Understanding HR Triggers in Access Control 10.0
Purpose
The purpose of this document is to help the user understand the
details of the HR Trigger functionality provided by Access Control 10.0.
It also covers the configurations and settings that the user needs in
order to use this functionality as per the business requirements.
Overview
HR Triggers is used in Access Control 10.0 to automatically create an
access request whenever an info type is changed in the HR Plug-in
system. This helps the organization to set specific rules for a new user
automatically when the user is hired in the organization. Many other
functions are achieved using the HR Trigger process; they are explained
in detail in the following sections.
How is HR Trigger Initiated
An HR Trigger is initiated as soon as any info type changes in the HR
system. The change may be due to the creation of a new User ID for a new
hire, a change in an employee's position, a change in an employee's
validity, the termination of an employee, or any other info type change
for an existing employee. All of this happens in the Plug-in system used
for the HR processes. A few IMG settings are required to initiate the
HR Trigger process properly.
IMG setting required at the HR Plug-in system
Go to IMG->Governance, Risk and Compliance (Plug-In)->Access Control->Maintain Plug-In Configuration Settings.
Maintain the following parameters as shown below.
Param ID | Parameter Value | Short Description
1000 | ERDCLNT300 | Please maintain Plug-in Connector
1001 | GRDCLNT100 | Please maintain GRC connector
1003 | YES | Enable HR Trigger
A reference screenshot for this configuration setting is shown below:
How is this change transferred to the GRC System
As soon as any of the changes stated above occurs in the HR system, a
BADI is triggered in the plug-in system. The BADI builds an internal table
containing the info types that have been changed, along with their old
and new values. This table is then passed to the GRC system via a system
call to the GRC function module, which receives the change event and
takes over control. The call is made using a qRFC to make sure that
the data is not lost if the GRC system is down or not available at
that moment.
How GRC system handles this change
Control now passes from the HR Plug-in system to the GRC system, along
with the info type data that has changed. The GRC system uses the BRF+
Application for HR Triggers to find out which type of request has to be
created. This is done using the decision table in the BRF+ application,
each row of which returns an Action ID based on the info type that has
been changed. As an example, a change in info type 0105, Subtype 0001
(User ID) would indicate that a new user has been created, and hence
this row would return the Action ID Create. Based on this Action ID, the
request type is chosen and the request is created using this request type.
BRF+ Application to choose the request type
The BRF+ Application is required for the purpose of selecting the
Request Type that would be used to create the request. The BRF+
Application that is used for HR Triggers must be mapped under the
following IMG setting.
Go to IMG->Governance, Risk and Compliance->Access Control->Maintain AC Applications and BRFplus Function Mapping.
Add a new entry using the BRF Function ID used in the BRF+.
Appl ID | BRF Function ID | MSMP Process ID
HR Triggers | XXXXXXXXXXXXXXXX | SAP_GRAC_ACCESS_REQUEST
A reference screenshot showing this configuration is shown below:
You can create the BRF+ Application by following the steps mentioned under the following link:
GRC 10.0 - HR Trigger BRF+ configuration
Now, the Action ID that is returned by this BRF+ application is used
to fetch the information on the request type to be used for the newly
created request.
Setting up the Request Type
To set the Request Types based upon the Action_ID, set the IMG as shown below:
Go to IMG->Governance, Risk and Compliance->Access Control->User Provisioning->Maintain Settings for HR Trigger
The screen looks as shown in the screenshot below:
Select and double click on the Action ID for which you need to set the respective Request Type.
You can also set the systems for which the request is to be created,
along with the validity dates of the user on these systems. To do
this, select the Action ID and then click on the 'Maintain
Systems' link in the left panel. A reference screenshot for the screen
that would appear is shown below:
Overview
HR Trigger rules can be configured in GRC 10.0 either via BRF+ rules or via a complex Procedure Call via Function Module.
This document contains the step-by-step approach to build the BRF+
rules for configuring the HR Trigger rules to be used to enable the
automatic request creation into the GRC system, whenever there is an
activity carried out in the connected HR system.
1. On GRC 10.0 system open transaction SPRO and go to node
Governance, Risk and Compliance =>Access Control =>Maintain AC
Applications and BRFplus Function Mapping.
2. Copy the pre-delivered BRFplus rule, mentioned against Appl Id 'HR Triggers'.
3. On GRC 10.0 system open transaction brfplus or fdt_workbench. In
BRF+ menu choose Workbench =>Open Object and paste the ID copied in
step 2.
Creating BRF Rule with conditions
4. Go to ‘Assigned Rule sets’ tab and click on ‘Create Rule set’ button.
5. Enter the details as shown below and click on ‘Create and Navigate to Object’ button.
6. Save the Object. Press Yes, when the pop-up "Do you want to Save before exit" comes.
7. Enable the Ruleset by clicking on ‘Enable Ruleset’ button as shown below.
8. Assign the priority to the ruleset as shown below.
9. Enter the priority and click on ‘OK’ button.
10. Save the Object.
11. Create the Rule as shown below. Right click on the HR_Trigger application and go to Create ->Rule.
12. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.
13. Save the Rule.
14. Now Insert the Rule in the Ruleset.
15. Select the rule RULE_1.
16. Save the Ruleset.
17. Go to Rule_1 and create the Process Expression as shown below.
18. Select the Type as ‘Loop’.
19. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.
20. Click on Loop_1 as shown below.
21. Save the object Rule_1.
22. Select ‘Perform Action’ value in Result Type as shown below.
23. Select Loop Mode as ‘For Each Entry in…’ as shown below.
24. Select the table by clicking on ‘Select…’ as shown below.
25. Select the ‘HR_TRIGGER_TABLE’.
26. Save the loop ‘Loop_1’.
27. Now create one more rule as shown below.
28. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.
29. Save the rule ‘Rule_2’.
30. Now add the Rule_2 as shown below.
31. Click on ‘Search’ button.
32. Select the ‘RULE_2’ object.
33. Save the loop ‘Loop_1’.
Creating Decision Table for conditions
34. Create the Decision Table as shown below.
35. Enter the details as shown below and click on ‘Create And Navigate To Object’ button.
36. Click on ‘Insert Column -> From Context Data Objects’ as shown below.
37. Select the objects in the table and click on ‘Select’ button.
38. The selected objects are displayed in the table as shown below.
Now click on ‘Insert Column from Data Object’ button in the Result
Columns table as shown below.
39. Click on ‘Search’ button.
40. Select the object and click on ‘Select’ button.
41. The selected objects are displayed in the table. Now click on ‘OK’ button.
42. Now we can find the columns in the table.
43. Click on ‘Insert New Row’ button to add the contents to the decision table.
44. Enter the value for the Connector column as shown below.
45. Enter the connector value and click on ‘OK’ button.
46. In the same way add the values to the necessary columns as shown below.
47. Select the row and click on ‘Copy Row’ button.
48. Now click on ‘Insert Copied Row’ button as shown below.
49. Save the Decision table.
50. Activate the Decision table.
51. Click on ‘Activate’ button.
52. Add a Process Expression as shown below.
53. Select the Object ‘DECISION_TABLE’.
54. Now assign the value to the ‘Action ID’ Result data table as shown below.
55. Select ‘Insert’ as shown below.
56. Select the Context parameter as shown below.
57. Select ‘ACTION_ID’ object.
58. Save and activate the rule ‘Rule_2’.
59. Click on ‘Activate’ button as shown below.
60. Now activate the loop ‘Loop_1’.
61. Click on ‘Activate’ button as shown below.
62. Now activate the rule ‘Rule_1’.
63. Click on ‘Activate’ button as shown below.
64. Now activate the ruleset ‘Ruleset_1’.
65. Click on ‘Activate’ button as shown below.
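The evaluation that Loop_1, Rule_2 and the decision table perform on the incoming change table, as described under 'How GRC system handles this change', modelled in Python as an added example (not SAP or BRF+ code, and not part of the original document). Only the 0105/0001 -> Create row comes from the text; the other rows, the Terminate and Change Action IDs, the ERDCLNT400 connector, the entry field names and the first-match, empty-cell-matches-anything semantics are assumptions.

```python
from typing import Optional

ANY = None  # assumption: an empty decision-table cell matches any value

# Condition columns: (connector, infotype, subtype, field, new value) -> ACTION_ID.
# Only the 0105/0001 -> "Create" row is from the text; the rest are constructed.
DECISION_TABLE = [
    (("ERDCLNT300", "0105", "0001", ANY, ANY), "Create"),
    (("ERDCLNT300", "0000", ANY, "MASSN", "10"), "Terminate"),
    (("ERDCLNT300", "0001", ANY, "PLANS", ANY), "Change"),
]

# Constructed stand-in for HR_TRIGGER_TABLE: one entry per changed info type
# field, with old and new values. The key names are hypothetical.
SAMPLE_HR_TRIGGER_TABLE = [
    {"connector": "ERDCLNT300", "infotype": "0105", "subtype": "0001",
     "field": "USRID", "old": "", "new": "JDOE"},
    {"connector": "ERDCLNT300", "infotype": "0000", "subtype": "",
     "field": "MASSN", "old": "01", "new": "10"},
    {"connector": "ERDCLNT400", "infotype": "0000", "subtype": "",
     "field": "MASSN", "old": "01", "new": "10"},
]

def decide(entry: dict) -> Optional[str]:
    """Rule_2: return the ACTION_ID of the first matching row, or None."""
    key = (entry["connector"], entry["infotype"], entry["subtype"],
           entry["field"], entry["new"])
    for cond, action_id in DECISION_TABLE:
        if all(c is ANY or c == v for c, v in zip(cond, key)):
            return action_id
    return None

def evaluate(hr_trigger_table: list) -> list:
    """Loop_1: apply Rule_2 to each entry of the table."""
    return [decide(entry) for entry in hr_trigger_table]

def unmatched(hr_trigger_table: list) -> list:
    """Entries that yield no ACTION_ID, so no access request is created."""
    return [entry for entry in hr_trigger_table if decide(entry) is None]

if __name__ == "__main__":
    results = evaluate(SAMPLE_HR_TRIGGER_TABLE)
    for entry, action_id in zip(SAMPLE_HR_TRIGGER_TABLE, results):
        print(entry["connector"], entry["infotype"], "->", action_id)
```

The third sample event is a termination arriving from a connector that has no rows in the table, so it produces no request; entries like this are worth reviewing whenever another HR plug-in is connected.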
A. Decision table Conditions for New Hire, Termination and Position Change