Before the release of SAP BusinessObjects Access Control 10.0, security administrators who wanted to grant access to a large number of users could use transaction SU10. Administrators needed to document and provide the approvals for granting access to auditors for later reference and tracking. In some companies, to track all the approvals in the compliant user provisioning functionality of SAP BusinessObjects Access Control 5.3 itself, administrators were faced with the time-consuming, tedious task of submitting requests one by one for each user. SAP BusinessObjects Access Control 10.0’s multiuser request feature enables security administrators to include all their access requests within a single request that is sent to the SAP BusinessObjects GRC system.

I explain the step-by-step instructions on how to submit a multiuser request in SAP BusinessObjects Access Control 10.0. The key step in a multiuser request is filling out the comma-separated value (csv) template correctly.

Step 1. Prepare the User List

This step involves preparing the csv file correctly. The file is relatively simple and straightforward, but the correct columns need to be populated. Any errors at this stage may result in the request being incorrectly submitted. This file includes the list of all the users, their user IDs, their first and last names, and their email addresses (Table 1). The columns with the values indicated are the ones that need to be filled out. You can leave the rest blank.

Table 1

Columns in the csv file for a multiuser request

Table 2 shows the csv file format with only the required columns completed.

Table 2

Entries in the csv file

The same SAP roles are granted to all the users in the spreadsheet and are added in the subsequent steps.

Step 2. Log on to the SAP BusinessObjects GRC 10.0 System

Because SAP BusinessObjects GRC 10.0 solutions are based on the ABAP platform, you can log on directly via the SAP GUI (Figure 1). You then execute transaction NWBC to launch SAP NetWeaver Business Client.

Figure 1

The SAP GUI

The alternative option is to log on to the SAP NetWeaver Business Client URL for the SAP BusinessObjects GRC 10.0 system. This step directly launches the SAP NetWeaver Business Client window (Figure 2).

figure 2

The SAP NetWeaver Business Client window

The SAP NetWeaver Business Client window shows all the cockpits or roles available in the user master record. Click the SAP_GRAC_NWBC link to open the SAP NetWeaver Business Client home page (Figure 3).

Figure 3

The SAP NetWeaver Business Client home page

Different links are visible in the SAP NetWeaver Business Client window depending on the roles assigned to the security administrator. The administrator should at least have the SAP_GRAC_ACCESS_REQUEST_ADMIN role (I recommend the client-specific copied version of this role) to be able to submit requests to the SAP BusinessObjects GRC 10.0 system.

Step 3. Submit the Request

Click the Access Request link located under My Profile in the screen shown in Figure 3. This action takes you to the screen shown in Figure 4. Select New Account from the drop-down menu in the Request Type field if all the users are new users and do not exist in the SAP system. I recommend checking first to see if any of the users in the spreadsheet already exist in the SAP system. If the users’ accounts already exist, then select Change Account in the Request Type field and submit a separate access request for users who need to be created.

Figure 4

The initial screen for an access request

In the Description block enter a description of the request being made to the SAP BusinessObjects GRC system. If the request is for a project, then I recommend entering a change request, a reference-for-change number that identifies the mass user change. This step is useful for audit tracking.

Choose Multiple from the drop-down menu in the Request For field as this request is being submitted for many users. From the drop-down menu set the Business Process field to Workflow. Depending on the configuration of your SAP BusinessObjects GRC 10.0 system, the Functional Area may or may not be a mandatory field. The Due Date field also may be an optional entry. Import the csv file that was created in step 1 by clicking the Import button in Figure 4 and specifying the csv file name and path (Figure 5).

Figure 5

Select the csv file path

Once you import the csv file, the user list appears (Figure 6).

Figure 6

The access request screen after the csv file is imported

Go to the User Access tab (Figure 7). This is where the SAP role that needs to be assigned to all the users is added in the request to the SAP BusinessObjects GRC system.

Figure 7

The User Access tab to add the roles for the multiuser request

Click the Add button and then select Role. This action takes you to Figure 8. To search for the role, enter the role name in Figure 8, click the downward arrow, and add it in the request. Also select the system for which the access request is being created. Note that you can add multiple roles at this stage by repeating the aforementioned steps.

Figure 8

Selecting the roles to be added in the access request

When all the roles are added, click OK. This action brings you back to Figure 7. Now click the Add button. Select the system in which you plan to create or change users. Once you select the roles and the system, they are automatically populated in the User Access tab (Figure 9). The assignment approver is also shown in the request. If the role has a validity period that needs to be specified, then you can specify it in this screen. Click the Submit button to submit the access request. This request is then routed to the manager of the users.

Figure 9

Access request screen to submit the request

Step 4. Approve the Request

Depending on how the workflow is set up, the request to the SAP BusinessObjects GRC system is typically routed to the manager first and then to the role owner. Then it is routed to the account management team for risk violation analysis and approval. The access request is routed to each of the managers of all the users. For example, if there are 10 users in the access request with 10 different managers, the request is first routed to the 10 managers with just their users’ requests showing. This functionality is really the key behind how this approval workflow works for the multiple user request in SAP BusinessObjects Access Control 10.0.

Step 5. Review the Users Created

To validate if the users have been created, log on to the back-end SAP system where the users were supposed to be created. Use transaction SUIM and validate if the users are created correctly.

Figure 10

Transaction SUIM output in the SAP system showing how users were created