on 06-14-2016 12:02 PM
Dear Folk,
I would like to understand how to create users in multiple systems (based upon business requirement) using HR Triggers at the same time with GRC Access Request.
I have configured HR Triggers and it seems to be working fine as far as request creation is concerned. Currently, I have maintained ONLY one back end system in GRC SPRO ("Maintain Settings for HR Trigger"). What I understand is that if we want any user to be created in any back end system, that system is to be maintained herein.
Example:
If we have 2 SAP systems, S1 and S2, and if we want the user id to be created in these 2 systems using HR Triggers, we need to maintain these 2 systems in "Maintain Settings for HR Trigger" in the GRC system. But the problem is that all the requests generated would have these 2 systems in the request, whereas a user needs to be created only in 1 system (S1).
I would like to understand/know how people have achieved this.
May you guide me in achieving this? Waiting for your kind responses.
Regards,
Faisal
Hi Faisal,
Multi-system provisioning can be achieved using Role mapping for HR Triggers.
You need to identify the cross functional roles assigned to HR positions and maintain the mapping accordingly in BRM.
For example: You have assigned Role XYZ to Position P1 in the HR system. When there is a new HIRE for Position P1, the access request is automatically created and the application reads the role XYZ assigned to position P1.
If XYZ is decided to be a cross functional role as per business need then import XYZ and do the role mapping in BRM.
In this case when the request is created, roles from multiple systems will be added to the request based on the mapping done in BRM.
This way you can achieve multi-system provisioning without maintaining all the system entries in "Maintain settings for HR Triggers".
Hope this helps.
Regards,
Manju
Manjunath,
Thanks for your reply.
I know one way wherein, if simply a role(s) is added in the request, this will be provisioned/de-provisioned accordingly in the system where it is coming from.
Example: If a role XYZ is coming from system ABC and if I simply add XYZ role in the request for role provisioning, then we have 2 possibilities:
However, below "Maintain Provisioning Settings" are to be maintained in SPRO:
I have used this technique 'without' mapping the role(s) in BRM and it worked for me.
May you please let me know:
Please advise.
Regards,
Faisal
Hi Faisal,
There are 2 ways of provisioning using HR Triggers
Looks like you are trying to achieve a combined approach as per your comments.
The provisioning settings have to be maintained whether you are using direct or indirect provisioning.
Please find the response for your queries
Install HR Plug-ins
Maintain plug-in parameters 1000,1001 and 1003 in the HR system to trigger the infotype changes
Hope this helps.
Regards,
Manju
Dear Manju,
Thanks for your reply. This discussion is getting lengthy and interesting too.
I have tried to squeeze my concerns to the best of my ability.
There are 2 ways of provisioning using HR Triggers
- Direct Provisioning – Roles are not assigned to HR positions. When the access request is created the approver needs to manually add the role into the request
- Indirect Provisioning – Roles are assigned to HR positions and the access request is created from the roles assigned to HR positions
In my current settings, I am using 'Direct' Role Provisioning Type and I have configured HR Triggers and it seems to be working fine.
Meaning that, when a request is created by HR trigger, this includes automatically (approver is not including the role manually):
When this request is successfully provisioned, this composite role is assigned to the user! Now I am a bit confused with the description of option#1 you have mentioned. May you please clarify on this? In fact I would request you to explain both of them with example because I need clarity on it. Sorry if I am asking for more
- Do we have any settings/configurations at HR System side or satellite system side to get User ID created with role assignment/deleted automatically as soon as a HR record is created/deleted? –
Install HR Plug-ins
Maintain plug-in parameters 1000,1001 and 1003 in the HR system to trigger the infotype changes
Yes, I have done this in HR System ONLY as of now and working fine. We have Plug-Ins in other systems also. Do we also need to maintain parameters there to be included in Access Request?
- If I map roles in BRM, do I need to still maintain above settings in GRC System? - YES
- Do I need to maintain above settings in GRC and also map the roles in BRM at the same time? - YES
May you please help me understand below highlighted columns in Role Mapping? Am I correct in saying that if Role PQR is available in SYS1 and if I maintain below entries for this role while role mapping:
Source System=SYS1
Target System=SYS2
once the role methodology is successfully completed, PQR role will be created in SYS2 system also?
- What is the exact use of 'Maintain System' in SPRO->......'Maintain Settings for HR Trigger' – Used to maintain the association between the actions that start an HR trigger and the HR systems
Does it mean that we need to ONLY maintain HR Systems here? If yes, what happens if I maintain other non-HR Systems?
What process you are following to include non-HR systems in access request (ex: HR and BW Systems)?
Please advise.
Regards,
Faisal
Hi Faisal,
Yes, this is getting interesting
Please find my response below
1. As per your comments you have assigned composite roles to HR positions and set the Role provisioning type to Direct in SPRO. This will provision the roles to user in the HR system as per design.
Normally in direct provisioning of HR triggers the roles will not be assigned to HR positions and will be added manually by the approvers in the workflow process.
In your case the roles are assigned to positions and hence the application is adding them automatically to the request but the provisioning of the roles is happening to the user as per the role provisioning type in SPRO.
If you maintain the role provisioning type to indirect and indirect provisioning type to position then the roles will be provisioned to positions in HR system
2. Plug-in configuration settings are only required in the HR system. They are not required for non-HR systems.
3 & 4. For mapping in BRM, Source is HR system (S1) and target is non-HR system (S2). You need to map role XYZ from S2 to S1 for creating the user and provisioning the roles in S2 (non-HR) also.
5. You can add only the HR system entry in maintain settings for HR Triggers. This is required for adding the system lineitem in the request. The request will not be created if you do not add the HR connector here. No need of adding non-HR connectors as the system lineitem for this will be added automatically in the request if you have done the role mapping correctly.
We have achieved multi-system provisioning using Role mapping concept.
As commented in my previous reply, you can achieve multi-system provisioning by mapping roles from different systems to HR positions. Sorry to say, I do not have much details on this approach.
Let me know if you have any further queries.
Regards,
Manju
Dear Manju,
I have tried to use the Role Mapping concept as explained by you. However, I could not get any success in it. Here is what I have done:
1. Mapped a Test Role available in GRC system (Source) with HR System (Target)
2. Created an HR record
3. It created a request and sent to GRC system.
Surprisingly, I could not see this role in the request! Though the role is mapped to HR system.
How does HR system know that the role (test role) coming from GRC System should be assigned to a particular position?
Please advise if I am missing anything.
Regards,
Faisal
Hi Faisal,
Source will be HR connector and GRC is the target connector. Looks like the mapping is done the other way as per point #1. Can you do the mapping correctly and check if it is working?
Also make sure the role status of GRC test role is set to PRD and Provisioning Allowed is set to YES.
Let us know.
Regards,
Manju
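The behaviour described in the replies above (role mapping with the HR system as source, plus the PRD status and Provisioning Allowed checks), as an added example that is not part of the original thread and is not SAP code: a simplified Python model of which systems end up in an HR-triggered request. The class and function names and the sample roles are hypothetical; S1, S2, XYZ and P1 follow the thread.

```python
# Simplified model of the behaviour described in this thread; not SAP code.
# RoleMapping, build_line_items and the sample data are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    name: str
    system: str
    status: str = "PRD"               # role status in BRM
    provisioning_allowed: bool = True

@dataclass(frozen=True)
class RoleMapping:                    # one BRM role-mapping entry
    source: Role                      # role assigned to the HR position
    target: Role                      # role to add in another system

def build_line_items(position, trigger_systems, position_roles, mappings):
    """Line items for a hire into `position`; role None = system line item."""
    items = {(s, None) for s in trigger_systems}   # from HR trigger settings
    for role in position_roles.get(position, []):
        items.add((role.system, role.name))
        for m in mappings:
            t = m.target
            # Only a mapping whose SOURCE is the position's role applies, and
            # the target must be productive and allowed for provisioning.
            if m.source == role and t.status == "PRD" and t.provisioning_allowed:
                items.update({(t.system, None), (t.system, t.name)})
    return sorted(items, key=lambda i: (i[0], i[1] or ""))

def systems(items):
    return sorted({s for s, _ in items})

# Constructed sample data: P1 needs access in S2 as well, P2 does not.
XYZ_S1, ABC_S1 = Role("XYZ", "S1"), Role("ABC", "S1")
XYZ_S2 = Role("XYZ_S2", "S2")
XYZ_S2_DEV = Role("XYZ_S2", "S2", status="DEV")
POSITION_ROLES = {"P1": [XYZ_S1], "P2": [ABC_S1]}

def demo():
    run = lambda pos, trig, maps: systems(
        build_line_items(pos, trig, POSITION_ROLES, maps))
    return {
        # Both systems in the trigger settings: every hire gets S2 too.
        "both_in_settings_P2": run("P2", ["S1", "S2"], []),
        # Only S1 in the settings, XYZ mapped S1 -> S2.
        "mapped_P1": run("P1", ["S1"], [RoleMapping(XYZ_S1, XYZ_S2)]),
        "mapped_P2": run("P2", ["S1"], [RoleMapping(XYZ_S1, XYZ_S2)]),
        # Mapping entered the wrong way round, or target role not PRD.
        "reversed_P1": run("P1", ["S1"], [RoleMapping(XYZ_S2, XYZ_S1)]),
        "not_prd_P1": run("P1", ["S1"], [RoleMapping(XYZ_S1, XYZ_S2_DEV)]),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} -> {result}")
```

In this model only the mapped position pulls S2 into the request, which keeps accounts out of systems a hire does not need; a reversed mapping or a non-PRD target silently drops the S2 line item, matching the symptom reported above.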
Dear Manju,
Thanks for your support.
Actually, I had mapped a test role from GRC system to a 'Composite' Role in HR System and it seems it does not go well. But I believe role mapping is ONLY possible through Single Role.
Now I have tried with single role mapping and it worked. However, I have raised the request manually in GRC system and I believe it will go well with HR triggers also.
Have you also tried mapping single roles to a composite role?
Regards,
Faisal
Hi,
I find your question contradicts itself: "... and if we want the user id to be created in these 2 systems...." and "..Where as a user needs to be created only in 1 system (S1)."
Could you clarify your requirement?
Regards,
Plaban
Plaban,
Thanks for your reply.
I am sorry if my question is not clear. Let me explain....
When a HR record is created for a new employee in SAP HR system. How to achieve below requirement if:
Please let me know if my question is clear.
Regards,
Faisal
Hello Faisal,
If you want multiple systems for the HR trigger, you have to maintain them in the HR trigger settings, and add the system in the system field for that particular action type:
SPRO >> Access Control >> HR trigger setting >> Action >> maintain system.
Let us know in case you need any other information.
Regards,
Prasant
Dear Prasant,
Thanks for taking part in this discussion.
Technically I see this is possible. However, may you help me understand why we may need this if it can be achieved through the "Role Mapping Concept" (as explained by Manjunath)?
I will really appreciate if you can share your view points on this.
Regards,
Faisal