SAP Cloud Identity Access Governance – Candidate for Business Role
SAP Cloud Identity Access Governance (IAG) is Software as a service (SAAS) solution built on the SAP Business Technology Platform, It helps organizations to manage SOD and critical access risks while meeting security and compliance requirements.
Cloud IAG provides native integration with a superior user experience across hybrid environments, it can be connected directly to SAP Cloud applications or existing customers can enable it as a bridge, to connect Access Control 12.0 and the SAP Cloud applications for a hybrid access governance landscape.
SAP Cloud Identity Access Governance software helps simplify and automate access governance using its key capabilities or services- access analysis service, access request service, role design service, access certification service, privileged access management service.
In this article, we’ll explore candidate for business role functionality by role design service.
Candidate for Business Role
A candidate for the business role is an optimal business role proposed by the SAP Cloud Identity Access Governance, role design service.
The service suggests business roles that should be created based on existing assignments. This service supports you in simplifying your business applications by using business roles more efficiently.
The service generates a list of proposed candidates for business roles that you can adjust as needed. You evaluate these and decide whether or not to activate them. Once you activate the candidate business role, it becomes a standard business role.
Role Design Flow
We are going to use the following apps in the role design flow.
1. You enter the criteria for generating the candidate business role
The app generates candidate business roles (Create Candidate Business Roles App )
2. You select candidate business roles to process.
App routes selected candidate business roles to inbox ( Select Candidate Business Roles App)
3. You open your inbox and decide which candidate business role to work on. All roles have an initial status of Refine. Click Save once you are done with your edits. Then click Submit to route the candidate business role to the next processing stage, Activate.
App changes the status of refined candidate business roles to Activate. ( My Inbox app or the Role Design Inbox app )
4. You open your inbox and select the candidate business roles to be activated. Click Activate once you are satisfied with your edits.
App converts candidate business roles to business roles, It changes the status of business roles to Reconcile.
5. You open your inbox and select the business roles that you want to reconcile. Click Submit, and you are done with reconciliation.
Creating Candidate Business Role
The first step in the role design process is to enter criteria for generating candidate business roles for your project. You use Create Candidate Business Roles app to specify the project’s parameters, to create candidate business roles for a certain business process or department.
You use Filter By fields to define the attributes of your candidate business roles.
Overlapping access occurs if the access within a candidate business role is repeated in an active business role.
Here you can specify a threshold overlap percentage above which the app issues a warning message. Clicking the Options checkbox enables the slider bar and then uses the slider to set the overlap percentage allowed.
Once you have filled in the required information, click Submit.
To view the candidate business roles that the app creates, use the Select Candidate Business Roles app.
Selecting Candidate Business Roles
Use the Select Candidate Business Roles app to perform the second step in the role design process. Here you review the candidate business roles generated by the app for this project and select the desired candidate business role. And finally, Submit.
The app performs the following actions:
Assigns a request number to each candidate business role
- Routes each candidate business role to the My Inbox app
- Sets the stage of all candidate business roles to Refine
To process the selected candidate business roles, use the My Inbox app / Role Design Inbox app.
Role design routes all candidate business roles through the following stages in sequential order
Refining Candidate Business Roles
You can access the Refine Candidate Business Role function through the My Inbox app or Role Design Inbox app depending on your authorizations. Here you review the proposed business role and associated access, and can also update the various role attributes.
After making the required changes you can Simulate to see how your changes have impacted the SoD or Critical Access risks. Once you are done with the changes you can Submit to route the candidate business role request to the next stage, Activate.
Activating Candidate Business Roles
In the activate step, you activate the candidate business roles, after activation, these roles become the standard business roles. Depending on your authorizations choose the My Inbox app or Role Design Inbox app to check all open requests for candidate business roles relevant to you.
On Activate Candidate Business Role screen, you can see the number of potential risks the role may cause. Select the Audit section to see what actions have been taken. You can also edit the role name, description, or add a note if required.
Once you are ready click Activate to activate the role.
Reconciling Use Access Assignment
In the reconcile stage, role assignment owners can review the new business roles and the impact on user assignments and their access.
You access the Reconcile User Access Assignment function through the My Inbox / Role Design app, which displays all the open tasks for candidate business roles relevant to you. To refine a candidate business role, click an item with the status of Reconcile, You can see the difference between users’ current access compared to their access with the new business role.
Once you are done, select the Submit to begin the provisioning process. The provisioning will take place the next time the Provisioning job is run.
Please check the Administration Guide from https://help.sap.com/viewer/product/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE
Note: Please share your feedback or queries in a comment below or ask questions in the Q&A tag area here about SAP Cloud Identity Access Governance
Well explained Ravi.
The 1st step itself requires creating a job, post which i do not see the role available in Inbox. The 1st step showed 5 accesses, which means 5 single roles are selected for the CBR.
Also the 1st step does not allow to specify the name of a CBR. So, how will it be available for selection in 2nd step.
Also, CBR simulator is not explained in your blogpost. Do you mind explaining it.
I wanted inquire that at which stage the new business roles (candidate business roles) assigned to users?
Does Reconcile User Access Assignment function allows to adjust role-assignment as well?