ACCESS REQUEST MANAGEMENT (ARM)
Traditional access provisioning relies on manual paper forms on which users request access to backend systems or business applications. Each form goes through a multi-step approval, typically a first-line and a second-line approver, and the managers involved are expected to research potential conflicts of interest between the roles the user already holds and the roles being requested. Rushed or poorly researched approvals can therefore lead to legal, regulatory, security and financial risk. Access Request Management (ARM) addresses this by automating the approval process through customised workflows: when a user submits an access request, ARM forwards it to the designated managers and approvers in a predefined workflow. The workflow is tailored to company policy, so a request cannot be provisioned without passing every required stage, and the roles and permissions granted are logged for later reference and audit. ARM therefore streamlines provisioning and at the same time provides the accountability and evidence needed for regulations such as Sarbanes-Oxley (SOX).

- Initiation by requester: users submit access requests through an access request page pre-configured by the Administrator.
- Workflow trigger: on submission, a workflow is triggered automatically based on the selections the requester made.
- Condition-linked selections: the requester's selections are matched against conditions pre-defined by the Administrator; the matching condition determines which workflow the request enters.
- Approval points: at each approval stage the designated approver receives the request, analyses it, runs a risk assessment, and approves, rejects or holds it based on the findings.
- Auto provisioning: while a request is open, the information entered in the request form is only held; nothing is created in the target system. Once every stage has approved, Auto Provisioning translates the request information into actual users or roles in the specified system.
- Logging and audit trail: the entire process, from initiation to approval, is logged. This log is the audit trail used for security monitoring, reviews and legal purposes.
Handling an initiated request
- Role selection: approvers can select a new or different role for the requester if the nature of the request calls for it.
- SoD risk analysis: during approval, a Segregation of Duties (SoD) analysis is run over the user's existing roles together with the requested roles, so that a conflict created by the combination is found before anything is provisioned.
- Date/time-stamped comments: mandatory date- and time-stamped comments give a transparent record of the approver's reasoning and any specific considerations at approval or rejection.
- Role removal for SoD compliance: where a conflict is identified, the offending role can be removed from the request so that the result complies with SoD requirements.
- Mitigation control application: alternatively, approvers can apply a mitigating control to the specific user or role. A mitigating control does not remove the conflict; it records that the risk is accepted and compensated by another control, so it should be applied deliberately, with an owner, and reviewed, not used as a routine way past the analysis.
- Closing requests: requests can be closed in several ways, depending on the scenario and outcome.
- Partial approval: approvers can reject some roles while approving others, so one conflicting line item does not hold up the rest of the request.
- E-mail notifications: throughout the request lifecycle, automated e-mail notifications inform the relevant parties when a request is generated, approved or rejected, keeping the approval process timely and transparent.
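The approver actions above, worked through in plain Python as an added example (this is not SAP code and not part of the original page): the SoD analysis is run over existing plus requested roles, the role that introduces a conflict is rejected (partial approval), a second conflict is accepted with a mitigating control, every decision gets a date/time-stamped comment, and only the approved line items reach provisioning. The role names, risk IDs, the two-rule SoD ruleset and the control ID are constructed for the illustration.

```python
"""Added example, not SAP code: SoD-aware approval of a multi-role access request.
Role names, risk IDs, the ruleset and control IDs are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed SoD ruleset: risk ID, the pair of roles that conflict, description.
SOD_RULESET = [
    ("P001", frozenset({"Z_AP_VENDOR_MAINT", "Z_AP_PAYMENT_RUN"}), "Maintain a vendor and pay it"),
    ("P002", frozenset({"Z_PO_CREATE", "Z_PO_APPROVE"}), "Create and approve purchase orders"),
]

@dataclass
class AccessRequest:
    request_id: str
    user: str
    existing_roles: set
    requested_roles: list                            # ordered line items of the request
    decisions: dict = field(default_factory=dict)    # role -> "APPROVED" | "REJECTED"
    mitigations: dict = field(default_factory=dict)  # risk ID -> mitigating control ID
    comments: list = field(default_factory=list)     # (UTC timestamp, approver, text)

def sod_analysis(existing, requested):
    """Simulate the post-provisioning role set and report every SoD risk in it.
    'introduced_by' lists the requested roles that create the risk; an empty list
    means the conflict already exists between the user's current roles."""
    after = set(existing) | set(requested)
    return [{"risk": risk_id, "roles": sorted(pair), "desc": desc,
             "introduced_by": sorted(pair & set(requested))}
            for risk_id, pair, desc in SOD_RULESET if pair <= after]

def _pending_roles(req):
    return [r for r in req.requested_roles if req.decisions.get(r) != "REJECTED"]

def _open_risks(req):
    """Risks the request would still introduce, given the line items not yet rejected."""
    return [h for h in sod_analysis(req.existing_roles, _pending_roles(req)) if h["introduced_by"]]

def _comment(req, approver, text):
    req.comments.append((datetime.now(timezone.utc).isoformat(timespec="seconds"), approver, text))

def reject_role(req, approver, role, reason):
    """Partial approval: drop one line item of the request and keep the rest open."""
    if role not in req.requested_roles:
        raise ValueError(f"{role} is not part of {req.request_id}")
    req.decisions[role] = "REJECTED"
    _comment(req, approver, f"Rejected {role}: {reason}")

def apply_mitigation(req, approver, risk_id, control_id):
    """Accept a risk the request would introduce by attaching a mitigating control.
    Refused when the risk is not open on this request, so a control cannot be
    recorded against a conflict that does not exist."""
    if risk_id not in {h["risk"] for h in _open_risks(req)}:
        raise ValueError(f"{risk_id} is not an open risk on {req.request_id}")
    req.mitigations[risk_id] = control_id
    _comment(req, approver, f"Mitigated {risk_id} with control {control_id}")

def approve_remaining(req, approver):
    """Approve every line item not yet decided, but only when no risk introduced by
    the request is left unmitigated. Conflicts that already exist between the user's
    current roles are reported by sod_analysis() but do not block this request."""
    unmitigated = [h["risk"] for h in _open_risks(req) if h["risk"] not in req.mitigations]
    if unmitigated:
        raise PermissionError(f"unmitigated SoD risks on {req.request_id}: {unmitigated}")
    for role in _pending_roles(req):
        req.decisions.setdefault(role, "APPROVED")
    _comment(req, approver, f"Approved {provisioning_plan(req)}; mitigations {req.mitigations}")

def provisioning_plan(req):
    """What Auto Provisioning would assign: approved line items only, in request order."""
    return [r for r in req.requested_roles if req.decisions.get(r) == "APPROVED"]

def demo():
    """Constructed walk-through: one conflict rejected, one mitigated, one clean role approved."""
    req = AccessRequest("AR-0001", "JDOE", {"Z_AP_VENDOR_MAINT", "Z_PO_CREATE"},
                        ["Z_AP_PAYMENT_RUN", "Z_PO_APPROVE", "Z_REPORT_VIEW"])
    # sod_analysis() reports P001 (introduced by Z_AP_PAYMENT_RUN) and P002 (by Z_PO_APPROVE).
    reject_role(req, "MGR1", "Z_PO_APPROVE", "user already creates purchase orders (P002)")
    apply_mitigation(req, "MGR1", "P001", "MC-AP-07")
    approve_remaining(req, "MGR1")
    return req
```

Two design choices worth noting: the analysis always includes the user's existing roles, because a single requested role is harmless on its own and only becomes a conflict in combination with what the user already has; and approval is refused while an introduced risk is neither rejected nor mitigated, which is the behaviour you want from the "risk assessment" step rather than a report the approver can ignore.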
Types of users in ARM
- Requester: any user able to request access, either for themselves or on behalf of someone else. Initiates access requests through the designated Access Request pages.
- Approver: an individual with the authority to approve or deny access requests. Analyses requests, conducts risk assessments and decides according to company policies and requirements.
- Administrator: the individual responsible for setting up and configuring the entire access management system. Designs and configures the Access Request pages, workflows and conditions, and manages the overall structure and functionality of the provisioning system. Because this role decides who approves what, it should be held by few people and its changes reviewed.
MSMP [Multi-Stage Multi-Path]
Introduction to MSMP: Multi-Stage Multi-Path (MSMP) is the workflow engine behind ARM's approval and provisioning scenarios. A request passes through several stages (the approval points) and can be routed along different paths depending on its attributes, which is what lets one configuration serve many user-specific requirements. MSMP integrates with BRF+, function modules and ABAP classes for the rules that act as triggers for specific workflows, so those rules can be defined, tested and maintained independently of the workflow itself.
MSMP Workflow Mechanics:
- Request initiation: when a requester starts an action such as a 'New Account' request, it triggers the corresponding initiator (for example the new account initiator).
- Workflow path and stages: the initiator is tied to a specific path that has been pre-configured with a fixed sequence of stages. Each stage names the required approvers and carries the settings that dictate how the request is handled there.
- Path dynamics: the request traverses the path, collecting an approval or rejection at each stage. Depending on the outcomes, the workflow may take a detour, switch to a completely new path (escape route), split into two distinct paths at the initiator (fork route), or branch into several paths at a particular stage (parallel paths).
(Note: fork routes and parallel paths are concepts more closely associated with version 5.3, but the same principles apply when building conditions to achieve the desired outcomes.)
Workflow Checklist for Efficient Management:
- Specific conditions for workflow triggering: decide which request attributes and selections should trigger which workflow.
- Association with a Process ID: tie each set of conditions to a unique Process ID so that workflows can be identified and managed.
- Levels of approval (stages): determine how many approval stages the workflow needs for a structured, complete approval.
- Authorized approvers: designate the approvers for each stage in line with the company hierarchy and policies.
- Contingency plans for denials: define what happens when a request is denied, including mitigation strategies or cancellation procedures.
- Approver responsiveness: define what happens when an approver does not respond within the time limit, with e-mail reminders and an escalation protocol that hands the item to someone else.
- Partial request approval handling: plan for the case where only part of a request is approved, for example a request covering several roles with different owners, through alternate approver assignments or mitigation measures.
- Auto provisioning decisions: determine whether approved requests are provisioned automatically; if not, define how approved requests are handled instead.
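The mechanics and checklist items above in runnable form, as an added example that is not SAP's MSMP engine and not code from the page: an initiator rule chooses a path from the requester's selections, the request walks the path's stages, a rejection either closes the request or takes an escape route to another path, a reminder job escalates a stage whose SLA has lapsed, and a path with no stages goes straight to provisioning. The engine also records the process-global (GRAC_AR_SUBMIT, GRAC_AR_CLOSE) and stage-level (New Work Item, Approved, Rejected, Escalation) notification events described further down. Path names, approver IDs, SLA hours and the initiator logic are constructed assumptions; only the two message-class names come from the text.

```python
"""Added example, not SAP's MSMP: a minimal multi-stage, multi-path approval engine.
Path names, approver IDs, SLA hours and the initiator logic are constructed; only the
message-class names GRAC_AR_SUBMIT and GRAC_AR_CLOSE are taken from the text."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Stage:
    name: str
    approvers: list          # receive the work item when the stage is entered
    escalate_to: list        # take it over once the stage SLA is breached
    sla_hours: int
    escape_path: str = None  # path to restart on after a rejection; None closes the request

@dataclass
class Request:
    request_id: str
    attributes: dict         # requester selections; the initiator rule reads these
    path: str = None
    stage_idx: int = 0
    stage_entered: datetime = None
    escalated: bool = False
    status: str = "OPEN"     # OPEN | APPROVED | REJECTED
    active_approvers: list = field(default_factory=list)
    notifications: list = field(default_factory=list)  # (message class, recipients)

def initiator_rule(attrs):
    """Stands in for a BRF+ initiator rule: requester selections -> path name."""
    if attrs["request_type"] == "DELETE_ACCOUNT":
        return "PATH_AUTO"        # no approval stage: provision immediately
    if attrs["request_type"] == "NEW_ACCOUNT" and attrs.get("employee_type") == "CONTRACT":
        return "PATH_CONTRACTOR"  # extra security review for contractors
    return "PATH_STANDARD"

MANAGER = Stage("MANAGER", ["MGR_A"], ["MGR_A_DEPUTY"], 48, escape_path="PATH_REWORK")
SECURITY = Stage("SECURITY", ["SEC_ADMIN"], ["CISO"], 24)
ROLE_OWNER = Stage("ROLE_OWNER", ["OWNER_FI"], ["SEC_ADMIN"], 72)
PATHS = {                         # path name -> ordered stages
    "PATH_STANDARD": [MANAGER, ROLE_OWNER],
    "PATH_CONTRACTOR": [MANAGER, SECURITY, ROLE_OWNER],
    "PATH_REWORK": [Stage("REWORK", ["SEC_ADMIN"], ["CISO"], 24)],
    "PATH_AUTO": [],
}

class MSMPEngine:
    def __init__(self, paths, clock=None):
        self.paths = paths
        self.clock = clock or (lambda: datetime.now(timezone.utc))  # injectable for SLA tests

    def _notify(self, req, message_class, recipients):
        req.notifications.append((message_class, list(recipients)))

    def submit(self, req):
        req.path = initiator_rule(req.attributes)
        self._notify(req, "GRAC_AR_SUBMIT", [req.attributes["requester"]])  # process-global
        self._enter_stage(req)

    def _enter_stage(self, req):
        if req.stage_idx >= len(self.paths[req.path]):  # walked off the end of the path
            return self._close(req, "APPROVED")
        stage = self.paths[req.path][req.stage_idx]
        req.stage_entered, req.escalated = self.clock(), False
        req.active_approvers = list(stage.approvers)
        self._notify(req, "NEW_WORK_ITEM", stage.approvers)

    def _close(self, req, status):
        req.status, req.active_approvers = status, []
        self._notify(req, "GRAC_AR_CLOSE", [req.attributes["requester"]])  # process-global

    def decide(self, req, approver, decision):
        """APPROVE moves to the next stage; REJECT takes the escape route or closes the request."""
        if req.status != "OPEN" or approver not in req.active_approvers:
            raise PermissionError(f"{approver} holds no open work item on {req.request_id}")
        stage, requester = self.paths[req.path][req.stage_idx], [req.attributes["requester"]]
        if decision == "APPROVE":
            self._notify(req, "APPROVED", requester)
            req.stage_idx += 1
            self._enter_stage(req)
        elif decision == "REJECT":
            self._notify(req, "REJECTED", requester)
            if stage.escape_path:
                req.path, req.stage_idx = stage.escape_path, 0
                self._enter_stage(req)
            else:
                self._close(req, "REJECTED")
        else:
            raise ValueError(f"unknown decision {decision}")

    def run_reminder_job(self, req):
        """What the e-mail reminder background job would do: escalate a stage past its SLA, once."""
        if req.status != "OPEN" or req.escalated:
            return False
        stage = self.paths[req.path][req.stage_idx]
        if self.clock() - req.stage_entered <= timedelta(hours=stage.sla_hours):
            return False
        req.active_approvers, req.escalated = list(stage.escalate_to), True
        self._notify(req, "ESCALATION", stage.escalate_to)
        return True

def demo():
    now = [datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)]  # fake clock: deterministic SLA check
    engine = MSMPEngine(PATHS, clock=lambda: now[0])
    req = Request("AR-1001", {"requester": "JDOE", "request_type": "NEW_ACCOUNT", "employee_type": "CONTRACT"})
    engine.submit(req)                  # initiator picks PATH_CONTRACTOR; MGR_A gets the work item
    engine.decide(req, "MGR_A", "APPROVE")
    now[0] += timedelta(hours=30)       # SECURITY stage SLA is 24h and SEC_ADMIN has not acted
    engine.run_reminder_job(req)        # work item escalated to CISO
    engine.decide(req, "CISO", "APPROVE")
    engine.decide(req, "OWNER_FI", "APPROVE")
    return req
```

The two checks that matter for security are that only the approvers currently holding the work item can decide (after an escalation the original approver can no longer act on it), and that a rejection with an escape route re-enters another path from its first stage rather than silently continuing.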
Notifications
Customized Notifications in MSMP
Automated notifications keep requesters, approvers and administrators informed throughout the request lifecycle. The following explains how the notification framework works and how to replace the delivered texts with your own.
Understanding the Notification Framework
- Pre-defined message classes: MSMP workflows come with built-in notifications triggered by events in the workflow process. Each event corresponds to a pre-defined message class, which links to a document object containing the delivered message body.
- Customization possibilities: the table GRFNVNOTIFYMSG (view it with SE16) holds the link between each message class and its delivered document object. The delivered message can be replaced with tailored text that uses notification variables referring to request attributes, user IDs and other request content.
Customization Procedure
- Create a custom document object: in SE61, enter a Document Name (e.g., Z_GRAC_AR_SUBMIT), choose Create and enter the details. This document object is the container for your custom notification text.
- Associate it with a message class: go to SPRO -> IMG -> Workflows -> Maintain Custom Notification Messages and link the new document object to the message class whose delivered text it replaces.
- Maintain the text/body of the custom document: under SPRO -> IMG -> Workflows -> Maintain Text for Custom Notification Messages, enter and refine the body of the document to fit your communication needs.
- Assign it to notification templates in the MSMP workflow: in the MSMP workflow configuration, assign the custom document to the notification templates of the stages and events where it should be used.
Workflow-Specific Considerations
- Process Global Settings: for processes such as SAP_GRAC_ACCESS_REQUEST and SAP_GRAC_ACCESS_REQUEST_HR, the message template classes for request submission (GRAC_AR_SUBMIT) and completion (GRAC_AR_CLOSE) apply to the whole process. Select these templates and their recipients in the "Process Global Settings" section at the start of the MSMP workflow setup.
- Notification templates at stage level: events such as New Work Item, Approved, Rejected, Forward and Escalation are configured per stage. In step 5, Maintain Paths, select the stage, define the recipients and click Notification Settings to tailor the template for each event.
Configurations
Implementing Access Request Management (ARM)
Setting up ARM covers user and role assignment, GRC system parameters, access request configuration, MSMP workflow configuration and notification customisation. Each step below names the transaction or IMG path used.
User and Role Management:
- User assignment: create users or assign the ARM roles to them with transaction SU01, allocating roles according to each user's responsibilities and access needs.
- Role customization: adjust the ARM roles with PFCG so that their permissions and responsibilities match organisational requirements.
Role Assignments:
- Administrator roles: assign SAP_GRAC_MSMP_WF_ADMIN_ALL and SAP_GRAC_MSMP_WF_CONFIG_ALL to the people who oversee and configure MSMP workflows. Whoever holds these roles can change which approvals a request needs, so keep them to a small, named group and include them in the same access reviews that ARM supports.
- Approver roles: assign SAP_GRAC_ACCESS_APPROVER, SAP_GRAC_CONTROL_APPROVER, SAP_GRAC_RISK_OWNER and SAP_GRAC_ROLE_MGMT_ROLE_OWNER to the individuals responsible for approvals in the respective areas of access management.
- User group inclusion: use SUGR to add users to the user groups referenced by agent-based stage configurations.
GRC System Configuration:
- Maintain system parameters: SPRO -> IMG -> GRC -> AC -> Maintain Configuration Settings holds the parameters for Risk Analysis, Workflow and Access Request Role Selection.
- BC Set activation: activate the GRC_MSMP_CONFIGURATION BC Set with SCPR20 to load the delivered MSMP workflow configuration.
- Integration scenario settings: maintain the connection settings for the 'PROV' scenario under SPRO -> IMG -> GRC -> Common Component Settings -> Integration Framework -> Maintain Integration Scenario.
- Service Level Agreements: define SLAs under SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Maintain Service Level Agreements so that open tasks have a time limit.
Access Request Configuration:
- Request type definition: define and maintain request types (e.g., New/Change/Delete Account) under SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Define Request Type.
- Priority configuration: create request priorities under SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Maintain Priority Configuration.
- Employee types definition: define employee types (Permanent, Contract, Part-time, etc.) under SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Define Employee Types.
- Number range intervals: maintain the number range intervals for provisioning requests, so that request identifiers do not collide, under SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Maintain Number Range Intervals for Provisioning Requests, or directly with SNRO.
- End user personalization: choose which attributes are visible on the request page under SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> End User Personalization.
- Provisioning settings: define and maintain provisioning settings under SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Maintain Provisioning Settings.
- User defaults configuration: specify user defaults by geographical location (date format, time zone, etc.) under SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> User Defaults.
- Review rejection reasons: define the reasons an approver can give for rejecting a request under SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Maintain Review Rejection Reasons.
Access Control Owners:
- AC owners setup: create and maintain Access Control Owners under NWBC -> Setup -> Access Owners -> Access Control Owners.
MSMP Workflow Configuration:
- Workflow customization: create and maintain MSMP workflows under SPRO -> IMG -> GRC -> Access Control -> Workflow for Access Control.
- Event linkage activation: activate the event linkage for AC workflows by maintaining the event 'START' under SPRO -> IMG -> GRC -> Access Control -> Workflow for Access Control -> Activate Event Linkage for AC Workflows.
- MSMP version management: manage and customise MSMP versions under SPRO -> IMG -> GRC -> Access Control -> Workflow for Access Control -> Maintain MSMP Versions.
- Rule definition: define MSMP rules and conditions under SPRO -> IMG -> GRC -> Access Control -> Workflow for Access Control -> Define Workflow-Related MSMP Rules and Define Business Rule Framework.
- Notification messages customization: create and maintain custom notification messages under SPRO -> IMG -> GRC -> Access Control -> Workflow for Access Control -> Maintain Custom Notification Messages.
- Text customization: maintain the text/body of notification messages under SPRO -> IMG -> GRC -> Access Control -> Workflow for Access Control -> Maintain Text for Custom Notification Messages.
- E-mail reminders configuration: schedule the background job for e-mail reminders under SPRO -> IMG -> GRC -> Access Control -> Workflow for Access Control -> Maintain Background Job for E-Mail Reminders, or directly with SM36.
Workflow Validation:
- Access request testing: create an access request and verify that the expected workflow is triggered for the selections and conditions you configured; test the rejection and non-responsive-approver cases from the checklist as well, not only the happy path.
- Log analysis: review the instance logs and provisioning logs under NWBC -> Access Management -> Access Request Administration to confirm which stages the request passed through and what was provisioned.