Exploring Integrational Aspects of SAP Access Control

Objective

After completing this lesson, you will be able to explain the integration of SAP Access Control with SAP SuccessFactors, the SAP HR on-premise system, and SAP Cloud Identity Access Governance.

Integrational Aspects of SAP Access Control

Integration of SAP SuccessFactors with SAP Access Control

Changes to an employee's HR status lead to access changes for the employee in business process systems. For example, if the employee changes job position, they need another set of roles. When an employee is hired, you create a user for the employee with the required roles in the systems. With SAP Access Control, you can automate these processes to change users' access depending on HR events. HR events can come to SAP Access Control from SAP SuccessFactors or from the SAP HR on-premise system. SAP Access Control then creates a request with the corresponding user access and provisions the user in the target systems. First, let's look at SAP Access Control integration with SAP SuccessFactors.

SAP SuccessFactors Employee Central leads to New Hire, Change of Employee Job Data, and Termination. All three lead to SAP Cloud Integration, which leads to SAP Access Control, which leads to the target systems.

SAP SuccessFactors to SAP Access Control integration supports three scenarios:

  1. Add a new employee.
  2. Change of employee job data. For example, update employee records, such as the business unit or position.
  3. Terminate an employee.

What are the main steps of integration?

  1. Employee data resides in SAP SuccessFactors Employee Central. Changes happen to employee status, such as hiring, changing job data or termination.
  2. SAP Cloud Integration retrieves changed employee data from Employee Central and converts it to a format that can be used by SAP Access Control.
  3. SAP Access Control imports the data from SAP Cloud Integration. Using decision tables that are configured in the Business Rule Framework (BRF+) and in Rule-to-Role mapping configuration, SAP Access Control creates access requests that contain the appropriate roles and actions for the employee.
  4. SAP Access Control provisions the employee in the correct target systems with the appropriate role assignments (role assignments are removed in the case of an employee termination).
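The steps above, sketched as an added example (not SAP code and not part of the original lesson): an HR event is matched against a rule-to-role decision table and turned into access request line items. The table contents, role names, event fields, and action names are constructed, and the removal of old roles on a job change is an assumption; the `source` switch reflects the termination behaviour this page describes for SAP SuccessFactors versus the SAP HR on-premise system.

```python
from dataclasses import dataclass, field

# Constructed stand-in for a BRF+ rule-to-role decision table: first matching
# row wins, None is a wildcard. Role and unit names are made up.
DECISION_TABLE = [
    ("FINANCE", "AP_CLERK", {"Z_AP_INVOICE_ENTRY"}),
    ("FINANCE", "AP_MANAGER", {"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RELEASE"}),
    ("FINANCE", None, {"Z_FIN_DISPLAY"}),
]

def roles_for(business_unit, position):
    for unit, pos, roles in DECISION_TABLE:
        if unit == business_unit and pos in (None, position):
            return set(roles)
    return None  # no rule matched

@dataclass
class AccessRequest:
    user: str
    items: list = field(default_factory=list)  # (action, value) line items
    needs_review: bool = False

def build_request(event, current_roles=frozenset(), source="SUCCESSFACTORS"):
    req = AccessRequest(user=event["user"])
    if event["type"] == "TERMINATE":
        if source == "SUCCESSFACTORS":  # role assignments are removed
            req.items = [("REMOVE_ROLE", r) for r in sorted(current_roles)]
        else:  # HR on-premise: the user's validity date is delimited
            req.items = [("DELIMIT_USER", event["effective"])]
        return req
    target = roles_for(event["business_unit"], event["position"])
    if target is None:
        req.needs_review = True  # fail closed: no matching rule, no access
        return req
    if event["type"] == "HIRE":
        req.items.append(("CREATE_USER", event["user"]))
    req.items += [("ASSIGN_ROLE", r) for r in sorted(target - set(current_roles))]
    # Assumption: on a job change, roles of the old position are withdrawn
    req.items += [("REMOVE_ROLE", r) for r in sorted(set(current_roles) - target)]
    return req

if __name__ == "__main__":
    move = {"type": "CHANGE", "user": "JDOE", "business_unit": "FINANCE",
            "position": "CONTROLLER"}  # constructed event
    print(build_request(move, current_roles={"Z_AP_INVOICE_ENTRY"}).items)
```

An event that matches no row produces an empty request flagged for review instead of a default role set, so a gap in the mapping cannot silently grant access.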

Let's look at SAP Access Control integration with SAP HR on-premise system.

The SAP HR on-premise system leads to New Hire, Change of Employee Job Position, and Termination. All three lead to SAP Access Control, which leads to the target systems.

SAP HR on-premise system to SAP Access Control integration supports three scenarios:

  1. Add a new employee.
  2. Change an employee's job position.
  3. Terminate an employee.

Main steps of integration:

  1. Employee data resides in SAP HR on-premise system. Changes happen to employee status, such as hiring, changing job position or termination.
  2. SAP Access Control imports the data from SAP HR on-premise system. Using information about the roles that correspond to the position of the employee, SAP Access Control creates access requests that contain the appropriate roles and actions for the employee.
  3. SAP Access Control provisions the employee in the correct target systems with the appropriate role assignments (delimits the validity date of a user in the case of employee termination).

SAP Cloud Identity Access Governance Bridge: Hybrid Identity and Access Governance

SAP Access Control provisions access to on-premise applications and the SAP SuccessFactors cloud solution. Connecting to most cloud applications is not supported directly from SAP Access Control. With infrastructure changes in a company, you may need to provision access to more cloud target systems. At the same time, you want to continue using SAP Access Control as the entry point for users and keep the configured SAP Access Control workflows and other configurations.

The SAP Cloud Identity Access Governance Bridge scenario is the option for provisioning access to cloud systems while keeping SAP Access Control as the leading system. It allows you to use the existing configuration and the existing access request management process. SAP Cloud Identity Access Governance Bridge enables access requests and risk analysis for cloud target applications from SAP Access Control.

In the SAP Cloud Identity Access Governance Bridge scenario, the SAP Access Control and SAP Cloud Identity Access Governance solutions are integrated mainly in the Access Request Management and Access Risk Analysis components. The integration also enables user access changes for cloud target systems in the UAR Review and Updating Business Role Assignment processes.

The access request process consists of the following steps in the SAP Cloud Identity Access Governance Bridge scenario:

  1. As a user, to get access to on-premise and cloud target systems, you create an access request in SAP Access Control.
  2. You, or approvers of the request, start risk analysis in the access request. SAP Cloud Identity Access Governance Bridge performs risk analysis for both on-premise and cloud target systems. During mitigation of risks in SAP Access Control, you look up mitigating controls in SAP Cloud Identity Access Governance. The mitigation results are then available in SAP Cloud Identity Access Governance.
  3. Approvers approve the access request in SAP Access Control according to existing workflow configuration.
  4. SAP Access Control provisions access to on-premise target systems, SAP Cloud Identity Access Governance provisions access to cloud target systems.
