PFCG based agent rule on steroids :)

Requirement: Many clients do not have a one-to-one or one-to-many assignment of roles to role owners; instead they use specific logic to define role owners. In our setup, GRC approvers are defined based on functional area, business process, connector, etc. A role-based agent rule was created to make the GRC approvers easy to maintain.

Resolution: Create a BRF+ agent rule that fetches approvers based on decision table criteria and dummy role assignment.

BRF+ Design:

The following steps achieve the required result:

Step 1: Create the structure “AGR_USERS”.

Step 2: Create a decision table to provide “dummy role name” based on suitable selection.

Step 3: Create a DB lookup on table “AGR_USERS” to fetch users assigned to appropriate dummy roles.

Step 4: Create a “Ruleset” to process DB lookup and return approvers.

BRF+ Configuration:

The BRF+ rule has to be generated via transaction SPRO in the GRC system. Follow the steps below in your GRC system.

Run transaction SPRO and go to IMG => Governance, Risk and Compliance => Access Control => Workflow for Access Control => Define Workflow related MSMP rules.

Or

Directly execute TCode GRFNMW_DEV_RULES

  • Fill generation criteria (Process ID, Rule type, etc.)
  • Specify Generation options
  • Generate rule shell (Execute button)

After successful rule generation, go to BRF+ to check the newly created BRF+ application.

Function Signature update:

In the BRF+ function, change the mode to “Event Mode” and activate the function.

  • Since Function mode has been changed to “Event mode,” the result data object has changed automatically, so it has to be reset manually
  • In “Signature” tab of BRF Function, change the result data object to GRFN_MW_T_AGENT_ID

Create Structure:

  • From context menu of BRF+ application, create a Structure and bind it to AGR_USERS.
  • Save and activate this structure.

Create a Decision Table:

  • From context menu of BRF+ application, create an Expression of type “Decision Table”

  • Add “Condition” as well as “Result” column based on requirement
  • Note that AGR_NAME in result column can only be selected if structure AGR_USERS has already been created.
  • Create dummy roles in GRC backend system and assign to approvers
  • Populate the decision table with business data as required

 

Create DB Lookup:

  • From context menu of BRF+ application, create an Expression of type “DB Lookup”
  • Add the details below to the DB Lookup. Here the DB lookup is applied to table AGR_USERS based on the result received from ZROLEOWNER, and the user ID is inserted into GRFN_MW_T_AGENT_ID
  • Save and generate the DB Lookup

Create Ruleset:

Click “Create and Navigate To Object”

Create Rule as below:

 

Assign the ruleset to the function

Go to the function; under the assigned rulesets you should be able to find the “GET_APPROVER” ruleset.

Simulate BRF+ rule:

Provide mandatory context values like Business Process, Functional Area, Connector.

The function should return the user IDs of the role owners as per the settings in the decision table.
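The decision table and DB lookup steps above can be modelled offline to audit the result before relying on it in workflow. The following is an added example, not code from the original post or from SAP: it resolves a dummy role from the request context and then reads AGR_USERS, showing that a lookup filtering only on AGR_NAME also returns users whose role assignment has expired (AGR_USERS carries FROM_DAT and TO_DAT), and it lists dummy roles that currently have no valid approver. Role names, user IDs, the connector name and the first-match/blank-matches-anything table behaviour are assumptions made for the illustration.

```python
import sqlite3
from datetime import date

# Constructed decision table: (business process, functional area, connector) -> dummy role.
# None matches any value; the first matching row wins (assumed table mode).
DECISION_TABLE = [
    ("FIN", "AP", "ECCCLNT100", "ZGRC_APPR_FIN_AP"),
    ("FIN", None, None, "ZGRC_APPR_FIN"),
    ("HR", None, None, "ZGRC_APPR_HR"),
]
# Constructed AGR_USERS rows: AGR_NAME, UNAME, FROM_DAT, TO_DAT (YYYYMMDD).
AGR_USERS_ROWS = [
    ("ZGRC_APPR_FIN_AP", "ALICE", "20230101", "99991231"),
    ("ZGRC_APPR_FIN_AP", "BOB", "20230101", "20231231"),  # assignment expired
    ("ZGRC_APPR_FIN", "CAROL", "20230101", "99991231"),
    ("ZGRC_APPR_HR", "DAVE", "20220101", "20221231"),     # only approver, expired
]

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE AGR_USERS (AGR_NAME TEXT, UNAME TEXT, FROM_DAT TEXT, TO_DAT TEXT)")
    db.executemany("INSERT INTO AGR_USERS VALUES (?, ?, ?, ?)", AGR_USERS_ROWS)
    return db

def dummy_role(bproc, func_area, connector):
    # Decision table step: dummy role of the first matching row, or None.
    ctx = (bproc, func_area, connector)
    for row in DECISION_TABLE:
        if all(cell is None or cell == val for cell, val in zip(row, ctx)):
            return row[3]
    return None

def approvers(db, role, today, check_validity=True):
    # DB lookup step: users holding the dummy role, optionally only valid today.
    sql, args = "SELECT UNAME FROM AGR_USERS WHERE AGR_NAME = ?", [role]
    if check_validity:
        sql += " AND FROM_DAT <= ? AND TO_DAT >= ?"
        args += [today.strftime("%Y%m%d")] * 2
    return sorted(r[0] for r in db.execute(sql, args))

def roles_without_approver(db, today):
    # Audit: dummy roles in the decision table that resolve to no valid agent.
    roles = {row[3] for row in DECISION_TABLE}
    return sorted(r for r in roles if not approvers(db, r, today))

if __name__ == "__main__":
    print(roles_without_approver(build_db(), date(2024, 6, 1)))
```

Running the same comparison against an export of the real AGR_USERS entries for the dummy roles shows which decision table rows would route a request to an expired approver or to nobody.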

Conclusion: This custom agent rule allows us to skip the standard role owner maintenance process in GRC and assign approvers simply by assigning them dummy roles created in the GRC system. Dummy roles can be created as required, for example based on system\client, department, business process, etc.