To ensure sound GRC processes, it is highly recommended to guarantee that a single user is not allowed to initiate and approve his/her own requests. The principle that stipulates how many users must be involved in approving an access request has to be defined by each company and can differ slightly from one company to another. This may be a 2-, 4- or even 6-eyes principle, as required by your management.
In this document I would like to share how we can technically guarantee that the user who initiates a request is not allowed to approve it, so that at least the 4-eyes principle is enforced.
The following example describes a common setup with four steps.
- Step 1: Request Initiation – Requestor
- Step 2: Manager Approval – Manager
- Step 3: Role Owner Approval – Role Owner
- Step 4: Security Stage – Security Personnel (e.g. SAP Competence Center)
Basically, I recommend that the Requestor is not allowed to approve his own requests at the Manager Stage (neither requests for his own user account nor requests submitted by him) when acting as Manager. As Role Owner he should be allowed to approve requests for his own user account and also requests submitted by him. In case you have different requirements, this document gives you a basic idea of how this can be handled.
What does the configuration look like?
Go to the IMG Configuration (SPRO) > GRC > Access Control > User Provisioning > Maintain End User Personalization.
I suggest having a separate EUP configuration for each stage. Therefore, create a new EUP for each stage (Manager, Role Owner and Security). The preferred way is to copy an existing one (e.g. DEFAULT), as most of the settings are already available there and can be modified easily.
The EUP has to be assigned in the MSMP configuration for each stage. Below is an example for the Manager Stage with reference to EUP configuration 920 (Manager View). All other stages are configured in the same way.
The EUP configuration can be defined in different ways:
- If maintained as USER or left blank, the user (the account the request is for) will not be able to approve his own request
- If maintained as USER AND REQUESTOR, neither the user nor the requestor can approve the request
Define the field as not editable and not visible, as it does not need to be seen by the approver.
In the Access Request approval screen the blocked approver will see the error message “You are not allowed to approve your own requests”.
As mentioned, it is possible to define at each stage who can approve/reject their own requests. In my example I have maintained this only for the Manager Stage, as I assume a 4-eyes principle is sufficient for most companies.
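To make the effect of the two EUP values concrete, here is an added example (not SAP code, not part of the original post) that models the self-approval check per MSMP stage. It assumes the stage names above, treats the Manager Stage as maintained with USER AND REQUESTOR, and uses `None` as a constructed placeholder for stages where no self-approval restriction is maintained (Role Owner and Security).

```python
from dataclasses import dataclass

# EUP values for the "approve own request" setting as described in the post.
BLANK = ""
USER = "USER"
USER_AND_REQUESTOR = "USER AND REQUESTOR"

# Error message shown in the Access Request approval screen (quoted from the post).
OWN_REQUEST_ERROR = "You are not allowed to approve your own requests"


@dataclass(frozen=True)
class AccessRequest:
    request_id: str
    requestor: str  # user who submitted the request
    user: str       # user account the request is for


# Assumed per-stage EUP settings mirroring the post's recommendation:
# Manager Stage blocks both the target user and the requestor; the other
# stages carry no restriction (None is a constructed placeholder).
STAGE_EUP = {
    "MANAGER": USER_AND_REQUESTOR,
    "ROLE_OWNER": None,
    "SECURITY": None,
}


def blocked_approvers(request, setting):
    """Return the set of user IDs the given EUP value forbids from approving."""
    if setting is None:
        return set()
    if setting in (BLANK, USER):
        return {request.user}
    if setting == USER_AND_REQUESTOR:
        return {request.user, request.requestor}
    raise ValueError(f"unknown EUP setting: {setting!r}")


def check_approval(request, stage, approver, stage_eup=STAGE_EUP):
    """Return (allowed, message) for an approver acting at a workflow stage."""
    if stage not in stage_eup:
        raise KeyError(f"unknown stage: {stage}")
    if approver in blocked_approvers(request, stage_eup[stage]):
        return False, OWN_REQUEST_ERROR
    return True, "approval permitted"


def denied_attempts(request, attempts, stage_eup=STAGE_EUP):
    """Audit helper: filter (stage, approver) attempts down to the ones the policy rejects."""
    return [(s, a) for s, a in attempts if not check_approval(request, s, a, stage_eup)[0]]
```

Running `denied_attempts` over a constructed list of approval attempts gives the same set of users that would see the error message in the approval screen.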
Let me know if you need further ideas, and do not hesitate to contribute.