cancel
Showing results for 
Search instead for 
Did you mean: 

BRF+ Flat Rule: How to combine approvals for an Agent

Former Member
0 Kudos

Dear all,

we use BRF+ Flat Rule for GRC Access Request:

For request type "New Account" and action "Create User" only Manager Approval is required = only one Stage.

Same request type but action "Role assignment" Manager Approval (same Manager as for Create User) AND Role Owner approval is required = two Stages.

If we now place a request type "New Account" for both action "Create User" and "Role assignment" an approval for Manager Stage is required twice by the same Manager:

1. line item: Create User

2. line item: Role Assignment

Using the above BRF+ Flat Rule we didn´t find any solution on how to enhance this Rule to combine approvals for BOTH line items into ONE request.

The Manager receives two notifications asking him to approve seperately the two line items of the same request. This is not really smart.

Any idea on how to enhance this scenario?

Many thanks,

Markus

Accepted Solutions (1)

Accepted Solutions (1)

Colleen
Advisor
Advisor
0 Kudos

Hi Markus

What if you tried to introduce routing?

  1. Initiator Rule - send both request scenarios down the same path that has a single stage. Initiator rule can then capture other scenarios as well
  2. Path for Initiator:
    1. Single Stage which has the Manager Approval (Create User Scenario)
    2. Notification for New item can be sent to the manger. Role Owner does not need to know yet.
    3. Introduce a routing rule (flat rule) which has two outcomes to capture both scenarios
    4. Scenario 1: Role Owner = Manager - Route down a new path 2
    5. Scenario 2: Role Owner <> Manager - Route down new path 3
  3. Path for Routing to Path 2 - have no stages so it automatically Approves. manage does not receive line item notification either (remove duplicate notification)
  4. Path for Routing to Path 3 - have a single stage for Role Owner where notification is also sent

I haven't attempted to prototype this one but figured it removes a duplicate approval/notification step (assuming the routing rule logic is possible)?

I don't think there is a solution for both line items into a single notification request as BRFplus. Possibly, you could also look at a custom notification rule (Function Module) that checks the previous notifications and agents (can leverage the MSMP instance logs) to see if the person received the notification?

Former Member
0 Kudos

Hi Colleen,

many thanks for your input.

As I only have experience in creating Initiator BRF+ Flat Rule so far I first time tried to create a Routing BRF+ Flat Rule today. For this I followed the guide

http://wiki.sdn.sap.com/wiki/display/GRC/BRF+plus+Flate+Rule+-+GRC+Integration

but selected Routing Rule instead Initiator Rule.

My questions on that so far:

1.     1.To implement Scenario 1 and 2 I do not find the fields for Manager nor Role Owner to add for the decision table. Where to add these custom fields?

2.     2.Also I don´t know how to insert eg condition Manager IS NOT Role Owner into the table. In Inititator Rule I usualy check for eg Field Company1 equals one Country and so on. But there I cannot check if Field "Company1" equals another Field "Company2". Do you know any guides available for this?

Thanks and kind regards,

Markus

Former Member
0 Kudos

From my limited experience with BRF+, you will only be able to use the fields which appear at the Header Level or Item Level from the request form. To determine if the Manager = Role Owner, I think a nested rule may be required.

I have still to test this scenario.

Former Member
0 Kudos

Hi Markus,

To check condition 'Manager = Role Owner', you will have to create two DB lookups . In one DB lookup you will get the manager and in second you will get role owner of line item.

Then in decision table you can compare results of both the lookups..

Following blog shows how to create DB lookup for role owner..

http://scn.sap.com/community/grc/blog/2013/03/15/using-brf-db-lookup-to-create-complex-msmp-rules

Regards,

Aman

Answers (1)

Answers (1)

Former Member
0 Kudos

Hi Markus,

Below is the solution..... thanks to Amanjit & Colleen for showing the right path. This can be achieved using Multiple DBLookups....in this case 4 DBLookups:

1. Get Request ID

2. Get Role ID

3. Get the Manager ID

4. Get the Role Approver ID

Following are the steps:

Step 1: Get Request ID

Request ID is in GRACREQ (Request Header) where REQNO = Request.ReqNo (select from context parameter) . This will be used as expression in Manager ID Table to get the Manager for this Request only and not any other request.

Step 2: Get Role ID

Request ID is in GRACROLE (Role) where Role_Name=Request.Role_Name (select from context parameter) . This will be used as expression in Role ID Table to get the Role for this Request only and not any other request.

Step 3: Get Manager ID

Now create DBLookup for Manager ID. Manager ID is in GRACREQOWNER Table with Req_ID=Get_REQ_ID (Request No from Step 1) and UserType="MAN". Put that ID in a variable lets say User ID.

Step 4: Get Role Approver ID

Role Approver ID is in GRACROLEAPPRVR Table where Role_ID=Get_Role_ID (Role ID from Step 2).We can put that in Approver Variable.

Step 5: Create Condition in Decision Table

Create simple condition that if DBLOOKUP-MGR=DBLOOKUP-ROW (Manager = Role Owner) then True otherwise False.

Hope this helps.

Best Regards.

Shahid.

Former Member
0 Kudos

Hi Shahid,

Need you guys help on this. I am trying to do dblookup to retrieve Project Release in my decision table, which will trigger Agent value based on different Project releases. I know this is possible using standard flexibility givne within BRF+, but I am missing any of the peices.

I am doing 3 db lookups -

GRACREQ to get REQ_ID

GRACREQPROVITEM to get ROLE_NAME based on REQ_ID and PROV_TYPE used in above db lookup

GRACROLE - Get Project Release Based on above db lookup fields - ROLE_NAME

Is this the right approach to do this?

I am creating DB lookup from GRACREQ to get Req_Id, and GRACREQPROVITEM to get Role_Name based on REQ_Id. But at this time, I am unable to search the first DB lookup in expression. There it show 0 result found.

When I select the REQ_ID in contetx paramter, which is now showing the element added in DB lookup.

Third lookup I am doing on table GRACROLE where it looks for REQ_ID and PROV_TYPE ROL and brings PrjRel as a return values.

None of the places ,including Decision table, I am able to get DB lookup. As a result, my decision table will not give desired output.

If you guys have any solution for that, please suggest.

Thanks,

Sabita

Former Member
0 Kudos


Hello Shahid,

as I can see, you seems to be an expert for creating DB Lookups. I am trying to implement the solution from Amanjit "Using BRF+DB lookup to create complex MSMP rules". Im stucking in this step:

I cant get this role guid from the context. Can you please have a look at the screenshot below? Am I on the right way? Where I can select this ROLE GUID (GRAC_S_R...-ROLE_GUID)? Select context parameter? If yes, I only can find the row GUID (Type Text).

Please advise me!

Thanks a lot in advance,

Best regards

Sabrina