Easy and Simple BRFPlus Initiator rule based on GRC Access Control Object
This document will provide more basic understanding and shows, how to create custom BRFPlus rule based on different requirement in step by step process for easy and better understanding.
As all requirements starts with customer business. For this document purpose, I picked more generic requirement as written below.
Workflow should initiate the path based on Role’s “Critical Level” and its “Sensitivity”. Basically, to achieve this requirement consultant need to create their specific initiator rule so, consultant can achieve either through writing rule based on available options such as BRFPlus Rule, Function Module Based Rule, Class Based Rule or BRFPlus Flat Rule (Lineitem by Lineitem)
Prerequisite knowledge requirement
GRC product implementation knowledge, and solid knowledge on BRFPlus Expressions such as Loop Expression, Decision Table and LOOKUP Expressions.
The design for the above business requirement is to, create a Loop Expression to loop through each lineitems in request and add Decision Table into Loop rules to validate the Critical Level and Sensitivity to determine right path. As Sensitivity, will not be available in given GRC components, we need to utilize LOOKUP expression to get the Sensitivity value from GRC table
This document will not discuss about any transport details of created brf+ rules.
Please always save the activity you perform and Activate where were possible in all processes.
Process 1 – Invoke TCODE GRFNMW_DEV_RULES and update Rule Info
Process 2 – Update Function details and create the Ruleset for the function
Process 3 – Build Lookup expression
Process 4 – Create Decision Table
Process 5 – Create Loop Expression
Process 6 – Add Loop Expression to Ruleset
Process 7 – Save the Created Object, Activate and run a Simulation.
In this process, we need to invoke BRF+ rule from GRC TCODE to utilize needed context parameters for brf+ rule. As this topic is related to GRC MSMP workflow, it is good suggestion to utilize GRC’s TCODE GRFNMW_DEV_RULES to get needed components based on your process id which reduces complexity further. In this document, our idea is to go with process id SAP_GRAC_ACCESS_REQUEST
Execute TCODE GRFNMW_DEV_RULES and update Rule Info. and execute, for reference review below screen shot
Make sure the Rule is generated in next screen, for reference review below screenshot.
Execute TCODE BRF+ which will take you directly to newly generated rule-id, for reference review below screenshot
The below screen shot shows you, GRC components are automatically picked for your custom rule to further handle your business requirements.
In this process, we will update the Function details and create Ruleset for this function.
Select the Function and click edit to change the Mode to “Event Mode” and save it, for reference review below screenshot.
Save the newly created Rule set. For reference, review below screenshot.
In this process, we will build Lookup expression to fetch the Sensitivity based Lineitem’s roleid. So, we need to use GRACROLE table to get the sensitivity for given roleid.
Right click on Rule and navigate to pick Database Lookup. For reference, review below
Provide Need information to create Database Lookup. For reference, review below screenshot.
Inside the DBLOOKUP, do needful to configure the query and pick roleid for condition. For reference, review below screenshot.
Pick the Roleid field from context Parameter which is given lineitem. For reference, review below screenshot.
Now, we need to create a Element to store value which we get from DBLookup for role Sensitivity. For reference, review below screenshot for creating Element.
Perform Field Mapping with table field Sensitivity with newly create TEXTSENSITIVITY element. For reference, review below screenshot.
FYI – You can also add for Critical level here, but this document is to show different options so, we do it from lineitem
Save the DBLookup and Activate the same.
In this process, we need to create Decision Table which will be used in our loop later. This Decision Table will determine Critical Level value and Sensitive value (created through DBLOOKUP from Process 3) to decide our different path.
Create a Decision Table from ruleid, for reference review below screenshot.
Update the Result Data Object and Condition Columns to add Critical Level. For reference, review below screenshot
Select the CRITLVL from GRAC_S_REQUEST_RULE_LINE structure, as shown in below screen.
After adding the CRITLVL, the configurations look similar to below screenshot
Now the Table setting looks like below screenshot.
Add Table content to Decision Table for CRITLVL and DBLOOKUP_GETSENSITIVITY columns as depicted in below screenshot sequence
Make sure you provide right value based on your Sensitivity maintenance in GRC system. On our example below, our sensitivity is maintained with number
Now add the Rule Result as show in below screen
Repeat the table content in Decision table as show in Step 4 to complete you validations, for reference review below screen shot
In this process, we will create a Loop Expression to iterate our lineitem from request which we will add to our Ruleset later.
To create Loop Expression, right click on rule id and navigate to select Loop. For reference, review attached below screenshot.
Update Loop configuration as shown in below screen and click Select to pick the lineitem from context
Create rule in loop as shown in below screenshot.
The first rule condition is include our Decision Table DT_TOEVALUVATEPATH. For reference review below screenshot.
Now store the DT_TOEVALUVATEPATH result into our context parameter, as shown in below sequence screens.
The first rule looks like as below screen shot.
Add another rule in Loop expression, this rule is to add the returned result from first rule into context table GRFN.. For reference review below screenshot.
Assign GRFN_MW_T_ROUTING for Value into and GRFN_MW_S_ROUTING for From clause, please don’t miss to change the Insert option. The second rule condition will look like below screen
Make sure the Rules are in correct sequence as shown in below screen.
In this process, we need to add our Loop Expression to our Ruleset, as shown in below steps
Click Ruleset RULESET_INITIATOR and insert Rule. For reference review below screenshot.
Select Loop Expression which we created already, as shown in below screenshot sequence.
In this process, we will save all the created object and activate to further test the simulation with same date.
Make sure all object we created saved and activated. Now Simulation to test the results. For reference review below screenshot
Input the sample data with Role ID and CRITLVL in lineitem object table as shown in below screen before Execute.
The result will be as shown in below screenshot which is based on Critical level and Sensitivity from each role provided in lineitem
As this blog post to help consultant to configure their BRFPlus with SAP GRC Access Control objects to meet basic custom requirement, consultants can further use knowledge gained from this blog to develop further address different types of custom requirements.
Also, feel free to leave your comments on this blog post, below if you have questions please, raise it in Access control Tag if it relates to SAP GRC Access Control or BRF+ tags area for specific BRF+ questions
Its good document.
Question 1 - Workflow - I'm not sure why you would want to do this use BRF+ to determine the approvers? You could use an organization chart, security role or a agent rule. I suppose you could create code that calls the BRF+ decision table if you wanted to. But that seems like a lot of work.
For stage level, you need to develop agent rule (not initiator rule) but the process is same and as GRC dont provide division approvers you might use DBLookup options (also as shown in same blog) to fetch your division approvers.