SAP GRC 10.0 MSMP 101 for beginners
When an employee joins the company he requires SAP Access. The general process I the manager or supervisor of the employees sends an email to the SAP Security with the required roles and the user is provisioned in the required backend systems. This process does works but everything is manual and there is no clear audit trail. There is also no guarantee that the roles were properly assigned.
This is where the SAP GRC 10.0 User Provisioning tool can help. The key engine which drives this process of the approval workflow is called MSMP – Multi Step Multi Process. This will automate the process. Let us understand the MSMP from high level so beginner can understand the configuration
Step 1 ( Process Global Settings) – Execute MSMP Configuration from the SPRO menu to come to MSMP main screen. Here you need to note the process ID which is SAP_GRAC_ACCESS_REQUEST and it is liked to GRAC_AR_INITIATOR. Only one initiator can be linked to the process id.
Step 2: (Maintain rules) – In this step we are going to look at the result value of the GRAC_AR_INITIATOR which drives the path of the work flow. Here the GRAC_DEFAULT_RESULT is the result value. This value will be used to find out how the request is going to flow when you create a request
Step 6 (Maintain Route Mapping) – In this step we look for the GRAC_DEFAULT_RESULT and see which path it is mapped to GRAC_DEFAULT_PATH
Step 5 Maintain Path – In this setting we look for the GRAC_DEFAULT_PATH and identify the Stage in the Path. This shows that there are two stages which are manager and Security. Now we need to understand how the approvers are assigned to the stages. The approvers assigned to the stage are ZGRC_MANAGER and ZGRC_SECURITY
Step 3 Maintain Agents – In this step we are looking are defining the agents and linking them to the PFCG role. The users assigned to this role will be the approvers of the request coming to this stage
Now when you create a request the following high lighted request which are mapped to Process id SAP_GRAC_ACCESS_REQUEST will follow these two steps and get provisionined into the system
Hope this help. Give your feed back and comments