BRF+ Initiator Rule MSMP Workflow
Hi all,
I try to create a new initiator rule via BRF+. In this rule I want to check the request type and if there is a role approver for the roles added to the request.
The problem is, I can't find an entry for role approver in the structure GRAC_S_REQUEST_RULE_LINE. And a new added data object with the binding to the DDIC element GRAC_ROLE_APPROVER does not work.
What can I do?
Thanks in advance!
Jan
Hi Jan,
When creating the new BRF+ rules, you should be looking to have an Expression with a Decision Tree and then define your logical criteria there which will then generate a specific result.
You will then assign the generated result to a path in the MSMP config.
I would ensure that you have the appropriate elements expressed in your decision tree to identify the desired results.
Simon
Similar Messages
-
Hello Experts,
We are just trying to configure the basic components of Access Control on AC 10.
We have configured PSS and when we are trying to configure workflow for access requests we are running into issues.
I Just wanted to check what I configured makes sense.
We only need basic functionality.
1.User Lock,Unlock ---Where the only Approver is Manager ( We have configured LDAP so the system picks up manager details for the user)
2.Next is Validity Extension where we don't want any stage but the users can change their validity date just by submitting request and request is auto approved (Auto Provisioning has been configured)
3.We need Change Acct(For Adding of new roles)
4.We need New Acct(For creating new acct and also adding roles in same step)
I see that the major difference w.r.t. 5.3 to 10 is that in 5.3 we have different kind of Request types and we can have different initiators but in 10 we have a process id (Access Request) which pretty much covers above 1-4 etc and we have a single standard initiator(If we want more we need to use BRF+)
So Initially I configured in such a way that the request only goes to manager and it is approved .Here I had to use the system name and it worked fine.
Then I configured second stage of role owner approval and then when i add system and role it was erroring out so i just added the role and did a change acct and it worked fine.Don't know why it wasn't taking system and role together(could be because the role already has system name and maybe it didn't want redundant values)
So after configuring second stage when I tried to use it for user lock/unlock it is erroring out as obviously it doesn't like taking just system name.
My Config settings based on MSMP workflow.
1. Process ID -- SAP_GRAC_ACCESS_REQUEST
2. Rule ID-GRAC_AC_INITIATOR(Rule Result --GRAC_DEFAULT_RESULT)
5.Maintain Paths-GRAC_DEFAULT_PATH
Maintain Stages- GRAC_MANAGER,GRAC_ROLEOWNER
sorry for such a long post but I am at my wit's end as I am so near yet so far from the solution.
Thanks
UdayHi Kuashal,
I had imported only 1 role using role import from access mgmt.I am not using ERM.
I also found out yesterday that the error i was getting gave me a new description
Incorrect path and stage class entry for process SAP_GRAC_ACCESS_REQUEST
Error when generating a new version 000027 for process SAP_GRAC_ACCESS_REQUEST
and also when i try to activate other process id's it works fine but only for this process id i am getting an error.
logged an OSS message .
Will get back with any reply -
Error in Generating GRC BRF Agent Rule
Hello Gurus,
I am atrying to generate a BRF Agent Rule but am aaunable to activate MSMP workflow corresponding to that:
Error in MSMP Workflow while activation:
1) MSMP process SAP_GRAC_ACCESS_REQUEST_HR version IMG Configuration Tables contains errors
2) abap dictionary data object binding is out of synchronization
Below are the screen shots of my BRF Rule configuration. I have created a procedure call which is tied to function moduleHello,
I assume you have already checked the below document where it is explained the procedure call and Function
cross check your settings with below document
AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls
if everything is fine provide the MSMP error screen shot.
Regards
Baithi -
Simple MSMP workflow for Emergency Access Management
Hi,
I am not able to get the EAM to work in Access Control 10. The user is able to successfully place a access request for FFid but there is a error in the workflow logs. I have not done any customization of the MSMP for GRAC_DEFAULT_PATH and other similar stages, as I am not aware of the the specific values that need to be maintained.
I want to avoid customizing as much as possible and use what SAP offers by default. The workflow steps I am looking for is : user places a request for FFid and the request is received by the FFid Owner (Manager) and approved by him, Once approved, the FFID is provisioned automatically and the user can login to tcode GRAC_SPM and use his FFid, and the Controller gets alerted about the log.Hi Veera,
Did you define a condition in your initiator decision table in BRF+ to route your EAM requests to firefighter path.
Do you have stage called FF Owner?
Did you create a Firefighter path in MSMP configuration with FF Owner stage in it?
Did you maintained route mapping in your MSMP workflow configuration?
Please share your BRF+ initiator decision table and MSMP workflow config screenshots to help you further.
If you are new to MSMP and BRF+ config, please check this link for understanding the concept.
MSMP - Multi Step Multi Process – GRC&#82... | SCN
Regards,
Madhu. -
BRF+ Routing Rule not showing Expression
Hi Experts,
I am trying to create a BRF+ routing rule (line item by line item) within SAP Standard Process ID - SAP_GRAC_ACCESS_REQUEST
The purpose is to use it as a detour based upon Role attributes. Although the rule is generated in ABAP screen, when I try to modify BRF+ rule, the Expression where decision table is located, not coming up.
When I test it, it gives error - Expression not set.
What could be the issue? Need your help.
Thanks & Regards,
SabitaHi Sabita,
Definitely look up those courses! I'm an instructor for them in the UK and these sorts of questions are exactly those which most people ask on the courses!
GRFN_MW_S_ROUTING is a structure which contains those two fields. This should be the Result Data Object which will then automatically place those two fields as the results.
The Condition columns are user driven inputs where you give the criteria for the routing rules e.g. Business process or role criticality etc.
For routing rules or initiator rules, there are two sources for the information; the request header (attributes of the request) or the request line items (attributes of the roles on the request). There are some fields which may exist in both (e.g. Business process for the access request or the business process assigned to the Role) which explains why there are duplicates in the list. When selecting the conditions, scroll right to the bottom of the list and you'll find the Structures which show Header or Line Item. If you expand those, then you will see the list of fields again. By doing this, you'll know whether you're looking at the header or line item field.
Select the appropriate fields as the columns and then add in the rows to identify the specific criteria. -
How to create Detour in MSMP Workflow?
Hello GRC Experts,
we are implementing GRC Access Control 10.0 with all four components: CUP, BRM, EAM and RAR.
We have customized the CUP and BRM Workflows without Detour rules, they are working fine so far. But now we have a following issue:
We would like to create Detour rules for CUP Workflow for the following Scenario:
1. Case: No SoD
Request-->Role Owner Approval-->Provisioning
2. Case: SoD
Request--> SoD Risk-->Security Stage-->Role Owner (if Security Stage approves, then Role Owner also approves)--> Provisioning
I have Created two paths in MSMP workflow:
1st Path is Default Path with only one stage: Role Owner Approval stage
2nd Path is SoD Path with two stages:
Default and Security Stage
I have tested the CUP Workflow after creating of the Routing Rule, but it seems, it doesnt work. I have assigned a technical Role to a User, who has SOD risks. Me as approval received a notification about new work item, then I approved the role, and afterwards the Role was assigned to a user, whitout beeing forwarded to a security stage.
Can you please give me an advice what I have to do in order to make it work?
Thanks in advance,
best regards
SabrinaHello Mangesh,
let me explain you my issue:
When I am creating an request for my test user (Role Assigning), I am performing a Risk Analysis during the request creation. As you can see, I have SODs in my request.
My paths:
I have created two pathes:
Path1: GRAC_DEFAULT_PATH: with one stage. Routing enabled. With the ID: GRAC_MSMP_DETOUR_SODVIOL. Escalation to a Specified agend (Security Team)
Path 2: Z_GRAC_DEFAULT_PATH (SOD Path)
with two stages:
001:Role Owner Stage (Routing enabled) to a specified agent
002: Security Stage: no Routing enabled.
The Problem is, even though I have SOD in my reguest, no detour to a second path is occuring.There is somewhere a mistake, but I dont know where.
Here is my Route mapping.
Please, give me an advice, what I did wrong.
The another issue which makes me surprised. When I run the Report: Risk Volation in Access Request, there is no Violation! But I have SOD violations (see Schrrenshot no1)
Why this Report didnt Show the violations?
I hope, I could make you cleare, where is the Problem now?
Default path is working fine, bur the detour is not working. And the Report doesnt Show the violations...
Thanks in advance
best regards
Sabrina -
BADI for MDGF rule based workflow
Hi Experts,
I am really struggling to get a badi that can route on field assigned in my single and agent decision tables. I have used the standard BADI that was provided in RDS documentation for BP and Materials and just tried to change the entity name and field names without success.
Can anyone please provide me with an example where someone has used this to route on field in finance.
I am trying to route on Segment for Profit center
Your help will be highly appreciated
Thanks and best regards
RiaanHi Abdullah,
I am using an existing attribute in the data model OG in the entity PCTR. The field name is PCTRSEG and element is fb_segment. In my rule based workflow in the Single decision table I have added fb_segment and I have populated the values against step 00. I have also updated my agent decision table with the fb_segment value.
I am attaching the BADI that I am struggeling with.
The service name for the change request is in the BADI filter. Thus when the requestor submit the Badi will be called and it will route to the person assigned in my agent decision table against the relevant segment..
My problem is the following:
The issue is that I don't know where I should maintain PCTRSEG and where I should maintain fb_segment in the BADI. Thus, where do I use the attribute name from the data model and where do I use the data element from the model.
When the requestor submit the request it does not go to the next approver and I get the error" Agent could not be determined"
I found ,when I change any of the values for the segment in the single and agent decision tables to not equal, example <> 1001 that the workflow works but all change requests will go to the same person.
Thus my assumption is that something might be wrong with the BADI
Your help will be highly appreciated
Thanks
Riaan
Please find Badi below
method IF_USMD_SSW_RULE_CNTX_PREPARE~PREPARE_RULE_CONTEXT.
DATA:
lo_crequest TYPE
REF TO if_usmd_crequest_api,
lt_entities TYPEusmd_t_crequest_entity,
ls_entity TYPE usmd_s_crequest_entity,
lr_table TYPE REF TO data,
lt_sel TYPE usmd_ts_sel,
ls_sel TYPE usmd_s_sel,
lv_brf_expr_id TYPEif_fdt_types=>id,
ls_context TYPEusmd_s_fdt_context_value,
lv_exit TYPE c.
FIELD-SYMBOLS: <lt_fin_int>
TYPE ANY TABLE,
<ld_fin_int> TYPE
any,
<pctrseg> TYPEfb_segment,
<value> TYPE
any.
* Prepare export parameters
CLEAR et_message.
CLEAR et_rule_context_value.
* Get the CR API for the current
CR
CALL METHOD cl_usmd_crequest_api=>get_instance
EXPORTING
iv_crequest = iv_cr_number
IMPORTING
re_inst_crequest_api = lo_crequest.
* Create data instance of the
entity PCTR for read access
CALL METHOD lo_crequest->create_data_reference
EXPORTING
iv_entity ='PCTR'
i_struct =if_usmd_model=>gc_struct_key_attr
IMPORTING
er_table =lr_table
et_message =et_message.
CHECK et_message IS
INITIAL.
ASSIGN lr_table->*
TO <lt_fin_int>.
* Get the instance keys for entity
type PCTR
CALL METHOD lo_crequest->read_objectlist
EXPORTING
iv_entity_type = 'PCTR'
IMPORTING
et_entity = lt_entities
et_message =et_message.
CHECK et_message IS INITIAL.
* Read the PCTR entity of the one
and only PCTR of the CR
READ TABLE lt_entities INTOls_entity INDEX 1.
CHECK sy-subrc = 0.
ls_sel-fieldname ='PCTRSEG'.
ls_sel-sign = 'I'.
ls_sel-option = 'EQ'.
ls_sel-low = ls_entity-usmd_value.
APPEND ls_sel TO lt_sel.
CALL METHOD lo_crequest->read_value
EXPORTING
i_fieldname = 'PCTRSEG'
it_sel = lt_sel
if_edition_logic = abap_false
IMPORTING
et_data = <lt_fin_int>
et_message = et_message.
* Get the one and only FB_SEGMENT
of the one PCTR in the CR
LOOP AT <lt_fin_int> ASSIGNING <ld_fin_int>.
ASSIGN COMPONENT 'PCTRSEG'OF STRUCTURE <ld_fin_int>
TO <pctrseg>.
EXIT.
ENDLOOP.
CHECK sy-subrc = 0.
* fill out the return table
get_element_id(
EXPORTING
iv_cr_type = lo_crequest->ds_crequest-usmd_creq_type
iv_name ='PCTR'
IMPORTING
ev_brf_expr_id = lv_brf_expr_id ).
ls_context-id = lv_brf_expr_id.
CREATE DATA ls_context-value TYPE fb_segment.
ASSIGN ls_context-value->* TO <value>.
<value> = <pctrseg>.
APPEND ls_context TO et_rule_context_value.
endmethod. -
How to do binding of rule with workflow
hi all
i have a problem regarding the binding of rule ,which i have maintained ,with the workflow on which i am working.
can any one please guide me how to do the binding of rule with workflow,the way am doing is like:
i have vreated a container element in workflow compatible with container element used in rule where agents are kept.
problem is arising when am trying to import that container in rule to my workflow ,at this step please suggest what should i bind in the binding of the workflow container.
the exact parameters detail will really appreciated.
am not new to the rule or workflow but somehow thing am doing is not working exactly the way i want it to be so.
full marks will be rewarded
best regards
ashishHi Ashish,
Please refer the following link. It may be helpful.
http://help.sap.com/saphelp_crm60/helpdata/en/c5/e4b0ae453d11d189430000e829fbbd/content.htm
Regards,
Johnny. -
What is a rule in workflows, when is it used
Hi,
Rule is widely used for determining the workitem responsible agents using any custom logic. You can create it using transaction PFAC. Once you create it you can use the rule in your activiy for assigning it to the agents.
You need to pass the required parameters to the rule container so that your custom logic reads it from there and determines the agents.
I am sure SAP documentation provides you a much detailed explanation on how to create and use rule. For reference you can check the rule 00000168.
Thanks,
Prasath N -
Hi all
What is rule in workflow . How to create one.
Kindly explain a scenario where rule is used.Hi,
Rule is widely used for determining the workitem responsible agents using any custom logic. You can create it using transaction PFAC. Once you create it you can use the rule in your activiy for assigning it to the agents.
You need to pass the required parameters to the rule container so that your custom logic reads it from there and determines the agents.
I am sure SAP documentation provides you a much detailed explanation on how to create and use rule. For reference you can check the rule 00000168.
1. Go to PFAC ---> 00000168 ---> display.
Check this for more Info.
http://help.sap.com/saphelp_nw04s/helpdata/en/04/926f8546f311d189470000e829fbbd/frameset.htm
Thanks,
Reward If Helpful. -
Responsibility rule in workflow
hi ,
i have created a resposibility rule for workflow.
i want to agent assignment to the responsibilitys.
i have implementd in client 060.
i want to do agent assignment in client 090.
that icon is disable in 090 client.
how cani do agent assignment for diffrent clients.
<b>i cant transafer the agent assignment in the workflow, becuase positions client dependent.</b>
pls give me suggestion.
Thanks
Sankar
Message was edited by: sankar suryaSankar,
You have to use txn OOCU_RESP to maintain agent assignments for responsibility rules in different clients.
Cheers,
Ramki Maley. -
BRF (Business Rules Framework)
Hi all,
Anybody knows what is the scope of BRF (Business Rules Framework) and for what is used for? Advantages and disadvantages?
I already read the information in help.sap.com But is very technically and unclearly for me.
Thanks in advance,
Ricardo.Hi Ricardo,
Here is just a detailed info for your questions
BRF - is an event-controlled runtime environment for processing rules.
The BRF also contains a maintenance environment in which a rule administrator can edit and configure BRF objects.
The BRF is object-oriented and therefore offers appropriate enhancement mechanisms that are modification-free and upgrade-independent.
Advantages
Easy implementation and configuration of rules with minimal coding
Easy maintenance of rules as there is not much coding involved
Easy extension in order to support application specific data
Reward Points if found helpfull
Message was edited by:
Seemanthini R -
Associate Business Rules with Workflow
Hi All,
We have a planning application, and forms are having some business rules.
Now our requirement is, when a user promote his cost center to another user, he should not have the access the Business Rules for that cost center.
so, is there any way that we can associate business rules with workflow?
Thanks in Advance,
Edited by: user12865804 on Oct 4, 2010 2:26 AMYa that will be a tricky one.
The only general comment is to build this into your process.
So you will give everyone a window to add To Be Hires during 1 or 2 week period. Then you block everyone and remove the ability to launch the script. Then managers review. So this becomes disconnected from "workflow" the tool inside of Planning.
You could build something but this would be way outside the out of the box process and I wouldn't want to go there personally. You would move the calc into a maxl script and build in code to validate against the workflow tables to see if the calc will work or not. This would require all sort of validate scripting and error handling and would require bring in some experts probably. The only other scenario is to troll the forums and maybe find someone how built something like this and get them to share their code.
In principal what you want sounds obvious and make sense to be in the tool. -
BOIS 4.2 - Disabling Rule Approval Workflow
Greetings,
How can we disable the rule approvals workflow in Information Steward ? from the application itself or from CMC ?
Regards,Rule Approval is a part of rule management and governance process around validation rules. It's not possible to disable the rule approval.
Can you explain your scenario and need for disabling the rule approval? -
Hi all.
I am new to workflow. Can you pls let me know how to use the rule in worklow .I have created a rule using the transaction PFAC. Pls provide me some screen shots which demonstrates hoe to use this rule in workflow.Thanks in advance.
Cheers,
sami.Hi SAMI
go to this pdf in SCN.All about rules.
https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d053fe48-6513-2b10-a59f-871923ff99d8
Second thing workflows related question should be posted at
SAP-Netweaver -> workflow
Regards
s@chin
Maybe you are looking for
-
What is the alternate for T3ServicesDef.config()
Hi, In 5.1, I was using T3ServicesDef.config().getProperty(DBStatic.WEBLOGIC_PORT_IDENTIFIER) inside my program to get the port where my server is running. Now it seems I need to use Management APIs. Could someone please let me know how to do it usin
-
Content removed.
-
Mac mini core duo 1.66 ghz processor upgrade
For all those who are savvy with compatibility of motherboards and processors could someone please tell me if I wanted to upgrade my cpu, what would the maximum processing power of the CPU be? My computer is old (mac mini intel from 2006) and I am wi
-
OK, I downloaded creative cloud in order to get the free trial of Photoshop, while inside the creative cloud i installed Photoshop, it say's it's done downloading, but how do i open up Photoshop? I can't find it in my library and when i'm inside the
-
Urgent: MacBook Backlight Off
I seem to have pressed some kind of deadly key combination that has completely disabled my display's backlight. The screen is barely readable and none of the normal brightness buttons or sliders are having any effect. Any ideas on how to get things b