on 05-17-2013 3:53 PM
Dear all,
we use BRF+ Flat Rule for GRC Access Request:
For request type "New Account" and action "Create User" only Manager Approval is required = only one Stage.
Same request type but action "Role assignment" Manager Approval (same Manager as for Create User) AND Role Owner approval is required = two Stages.
If we now place a request type "New Account" for both action "Create User" and "Role assignment" an approval for Manager Stage is required twice by the same Manager:
1. line item: Create User
2. line item: Role Assignment
Using the above BRF+ Flat Rule we didn't find any solution on how to enhance this Rule to combine approvals for BOTH line items into ONE request.
The Manager receives two notifications asking him to approve the two line items of the same request separately. This is not really smart.
Any idea on how to enhance this scenario?
Many thanks,
Markus
Hi Markus
What if you tried to introduce routing?
I haven't attempted to prototype this one but figured it removes a duplicate approval/notification step (assuming the routing rule logic is possible)?
I don't think there is a solution for both line items into a single notification request as BRFplus. Possibly, you could also look at a custom notification rule (Function Module) that checks the previous notifications and agents (can leverage the MSMP instance logs) to see if the person received the notification?
Hi Colleen,
many thanks for your input.
As I only have experience in creating Initiator BRF+ Flat Rules so far, I tried to create a Routing BRF+ Flat Rule for the first time today. For this I followed the guide
http://wiki.sdn.sap.com/wiki/display/GRC/BRF+plus+Flate+Rule+-+GRC+Integration
but selected Routing Rule instead of Initiator Rule.
My questions on that so far:
1. To implement Scenario 1 and 2 I do not find the fields for Manager nor Role Owner to add for the decision table. Where to add these custom fields?
2. Also I don't know how to insert e.g. the condition Manager IS NOT Role Owner into the table. In the Initiator Rule I usually check for e.g. Field Company1 equals one Country and so on. But there I cannot check if Field "Company1" equals another Field "Company2". Do you know any guides available for this?
Thanks and kind regards,
Markus
Hi Markus,
To check the condition 'Manager = Role Owner', you will have to create two DB lookups. In one DB lookup you will get the manager and in the second you will get the role owner of the line item.
Then in the decision table you can compare the results of both lookups.
The following blog shows how to create a DB lookup for the role owner:
http://scn.sap.com/community/grc/blog/2013/03/15/using-brf-db-lookup-to-create-complex-msmp-rules
Regards,
Aman
Hi Markus,
Below is the solution, thanks to Amanjit & Colleen for showing the right path. This can be achieved using multiple DBLookups, in this case 4 DBLookups:
1. Get Request ID
2. Get Role ID
3. Get the Manager ID
4. Get the Role Approver ID
Following are the steps:
Step 1: Get Request ID
Request ID is in GRACREQ (Request Header) where REQNO = Request.ReqNo (select from context parameter). This will be used as expression in Manager ID Table to get the Manager for this Request only and not any other request.
Step 2: Get Role ID
Request ID is in GRACROLE (Role) where Role_Name=Request.Role_Name (select from context parameter). This will be used as expression in Role ID Table to get the Role for this Request only and not any other request.
Step 3: Get Manager ID
Now create a DBLookup for Manager ID. Manager ID is in the GRACREQOWNER Table with Req_ID=Get_REQ_ID (Request No from Step 1) and UserType="MAN". Put that ID in a variable, let's say User ID.
Step 4: Get Role Approver ID
Role Approver ID is in the GRACROLEAPPRVR Table where Role_ID=Get_Role_ID (Role ID from Step 2). We can put that in the Approver Variable.
Step 5: Create Condition in Decision Table
Create simple condition that if DBLOOKUP-MGR=DBLOOKUP-ROW (Manager = Role Owner) then True otherwise False.
Hope this helps.
Best Regards.
Shahid.
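The lookup chain from the steps above, as an added example that is not part of the original thread and not SAP code. It models the four tables in an in-memory SQLite database; the key columns use the names given in the post, while USER_ID, APPROVER and all sample rows are assumptions made for this sketch.

```python
import sqlite3

# Simplified stand-ins for the four tables named in the post. Key columns use
# the names from the post; USER_ID and APPROVER are assumed result columns.
SCHEMA = """
CREATE TABLE GRACREQ        (REQ_ID TEXT, REQNO TEXT);
CREATE TABLE GRACROLE       (ROLE_ID TEXT, ROLE_NAME TEXT);
CREATE TABLE GRACREQOWNER   (REQ_ID TEXT, USERTYPE TEXT, USER_ID TEXT);
CREATE TABLE GRACROLEAPPRVR (ROLE_ID TEXT, APPROVER TEXT);
"""

def build_sample_db():
    """Constructed sample data: two requests, three roles."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO GRACREQ VALUES ('R1', '1001')")
    db.execute("INSERT INTO GRACREQ VALUES ('R2', '1002')")  # no manager row
    db.execute("INSERT INTO GRACREQOWNER VALUES ('R1', 'MAN', 'JSMITH')")
    db.executemany("INSERT INTO GRACROLE VALUES (?, ?)",
                   [("A", "Z_DISPLAY"), ("B", "Z_POST"), ("C", "Z_ORPHAN")])
    db.executemany("INSERT INTO GRACROLEAPPRVR VALUES (?, ?)",
                   [("A", "JSMITH"), ("B", "MJONES")])  # role C has no approver
    return db

def lookup(db, sql, *args):
    """One DB lookup: the first matching value, or None when nothing matches."""
    row = db.execute(sql, args).fetchone()
    return row[0] if row else None

def manager_is_role_owner(db, reqno, role_name):
    # Steps 1 and 2: resolve the request and role keys from the context values.
    req_id = lookup(db, "SELECT REQ_ID FROM GRACREQ WHERE REQNO = ?", reqno)
    role_id = lookup(db, "SELECT ROLE_ID FROM GRACROLE WHERE ROLE_NAME = ?", role_name)
    # Step 3: manager of this request only (UserType = MAN).
    manager = lookup(db, "SELECT USER_ID FROM GRACREQOWNER "
                         "WHERE REQ_ID = ? AND USERTYPE = 'MAN'", req_id)
    # Step 4: approver of this role.
    approver = lookup(db, "SELECT APPROVER FROM GRACROLEAPPRVR WHERE ROLE_ID = ?", role_id)
    # Step 5: the decision-table condition. Two empty results must not count
    # as a match, or the role owner stage would be skipped with nobody approving.
    if not manager or not approver:
        return False
    return manager == approver
```

The empty-result guard in step 5 is the part worth carrying over to the real rule: a request without a manager and a role without an approver should route to the normal two-stage path, not be treated as "same person".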
Hi Shahid,
I need your help on this. I am trying to do a dblookup to retrieve Project Release in my decision table, which will trigger the Agent value based on different Project releases. I know this is possible using the standard flexibility given within BRF+, but I am missing any of the pieces.
I am doing 3 db lookups -
GRACREQ to get REQ_ID
GRACREQPROVITEM to get ROLE_NAME based on REQ_ID and PROV_TYPE used in above db lookup
GRACROLE - Get Project Release Based on above db lookup fields - ROLE_NAME
Is this the right approach to do this?
I am creating a DB lookup from GRACREQ to get Req_Id, and GRACREQPROVITEM to get Role_Name based on REQ_Id. But at this time, I am unable to search the first DB lookup in expression. There it shows 0 results found.
When I select the REQ_ID in context parameter, which is now showing the element added in DB lookup.
The third lookup I am doing on table GRACROLE, where it looks for REQ_ID and PROV_TYPE ROL and brings PrjRel as a return value.
In none of the places, including the Decision table, am I able to get the DB lookup. As a result, my decision table will not give the desired output.
If you guys have any solution for that, please suggest.
Thanks,
Sabita
Hello Shahid,
As I can see, you seem to be an expert in creating DB Lookups. I am trying to implement the solution from Amanjit "Using BRF+DB lookup to create complex MSMP rules". I'm stuck at this step:
I can't get this role guid from the context. Can you please have a look at the screenshot below? Am I on the right way? Where can I select this ROLE GUID (GRAC_S_R...-ROLE_GUID)? Select context parameter? If yes, I can only find the row GUID (Type Text).
Please advise me!
Thanks a lot in advance,
Best regards
Sabrina