cancel
Showing results for 
Search instead for 
Did you mean: 

Manage List of Local Approvers country wise or Functional Module wise inSAP GRC 10 Access Control

Former Member
0 Kudos

Hi Experts,

Need your advice on this.

I have to design a solution with No SoD &  SoD Cases.

Here Approver approves request if any SoD contains then its go to Local Approver (BASED On LOCATION) so how i manage this?

If Requester create a request for Country B & Approver is in Country A it approves the request it contain SoD then it goes to Local Approver which is in Country B so how i manage List of Local Approvers country wise or Functional Module wise.

Accepted Solutions (0)

Answers (1)

Answers (1)

kevin_tucholke1
Contributor
0 Kudos

This sounds like you need a BRFplus agent.  Assuming that you have Location/Country as an attribute on your request, you can easily create a BRFplus agent rule for this purpose. 

Thanks.

Kevin Tucholke

Former Member
0 Kudos

Hi Kevin,

Is there is any way to use Functional Module?

kevin_tucholke1
Contributor
0 Kudos

Sure, if you have the ABAP programming expertise available, you can always create a custom function module as a rule instead of using BRFplus.

Thanks,

Kevin Tucholke

Former Member
0 Kudos

If i go for BRF+ then i have to create custom rules for  initiators, agents and  routing.

kevin_tucholke1
Contributor
0 Kudos

Sachin:

Not sure that I am reading your reply correctly, but it sound like you are thinking that you need to create rules for all types BRFplus items.  If that is you thinking, that is not true.  In your case, you could just create the BRFplus rule for your Country Specific approvers (agent rule), and still utilize the default initiator (function module delivered by SAP), and the delivered SOD routing rule (function module delivered by SAP) to handle this situation.

In short, if all you need is a list of agents based upon an attribute contained in a request and available in the context structure, than you only need to build an agent rule.

My apologies if I read your reply incorrectly, but wanted to make sure you have the correct information.

Cheers,

Kevin Tucholke

Former Member
0 Kudos

Hi Kevin,

Let me explain you.

We have 4 Locations A,B,C,D.

[This the case where no SoD There so no Location required]

If a request comes for any locations goes to approver here no SoD exists, so approver approve the request then security after then auto provisioning.

[This the case where  SoD exists There  Location required]


If a request comes for any locations goes to approver here  SoD exists, so approver take risk analysis & approve the request then it goes to Location wise{A,B,C,D} Local Approver after then goes to Security then auto provisioning.

In my case no SoD working fine but how i request decided which location it goes A,B,C,D after taking risk analysis.

If i not consider the location constraint then 2 case works fine.

Need you input on this.

Former Member
0 Kudos

Hi Kevin,

So here i am using BRF+ rule for creating Custom Routing rule.I create successfully when i am going to add in Step 2 Maintain Rule it shows Please enter a valid Rule-ID.

New rule id is 005056A47F7A1EE29AD8C785C377BE68 & its active.

Attached Snapshot for reference.

former_member541582
Participant
0 Kudos

Hi Sachin,

You need a SoD detour. It is a standard rule. In case of risks this rule will route the request to a specified path of your choice (route mapping).

Say this path is containing only one stage, the Local SOD stage.

To route the request to the correct approver you need also an agent rule consisting of at least one attribute. We are using the attribute company, which we are fetching from LDAP (ADS) along with other user data. When the rule is called, it will depending on the company (header, hence not line item), return a different user id.

With this approach you will have some limitations:

  • It is not possible to return the request to previous stage after it takes the detour
  • It is not possible to use multi user request due to the use of the attribute company

We have a twisted rule which is able to route the request to approvers depending on risk id and company.

Good Luck,

Vit

Former Member
0 Kudos

Hi Vit,

Thanks for information.

Can you please tell us what twisted rule you are using.

This sound interesting for me.

former_member541582
Participant
0 Kudos

It uses a custom FM call, table lookup and a loop.

Former Member
0 Kudos

That is very interesting.

Reason Standard FM you cant debug via se37 coz i already tried.

So please share you experience to customize the Standard FM.

It is helpful for all.

former_member541582
Participant
0 Kudos

It is not a standard FM

Our FM structures data from the risk analysis (from a long string) and put into a ztable, where it can be accessed with a table lookup from the BRF+ rule.

Former Member
0 Kudos

idea is good.

then you using custom structure data .

cooooooooool