Welcome to the Multi-Stage, Multi-Path Workflow Configuration lesson for SAP

BusinessObjects Access Control 10.0.

1
MSMP Workflow Configuration is the first lesson of the Workflow Configuration
unit.

2
After completing this lesson, you will be able to perform the actions listed
above.

3
4
Configure workflow in Access Control 10.0 with the following configuration
activities highlighted above:
„Activate Event Linkage for AC Workflows
„Maintain MSMP Workflows
„Activate MSMP Content for AC

5
Use
In this Customizing activity, you can activate the event linkage for each
workflow.
For each Access Control object type, the event START, which triggers the
event for Access Control Workflows, is maintained in the event linkage
table You can activate the standard workflow and the linkage between the
table.
triggering event and the standard workflow.

These activities are listed in the next two slides.

Activities
To activate event linkage:
„From the Event Type Linkages table, select a row and click the Change
button.
„In the Receiver Type column, select the event linkage for standard
workflow, and then click the Detail button.
„Select the Linkage Activated checkbox.
„Save your entry.
.

6
7
8
Use
In this Customizing activity, you can activate the delivered Business
Configuration (BC) Set for Access Control Multi-State Multi-Path (MSMP)
workflow configuration.
It is recommended that you activate the MSMP Configuration BC Set as part of
the initial setup
setup, and then adjust the configurations as needed
needed. The BC Set
contains configuration objects such as: Initiator Rules, Routing Rules, and
Agent Rules that you can use as a template for creating your own MSMP
configurations.

Activities
To activate the MSMP Configuration BC Set, do the following: In the BC Set
field, enter GRC_MSMP_CONFIGURATION, and then click the Activate
button.
To use the MSMP configuration content as delivered, activate the MSMP
workflows using the Customizing activity Generate MSMP Process Versions.

To use the BC Set as a template, do the following:

„Modify the MSMP workflows as required, in the Customizing activity:
Maintain MSMP Configuration
„Activate the MSMP workflows using the Customizing activity: Generate
MSMP Process Versions.

9
10
11
12
13
14
15
16
17
Navigation path: Transaction SPRO Æ SAP Reference IMG Æ Governance
Risk and Compliance Æ Access Control Æ Workflow for Access Control Æ
Maintain MSMP Workflows

In this Customizing activity, you maintain the Multi-Stage Multi-Path (MSMP)

process workflows for the Access Control application
application. When you start this
activity, a configuration screen displays seven activities in a recommended
order. You can directly execute a few of these activities; the others require that
you complete the pre-requisite activities before executing them.

The activities are:

„ Process Global Settings
„ Maintain Rules
„ Maintain Agents
„ Variables & Templates
„ Maintain Paths
„ Maintain Route Mapping
„ Generate Versions

18
To directly access a particular activity, select the desired Process ID in Process
Global Settings, then click the activity title.

19
These workflows are delivered in the Business Customizing (BC) Set for
Workflow

20
These options allow you to maintain the following global settings for a given
process:
„Enable Escalations on a Fixed Date – Optional.
„Set-up EOR (End-Of-Request) and Submission Templates and Recipients –
Optional.
„Set-up
Set up Escape Paths in case an approver is not found or if provisioning fails –
Optional.

21
Escalation - optional
„Choose Display/Change to enter change mode. Select a process to maintain.
„In the Escalation column, click the checkbox to enable escalation for the
selected process. If this is activated, you are required to enter the Escalation
date on which all work items for the selected process are escalated.

22
End of Request Templates - optional
„In the EOR Template ID section, maintain the template for the notification
message to be sent at the end of request processing (Configured in Step 4 -
Variables & Templates).
„In the EOR Recipient ID section, maintain the recipient of the end-of-request
notification message (Configured as an Agent)
Agent).
„In the Submission Temp. ID (Template), maintain the template for the
notification message to be sent at the submission of a request (Configured in
Step 4 - Variables & Templates).
„In the Submission Recpt. ID (recipient) section, maintain the recipient of the
submission notification message. (Configured as an Agent).

23
Escape Conditions - optional
„In the Escape Conditions section, maintain the Escape Routing, Escape
Path, and Escape Stage.
„ Set Escape Routing – Enables escape routing (optional).
„ Escape Path - Path to which request follows in case no Agents are found for
any stage,
stage or
or, failure during auto
auto-provisioning
provisioning (Configured in Step 5) –
Required if Set Escape Routing is enabled.
„ Escape Stage - Stage to the above path for which request follows
(Configured in Step 5) – Required if Set Escape Routing is enabled.
„Click Next.

24
A Rule can be defined using BRFplus (Business Rule Framework) or a
Function Module (FM).

Example: In BRFplus, you define the Rule and map the logical path to the rule.
Scenario: If Role < is equal to>’Z_AP_PAYABLE’ <route to> Path 1
Else If Role < is equal to> ‘Z
Z_AP_CLERK
AP CLERK’ <route to> Path 2
Note: Here Path 1 and Path 2 are the Logical Paths.
In this example, the AC 5.3 equivalent to this Rule is the Initiator Condition.

This step maintains allowable rules and rule set results for the selected
process.
Only the items chosen here will be available when configuring Maintaining
Paths and Route Mapping.
These allow you to:

„ Add Rules to the Selected Process – Rules determine Agents, Initiators,

Routing and Notification Values.
„ Compile a Result Set - The result set can be viewed by clicking the Results
button when available. When a rule has results, an additional section will
allow the modification of the results description.

25
To maintain rules: (all fields in each row are mandatory)
„ Click Add to add a new rule, Modify to change an existing selected rule, or
Delete to remove an existing selected rule.
„ In the Rule ID column, enter a unique name for the rule.
„ In the Rule Description column, enter a description for the purpose of the
rule.
rule
„ In the Rule Type column, select the rule type from the drop-down list:
„ BRFplus Rule – is a rule defined in the BRFplus application to fetch rule results,
depending on conditions inside the rule.
„ Function Module Based Rule – Function module is coded to output rule results.
„ ABAP Class Based Rule – Class method is coded to output rule results
„ BRFplus Flat Rule (Line-item by Line-item) – BRFplus rule which is defined for only one
line item (rule will be called once for each line-item
line item in the request).
request)

26
27
Rule Kind and Global Rules are highlighted above.
„ In the Rule Kind column, select the results that are to be obtained:
„ Initiator Rule – determines the path upon submission of the request
„ Routing Rule – determines a detour routing based upon an attribute of the request (for
example, SoD Violations Exist)
„ Agents Rule – determines the recipients of a stage
„ Notification
N ifi i V Variables
i bl RRule
l – determines
d i the
h variable
i bl values
l at runtime
i used
d iin the
h
notification e-mails.
„ Global Rules
„ Process Initiator – determines the global default Initiator rule for the process
„ Notification Rule – returns values for variables defined in Step 4 (Notification Variables)

28
29
Rule Kind and Global Rules are highlighted above.
„ In the Rule Kind column, select the results that are to be obtained:
„ Initiator Rule – determines the path upon submission of the request
„ Routing Rule – determines a detour routing based upon an attribute of the request (for
example, SoD Violations Exist)
„ Agents Rule – determines the recipients of a stage
„ Notification
N ifi i V Variables
i bl RRule
l – determines
d i the
h variable
i bl values
l at runtime
i used
d iin the
h
notification e-mails.
„ Global Rules
„ Process Initiator – determines the global default Initiator rule for the process
„ Notification Rule – returns values for variables defined in Step 4 (Notification Variables)

30
Initiator Routing Rules results are highlighted.

In the Rule Results section:

„ Rule Result Value - Initiator or Routing rules return rule results. The result
value are mapped to the name of the path to be used by workflow.
„ Trigger Value Descr – Description of the Rule Result Value
Value.

31
Maintain Agents:
This stage allows you to define dynamic approvers which can be assigned to
any workflow stage. Agents are Logical Recipients.

The various Agent Types supported are as follows:

„ Directly Mapped Users – User defined recipient listlist. Users are assigned to
an Approver Group ID, and the Approver Group ID is assigned to the Agent
ID.
„ PFCG Roles – Recipients are selected based on assignment to PFCG Role.
„ PFCG User Groups – Recipients are selected based on assignment to PFCG
user groups assigned to a user. These User Groups are assigned via SU01
on the Groups tab.
„ GRC API (Application Programming Interface) Rules – This will return
recipients via a rule that can be of one of the 4 rule types (BRF, Function
Module, ABAP Class and BRF Flat Rule). These can be customized or SAP
delivered, such as Manager, Role Owners, Risk Owners, etc., via an
associated FM (Function Module).

32
You can choose to Add New, Modify, or Delete an existing Agent.

Agent ID – Logical Approver ID.

Agent Name – Logical Approver Name/Description.

Agent Purpose – Purpose of Agent

„Notification
„Approval

33
34
Agent Type – There are 4 supported Agent Types. Depending on this selection,
an additional field will appear as defined in Point 6, described below:

„ Directly Mapped Users – Approvers selected from the Approver definition.

„ PFCG Roles – Approvers selected from PFCG roles assigned to users.
„ PFCG User Groups – Approvers selected from PFCG User Groups assigned
to users (SU01 Groups tab).
„ GRC API Rules – Approvers selected from the associated function module
(FM).

35
The following fields will be displayed depending upon the Agent Type:

„ For Directly Mapped User, Approver Group ID field will appear (The next slide
will discuss the maintenance of approvers).
„ For PFCG Roles, Role field will appear. The Agent is determined by the
assignment of a PFCG role to the user
user.
„ For PFCG User Groups, User Group field will appear. The Agent is
determined by PFCG User Group assignment.
„ For GRC API Rules, Agent Rule ID will appear. This Agent is determined by
the entered BRFplus rule or function module (FM). BRFplus is discussed in
a separate lesson.

36
Configuring Directly Mapped Users
If the Agent Type is set to Directly Mapped Users, the subsequent field
Approver Group ID will appear. This configuration is used for defining static
user groups which are used within workflow processes.
Example: You may want to define a custom group (a “security group”, for
instance) consisting of one or more SAP users
users. This group could then be
assigned to any approval stage for a workflow process.
To configure this group, click the F4 search icon at the end of the field. A pop-
up box will display currently configured Approver Group IDs. Each Approver
User ID entry is listed separately.
To add new approvers to an existing group, or to add a new Approver Group
ID:
„ Click Add. A pop-up screen will appear with fields to add New Approvers
„ Enter an existing Approver Group ID or Enter a New Approver Group ID.
„ Enter an Approver User ID.
„ Click Save.
To delete a particular user, select the correct Approver Group ID / Approver
User ID combination and click Delete.

37
GRC API Rules
If the Agent Type is set to GRC API Rules, the subsequent field requires the
Agent Rule ID. API rules consist of Function Module, BRF+, and Class based
rules.

Use F4 Search in the Agent Rule ID to open the list of Agent Rules available for
selection, as shown above. These rules must already exist in the system.

38
Notification Templates
Templates for each Notification Type are configured here, along with the
corresponding Message Class and Message Number for each template.
This is equivalent to the AC 5.3 Feature Notification Configuration Where E-
Mail Structures are Configured.

To add a new Notification Template (all fields are mandatory):

„ Click Add.
„ Enter Template ID.
„ Enter Message Class – Message stored in the message class.
„ Enter Message Number – Number assigned to the message.

39
Notification Variables: Variables used in the notification message. These
variables will be replaced by valid values in the runtime by the MSMP engine.
This is equivalent to the AC 5.3 Feature Email Arguments.

To add a new variable or change/delete an existing variable: (all fields are

mandatory)

„ Click Add, Modify, or Delete

„ Template Variable – Unique name for each variable used in the template
message
„ Variable Description – Description for the Variable used in the message

40
Maintain Paths
In this activity, you configure Actual Paths (Stages) for a Process.

This is equivalent to the AC 5.3 Features Stage Details and Additional

Configuration Sections.

Define a Path Name, Description, Workflow Type, and Assigning Stages (this
slide).
Define a Stage Name, Description, Workflow Type, and Stage Attributes (next 4
slides).

To Maintain a Path for a Process:

„ Click Add for a new path or select an existing path and click Modify or
Delete.
„ Enter Path ID.
„ Enter Path Description describing the path purpose.

41
Maintain Stages
Stage Definition: The stages which can be associated with a path.
Maintain Stage Task Settings: The application-specific Actions/Tasks for a
process are configured in this activity.
This is equivalent to the AC 5.3 Feature Stage Configuration – Stage Details
Section.
Section

42
Maintain Stages
Stage Definition: The stages which can be associated with a path.
Maintain Stage Task Settings: The application-specific Actions/Tasks for a
process are configured in this activity.
This is equivalent to the AC 5.3 Feature Stage Configuration – Stage Details
Section.
Section

43
Note: The details shown on the initial screen will take precedence over the
default stage settings.
The inset, which is shown when Modify Task Settings is clicked shows the
default settings of the Stage without regard to the Path and/or Stage Sequence
number.

44
To Maintain Stages for a Path:

„ Select the Path in the Maintain Paths section.

„ Click Add for a new stage or select an existing stage and clic
„ Modify or Delete.
„ Enter the Stage Sequence Number – 3 Numeric Characters
Characters.
„ Enter Stage Config ID (Configuration).
„ Enter Stage Description – This describes the Stage’s purpose.
„ If further details are not visible, click Show Details.
„ Agent ID – Logical Approver ID.

45
Maintain Stages (continued)
Approval Type – Choose from drop-down list: All Approvers or Any One
Approver.

Routing Enabled (Optional) – This determines an optional detour route. If

routing is enabled
enabled, these fields are mandatory.
mandatory

„ Rule ID – ID of the selected Detour Routing.

„ Routing Level – Choose from the drop-down list: Stage Level / Line Item
Level – These options indicate whether the routing should apply to the entire
stage or only to the line-items that meet the routing rule criteria.

46
Maintain Stages (continued)
Escalation Type – This item determines how an escalation should be handled,
for this stage. The drop-down list contains the supported choices:

„ Escalate to Specified Agent – This will require the following fields to be

maintained:
„Escalation Time Mins (Minutes) – Determines how long a request should be idle
before the escalation process begins.
„ Escalation Agent – Agent ID that determine Approvers for Escalation.
„ Use Defaults – This will use the default setting for escalation.
„ Skip to Next Stage – This will escalate the request to the next stage after a
specified time. Requires entry for the following field:
„ Escalation Time Mins (Minutes) – Determines how long a request should be
idle before the escalation process begins.
„ No Escalation – The request will not escalate with this setting.

47
Stage Definition – Stage Details
These settings will apply to the stage anytime this is used in a particular path.
IMPORTANT TO NOTE: The Stage Details section can be overridden by
settings on the Maintain Path screen shown on the previous slide. Settings
here will NOT appear in the Maintain Stages overview, but will be effective if no
entries are entered on the Maintain Path screen.
screen

Maintain Task Settings

These setting will apply to the stage anytime this is used in a particular path.
These settings will apply anytime the stage is used and cannot be overridden.
This is equivalent to the AC 5.3 Feature Stage Configuration – Additional
Configuration.

48
Maintain Task Settings (continued)

Runtime Config Change Ok (Configuration Change) – If there are any

configuration changes in the stage settings, selecting this action would allow it
be considered for an ‘already-in-process-path’

Add Assignment – this setting will allow the addition of roles in this stage. Note:
The Change Request Det. Setting must also be enabled with this.

Path Reval New Role (Revaluation) – Checks if path revaluation is to be

performed if a new role is added. The possible values are:

„ Only New Roles in Evaluation Path (Evaluate).

„ No Path Revaluation for New Role (Continue).
„ All Roles in Evaluation Path (Re-evaluate).
Request Rejected – Enables ability to reject the request.

49
Maintain Task Settings (continued)

Reroute – Allows the request to be re-routed manually by the Approver.

Confirm Approval – Enforces approval confirmation.

Confirm Rejection – Enforces rejection confirmation.

Reject by Email – Enable rejection via e-mails.

Approve by Email – Enable approval via e-mails.

Forward Allowed – Allows approvers to forward the request to another

approver.
Approve Despite Risk – Allows approval of the request despite any risks that
are found.
Display Revw Screen (Review) - Displays a review screen prior to final
approval or rejection of the request.

50
Maintain Task Settings (continued)

Reaffirm Approve – Requires user to enter system log-on credentials to validate

user prior to approval.

Reaffirm Rejection – Requires user to enter system log

log-on
on credentials to
validate user prior to rejection.

Change Request Det. – Enables the approver to change request parameters.

Risk Analy Mandtry – Enforces risk analysis to be performed before processing

request. The following parameters are allowed:
„ YES – Risk Analysis is Mandatory.
„ YAC – Risk Analysis is Mandatory when Access is Changed.
„ NO – Risk Analysis is not required.

51
Maintain Task Settings (continued)

Approval Level – Determines the level at which the request can be approved.
The following parameters are allowed:
„ Request
„ Role
„ System and Role
Rejection Level – Determines the level at which the request can be rejected.
The following parameters are allowed:
„ Request
„ Role
„ System and Role

52
Maintain Task Settings (continued)

Comments Mandatory – Enforces when request comments must be entered.

The following parameters are allowed:
„ Approval
„ Rejection
„ Both
E-Mail Group – per Solution Development, this is not supported at this time
(11/1/10)
EUP ID (End User Provisioning) – this setting controls the fields shown in this
stage when the request is viewed
Allow Manual Prov (Provisioning) – this is used on the LAST stage of a
workflow path and if enabled, shows a button Provision Manually.
Override Assign Type – this setting is used when both direct and indirect
provisioning is utilized. Enabling this setting will allow the approver to decide
whether a specific role should be assigned directly or indirectly.

53
Notification Settings
Stage specific notification settings are maintained, here.
This is equivalent to the AC 5.3 Feature Stage Configuration – Notification
Settings.
Notification Event – Event ID of the notification triggering event. The following
parameters are allowed:
„ Approved – Notification after approval.
„ Escalation – Notification after escalation.
„ New Work Item – Notification after new work item is ready for approval.
„ Rejected – Notification after rejection.
Template ID – Notification template to use for the message.

54
55
Notification Settings (continued)
„ Recipient ID – Other possible interested parties who should receive
notification. Allowed values for this field are Agents marked for Notification in
the Agent Purpose field in Maintain Agents (step 3). Remember, the
Recipient ID entered here will be an Agent ID previously created, and can
contain multiple actual recipients
recipients.
„ Disable Email – Disable sending notifications for the event
If more than one recipient group should receive the notification, repeat the
Notification Event with the desired Recipient IDs.

56
Clean-Up Stage Definitions
This functionality will list Un-Used Stage Definitions in a particular process.

57
Define Route Mapping
Mapping the Logical Path (Initiator or Routing Rule) to an Actual Path.
This is equivalent to the AC 5.3 Feature Associating Initiator to a Path.

Rule ID – Enter the ID of the router.

Rule Result Value – Enter the result value returned by the rule.

„All Rule Result Values that can be returned from the Rule ID MUST be
mapped to a path.

Path ID – Enter the path to be started, based on the result value, returned by
the rule.

58
Generating Versions
Generating workflow versions enables the ability to change the workflow
configuration while there are other active running paths. Excluding Agent,
Approvers and Process Global Settings, all of the other workflow configuration
settings can be versioned.
If the stage task setting Runtime Config Chng Ok is enabled,
enabled once the change
is activated in the system, the stage will take on the new settings; otherwise,
the settings will be used for any new requests after activation.
Save & Activate
Save – Saves changes to the database.
Save/Simulate – Save changes to the database and run a simulation to check
for errors.
Activate – Generate active versions.

A pop-up screen will appear to determine how the changes should be

transported:
„Use Existing Transport – Enter or search for an existing Request/Task.
„Create New Transport Request – Enter transport request short description.
„Do Not Transport Object – Sets changes as Local Only , but it does queue for
transport.

59
You should now be able to perform the actions listed above.

60
61