SAP GRC 10.0/10.1/12.0 – Multiple Rule Set Functionality for Access Requests

Introduction

Multiple Rule set functionality in GRC can be used to determine the rule set to be considered while running risk analysis for the access request. “Request Header” and “Request Line Item” fields can be utilized for customizing the conditions in BRF+ multiple rule set application which will determine the rule set for the access request.

SAP delivers a predefined BRF+ Application and BRF+ rule mapping that can be utilized for customizing in GRC. You can use this BRF mapping as per your requirement to enforce the determination of different rule sets based on request parameters.

Requirement

Usually customers will have requirement to use multiple rule sets depending on different scenarios.

I was working for one of the client “A” and they merged with another client “B” and both wanted to use their own set of rules without combining them in the same rule set. Also they wanted to use their own “Request Types” for access request creation.

Client A – Rule set 1

Client B – Rule set 2

Solution

The MSMP Workflow Settings are integrated with BRF+ application Configurations

The configuration is available through the below mentioned path.
SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping and check the mapping for application “Request Multiple Rule set”.

Under the Application Mapping, there is the Application ID: ‘Request Multiple Rule set’. The BRF+ Function for this App ID is maintained by default. The BRF+ rule is created to determine the Rule set based on request parameters.

We have customized Request Multiple Rule set rule according to our requirement. Following are the steps:

Configuration Setting 1

Parameter 1025 – Default Rule Set for Risk Analysis

Configuration Setting 2

SPRO =>Governance, Risk and Compliance =>Access Control =>Maintain AC Applications and BRFPlus Function Mapping and check the mapping for application “Request Multiple Rule set”.

Request Multiple Rule set is maintained and associated with MSMP Process ID “SAP_GRAC_ACCESS_REQUEST”

Configuration of BRF+ Application

Open BRF+ in “Expert Mode” and if you are not in Expert mode use “Personalize” button as shown below:

BRF+ Multiple Rule set application provided by SAP is “GRAC_BRFP_MULTIPLE_RULESET”

Open the Function of the Multiple Rule set BRF+ application and create a top expression as “Decision Table”. This decision table is the place where you define your Multiple Rule set rules.

We have used Multiple Rule set functionality based on “Request Type” as our requirement is based on Request Type rule set should be selected.

You can customize your requirements using both Request Header or Request Line Item fields  for rule set selection.

Save and activate your Decision Table, Function and Application and once completed use Function Simulation to verify the results.

Multiple Rule set Test Scenario

In order to validate the behavior I have created two GRC requests with Request Type 001 (New Account) and Request Type 002 (Change Account).

Audit Log of these requests shows which rule set has been considered while running risk analysis.

Request Number: 20

Request Type: New Account

Rule set: GLOBAL_N

Request Number: 21

Request Type: Change Account

Rule set: GLOBAL

Multiple Rule set functionality can be customized as per your requirements by creating different rules in the Multiple Rule set BRF+ application.

Thanks for reading

Looking forward for your valuable inputs in updating/improving the blog with all relevant details.

Best Regards,

Madhu Babu Sai