs and involved in various phases of development and maintenance of SAP Access Control 5.3, 10.0, and 10.1. He has expertise in Business Role Management, Access Risk Analysis, Access Request, migration, and SAP authorization concepts.



More from SAPinsider



COMMENTS

Please log in to post a comment.

No comments have been submitted on this article. Be the first to comment!


SAPinsider
FAQ