One of the key advantages of SAP BusinessObjects Access Control 10.0 is the multiuser access request feature. With this feature, multiple user access requests can be combined into a single request to save time and effort. This feature was available in SAP BusinessObjects Access Control 5.3’s compliant user provisioning functionality, but it had limited capabilities. Learn about how SAP has enhanced multiuser request submission in SAP BusinessObjects Access Control 10.0. You can use SAP BusinessObjects Access Control 10.0 for multiuser request submissions during go-live or to provide the same roles to numerous SAP users.
Key Concept
The multiuser request feature in SAP BusinessObjects Access Control 10.0 tracks all the approvals from managers or role owners in one request and is easily accessible for audit purposes later. It’s difficult to track all the approvals from managers and role owners if these users are created manually in the SAP system. In such a case, you need to track all the email approvals.
Before the release of SAP BusinessObjects Access Control 10.0, security administrators who wanted to grant access to a large number of users could use transaction SU10. Administrators needed to document the approvals for granting access and provide them to auditors for later reference and tracking. In some companies, to track all the approvals in the compliant user provisioning functionality of SAP BusinessObjects Access Control 5.3 itself, administrators were faced with the time-consuming, tedious task of submitting requests one by one for each user. SAP BusinessObjects Access Control 10.0’s multiuser request feature enables security administrators to include all their access requests within a single request that is sent to the SAP BusinessObjects GRC system.
I explain step by step how to submit a multiuser request in SAP BusinessObjects Access Control 10.0. The key step in a multiuser request is filling out the comma-separated value (csv) template correctly.
Step 1. Prepare the User List
This step involves preparing the csv file correctly. The file is relatively simple and straightforward, but the correct columns need to be populated. Any errors at this stage may result in the request being incorrectly submitted. This file includes the list of all the users, their user IDs, their first and last names, and their email addresses (Table 1). The columns with the values indicated are the ones that need to be filled out. You can leave the rest blank.

Table 1
Columns in the csv file for a multiuser request
Table 2 shows the csv file format with only the required columns completed.

Table 2
Entries in the csv file
The same SAP roles are granted to all the users in the spreadsheet and are added in the subsequent steps.
Step 2. Log on to the SAP BusinessObjects GRC 10.0 System
Because SAP BusinessObjects GRC 10.0 solutions are based on the ABAP platform, you can log on directly via the SAP GUI (Figure 1). You then execute transaction NWBC to launch SAP NetWeaver Business Client.

Figure 1
The SAP GUI
The alternative option is to log on to the SAP NetWeaver Business Client URL for the SAP BusinessObjects GRC 10.0 system. This step directly launches the SAP NetWeaver Business Client window (Figure 2).

Figure 2
The SAP NetWeaver Business Client window
The SAP NetWeaver Business Client window shows all the cockpits or roles available in the user master record. Click the SAP_GRAC_NWBC link to open the SAP NetWeaver Business Client home page (Figure 3).

Figure 3
The SAP NetWeaver Business Client home page
Different links are visible in the SAP NetWeaver Business Client window depending on the roles assigned to the security administrator. The administrator should at least have the SAP_GRAC_ACCESS_REQUEST_ADMIN role (I recommend the client-specific copied version of this role) to be able to submit requests to the SAP BusinessObjects GRC 10.0 system.
Step 3. Submit the Request
Click the Access Request link located under My Profile in the screen shown in Figure 3. This action takes you to the screen shown in Figure 4. Select New Account from the drop-down menu in the Request Type field if all the users are new users and do not exist in the SAP system. I recommend checking first to see if any of the users in the spreadsheet already exist in the SAP system. If the users’ accounts already exist, then select Change Account in the Request Type field and submit a separate access request for users who need to be created.

Figure 4
The initial screen for an access request
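A pre-import check for the user list from step 1, which also applies the recommendation above to separate users who already exist (Change Account) from those still to be created (New Account). This is an added example, not part of the original article or of SAP's tooling; the column headers and the exported list of existing user IDs are assumptions, so take the real headers from your system's template.

```python
import csv
import io
import re

# Assumed header names; replace them with the ones in your csv template.
REQUIRED = ("User ID", "First Name", "Last Name", "Email")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_USER_ID_LEN = 12  # SAP user IDs are at most 12 characters

# Constructed sample file: one missing email and one repeated user ID.
SAMPLE = """User ID,First Name,Last Name,Email
jdoe,Jane,Doe,jane.doe@example.com
asmith,Alan,Smith,alan.smith@example.com
bnoemail,Bea,Noe,
jdoe,John,Doe,john.doe@example.com
"""


def check_user_list(csv_text, existing_ids):
    """Return (new_rows, change_rows, errors) for a multiuser request file.

    existing_ids: user IDs already in the target SAP system (assumed input,
    for example taken from a user list report in the back end)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [], [], [f"missing column(s): {', '.join(missing)}"]
    existing = {u.strip().upper() for u in existing_ids}
    seen, new_rows, change_rows, errors = set(), [], [], []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        values = {c: (row[c] or "").strip() for c in REQUIRED}
        user_id = values["User ID"].upper()  # SAP stores user IDs in upper case
        problems = [f"{c} is empty" for c in REQUIRED if not values[c]]
        if len(user_id) > MAX_USER_ID_LEN:
            problems.append("User ID longer than 12 characters")
        if values["Email"] and not EMAIL_RE.match(values["Email"]):
            problems.append("Email is not a valid address")
        if user_id and user_id in seen:
            problems.append("duplicate User ID")
        seen.add(user_id)
        if problems:  # keep bad rows out of both request files
            errors.append(f"line {line_no} ({user_id or '?'}): " + "; ".join(problems))
            continue
        values["User ID"] = user_id
        (change_rows if user_id in existing else new_rows).append(values)
    return new_rows, change_rows, errors


if __name__ == "__main__":
    new, change, errs = check_user_list(SAMPLE, ["ASMITH"])
    print(len(new), "new,", len(change), "change,", len(errs), "rejected rows")
```

Rows reported in the error list should be corrected before import, and the two remaining groups go into separate requests with the matching Request Type.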
In the Description block enter a description of the request being made to the SAP BusinessObjects GRC system. If the request is for a project, then I recommend entering a change request, a reference-for-change number that identifies the mass user change. This step is useful for audit tracking.
Choose Multiple from the drop-down menu in the Request For field as this request is being submitted for many users. From the drop-down menu set the Business Process field to Workflow. Depending on the configuration of your SAP BusinessObjects GRC 10.0 system, the Functional Area may or may not be a mandatory field. The Due Date field also may be an optional entry. Import the csv file that was created in step 1 by clicking the Import button in Figure 4 and specifying the csv file name and path (Figure 5).

Figure 5
Select the csv file path
Once you import the csv file, the user list appears (Figure 6).

Figure 6
The access request screen after the csv file is imported
Go to the User Access tab (Figure 7). This is where the SAP role that needs to be assigned to all the users is added in the request to the SAP BusinessObjects GRC system.

Figure 7
The User Access tab to add the roles for the multiuser request
Click the Add button and then select Role. This action takes you to Figure 8. To search for the role, enter the role name in Figure 8, click the downward arrow, and add it in the request. Also select the system for which the access request is being created. Note that you can add multiple roles at this stage by repeating the aforementioned steps.

Figure 8
Selecting the roles to be added in the access request
When all the roles are added, click OK. This action brings you back to Figure 7. Now click the Add button. Select the system in which you plan to create or change users. Once you select the roles and the system, they are automatically populated in the User Access tab (Figure 9). The assignment approver is also shown in the request. If the role has a validity period that needs to be specified, then you can specify it in this screen. Click the Submit button to submit the access request. This request is then routed to the manager of the users.

Figure 9
Access request screen to submit the request
Step 4. Approve the Request
Depending on how the workflow is set up, the request to the SAP BusinessObjects GRC system is typically routed to the manager first and then to the role owner. Then it is routed to the account management team for risk violation analysis and approval. The access request is routed to each of the managers of all the users. For example, if there are 10 users in the access request with 10 different managers, the request is first routed to the 10 managers with just their users’ requests showing. This functionality is really the key behind how this approval workflow works for the multiple user request in SAP BusinessObjects Access Control 10.0.
Step 5. Review the Users Created
To validate if the users have been created, log on to the back-end SAP system where the users were supposed to be created. Use transaction SUIM and validate if the users are created correctly.

Figure 10
Transaction SUIM output in the SAP system showing how users were created
Note
In this example, I assume that the role owner has already been informed that this request is routed to him for approval. The role owner should also have reviewed the list of users. If the role owner is not planning to approve the role access for a few users, then these users should not be included in the request. Rejecting the access request for these users rejects the entire request. If certain users do not need a particular role, then they should be part of a separate request to the SAP BusinessObjects GRC system. In a multiuser request, you cannot approve access to a few roles and reject a few others.
Rudr
Rudr is a senior GRC consultant. He has been consulting for more than 14 years in SAP systems and for more than eight years in the field of Virsa and SAP GRC solutions.
You may contact the author at editor@grcexpertonline.com.