In that case, it can be forwarded by the administrator.
But if you see, in my view, we are simply adding up additional work for the administrator.
Our objective is to reduce the workload.
So I will say no in most of my cases, because we know who is the role owner and who needs to be
reviewed.
Let us go to our GRC system and configure these parameters.
Let us log in to our system with our configuration user GRC_ALL.
Let us go to SPRO, SAP Reference IMG.
Go to governance, risk and compliance.
Go to access control.
Maintain configuration.
Let's go to new entries.
Let's go to user access review.
The first one which we see is 2004.
Here we are going to use the parameter value 011.
That is UAR review.
Next one, UAR review.
The next parameter id is 2005.
Default priority.
Here we are going to use 007.
Then we will go to user access review.
The next parameter which we are going to use is 2006.
Here I will use role owner.
Next one is 2007.
We also have additional parameters, let's say the number of line items per user access review, and notification and show approver and so on.
So we are going to use only the mandatory one which is required at the moment.
This is for admin review.
Here we are going to say no.
Let me save it.
Save the configuration.
Now we have done the parameter configuration for user access review.
Similarly for the SoD also you have SoD reviews and we can set these parameters for SoD review.
You can see SoD review and different parameters in a similar way.
We will also be able to do the SoD review.
You want to save the configuration.
Let's check okay.
Configuration is saved.
Let's go back to our presentation.
The next one is we need to define the user access review request type.
This is again a standard delivered request type.
We don't need to do anything.
We can simply go to define request type and make sure that UAR review is there in the request type.
Let's go to SPRO.
Then go to Governance, Risk and Compliance.
Go to access control.
This comes under user provisioning.
Then go to Define Request type.
You can see the request type 011.
This is the one which we have configured in our configuration setting.
UAR review, that is active and linked to GRC user access review.
Okay, this is the MSMP process ID. In this configuration it is there, so we don't need to do any major changes here.
The next configuration which we need to do is the MSMP configuration, the process ID which we are going to use here.
As we see in our previous slide, that is GRAC User Access review.
In the first stage, we are not going to make any changes.
Then we go to the next stage.
Here we have agent routing as well as the initiator rule.
The most important is our initiator rule.
And this will be the default result.
We will use the default result.
As it is we will not make any changes here.
We will make it simple as we have seen in our previous exercises.
If it is really required for you to change, I recommend you need to change the default value to your
own values.
Then it will be very easy to identify and for the future users, the next stage we are just skipping
the agent and variables.
Here we will come to path because here we are not making any changes.
Here in the path we have the default path.
We will use the default path where we have a default state, the default stage.
We will use the reviewer as GRAC user access review reviewer.
Anyone approve, work and approve?
And this will be the default stage which we will be using.
Then we need to define the route mapping.
Route mapping is already defined.
We will use the standard as it is.
Unless you have changed some of the configuration, we can use it as it is, and we will save and generate the version for the MSMP configuration.
Now let us go to the system and make the MSMP configuration.
Let us go to our GRC system.
Let us go to MSMP configuration.
Let's log in using the user GRC_ALL.
Okay.
The process ID which we are going to use is GRC User Access review.
We will go to the change mode go to next.
Here we have agents routing agent role notification variable.
And let's check the initiator.
Initiator role we have the result GRC default result.
We will be using the same result as it is.
Maintain agent, maintain variables and templates.
We are not going to make any changes.
Let's go to maintain path.
Here we are going to use the default path as it is.
Let's go to stage.
We have the default stage.
Let's go to modify and show details.
We need to define the agent.
We are going to use the agent GRAC reviewer.
And let us say approval type, any approval.
Let me save it.
And we can also check the modified task setting.
We have enabled okay.
Reject user forward.
User allowed.
Okay.
We will keep everything default as it is.
Let's save it.
Then let's go to the next stage.
Route mapping.
So this is the role ID.
This is the result map to this path.
So this is all default.
We did not make any changes.
So we don't need to make any changes here.
Let's go to next.
And let's go to save and simulate.
This will be configuration.
So it's all saved.
We don't have any Errors.
So let me activate.
The new version is created.
So the MSMP configuration is done.
Let's go back to our presentation.
The next configuration which we need to do is that we need to define the coordinator.
We need to manage the coordinator.
All the coordinator basically.
Coordinator means who is triggering this event.
They need to have who is the reviewer detail who is going to review this.
So in our case the coordinator is that we are going to use the GRC_ALL user as the coordinator.
And we will use the role approvers.
Anyway, we are going to use the role approver as a reviewer as well as the approver.
So we are going to use the AC role approver as the reviewer.
This is again one of the step which we need to do in the configuration that we need to define the
reviewer.
In our case, the reviewer and approver is role owner.
So we are simply going to use that one and we can manage the coordinator using this functionality.
So let us go to our system and configure this.
Let us go to NWBC.
GRC_ALL user.
Then go to Access Management.
Then we go to compliance certification review.
Then go to manage coordinator.
And create.
GRC underscore all.
This is the user we want.
And AC underscore role approver.
Okay.
This is a user we want.
Okay.
We assign both the user and save it close.
You can see that we have created the coordinator.
Close this.
And you can also, let's say, review the request.
You can also manage the rejections here.
Now this is created let us go to our presentation.
The next step is to generate the user access review request.
For that we need to go to scheduling similar to what we did in our previous exercises.
We go to schedule.
We need to create a schedule.
Basically we need to generate this report.
We need to create a schedule name.
And we need to define generate data for access request UAR.
Okay.
We will create an access request and this can be planned.
And in our case we simply schedule it immediately.
And you can generate this on a periodic basis.
The next screen we need to select the parameters here.
Basically we need to select the connector of course.
And we can also select different parameters, let's say different users, for specific users.
Or let's say you want to include some user.
You want to exclude some user.
You can also generate based on function area organization level.
In our case we will use roles because we have many users actually in the Aida system.
As I said, the Aida system is quite big system, which have a lot of users and a lot of roles.
If you remember, this is the role which we have used it before.
So I'm going to run it simply for one specific role, simply to reduce the number of entries in the particular request.
Because these requests also have some limitations, you cannot just run it for the whole system on one request, because that will have again quite a lot of data which will be generated depending on the situation.
You can also limit, let's say based on the user groups or let's say user type or organizations like
this.
You can schedule it.
In general, if you see if it's a big system, we don't run everything in one day.
We need to create a schedule like we do it over a period of 1 or 2 weeks in every semester.
Then we schedule it for each organization.
Then once this is finished, then we will move on.
Then it will also be easy to monitor.
So always schedule it in smaller chunks so it is easy to monitor.
Don't schedule it for the entire system.
Then we create the schedule and we will define the schedule.
So let's go to the system and create the schedule.
Let's go to NWBC.
And let's go to background scheduler.
Let's say create.
I will say user access review one.
And here you can see yeah here user access review.
And we are not doing recurrent planning.
We will say start immediate and go to next.
Here we are going to select the connector.
And let's also define a role name here.
Let's take the first one.
Okay.
This is our selection criteria.
Let's go to next.
Okay.
This is what we have selected and let's say finish.
Now you can see this is successfully created.
We can see in the status also completed.
Let's go back to our presentation.
The next step is to view the background job so we can go to the background jobs.
We need to check all the events are green.
We need to make sure everything is green.
If there is a warning or error message, please go through the error message and you can fix
accordingly.
So generally you don't get many issues in this one.
Generally you get some warnings.
Let's say you have a number of entries are higher or the coordinator missing, or this kind of information you will get it.
Let's say you selected something.
However there is no proper reviewer or approver is present, then you should be able to see it in this
event or in this detail.
So if you go to the detail, then you should be able to see in that long text.
So let us go to our NWBC.
Let me close this.
And go to background jobs.
You can see this is the one.
Let's select this view result.
So all green.
You can see this is the job number.
And total number of users are 15.
And total number of role is 15 and one UAR request has been created.
That means we have one request is created for this.
And total number of request is one.
Because all the approver required for this specific role is only one.
That's the reason it created only one request.
Let's say if you have multiple approval, then you should create multiple request depending on the selection criteria.
Depending on the selection criteria and the approval required, it will automatically create multiple request.
Let's close this.
The next step is we can also search the UAR request to see where is this particular request and how this request is flowing.
Let's go to search request.
Here let's select User access review workflow and search.
And this is the request which is created.
That is one 212.
And the priority is 007.
And let's select this go to audit log.
You can see right now this is pending with the user the approver yes.
Role approver based on our selection criteria.
This is pending with this user.
Next step is to approve the user request.
So once you log in to the specific user.
The user should get the approval workflow.
Once they select the approval workflow.
Then they should have this kind of screen.
That means based on the selection criteria.
Let's say how many users who have this specific role which we have selected.
Once they go to this one, they can select the options using the approve or remove role using these
buttons.
Basically, they need to go to each and every user and approve whether these specific user required
this role or not required this role.
This specific request has all the users with this specific role.
Then we need to go to each and every User and confirm whether this is approved or rejected.
Once that is done, then you will submit the request.
That means you will submit your action, what you have selected, whether you approve or remove it.
Then you need to approve the request on the request level.
This is on the item level.
Small small item.
That means each user we need to approve.
So once you have done that then you need to submit.
Then you need to approve the request.
Then only it will go for actions.
Then the request will be approved.
Once the request is approved, then we could also see that specific role is being removed from the user depending on your approval.
So let us go to the system and approve the request.
Let me log out from here.
Role approver.
Let's go to work inbox.
So I have the approval request for the request ID, which we have created.
Let's open this.
Now you can see this is the role and these are all the users.
So each user we need to select and say approve.
You can also select multiple users here.
Let's say approve.
Let's say we are going to use this user to remove the role.
Before that let me also just to show you what all the roles available for this user.
This is the user which we have created using our GRC.
Let me go to the back end system H8.
Let's go to SU01D.
Test.
UGM 21.
This is the user.
We will use it for our testing.
Okay, this has both the roles and if I go to 22.
This has only this role.
Okay so let's go to these users.
And I say approve only this user I will say remove role and all other I will simply approve it.
So we are going to remove this role only from one user in our case.
So once you have done this for each entries here we need to do that.
And we can also provide attachment comments and all other things.
Let's say if you want to forward a specific item you can also forward it.
And like this you have lot of other functionalities.
Let us submit it.
Now we have submitted our decision.
Okay, then we need to approve the request.
This decision is on individual role level.
And now we need to approve it.
Now we have approved it.
Let's cancel this.
Let's go back.
Let's go to access management.
Then go to search request.
And let's select the access review search.
Select.
Let's look into the audit log.
This audit log is quite interesting.
As you can see we have approved the role for these users.
Okay.
Only this user we set remove for user UGM 21 and 22.
We have approved.
Okay.
Like this.
You have approved for all other user except the ARM 21.
Let me pause this if I go back to the gate system.
So the first user arm 21.
You can see that role is removed.
Only one role is available.
The role which we have marked for removal is removed automatically.
And if you go to two.
The role already exist.
There is no change in our example.
We are doing it for one user.
Let's say if in a big landscape this is going to be a huge exercise which can be automated like this
very easily.
With this, we are coming to the end of this particular session.
Thank you very much for listening.
I will see you in the next session.
Bye bye.