NWBC screen layout options for GRC
3/Nov/2016 blog updated for re-tagging due to SCN migration
The purpose of this document is to summarise the technical solutions to custom-build your NWBC screens should you decide the SAP pre-delivered screens do not meet your requirements. The focus on this document applies to GRC 10.x Access Controls. However, some options apply to NWBC in general. This document does mention quite a few technical concepts (PFCG role menu for NWBC access, webdynpro, launchpads, etc). If you are not familiar with these concepts, I recommend you review available documentation in SCN and SAP Help. Technical implementation steps have not been included; however, links to other SCN blogs and Wiki where possible have been provided.
A Quick overview of the GRC SAP standard
In GRC 10.x Access Controls Work Center roles are provided by SAP to provide users with the NWBC layouts (each role provides a different tab). These roles are built based on PFCG Role menu using ABAP webdynpro GRFN_SERVICE_MAP with the specific application configuration mapped. Each folder name in the PFCG role provides the Level 1 Tab (such as Master Data, Access Request) and the webdynpro provides the layout for that tab. The individual links/icons are displayed based on configuration of a launchpad and authorisation object GRFN_REP (if the user does not have authorisations of the link in NWBC for that specific item they will not see it on their screen). Example role of this is SAP_GRC_NWBC as shown in the screen shot below with access to the the My Home, Rule Setup, Access Management and Reports and Analytics work centers.
Screen Shot: example of SAP standard role that grants NWBC Work Center access for GRC
The idea of the GRFN_REP object allows you to reuse the launchpad to provide different links to different users (or if you are not using all of the functionality you can hide some from the users). However, lack of access to the authorisation does not guarantee the users has been prevented from accessing the functionality (if they know the SICF service name they can enter the URL assuming SICF has not been restricted with S_ICF authorisation).
The launchpads can be customised to add/remove the SAP standard proposed links. Launchpad functionality does allow you to compare your changes to the SAP standard version. For information on GRC example, refer to the following document by Trinadh Bokka
I did not like the SAP standard work centers outside of prototyping/demonstration for the following reasons:
- Having to assign the user multiple work centers to get their full access;
- User having to jump across multiple tabs (Org Structure on one, Access Control Owners on another, risk and mitigation split up, etc);
- Wanting to set up custom work center layouts as per the process steps (much more user friendlier); and
- Old school’ avoidance to maintaining SAP standard (although possible, I am not a fan of maintaining the SAP launchpads as I like to have the original reference and not have headache at support packs/enhancement packs). Happy for someone to come along and convince me otherwise (a SAP Basis expert managed to convince me to stop building Custom ZSAP* work center roles for Solution Manager).
Hence, time to provide options on how you can build your own layout for users:
Option 1 – Standard NWBC Build
In this option you build your PFCG role menu without using the GRC Work Center concept. Refer to SAP help documentation for how to achieve this. Each link (webdynpro) must be added to the PFCG role menu as a link and configured to appear in NWBC. This option does allow you to add different levels of folders and group the links together. It provides you the greatest control in choosing what you want to display in the SAPGUI menu and/or NWBC menu. It does not leverage the GRC launchpads or GRFN_SERVICE_MAP.
One benefit of this option is that by adding the webdynpro to the role menu you can leverage the SU24 mapping proposals. At the same time, you will need to go through and figure out the defaults for each webdynpro as SAP did not deliver any standard SU24 proposals (it takes time but is worth it when it comes to security build and testing).
You will, however, need to build PFCG role menu for each access scenario instead of re-use of the work center roles and launchpads. This may not be a drawback for you if your PFCG role is also including the underlying authorisations to execute the functionality.
Screen Shot: Building custom PFCG menu for NWBC layout
Option 2 – Use the Launchpad Webdynpro
Instead of using GRFN_SERVICE_MAP you can create the NWBC layout by adding the webdynpro APB_LAUNCHPAD_NWBC to the PFCG role menu. As part of the configuration parameters, you must specify the launchpad instance and role name.
Screen Shot: Launchpad added to PFCG via APB_LAUNCHPAD_NWBC
This approach does not use the SAP delivered GRFN_SERVICE_MAP (and therefore hiding of links in NWBC via authorisation object GRFN_REP object). It also does not include each webdynpro link in the role menu to import the SU24 proposals (again assuming they exist). I had this as a solution on my options after looking at this webdynpro for an ECC build. However, I did not like that it provided the use with the option in NWBC to “change launchpad” as the user would be presented with the full list of launchpads to choose another.
Screen Shot: Change Launchpad button for APB_LAUNCHPAD_NWBC
Option 3 – Build your own configuration for GRFN_SERVICE_MAP
In this option, you follow the SAP GRC work center approach by using GRFN_SERVICE_MAP to build your own launchpads and use them instead. Unlike the APB_LAUNCHPAD_NWBC, the PFCG item definition does not reference the role and instance. This is configured in the webdynpro configuration via SE80.
The diagram below provides the mappings of the webdynpro configuration and applications for GRFN_SERVICE_MAP. You will need to have a developer key to do this – or you may need to ask a developer depending on your company’s policy. You will not need to register an SAP object in the Marketplace. If you receive a prompt of the object repair key you have attempted to modify the standard instead of copying your own.
Diagram: Mapping of Webdynpro Configuration for GRFN_SERVICE_MAP
You will need to access SE80 for the GRFN_SERVICE_MAP and launch the Webdynpro Application Configurator (a link appears). To create your own, you need to copy the GRAC_FPM* items listed in the example and map them to each other. You are not modifying SAP standard. The “UIBB” item contains the link to the launchpad instance and role. The “AC” item is added to the PFCG menu for the GRFN_SERVICE_MAP.
My tip for copying these items: stick to a naming convention such as ZGRAC_FPM* to denote custom, use the AC/CC/UIBB (marked in red) and have the last character (example above ACCESS_MGMT) reflect the launchpad name. It becomes a lot easier to trace your configuration if you have a build error.
Screen Shot: UIBB Configuration showing mapping to launchpad
This option allows you to leverage the GRC NWBC design and continue to use launchpad. It also means you do not need to maintain the SAP standard launchpad and can build your own.
Refer to the following Wiki article for the SE80 webdynpro configuration.
Option 3 Extended to leverage SU24 proposals
Each webdynpro referenced in the launchpad can also be added to the PFCG role menu but kept invisible. In doing this, SU24 proposal can then be defaulted into PFCG. This option will require dual maintanance of the launchpad and the PFCG menu.
Interested in Option 3… and more?
If the SAP standard roles are not appropriate for you, I recommend you have a look at the Option 3 mappings. Have a look at the PFCG role menu to see differences in making links invisible and changing the icons that you see in NWBC. You can also have a look in the SE80 configuration to change the Launchpad headings from hyperlink to plain bold text; see if you can find the default empty launchpad that has been mapped to all work centers; and work out why your are limited to two columns in your launchpad.
I welcome your constructive feedback in the comments below J