Skip to Content
Author's profile photo Former Member

Key difference between MSMP BRF+ rule and BRF+ flat rule ( lineitem by lineitem)

In MSMP, Access Controls 10.0 and 10.1 provides extremely flexible and powerful tool to configure Access Control workflows. In this blog we will try to understand some basic concepts about MSMP and BRF+.

Before we can start creating any BRF+ rule for MSMP, we need to understand the difference between MSMP BRF+ rule and BRF+ flat rule ( lineitem by lineitem ). The logic executed in both the rules is same but the difference is in the input, output and the way it is processed.

Following are some of key differences:

1.) MSMP BRF+ flat rule (lineitem by lineitem):

This rule is called flat rule or lineitem by line item rule because this rule is called by MSMP multiple times, once for each lineitem. So if in access request you have added 3 roles/systems, then this BRF rule will be called 3 times. As an input to this rule, MSMP sends detail of one lineitem at a time and this BRF rule provides result for that one lineitem only. BRF+ flat rule is easy to create as no loop is required and only one decision table (or other expression) is required for the logic. For example, consider an access request with 3 roles/system. In this case the BRF flat rule is called 3 times by MSMP with following input and output:

Input provided by MSMP to BRF+ flat rule in first call:

Item Name System Role Type LINEITEM KEY…
ROLE1 SYSTEM 1 SIN 0001

 

Output given by BRF+ to MSMP in first call:  

Lineitem Key Rule Result
0001 RolePath

Input provided by MSMP to BRF+ flat rule in second call:

Item Name System Role Type LINEITEM KEY…
ROLE2 SYSTEM 2 COM 0002

 

Output given by BRF+ to MSMP in second call:  

Lineitem Key Rule Result
0002 RolePath

Input provided by MSMP to BRF+ flat rule in third call:

Item Name System Role Type LINEITEM KEY…
SYSTEM1 SYSTEM1 0003

 

Output given by BRF+ to MSMP in third call:  

Lineitem Key Rule Result
0003 SystemPath

So the flat rule is called once for each lineitem which makes its creation easier as no looping is required which is required in case of BRF+ rule.

2.) MSMP BRF+ rule:

In this case, all the lineitems (roles, systems and FFID…) present in the Access Request are sent to the BRF rule in form of a table. After processing, this rule has to return a table with lineitem key and result. For example, in case of initiator rule the input to BRF rule can be following table. The roles/system shown here are one that are added to access request.

INPUT sent by MSMP to BRF+

Item Name System Role Type LINEITEM KEY…
ROLE1 SYSTEM 1 SIN 0001
ROLE2 SYSTEM 2 COM 0002
SYSTEM 1 SYSTEM 1 0003

 

For the above input, the output of BRF rule will be something like following:

OUTPUT given by BRF+ to MSMP

Lineitem Key Rule Result
0001 RolePath
0002 RolePath
0003 SystemPath

Please note that we have not shown the decision table which contains the logic to determine the path in case of initiator rule. Since complete request details are sent by MSMP to BRF+ rule for execution, so this rule is called only once by MSMP. Hence it is required that the logic to loop on all the lineitems has to be done within BRF+ rule. The decision table or other condition is called within the loop so that it is executed for all the lineitems one by one.

Key differences between BRF+ rule and BRF+ flat rule are again summarized below:

BRF+ Flat Rule BRF+ Rule
1.) Executed multiple times, Once for each lineitem 1.) Executed only once
2.) Details of one lineitem at a time passed to BRF rule by MSMP 2.) Complete request details passed to BRF rule by MSMP in form of a table
3.)Output of flat rule is result of one line item only 3.) Output of BRF+ rule is complete table with all lineitems
4.) Easy to create as no loop is required 4.) Complex as compared to flat rule as loop is required
5.) Some of business cases not possible in flat rule 5.) Almost all business cases can be achieved by BRF+ rule

Assigned tags

      9 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Madhu Babu
      Madhu Babu

      Perfectly explained .. Really helpful for the beginners.

      Author's profile photo Nishad Showkath
      Nishad Showkath

      Good Post... 🙂 Really informative....

      Author's profile photo Former Member
      Former Member

      Good Post.

      Regards,

      Venugopal Ireni

      Author's profile photo Former Member
      Former Member

      For MSMP enthusiasts 🙂 who have SAPexpert account ... long article tackling a lot of internal stuff around MSMP rules

      http://sapexperts.wispubs.com/GRC/Articles/Understand-and-Extend-SAP-Access-Control-10-0-Approval-Workflow?id=C6A0341397CE4E5D8D0D1E63ECCA6D1F#!

      Author's profile photo Former Member
      Former Member

      Hi Amanjit,

      I have created BRF+ flat rule(lineitem by lineitem) and decision table as per that, but dif. paths are not followed. could you suggest why

      /wp-content/uploads/2015/03/1_668432.png

      There are 2 diff. paths created for 2 diff. role name(type) Z* and non Z*. But my request always follows the non Z* path, as shown below. i have also tried hard-coding Line item no., but still it only follows only non Z* path.

      /wp-content/uploads/2015/03/2_668433.png

      Author's profile photo Former Member
      Former Member

      Enable MSMP rules debugging (TA GRFNMW_DEBUG and GRFNMW_DEBUG_MSG) to see what is your decission table in BRF+ actually really returning during runtime (you will see the calculated results of the BRF+ call for every line item in MSMP logs.

      Author's profile photo Former Member
      Former Member

      Hi Plaban

      i am a begineer ,couild u please share me screen shots for msmp and brf+ u followed for ur business scenario

      Author's profile photo Former Member
      Former Member

      hi Mahi,

      this blog should not be disturbed with new questions. you need to post a separate discussion

      regards

      plaban

      Author's profile photo Gustavo Soares
      Gustavo Soares

      Nice article. May I ask the following, please?

      a) are there examples of "Some of business cases not possible in flat rule", as per summary #5?

      b) which type should we use for decisions that affect the entire request and therefore the rule does not need to run multiple times or even loop? For example, the decision is based on request type or whether it contains risks.

      Thanks,
      Gustavo