SAP ABAP IMG Activity GRACVC_PROFCONFIG (Maintain Provisioning Settings)
Hierarchy
GRCFND_A (Software Component) GRC Foundation ABAP
   GRC-AC (Application Component) Access Control
     GRAC_ADAPTORS (Package) Access Control GRC Calls for Plag-in's and WSDL
IMG Activity
ID GRACVC_PROFCONFIG Maintain Provisioning Settings  
Transaction Code S_GF1_13000007   (empty) 
Created on 20100216    
Customizing Attributes GRACVC_PROFCONFIG   Maintain Provisioning Settings 
Customizing Activity GRACVC_PROFCONFIG   Maintain Provisioning Settings 
Document
Document Class SIMG   Hypertext: Object Class - Class to which a document belongs.
Document Name GRACVC_PROFCONFIG_DOC    

Use

In this Customizing activity, you can maintain the User Provisioning settings. The user provisioning feature collects approvals and then provisions user access to the target systems.

By default, user provisioning is done automatically by the application. If you do not want to use auto provisioning, then you must select No Provisioning. Auto provisioning is available for SAP systems and non-SAP systems only by way of plug-ins. Plug-ins are not required for SPML-based provisioning systems such as LDAP.

You can specify whether auto provisioning must be done globally or by system. All global auto provisioning features are superseded by the system settings.

Auto provisioning can be done in two ways:

  • Direct Provisioning: In this case the application carries out provisioning on the SAP User Master Record by using transaction SU01. You must use this method in the following cases:
    • When you do not use the SAP HR system
    • When you use SAP HR and assign security roles directly to the user
  • Indirect Provisioning: In this case the application sends a request to the SAP HR system, and then the SAP HR system carries out the provisioning. You must use this method if you assign security roles based on the user's position in the HR organization.

Requirements

You have ensured that the Customizing activity Maintain AC Connector Settings is already performed.

Standard settings

Activities

The following options apply to both the Global Provisioning and the System Provisioning options, though the screen layouts for both are different. The settings in the System Provisioning options supersede the Global Provisioning settings.

  1. Select the Role Provisioning Type as described below:
    • Direct
      The application carries out provisioning directly on the user master record.
    • Indirect
      The application uses the SAP HR system to carry out provisioning. You must also select one of the following HR object types, which the application needs to transmit to the HR system: Position, OrgType, or Job.
    • Combined
      The application first uses indirect provisioning. If it is unsuccessful, then the application uses direct provisioning. You must choose the HR object type that the application uses for indirect provisioning.
  2. Choose Auto Provisioning options:
    • Auto Provision at End of Request
      Select this option to begin provisioning when all of the workflow paths in the submitted request are approved.
    • Auto Provision at End of Each Path
      Select this option to provision the access requested for each path as the path is approved. This method works only when the request splits into parallel workflows.
    • No Provisioning
      Select this option to turn off auto provisioning.
    • Manual Provisioning
      Select this option if provisioning must be done by an approver at an approval stage. This can be done at the last stage using stage configuration.
    • Manual Provisioning with Auto Password Generation
      This case is the same as Manual Provisioning; however, the approver cannot set the user password.
  3. Choose Create User Options.
    Use this feature if you want the provisioning process to automatically create a user in case no record is found for the user. You can select one of the following options:
    • For Change User Option
      Apply this feature only for requests of the action Change User.
    • For Assign Role Option
      Enable this feature only for requests of the action Assign Role.
  4. Maintain Account Validation Check. You can choose whether the application displays a warning message or an error.
    The application performs the following two checks:
    • Whether or not the target connector is working properly
    • Whether or not the user exists in the target system; for example, if the user exists in the target system, the application does not create a request for user creation.
  5. Maintain the Role Assignment.
    From the Provisioning Effective Immediately dropdown list, select one of the following options:
    • Yes: The provisioning takes place immediately.
    • No: The provisioning takes place at a later time.
  6. Maintain the Old Role Delimit Duration.
    Enter the length of time in Years, Months, and Days for transitioning from an old position to a new position. Use this setting with SAP HR indirect provisioning only.
  7. Maintain the Password Expiration for ORAAPPS.
    Select the basis on which the password expires: number of days, number of accesses, or none. For Days and Accesses, you must also enter the number.
  8. Maintain Deactive Password.
    Select the checkbox to enable this feature if you are using Single Sign-On (SSO) and do not want to allow dialog logons.
    If you set this option in the Global Provisioning Configuration, it applies to all systems.
    If you set this option in the System Provisioning Configuration, it applies only to the specified system.
    Once you enable this feature, the application disables passwords for all new access requests. For all users with passwords activated prior to this, you must disable the passwords via transaction SU01.

    Note: If you have chosen to deactivate passwords here, but you have enabled PSS for the connector in the Customizing activity Maintain Connector Setting, when the user tries to use PSS, the application displays a message indicating the connector is not valid for password activation.
  9. Maintain E-mail Status.
    Choose whether the application must send the user's password in an e-mail. If you choose Yes, then you must also specify the number of seconds for which the password is valid.
    If you choose No, then the application includes a link in the e-mail notification. The link opens an HTML page with the details of the password.

Example

Business Attributes
ASAP Roadmap ID 201   Make global settings 
Mandatory / Optional 2   Optional activity 
Critical / Non-Critical 2   Non-critical 
Country-Dependency A   Valid for all countries 
Maintenance Objects
Maintenance object type C   Customizing Object 
Assigned objects
Customizing Object Object Type Transaction Code Sub-object Do not Summarize Skip Subset Dialog Box Description for multiple selections
GRACVC_PROFCONFIG C - View cluster SM34  
History
Last changed by/on SAP  20100719 
SAP Release Created in 600