Setting Up Workflow and Business Rules

Objective

After completing this lesson, you will be able to configure the Workflow and Business Rules.

Workflow and Business Rules Setup for SAP Cloud Identity Access Governance

With SAP Cloud Identity Access Governance you can manage workflows for access requests, risk checks, and emergency access. You also use business rules to avoid access risks and segregation of duties (SoD) risks, and to ensure compliance.

The Access Request service of SAP Cloud Identity Access Governance integrates with SAP Workflow service and SAP Business Rules service on SAP BTP. The business rules capability is tightly coupled with the workflow capability and lets you digitize and automate decision making. At the same time, business rules keep the dynamic decision logic separate from the application logic, which is represented by workflows.

The processing of access requests requires a workflow definition that specifies how many stages (in this case, approvals) must be passed through before the request is completed. This workflow ensures that access requests, especially those for privileged access, are reviewed and granted properly. To define which workflow is triggered for which type of request, you specify the decision logic using business rules.

In SAP Cloud Identity Access Governance, workflow templates and their respective paths and stages are delivered out-of-the-box by default. It is, however, possible to deploy custom workflows. Furthermore, with regards to business rules, SAP Cloud Identity Access Governance comes with predefined sets of rules for various on-premise and cloud applications.

Uploading Workflow Templates

Diagram showing the steps to upload the workflow templates

There is no configuration required for the workflow. For all workflow-related actions, you need to make use of pre-delivered workflow templates. You require these templates to create access requests, including those for Privileged Access Management and Privileged Access Monitoring. Perform the following steps to make the workflow templates available:

  1. In the SAP Cloud Identity Access Governance Fiori Launchpad (FLP), navigate to Administration > Template Upload.

    In the Template Upload app, you can upload standard and custom workflow templates, and notification templates for all workflow-related processes.

  2. In the Workflow section, choose Upload.

    Note

    The word "upload" is misleading. The workflow templates are not uploaded but rather rolled out by a job that you initiate by choosing the Upload button.
  3. You can find the uploaded workflow templates in the Maintain Workflow Template app.

Note

SAP Cloud Identity Access Governance pre-delivers both the workflow and notification templates. If these templates have not been delivered in your tenant, create a support ticket using the GRC-IAG component and request them.

In the Maintain Workflow Template app, you can add custom workflow templates. This is how you customize your workflow templates, including the different stage sequences.

  1. Open the Maintain Workflow Template app.
  2. Choose Add (+ symbol).
  3. Provide a name and a description for the custom template.
  4. In the Stages section, choose Add (+ symbol) to add the stages to the template.
  5. Select a stage or multiple stages: Manager, Role owner, and Security.
  6. Choose Apply.
  7. Choose Save.

In the Template Upload app, you can also upload notification templates. You need those to use the notification functionality for access requests and notify the requester and the approver about the request status. To use the notification functionality, download and upload notification templates:

  1. Open the Template Upload app.
  2. In the Notification section, first choose Download. The template is downloaded as a ZIP file.
  3. Save the ZIP file in your system.
  4. If required, make the relevant changes to the template you downloaded.
  5. Choose Upload to upload the modified file. The file must be uploaded in ZIP format.

Note

After performing these steps, the notification functionality is still not fully set up and no notifications can be sent. You also need to perform the remaining steps, for example, creating destinations in the SAP Cloud Identity Access Governance subaccount and providing the connection details of a mail server. For more information, read the SAP Note:

3148288 - Email is not getting triggered in IAG - SAP ONE Support Launchpad

Screenshot showing the steps to identify the default workflow for access requests

The workflow customization also allows you to define mandatory actions for each stage sequence. During the process flow of an access request, the approvers in the respective stages can perform additional actions, such as starting a remediation and/or a simulation (risk analysis) task. By default, those tasks are optional and the approvers are not forced to perform them. If you want to enforce a stricter policy and ensure that those tasks are performed, you activate the corresponding attributes in the workflow configuration templates.

There are two options that you can set as mandatory tasks:

  • Remediation Mandatory
  • Risk Analysis Mandatory

Generally, it is a best practice to execute remediation and risk analysis tasks during the approval process of an access request. Nonetheless, whether you have to enforce those actions as mandatory depends on your organizational policies and guidelines.

In case you want to achieve this behavior, you can configure the options in the following app:

Maintain Workflow Template

Perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to Administration > Maintain Workflow Template.
  3. Select the workflow template you are using for your access requests (by default: "mangerrolesecuritypath").
  4. Choose the stage for which you want to enforce the remediation and risk analysis actions.
  5. To switch to change mode, choose Edit.
  6. Set the values for the attributes:

    Example:

    • Risk Analysis Mandatory = YES
    • Remediation Mandatory = YES
  7. Choose Save.

The figure above, Identify the Default Workflow for Access Requests, depicts an example of a request awaiting approval in the inbox. You can see two warning messages stating that the remediation and risk analysis actions are mandatory and have to be performed. Without executing those tasks, the approver cannot confirm the request.

More information can be found on SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/83f383d3123c4f57b036d2707ec2e730/0cf1e44e6f74485fab8348fe911a40e7.html?q=Parameter&locale=en-US

Accessing Business Rules

You use the SAP Business Rules service to define the stages, paths, and other workflow rules used by Access Request service to move the request items through the stages of an access request.

SAP Cloud Identity Access Governance offers pre-delivered business rules. To access these rules, create a support ticket. To do so, select the component GRC-IAG.

Hint

You can also configure the business rules manually as described here: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/e12d8683adfa4471ac4edd40809b9038/fe36875e47dc48a292ec08eff5ebaafa.html. However, we recommend that you request the rule sets through SAP support.

Screenshot showing the steps to access business rules

Accessing the business rules can be done in the following way:

  1. In the SAP Cloud Identity Access Governance Fiori Launchpad (FLP), navigate to Administration > Configuration.
  2. Navigate to Business Rule and choose Launch.

    The Business Rule editor opens.

  3. Open the default IAGWorkflowBusinessRule project entry in the Projects list.

Screenshot showing the business rules setup

The rules have already been modeled. To define the decision logic, you must add a Decision Table for each rule.

Navigate to Rules and select RequestTypeRule in the Local Rules section.

For this rule, workflow paths have been defined.

Finally, the business rules need to be activated and the new workflow version needs to be deployed.

Screenshot displaying the decision table

Now, in the Decision Table, you can see which workflow path (one of the pre-delivered workflow templates) is going to be executed for a specific request type.

You can expand the decision table and add further request types. For them, you can define the workflow paths accordingly. To do so, choose Edit in the upper right-hand corner.
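The following Python model, added here as an illustration and not part of SAP Cloud Identity Access Governance or this lesson, ties together the two pieces of configuration described above: the decision table that maps a request type to a workflow path, and the per-stage Risk Analysis Mandatory / Remediation Mandatory attributes that block an approver from confirming a stage until the tasks are done. The template name "mangerrolesecuritypath" comes from the lesson; the request-type keys, the "managerpath" template, the fallback path, and the per-stage reset of task completion are assumptions.

```python
# Constructed decision table: request type -> workflow path (template name). Only
# "mangerrolesecuritypath" is from the lesson; the other values are assumed.
DECISION_TABLE = {
    "USER_ACCESS": "mangerrolesecuritypath",
    "PRIVILEGED_ACCESS": "mangerrolesecuritypath",
    "ROLE_CHANGE": "managerpath",
}
DEFAULT_PATH = "mangerrolesecuritypath"  # assumed fallback for unmapped types

# Constructed templates: ordered stages as (name, risk_analysis_mandatory,
# remediation_mandatory), mirroring the per-stage attributes in the app.
TEMPLATES = {
    "mangerrolesecuritypath": [
        ("Manager", False, False),
        ("Role owner", False, False),
        ("Security", True, True),  # enforce both tasks at the last stage
    ],
    "managerpath": [("Manager", True, False)],
}

def route(request_type: str) -> str:
    """Decision-table lookup; unmapped request types fall back to the default path."""
    return DECISION_TABLE.get(request_type, DEFAULT_PATH)

class AccessRequest:
    def __init__(self, request_type: str) -> None:
        self.path = route(request_type)
        self.stage_index = 0
        self.status = "OPEN"
        # task completion is tracked per stage and reset on advance (assumption)
        self.risk_analysis_done = self.remediation_done = False

    def pending_mandatory_tasks(self) -> list:
        """The warnings an approver sees in the inbox for the current stage."""
        _, ra_mandatory, rem_mandatory = TEMPLATES[self.path][self.stage_index]
        missing = []
        if ra_mandatory and not self.risk_analysis_done:
            missing.append("Risk Analysis Mandatory")
        if rem_mandatory and not self.remediation_done:
            missing.append("Remediation Mandatory")
        return missing

    def approve(self) -> bool:
        """Confirm the current stage; refused while mandatory tasks are pending."""
        if self.status != "OPEN" or self.pending_mandatory_tasks():
            return False
        self.stage_index += 1
        self.risk_analysis_done = self.remediation_done = False
        if self.stage_index == len(TEMPLATES[self.path]):
            self.status = "APPROVED"
        return True
```

Run a request of type PRIVILEGED_ACCESS through all three stages to see that the Security stage refuses approval until both tasks are marked done, and that an unknown request type silently takes the default path, which is why new request types should get an explicit decision-table row.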