SAP GRC 10.0/10.1/12.0 – BRF+ Initiator Rule based on Role Name using TABLE OPERATION and LOOP

Scenario Details

GRC 10.0 and 10.1 provided extremely flexible and powerful tool to configure MSMP workflows. In this document we will see how to create BRF+ Initiator rule for the following scenario:

GRC request should be routed to different workflow paths based on the roles in the request. In this blog, I am explaining the BRF+ logic using the role name and you can use any of the role attributes (Business Process, Company etc.) and can achieve the same.

E.g. HR roles should go to Path 1 and Basis roles should go to Path 2 within the same request.

Creating BRF+ Initiator Rule to route the access request based on the roles in the request:

You have to generate the BRF Rule via Transaction SPRO in GRC system. Follow the below steps in your GRC system.

Run the transaction SPRO, Go to IMG => Governance, Risk and Compliance =>Access Control =>Workflow for Access Control  => Define Workflow related MSMP rules.

Or

Directly execute Tcode GRFNMW_DEV_RULES

• Fill generation criteria (Process ID, Rule type, etc.)
• Specify Generation options
• Generate rule shell (Execute button)

Click Execute or Press F8. This now generates a successful message for BRF+ Rule with name and ID. You can run BRF+ Tcode and can check the newly created BRF+ application there.

Functions Signature Update

In BRF+ function, change the mode to “Event Mode” and activate the function as shown below:

Since Function mode has been changed to “Event mode,” the result data object will get changed automatically, so it has to be reset manually. In “Signature” tab of BRF+ Function, change the result data object to GRFN_MW_T_ROUTING.

Create Ruleset in BRF+ Application

Create Ruleset in your BRF+ application by clicking on “Create Ruleset” button under “ASSIGNED RULESETS” tab of function. Ruleset is a combination of business rules that can only be assigned to a function in the BRFPlus framework.

Detailed steps on how to create ruleset are not mentioned here but the final status of Ruleset will be as shown below:

If you want steps on how to create ruleset and associated rules then you can follow my another blog post:

https://blogs.sap.com/2014/12/03/brf-agent-rule-based-on-role-functional-area-field-using-table-operation-and-loop/

Create Rule within Ruleset – Create Expression of Type “Loop”

1. Click on “Insert Rule” button to create new rule
2. From within rule, click on “Add” -> “Process Expression” -> “Create” to create a new expression
3. Create expression of type “Loop” and provide suitable name and description

Loop gets created as shown below. Processing Mode and Loop Mode maintain as mentioned below.

Create Rules within Loop Expression

First Rule

Create expression of type “Table Operation” and provide suitable name and description.

Second Rule

Create an expression of type DECISION TABLE as shown below and create a rule change agent ID in agent ID structure after processing each entry in Decision table.

Third Rule

Third rule is used to assign value to context as shown below. This rule will be included in your loop for inserting the values into Agent ID table after processing each LineItem.

Function Simulation

To test the BRF+ rule, I have done simulation with test data using 1 HR role and 2 Basis roles.

Looking forward for all your inputs in improving this blog with additional details or scenarios ?

Thanks for reading.

Best Regards,

Madhu Babu Sai