Tuesday, 21 January 2014

HR Triggers in Access Control 10.0





Understanding HR Triggers in Access Control 10.0

Purpose

The purpose of this document is to help the user understand the HR Trigger functionality provided by Access Control 10.0. It also covers the configuration and settings that the user needs to maintain in order to use this functionality according to business requirements.

Overview

HR Triggers are used in Access Control 10.0 to automatically create an access request whenever an info type is changed in the HR Plug-in system. This helps the organization apply specific rules to a new user automatically when the user is hired. The HR Trigger process supports several other functions, which are explained in detail in the following sections.

How is HR Trigger Initiated

HR Trigger is initiated as soon as any info type changes in the HR system. The change may be due to the creation of a new User ID for a new hire, a change in an employee's position, a change in an employee's validity, the termination of an employee, or any other info type change for an existing employee. All of this happens in the plug-in system used for the HR processes. A few IMG settings are required for the HR Trigger process to be initiated properly.
IMG setting required at the HR Plug-in system
Go to IMG->Governance, Risk and Compliance (Plug-In)->Access Control->Maintain Plug-In Configuration Settings.
Maintain the following parameters as shown below.

Param ID | Parameter Value | Short Description
1000 | ERDCLNT300 | Please maintain Plug-in Connector
1001 | GRDCLNT100 | Please maintain GRC connector
1003 | YES | Enable HR Trigger

A reference screenshot for this configuration setting is shown below:
 

How is this change transferred to the GRC System

As soon as any of the changes stated above occurs in the HR system, a BAdI is triggered in the plug-in system, which builds an internal table containing the info types that have changed along with their old and new values. This table is then passed to the GRC system through a call to the GRC function module, which receives the change event and takes over control. The call is made using qRFC so that the data is not lost if the GRC system is down or unavailable at that moment.

How GRC system handles this change

Control now passes from the HR Plug-in system to the GRC system, along with the info type data that has changed. The GRC system uses the BRF+ Application for HR Triggers to determine which type of request has to be created. This is done with a decision table in the BRF+ application, each row of which returns an Action ID based on the info type that has been changed. For example, a change in info type 0105, Subtype 0001 (User ID) would indicate that a new user has been created, so this row would return the Action ID Create. The request type is chosen based on this Action ID, and the request is created using that request type.

BRF+ Application to choose the request type

The BRF+ Application is required to select the Request Type that is used to create the request. The BRF+ Application used for HR Triggers must be mapped under the following IMG setting.
Go to IMG->Governance, Risk and Compliance->Access Control->Maintain AC Applications and BRFplus Function Mapping.
Add a new entry using the BRF Function ID used in BRF+.

Appl ID | BRF Function ID | MSMP Process ID
HR Triggers | XXXXXXXXXXXXXXXX | SAP_GRAC_ACCESS_REQUEST

A reference screenshot showing this configuration is shown below:
 
You can create the BRF+ Application by following the steps mentioned under the following link: GRC 10.0 - HR Trigger BRF+ configuration
Now, the Action ID that is returned by this BRF+ application is used to fetch the information on the request type to be used for the newly created request.

Setting up the Request Type

To set the Request Types based on the Action_ID, maintain the IMG setting as shown below:
Go to IMG->Governance, Risk and Compliance->Access Control->User Provisioning->Maintain Settings for HR Trigger
The screen looks as shown in the screenshot below:

Select and double click on the Action ID for which you need to set the respective Request Type.
You can also set the systems for which the request is to be created, along with the validity dates of the user on these systems. To do this, select the Action ID and then click the 'Maintain Systems' link in the left panel. A reference screenshot for the screen that appears is shown below:
 


Overview

HR Trigger rules can be configured in GRC 10.0 either via BRF+ rules or via a complex procedure call through a function module.
This document gives a step-by-step approach to building the BRF+ rules for HR Triggers, which enable automatic request creation in the GRC system whenever an activity is carried out in the connected HR system.

Steps to configure the HR Triggers:

1. On GRC 10.0 system open transaction SPRO and go to node Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFplus Function Mapping.
2. Copy the pre-delivered BRFplus rule, mentioned against Appl Id 'HR Triggers'.
3. On GRC 10.0 system open transaction brfplus or fdt_workbench. In BRF+ menu choose Workbench =>Open Object and paste the ID copied in step 2.

Creating BRF Rule with conditions

4.   Go to ‘Assigned Rule sets’ tab and click on ‘Create Rule set’ button.

5.   Enter the details as shown below and click on ‘Create and Navigate to Object’ button.

6.   Save the Object. Press Yes when the pop-up "Do you want to Save before exit" appears.
7.   Enable the Ruleset by clicking on ‘Enable Ruleset’ button as shown below.

8.   Assign the priority to the ruleset as shown below.

9.   Enter the priority and click on ‘OK’ button.

10. Save the Object.

11. Create the Rule as shown below. Right click on the HR_Trigger application and go to Create ->Rule.

12. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.

13. Save the Rule.

14. Now Insert the Rule in the Ruleset.

15. Select the rule RULE_1.


16. Save the Ruleset.

17. Go to Rule_1 and create the Process Expression as shown below.


18. Select the Type as ‘Loop’.

19. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.


20. Click on Loop_1 as shown below.

21. Save the object Rule_1.


22. Select ‘Perform Action’ value in Result Type as shown below.

23. Select Loop Mode as ‘For Each Entry in…’ as shown below.



24. Select the table by clicking on ‘Select…’ as shown below.

25. Select the ‘HR_TRIGGER_TABLE’.

26. Save the loop ‘Loop_1’.

27. Now create one more rule as shown below.


28. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.

29. Save the rule ‘Rule_2’.


30. Now add the Rule_2 as shown below.


31. Click on ‘Search’ button.


32. Select the ‘RULE_2’ object.


33. Save the loop ‘Loop_1’.


Creating Decision Table for conditions

34. Create the Decision Table as shown below. 


35. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.



36. Click on ‘Insert Column -> From Context Data Objects’ as shown below.


37. Select the objects in the table and click on ‘Select’ button. 

38. The selected objects are displayed in the table as shown below. Now click on ‘Insert Column from Data Object’ button in the Result Columns table as shown below.


39. Click on ‘Search’ button.


40. Select the object and click on ‘Select’ button.


41. The selected objects are displayed in the table. Now click on ‘OK’ button.


42. Now we can find the columns in the table.

43. Click on ‘Insert New Row’ button to add the contents to the decision table.


44. Enter the value for the Connector column as shown below.


45. Enter the connector value and click on ‘OK’ button.



46. In the same way, add the values to the necessary columns as shown below.



 






47. Select the row and click on ‘Copy Row’ button.


48. Now click on ‘Insert Copied Row’ button as shown below.






49. Save the Decision table.


50. Activate the Decision table.


51. Click on ‘Activate’ button.

52. Add a Process Expression as shown below.


53. Select the Object ‘DECISION_TABLE’.




54. Now assign the value to the ‘Action ID’ Result data table as shown below.




55. Select ‘Insert’ as shown below.


56. Select the Context parameter as shown below.

57. Select ‘ACTION_ID’ object.




58. Save and activate the rule ‘Rule_2’.


59. Click on ‘Activate’ button as shown below.



60. Now activate the loop ‘Loop_1’.


61. Click on ‘Activate’ button as shown below.



62. Now activate the rule ‘Rule_1’.

63. Click on ‘Activate’ button as shown below.



64. Now activate the ruleset ‘Ruleset_1’.


65. Click on ‘Activate’ button as shown below.
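
The flow described above (the decision table that returns an Action ID for each changed info type, and the Loop_1, Rule_2 and DECISION_TABLE objects built in the steps), modelled in Python as an added example; it is not SAP or BRF+ code and not part of the original post. The field names, every row except the 0105/0001 one, the request type names and first-match evaluation are assumptions.

```python
# Added illustration (not SAP/BRF+ code): models Loop_1 -> Rule_2 -> DECISION_TABLE.
# Field names, rows other than 0105/0001 and request type names are assumptions.
from typing import NamedTuple, Optional

ANY = None  # an empty decision-table cell matches any value

class Change(NamedTuple):  # one entry of HR_TRIGGER_TABLE (field names assumed)
    connector: str
    infotype: str
    subtype: str
    field: str
    old: str
    new: str

# Condition columns in Change order -> Action ID; the first matching row wins.
DECISION_TABLE = [
    (("ERDCLNT300", "0105", "0001", ANY, "", ANY), "Create"),  # row from the page
    (("ERDCLNT300", "0000", ANY, "MASSN", ANY, "10"), "Terminate"),  # constructed
    (("ERDCLNT300", "0001", ANY, "PLANS", ANY, ANY), "PositionChange"),  # constructed
]
# Action ID -> request type (constructed values for the HR Trigger IMG setting)
REQUEST_TYPE = {"Create": "New Account", "Terminate": "Lock Account",
                "PositionChange": "Change Account"}

def action_id(change: Change) -> Optional[str]:
    """Rule_2: evaluate the decision table for one changed info type entry."""
    for cond, action in DECISION_TABLE:
        if all(c is ANY or c == v for c, v in zip(cond, change)):
            return action
    return None

def process(trigger_table):
    """Loop_1: for each entry pick a request type; collect entries no row covers."""
    requests, unmatched = [], []
    for change in trigger_table:
        act = action_id(change)
        if act is None:
            unmatched.append(change)  # no Action ID, so no request is created
        else:
            requests.append((act, REQUEST_TYPE[act]))
    return requests, unmatched

# Constructed sample of the changed-info-type table the plug-in passes to GRC.
SAMPLE = [
    Change("ERDCLNT300", "0105", "0001", "USRID", "", "JDOE"),   # new User ID
    Change("ERDCLNT300", "0000", "", "MASSN", "01", "10"),       # action type change
    Change("ERDCLNT300", "0002", "", "NACHN", "DOE", "SMITH"),   # no row covers this
]

if __name__ == "__main__":
    print(process(SAMPLE))
```

Entries returned as unmatched yield no Action ID and therefore no access request; reviewing them shows which HR changes the decision table does not cover.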



A. Decision table Conditions for New Hire, Termination and Position Change