In this article, we review the capabilities of ARM that go beyond the user provisioning process, which is the main objective of the Access Request Management tool.
User provisioning for Emergency Access
The ARM module can be connected to the EAM tool in order to execute the emergency provisioning process. This feature supports both Emergency Access and User Provisioning:
- Emergency Access via Firefighter ID. This option allows the use of Emergency Access with a different SAP© User ID.
- Emergency Access via Firefighter Role. This option allows the assignment of a Firefighter Role to a User.
Additional Request Types for User Provisioning
The standard implementation of ARM provides a set of default Request Types. However, SAP© also allows you to create new request types. This is important when you need different variants of the same provisioning process. For example, when using HR triggers, you may want to define different scenarios for changes to Infotype 0000 in order to detect promotions, department changes, sick leave or other activities that may affect the User Management Area.
If, based on the Organization's requirements, a new custom request type needs to be added, it is important to understand that a custom GRC Initiator must be created and the default one that appears within the Global Rules of the MSMP Configuration must be removed.
Connection with Active Directory
The ARM module can be connected to Active Directory in order to use it as a Data Source for User Information. This capability was described in a previous article, “Active Directory as User Data Source for SAP© GRC”.
HR triggers with HCM or Success Factors
This functionality is highly recommended if you have an HCM application or a Success Factors system. The purpose of this feature is to create an ARM request based on what is happening inside the HCM/Success Factors application. As an example, if a new employee is created in HCM or Success Factors, the ARM module can automatically raise a request for the creation of the SAP© User ID. This capability saves a lot of effort in the user provisioning process and makes the organization more efficient, since the ARM request no longer has to be created manually. In addition, HR triggers make the Leavers process much more robust. Removing the SAP© User ID of a Leaver can be performed automatically using HR Triggers: the HR department marks the employee as “Leaver” and the GRC system automatically removes the account from the Organization's SAP© systems. This feature helps to reduce the risk of SAP© Accounts remaining active inside the SAP© system for a person who has already left the Organization.
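A reconciliation check that verifies whether the automated Leavers process described above is actually working, as an added example (not code from SAP© or from the original article). The HR list and the user export are constructed sample data, the column names BNAME, UFLAG and GLTGB assume an export shaped like the SAP© user table USR02, and `leaver_exceptions` is a hypothetical helper.

```python
from datetime import date

# Constructed HR leaver list: personnel number, mapped SAP user ID, leaving date.
HR_LEAVERS = [
    {"pernr": "00001001", "user": "JSMITH", "left_on": date(2024, 3, 31)},
    {"pernr": "00001002", "user": "MLOPEZ", "left_on": date(2024, 4, 15)},
    {"pernr": "00001003", "user": "AKHAN", "left_on": date(2024, 5, 1)},
    {"pernr": "00001004", "user": "TNGUYEN", "left_on": date(2024, 6, 30)},
]

# Constructed user export. Assumed layout: BNAME = user ID, UFLAG = lock flag
# (0 means not locked), GLTGB = valid-to date as YYYYMMDD ("00000000" = none).
SAP_USERS = [
    {"BNAME": "JSMITH", "UFLAG": 0, "GLTGB": "00000000"},
    {"BNAME": "MLOPEZ", "UFLAG": 64, "GLTGB": "00000000"},
    {"BNAME": "AKHAN", "UFLAG": 0, "GLTGB": "20240501"},
    {"BNAME": "TNGUYEN", "UFLAG": 0, "GLTGB": "20241231"},
    {"BNAME": "BWHITE", "UFLAG": 0, "GLTGB": "00000000"},  # not a leaver
]


def parse_valid_to(raw):
    """Return the validity end date, or None when no end date is set."""
    if raw in ("", "00000000"):
        return None
    return date(int(raw[:4]), int(raw[4:6]), int(raw[6:8]))


def usable_on(account, day):
    """True if the account is unlocked and still within its validity period."""
    valid_to = parse_valid_to(account["GLTGB"])
    return account["UFLAG"] == 0 and (valid_to is None or valid_to >= day)


def leaver_exceptions(leavers, accounts, as_of):
    """List (user, days since leaving) for leavers whose account still works."""
    by_user = {a["BNAME"].upper(): a for a in accounts}
    findings = []
    for leaver in leavers:
        overdue = (as_of - leaver["left_on"]).days
        account = by_user.get(leaver["user"].upper())
        if overdue <= 0 or account is None:
            continue  # still employed on as_of, or account already deleted
        if usable_on(account, as_of):
            findings.append((leaver["user"], overdue))
    return sorted(findings, key=lambda f: f[1], reverse=True)


if __name__ == "__main__":
    for user, days in leaver_exceptions(HR_LEAVERS, SAP_USERS, date(2024, 7, 15)):
        print(f"{user}: account still usable {days} days after leaving")
```

Any row returned is an account that the HR trigger should have locked, expired or removed; an empty result on each run is the evidence that the automated Leavers process is effective.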
End User Logon Application
The ARM module provides an application that removes the requirement to have an SAP© User Account inside the GRC system in order to create an ARM request.
It is important to note that not all the options that are available inside the NWBC are included in the End User Logon Application. The main objective of the End User Logon is User Provisioning, so the Emergency Access, Access Risk Analysis and Role Provisioning options are not available inside the End User Logon Application.
Assignment of SAP© Licenses via ARM application
The ARM module can perform the assignment of the SAP© License to a SAP© User ID. This function is enabled by defining a new custom field as part of the Access Request template.
Once the Custom Field is available inside the ARM request, it is necessary to map this field to the License Field that exists inside the Plug-In system. This setting is maintained in the “Maintain Mapping for Actions and Connector Group” activity inside the SPRO transaction configuration.
Default Roles
The ARM module provides a feature where you can establish a specific group of roles that will be included in an ARM request as soon as the established criteria have been met.
In some organizations there is a specific group of roles that needs to be assigned to every SAP© User ID, so this feature is suitable for that type of scenario. However, this option is more flexible, and you can establish conditions for the following attributes in order to reduce the effort in the ARM request creation and also to standardize role selection based on predefined criteria:
The “Default Roles” option is set up inside the NWBC configuration.
Request Type Information
Among the default request types delivered by SAP© there is one that can be used in a more generic way. Most of the default request types are related to provisioning activities (e.g. Creation, Modification, Deletion, Lock, Unlock, …), but this type is a generic one that will not perform any action inside the Plug-In system.
This type of ARM Request can be used for other processes, such as confirmation of an authorization matrix, confirmation of the assignment of purchase release levels…
User Defaults
This feature is particularly useful for organizations that operate in different countries, where the decimal notation, date format, spool output device and logon language differ for each user.
The application allows you to define criteria that, when met, cause the system to automatically set the Decimal Notation, the Date Format and the other attributes described in the previous paragraph. This feature is configured through BRF Rules, and SAP© delivers a standard rule for it.
As an example, you can automate the provisioning of SAP© Accounts that operate in the USA, where the decimal notation differs from the European one. Furthermore, you can also establish the default output device for each SAP© User based on, for example, the User Group that the user is assigned to.