SAP - User Re-provisioning

This request type enables you to re-provision users, that is, to grant SAP access to users who have been previously de-provisioned through Infor Risk & Compliance. When you re-provision a user, you can:

  • Assign new validity dates for the user
  • Assign new roles
  • Change user attributes, for example, change the user's user group from the existing group to a new one
  • Unlock users (depending on the locked status of the user)

Re-provisioning requests can be created for all users. However, if a request is created for an active user and the user's status is active in SAP, the request fails during write-back and an error message is displayed.

Note: The locked status of a user can be defined as excluded from unlocking in the file SAMIWritebackConfig.xml. The user's lock status is checked during write-back to SAP. If it is defined as excluded, the user re-provisioning request fails with the message 'User is not Re-Provisioned in connection(s): <connection_name>' and no change is made to the user's status in SAP or Infor Risk & Compliance.

For details see the Configuration Settings Guide.

To create a user re-provisioning type of request:

  1. Provide details on the following panels:
    • General Information: Use this panel to provide the following general information about the request.
      • Request Name: Provide a unique name to identify the request.
      • Request Priority: From the drop-down list, select a priority for the request.
      • Connection: Select the connection for which the request is to be created. You can set this connection as default from the Preferences page. All users from this connection are available for new role assignment through this request. To select a connection, type in a part of the connection name. All connections matching your search criteria are displayed. Select the required connection. Alternatively, browse and select the required connection and click OK.
        Note: In case of secured connections, users signed into Infor Risk & Compliance can view and use only those connections that they have access to.
      • Select user ID: Select the user whose account is to be re-provisioned. To select a user, type in a part of the user name. All users from the selected connection and matching the search criteria are displayed. If multiple connections are selected and the same user exists in those connections, the user will be displayed multiple times. Select the desired user name. Alternatively, click the Browse icon to browse for and select the desired user and click OK. The selected user appears in the Select User field.
        Note: If users are manually mapped, the browse window will display the mapped name and not the ERP name. Write-back to the ERP will be on the basis of the mapped name.
      • Full Name: This field is a read only field that displays the full name of the selected user.
      • Valid From: Provide a date from when the user is valid. Click the Calendar icon to select a date from the calendar or leave as Date of Approval.
      • Valid Through: Provide the date until which the user is valid. Click the Calendar icon to select the expiry date for the user or leave as Never Expires.
        Note: The Valid Through date must always be either the current date or a future date for the request to be submitted.
      • Approval Manager: Select the name of the Infor Risk & Compliance user who will be an approver for this request if the user's manager is unable to approve the request. For example, the approval template has Manager of User as the approver at one or more stages, but the manager is out of office.
        Note: The Approval Manager field will be enabled only if the option 'Allow user to redirect request' is selected on the Access Management section on the Configuration page.
        To select an Approval Manager, type in a part of the user name. All users from the selected connection that match your search criteria are displayed. Alternatively, browse and select the desired user and click OK.
      • Assign Roles as this user: Specify the name of the user whose roles you want to assign to this new user. To select a user, type in a part of the user name in the autosuggest text box. All users matching the search criteria will be displayed. Select the required user. Alternatively, click the Browse icon to browse for and select the desired user and click OK. The selected user appears in the Assign Roles as this User field.
      • Additional User Attributes: Select additional user attributes if required and provide values for them. User attributes can be configured for all connections in which the user is present and should be enabled through the additionaluserattributes.xml file. During extraction, these attributes will also be extracted along with the newly created user. For details see the SAP - Configuration Settings Guide.
        Note: Any additional user attributes added cannot be connected and cannot write back to SAP.
    • New roles to be assigned: This panel enables you to assign new roles to the selected user. If you have selected an existing user in the Assign Roles as this user field, this panel lists the roles belonging to that user.
      • Add new roles: Roles may be assigned to a user present in a single connection, or they may be assigned to multiple connections in which the user is present. The process of selecting roles varies depending on whether the roles are to be assigned to the user in one connection or in multiple connections:
        • Roles to be assigned in one connection: If the role is to be assigned to the selected user in one connection, select the role as follows:
          1. Type in a part of the role name. All roles from the selected connection and matching the search criteria will be displayed. Select the required roles from the drop-down list. Alternatively, browse and select the desired role. All roles from the selected connection are available for selection.
          2. Click OK. The selected roles appear in the panel below and are marked with an icon.

            Import Roles: If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles can be imported and selected to be assigned:

        • Roles to be assigned in multiple connections: If multiple connections are selected from the Connections drop-down list and the user is present in two or more of the selected connections, this panel displays two drop-down lists:
          • The drop-down list on the left lists all the selected connections in which the user is present.
          • The drop-down list on the right lists all the SAP roles present in the selected connections.

          You need to select roles for each connection separately as follows:

          1. From the drop-down list on the left, select the required connection.
          2. From the drop-down list on the right, select the required roles to be assigned to the user in this connection.

            Import Roles: If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles can be imported and selected to be assigned:

    • Already assigned roles: This panel displays roles already assigned to the selected user in the selected connection. If the selected connection is a mapped connection, this panel will also list the roles assigned to this user in other connections to which the user belongs.
      Note: Click Undo to reset the revoked roles.
      • Revoke existing roles: This panel enables you to revoke any of the roles already assigned in the selected connection. Roles assigned to this user in other connections cannot be revoked. To revoke a role, select the check box next to the role to be revoked and click Revoke. The role will be revoked after the request undergoes the approval process. By default, all existing role assignments can be revoked through this request. This means that users can have zero role assignments. You can modify this default setting in the AMSConfig.xml file to ensure that all existing roles are not revoked. For details see the Configuration Settings Guide.
        Note: Indirect assignments, that is, single roles belonging to a composite role, cannot be revoked. Only direct assignments can be revoked or have their validity period changed.

        Composite roles are listed on the User Interface marked with an icon.

        Note: The Valid From and Expires On dates can be changed for roles that are already assigned. The validity date changes can be viewed from the Request Details for SAP page.
    • More Details
      • Comments: Provide additional information about the request through comments. Comments are mandatory if the Infor Risk & Compliance option check box on the Access Management section of the Configuration page is selected.
      • E-mail settings: This tab enables you to send email notifications to request participants or other users at specific stages of a request.
        1. Select any of the request status check boxes next to a user. Email notifications will be sent to that user when the request reaches that status. The option Approval Email Notification ensures that a user is notified whenever a request is posted to that user's inbox.
        2. Select the check box Display comments in email notifications, if you want the application to display comments in the notification.
        3. Other users can be notified by selecting the option Others. Provide the email address for the other users in the Other emails text box and click the Add icon.
        Note: Email settings are enabled and may be changed only if the check box Override this Option is selected in the Options panel of the Approval Process Template page.
      • Approval Stages: This panel provides details of the approval stages of the request and its present status.

SAP - User Re-provisioning Requests in CUA Clients