Wednesday, 30 October 2013

GRC AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls




In an access request, you sometimes want to route the request based on the risk violations it contains. MSMP provides standard function-module-based detour/initiator rules, such as 'GRAC_INITIATOR_SOD_VIOLATIONS' and 'GRAC_MSMP_DETOUR_SODVIOL', that route a request based on risk violations. These standard rules are inflexible, however: to add another routing condition alongside the risk violation, you have to change the ABAP logic within these function modules.
So with the standard rules you can route a request based on risk violation only. An initiator rule based on risk violation and the 'Sensitivity' of the role, or a routing rule based on the 'Risk Level' of the violations, is not possible with standard rules unless you change the ABAP logic.
In this document we will see how to use BRF+ to create a flexible initiator/routing rule that checks a combination of multiple conditions, not just risk violations. We will take the following business scenario as an example:
Business Scenario:
If an access request contains risk violations with Risk Level 'High', the request should be routed to a special path; if no violations with Risk Level 'High' are found, it continues on the normal path.
We will use a BRF+ procedure call to get the risk violations in the request. In the procedure call, we will use one of the standard function modules to get the risk violation details of a request.
Follow the steps below to create a BRF+ flat rule that implements the above scenario.
1.) Generate BRF+ Shell for Access Request Initiator from transaction 'GRFNMW_DEV_RULES'
  • Fill generation criteria (Process ID, Rule type, etc.)
  • Specify Generation options and select any field from Header or Item to ensure decision table is generated automatically
  • Generate rule shell (Execute button)


2.) Activate Empty BRF+ Rule using transaction BRF+
  • To locate the generated function, use menu, 'Workbench -> Open Object' and specify object ID from previous step
  • Activate the function
  • Change the mode to “Event Mode”
3.) Change Result Data Object of BRF Function
  • Since Function mode has been changed to “Event mode,” the result data object has changed automatically, so it has to be reset manually
  • In “Signature” tab of BRF Function, change the result data object to GRFN_MW_S_ROUTING
4.) Function Module to Get Risk Violation Details
  • We will call the function module “GRAC_IDM_RISK_WITH_NO_SERVICES” in the BRF+ rule to get the violation details
  • It returns a table with violations; so first, we will create a table in BRF rule which will hold the result of the function call
5.) Create Data Object
  • From context menu of BRF+ application, create a Data Object of type “Table”
  • This data object will hold the risk analysis result

  • Select DDIC Binding and provide the name of the DDIC Table Type, “GRAC_T_WS_RA_OP_RISK_ANLYS_ID”
  • Activate the Data Object


6.) Create Procedure Call to Get Risk Analysis Result
  • Create a procedure call from context menu of BRF application

  • Within procedure call, select Call Type of “Function Module” and provide Function module name as “GRAC_IDM_RISK_WITH_NO_SERVICES.” Press “Enter” key after providing function module name.
  • Add parameters to the procedure call

  • Select the Data Object created in step 5 as “Result Data Object” for this procedure call

Map Parameters to Context Fields
  • Click on Mapped parameters to expand the details
  • Assign value to these parameters using BRF+ context parameters
  • Activate procedure call



7.) Create Expression — Table Operation : Check Risk Analysis Result Table for Risks
  • Create an expression of type “Table Operation”
  • This expression will read the result table of procedure call to check if any violations exist

  • This expression will read the result table of procedure call “RISK_ANALYSIS_RESULT” to check if any violations exist
  • Additionally, here we are checking for any risk with “High” risk level
  • Activate “Table Operation” expression



8.) Add Condition Column to Decision Table

  • Go to Decision Table that was generated automatically
  • From decision table settings, add a column from expression and use expression “READ_RISK_VIOLATION,” which is a table operation


9.) Add Business Logic to Decision Table
  • Add conditions to the decision table
  • Based on the result of “Table Operation,” which checks whether any “High” risk violations exist in request or not, the path of request is decided



10.) Create Ruleset

  • Go to BRF+ function and create a new ruleset
  • Add variable “RISK_ANALYSIS_RESULT,” which was created in previous steps, to the ruleset


11.) Add Rule to Ruleset

  • Create new rule within ruleset
  • Within this new rule, call the procedure that was created in previous steps

12.) Add Second Rule to Ruleset

  • Within same ruleset, create second rule that will call the “Table Operation” expression “READ_RISK_VIOLATION”
  • This table operation will read the violations, which are returned by procedure call



13.) Add Third Rule to Ruleset

  • Within same ruleset, create third rule that will call the “Decision Table” expression
  • Decision table operation will internally call table operation to check if any violation was returned by procedure call and, based on the result, it can decide the path of request

14.) Check sequence of rules within ruleset
  • Check the sequence of rules within ruleset
  • First rule in the sequence should be procedure call, second should be table operation, and last should be decision table
  • Activate all objects

Now you can configure this rule in the MSMP configuration and use it as a routing or initiator rule.
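
The rule logic assembled in steps 6 to 14, modelled in Python as an added example (not SAP code and not from the original post): the procedure call fills the result table, the table operation looks for a 'High' row, and the decision table picks the path. The sample data, field names and path names are constructed, and the model assumes an unfilled result table reads as empty, which shows why the sequence checked in step 14 matters.

```python
# Simplified model of the ruleset from steps 6-14; not SAP or BRF+ code.
# Field names, request IDs and path names are hypothetical.

# Constructed sample: rows the procedure call would return per request.
SAMPLE_VIOLATIONS = {
    "REQ-0001": [{"risk_id": "R001", "risk_level": "High"},
                 {"risk_id": "R002", "risk_level": "Medium"}],
    "REQ-0002": [{"risk_id": "R003", "risk_level": "Low"}],
    "REQ-0003": [],
}

def procedure_call(ctx):
    """Rule 1: fill RISK_ANALYSIS_RESULT (stand-in for the function module)."""
    ctx["RISK_ANALYSIS_RESULT"] = list(SAMPLE_VIOLATIONS[ctx["request_id"]])

def read_risk_violation(ctx):
    """Rule 2: table operation, true if any row has risk level High."""
    rows = ctx.get("RISK_ANALYSIS_RESULT", [])  # assumed empty if unfilled
    ctx["READ_RISK_VIOLATION"] = any(r["risk_level"] == "High" for r in rows)
    return ctx["READ_RISK_VIOLATION"]

def decision_table(ctx):
    """Rule 3: evaluates the table operation internally and picks the path."""
    ctx["result"] = "SPECIAL_PATH" if read_risk_violation(ctx) else "NORMAL_PATH"

CORRECT_ORDER = (procedure_call, read_risk_violation, decision_table)
WRONG_ORDER = (decision_table, procedure_call, read_risk_violation)

def run_ruleset(request_id, rules=CORRECT_ORDER):
    """Execute the rules in sequence and return the routing result."""
    ctx = {"request_id": request_id}
    for rule in rules:
        rule(ctx)
    return ctx["result"]

def misrouted(rules):
    """Requests whose path differs from what the correct sequence yields."""
    return [rid for rid in SAMPLE_VIOLATIONS
            if run_ruleset(rid, rules) != run_ruleset(rid)]

if __name__ == "__main__":
    for rid in SAMPLE_VIOLATIONS:
        print(rid, run_ruleset(rid))
    print("misrouted with wrong order:", misrouted(WRONG_ORDER))
```

In this model, running the decision table before the procedure call sends the request with a 'High' violation down the normal path without raising any error.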

1 comment:

  1. Really appreciate your post. Thanks for all that work. It's very easy to understand as well.
