
SAP GRC 10.0/10.1/12.0 – BRF+ Agent Rule based on Location field using LOOP

Purpose

In MSMP, Access Control 10.0 and 10.1 provide an extremely flexible and powerful tool for configuring workflows. This document shows how to create a BRF+ MSMP agent rule (NOT line item by line item), using a real business case in the context of an access request.

Overview

In GRC 10/10.1, SAP provides different ways of determining agents for a stage in an access request. This scenario determines the Role Owner for a role using a custom BRF+ application based on the Location field and the Role Name. A common scenario is that the PFCG roles are the same but the approvers should differ depending on the location; a custom BRF+ agent rule is used to achieve this.

 

Steps to build the BRF Rule:

Creating BRF+ Rule for determining Agent based on Location Field

Generate the BRF+ rule via transaction SPRO in the GRC system by following the steps below.

Run transaction SPRO and go to IMG => Governance, Risk and Compliance => Access Control => Workflow for Access Control => Define Workflow related MSMP rules.

Or

Directly execute Tcode GRFNMW_DEV_RULES.

  • Fill generation criteria (Process ID, Rule type, etc.)
  • Specify Generation options
  • Generate rule shell (Execute button)

 

Click Execute or press F8. This generates a success message for the BRFPlus rule with its name and ID. You can then run the BRF+ Tcode and check the newly created BRF+ application there.

Functions Signature Update

In the BRF+ function, change the mode to “Event Mode” and activate the function as shown below.

  • Because the function mode has been changed to “Event Mode”, the result data object changes automatically, so it has to be reset manually
  • In the “Signature” tab of the BRF+ function, change the result data object to GRFN_MW_T_AGENT_ID

Create Ruleset in BRF+ Application


Create a Ruleset in your BRF+ application by clicking the “Create Ruleset” button under the “ASSIGNED RULESETS” tab of the function. A Ruleset is a combination of business rules that can only be assigned to a function in the BRFPlus framework. Enter any name for the Ruleset and click “Create and Navigate to object” as shown below. The Ruleset is created and a success message is displayed as shown below:

Create Rule within Ruleset – Create Expression of Type “Loop”

  1. Click the “Insert Rule” button to create a new rule
  2. Within the rule, click “Add” -> “Process Expression” -> “Create” to create a new expression
  3. Create an expression of type “Loop” and provide a suitable name and description

The Loop is created as shown below. Maintain Processing Mode and Loop Mode as mentioned below.

Create Rules within Loop Expression

Once the above is done, activate your Loop. The final Ruleset expression looks as shown below. Simulate your function and check that the data is correct.
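The logic that the loop-based rule implements can be modelled in plain Python. This is an added example, not the author's BRF+ configuration or SAP code: the role names, locations, user IDs and owner table are constructed, and the request is assumed to carry one Location value with several role line items.

```python
# Added illustration: a plain-Python model of a loop-based agent rule.
# Every name and sample value here is constructed for this example.

# Constructed mapping: (role name, location) -> role owner user IDs.
OWNER_TABLE = {
    ("Z_FI_AP_CLERK", "US01"): ["OWNER_US"],
    ("Z_FI_AP_CLERK", "DE01"): ["OWNER_DE"],
    ("Z_MM_BUYER", "US01"): ["OWNER_US", "OWNER_MM"],
}


def determine_agents(location, role_names, owner_table=OWNER_TABLE):
    """Evaluate once per request (not once per line item).

    Loops over every requested role, looks up the owners for that role at
    the request's location, and collects them into one result list, which
    plays the part of the agent ID result table. Returns (agents, unmatched)
    where unmatched holds the roles with no owner maintained for the location.
    """
    agents, unmatched = [], []
    for role in role_names:
        owners = owner_table.get((role, location))
        if not owners:
            unmatched.append(role)  # nobody would be asked to approve this role
            continue
        for owner in owners:
            if owner not in agents:  # keep each approver once, first-seen order
                agents.append(owner)
    return agents, unmatched


def coverage_gaps(role_names, locations, owner_table=OWNER_TABLE):
    """List the (role, location) pairs that have no owner in the mapping."""
    return [(role, loc) for role in role_names for loc in locations
            if not owner_table.get((role, loc))]


if __name__ == "__main__":
    # Same roles, different location, different approvers.
    print(determine_agents("US01", ["Z_FI_AP_CLERK", "Z_MM_BUYER"]))
    print(determine_agents("DE01", ["Z_FI_AP_CLERK", "Z_MM_BUYER"]))
    print(coverage_gaps(["Z_FI_AP_CLERK", "Z_MM_BUYER"], ["US01", "DE01"]))
```

Running the gap check over the full role and location lists before activating the rule shows which combinations would return no agent during simulation.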

5 Comments
  • Hi Madhu,

    Thanks a lot for sharing your knowledge!

    Could you please provide the Loop creation screenshot in GRC 10.1? Actually, we are getting an “Assert Condition is Violated” error while creating the Loop Expression in 10.1.

    Regards,

    Charan

  • Hi Madhu,

    Can you please tell me how to create this line – RULESET WILL BE TRIGERRED if XYZ function is processed? I am on 10.1 and not able to find this option. Also do you create rules within ruleset or loop? I am trying to achieve the same thing but getting error on above 2 things. Will appreciate your reply.

  • Hi Madhu

     

    Your article and input to the GRC Community are very helpful. Sometimes it saves a consultant's job.

    I have the below requirement; please provide some input if possible.

    We need to send a notification to the help desk team to install some software after provisioning roles (only HANA roles).

     

    Thanks

    Krish

    • Hi Krishna,

      This is one of the common requirements I came across with the clients.

      You can create a HANA role “XXX_SW_Installation” in the HANA system and make this a default role which needs to be assigned to all HANA users. Set the Auto provisioning and prov immediately field values to NO for this role. Also set default roles to be assigned only for new users.

      Make “Help Desk Team” the role owner for this role so that the GRC access request gets routed to them as part of the access request process, and the help desk team can perform installation of the required software using the access request as reference whenever they receive the access request. Upon completion of the required software installation, the help desk team can close the request.

      Regards,

      Madhu