SAP GRC 10.0/10.1/12.0 – BRF+ Agent Rule through a DBLOOKUP using Custom Table
GRC Access Controls provides an extremely flexible and powerful tool for configuring and customizing workflows: the MSMP workflow configuration. In this document we will see how to create a BRF+ MSMP agent rule, using a real business case in the context of Access Request as the example.
In GRC 10/10.1/12.0, SAP provides different ways of determining the agents of a stage in an access request (i.e. Function Module rules, ABAP Class based rules or BRFPlus rules). The following scenario determines the approver of a stage using a BRF+ agent rule through a DBLOOKUP on a custom table in GRC.
Creating Custom table in GRC
You can create a custom table using transaction SE11. The following steps create the custom table and also the table maintenance generator, which is required for maintaining data entries in the table using SM30.
Select relevant fields for the custom table. I have used the fields highlighted below:
The enhancement category defines whether the table/structure can be enhanced after creation as requirements change. For example, if the enhancement category is set to “can be enhanced”, customer modifications are possible; otherwise select the option “Cannot be enhanced”.
Technical settings define how the table is handled when it is created in the database, that is, whether the table will be buffered and whether changes to its data records will be logged. Without these technical settings, table activation will show errors.
The SAP table maintenance generator is used to create a table maintenance program that end users can use to maintain the table entries through SM30.
Sample data maintained in the custom table using SM30
Steps to build the BRF Rule:
Creating BRF+ Rule for determining Agent based on Custom table in GRC
You have to generate the BRF Rule via transaction SPRO in the GRC system. Follow the steps below in your GRC system.
Run transaction SPRO and go to IMG => Governance, Risk and Compliance => Access Control => Workflow for Access Control => Define Workflow related MSMP rules.
Alternatively, execute Tcode GRFNMW_DEV_RULES directly.
- Fill generation criteria (Process ID, Rule type, etc.)
- Specify Generation options
- Generate rule shell (Execute button)
Click Execute or press F8. This generates a success message for the BRFPlus rule with its name and ID. You can then run the BRF+ Tcode and check the newly created BRF+ application there.
Functions Signature Update
In BRF+ function, change the mode to “Event Mode” and activate the function as shown below:
- Since Function mode has been changed to “Event mode,” the result data object has changed automatically, so it has to be reset manually
- In “Signature” tab of BRF Function, change the result data object to GRFN_MW_T_AGENT_ID
Create Ruleset in BRF+ Application
Create a Ruleset in your BRF+ application by clicking the “Create Ruleset” button under the “ASSIGNED RULESETS” tab of the function. A Ruleset is a combination of business rules that can only be assigned to a function in the BRFPlus framework. Enter any name for the Ruleset and click “Create and Navigate to object” as shown below. The Ruleset will be created and you will be shown a success message as shown below:
Create Rule within Ruleset – Create Expression of Type “DBLOOKUP”
- Click on “Insert Rule” button to create new rule
- From within rule, click on “Add” -> “Process Expression” -> “Create” to create a new expression
- Create expression of type “DBLOOKUP” and provide suitable name and description
DBLOOKUP gets created as shown below. DBLOOKUP is maintained as shown below.
After activating the DBLOOKUP, Ruleset and Function, perform simulation to verify the agent rule results.
Thanks for reading.
Looking forward to your inputs on improving this blog with additional details or scenarios.
Madhu Babu Sai
Good One Madhu
I'm having a problem with the firm: when I tried to change to GRFN_MW_T_AGENT_ID, it doesn't appear. Do you know which could be the problem?
Can you help me? I can follow the rest of the steps without it.
While defining the condition, I am not able to select the context field.
I am getting "With Condition" "BPROC" is equal to getting "Blank text field" - how do I select the context field instead of entering the value in the blank field?
In UAR review, if Role owner = End user then he/she should not approve/remove own role. For this SAP provided the 2065 parameter, so how can we set up logic for this and route such requests to other approvers or managers?