HR Trigger and connected Back End Systems???

former_member184114
Active Contributor
0 Kudos

Dear Folk,

I would like to understand how to create users in multiple systems (based upon business requirement) using HR Triggers at the same time with GRC Access Request.

I have configured HR Triggers and it seems to be working fine as far as request creation is concerned. Currently, I have maintained ONLY one back end system in GRC SPRO ("Maintain Settings for HR Trigger"). What I understand is that if we want any user to be created in any back end system, that system is to be maintained herein.

Example:

If we have 2 SAP systems, S1 and S2, and if we want the user id to be created in these 2 systems using HR Triggers, we need to maintain these 2 systems in "Maintain Settings for HR Trigger" in the GRC system. But the problem is that all the requests generated would have these 2 systems in the request, whereas a user needs to be created only in 1 system (S1).

I would like to understand/know how people have achieved this.

May you guide me in achieving this? Waiting for your kind responses.

Regards,

Faisal

Accepted Solutions (1)

Former Member
0 Kudos

Hi Faisal,

Multi system provisioning can be achieved using Role mapping for HR Triggers

You need to identify the cross functional roles assigned to HR positions and maintain the mapping accordingly in BRM.

For example: You have assigned Role XYZ to Position P1 in the HR system. When there is a new HIRE for Position P1, the access request is automatically created and the application reads the role XYZ assigned to position P1.

If XYZ is decided to be a cross functional role as per business need then import XYZ and do the role mapping in BRM.

In this case when the request is created, roles from multiple systems will be added to the request based on the mapping done in BRM.

This way you can achieve multi system provisioning without maintaining all the system entries in "Maintain settings for HR Triggers".

Hope this helps.

Regards,

Manju

former_member184114
Active Contributor
0 Kudos

Manjunath,

Thanks for your reply.

I know one way where in, if simply a role(s) is added in the request, this will be provisioned/de-provisioned accordingly in the system where it is coming from.

Example: If a role XYZ is coming from system ABC and if I simply add XYZ role in the request for role provisioning, then we have 2 possibilities:

  1. If User does not exist in ABC system: It creates the user and then assigns the role
  2. If user already exists in ABC system: It simply assigns this role to this user.

However, below "Maintain Provisioning Settings" are to be maintained in SPRO:

I have used this technique 'without' mapping the role(s) in BRM and it worked for me.

May you please let me know:

  1. If this is only the way to achieve this?
  2. Do we have any settings/configurations at HR System side or satellite system side to get User ID created with role assignment/deleted automatically as soon as a HR record is created/deleted?
  3. If I map roles in BRM, do I need to still maintain above settings in GRC System?
  4. Do I need to maintain above settings in GRC and also map the roles in BRM at the same time?
  5. What is the exact use of  'Maintain System' in SPRO->......'Maintain Settings for HR Trigger'

Please advise.

Regards,

Faisal

Former Member
0 Kudos

Hi Faisal,

There are 2 ways of provisioning using HR Triggers

  1. Direct Provisioning – Roles are not assigned to HR positions. When the access request is created the approver needs to manually add the role into the request
  2. Indirect Provisioning – Roles are assigned to HR positions and the access request is created from the roles assigned to HR positions

Looks like you are trying to achieve a combined approach as per your comments.

The provisioning settings have to be maintained whether you are using direct or indirect provisioning.

Please find the response for your queries

  1. If this is only the way to achieve this? – No. You can also assign roles from multiple systems to HR positions, which I have never tried. Refer to the thread https://scn.sap.com/thread/3634534 for details.
  2. Do we have any settings/configurations at HR System side or satellite system side to get User ID created with role assignment/deleted automatically as soon as a HR record is created/deleted? – Install HR Plug-ins. Maintain plug-in parameters 1000,1001 and 1003 in the HR system to trigger the infotype changes.
  3. If I map roles in BRM, do I need to still maintain above settings in GRC System? - YES
  4. Do I need to maintain above settings in GRC and also map the roles in BRM at the same time? - YES
  5. What is the exact use of 'Maintain System' in SPRO->......'Maintain Settings for HR Trigger' – Used to maintain the association between the actions that start an HR trigger and the HR systems

Hope this helps.

Regards,

Manju

former_member184114
Active Contributor
0 Kudos

Dear Manju,

Thanks for your reply. This discussion is getting lengthy and interesting too.

I have tried to squeeze my concerns to the best of my ability.


There are 2 ways of provisioning using HR Triggers

  1. Direct Provisioning – Roles are not assigned to HR positions. When the access request is created the approver needs to manually add the role into the request
  2. Indirect Provisioning – Roles are assigned to HR positions and the access request is created from the roles assigned to HR positions

In my current settings, I am using 'Direct' Role Provisioning Type and I have configured HR Triggers and it seems to be working fine.

Meaning that, when a request is created by HR trigger, this includes automatically (approver is not including the role manually):

  1. the role (I have designed a composite role and assigned to a Position in HR System)
  2. User details (pulled from AD mainly) and
  3. back system (for testing purpose, I have only included HR system, which is maintained in GRC System->SPRO->...Maintain Settings for HR Trigger') in the request.

When this request is successfully provisioned, this composite role is assigned to the user! Now I am a bit confused with the description of option#1 you have mentioned. May you please clarify on this? In fact I would request you to explain both of them with example because I need clarity on it. Sorry if I am asking for more


  2. Do we have any settings/configurations at HR System side or satellite system side to get User ID created with role assignment/deleted automatically as soon as a HR record is created/deleted? –

Install HR Plug-ins

Maintain plug-in parameters 1000,1001 and 1003 in the HR system to trigger the infotype changes

Yes, I have done this in HR System ONLY as of now and working fine. We have Plug-Ins in other systems also. Do we also need to maintain parameters there to be included in Access Request?


  3. If I map roles in BRM, do I need to still maintain above settings in GRC System? - YES
  4. Do I need to maintain above settings in GRC and also map the roles in BRM at the same time? - YES

May you please help me understand below highlighted columns in Role Mapping? Am I correct in saying that if Role PQR is available in SYS1 and if I maintain below entries for this role while role mapping:

Source System=SYS1

Target System=SYS2

once the role methodology is successfully completed, PQR role will be created in SYS2 system also?


  5. What is the exact use of 'Maintain System' in SPRO->......'Maintain Settings for HR Trigger' – Used to maintain the association between the actions that start an HR trigger and the HR systems

Does it mean that we need to ONLY maintain HR Systems here? If yes, what happens if I maintain other non-HR Systems?

What process you are following to include non-HR systems in access request (ex: HR and BW Systems)?

Please advise.

Regards,

Faisal

Former Member
0 Kudos

Hi Faisal,

Yes, this is getting interesting

Please find my response below

1. As per your comments you have assigned composite roles to HR positions and set the Role provisioning type to Direct in SPRO. This will provision the roles to user in the HR system as per design.

Normally in direct provisioning of HR triggers the roles will not be assigned to HR positions and will be added manually by the approvers in the workflow process.

In your case the roles are assigned to positions and hence the application is adding them automatically to the request but the provisioning of the roles is happening to the user as per the role provisioning type in SPRO.

If you maintain the role provisioning type to indirect and indirect provisioning type to position then the roles will be provisioned to positions in HR system

2. Plug-in configuration settings is only required in the HR system. It is not required for non-HR systems

3 & 4. For mapping in BRM, Source is HR system(S1) and target is non-HR system(S2). You need to map role XYZ from S2 to S1 for creating the user and provisioning the roles in S2(non-HR) also.

5. You can add only the HR system entry in maintain settings for HR Triggers. This is required for adding the system lineitem in the request. The request will not be created if you do not add the HR connector here. No need of adding non-HR connectors as the system lineitem for this will be added automatically in the request if you have done the role mapping correctly.

We have achieved multi-system provisioning using Role mapping concept.

As commented in my previous reply, you can achieve multi-system provisioning by mapping roles from different systems to HR positions. Sorry to say, I do not have much details on this approach.

Let me know if you have any further queries.

Regards,

Manju

former_member184114
Active Contributor
0 Kudos

Manjunath,

Thanks for taking some time and helping me understand the concept. I really appreciate your efforts

I will try these options and hopefully I will achieve as same as you have.

I will update this thread about its progress and will close this once completed successfully.

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Dear Manju,

I have tried to use the Role Mapping concept as explained by you. However, I could not get any success in it. Here is what I have done:

1. Mapped a Test Role available in GRC system (Source) with HR System (Target)

2. Create a HR record

3. It created a request and sent to GRC system.

Surprisingly, I could not see this role in the request! Though the role is mapped to HR system.

How does HR system know that the role (test role) coming from GRC System should be assigned to a particular position?

Please advise if I am missing any thing.

Regards,

Faisal

Former Member
0 Kudos

Hi Faisal,

Source will be HR connector and GRC is the target connector. Looks like the mapping is done the other way as per point #1. Can you do the mapping correctly and check if it is working

Also make sure the role status of GRC test role is set to PRD and Provisioning Allowed is set to YES.

Let us know.

Regards,

Manju
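The behaviour discussed in the replies above (systems listed in the HR trigger settings versus systems pulled in through BRM role mapping, the HR connector as mapping source, and the PRD / Provisioning Allowed conditions), as a simplified model. This is an added example, not SAP code and not part of the original thread; the connector names, role `Z_HR_BASIC`, role `Z_BI_REPORT`, the `DEV` status and the function names are constructed assumptions.

```python
from dataclasses import dataclass

HR, BI = "HR_SYS", "BI_SYS"  # hypothetical connector names (constructed)

@dataclass(frozen=True)
class Role:
    system: str
    name: str
    status: str = "PRD"               # role status maintained in BRM
    provisioning_allowed: bool = True

def build_request(position, position_roles, trigger_systems, mappings, catalog):
    """Model the line items of an HR-triggered access request.

    trigger_systems: connectors under 'Maintain Settings for HR Trigger'
    mappings: (source_system, source_role) -> [(target_system, target_role)]
    """
    items = {("SYSTEM", s, "") for s in trigger_systems}  # added to every request
    for name in position_roles.get(position, []):
        items.add(("ROLE", HR, name))
        # Lookup starts from the HR role, so a mapping keyed on the
        # other system (source/target reversed) is never found.
        for tgt_sys, tgt_role in mappings.get((HR, name), []):
            role = catalog.get((tgt_sys, tgt_role))
            if role and role.status == "PRD" and role.provisioning_allowed:
                items.add(("ROLE", tgt_sys, tgt_role))
                items.add(("SYSTEM", tgt_sys, ""))  # line item added automatically
    return sorted(items)

def systems_in(request):
    return [system for kind, system, _ in request if kind == "SYSTEM"]

# Constructed sample data: P1 needs HR only, P2 needs HR and BI.
POSITION_ROLES = {"P1": ["Z_HR_BASIC"], "P2": ["XYZ"]}
CATALOG = {(BI, "Z_BI_REPORT"): Role(BI, "Z_BI_REPORT")}
MAPPED = {(HR, "XYZ"): [(BI, "Z_BI_REPORT")]}
REVERSED = {(BI, "Z_BI_REPORT"): [(HR, "XYZ")]}  # source/target swapped
NOT_PRD = {(BI, "Z_BI_REPORT"): Role(BI, "Z_BI_REPORT", status="DEV")}

if __name__ == "__main__":
    for label, args in [
        ("both systems in trigger settings, P1", ("P1", POSITION_ROLES, [HR, BI], {}, CATALOG)),
        ("role mapping, P1", ("P1", POSITION_ROLES, [HR], MAPPED, CATALOG)),
        ("role mapping, P2", ("P2", POSITION_ROLES, [HR], MAPPED, CATALOG)),
        ("reversed mapping, P2", ("P2", POSITION_ROLES, [HR], REVERSED, CATALOG)),
        ("target role not PRD, P2", ("P2", POSITION_ROLES, [HR], MAPPED, NOT_PRD)),
    ]:
        print(f"{label}: systems={systems_in(build_request(*args))}")
```

In the model, listing both connectors in the trigger settings gives the HR-only position P1 a BI line item as well, while the mapping approach adds BI only for the position whose role is mapped.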

former_member184114
Active Contributor
0 Kudos

Dear Manju,

Thanks for your support.

Actually, I had mapped test role from GRC system to a 'Composite' Role in HR System and it seems does not go well. But I believe, role mapping is ONLY possible through Single Role.

Now I have tried with single role mapping and it worked. However, I have raised the request manually in GRC system and I believe it will go well with HR triggers also.

Have you also tried mapping single roles to a composite role?

Regards,

Faisal

former_member184114
Active Contributor
0 Kudos

Manju,

Now I have tried to map a test role to a composite role and it worked. While generating the role, it was giving me error for associated roles. Therefore I created the associated roles (two) in GRC system and tested. It worked.

Thanks again for all your inputs and support.

Regards,

Faisal

Former Member
0 Kudos

Hi Faisal,

Glad to hear that it is working

I too did a quick check by mapping single roles to composite roles and it is working as expected.

Regards,

Manju

Answers (1)

plaban_sahoo6
Contributor
0 Kudos

Hi,

I find your question contradicting to itself. "... and if we want the user id to be created in these 2 systems...." and "..Where as a user needs to be created only in 1 system (S1)."

Could you clarify your requirement?

regards

Plaban

former_member184114
Active Contributor
0 Kudos

Plaban,

Thanks for your reply.

I am sorry if my question is not clear. Let me explain....


When a HR record is created for a new employee in SAP HR system. How to achieve below requirement if:

  1. This user needs access in HR system ONLY
  2. This user needs access in HR and non-HR systems (Ex: BI)

Please let me know if my question is clear.

Regards,

Faisal

former_member193066
Active Contributor
0 Kudos

Hello Faisal,

If you want multiple systems for HR trigger, you have to maintain them in the HR trigger system, and in the system field for that particular action type add the system.

spro>>Access Control>> HR trigger setting>> Action>> maintain system.

Let us know in case you need any other information.

Regards,

Prasant

former_member184114
Active Contributor
0 Kudos

Dear Prasant,

Thanks for taking part in this discussion.

Technically I see this is possible. However, may you help me understand why we may need this if it can be achieved through "Role Mapping Concept" (as explained by Manjunath).?

I will really appreciate if you can share your view points on this.

Regards,

Faisal

former_member193066
Active Contributor
0 Kudos

Hello Faisal,

Yes, we can use Role Mapping as well.

I don't remember when I did it last time. I have to simulate now and provide you details, but yes, we can do it.

Regards,

Prasant