Registration

Dear SAP Community Member,
In order to fully benefit from what the SAP Community has to offer, please register at:
http://scn.sap.com
Thank you,
The SAP Community team.
Skip to end of metadata
Go to start of metadata

Understanding HR Triggers in Access Control 10.0

Purpose

The Purpose of this document is to help user in understanding the details of the HR Trigger functionality provided by Access Control 10.0. This document also talks about the various configurations and settings that the user needs to make use of this functionality as per the business requirements.


Overview

HR Triggers is used in Access Control 10.0 to automatically create an access request whenever an info type is changed in the HR Plug-in system. This helps the organization to set specific rules for a new user automatically when the user is hired in the organization. There are many other functionalities that are achieved using the HR Trigger process and are explained in detail in the following sections.

How is HR Trigger Initiated

HR Trigger gets initiated as soon as there is a change in any of the info types in the HR system. This change in HR Info types may be due to the creation of a new User ID because of a new hire or due to change in Position of an employee or due to change in the validity of an employee or due to termination of an employee or due to any other info type change of an existing employee. All this process happens at the Plug-in system used for the HR processes. There are a few IMG setting that are required to be set to initiate this HR Trigger process properly.

IMG setting required at the HR Plug-in system

Goto IMG->Governance, Risk and Compliance (Plug-In->Access Control->Maintain Plug-In Configuration Settings.

Maintain the following parameters as shown below.

Param ID

Parameter Value

Short Description

1000

ERDCLNT300

Please maintain Plug-in Connector

1001

GRDCLNT100

Please maintain GRC connector

1003

YES

Enable HR Trigger

A reference screenshot for this configuration setting is shown below:

 

How is this change transferred to the GRC System

As soon as any of the changes stated above occur in the HR system, a BADI is triggered in the plug-in system which makes an internal table containing the info types that have been changed along with their old and new values. This table is then passed to the GRC system via a system call to the GRC function module which receives this change event and takes over the control. This call is made using a qRFC to make sure that the data is not lost in case the GRC system is down or not available at that moment.

How GRC system handles this change

Now, the control is passed on from the HR Plug-in system to the GRC system along with the info type data that has changed. The GRC system now tries to make use of the BRF+ Application for HR Triggers to find out which type of request has to be created. This is done by using the decision table in BRF+ application whose each row returns an Action ID based upon the info type that has been changed. As an example, change in the info type 0105 and Subtype 0001 (User ID) would indicate that a new user has been created and hence this row would return the Action ID as Create. Based upon this Action ID, the request type is chosen and the request is created using this request type.

BRF+ Application to choose the request type

The BRF+ Application is required for the purpose of selecting the Request Type that would be used to create the request. The BRF+ Application that is used for HR Triggers must be mapped under the following IMG setting.

Goto IMG->Governance, Risk and Compliance->Access Control->Maintain AC Applications and BRFplus Function Mapping.

Add a new entry using the BRF Function ID used in the BRF+.

Appl ID

BRF Function ID

MSMP Process ID

HR Triggers

XXXXXXXXXXXXXXXX

SAP_GRAC_ACCESS_REQUEST

A reference screenshot showing this configuration is shown below:

 

You can create the BRF+ Application by following the steps mentioned under the following link: GRC 10.0 - HR Trigger BRF+ configuration

Now, the Action ID that is returned by this BRF+ application is used to fetch the information on the request type to be used for the newly created request.

Setting up the Request Type

To set the Request Types based upon the Action_ID, set the IMG as shown below:

Goto IMG->Governance, Risk and Compliance->Access Control->User Provisioning->Maintain Settings for HR Trigger

The screen here would looks as shown in the below screenshot:

Select and double click on the Action ID for which you need to set the respective Request Type.

You can also set the systems for which the request is to be created along with the validity dates of the user over these systems. To do this, you can select the Action ID and then click over the 'Maintain Systems' link in the left panel. A reference screenshot for the screen that would appear is shown below:

 

Related Content

Related Documents


Link for the WIKI document to create BRF+ Application for the HR Triggers:

GRC 10.0 - HR Trigger BRF+ configuration