Madhu Babu #MJ

SAP GRC 10.0/10.1/12.0 – Multiple Rule Set Functionality for Access Requests

Introduction

The Multiple Rule set functionality in GRC determines which rule set is used when risk analysis runs for an access request. “Request Header” and “Request Line Item” fields can be used to define the conditions in the BRF+ multiple rule set application, and those conditions determine the rule set for the access request.

SAP delivers a predefined BRF+ Application and BRF+ rule mapping that can be customized in GRC. You can use this BRF+ mapping as your requirements dictate to enforce the determination of different rule sets based on request parameters.

Requirement

Customers often need to use multiple rule sets depending on the scenario.

I was working for a client, “A”, that merged with another client, “B”, and both wanted to use their own set of rules without combining them in the same rule set. They also wanted to use their own “Request Types” for access request creation.

Client A – Rule set 1

Client B – Rule set 2

Solution

The MSMP Workflow Settings are integrated with the BRF+ application configuration.

The configuration is available through the following path:
SPRO => Governance, Risk and Compliance => Access Control => Maintain AC Applications and BRFPlus Function Mapping. Check the mapping for application “Request Multiple Rule set”.

Under the Application Mapping, there is the Application ID ‘Request Multiple Rule set’. The BRF+ Function for this App ID is maintained by default. The BRF+ rule is created to determine the rule set based on request parameters.

We have customized the Request Multiple Rule set rule according to our requirement. The steps are as follows:

Configuration Setting 1

Parameter 1025 – Default Rule Set for Risk Analysis

Configuration Setting 2

SPRO => Governance, Risk and Compliance => Access Control => Maintain AC Applications and BRFPlus Function Mapping. Check the mapping for application “Request Multiple Rule set”.

Request Multiple Rule set is maintained and associated with the MSMP Process ID “SAP_GRAC_ACCESS_REQUEST”.

Configuration of BRF+ Application

Open BRF+ in “Expert Mode”. If you are not in Expert mode, use the “Personalize” button.

The BRF+ Multiple Rule set application provided by SAP is “GRAC_BRFP_MULTIPLE_RULESET”.

Open the Function of the Multiple Rule set BRF+ application and create a top expression of type “Decision Table”. This decision table is where you define your Multiple Rule set rules.

We based our Multiple Rule set rules on “Request Type”, because our requirement is that the rule set be selected by Request Type.

You can customize the rule set selection using both Request Header and Request Line Item fields.

Save and activate your Decision Table, Function and Application. Once that is done, use Function Simulation to verify the results.


Multiple Rule set Test Scenario

In order to validate the behavior, I created two GRC requests with Request Type 001 (New Account) and Request Type 002 (Change Account).

The Audit Log of these requests shows which rule set was considered while running risk analysis.

Request Number: 20

Request Type: New Account

Rule set: GLOBAL_N

Request Number: 21

Request Type: Change Account

Rule set: GLOBAL

Multiple Rule set functionality can be customized as per your requirements by creating different rules in the Multiple Rule set BRF+ application.
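
The check that Function Simulation and the audit-log comparison above perform, sketched offline in Python as an added example (not SAP code and not from the original post). The field name REQTYPE, first-match evaluation, the fallback to the parameter 1025 default, the placeholder default value and request 22 are assumptions made for illustration.

```python
# Added illustration: models the BRF+ decision table in plain Python.
# REQTYPE as field name and the fallback behaviour are assumptions, not SAP code.
DEFAULT_RULE_SET = "PARAM_1025_DEFAULT"  # placeholder for the value of parameter 1025

# Each row: (conditions, rule set). A missing condition acts as a wildcard, like
# an empty decision-table cell. Rows mirror the article's test scenario.
DECISION_TABLE = [
    ({"REQTYPE": "001"}, "GLOBAL_N"),  # New Account
    ({"REQTYPE": "002"}, "GLOBAL"),    # Change Account
]

def determine_rule_set(request, table=DECISION_TABLE, default=DEFAULT_RULE_SET):
    """Return (rule_set, matched_row_index); the index is None on fallback."""
    for idx, (conditions, rule_set) in enumerate(table):
        if all(request.get(f) == v for f, v in conditions.items()):
            return rule_set, idx  # first matching row wins
    return default, None

def unreachable_rows(table=DECISION_TABLE):
    """Rows that can never fire because an earlier row is equal or broader."""
    shadowed = []
    for i, (cond_i, _) in enumerate(table):
        for cond_j, _ in table[:i]:
            if all(cond_i.get(f) == v for f, v in cond_j.items()):
                shadowed.append(i)
                break
    return shadowed

def audit_mismatches(audit_records, table=DECISION_TABLE):
    """Flag requests whose logged rule set differs from the table's result,
    and requests that no row covers (they silently use the default)."""
    findings = []
    for rec in audit_records:
        expected, row = determine_rule_set(rec, table)
        if rec["RULESET"] != expected or row is None:
            findings.append((rec["REQNO"], rec["RULESET"], expected, row))
    return findings

# Constructed audit records: requests 20 and 21 are from the article; request 22
# uses a made-up request type to show a fall-through to the default.
AUDIT = [
    {"REQNO": 20, "REQTYPE": "001", "RULESET": "GLOBAL_N"},
    {"REQNO": 21, "REQTYPE": "002", "RULESET": "GLOBAL"},
    {"REQNO": 22, "REQTYPE": "003", "RULESET": DEFAULT_RULE_SET},
]

if __name__ == "__main__":
    for finding in audit_mismatches(AUDIT):
        print("review:", finding)
```

A request type that no row covers, or a row shadowed by an earlier broader one, means risk analysis runs against a rule set nobody chose for that scenario, so both are worth reviewing before activation.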

Thanks for reading

Looking forward to your valuable input on updating/improving the blog with all relevant details.

Best Regards,

Madhu Babu Sai

      10 Comments

      Rakesh Ram

      Hello Madhu,

      As always, another excellent article from your side. Thanks a lot for sharing.

      I am not able to find the standard application

      GRAC_BRFP_MULTIPLE_RULESET

      Can you help me with this?

      Regards,

      Rakesh ram

      Madhu Babu
      Blog Post Author

      Hi Rakesh,

      Please try searching using the BRF+ function ID available in SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping.

      Regards,

      Madhu

      Rakesh Ram

      Hello Madhu,

      Searched and getting the following result.

      /wp-content/uploads/2016/08/2016_08_15_07_17_24_1015217.jpg

      Regards,

      Rakesh ram M

      Artem Ivashkin

      Hi Rakesh,

      Try to find the rule id in 000 client.

      Regards,

      Artem

      Plaban Sahoo

      The ruleset is BRFGRAC_MUL_RULESET_APPL

      So, we need to include it in SPRO as well.

      Regards

      Plaban

      Former Member

      Hi,

      Did not get you, pls explain.

      Former Member

      Hi, did not get you, pls explain.

      Sreekanth Reddy

      Hi Rakesh,


      Export from 000 client and Import to your client.


      /.Sreekanth

      bhagyaraj rankireddi

      Hi Madhu

      Thanks for the article.

      Is it possible to have two rule sets for one request type?

      We have A1 & A2, and need to run risk analysis for new users on both rule sets.

      Thanks

      Regards

      Bhagyaraj R

      Jose Gonzalez

      I'm confused about something, at which point do you create the Structure "RES_S_ZGRAC_MULTI_RULESET_1"?