A Candidate Business Role (CBR) is an optimal business role proposed by the SAP Cloud Access Governance Role Design Service. The service suggests business roles that should be created based on existing user-to-technical role associations. It generates a list of proposed candidates for business roles that you can adjust as needed. When you activate the candidate business role, it becomes a standard business role.

The Role Design Flow consists of 5 steps:
- The first step is to create candidate business roles by defining multiple attributes and by defining the users that should be taken into account for the creation of candidate business roles in the Create Candidate Business Roles app. After submitting, the app generates candidate business roles.
- These candidate business roles can be reviewed and selected in the Select Candidate Business Roles app. The app routes the selected candidate business roles to the Role Design Inbox and makes them available to process.
The next steps are to be performed in the Role Design Inbox.
- Refine step: Open your Role Design inbox and decide which candidate business role to work on. All roles have an initial status of Refine. The app changes the initial status of refined candidate business roles to the next processing stage Activate.
- Activate step: Open your Role Design inbox and select the candidate business roles to be activated. If you are satisfied with your edits, choose Activate. The app then converts the candidate business roles into normal business roles. It changes the status of the business role to Reconcile.
- Reconcile step: Open your inbox and select the business roles that you want to reconcile. Choosing Submit indicates that you are done with reconciliation.

Use the Create Candidate Business Roles app to define the attributes and data selection of your candidate business roles and to create business roles that are suggested based on the parameters which are defined. For example, you can create candidate business roles for a certain business process or for users from a dedicated department. This app proposes optimal, editable candidate business roles with the goal of reducing redundancy and access overlap. In addition, it is important to already have an authorization concept to map the candidate business roles with the business need. The better your existing authorization concept is, the better the candidate business roles proposal will become.
In the top-right corner of the app, the Access Considered number displays the technical roles and groups that are going to be included in the proposal based on the filters. The Users Affected number shows the number of users based on the filter attributes.
Note
The following example illustrates the calculation of a candidate business role based on the simplest use case.
When you have set the filter, make sure that at least 3 users with at least 3 common accesses are being shown, for example:
- User A: access1, access2, access3, access4
- User B: access1, access2, access3, access5, access6
- User C: access1, access2, access3, access7
The filter gives 3 users: User A, User B and User C. The 3 users have 3 accesses in common: access1, access2, access3. This means that a Candidate Business Role (CBR) has been successfully generated. If this prerequisite is not fulfilled, no CBR is created, although the background job completes without an error.
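The following pre-check is an added example, not SAP code and not the Role Design Service's own algorithm: it tests the prerequisite above (at least 3 users with at least 3 common accesses) against a user-to-access mapping before you submit the job. The function name, the constants, and the sample data (the three users from the note plus a constructed User D) are assumptions for illustration.

```python
from collections import defaultdict
from itertools import combinations

MIN_USERS = 3     # "at least 3 users" (from the page)
MIN_ACCESSES = 3  # "at least 3 common accesses" (from the page)


def find_common_access_groups(assignments, min_users=MIN_USERS,
                              min_accesses=MIN_ACCESSES):
    """Map each qualifying user group to the accesses all its members share.

    A group of >= min_users users with >= min_accesses common accesses exists
    exactly when some min_accesses-sized set of accesses is held by at least
    min_users users, so counting those small sets per user is sufficient.
    """
    holders = defaultdict(set)
    for user, accesses in assignments.items():
        for seed in combinations(sorted(set(accesses)), min_accesses):
            holders[seed].add(user)

    groups = {}
    for users in holders.values():
        if len(users) >= min_users:
            common = frozenset.intersection(
                *(frozenset(assignments[u]) for u in users))
            groups[frozenset(users)] = common
    return groups


# Constructed sample data: the three users from the page plus one outlier.
SAMPLE = {
    "User A": ["access1", "access2", "access3", "access4"],
    "User B": ["access1", "access2", "access3", "access5", "access6"],
    "User C": ["access1", "access2", "access3", "access7"],
    "User D": ["access1", "access2", "access8"],
}

if __name__ == "__main__":
    groups = find_common_access_groups(SAMPLE)
    if not groups:
        print("Prerequisite not met: expect the job to finish without a CBR.")
    for users, common in groups.items():
        print(sorted(users), "share", sorted(common))
```

An empty result for your filtered user set explains a job that completes without an error but produces no candidate business role.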
The steps to perform are as follows:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Role Designer→Create Candidate Business Roles.
- Provide the necessary information by using the filters to narrow your proposal.
- Select a business process.
- Select one or more departments.
- Select one or more companies.
- Select one or more user groups.
- Select one or more functions.
- Select the checkbox and use the slider bar to set the allowed percentage of overlapping (optional).
- Fill in the project information that you want to associate to this candidate business role proposal. Use the drop-down arrow to select a project.
- Enter a purpose (optional).
- Choose Submit.
- The app schedules a job that generates candidate business roles. Enter a name for the job.
Note
To see the status of the submitted job, use the Job History List app (Propose Candidate Business Roles job).
- Choose Submit again to schedule the job.

In the Create Candidate Business Roles app, there is an option to specify a percentage of allowed overlapping above which the app issues a warning message. Overlapping access occurs if the access within a candidate business role is repeated in an active business role.
Example
If you specify 50% as your overlap threshold, the app warns you if overlapping access exceeds 50%. Choose the Options checkbox to enable the slider bar. Use this slider to designate the percentage of allowed overlapping. If the checkbox is cleared, no percentage overlap is allowed.
The usage of this overlapping access depends on customer-specific needs.
The Role Design Service checks for overlapping percentages during the refinement and activation of a candidate business role.

Use the Select Candidate Business Roles app to view the candidate business roles that have been proposed and to perform the second step in the Role Design process. Here, you review the candidate business roles generated by the app for this project and you choose the ones that you want to work with.
You can choose candidate business roles one by one to display the details, including the proposed users and details about the proposed access. Select the available icon to display candidate business roles that are available for selection. Choose the submitted icon to display candidate business roles that have already been selected for processing. When the review of one business role is complete, go back to the list, select the candidate business roles you want to process, and choose Next.
Perform the following steps to select and process the candidate business roles:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Role Designer→Select Candidate Business Roles.
- Select the checkbox of one or more available candidate business roles that you want to process.
- Choose Next on the bottom-right corner.
- Review your selection and select Back to Select Candidates if you want to choose another CBR. Use the (x) to remove a candidate business role from your selection.
- If the selection is fine, choose Submit.
The app assigns a request number to each candidate business role. It routes each candidate business role to the Role Design Inbox and sets the stage of all candidate business roles to Refine.
In the Select Candidate Business Roles app, you can always switch at the top of the screen between an overview of all proposed CBRs ("Available") and all submitted CBRs ("Submitted").

When you select and submit the candidate business roles, you can review the proposed business role and associated access, possible risks and users for the candidate business role in the Role Design Inbox. You can also update the role attributes.
When you open the Role Design Inbox, a Requests screen appears. The Task column shows the Refine task for a candidate business role. When you make the required changes, you can also simulate to see how your changes have impacted the SoD or Critical Access risks. When you are finished with the changes, select Submit to route the candidate business role request to the next stage, Activate.
The steps to perform are as follows:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Role Designer→Role Design Inbox.
- Select a request.
The Access section lets you see the access, application name, business process, subprocess, access type and number of risks.
The Users section lets you see all the users who get this candidate business role.
The Other Attributes section lets you see a long description and the content approvers as well as the assignments approvers.
The Audit section lets you see the audit log of a request.
- Choose Edit to modify the candidate business role. From here, you can do the following:
- Change the Role Name, Description, Business Process, and Long Description
- Add and delete associated access
- Assign one or more content approvers (Other Attributes section)
- Assign one or more assignment approvers (Other Attributes section)
- Add any comments in the Notes section
- Choose Simulate to see how your changes have impacted the SoD or Critical Access risks. Continue making adjustments until you are satisfied with the results.
- Save changes and choose Submit to route the request for the candidate business role to the next stage: Activate.

In the Activate step, you activate the candidate business roles. After activation, these roles become the standard business roles. Depending on your authorizations, choose the Role Design Inbox app to check all open requests for candidate business roles relevant to you.
Once you click on a request with the task Activate, you get to the Activate Candidate Business Role screen, where you can see the number of potential risks the role may cause. Select the Audit section to see what actions have been taken starting from the Refine stage. You can also edit the role name, description, or add a note if required.
When you are ready, choose Activate to activate the role.
The steps to perform are as follows:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Role Designer→Role Design Inbox.
- Select a request with the task Activate.
The Access section lets you see the access, system name, business process, subprocess, access type and number of risks.
The Users section lets you see all the users who get this candidate business role.
The Audit section lets you see the audit log of a request.
The Notes section lets you see notes if available.
- Choose Edit to modify the candidate business role. From here, you can change the role name, description and add a note.
- Save changes.
- Choose Activate to route the request to the next stage, Reconcile.

At the Reconcile stage, role assignment owners can review the new business roles and the impact on user assignments and their access.
You access the Reconcile Current vs. Proposed Access function through the Role Design Inbox app, which displays all the open tasks for candidate business roles relevant to you. To reconcile a candidate business role, select an item with the status of Reconcile. You can see the difference between users' current access compared to their access with the new business role. Missing Access shows the access that will be added with the new business role.
When you are done, select the Submit button to begin the provisioning process. The provisioning will take place the next time the Provisioning job runs.
The steps to perform are as follows:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Role Designer→Role Design Inbox.
- Select a request with the task, Reconcile.
The Users section lets you see all the users who get this candidate business role. Choose Current Access and Missing Access to see details.
The Access section lets you see the access, system name, business process, subprocess, access type and number of risks. Click on the available Risks to see details about the risks.
- Choose Submit.
- Navigate to the Job Scheduler app on the Fiori Launchpad and run a Provisioning Job, so that the provisioning can take place.
The provisioning ensures that the accesses provided by the role are assigned to users.

The CBR Simulator app lets you simulate the business roles in three steps. After filtering the roles and users by the criteria business process, department, company, user group and function, you select a project name and a purpose as in the Create Candidate Business Roles app. You can also skip the filter step and move on to Visualize Role Assignment, which is the second step.
The steps to perform are as follows:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Role Designer→CBR Simulator.
- Select the filters by selecting the dropdown buttons next to each filter that is needed. Choose a project under project information and enter a purpose (optional).
Or choose Skip Filter Step to get to the next step.
- Choose Next to get to the Visualize Role Assignment step.

The Role Design Administration app is used to monitor the role design process of candidate business roles. From this screen, administrators can track each request in the Role Design Service and take action as needed. It lets you view metrics for open role design tasks and act to resolve blockers. For example, you can see how long a task has been open and forward it to someone to complete it. This will lock the request for other users. You can also unlock a task to enable users to access it.
The app consists of the Metrics and the Request screen.
The Metrics screen shows graphs at the top of the screen that give statistics about role requests to assist role administrators. The Processing Times bar chart at the right side shows minimum, maximum and average processing times for each stage (Refine, Activate, and Reconcile). The bar chart shows how many requests have taken above average or below average time to process. The Requests in Process pie chart shows the number of requests that are in each stage: Refine, Activate, and Reconcile.
The Requests screen at the lower part shows details about the requests. It displays the Request Number, which is assigned by the role design process; the Project name that was assigned by the user when the candidate business role proposal was initiated; the Candidate/Business role name; the stage (Refine/Activate/Reconcile); the Effective Date, which is the date when this role entered the current stage; and the Last Updated date.
If a request has been locked, it can be unlocked by choosing the Release Request button. Requests can also be forwarded to another user for processing. Requests can also be canceled and removed from processing.
Select a request line for more information about the Access and to take further action. From this screen, you can Reconcile Current vs. Proposed Access, Activate Candidate Business Roles or Approve/Reject Access (depending on the stage of the request).
The steps to perform are as follows:
- Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
- Navigate to Role Designer→Role Design Administration.
- Select a request to perform one of the following actions:
- Release Request (if the request is locked), so that another processor can work on the request
- Forward Request and add a message (optional)
- Cancel Request
- Choose a request for more information and take action if necessary:
- Reconcile current vs. proposed access
- Activate candidate business roles
- Approve/reject access