SAP GRC Access Control- ARQ Requestor and Approver Validation BRF
Steps to help create BRF Plus initiator rule
My Client had a Scenario to validate the requestor of the ARQ submitted and take the workflow path as required. This is mainly because we have the Requestor and the approver as the same person,to avoid unnecessary re approvals.
ARQ workflow should validate the Requestor and Role approver and take the path as required.
If the Requestor is same as the Primary or Secondary approver take auto provision Path if not it should take the path of role owner for approval.
Generate the Initiator Rule as below
2) Open the BRF Plus work bench and click on the application to view/change
Create DB Lookup expression to Extract REQ ID and the Requestor User ID
Use Tables: GRACREQ and GRACREQOWNER
You need to create few Z Variables to store the extracted values for future use
ZREQDET – TO extract the RED ID
ZREQID – To Extract Requestor owner user id to validate against the role approver
4) I have created a Custom table to hold the mapping between Connector and Connector group to avoid use of many tables
5) Create DB look up to look for the connector group which will be used in later stages
6) Use the extracted Connector Group from (5) to find the Role ID
Create a DB look up expression
7) Create a new DB Lookup to read the list of approvers for the role (Both Primary and Secondary )
8) Validate all the Primary approver to see if the requestor is same as the approver and if found change the ZAPPLOOP flag to 1
9) Validate all the Alternate approver to see if the requestor is same as the approver and if found change the ZAPPALTLOOP flag to 1
10) Now that the validation is done and the flags are set use Formula Expression to sum the values which will be used in later stages
11) Create a Rule to execute the expressions in Sequence
12) Change the Top Expression (decision Table) data to reflect the validation details
If the Requestor is same as Primary Approver and Secondary Approver ZFOUND will be 2
If the Requestor is same as Primary Approver or Secondary Approver ZFOUND will be 1
If the Requestor is not same as Primary Approver or Secondary Approver ZFOUND will be 0
Based on the Validation of request type and the ZFOUND flag the trigger value is sent as output
13) Since we need to trigger the Rule created Map the Rule to Function by creating the Rule set and also map the Z variables created in the context
Make sure to change the Mode to Functional and Event to process the rule set assigned.
Simulate the BRF+ application and then map the required Approval stages in MSMP configuration.
Great job Sandeep.
Thanks for sharing and make it appear very simple.
Rakesh Ram M
Very helpful blog. Thank you very much Sandeep for sharing great idea.
Personally I would add the variables in the Ruleset Header, rather than in the Context, for cleanness, but it works either way.