Transcript HCM Position Based – Indirect role assignment

GRC Access Control, HCM Position
Assignment & HCM Triggers
Workshop
BUSINESS BLUEPRINT WORKSHOP
Fahri Batur – Sr. GRC Security Consultant - MENA
01 October 2013
Purpose and Objectives
Purpose
Provide a consistent baseline understanding of indirect SAP role assignments to
HCM org structure
Understand the basic functional and technical dependencies of using HCM
triggers to drive SAP account creation and SAP role assignment via the HCM org
Understand the specific challenges present for Strata in achieving HCM driven
account provisioning

Objectives
Establish if the functional and technical dependencies can be met in the
timeframes of the ERP project
Make a clear project/business decision if HCM triggers and indirect assignment
can be included in the scope of delivery based on HCM stream readiness
Agenda
Overview of HCM Triggers for GRC AC ARM
Overview of User – Direct role assignment
Overview of HCM Position Based Indirect role assignment
Overview of Hybrid model – Direct and Indirect assignments
Strata specific requirements
Dependencies
HCM Triggers for GRC AC ARM
In a business scenario where SAP HCM system is being used to maintain the
master data for all employees, whenever any change occurs in the SAP HCM
system then it potentially needs to be manually maintained in all the other
systems.
The HCM Triggers functionality of GRC AC will allow creation of automatic
requests in ARM corresponding to changes in the master data in SAP HCM
system. User does not need to fill the ARM request form.
When an event is triggered in the SAP HCM system, such as hiring a new
employee, rules are applied and a corresponding action to create a workflow
request is initiated in ARM.
The request can be processed by HCM through ARM workflow and can be
provisioned to backend system directly or indirectly by HCM through ARM.
HCM Triggers for GRC AC ARM
HCM Triggers allow automatic creation of workflow requests in ARM when some actions like hiring
of a new employee, position change or change in personal data of an employee are held in SAP
HCM system. Here is some explanation on the four options that we have for configuring HCM
Triggers:
Actions
What to do when a rule is encountered
Rules
When will the action be performed
Automatic SAP HCM triggers
Field Mapping
Map SAP HCM fields to ARM fields
Process Log
Record of ARM updates through HCM Triggers
User – Direct role assignment
Users gain SAP Access
rights which are directly
assigned to their SAP
user master records.
This means that as they
move around or leave
the organisation the
role assignments have
to be manually adjusted
or automated via a tool
such as Access Control
10.0 – Access Request
Management or an
Identity Management
solution
HCM Position Based – Indirect role assignment
Users gain SAP
Access rights based
on the position(s) that
their personnel HCM
record is attached to,
this means that as
they move around or
leave the organisation
the role assignments
are adjusted
automatically
HCM Position Based – Indirect role assignment - Pros
Reduce the administration time taken by the SAP authorisation team
Standardises the access – everyone that is assigned to that position
will receive the same access
When people move around the organisation their SAP Business
Roles are removed for the old position and added for the new
position
When new people join the organisation they are automatically given
the roles assigned to that position
HCM Position Based – Indirect role assignment- Cons
Position based model is inflexible, everyone assigned to the position gets the same roles, if there is a need for one
person to cover / deputise for another then you cannot grant them access without moving them to a new position.
Requires the HCM Organisational assignment processes to be very robust and stable – adding new HCM
Organisation levels, positions, or changes to current HCM Organisation levels, positions will impact the users
access.
Users must have a HCM personnel records which must be maintained with a link to the SAP User ID Via infotype
0105 record, the SAP User ID must be created first before assignment to position occurs.
Users’ access is only triggered when there is a change in the HCM position.
Integration with Access Control 10.0 – Access Request Management is less effective, as the requests are for the
organisation object not the user.
Access Control Risk analysis will be conducted at the User level, but changes occur at the position level.
Does not integrate well with a complex landscape.
Additional training is required for the role owners to understand the impact of approving assignments to the position .
User – Direct role assignment - Pros
This is the most widely used role assignment concept.
This approach is very flexible, each user can be assigned the correct SAP
Business Roles to carry out their task.
Members of the same team could have different access to allow for
deputation.
Roles can be set to expire to force a periodic business access review (yearly
or less).
Integrates well with Access Control 10.0 Access Risk Analysis and Access
Request Management, this is the concept they were designed to support.
Access Control Risk analysis will be conducted at the User level, and
changes occur at the User level.
Users do not need to have a HCM user record.
User – direct role assignment- Cons
As people move around the organisation, the roles
required for old task are not always removed or added
If new people join the organisation or move to a new
position, they have to request the access they need,
which sometimes means they don’t always get the right
access for the job.. Sometimes too much sometime not
enough
Hybrid model – Direct and Indirect assignments
As this hybrid
suggest you get
the best and the
worst of both
worlds
Hybrid model – Direct and Indirect assignments
Users gain SAP Access rights which are indirectly assigned to the
HCM organisation structure and directly assigned to their user
records. This means that as they move around or leave the
organisation some roles will be added or removed automatically and
some roles have to be manually adjusted or automated via a second
tool like Access Control 10.0 – Access request Management or an
Identity Management solution.
Allows for a more flexible access control model than the HCM indirect
position, and adds more control than the direct assignment.
You can handle normal staff, consultants, contractors and 3rd party in
the way that best suits the business.
Hybrid model – Direct and Indirect assignments Cons
Hybrid model can only grant additional access, this means that the
HCM position holds the minimum roles required for the position so all
team members may need to request additional roles to complete day
to day activities
The Role Owners need to understand that one request may be for
the User and the next request is for the position and may affect more
than one person. Additional training is required for the owners to
understand the impact of approving assignments to the position.
HCM and the User Administration team need to work together.
If new people join the organisation or move to a new position, they
may have to request the additional access they need which
sometimes means they don’t always get the right access for the job..
Sometimes too much sometime not enough
ALE of HCM org structure to ‘receiving’ systems
As SAP roles are ‘local objects’ then the HCM org structure needs to
be ALE’d to the other systems so that system specific SAP role
assignments can be assigned
ALE of HCM org structure to ‘receiving’ systems
The GRC system legitimately has it’s own org structure that would be
corrupted by the ALE of the HCM org structure into the GRC system
meaning direct assignments would occur
Questions
Summary & Closing