BRF+ Initiator Rule MSMP Workflow

Similar Messages

• AC 10 MSMP Workflow

  Hello Experts,
  We are just trying to configure the basic components of Access Control on AC 10.
  We have configured PSS and when we are trying to configure workflow for access requests we are running into issues.
  I Just wanted to check what I configured makes sense.
  We only need basic functionality.
  1.User Lock,Unlock ---Where the only Approver is Manager ( We have configured LDAP so the system picks up manager details for the user)
  2.Next is Validity Extension where we don't want any stage but the users can change their validity date just by submitting request and request is auto approved (Auto Provisioning has been configured)
  3.We need  Change Acct(For Adding of new roles)
  4.We need New Acct(For creating new acct and also adding roles in same step)
  I see that the major difference w.r.t. 5.3 to 10 is that  in 5.3 we have different kind of Request types and we can have different initiators but in 10 we have a process id (Access Request) which pretty much covers above 1-4 etc and we have a single standard initiator(If we want more we need to use BRF+)
  So Initially I configured in such a way that the request only goes to manager  and it is approved .Here I had to use the system name and it worked fine.
  Then I configured second stage of role owner approval and then when i add system and role it was erroring out so i just added the role and did a change acct and it worked fine.Don't know why it wasn't taking system and role together(could be because the role already has system name and maybe it didn't want redundant values)
  So after configuring second stage when I tried to use it for user lock/unlock it is erroring out as obviously it doesn't like taking just system name.
  My Config settings based on MSMP workflow.
  1. Process ID -- SAP_GRAC_ACCESS_REQUEST
  2. Rule ID-GRAC_AC_INITIATOR(Rule Result --GRAC_DEFAULT_RESULT)
  5.Maintain Paths-GRAC_DEFAULT_PATH
     Maintain Stages- GRAC_MANAGER,GRAC_ROLEOWNER
  sorry for such a long post but I am at my wit's end as I am so near yet so far from the solution.
  Thanks
  Uday

  Hi Kuashal,
  I had imported only 1 role using role import from access mgmt.I am not using ERM.
  I also found out yesterday that the error i was getting gave me a new description
  Incorrect path and stage class entry for process SAP_GRAC_ACCESS_REQUEST
  Error when generating a new version 000027 for process SAP_GRAC_ACCESS_REQUEST
  and also when i try to activate other process id's it works fine but only for this process id i am getting an error.
  logged an OSS message .
  Will get back with any reply

• Error in Generating GRC BRF Agent Rule

  Hello Gurus,
  I am atrying to generate a BRF Agent Rule but am aaunable to activate MSMP workflow corresponding to that:
  Error in MSMP Workflow while activation:
  1)    MSMP process SAP_GRAC_ACCESS_REQUEST_HR version IMG Configuration Tables contains errors
  2)    abap dictionary data object binding is out of synchronization
  Below are the screen shots of my BRF Rule configuration. I have created a procedure call which is tied to function module

  Hello,
  I assume you have already checked the below document where it is explained the procedure call and Function
  cross check your settings with below document
  AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls
  if everything is fine provide the MSMP error screen shot.
  Regards
  Baithi

• Simple MSMP workflow for Emergency Access Management

  Hi,
  I am not able to get the EAM to work in Access Control 10. The user is able to successfully place a access request for FFid but there is a error in the workflow logs. I have not done any customization of the MSMP for GRAC_DEFAULT_PATH and other similar stages, as I am not aware of the the specific values that need to be maintained.
  I want to avoid customizing as much as possible and use what SAP offers by default. The workflow steps I am looking for is : user places a request for FFid and the request is received by the FFid Owner (Manager) and approved by him, Once approved, the FFID is provisioned automatically and the user can login to tcode GRAC_SPM and use his FFid, and the Controller gets alerted about the log.

  Hi Veera,
  Did you define a condition in your initiator decision table in BRF+ to route your EAM requests to firefighter path.
  Do you have stage called FF Owner?
  Did you create a Firefighter path in MSMP configuration with FF Owner stage in it?
  Did you maintained route mapping in your MSMP workflow configuration?
  Please share your BRF+ initiator decision table and MSMP workflow config screenshots to help you further.
  If you are new to MSMP and BRF+ config, please check this link for understanding the concept.
  MSMP - Multi Step Multi Process – GRC&#82... | SCN
  Regards,
  Madhu.

• BRF+ Routing Rule not showing Expression

  Hi Experts,
  I am trying to create a BRF+ routing rule (line item by line item) within SAP Standard Process ID - SAP_GRAC_ACCESS_REQUEST
  The purpose is to use it as a detour based upon Role attributes. Although the rule is generated in ABAP screen, when I try to modify BRF+ rule, the Expression where decision table is located, not coming up.
  When I test it, it gives error - Expression not set.
  What could be the issue? Need your help.
  Thanks & Regards,
  Sabita

  Hi Sabita,
  Definitely look up those courses! I'm an instructor for them in the UK and these sorts of questions are exactly those which most people ask on the courses!
  GRFN_MW_S_ROUTING is a structure which contains those two fields. This should be the Result Data Object which will then automatically place those two fields as the results.
  The Condition columns are user driven inputs where you give the criteria for the routing rules e.g. Business process or role criticality etc.
  For routing rules or initiator rules, there are two sources for the information; the request header (attributes of the request) or the request line items (attributes of the roles on the request). There are some fields which may exist in both (e.g. Business process for the access request or the business process assigned to the Role) which explains why there are duplicates in the list. When selecting the conditions, scroll right to the bottom of the list and you'll find the Structures which show Header or Line Item. If you expand those, then you will see the list of fields again. By doing this, you'll know whether you're looking at the header or line item field.
  Select the appropriate fields as the columns and then add in the rows to identify the specific criteria.

• How to create Detour in MSMP Workflow?

  Hello GRC Experts,
  we are implementing GRC Access Control 10.0 with all four components: CUP, BRM, EAM and RAR.
  We have customized the CUP and BRM Workflows without Detour rules, they are working fine so far. But now we have a following issue:
  We would like to create Detour rules for CUP Workflow for the following Scenario:
  1. Case: No SoD
  Request-->Role Owner Approval-->Provisioning
  2. Case: SoD
  Request--> SoD Risk-->Security Stage-->Role Owner (if Security Stage approves, then Role Owner also approves)--> Provisioning
  I have Created two paths in MSMP workflow:
  1st Path is Default Path with only one stage: Role Owner Approval stage
  2nd Path is SoD Path with two stages:
  Default and Security Stage
  I have tested the CUP Workflow after creating of the Routing Rule, but it seems, it doesnt work. I have assigned a technical Role to a User, who has SOD risks. Me as approval received a notification about new work item, then I approved the role, and afterwards the Role was assigned to a user, whitout beeing forwarded to a security stage.
  Can you please give me an advice what I have to do in order to make it work?
  Thanks in advance,
  best regards
  Sabrina

  Hello Mangesh,
  let me explain you my issue:
  When I am creating an request for my test user (Role Assigning), I am performing a Risk Analysis during the request creation. As you can see, I have SODs in my request.
  My paths:
  I have created two pathes:
  Path1: GRAC_DEFAULT_PATH: with one stage. Routing enabled. With the ID: GRAC_MSMP_DETOUR_SODVIOL. Escalation to a Specified agend (Security Team)
  Path 2: Z_GRAC_DEFAULT_PATH (SOD Path)
  with two stages:
  001:Role Owner Stage (Routing enabled) to a specified agent
  002: Security Stage: no Routing enabled.
  The Problem is, even though I have SOD in my reguest, no detour to a second path is occuring.There is somewhere a mistake, but I dont know where.
  Here is my Route mapping.
  Please, give me an advice, what I did wrong.
  The another issue which makes me surprised. When I run the Report: Risk Volation in Access Request, there is no Violation! But I have SOD violations (see Schrrenshot no1)
  Why this Report didnt Show the violations?
  I hope, I could make you cleare, where is the Problem now?
  Default path is working fine, bur the detour is not working. And the Report doesnt Show the violations...
  Thanks in advance
  best regards
  Sabrina

• BADI for MDGF rule based workflow

  Hi Experts,
  I am really struggling to get a badi that can route on field assigned in my single and agent decision tables. I have used the standard BADI that was provided in RDS documentation for BP and Materials and just tried to change the entity name and field names without success.
  Can anyone please provide me with an example where someone has used this to route on field in finance.
  I am trying to route on Segment for Profit center
  Your help will be highly appreciated
  Thanks and best regards
  Riaan

  Hi Abdullah,
  I am using an existing attribute in the data model OG in the entity PCTR. The field name is PCTRSEG and element is fb_segment. In my rule based workflow in the Single decision table I have added fb_segment and I have populated the values against step 00. I have also updated my agent decision table with the fb_segment value.
  I am attaching the BADI that I am struggeling with.
  The service name for the change request is in the BADI filter. Thus when the requestor submit the Badi will be called and it will route to the person assigned in my agent decision table against the relevant segment..
  My problem is the following:
  The issue is that I don't know where I should maintain PCTRSEG and where I should maintain fb_segment in the BADI. Thus, where do I use the attribute name from the data model and where do I use the data element from the model.
  When the requestor submit the request it does not go to the next approver and I get the error" Agent could not be determined"
  I found ,when I change any of the values for the segment in the single and agent decision tables to not equal, example <> 1001 that the workflow works but all change requests will go to the same person.
  Thus my assumption is that something might be wrong with the BADI
  Your help will be highly appreciated
  Thanks
  Riaan
  Please find Badi below
  method IF_USMD_SSW_RULE_CNTX_PREPARE~PREPARE_RULE_CONTEXT.
      DATA:
        lo_crequest      TYPE
  REF TO if_usmd_crequest_api,
        lt_entities      TYPEusmd_t_crequest_entity,
        ls_entity        TYPE usmd_s_crequest_entity,
        lr_table         TYPE REF TO data,
        lt_sel           TYPE usmd_ts_sel,
        ls_sel           TYPE usmd_s_sel,
        lv_brf_expr_id   TYPEif_fdt_types=>id,
        ls_context       TYPEusmd_s_fdt_context_value,
        lv_exit          TYPE c.
    FIELD-SYMBOLS: <lt_fin_int>
  TYPE ANY TABLE,
                   <ld_fin_int>  TYPE
  any,
                   <pctrseg>      TYPEfb_segment,
                   <value>      TYPE
  any.
  * Prepare export parameters
    CLEAR et_message.
    CLEAR et_rule_context_value.
  * Get the CR API for the current
  CR
    CALL METHOD cl_usmd_crequest_api=>get_instance
      EXPORTING
        iv_crequest          = iv_cr_number
      IMPORTING
        re_inst_crequest_api = lo_crequest.
  * Create data instance of the
  entity PCTR for read access
    CALL METHOD lo_crequest->create_data_reference
      EXPORTING
        iv_entity    ='PCTR'
        i_struct     =if_usmd_model=>gc_struct_key_attr
      IMPORTING
        er_table     =lr_table
        et_message   =et_message.
    CHECK et_message IS
  INITIAL.
    ASSIGN lr_table->*
  TO <lt_fin_int>.
  * Get the instance keys for entity
  type PCTR
    CALL METHOD lo_crequest->read_objectlist
      EXPORTING
        iv_entity_type = 'PCTR'
      IMPORTING
        et_entity      = lt_entities
        et_message     =et_message.
    CHECK et_message IS INITIAL.
  * Read the PCTR entity of the one
  and only PCTR of the CR
    READ TABLE lt_entities INTOls_entity INDEX 1.
    CHECK sy-subrc = 0.
    ls_sel-fieldname ='PCTRSEG'.
    ls_sel-sign = 'I'.
    ls_sel-option = 'EQ'.
    ls_sel-low    = ls_entity-usmd_value.
    APPEND ls_sel TO lt_sel.
    CALL METHOD lo_crequest->read_value
      EXPORTING
        i_fieldname      = 'PCTRSEG'
        it_sel           = lt_sel
        if_edition_logic = abap_false
      IMPORTING
        et_data          = <lt_fin_int>
        et_message       = et_message.
  * Get the one and only FB_SEGMENT
  of the one PCTR in the CR
    LOOP AT <lt_fin_int> ASSIGNING <ld_fin_int>.
      ASSIGN COMPONENT 'PCTRSEG'OF STRUCTURE <ld_fin_int>
  TO <pctrseg>.
      EXIT.
    ENDLOOP.
    CHECK sy-subrc = 0.
  * fill out the return table
    get_element_id(
      EXPORTING
        iv_cr_type = lo_crequest->ds_crequest-usmd_creq_type
        iv_name    ='PCTR'
      IMPORTING
        ev_brf_expr_id = lv_brf_expr_id ).
    ls_context-id = lv_brf_expr_id.
    CREATE DATA ls_context-value TYPE fb_segment.
    ASSIGN  ls_context-value->* TO <value>.
    <value> = <pctrseg>.
    APPEND ls_context TO et_rule_context_value.
    endmethod.

• How to do binding of rule with workflow

  hi all
  i have a problem regarding the binding of rule ,which i have maintained ,with the workflow on which i am working.
  can any one please guide me how to do the binding of rule with workflow,the way am doing is like:
  i have vreated a container element in workflow compatible with container element used in rule where agents are kept.
  problem is arising when am trying to import that container in rule to my workflow ,at this step please suggest what should i bind in the binding of the workflow container.
  the exact parameters detail will really appreciated.
  am not new to the rule or workflow but somehow thing am doing is not working exactly the way i want it to be so.
  full marks will be rewarded
  best regards
  ashish

  Hi Ashish,
  Please refer the following link. It may be helpful.
  http://help.sap.com/saphelp_crm60/helpdata/en/c5/e4b0ae453d11d189430000e829fbbd/content.htm
  Regards,
  Johnny.

• Rule in Workflow

  What is a rule in workflows, when is it used

  Hi,
  Rule is widely used for determining the workitem responsible agents using any custom logic. You can create it using transaction PFAC. Once you  create it you can use the rule in your activiy for assigning it to the agents.
  You need to pass the required parameters to the rule container so that your custom logic reads it from there and determines the agents.
  I am sure SAP documentation provides you a much detailed explanation on how to create and use rule. For reference you can check the rule 00000168.
  Thanks,
  Prasath N

• What is rule in workflow

  Hi all
     What is rule in workflow . How to create one.
      Kindly explain a scenario where rule is used.

  Hi,
  Rule is widely used for determining the workitem responsible agents using any custom logic. You can create it using transaction PFAC. Once you create it you can use the rule in your activiy for assigning it to the agents.
  You need to pass the required parameters to the rule container so that your custom logic reads it from there and determines the agents.
  I am sure SAP documentation provides you a much detailed explanation on how to create and use rule. For reference you can check the rule 00000168.
  1. Go to PFAC --->   00000168 ---> display.
  Check this for more Info.
  http://help.sap.com/saphelp_nw04s/helpdata/en/04/926f8546f311d189470000e829fbbd/frameset.htm
  Thanks,
  Reward If Helpful.

• Responsibility rule in workflow

  hi ,
  i have created a resposibility rule for workflow.
  i want to agent assignment to the responsibilitys.
  i have implementd in client 060.
  i want to do agent assignment in client 090.
  that icon is disable in 090 client.
  how cani do agent assignment for diffrent clients.
  <b>i cant transafer the agent assignment in the workflow, becuase positions client dependent.</b>
  pls give me suggestion.
  Thanks
  Sankar
  Message was edited by: sankar surya

  Sankar,
  You have to use txn OOCU_RESP to maintain agent assignments for responsibility rules in different clients.
  Cheers,
  Ramki Maley.

• BRF (Business Rules Framework)

  Hi all,
  Anybody knows what is the scope of BRF (Business Rules Framework) and for what is used for? Advantages and disadvantages?
  I already read the information in help.sap.com… But is very technically and unclearly for me.
  Thanks in advance,
  Ricardo.

  Hi Ricardo,
    Here is just a detailed info for your questions
  BRF - is an event-controlled runtime environment for processing rules.
  The BRF also contains a maintenance environment in which a rule administrator can edit and configure BRF objects.
  The BRF is object-oriented and therefore offers appropriate enhancement mechanisms that are modification-free and upgrade-independent.
  Advantages
          Easy implementation and configuration of rules with minimal coding
          Easy maintenance of rules as there is not much coding involved
          Easy extension in order to support application specific data
  Reward Points if found helpfull
  Message was edited by:
          Seemanthini R

• Associate Business Rules with Workflow

  Hi All,
  We have a planning application, and forms are having some business rules.
  Now our requirement is, when a user promote his cost center to another user, he should not have the access the Business Rules for that cost center.
  so, is there any way that we can associate business rules with workflow?
  Thanks in Advance,
  Edited by: user12865804 on Oct 4, 2010 2:26 AM

  Ya that will be a tricky one.
  The only general comment is to build this into your process.
  So you will give everyone a window to add To Be Hires during 1 or 2 week period. Then you block everyone and remove the ability to launch the script. Then managers review. So this becomes disconnected from "workflow" the tool inside of Planning.
  You could build something but this would be way outside the out of the box process and I wouldn't want to go there personally. You would move the calc into a maxl script and build in code to validate against the workflow tables to see if the calc will work or not. This would require all sort of validate scripting and error handling and would require bring in some experts probably. The only other scenario is to troll the forums and maybe find someone how built something like this and get them to share their code.
  In principal what you want sounds obvious and make sense to be in the tool.

• BOIS 4.2 - Disabling Rule Approval Workflow

  Greetings,
  How can we disable the rule approvals workflow in Information Steward ? from the application itself or from CMC ?
  Regards,

  Rule Approval is a part of rule management and governance process around validation rules. It's not possible to disable the rule approval.
  Can you explain your scenario and need for disabling the rule approval?

• How to use rule in workflow

  Hi all.
       I am new to workflow. Can you pls let me know how to use the rule in worklow .I have created a rule using the transaction PFAC. Pls provide  me some screen shots which demonstrates   hoe to use  this rule in workflow.Thanks in advance.
  Cheers,
  sami.

  Hi SAMI
  go to this pdf in SCN.All about rules.
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/d053fe48-6513-2b10-a59f-871923ff99d8
  Second thing workflows related question should be posted at
  SAP-Netweaver -> workflow
  Regards
  s@chin