AC10.0/10.1 Access Request Workflow: Create BRF+ rule to route single roles based on their risk level
A recent business scenario required an Access Request Workflow that determines whether each requested role is assigned to an access risk ID with risk level High, and routes only the roles that meet this condition to an additional path with further approval steps.
Checking the SCN I found the article AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls by Amanjit Singh Bindra, which provides the basic information on how to create a rule to route an access request.
My own scenario, however, required routing not the whole request but the individual roles associated with high-level risk IDs, so the rule had to be adjusted accordingly.
Please find as follows an illustrated step-by-step tutorial to recreate the rule on your own.
Let me know if any explanation in this tutorial is unclear or missing.
1. Create Rule ID / Application
Generate the BRF+ application by calling transaction GRFNMW_DEV_RULES.
Here fill in the basic information:
MSMP Process ID
This routing rule is intended for the Access Request Workflow, so select SAP_GRAC_ACCESS_REQUEST.
Rule Kind: Routing Rule (no explanation required)
Rule ID / Application Name
Fill in a reasonable name for the rule/application. It has proven workable to use the same name for both fields.
Select BRFplus Flat Rule, since the routing has to take place on item level (role level).
Generation Options
Tick Generate Rule and Result. Also select any entry from the Header or Item section so that the decision table is created automatically.
After the rule has been created successfully, copy the application ID for the next step.
2. Open application
Open the BRF+ Workbench by calling transaction BRF+ or BRFPLUS in SAP GUI.
Select Workbench > Open Object and enter the ID copied in the previous step in the Object ID search field.
3. Create table object to store risk analysis result
Before we create the procedure call that runs the analysis, we have to create the table that will hold its result data.
Therefore right-click the application and select Create/Data Object/Table ...
The table must have Binding Type DDIC Table and DDIC Type Name GRAC_T_WS_RA_OP_RISK_ANLYS_ID.
No further customization of the table is required.
Activate the data object.
4. Customize the function and assign a new ruleset
Change the Mode to "Event Mode" and save.
Also check that the result data object is GRFN_MW_S_ROUTING.
Then switch to the Assigned Rulesets tab and create a new ruleset.
Note: The following screen may appear at this and later stages. Always click Yes to save the current state of the object on the left. Otherwise all changes from the current step onward have to be repeated.
5. Add first Rule to Ruleset
Go to the newly created ruleset and insert a new rule. In the edit window we want to run a new expression without any condition, so click the Add button next to "Then" and select Process Expression/Create.
Select Procedure Call and define the previously created result table (Risk Analysis Result) as Result Data Object.
Within the procedure call select Function Module as Call Type and enter the module name GRAC_IDM_RISK_WITH_NO_SERVICES.
Note: This module takes a request number as parameter and returns all associated violation data such as risk IDs, risk level, roles, etc. To get a better understanding of this function, execute it in transaction SE37 via Function Module/Execute/In the test environment.
Add the parameters REQUEST_NO and RISK_ANALYSIS_WITH_NO_RESULT to the procedure call.
Click on both parameters and assign the corresponding values:
- REQUEST_NO: "Req No" from the request header in the context
- RISK_ANALYSIS_WITH_NO_RESULT: the table "Risk Analysis Result"
Activate the expression and go back to the ruleset.
6. Add second rule to ruleset
Now we check whether the role from the line item (the role from the access request that was passed to the routing rule) is associated with any high-level risk ID.
To do this, a second rule is created in the same manner as the first one. This rule contains an outer loop that goes through the risk analysis table and selects the entries with risk level High, and an inner loop that goes through the table data object ROLE_LIST contained in each of these entries. For every role in ROLE_LIST an expression of type Table Operation then checks whether the current entry matches the role name of the line item from the context.
Following picture demonstrates the procedure:
7. Create outer loop
Insert the basic information.
The following screenshot shows the required configuration for the first loop. As this outer loop just passes on the result of the inner loop, select Return Value as Processing Mode and BOOLEAN (Default Objects) as Result Data Object. We also need the loop to perform another expression for each entry, so select "For Each Entry in...". Also configure the loop to select only rows with risk level High.
Finally, add an Exit Condition so that the loop stops as soon as a high-risk role has been found in the table.
8. Create inner loop
Here we define the inner loop, which iterates over the ROLE_LIST table of the high-level risk ID entry, i.e. the roles associated with that risk.
Just like in the first loop we want to return a True/False value when looping through the ROLE_LIST table of the risk analysis table entry, so select Return Value as Processing Mode and BOOLEAN (Default Objects) as Result Data Object. We can also already filter ROLE_LIST for entries that match the role name from the current context line item.
Now we need to create a rule that sets the returned Boolean.
Within the rule create a new expression, which will be defined in the next step.
9. Create table operation
The customized table operation simply checks whether the filtered ROLE_LIST table contains any rows. If it does, the current role (line item context) is assigned to the current risk ID and the operation returns TRUE.
Activate the expression and go back to the inner loop via the Back button.
Now select "Assign Value to Context" for the "Then" clause and configure the Boolean variable to be set to true if the table operation returns true.
10. Create third rule in ruleset
Create the third rule in the ruleset, which is responsible for the routing according to the result of the second rule.
Here we can use the automatically created decision table.
11. Add Condition Column to Decision Table
After adding the new rule, go to the decision table and make sure you are in edit mode.
Select the Table Settings-Button.
Replace any existing condition columns with the outer loop LOOP_RISK_ANALYSIS_RESULT, which returns the result of the role search.
12. Add Business Logic to the Decision Table
Based on the result of the outer loop, which reports whether the role in the current line item is associated with any risk of level High, the path of that line item is decided: a True result routes the role to the additional approval path, a False result leaves it on the default path.
Save and activate the decision table.
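To make the behaviour of rules 2 and 3 easier to reason about before testing the rule in MSMP, here is an added plain-Python model of the routing logic described in steps 5 to 12. It is example code written for this page, not a BRF+ object or SAP code. Assumptions: the risk analysis result returned into the GRAC_T_WS_RA_OP_RISK_ANLYS_ID table is modelled as a list of entries with the fields RISK_ID, RISK_LEVEL and ROLE_LIST (the field name RISK_LEVEL and the literal "High" are assumptions; the page only says the outer loop filters on risk level High, and ROLE_LIST is modelled as a list of role names), and the two routing results are placeholder names for whatever path/stage IDs you maintain in MSMP. The sample data is constructed.

```python
"""Model of the BRF+ routing rule: which line items (roles) of a request are
routed to the additional approval path. Added example, not the page's BRF+ code.
Field names RISK_LEVEL / RISK_ID and the routing result names are assumptions."""
from typing import Dict, List

# Placeholder results of the decision table (rule 3); assumed names.
ROUTE_HIGH_RISK = "ADDITIONAL_APPROVAL_PATH"
ROUTE_DEFAULT = "DEFAULT_PATH"

RiskEntry = Dict[str, object]  # {"RISK_ID": str, "RISK_LEVEL": str, "ROLE_LIST": List[str]}


def role_is_in_high_risk(role: str, risk_analysis_result: List[RiskEntry]) -> bool:
    """Rule 2: outer loop over risk entries filtered on level High, inner loop
    over each entry's ROLE_LIST filtered on the line-item role, table operation
    that checks whether the filtered table has any rows, exit condition that
    stops the outer loop at the first hit."""
    for entry in risk_analysis_result:  # outer loop LOOP_RISK_ANALYSIS_RESULT
        if entry["RISK_LEVEL"] != "High":  # row filter: risk level High only
            continue
        # inner loop over ROLE_LIST, filtered on the current line item's role
        filtered_role_list = [r for r in entry["ROLE_LIST"] if r == role]
        # table operation: does the filtered table contain any rows?
        if filtered_role_list:
            return True  # exit condition: high-risk role found
    return False


def route_line_item(role: str, risk_analysis_result: List[RiskEntry]) -> str:
    """Rule 3 (decision table): True -> additional path, False -> default."""
    if role_is_in_high_risk(role, risk_analysis_result):
        return ROUTE_HIGH_RISK
    return ROUTE_DEFAULT


def route_request(line_item_roles: List[str], risk_analysis_result: List[RiskEntry]) -> Dict[str, str]:
    """The flat rule is evaluated once per line item, so every role of the
    request gets its own routing result from the same analysis result."""
    return {role: route_line_item(role, risk_analysis_result) for role in line_item_roles}


# Constructed sample: what GRAC_IDM_RISK_WITH_NO_SERVICES might return for one
# request. Z_AP_INVOICE is in a High and a Medium risk, Z_GL_POST only in a
# Medium risk, Z_MM_PO in none, and one High risk has an empty ROLE_LIST.
SAMPLE_RESULT: List[RiskEntry] = [
    {"RISK_ID": "P001", "RISK_LEVEL": "High", "ROLE_LIST": ["Z_AP_INVOICE", "Z_AP_PAY"]},
    {"RISK_ID": "F002", "RISK_LEVEL": "Medium", "ROLE_LIST": ["Z_GL_POST", "Z_AP_INVOICE"]},
    {"RISK_ID": "B010", "RISK_LEVEL": "High", "ROLE_LIST": []},
]

if __name__ == "__main__":
    for role, path in route_request(["Z_AP_INVOICE", "Z_GL_POST", "Z_MM_PO"], SAMPLE_RESULT).items():
        print(f"{role}: {path}")
```

The two cases worth checking against your own BRF+ simulation are the ones the model makes explicit: a role that appears only in a Medium (or lower) risk must stay on the default path even though the request as a whole has violations, and a role that appears in both a Medium and a High risk must be routed. Note also that because the rule is a flat rule, the procedure call of rule 1 is executed for every line item of the request, not once per request.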
13. Add variables to ruleset
Finally check that both variables, RISK_ANALYSIS_RESULT and BOOLEAN, have been added to the ruleset.
Also check that the order of the rules in the ruleset is correct and that all elements/objects are activated.
Now you should be able to register this rule in the MSMP configuration and use it as a routing rule.
To do this, refer to the function ID, which can be found on the General tab of the BRF+ function.