SAP - Role Assignment

The SAP - Role Assignment request type enables you to:

• Assign SAP roles to users in SAP or revoke existed roles. This request can also be used to assign roles in CUA managed clients.
• Change user details such as validity period
• Change the validity period for role assignments

Roles can be assigned to only one user at a time.

By default, this feature is enabled. To disable this feature, the AMSConfig.xml file located at [Install Path]\PresentationServices\xml should be modified by changing the <enableamiforbizrights> node to 'false'.

To create a SAP - Role Assignment type of request:

1. Provide details on the following panels
   • General Information: Use this panel to provide the following general information about the request.
     • Request Name: Provide a unique name to identify the request.
     • Request Priority: From the drop-down list, select a priority for the request.
     • Connection: Select the connection for which the request is being created. If a connection is set from the Preferences page, it is selected by default in this drop-down list. You have the option of removing this connection and adding another connection.

       To select a connection, type in a part of the connection name in the autosuggest text box. All connection names matching the search criteria are displayed. Select the required connections. Alternatively,  browse and select the desired connections and click OK. The selected connections appear in the grid below.

       Note: The connections displayed in the drop-down list are a combination of both mapped and unmapped connections. You can select multiple mapped connections, but the following combination of connections is not supported by Infor Risk & Compliance as the users in these connections will be different:

       • Mapped and unmapped connections.
       • Multiple unmapped connections.

       For details on mapped and unmapped connections refer to the topic create or modify a connection.

       When selecting multiple connections, if a CUA Central System connection is selected along with another SAP connection, the CUA Central System connection will overwrite the selected SAP connection.

       CUA Requests

       Select the entry 'CUA Central System' so that you can make changes across multiple clients through a single request.

       Note: In case of secured connections, users signed into Infor Risk & Compliance will be able to view and use only those connections that they have access to.
     • Select User ID: Select the user who is to be assigned new roles. To select a user, type in a part of the user name. All users from the selected connections and matching your search criteria will be displayed. If multiple connections are selected and the same user exists in those connections, the user will be displayed multiple times. Select the required user. Alternatively, browse and select the required user and click OK.The selected user appears in the Select User field .
       Note: If users are manually mapped, the browse window will display the mapped name and not the ERP name. Write-back to the ERP will be on the basis of the mapped name.

       If users are manually mapped, the browse window will display the mapped name and not the ERP name. Write-back to the ERP will be on the basis of the mapped name.

       Note: If a request for the same user is already pending, Infor Risk & Compliance displays a message alerting you about the duplicate assignment. You have the option to continue the request, cancel it or select a different user.

       If the request is continued, then, during the approval process, the approver will see the message in the Previous Comments section. After you select a user, the screen will display the roles already assigned to the selected user and will allow you to add or remove roles. If the connection selected is a mapped connection then the list of roles assigned to the user from the other connections are also displayed.

     • Full Name: This field is a read only field that displays the full name of the selected user.
     • Valid From: The Valid From text box enables you to provide a date from which the selected role is valid.
       • If a valid from date is already selected for the user, that date appears in the text box. Click the Calendar icon to modify the date or select Date of Approval if the validity period is to begin from the date of approval of the request.
       • If a valid from date is not set for the selected user, click the Calendar icon to either select a specific date or select Date of Approval .
     • Valid Through: The Valid Through text box enables you to provide a date till the selected user is valid.
       • If a Valid Through date is already selected for the user, that date will appear in the text box. Click the Calendar icon to modify the date or select Never Expires.
       • If a Valid Through date is not set for the selected user, you can click the Calendar icon to either select a specific date or select Never Expires.
         Note: The Valid Through date can either be the current date or a future date.
     • Approval Manager: Select the name of the Infor Risk & Compliance user who will be an approver for the this request if the user's manager is unable to approve the request. For example, if the approval template has Manager of User as the approver at one or more stages but the manager is out of office
       Note: The Approval Manager field will be enabled only if the option 'Allow user to redirect request' is selected on the Access Management section on the Configuration page.
       To select an Approval Manager, type in a part of the user name. All users from the selected connection that match your search criteria are displayed. Alternatively, browse and select the desired user and click OK .
     • Assign Roles as this user: Specify the name of the user whose roles you want to assign to this new user. To select a user, type in a part of the user name in the autosuggest text box. All users matching the search criteria will be displayed. Select the required user. Alternatively, click the Browse icon to browse for and select the desired user and click OK. The selected user appears in the Assign Roles as this User field.
       Note: You can configure the WhatIfSettings.xml file to enable or disable this functionality. By default, this functionality is enabled.
     • Additional User Attributes: Select additional user attributes if required and provide values for them. User attributes can be configured for all connections in which the user is present and should be enabled through the additionaluserattributes.xml file so that they are displayed on the request creation page. For details , see the respective Configuration Settings Guide.
       Note: Any additional user attributes added cannot be connected and cannot write back to SAP .
   • New Roles to be assigned: This panel enables you to assign new roles to the selected user. If you have selected an existing user in the Assign Roles as this user field, this panel will list the roles belonging to that user as well.

     Click the look up option on the Roles field. Select one of these options to assign new roles:

     • Role Name and Description
     • Roles with Authorization
     • Roles with Transaction
     • Roles assigned to User
       Note: You can configure the WhatIfSettings.xml file to enable or disable this functionality. By default, this functionality is enabled.
     • Roles by Functional Areas
     Type in part of the role name. All roles from the selected connection and matching the search criteria are displayed. Select the required role name. Alternatively, browse for the required role . The newly selected role is displayed below and marked with an icon.

     Import Roles : If you wish to select multiple roles, you have the option of importing these roles through a CSV file.

   • Already assigned roles: This panel displays roles already assigned to the selected user in the selected connection. If the selected connection is a mapped connection, this panel will also list the roles assigned to this user in other connections to which the user belongs.
     Note: Click Undo to reset the revoked roles.
     • Revoke existing roles: This panel enables you to revoke any of the roles already assigned in the selected connection. Roles assigned to this user in other connections cannot be revoked. To revoke a role, select the check-box next to the role to be revoked and click Revoke . The role will be revoked after the request undergoes the approval process. By default, all existing role assignments can be revoked through this request. This means that users can have zero role assignments. You can modify this default setting in the AMSConfig.xml file to ensure that all existing roles are not revoked. For details see the Configuration Settings Guide .
       Note: Indirect assignments, that is, single roles belonging to a composite role cannot be revoked. Only direct assignments can be revoked or the validity period changed.

       Composite roles are listed on the User Interface marked with an icon.

       Note:  The Valid From and Expires On dates can be changed for existing roles assigned. The validity date changes can be viewed from the Request Details for SAP page.
   • More Details
     • Comments: Provide additional information about the request through comments. Comments are mandatory if the Infor Risk & Compliance option check box on the Access Management section of the Configuration page is selected.
     • E-mail settings: This tab enables you to send email notifications to request participants or other users at specific stages of a request.
       1. Select any of the request status check boxes next to a user. Email notifications will be sent to that user when the request reaches that status. The option Approval Email Notification ensures that a user is notified whenever a request is posted to that user's inbox.
       2. Select the check box Display comments in email notifications, if you want the application to display comments in the notification.
       3. Other users can be notified by selecting the option Others. Provide the email address for the other users in the Other emails text box and click the Add icon.
       Note: Email settings are enabled and may be changed only if the check box Override this Option is selected in the Options panel of the Approval Process Template page.
     • Approval Stages : This panel provides details of the approval stages of the request and its present status .
   Note: Role Assignment for SAP requests support only automatic request completion.
2. Click Send. The request is sent to the specified approvers and is displayed on the Requests home page. Click the request link to view the request details and take further action.

A Role Assignment request can also be generated from the What-if analysis for Role Assignment .

Role Assignment Requests in CUA Clients: Role assignment requests for CUA clients can be created as above, except for the following details:

• Connections : From the Connections drop-down list, select the required CUA connection:
  • Select a CUA Central System: To assign roles to  the user in multiple child connections associated with the selected master connection.
  • Select the required child connection: To assign the required roles to the user in this connection only.
• New Roles to be Assigned panel: The options available in this panel vary depending on the option selected in the Connections drop-down list.
  • A CUA Central System is selected :If a CUA Central System is selected and the user is present in two or more child connections, this panel displays two drop-down lists.
    • The drop-down list on the left lists all the child connections in which the selected user is present.
    • The drop-down list on the right lists all the SAP roles available in the listed child connections.

    To assign roles to the user, you need to select roles in each child connection separately as follows:

    1. From the drop-down list on the left, select the required child connection.
    2. From the drop-down list on the right, select the required roles to be assigned to the user in this connection.

    To assign roles to all the child connections associated with the selected CUA master connection, select the option All in the first drop-down list and select the required role.

    Import Roles : If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles can be imported and selected to be assigned:

  • A child CUA connection is selected: If a child CUA connection is selected, select the roles to be assigned as follows:
    1. Type in a part of the role name. All roles from the selected connection and matching the search criteria will be displayed. Select the required roles from the drop-down list.  Alternatively, browse and select the desired role. All roles from the selected connection are available for selection.
    2. Click OK. The selected roles appear in the panel below and are identified with an icon and the role is assigned to the user in this child connection only.

    Import Roles : If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles can be imported and selected to be assigned:

  • Two or more child CUA connections are selected : If two or more child connections are selected in the Connections drop-down list, this panel displays two drop-down lists:
    • The drop-down list on the left lists all the selected child CUA connections.
    • The drop-down list on the right lists all the SAP roles available in the selected child connections.

    You need to select roles for each child connection separately as follows:

    1. From the drop-down list on the left, select the required child connection.
    2. From the drop-down list on the right, select the required roles to be assigned to the user in this connection.

    Import Roles : If you wish to select multiple roles, you have the option of importing these roles through a CSV file. Only the following roles can be imported and selected to be assigned: