Learn about the different aspects and flexibility of role management in SAP Access Control 10.0. Business Role Management, commonly known as BRM, is used to create and manage different types of roles in SAP Access Control.
Key Concept
Role certification is the process by which an administrator can notify role owners to recheck the roles for which they are responsible. Role owners can ensure that the roles are correct and if required the role owner can make further changes to the role. An administrator can trigger a job to send an email notification to the role owners. Notification is sent on the basis of configuration parameters and the next certify date in a role.
A Business Role Management (BRM) role certificate is a new concept introduced in SAP Access Control 10.0 to certify roles after a specified period of time. You can use role certification to re-check roles. After a designated time period, the administrator uses the role certification process to trigger an email to the role approver to certify the roles again.
Role Certification Process in BRM
Here is the step-by-step process to certify roles. Create a role in BRM by following menu path NWBC > Access Management > Role Maintenance. Enter the required fields such as Application Type, Business Process, Subprocess, and Role Name. As shown in Figure 1, I have created a single role, Z_TRAINING_NEW_JOINEE_30_DAYS, in the system.

Figure 1
Create a single role
Specify the certify period. Click the Define Role button and then click the Properties tab. That takes you to Figure 2.

Figure 2
Properties tab
Enter the number of days after which you want to certify or revisit this role in the Certification Period in Days field (Figure 3). This is a text field. For example, per my business requirement, I want to certify this role again after 30 days.

Figure 3
The screen to enter role certification details
Click the Save button. The data is saved and the Next Certification: date is populated, as shown in Figure 4. The Derivation Allowed: field shows Yes. Role derivation is allowed for a single role, and this value is populated as Yes by default.

Figure 4
The screen to show the next certification
After saving the role, click the Owners/Approvers tab. Select or enter the value of the approver, which is the person’s name. Take the following steps to assign a role approver to the role Z_TRAINING_NEW_JOINEE_30_DAYS.
Click the Add button on the Owners/Approvers tab, which adds a new row, as shown in Figure 5.

Figure 5
Add a new row for the approver
Select the new row, then click F4 help. A pop-up appears (Figure 6). Enter the approver name and click the Start Search button. You are searching for and then assigning the approver (person) who is responsible for approving the role. After that click the OK button to add the approver.

Figure 6
Search the approver screen
After the approver is added to the role, check the Assignment Approver and Role Content Approver check boxes, as shown in Figure 7. Then click the Save button to assign the approver to the role. The approver is then assigned to the role, as shown in Figure 8.

Figure 7
Check the Assignment Approver and role Content Approver check boxes

Figure 8
Approver is assigned to the role
This user has also been assigned as the Role Content Approver, who is responsible for the content of the role.
Configuration Parameter for Role Certification
In this step you specify how many days before the next certification date the email notification should be sent. For example, if I set parameter 3020 (Role Certification reminder notification) in Figure 9 to 2, an email is sent to the role content approver within two days before the next certification date. For the Next Certification date, refer to Figure 4.

Figure 9
Role certification reminder notification parameter screen
To change the parameter value enter transaction SPRO and click the SAP Reference IMG. Follow menu path Governance, Risk and Compliance > Access Control > Maintain Configuration Settings (Figure 10).

Scroll down to Param ID 3020. This parameter is the default parameter for the role certification reminder notification. You can specify the number of days before you want to send an email notification to the approver for the roles that are about to expire. The email specifies the role detail and asks the approver to certify the role. Change it to your designated number and click the save icon.
Scheduling the Job
The next step is for the administrator to schedule a role certification job. The job/program is GRAC_ERM_ROLE_CERTIFY_NOTIF. This is the standard job delivered by SAP. Follow these steps to schedule the job.
Go to the main screen shown in Figure 11. Enter transaction SM36 and press Enter.

Figure 11
The main screen
The Define Background Job screen (Figure 12) opens.

Figure 12
Add the job name
Enter the job name (e.g., Role_Certification_Job) as shown in Figure 12. This can be any name and it identifies the job. Now click the Step button to open the screen shown in Figure 13.

Figure 13
The Create Step screen for job scheduling
In the Name field enter the job name GRAC_ERM_ROLE_CERTIFY_NOTIF, which is the standard program delivered by SAP (Figure 14).

Figure 14
Enter the job name
Click the Check button and then click the save icon shown in Figure 14 to go to Figure 15.

Figure 15
Step list overview for the job step
Click the back icon to go back to the Define Background Job screen. Click the Start condition button to go to Figure 16.

Figure 16
The Start condition screen for job scheduling
Click the Immediate button if you want to schedule the job immediately. You can choose a later date or time by clicking the Date/Time button. In this example I clicked the Immediate button (Figure 17). As you click the Immediate button, an Immediate start check box appears on the screen as shown in Figure 17. This check box is checked automatically.

Figure 17
The Immediate start screen for the job
Click the Check button and then the save icon to save the start time for the job. Click the save icon in Figure 18 to schedule the job.

Figure 18
Define the background job screen
After you click the save icon, the job is released and you get information in the status bar as shown in Figure 19.

Figure 19
Save the background job
Follow these steps to check the status of the job. Go to the main screen. Enter transaction code SM37 and press the Enter key (on the keyboard) as shown in Figure 20.

Figure 20
The main screen
Click the Execute button in the next screen (Figure 21).

Figure 21
Check the scheduled job status
In the next screen, you find the job name with the status. As shown in Figure 22, the Status is Finished, which means the job is completed.

Figure 22
The Job Overview screen
Email Notification
Now an email reminder has been sent to the approver (Role Content Approver) of the role. The system does it automatically on execution of the job as shown in the above steps. Figure 23 shows the format of the email.

Figure 23
Email notification to the approver
This email gives the role name, due date, and URL of the role. This feature does not stop the role assignment to a user after the role certify date. It is just a reminder notification to the role owner to check the role and to take any further action if required.
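Because the reminder does not block assignments after the certify date, a periodic review of role certification data is a useful complement to the job. The Python script below is an added example, not part of the original article and not SAP code; it classifies roles by the fields this article sets (certification period, next certification date, Role Content Approver) and the parameter 3020 value. The CSV layout, column names, status labels, and all sample rows other than the role name Z_TRAINING_NEW_JOINEE_30_DAYS are constructed assumptions.

```python
import csv
import io
from datetime import date

REMINDER_DAYS = 2  # parameter 3020 value used in the article's example

# Constructed sample export. The column names are assumptions for this
# example, not an SAP download format.
SAMPLE_EXPORT = """role_name,certification_period_days,next_certification,role_content_approver
Z_TRAINING_NEW_JOINEE_30_DAYS,30,2024-03-31,APPROVER1
Z_SAMPLE_FINANCE_DISPLAY,90,2024-02-13,APPROVER2
Z_SAMPLE_HR_MAINTAIN,,,APPROVER1
Z_SAMPLE_BASIS_ADMIN,30,2024-04-19,
Z_SAMPLE_SALES_DISPLAY,60,2024-05-10,APPROVER2
"""

def classify(row, today, reminder_days=REMINDER_DAYS):
    """Return a review status for one role row."""
    period = row["certification_period_days"].strip()
    next_cert = row["next_certification"].strip()
    if not period or not next_cert:
        return "NO_CERT_PERIOD"   # role never comes up for certification
    if not row["role_content_approver"].strip():
        return "NO_APPROVER"      # nobody to receive the reminder email
    days_left = (date.fromisoformat(next_cert) - today).days
    if days_left < 0:
        return "OVERDUE"          # past the certify date, still assignable
    if days_left <= reminder_days:
        return "REMINDER_DUE"     # inside the parameter 3020 window
    return "OK"

def review(export_text, today):
    """Map each role name in the export to its review status."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["role_name"].strip(): classify(row, today) for row in reader}

if __name__ == "__main__":
    for role, status in review(SAMPLE_EXPORT, date(2024, 3, 29)).items():
        print(f"{status:15} {role}")
```

Roles reported as OVERDUE, NO_APPROVER, or NO_CERT_PERIOD are the ones the reminder job alone will not bring back under review, so they are candidates for manual follow-up.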
Vinay Gupta
Vinay Gupta has a total of 10 years of experience in software development. He has worked with large IT companies, such as IBM and SAP Labs. Since 2008 he has been working at SAP Labs and involved in various phases of development and maintenance of SAP Access Control 5.3, 10.0, and 10.1. He has expertise in Business Role Management, Access Risk Analysis, Access Request, migration, and SAP authorization concepts.
You may contact the author at vinay.gupta@sap.com.