
User Access Review Workflow

mohammed_shariff
Explorer
0 Kudos

I am trying to add a column "user group" in BRF+ to use in an agent rule in the UAR workflow. The requirement is that the UAR request should go to the regional reviewer based on user group. Example: Asia region users' UAR requests will be reviewed by the Asia Reviewer. How should I achieve this scenario?

Thanks in advance.

Accepted Solutions (1)


0 Kudos

Hi Mohammed,

Here we go:

In MSMP, you have an Agent ID, pointing to BRF rule ID.

In BRF, you will have:

- one DB Lookup expression, let's call it User_group_for_User

In this lookup, you will define the following:

select CLASS from USR02

with condition BNAME is equal to <user id coming from grc>

into <structure for user group>

- in your decision table, you will have one field for the db lookup as one of the condition columns.

Hope it helps?

Let me know!

Thanks

Luciana

mohammed_shariff
Explorer
0 Kudos

Thank you Luciana,

I am able to create BRF with the DB lookup expressions, as you explained.

Mohammed.

0 Kudos

Great!! Good job!

Former Member
0 Kudos

Luciana,

We are trying to achieve the same scenario as described above. When I look at the table USR02 in GRC, it doesn't show all the user group information from the back-end Production system users, so which table should I use for this? Also, can you explain in a little more detail how to create a DB lookup expression, as I am new to creating BRF+ rules?

Appreciate your response.

-Raghu.

0 Kudos

Hi Raghu,

In Mohammed's scenario, they were mapping a DB Lookup table to get users based on UserGroup from USR02 table. In your case, do you also want to create a DB Lookup for users based on usergroup? Let me know what DBLookup you need to create.

Former Member
0 Kudos

Hello Luciana,

Since we have a scenario where the UAR request should go to the operations manager instead of the user's manager, we are planning to have an FM created which will fetch the data for us and use this to create a custom agent. I wanted to check if this works and how to go about calling this FM to create the agent in MSMP.

Also, we wanted to make UAR a 2-stage approval. Stage 1 will be the Operations Manager and, once they approve, it should go to the Role Owner at stage 2. Is this feasible? If so, how can I achieve that?

Thank you so much for your valuable inputs.

-Raghu.

Former Member
0 Kudos

Hello Raghu, the above scenario was seemingly for User Group info stored in the table USR02, so in your case, if the Ops. Manager is stored in some dictionary table, then you can create a DB lookup similarly via the SELECT as mentioned by Luciana - this is the way for a BRF+ rule.

Otherwise, your mention of an FM would mean writing a piece of ABAP code to do a similar SELECT on the tables - this is the way for a Function Module based rule.


Once you have implemented either of the above ways, you can then map the created rule into MSMP under Maintain Agents option and use it further at the stage level.

0 Kudos

Thanks Manik for the help!

Former Member
0 Kudos

Thank you Luciana and Manik for your response.

former_member82556
Participant
0 Kudos

Hey Luciana, I tried your suggestion, but as soon as you get to the step below, I am unable to select the "user id coming from grc". When you generate a UAR WF MSMP rule, the user id is actually a result field, so how would this work?

  "Select CLASS from USR02

   with condition BNAME is equal to <user id coming from grc>

   into <structure for user group> "

I did use this suggestion for an access request approval and it worked great... any guidance would be appreciated.

Former Member
0 Kudos

Hello Salim, you have to adjust your input fields in the BRF. This should be the field which contains the user under review - this user would be contained in the UAR request, so you can use the appropriate field, not in result, but as input.

Former Member
0 Kudos

Hello Manik,

Thanks for your reply. If I have a developer create a table for user ID and corresponding operations manager in GRC, how do I use this in BRF+? Could you explain in detail how I can use the logic to have this rule created in a BRF+ DB lookup?

Your help is much appreciated.

Regards,
Raghu.

Former Member
0 Kudos

Please follow the steps as prescribed in the link below:

http://scn.sap.com/community/grc/blog/2013/03/15/using-brf-db-lookup-to-create-complex-msmp-rules


This should go well. All the best!

Answers (1)


Former Member
0 Kudos

Hi,

Go to SPRO>>Governance, Risk and Compliance>>Access Control>>Workflow for Access Control>>Maintain MSMP Workflows

Select SAP_GRAC_USER_ACCESS_REVIEW in process global setting>>Maintain Agents>> and then add agents,


Below is the example for the details to be filled,



Hope this helps.

BR,

Mangesh

alessandr0
Active Contributor
0 Kudos

Dear Mangesh,

your pictures cannot be shown..

Regards,

Alessandro

Former Member
0 Kudos

Dear Alessandro,

Thanks for notifying it, I don't have the access to GRC right now, so I will update the screenshot tomorrow.

but thanks once again

@Mohammad: it is just one example; here are the details, so you need not waste time on the screenshot.

Agent name: Z_Agent

Agent Description: Agent for user XYZ

Agent purpose: Approval/notification (select as per your need)

Agent type: PFCG user group (once you select this, an option will open to enter the user group; make sure you have already created this user group in the system)

User Group: ZXYZ

BR,

Mangesh

mohammed_shariff
Explorer
0 Kudos

Thanks Mangesh,

Your suggestion applies to all roles but in my scenario I have certain roles which should go to particular role reviewer.  This can be accomplished by creating a BRF+ agent rule with the following columns:

User group - role name - reviewer

I do not see "user group" as column in BRF+

Regards,

Mohammed

mohammed_shariff
Explorer
0 Kudos

Mangesh,

Here is my requirement:

Role XXX  reviewers:

Asia - Tom

Europe - Cindy

Japan - Chris

America - Darren

Role XYZ reviewer

Asia - Tom

Europe - Tom

Japan - Tom

America - Tom

I hope the above example throws light on my requirement.

Regards,

Mohammed
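The lookup-then-decision-table flow from the accepted solution, applied to the role and region matrix in the post above, as an added example that is not from any poster in the thread. It is a Python/sqlite3 model, not BRF+ or ABAP: USR02, BNAME and CLASS are the names used in the thread, while the user IDs, group codes and the ZUAR_REVIEWER table are constructed for illustration.

```python
import sqlite3

def build_db():
    # Constructed sample data. USR02/BNAME/CLASS are named in the thread; the
    # user IDs, group codes and the ZUAR_REVIEWER table are hypothetical.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE USR02 (BNAME TEXT PRIMARY KEY, CLASS TEXT);
        INSERT INTO USR02 VALUES ('ALEE','ASIA'), ('EMEYER','EUROPE'),
            ('JSATO','JAPAN'), ('ASMITH','AMERICA'), ('NOGROUP','');
        CREATE TABLE ZUAR_REVIEWER (ROLE TEXT, USER_GROUP TEXT, REVIEWER TEXT,
                                    PRIMARY KEY (ROLE, USER_GROUP));
        INSERT INTO ZUAR_REVIEWER VALUES
            ('XXX','ASIA','Tom'), ('XXX','EUROPE','Cindy'),
            ('XXX','JAPAN','Chris'), ('XXX','AMERICA','Darren'),
            ('XYZ','ASIA','Tom'), ('XYZ','EUROPE','Tom'),
            ('XYZ','JAPAN','Tom'), ('XYZ','AMERICA','Tom');
    """)
    return db

def user_group(db, user_id):
    """Step 1, the DB lookup: CLASS from USR02 where BNAME is the user under review."""
    row = db.execute("SELECT CLASS FROM USR02 WHERE BNAME = ?",
                     (user_id,)).fetchone()
    # Unknown user or empty user group both mean "no group to route on".
    return row[0] if row and row[0] else None

def resolve_reviewer(db, user_id, role):
    """Step 2, the decision table: (role, user group) -> reviewer, or None."""
    group = user_group(db, user_id)
    if group is None:
        return None
    row = db.execute(
        "SELECT REVIEWER FROM ZUAR_REVIEWER WHERE ROLE = ? AND USER_GROUP = ?",
        (role, group)).fetchone()
    return row[0] if row else None

def route(db, items):
    """Group (user, role) review items by reviewer; key None holds unrouted items."""
    queues = {}
    for user_id, role in items:
        reviewer = resolve_reviewer(db, user_id, role)
        queues.setdefault(reviewer, []).append((user_id, role))
    return queues
```

Items under the `None` key are users with no user group, users missing from the lookup table, or roles with no row in the decision table; these are the review items that would otherwise have no regional reviewer.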

Former Member
0 Kudos

Hi,

Please define it as a data object by binding it to the existing expression, and then you will have it in the decision table for condition setup.

BR,

Mangesh

mohammed_shariff
Explorer
0 Kudos

Mangesh,

Could you please explain to me in detail how to define the data to the existing expression?

Appreciate your help.

Mohammed.