Approving an Access Request

Once a user has created and submitted an access request, the assigned approver can examine the request. Imagine yourself in the shoes of this approver, and watch the following video. It guides you through the steps to approve an access request.

Approvers receive all requests in the Work Inbox app, where the approval process begins. Individual assignments within the request can be approved, rejected, or forwarded to another approver. The Risk Violation tab permits risk analysis and mitigation. After thoroughly reviewing the access request, approval is finalized by choosing Submit. Any undecided assignments are automatically approved. Once approved, the requested access changes for users in target systems are automatically implemented.

You've now learned how users can request access and how approvers can approve these requests. However, how do you ensure that the user request is directed to the appropriate approver?

SAP Access Control provides various options to configure the approval workflow for access requests. Depending on the details of the request or the assignments, the request can be sent to different workflow paths. Technical experts configure a workflow according to company requirements. For example, a company must configure a workflow so that a manager approves requests of type "New Account" and connector "SAP S/4HANA" on the first stage of approval. On the second stage of approval, role owners approve the requests. However, only a manager approves requests of type "Change Account" and connector "SAP SuccessFactors." To meet these requirements, technical experts configure a rule that routes requests to different workflow paths depending on request type and connector type.

SAP Access Control provides the SAP Business Rule Framework (BRF) plus rules to configure routings for access request approval workflows. Business Rule Framework BRF plus provides a comprehensive application programing interface (API) and user interface for defining and processing business rules. Using BRF plus rules for the access request approval process, you can define all conditions to be analyzed (request type, connector, business process, role name, and so on). You can also define the resultative workflow path or approval agent for each condition. Workflow paths are maintained in Multi-Stage, Multi-Path (MSMP) configuration. Paths determine the lifecycle of access requests. A path consists of approval stages with a designated type of approver, such as: A manager, role owner, risk owner, users of a particular user group, or users with a particular role. The stage configuration controls what an approver can or cannot do at this point in the request lifecycle. For example, forwarding to another approver, changing request details, approving without risk analysis, and so on.

The list of BRF plus rules types that are relevant for MSMP workflow configuration includes but is not limited to:

Initiator rules determine the initial routing of a request. It defines to which workflow path that the request will be sent straight after creation depending on request attributes or assignments' attributes. To avoid unintended results or issues, the conditions analyzed for an initiator rule must be unique. Initiator rules return only one result. To process every request created, an initiator rule must be complete and must cover all possible scenarios.

An agent is a person or group of people who perform approval of requests or get notifications about workflow events. SAP Access Control provides standard agents. For example, manager (specified in request details), role owner (specified in role details in BRM), and firefighter ID owner (specified in firefighter ID details.) You can also create the following types of custom agents:

• A list of users.
• User group.
• Users with particular PFCG role.
• Custom GRC API rule based agents such as BRF plus, Function Module, ABAP Class Based Rule, and BRF plus Flat Rule.

BRF plus agent rules determine the actual persons for approving an access request or receiving notifications about workflow actions, depending on request or assignment conditions. Conditions analyzed for an agent rule don't have to be unique, because if the business process requires it, the rule can return multiple results (approvers or notification receivers.)

Routing rules are similar to initiator rules, except that they are activated during the workflow process. Routing rules are typically used for exception processing and only contain the condition scenarios that match the exception. For example, you can configure a routing rule as follows: after the first stage of approval, roles of a request that belong to a particular business process are routed to a security team for approval.

A routing rule must deliver a single resultative workflow for each condition to provide a consistent workflow. If there are existing access risks in an access request, SAP Access Control delivers a standard routing rule. Using this standard SOD routing rule, you can configure a workflow to route the request with access risks to another path after completion of at least one approval stage.

In the following image, you can see an example of how a workflow can be configured when a company has various requirements to workflow of access request approval. To route a request to a particular path, the initiator rule analyzes the conditions (request and assignment attributes.) On the right part of the following figure, you can find paths with the corresponding conditions mentioned.

Let's take the two first paths on the figure. If a user creates a request of types New Account and Change Account with the target system ZMGCLNT800 in assignments, the initiator rule routes it to the AR_NA_PATH. An AR_NA_PATH path consists of three steps:

• Manager
• Role approver
• Security stage

If there are access risks in the request, the SOD routing rule reroutes the request to the SOX team after the role approver stage, and before the security stage.