Business Scenario


In one of the GRC projects I have worked on, the client’s requirement was to send the User Access Review workflow to the User for review at the first stage and then to the Manager for review. Since there is no standard User agent provided by SAP, we developed a custom user agent by making use of BRF+ functionality 🙂

BRF+ Agent Design

As per the User Access Review process, the UAR request generation job is scheduled first, which generates the requests. Then the UAR Workflow update job is scheduled, which pushes all UAR requests into the workflow, where they go to the corresponding workflow path and stages.

Since a “User Agent” is requested by the client, the “User” now also becomes one of the GRC Approvers, and hence the “User” should exist in the Target system and in the GRC system as well 🙂

Once the requests are generated by the “UAR Request Generation” job, they are stored in the GRC table “GRACREVITEM – Review Request Related Items”.

In our UAR User Agent design we used DBLOOKUP functionality to the table GRACREVITEM to get the result as UserID based on the UAR Request ID.

NOTE: This Agent design works for UAR workflows having MANAGER as REVIEWER 🙂

BRF+ Agent Configuration


You have to generate the BRF rule via transaction SPRO in the GRC system. Follow the steps below in your GRC system.

Run transaction SPRO and go to IMG => Governance, Risk and Compliance => Access Control => Workflow for Access Control => Define Workflow related MSMP rules.

Or

Directly execute Tcode GRFNMW_DEV_RULES


  • Fill generation criteria (Process ID, Rule type, etc.)
  • Specify Generation options
  • Generate rule shell (Execute button)


Click Execute or press F8. This generates a success message for the BRFPlus rule with its name and ID. You can run the BRF+ Tcode and check the newly created BRF+ application there.

Functions Signature Update


In BRF+ function, change the mode to “Event Mode” and activate the function as shown below.

  • Since Function mode has been changed to “Event mode,” the result data object has changed automatically, so it has to be reset manually
  • In “Signature” tab of BRF Function, change the result data object to GRFN_MW_T_AGENT_ID

Create Ruleset in BRF+ Application


Create Ruleset in your BRF+ application by clicking on “Create Ruleset” button under “ASSIGNED RULESETS” tab of function. Ruleset is a combination of business rules that can only be assigned to a function in the BRFPlus framework.


Create Rule within Ruleset – Create Expression of Type “Loop”


  1. Click on “Insert Rule” button to create new rule
  2. From within rule, click on “Add” -> “Process Expression” -> “Create” to create a new expression
  3. Create expression of type “Loop” and provide suitable name and description.
  4. The Loop gets created as shown below. Maintain Processing Mode and Loop Mode as mentioned below.

Create Rules within Loop Expression


First Rule


a. The Request ID field used in this agent rule is sent with a prefix, as “ACCREQ/REQ_ID”. Before doing the DBLOOKUP, the prefix has to be removed and only “REQ_ID” should be sent to the DBLOOKUP. To achieve this, I used a “FORMULA” expression with the SUBSTRING function.


b. Once the Request ID field is trimmed, it is used in the DBLOOKUP to get the UserID. The second rule is to create the DBLOOKUP for table GRACREVITEM.


c. Each LineItem in BRF+ needs to be assigned to the context parameter ITEMNUM, as we didn’t initialize the LineItem key.


Second Rule


Second rule is used to assign value to context as shown below. This rule will be included in your loop for inserting the values into Agent ID table after processing each LineItem.


Finally, the Loop expression will have all required rules as shown below.

Once the rules above are created, activate your expressions REMOVE STRING, DBLOOKUP, LOOP and FUNCTION. Then simulate your function: add Line Item rows, enter any Request_ID from table GRACREVITEM, and check that your agent returns the correct results.
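
The loop described above can be modelled outside SAP to decide which inputs to try in the BRF+ simulation and what each should return. This is an added example, not the author's rule or SAP code; the column names, the sample rows, the de-duplication of agents and the check against a set of GRC users are assumptions made here.

```python
PREFIX = "ACCREQ/"  # prefix the workflow puts in front of the request ID

# Constructed stand-in for GRACREVITEM; column names are assumptions.
REVIEW_ITEMS = [
    {"REQ_ID": "REQ0001", "USER_ID": "JDOE"},
    {"REQ_ID": "REQ0002", "USER_ID": "ASMITH"},
]
GRC_USERS = {"JDOE"}  # constructed: users that exist in the GRC system

# Constructed line items as the function would receive them.
LINE_ITEMS = [
    {"ITEMNUM": 1, "REQ_ID": "ACCREQ/REQ0001"},
    {"ITEMNUM": 2, "REQ_ID": "ACCREQ/REQ0001"},
    {"ITEMNUM": 3, "REQ_ID": "ACCREQ/REQ0002"},
    {"ITEMNUM": 4, "REQ_ID": "ACCREQ/REQ0404"},
]


def strip_prefix(raw):
    """First rule, step a: keep only REQ_ID for the lookup."""
    return raw[len(PREFIX):] if raw.startswith(PREFIX) else raw


def lookup_user(req_id, review_items):
    """First rule, step b: DBLOOKUP-style read, first matching row wins."""
    return next((r["USER_ID"] for r in review_items if r["REQ_ID"] == req_id), None)


def resolve_agents(line_items, review_items, grc_users):
    """Loop over line items; return (agent IDs, line items with no usable agent)."""
    agents, unresolved = [], []
    for item in line_items:
        req_id = strip_prefix(item["REQ_ID"])
        user = lookup_user(req_id, review_items)
        if user is None:
            unresolved.append((item["ITEMNUM"], req_id, "no review item row"))
        elif user not in grc_users:
            unresolved.append((item["ITEMNUM"], user, "user missing in GRC system"))
        elif user not in agents:  # second rule: add to the agent ID table once
            agents.append(user)
    return agents, unresolved


if __name__ == "__main__":
    print(resolve_agents(LINE_ITEMS, REVIEW_ITEMS, GRC_USERS))
```

Line items that end up in the second list are the cases to reproduce in the BRF+ simulation: a stage with no resolvable agent, or an agent who cannot log on to the GRC system, is a review that nobody performs.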



After verification, this BRF+ agent can be used in the MSMP UAR workflow, and your UAR requests can be routed to Users for Approval/Notifications 🙂



Looking forward to all your feedback 🙂

Thanks for reading.

Best Regards,

Madhu Babu Sai


12 Comments


  1. Alex Walters

    Great article, Madhu. I always enjoy reading your documents.

    In this scenario, are you still generating UAR requests by manager (config parameter 2006)?

    1. Madhu Babu Sai Post author

      Hi Alex,

      Thanks for your feedback. Yes, we are using MANAGER as reviewer. During my discussion on one of the SCN threads I came to know that GRACREVITEM is different when ROLE OWNER is reviewer, which I am working to check, to make things work using a single logic for both MANAGERS and ROLE OWNERS as reviewers, and will update the blog 🙂

      Regards,

      Madhu.

  2. Plaban Sahoo

    Hi Madhu,

    Thanks a lot for this document. It gives me insight into BRF+.

    I could not find the formula called SUBSTRING, which you have mentioned. Could you say from where you have put this?

    Also, I am stuck at the below action

    C. Each LineItem in BRF+ need to be assigned to context parameter ITEMNUM as we didn’t initialize the LineItem key.


    Could you suggest where I do this?


    Regards

    Plaban

  3. Simon Persin

    Hi There!

    I like the logic involved. I’ve done it slightly differently for my scenario – using a loop as the top expression in functional mode and then having the DB lookups calling each other in order to retain each in the context. However, you loop through a table GRFN_MW_T_UAR_RULE_LINE but I only have a structure following the generation of the BRF+ rule. Is this a custom object you have created or did it generate a table as part of your generation program?

    You can only loop through a table but not a structure, so I’m interested in how you got that object and filled it with the context values.

    Cheers Simon

  4. Muhammad Fazil

    Hi Madhu,

    I followed the document and was able to create a custom user agent rule. But can we send the provisioning log to the user via email? Meaning, I wanted the emails to carry information about the roles that have been removed as a part of the UAR process. Let me know if this is possible.

    Thanks.

  5. pavan amarnani

    Hello,

    I have created a BRF+ agent rule and assigned that rule ID to a custom agent in the MSMP Access Request workflow. Here the workflow calls the BRF+ rule, but the BRF+ rule does not execute and return a value. I am not getting any error in the audit log. The BRF+ rule is working fine in simulation.

    I did not use a Ruleset in the BRF+ rule creation, and it is functional mode based, not event mode.

    Please help me resolving the issue.

    Regards,

    Pavan.
