Key difference between MSMP BRF+ rule and BRF+ flat rule ( lineitem by lineitem)
In MSMP, Access Controls 10.0 and 10.1 provides extremely flexible and powerful tool to configure Access Control workflows. In this blog we will try to understand some basic concepts about MSMP and BRF+.
Before we can start creating any BRF+ rule for MSMP, we need to understand the difference between MSMP BRF+ rule and BRF+ flat rule ( lineitem by lineitem ). The logic executed in both the rules is same but the difference is in the input, output and the way it is processed.
Following are some of key differences:
1.) MSMP BRF+ flat rule (lineitem by lineitem):
This rule is called flat rule or lineitem by line item rule because this rule is called by MSMP multiple times, once for each lineitem. So if in access request you have added 3 roles/systems, then this BRF rule will be called 3 times. As an input to this rule, MSMP sends detail of one lineitem at a time and this BRF rule provides result for that one lineitem only. BRF+ flat rule is easy to create as no loop is required and only one decision table (or other expression) is required for the logic. For example, consider an access request with 3 roles/system. In this case the BRF flat rule is called 3 times by MSMP with following input and output:
Input provided by MSMP to BRF+ flat rule in first call:
| Item Name | System | Role Type | LINEITEM KEY… |
|---|---|---|---|
| ROLE1 | SYSTEM 1 | SIN | 0001 |
Output given by BRF+ to MSMP in first call:
| Lineitem Key | Rule Result |
|---|---|
| 0001 | RolePath |
Input provided by MSMP to BRF+ flat rule in second call:
| Item Name | System | Role Type | LINEITEM KEY… |
|---|---|---|---|
| ROLE2 | SYSTEM 2 | COM | 0002 |
Output given by BRF+ to MSMP in second call:
| Lineitem Key | Rule Result |
|---|---|
| 0002 | RolePath |
Input provided by MSMP to BRF+ flat rule in third call:
| Item Name | System | Role Type | LINEITEM KEY… |
|---|---|---|---|
| SYSTEM1 | SYSTEM1 | 0003 |
Output given by BRF+ to MSMP in third call:
| Lineitem Key | Rule Result |
|---|---|
| 0003 | SystemPath |
So the flat rule is called once for each lineitem which makes its creation easier as no looping is required which is required in case of BRF+ rule.
2.) MSMP BRF+ rule:
In this case, all the lineitems (roles, systems and FFID…) present in the Access Request are sent to the BRF rule in form of a table. After processing, this rule has to return a table with lineitem key and result. For example, in case of initiator rule the input to BRF rule can be following table. The roles/system shown here are one that are added to access request.
INPUT sent by MSMP to BRF+
| Item Name | System | Role Type | LINEITEM KEY… |
|---|---|---|---|
| ROLE1 | SYSTEM 1 | SIN | 0001 |
| ROLE2 | SYSTEM 2 | COM | 0002 |
| SYSTEM 1 | SYSTEM 1 | 0003 |
For the above input, the output of BRF rule will be something like following:
OUTPUT given by BRF+ to MSMP
| Lineitem Key | Rule Result |
|---|---|
| 0001 | RolePath |
| 0002 | RolePath |
| 0003 | SystemPath |
Please note that we have not shown the decision table which contains the logic to determine the path in case of initiator rule. Since complete request details are sent by MSMP to BRF+ rule for execution, so this rule is called only once by MSMP. Hence it is required that the logic to loop on all the lineitems has to be done within BRF+ rule. The decision table or other condition is called within the loop so that it is executed for all the lineitems one by one.
Key differences between BRF+ rule and BRF+ flat rule are again summarized below:
| BRF+ Flat Rule | BRF+ Rule |
|---|---|
| 1.) Executed multiple times, Once for each lineitem | 1.) Executed only once |
| 2.) Details of one lineitem at a time passed to BRF rule by MSMP | 2.) Complete request details passed to BRF rule by MSMP in form of a table |
| 3.)Output of flat rule is result of one line item only | 3.) Output of BRF+ rule is complete table with all lineitems |
| 4.) Easy to create as no loop is required | 4.) Complex as compared to flat rule as loop is required |
| 5.) Some of business cases not possible in flat rule | 5.) Almost all business cases can be achieved by BRF+ rule |
Perfectly explained .. Really helpful for the beginners.
Good Post... 🙂 Really informative....
Good Post.
Regards,
Venugopal Ireni
For MSMP enthusiasts 🙂 who have SAPexpert account ... long article tackling a lot of internal stuff around MSMP rules
http://sapexperts.wispubs.com/GRC/Articles/Understand-and-Extend-SAP-Access-Control-10-0-Approval-Workflow?id=C6A0341397CE4E5D8D0D1E63ECCA6D1F#!
Hi Amanjit,
I have created BRF+ flat rule(lineitem by lineitem) and decision table as per that, but dif. paths are not followed. could you suggest why
There are 2 diff. paths created for 2 diff. role name(type) Z* and non Z*. But my request always follows the non Z* path, as shown below. i have also tried hard-coding Line item no., but still it only follows only non Z* path.
Enable MSMP rules debugging (TA GRFNMW_DEBUG and GRFNMW_DEBUG_MSG) to see what is your decission table in BRF+ actually really returning during runtime (you will see the calculated results of the BRF+ call for every line item in MSMP logs.
Hi Plaban
i am a begineer ,couild u please share me screen shots for msmp and brf+ u followed for ur business scenario
hi Mahi,
this blog should not be disturbed with new questions. you need to post a separate discussion
regards
plaban
Nice article. May I ask the following, please?
a) are there examples of "Some of business cases not possible in flat rule", as per summary #5?
b) which type should we use for decisions that affect the entire request and therefore the rule does not need to run multiple times or even loop? For example, the decision is based on request type or whether it contains risks.
Thanks,
Gustavo