SAP GRC MSMP Workflow Configuration: A Streamlined Guide

SAP Governance, Risk, and Compliance (GRC) Access Control is an essential tool that helps enterprises manage and automate security risks, streamline access provisioning, and enforce compliance across their IT landscapes. A key component of this GRC module is the Multi-Stage Multi-Path (MSMP) workflow. MSMP workflows offer a flexible framework to build custom approval processes that align with your organization’s unique needs.

In this blog post, we’ll delve into the step-by-step process of configuring MSMP workflows in SAP GRC:

1. Activating the Business Configuration (BC) Set

• The MSMP functionality lies within a specific BC set. Begin by activating it:
  • Transaction Code: SPRO
  • Path: SAP Reference IMG -> Governance, Risk and Compliance -> Access Control -> Workflow for Access Control -> Activate MSMP BC Set

2. Maintain Process Global Settings

• Transaction Code: SPRO
• Path: SAP Reference IMG -> Governance, Risk and Compliance -> Access Control -> Workflow for Access Control -> Maintain MSMP Workflows

The key elements in this section are:

• Process ID: A unique identifier for your workflow (e.g., SAP_GRAC_ACCESS_REQUEST)
• Initiator Rule: Defines who can start the workflow. You’ll often use a BRF+ (Business Rule Framework Plus) rule here for flexibility.

3. Maintaining Rules

• Rules determine the possible outcomes or “Result Values” at each workflow stage, guiding the routing of different requests.
• You can use BRF+ rules or simpler rule types.

4. Maintain Paths

• A path is a series of stages that a request can traverse.
• You’ll define stages (e.g., Manager Approval, Security Approval) and their order.

5. Maintain Agents

• Agents are the decision-makers at each stage of the workflow:
  • Role-based: Agent is defined by a role (e.g., all users with the ‘Security Admin’ role)
  • Users: Specific, named individuals
  • Rule-based: Determined dynamically (often via BRF+)

6. Maintain Route Mapping

• This step connects ‘Result Values’ to paths. Determine which path a request follows based on the outcome of each stage’s rules.

7. Maintain Stage Configuration (Optional)

• Fine-tune each stage’s behavior:
  • Define timeouts and escalations
  • Enable notifications
  • Specify forms for data collection

Example: Access Request Workflow

1. Initiator: User submits an access request.
2. Stage 1: Manager Approval
   • Agent: User’s manager (from org data)
   • Result Values: ‘Approve’ or ‘Reject’
3. Stage 2: Security Approval
   • Agent: Security Team Role
   • Result Values: ‘Approve’ or ‘Reject’
4. Route Mapping:
   • ‘Approve’ at both stages -> ‘Provisioning Path’
   • Other combinations -> ‘Rejection Path’ or additional custom paths

Key Considerations

• BRF+: Offers maximum flexibility but adds complexity. Consider using simpler rule types when possible.
• Testing: Thoroughly test your workflows in a development environment before deploying them to production to ensure they are working as intended.
• Documentation: Keep detailed documentation of your workflow configurations. It’s helpful for troubleshooting and ongoing maintenance.

Benefits of MSMP Workflows

• Streamlined Approvals: Automate access request workflows for greater efficiency.
• Enforced Compliance: Ensure segregation of duties and implement risk mitigation controls.
• Auditability: Clear audit trails for compliance purposes.