Monday, 14 October 2013

Key difference between MSMP BRF+ rule and BRF+ flat rule ( lineitem by lineitem)




Key difference between MSMP BRF+ rule and BRF+ flat rule ( lineitem by lineitem)




In MSMP, Access Controls 10.0 and 10.1 provides extremely flexible and powerful tool to configure Access Control workflows. In this blog we will try to understand some basic concepts about MSMP and BRF+.
Before we can start creating any BRF+ rule for MSMP, we need to understand the difference between MSMP BRF+ rule and BRF+ flat rule ( lineitem by lineitem ). The logic executed in both the rules is same but the difference is in the input, output and the way it is processed.

Following are some of key differences:


1.) MSMP BRF+ flat rule (lineitem by lineitem):
This rule is called flat rule or lineitem by line item rule because this rule is called by MSMP multiple times, once for each lineitem. So if in access request you have added 3 roles/systems, then this BRF rule will be called 3 times. As an input to this rule, MSMP sends detail of one lineitem at a time and this BRF rule provides result for that one lineitem only. BRF+ flat rule is easy to create as no loop is required and only one decision table (or other expression) is required for the logic. For example, consider an access request with 3 roles/system. In this case the BRF flat rule is called 3 times by MSMP with following input and output:

Input provided by MSMP to BRF+ flat rule in first call:
Item NameSystemRole TypeLINEITEM KEY...
ROLE1SYSTEM 1SIN0001


Output given by BRF+ to MSMP in first call:  
Lineitem KeyRule Result
0001RolePath



Input provided by MSMP to BRF+ flat rule in second call:
Item NameSystemRole TypeLINEITEM KEY...
ROLE2SYSTEM 2COM0002


Output given by BRF+ to MSMP in second call:  
Lineitem KeyRule Result
0002RolePath



Input provided by MSMP to BRF+ flat rule in third call:
Item NameSystemRole TypeLINEITEM KEY...
SYSTEM1SYSTEM10003


Output given by BRF+ to MSMP in third call:  
Lineitem KeyRule Result
0003SystemPath


So the flat rule is called once for each lineitem which makes its creation easier as no looping is required which is required in case of BRF+ rule.



2.) MSMP BRF+ rule:
In this case, all the lineitems (roles, systems and FFID...) present in the Access Request are sent to the BRF rule in form of a table. After processing, this rule has to return a table with lineitem key and result. For example, in case of initiator rule the input to BRF rule can be following table. The roles/system shown here are one that are added to access request.


INPUT sent by MSMP to BRF+
Item NameSystemRole TypeLINEITEM KEY...
ROLE1SYSTEM 1SIN0001
ROLE2SYSTEM 2COM0002
SYSTEM 1SYSTEM 10003





For the above input, the output of BRF rule will be something like following:
OUTPUT given by BRF+ to MSMP
Lineitem KeyRule Result
0001RolePath
0002RolePath
0003SystemPath

Please note that we have not shown the decision table which contains the logic to determine the path in case of initiator rule. Since complete request details are sent by MSMP to BRF+ rule for execution, so this rule is called only once by MSMP. Hence it is required that the logic to loop on all the lineitems has to be done within BRF+ rule. The decision table or other condition is called within the loop so that it is executed for all the lineitems one by one.





Key differences between BRF+ rule and BRF+ flat rule are again summarized below:



BRF+ Flat RuleBRF+ Rule
1.) Executed multiple times, Once for each lineitem1.) Executed only once
2.) Details of one lineitem at a time passed to BRF rule by MSMP2.) Complete request details passed to BRF rule by MSMP in form of a table
3.)Output of flat rule is result of one line item only3.) Output of BRF+ rule is complete table with all lineitems
4.) Easy to create as no loop is required4.) Complex as compared to flat rule as loop is required
5.) Some of business cases not possible in flat rule5.) Almost all business cases can be achieved by BRF+ rule

No comments:

Post a Comment