ARM Configuration in SAP GRC: A Step-by-Step Guide

SAP Governance, Risk, and Compliance (GRC) provides a robust suite of tools to manage access risks, ensure compliance, and streamline security operations within an organization. Access Request Management (ARM) is a crucial module within the GRC suite designed to automate and govern requesting and provisioning user access across various systems. This blog will delve into the configuration of ARM in SAP GRC, outlining the critical steps involved.

Prerequisites

Before embarking on the configuration process, ensure you have the following in place:

• SAP GRC system: A correctly installed and functioning SAP GRC environment is essential.
• Necessary authorizations: You will need the appropriate authorizations to configure and administer the ARM module.
• System landscape understanding: Familiarity with the systems you wish to integrate with ARM (ECC, BW, HANA, etc.) will streamline the process.

Key Configuration Steps

1. Configuration Parameters
2. Begin by defining essential configuration parameters in SPRO (SAP Reference IMG). Navigate to Governance, Risk, and Compliance > Access Control > Access Request Management > Maintain Configuration Settings. Here, you’ll configure settings related to request type creation, workflows, deadlines, and more.
3. Request Types
4. Define the various types of access requests your organization will handle with ARM. Examples include new user creation, role assignment, modification, and system access. For each request type, you will configure:

• • Paths: The approval workflow route
  • Stages: Each step within the approval workflow
  • Agents: Who can approve or reject the request at each stage (role-based, rule-based, etc.)
  • End of Usage Processing (EUP): Actions taken upon expiration or removal of access.

1. Integration Scenarios
2. Enable ARM to communicate with the target systems where access will be provisioned. Use the transaction SPRO > Governance, Risk, and Compliance > Access Control > Access Request Management > Maintain Provisioning Settings. Define connections, technical settings, and field mappings for each system.
3. BRFplus Integration
4. Business Rule Framework Plus (BRFplus) provides decisive rule-based decision-making for ARM processes. Integrate BRFplus to:

• • Automate risk analysis of access requests
  • Implement custom approval logic.
  • Enforce segregation of duties (SoD) policies.

1. Workflow Configuration
2. Utilize the Multi-Stage Multi-Path (MSMP) workflow to establish the approval flow within access requests. In SPRO, access  Governance, Risk, and Compliance > Common Components > Workflow > Maintain MSMP Workflow Configuration. Based on the decisions at each stage, define the stages and possible paths that requests can take.
3. User Interface Customization
4. Personalize the ARM user interface in the NetWeaver Business Client (NWBC) to align with your organization’s terminology and processes. You can:

• • Customize form labels and fields.
  • Adjust layouts
  • Configure default values

Additional Considerations

• Risk Analysis: ARM integrates with SAP GRC’s Risk Analysis module. It’s critical to define your SoD rulesets before configuring ARM to enable automated risk analysis during the request process.
• Testing: Thoroughly test each request type in a non-production environment to ensure workflows, approvals, and provisioning function as intended.
• Change Management As business needs evolve, use a well-defined change management process to maintain your ARM configuration.

Benefits of a Well-Configured ARM

• Improved access governance: Streamline user access granting and revocation with transparent workflows and audit trails.
• Reduced risk: Automated risk analysis and SoD checks help mitigate security vulnerabilities.
• Enhanced compliance: ARM supports compliance initiatives by enforcing internal controls and industry regulations.
• Increased efficiency: Automated provisioning and approvals reduce manual efforts and improve turnaround times for access requests.