Component documentationCompliant User Provisioning Locate this document in the navigation structure

 

Compliant User Provisioning (CUP) is a capability of SAP GRC Access Control. It provides compliant user provisioning across enterprise systems. Included are access request self-service, approvals, compliance checks, proactive resolution of access controls, and provisioning.

CUP also provides standard reports, located on the Informer Tab.

Both CUP and RAR capabilities introduce a configurable reporting data mart that enables customized reporting by integrating your reporting tool of choice.

  • The data mart extracts the relevant data from the RAR and CUP and converts the data for reporting purposes

  • The data mart is nonhistorical

  • Data mart schema are published, which enables customers to integrate with any reporting tools.

    For more information, see the GRC Access Control Configuration documentation.

CUP combines predefined roles and permissions with configurable workflow capabilities, thus automating and expediting user provisioning throughout an employee’s lifecycle with the company.

CUP prevents violations of separations of duty (SoD) and helps to ensure corporate accountability and compliance with Sarbanes-Oxley, and other laws and regulations.

Users can request system access using a context-based selection of role descriptions that are defined using the Enterprise Role Management (ERM) functionality, another capability in the SAP BusinessObjects Access Control application.

When a user requests access to a system, CUP automatically forwards the access requests to designated managers and approvers within a predefined workflow that is customized for the enterprise. The CUP workflow engine considers the functional responsibility of the requestor and the type of access request being made, and automatically determines the appropriate routing for access approval.

CUP prevents access-approval delays by routing requests to back up approvers when primary approvers are unavailable or have not responded.

CUP automates the following user provisioning activities:

  • Creating users

  • Changing users

  • Deleting users

  • Locking/Unlocking users

  • Resetting user passwords

  • Assigning roles to users

  • Removing and changing role validity for users

  • User access review

CUP users comprise three categories.

  • Requestors: users who can request access for themselves and, potentially, for other users as well; however, they are not empowered to approve any access requests.

  • Approvers: users who can request access on behalf of themselves and others, and they can approve access requests. They can also create and view related reports.

  • System Administrators: IT professionals who manage the Compliant User Provisioning configuration and the overall system landscape.

    System Administrator functions are not part of the present documentation. Rather, for further information for System Administrators, see the Configuration activities documentation.

User categories and related application tabs

User Category

Compliant User Provisioning Tabs

Requestor

Uses the My Work tab

Approver

Uses the My Work tab and the Informer tab

System Administrator

Uses:

  • My Work tab

  • Informer tab (reporting)

  • Configuration tab

More Information