SAP - User De-provisioning

An SAP - De-provisioning request enables you to:

  • Lock a user in SAP and Infor Risk & Compliance.
  • Revoke the user's roles
  • Mark a user as expired
  • Change the additional attributes for a user, for example, change a user's existing user group

De-provisioning may be required in cases where an employee leaves the company, or requires only temporary access to SAP. In such a case, the user account may need to be locked and the roles assigned to the user removed.

User de-provisioning requests are not analyzed. If the request type supports automatic completion, the user is locked by default, the users roles are revoked and the user is marked as expired.

If the request type does not support automatic completion, the  Administrator has to lock the user manually and revoke the roles manually.

Note: The file SAMIWritebackConfig.xml located at [Install Path]\Settings enables you to configure whether to remove a user's access and/or mark a user as expired in SAP. By default, these settings are enabled.

For details see the Configuration Settings Guide.

To create a User De-provisioning type of request:

  1. Provide details on the following panels
    • General Information: Use this panel to provide the following general information about the request.
      • Request Name: Provide a unique name to identify the request .
      • Request Priority: From the drop-down list, select a priority for the request .
      • Connections: Provide a connection for which the request is being created. You can set this connection as default from the Preferences page. To select a connection, type in a part of the connection name. All connections matching your search criteria are displayed. Select the desired connection.
        Note: Multiple connections for this request may be selected.

        The connections displayed in the drop-down list are a combination of both mapped and unmapped connections. You can select multiple mapped connections but the following combination of connections is not supported by Infor Risk & Compliance as the users will be different.

        • Mapped and Unmapped Connections
        • Multiple Unmapped connections

        For details on mapped and unmapped connections refer to the topic Create or Modify a Connection. Alternatively, browse and select the desired connection and click OK. The selected connection appears in the Connections field.

        Note: In case of secured connections, users signed into Infor Risk & Compliance will be able to view and use only those connections that they have access to.
      • Select User ID: Select the user to be de-provisioned. To select a user, type in a part of the user name. All users matching the search criteria are displayed. If multiple connections are selected and the same user exists in those connections, the user will be displayed multiple times. Select the desired user name. Alternatively, browse and select the desired user and click OK. The selected user appears in the Select User ID field .
        Note: If users are manually mapped, the browse window will display the mapped name and not the ERP name. Write-back to the ERP will be on the basis of the mapped name.
      • Full Name: This field is a read only field that displays the full name of the selected user.
      • Approval Manager: Select the name of the Infor Risk & Compliance user who will be an approver for the this request if the user's manager is unable to approve the request. For example, if the approval template has Manager of User as the approver at one or more stages but the manager is out of office
        Note: The Approval Manager field will be enabled only if the option 'Allow user to redirect request' is selected on the Access Management section on the Configuration page.
        To select an Approval Manager, type in a part of the user name. All users from the selected connection that match your search criteria are displayed. Alternatively, browse and select the desired user and click OK .
      • Additional User Attributes: Select additional user attributes if required and provide values for them. User attributes can be configured for all connections in which the user is present and should be enabled through the additionaluserattributes.xml file so that they are displayed on the request creation page. For details , see the respective Configuration Settings Guide.
        Note: Any additional user attributes added cannot be connected and cannot write back to SAP .
      • More Details
        • Comments: Provide additional information about the request through comments. Comments are mandatory if the Infor Risk & Compliance option check box on the Access Management section of the Configuration page is selected.
        • E-mail settings: This tab enables you to send email notifications to request participants or other users at specific stages of a request.
          1. Select any of the request status check boxes next to a user. Email notifications will be sent to that user when the request reaches that status. The option Approval Email Notification ensures that a user is notified whenever a request is posted to that user's inbox.
          2. Select the check box Display comments in email notifications, if you want the application to display comments in the notification.
          3. Other users can be notified by selecting the option Others. Provide the email address for the other users in the Other emails text box and click the Add icon.
          Note: Email settings are enabled and may be changed only if the check box Override this Option is selected in the Options panel of the Approval Process Template page.
        • Approval Stages : This panel provides details of the approval stages of the request and its present status .
  2. Click Send. The request is sent to the specified approvers and is displayed on the Requests home page. Click the request link to view the request details and take further action.

SAP - User De-provisioning Requests in CUA Clients