on 10-27-2014 5:03 PM
Dear GRC Experts,
In SU01 of the plug-in system, we are using the User Group for Authorization Check under SU01 Logon Data also to define the assignment of the SAP IDs to e.g. countries/departments, rather than the attributes SU01 company address or SU01 User Group tab.
So in GRC access requests we need to define the User Group for Authorization Check in tab User System Details as a mandatory field.
Because of this we are required to use the User Group for Authorization Check in BRF+ decision table to define the rule result values per company/department.
Does anybody know how to include the User Group for Authorization Check as a Condition Column into the BRF+ Decision table?
Thanks and best regards,
Markus
Hi Markus,
If I have understood correctly, your requirement is that the User Group will be mentioned under System details during access request creation.
Based on the User Group mentioned in the access request, you need to retrieve the User Group and define the conditions in your decision table. The User Group field is available in both the Header and Item structures in BRF+.
So, what kind of conditions will you define in BRF+ based on User Group? Can you provide more details on this so that it will be easy to assist you?
Regards,
Madhu.
Dear Madhu,
Thanks for your reply.
The User Group in the header structure refers to SU01 User Group field USERGROUP but the User Group for Authorization Check we are using refers to field CLASS.
This field relates to user group under user system details tabs and is different to user group under tab user group. It is not part of the standard header structure.
Thanks and regards,
Markus
Hi Markus,
In the table settings for the "Decision table" expression in the BRF+ rule, add the "User Group" object from the "GRAC_S_REQUEST_RULE_LINE" structure to your condition column.
This is the SU01 usergroup you want to utilise based on the entries within "User System Details" tab in the Request screen.
See the screenshots below from BRF+.
The one you require to select is highlighted.
Hope that makes things clear for you.
Hi Markus,
You need to ensure you created your BRF+ Agent rule as a Flat line (Line Item by Line Item rule). This will enable you to get the Line Items structure in your Agent rule and allow you to select attributes in relation to line items (such as Roles as well as Systems, i.e. the User Groups).
Hope that helps.
Hi Madhu,
Quick question - outside of the BRF+, where is the user group being taken from? I need it to be taken from the data source that's been configured.
Instead, it's being taken from the systems associated with the roles that are selected.
Where might I set it to pick the user group supplied by the data source?
Santosh