Easy and Simple BRFPlus Initiator rule based on GRC Access Control Object

This document provides a basic understanding of how to create a custom BRFPlus rule for a given requirement, shown as a step-by-step process.

Business Requirement

All requirements start with the customer’s business. For the purpose of this document, I picked a fairly generic requirement, written below.

The workflow should initiate the path based on the role’s “Critical Level” and its “Sensitivity”. To achieve this requirement, the consultant needs to create a specific initiator rule, which can be written using one of the available options: BRFPlus Rule, Function Module Based Rule, Class Based Rule or BRFPlus Flat Rule (line item by line item).

Prerequisite knowledge requirement

GRC product implementation knowledge, and solid knowledge of BRFPlus expressions such as Loop Expression, Decision Table and LOOKUP expressions.

The design for the above business requirement is to create a Loop Expression that loops through each line item in the request, and to add a Decision Table to the loop’s rules that validates the Critical Level and Sensitivity to determine the right path. As Sensitivity is not available in the given GRC components, we need to use a LOOKUP expression to get the Sensitivity value from a GRC table.

Notes

This document does not discuss the transport of the created BRF+ rules.

Always save the activity you perform, and activate wherever possible, in all processes.

Processes Overview

Process 1 – Invoke TCODE GRFNMW_DEV_RULES and update Rule Info

Process 2 – Update Function details and create the Ruleset for the function

Process 3 – Build Lookup expression

Process 4 – Create Decision Table

Process 5 – Create Loop Expression

Process 6 – Add Loop Expression to Ruleset

Process 7 – Save the Created Object, Activate and run a Simulation.

Process 1

In this process, we invoke the BRF+ rule from a GRC TCODE so that the context parameters the rule needs are available. As this topic relates to the GRC MSMP workflow, it is a good idea to use GRC’s TCODE GRFNMW_DEV_RULES to get the needed components based on your process ID, which further reduces complexity. In this document, we go with process ID SAP_GRAC_ACCESS_REQUEST.

Step 1

Execute TCODE GRFNMW_DEV_RULES, update the Rule Info and execute. For reference, review the screenshot below.

Step 2

Make sure the rule is generated on the next screen. For reference, review the screenshot below.

Step 3

Execute TCODE BRF+, which takes you directly to the newly generated rule ID. For reference, review the screenshot below.

Step 4

The screenshot below shows that the GRC components are automatically picked for your custom rule, so that it can handle your business requirements.

Process 2

In this process, we update the Function details and create a Ruleset for this function.

Step 1

Select the Function and click Edit to change the Mode to “Event Mode”, then save it. For reference, review the screenshot below.

Step 2

Now select the “Assigned Rulesets” tab to create a new Ruleset for our rules. Click the Edit button, then click the “Create Ruleset” button in the Ruleset section to create a ruleset. For reference, review the attached screenshot.

Step 3

Save the newly created Ruleset. For reference, review the screenshot below.

Process 3

In this process, we build a Lookup expression to fetch the Sensitivity based on the line item’s roleid. To do so, we use the GRACROLE table to get the sensitivity for the given roleid.

Step 1

Right-click on the rule and navigate to pick Database Lookup. For reference, see below.

Step 2

Provide the needed information to create the Database Lookup. For reference, review the screenshot below.

Step 3

Inside the DBLOOKUP, configure the query and pick roleid for the condition. For reference, review the screenshot below.

Step 4

Pick the Roleid field from the context parameter for the given line item. For reference, review the screenshot below.

Step 5

Now we need to create an Element to store the role Sensitivity value that we get from the DBLookup. For reference, review the screenshot below for creating the Element.

Step 6

Map the table field Sensitivity to the newly created TEXTSENSITIVITY element. For reference, review the screenshot below.

FYI – You can also add the Critical Level here, but since this document aims to show different options, we take it from the line item.

Step 7

Save the DBLookup and activate it.

Process 4

In this process, we create the Decision Table that will be used in our loop later. This Decision Table evaluates the Critical Level value and the Sensitivity value (obtained through the DBLOOKUP from Process 3) to decide between our different paths.

Step 1

Create a Decision Table from the rule ID. For reference, review the screenshot below.

Step 2

Update the Result Data Object and Condition Columns to add the Critical Level. For reference, review the screenshot below.

Select CRITLVL from the GRAC_S_REQUEST_RULE_LINE structure, as shown in the screen below.

After adding CRITLVL, the configuration looks similar to the screenshot below.

Step 3

Add the LOOKUP expression that we created in Process 3 to fetch the SENSITIVITY, as shown in the screenshot sequence below.

The table settings now look like the screenshot below.

Step 4

Add table content to the Decision Table for the CRITLVL and DBLOOKUP_GETSENSITIVITY columns, as depicted in the screenshot sequence below.

Make sure you provide the right values based on how Sensitivity is maintained in your GRC system. In our example below, sensitivity is maintained as a number.

Now add the Rule Result as shown in the screen below.

Step 5

Repeat the table content in the Decision Table as shown in Step 4 to complete your validations. For reference, review the screenshot below.

Process 5

In this process, we create a Loop Expression to iterate over the line items from the request; we will add it to our Ruleset later.

Step 1

To create the Loop Expression, right-click on the rule ID and navigate to select Loop. For reference, review the screenshot attached below.

Step 2

Update the Loop configuration as shown in the screen below and click Select to pick the line item from the context.

Step 3

Create a rule in the loop as shown in the screenshot below.

Step 4

The first rule condition is to include our Decision Table DT_TOEVALUVATEPATH. For reference, review the screenshot below.

Now store the DT_TOEVALUVATEPATH result in our context parameter, as shown in the sequence of screens below.

The first rule looks like the screenshot below.

Step 5

Add another rule to the Loop Expression; this rule adds the result returned by the first rule to the context table GRFN.. For reference, review the screenshot below.

Assign GRFN_MW_T_ROUTING for Value into and GRFN_MW_S_ROUTING for the From clause; don’t forget to change the Insert option. The second rule condition will look like the screen below.

Step 6

Make sure the rules are in the correct sequence, as shown in the screen below.

Process 6

In this process, we add our Loop Expression to our Ruleset, as shown in the steps below.

Step 1

Click Ruleset RULESET_INITIATOR and insert a rule. For reference, review the screenshot below.

Step 2

Select the Loop Expression that we already created, as shown in the screenshot sequence below.

Process 7

In this process, we save all the created objects and activate them so that we can test them in a simulation with the same data.

Step 1

Make sure all the objects we created are saved and activated. Now run a Simulation to test the results. For reference, review the screenshot below.

Step 2

Enter the sample data with Role ID and CRITLVL in the line item object table, as shown in the screen below, before you click Execute.

The result will be as shown in the screenshot below; it is based on the Critical Level and Sensitivity of each role provided in the line items.
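The following added example is not part of the original blog post and is not SAP or BRF+ code: it models the rule from Processes 3 to 6 in plain Python so that the decision table can be checked for line items that end up without a path. The role names, sensitivity codes, CRITLVL values, path IDs and the ROLE_ID/PATH_ID keys are constructed, and first-match evaluation of the decision table is an assumption of the model.

```python
# Added model of the rule built in Processes 3-6; plain Python, not BRF+ or SAP code.
from itertools import product

# Constructed stand-in for the GRACROLE lookup: role id -> sensitivity code.
GRACROLE = {"Z_FI_DISPLAY": "001", "Z_FI_PAYMENTS": "003", "Z_BASIS_ADMIN": "003"}

# Constructed rows for DT_TOEVALUVATEPATH: (CRITLVL, sensitivity, path id).
# None matches any value; the first matching row wins (assumed single-match mode).
DECISION_TABLE = [
    ("HIGH", "003", "ZPATH_SECURITY"),
    ("HIGH", None, "ZPATH_ROLE_OWNER"),
    (None, "003", "ZPATH_ROLE_OWNER"),
    ("LOW", "001", "ZPATH_MANAGER"),
]


def evaluate_path(critlvl, sensitivity):
    """Return the path of the first matching row, or None if no row matches."""
    for row_crit, row_sens, path in DECISION_TABLE:
        if row_crit in (None, critlvl) and row_sens in (None, sensitivity):
            return path
    return None


def run_initiator(line_items):
    """Loop over line items as the Loop Expression does.

    Returns (routing, unrouted): routing models the rows inserted into
    GRFN_MW_T_ROUTING, unrouted lists role ids that produced no path.
    """
    routing, unrouted = [], []
    for item in line_items:
        # Models DBLOOKUP_GETSENSITIVITY; None when the role has no entry.
        sensitivity = GRACROLE.get(item["ROLE_ID"])
        path = evaluate_path(item["CRITLVL"], sensitivity)
        if path is None:
            unrouted.append(item["ROLE_ID"])
        else:
            routing.append({"ROLE_ID": item["ROLE_ID"], "PATH_ID": path})
    return routing, unrouted


def coverage_gaps(critlvls, sensitivities):
    """List every (CRITLVL, sensitivity) combination the table leaves unmatched."""
    return [c for c in product(critlvls, sensitivities) if evaluate_path(*c) is None]
```

Any combination returned by `coverage_gaps`, and any role ID in `unrouted`, is a case to cover with an additional decision table row before relying on the rule.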

 

This blog post is meant to help consultants configure BRFPlus with SAP GRC Access Control objects to meet a basic custom requirement; consultants can use the knowledge gained from it to address other types of custom requirements.

Also, feel free to leave your comments on this blog post below. If you have questions, please raise them under the Access Control tag if they relate to SAP GRC Access Control, or under the BRF+ tag for specific BRF+ questions.

3 Comments
  • Vijayakumar,

    It's a good document.

    1. We have a custom requirement - In the MSMP Role Owners stage, the workflow must go to the appropriate division approvers (we have added the role owner in the Role import template). Can this scenario be achieved through a BRF+ ruleset?
    2. Another custom requirement - I am also exploring the Plant & Division details to be displayed in the access request approval form, but I am unable to find the correct Field, class & table to be added in Maintain Mapping for Actions and Connector groups. Let me know if you come across something on this. (I am able to bring up the company code, but not plant & divisions.)

    Regards,

    Mahendran R

    • Question 1 - Workflow - I'm not sure why you would want to use BRF+ to determine the approvers. You could use an organization chart, a security role or an agent rule. I suppose you could create code that calls the BRF+ decision table if you wanted to. But that seems like a lot of work.

    • Hi Mahendran,

      For stage level, you need to develop an agent rule (not an initiator rule), but the process is the same, and as GRC doesn't provide division approvers, you might use the DBLookup options (also shown in the same blog) to fetch your division approvers.