
Parallel workflows in CUP

Former Member

Hello Experts,

Our environment has SAP HR, GRC CUP (5.3) and Active Directory (connected to IBM Tivoli Manager).

I have a requirement where I need to provision user IDs to SAP systems through GRC CUP after the Hire event is completed in SAP HR. To provision in SAP, we need to first create the Active Directory ID (network ID) before we can use this ID as the SAP user ID. We are planning to use position-based security in SAP HR.

Question: After the Hiring event is completed, can I initiate 2 paths in the GRC CUP workflow, where one path creates the Active Directory ID and then provides that Active Directory ID to the second path, which will then use this to provision in SAP systems?

The Active Directory is connected to IBM Tivoli Identity Manager, so we have to create the Active Directory account through IBM Tivoli Manager.

Can you share your thoughts on this? Can we build a workflow like that? If not, any other alternative thoughts?

Thanks

Answers (1)

Former Member

Does your AD supply the email ID back to the HCM system thru IdM? Do you create the user request without the user ID/email ID available in the network or AD?

Please look at the following document for different scenarios with IdM and GRC CUP:

http://www.sdn.sap.com/irj/bpx/go/portal/prtroot/docs/library/uuid/20bfb824-ea45-2c10-b093-bd097a579...

Thanks

Himadama

Former Member

Himadama,

After the employee number is created in SAP HR, we would like to create the user ID and email ID in AD. This user ID and email ID should be updated to the HCM system thru IdM, and at the same time this user ID should be sent through GRC CUP, which should provision to ECC, SRM and BW.

Thanks

Former Member

My 2 cents on SAP IdM and GRC integration scenario (draft):

1. HR will create an employee record in HCM

2. IdM monitors changes and creates a network (AD) ID and email ID (Assumption: network ID and SAP user IDs are the same)

3. IdM updates the email address back to the HCM systems

4. Hiring manager enters the required roles. 1* (one more option, manager may add the business role and the business roles are mapped to the technical roles in IdM)

5. IdM sends the SAP systems requests to GRC 5.3 RAR

6. If there are no violations, the request returns to the IdM and IdM completes the provisioning process and roles need to be approved.

7. If there are violations in the request (CUP approval), after the role owners' approval, the request returns to the IdM and then IdM completes the provisioning process.

8. Manager (only) gets the notification of user creation, and logon credentials will be given to the new employee if the non-SAP (AD) provisioning process has not happened prior to the SAP provisioning process. (not clear yet)

Questions:

1. 1* Does IdM complete creation of the network ID? If it does, then the manager could enter the new employee's email ID. (Not sure whether the manager is only able to add roles, or roles and email ID)

2. Not sure whether IdM completes the non-SAP systems (like AD, etc.) prior to SAP systems in the same request.

Reference:

Page 11/14:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/60a4802f-b6cd-2b10-1ebf-e269d127a...

Page 8/48:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/30027e41-b5cd-2b10-4593-df65027f8...

Thanks

Himadama

koehntopp
Product and Topic Expert

This is exactly what we have configured for our demo scenario. We're using this to show potential customers what a Compliant Identity Management scenario could look like.

Gets the point across every time

Frank.

Former Member

First - IdM monitors changes in the HCM system and creates the AD account and email ID*.

Second - Send the email ID back to the HCM**.

Third - IdM takes all the details of the user and initiates the workflow, either the manager adding business and/or technical roles (or automatically taken from position)***.

*assuming IdM notices the change in HCM within 30 seconds

**assuming IdM updates the email ID back to the HCM within a minute and sends the logon credentials to the hiring manager (60 seconds total for the first and second tasks, or waits until the first task completes)

***assuming this 3rd task starts after the first and second tasks have completed (waits until IdM completes the second task (any monitoring job again???)).

Thanks

Himadama