GRC Access Control, HCM Position Assignment & HCM Triggers Workshop
BUSINESS BLUEPRINT WORKSHOP
Fahri Batur – Sr. GRC Security Consultant - MENA
01 October 2013

Purpose and Objectives

Purpose
- Provide a consistent baseline understanding of indirect SAP role assignments to the HCM org structure
- Understand the basic functional and technical dependencies of using HCM triggers to drive SAP account creation and SAP role assignment via the HCM org
- Understand the specific challenges present for Strata in achieving HCM-driven account provisioning

Objectives
- Establish whether the functional and technical dependencies can be met in the timeframes of the ERP project
- Make a clear project/business decision on whether HCM triggers and indirect assignment can be included in the scope of delivery, based on HCM stream readiness

Agenda
- Overview of HCM Triggers for GRC AC ARM
- Overview of User – Direct role assignment
- Overview of HCM Position Based – Indirect role assignment
- Overview of Hybrid model – Direct and Indirect assignments
- Strata specific requirements
- Dependencies

HCM Triggers for GRC AC ARM
In a business scenario where the SAP HCM system is used to maintain the master data for all employees, any change in the SAP HCM system potentially needs to be manually maintained in all the other systems. The HCM Triggers functionality of GRC AC allows automatic creation of requests in ARM corresponding to changes in the master data in the SAP HCM system; the user does not need to fill in the ARM request form. When an event is triggered in the SAP HCM system, such as hiring a new employee, rules are applied and a corresponding action to create a workflow request is initiated in ARM. The request can be processed by HCM through the ARM workflow and provisioned to the backend system directly or indirectly by HCM through ARM.

HCM Triggers for GRC AC ARM
HCM Triggers allow automatic creation of workflow requests in ARM when actions such as hiring a new employee, a position change or a change in an employee's personal data are recorded in the SAP HCM system. The four options for configuring HCM Triggers are:
- Actions: what to do when a rule is encountered
- Rules: when the action will be performed (automatic SAP HCM triggers)
- Field Mapping: map SAP HCM fields to ARM fields
- Process Log: record of ARM updates made through HCM Triggers

User – Direct role assignment
Users gain SAP access rights which are directly assigned to their SAP user master records. This means that as they move around or leave the organisation the role assignments have to be manually adjusted, or automated via a tool such as Access Control 10.0 – Access Request Management or an Identity Management solution.

HCM Position Based – Indirect role assignment
Users gain SAP access rights based on the position(s) that their personnel HCM record is attached to. This means that as they move around or leave the organisation the role assignments are adjusted automatically.

HCM Position Based – Indirect role assignment - Pros
- Reduces the administration time taken by the SAP authorisation team
- Standardises the access – everyone assigned to that position receives the same access
- When people move around the organisation their SAP Business Roles are removed for the old position and added for the new position
- When new people join the organisation they are automatically given the roles assigned to that position

HCM Position Based – Indirect role assignment - Cons
- The position based model is inflexible: everyone assigned to the position gets the same roles, so if one person needs to cover for or deputise for another you cannot grant them that access without moving them to a new position.
- Requires the HCM organisational assignment processes to be very robust and stable: adding new HCM organisation levels or positions, or changing current ones, will impact users' access.
- Users must have an HCM personnel record maintained with a link to the SAP User ID via an infotype 0105 record; the SAP User ID must be created before the assignment to the position occurs.
- Users' access is only triggered when there is a change in the HCM position.
- Integration with Access Control 10.0 – Access Request Management is less effective, as the requests are for the organisation object, not the user.
- Access Control risk analysis is conducted at the user level, but changes occur at the position level.
- Does not integrate well with a complex landscape.
- Additional training is required for the role owners to understand the impact of approving assignments to the position.

User – Direct role assignment - Pros
- This is the most widely used role assignment concept.
- This approach is very flexible: each user can be assigned the correct SAP Business Roles to carry out their tasks. Members of the same team can have different access to allow for deputation.
- Roles can be set to expire to force a periodic business access review (yearly or less).
- Integrates well with Access Control 10.0 Access Risk Analysis and Access Request Management; this is the concept they were designed to support.
- Access Control risk analysis is conducted at the user level, and changes occur at the user level.
- Users do not need to have an HCM user record.

User – Direct role assignment - Cons
- As people move around the organisation, the roles required for old tasks are not always removed, and the roles for new tasks are not always added.
- If new people join the organisation or move to a new position, they have to request the access they need, which sometimes means they don't get the right access for the job: sometimes too much, sometimes not enough.

Hybrid model – Direct and Indirect assignments
As the name suggests, you get the best and the worst of both worlds.

Hybrid model – Direct and Indirect assignments
Users gain SAP access rights which are indirectly assigned via the HCM organisation structure and directly assigned to their user records. This means that as they move around or leave the organisation some roles are added or removed automatically, while other roles have to be manually adjusted or automated via a second tool such as Access Control 10.0 – Access Request Management or an Identity Management solution.
- Allows a more flexible access control model than HCM indirect position assignment, and adds more control than direct assignment.
- Normal staff, consultants, contractors and third parties can each be handled in the way that best suits the business.

Hybrid model – Direct and Indirect assignments - Cons
- The hybrid model can only grant additional access: the HCM position holds the minimum roles required for the position, so all team members may need to request additional roles to complete day-to-day activities.
- Role owners need to understand that one request may be for the user and the next for the position, which may affect more than one person.
- Additional training is required for the owners to understand the impact of approving assignments to the position.
- HCM and the User Administration team need to work together.
- If new people join the organisation or move to a new position, they may have to request the additional access they need, which sometimes means they don't get the right access for the job.
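To make the difference between the three models concrete, here is an added example (not part of the workshop material) that resolves a user's effective roles from a constructed HCM personnel record, its infotype 0105 link and a position-to-role table; all user IDs, position names and role names are made up. The position move at the end shows which part of the access follows the org change and which part stays behind.

```python
# Added example (not from the workshop deck): an in-memory model of how
# effective SAP roles resolve under direct, HCM position-based (indirect)
# and hybrid assignment. All names and values below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Personnel:
    pernr: str
    position: Optional[str]
    sap_user: Optional[str] = None  # infotype 0105 link; None = no 0105 record


positions = {  # position -> roles every holder of that position receives
    "AP_CLERK": {"Z_AP_INVOICE_ENTRY"},
    "AP_SUPERVISOR": {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"},
}
direct = {  # SAP user master record -> directly assigned roles
    "JSMITH": {"Z_REPORTING_VIEW"},
}
personnel = {
    "00001001": Personnel("00001001", "AP_CLERK", "JSMITH"),
    "00001002": Personnel("00001002", "AP_CLERK", None),  # 0105 record missing
}


def indirect_roles(user: str) -> set:
    """Roles inherited through the HCM position of the record linked to user."""
    for p in personnel.values():
        if p.sap_user == user and p.position in positions:
            return set(positions[p.position])
    return set()  # no 0105 link or no valid position -> nothing is inherited


def effective_roles(user: str, model: str) -> set:
    """Resolve the user's roles under 'direct', 'indirect' or 'hybrid'."""
    if model == "direct":
        return set(direct.get(user, set()))
    if model == "indirect":
        return indirect_roles(user)
    if model == "hybrid":  # position minimum plus user-specific extras
        return indirect_roles(user) | set(direct.get(user, set()))
    raise ValueError(f"unknown assignment model: {model}")


def move_position(pernr: str, new_position: str) -> None:
    """HCM org change: only the indirect part of the access follows the move."""
    personnel[pernr].position = new_position
```

Note that the personnel record without a 0105 link yields no inherited roles at all, which is the dependency the Cons list above calls out: the SAP user must exist and be linked before the position assignment can take effect.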
Sometimes too much, sometimes not enough.

ALE of HCM org structure to 'receiving' systems
As SAP roles are 'local objects', the HCM org structure needs to be distributed via ALE to the other systems so that system-specific SAP role assignments can be made.

ALE of HCM org structure to 'receiving' systems
The GRC system legitimately has its own org structure, which would be corrupted by ALE of the HCM org structure into the GRC system; that means direct assignments would occur there.

Questions

Summary & Closing