Channel: SCN : Document List - Governance, Risk and Compliance (SAP GRC)

User Defaults - GRC 10.0


Purpose of User Defaults:


When a new user is created in the target system, all users of that system might require a few common user defaults such as Logon Language, Time Zone, Decimal Notation, Date Format, Parameters, etc. When a user is created through GRC, these user defaults can be assigned to the user based on the request type.

By including user defaults as part of the request type (mostly New Account), the user gets created with the required user defaults in the target system.

Important SAP notes to refer to before configuring User Defaults:


1615552 - GRC 10.0 How to set User Default


1665585 - User Defaults BRF+ rule not working correctly


2020712 - UAM: User group not provisioned after request provisioning

 

Steps to Implement User Defaults:


Step 1: Maintain the “User Defaults” action as part of your Request Type. My Request Type 36 is for “New Account” and I have assigned “User Defaults” as shown below.

SPRO => Governance, Risk and Compliance => Access Control => User Provisioning => Define Request Type

 

 

 

Step 2: Go to SPRO -> IMG -> GRC -> Access Control -> User Provisioning -> Maintain User Defaults

 

Define User defaults for different connectors connected to your GRC system. One example as shown below:

 

 

You can assign default User Group and default Parameters based on the connector by using options “Set the User Group” and “Set Parameter ID” in the above screen as per your requirement.

 

 

 

Once you define the User Defaults as mentioned above and save it, a unique “Default-Id” gets created as shown below. This is the User Default Id which will be used in BRF+ decision table while configuring User Defaults.

 

 

Step 3: The existing BRF+ User Defaults application “GRAC_BRFP_USER_DEFAULTS” provided by SAP is used during the configuration of user defaults.

 

 

Copy the Function Id of USER_DEFAULT_FUNCTION from BRF+ application.

 

 

Now map the BRF+ Application for user defaults under the IMG configuration shown below:

Go to IMG->Governance, Risk and Compliance->Access Control->Maintain AC Applications and BRFPlus Function Mapping

Step 4: Add Decision Table and Loop expression to BRF+ User Defaults function as shown below:

 

Decision Table: In the decision table maintain entries as shown below

 

 

Loop: To use "System" as one of the fields in the conditions for User Defaults, SAP suggests implementing a LOOP in the BRF+ rule. This might be needed because the "System" field is not available under the Request Header attributes; it is available under the Role Attributes, which are passed as line-item fields when the BRF+ rule is called. In such cases a LOOP is the suggested solution, rather than using the Decision Table directly. Within the LOOP, we can still call the Decision Table or implement IF/ELSE conditions.

 

Step 1:

Change the Mode of the BRF+ User Defaults Function from “Functional and Event Mode” to “Event Mode”


 

Now click on “Assigned Rule sets” tab in Function and click on “Create Ruleset”


 

Ruleset gets created as shown below. Now click on the Ruleset and navigate to Ruleset screen

 

 

Click on “Insert Rule” and select “Create” option as shown below


 

In the Rules screen, fill in the role description and click on “Add” button and select the options as shown below


 

 

 

Once the above step is completed LOOP is created. Now navigate to LOOP by clicking on LOOP_CONNECTOR_ITEMS and you will see below screen.


 

Once you click on “Create Rule”, you will get the below screen.


 

Select the decision table, since you want to LOOP over the entries in your decision table. Once done, click the “OK” button.


 

 


 

Ruleset: When a Function is in event mode, it looks for additional logic execution depending on the Rule-set defined.


Once all above things are done, activate the Decision table, Loop, Ruleset, Function and Application.

 

Step 5: Now create an access request to test the user defaults. Once the user is created, cross-check the user defaults in SU01. If all the above steps were followed properly, the user defaults are updated in SU01 as shown below.

 

 

Reference Links: http://wiki.scn.sap.com/wiki/display/GRC/Setting+up+User+Defaults


Enterprise Portal Integration with SAP GRC 10.0


Access Request Management (ARM) can connect to ABAP-based SAP systems such as SAP ERP (ECC), SAP SCM, SAP CRM and SAP Business Intelligence (BI) to create users and assign roles with pre-delivered ABAP-based programs. Enabling the same functionality with a Java-based system such as the SAP Enterprise Portal requires a different procedure and separate configuration. To connect to Java-based systems, you use pre-delivered Web services installed on the SAP Enterprise Portal for integration.

The following step-by-step guide demonstrates the configuration required to integrate SAP Enterprise Portal with GRC 10.0.

Step 1: Deploy the AC 10.0 web service; you will then find the following in WS Navigator.

 

Step 2: Create a type G SM59 connector. This will connect to the above web service for AUTH extraction and password generation.

Step 3: Create a type G SM59 connector. This will connect to EP’s SPML interface for PROV.

Step 4: Maintain the logical port for the WS connector in transaction LPCONFIG.


Step 5: Maintain Connector and Connection Types.

WS will be attached to the LPCONFIG endpoint. For SPML1, the logical port will be the same as the Target Connector.

Step 6: Define the EP Group (this will be used in field mapping).

Step 7: Attach both connectors (WS and SPML) to the AUTH scenario.

Make sure that the following classes are attached to the scenario.

Step 8: Do the same for the PROV scenario.

Step 9: And for the ROLMG scenario.

Step 10: Set as Production system.

Step 11: Create the group field mapping.

The default connector is the one that makes a runtime call to get the F4 help for system field names in the figure below.

Define the field mapping for the group; it applies to all the systems in that group (F4 from the default connector).

Define the technical parameter mapping.

Step 12: Synchronize the EP SPML schema.

The connector is the SPML connector we created earlier.

Step 13: Now sync users, roles and auths from EP.

This is done from the WS connector.

Step 14: Deploy the GRC Portal Content: the add-on portal business package GRC_POR, which contains the GRC Portal UI elements to access the GRC suite.

Step 15: Deploy the GRC Portal Plugin (GRCPIEP) (a must for GRC AC).

Step 16: Set the system alias for the GRC system in SAP NetWeaver Enterprise Portal as follows:

                  SAP-GRC

                  SAP-GRC-AC

                  SAP_GRC (in case of issues; faced by me in SP8)

                  SAP_GRC_AC (in case of issues; faced by me in SP8)

*If GRC PC is activated, the system aliases must be SAP-GRC and SAP-GRC-PC; for GRC RM, SAP-GRC and SAP-GRC-RM.


Step 17: Create the same user in both GRC and EP and assign the following Portal Roles to the user.

                a. GRC Access Control

                b. ERP Common

       Assign the required GRC roles to the user in the GRC system.

*If GRC PC or RM is activated, assign the GRC SUITE and ERP COMMON Portal Roles to the user, and additionally GRC Internal Audit Management if required by the user.

 

 

 

Procedure for creating a user in the Portal for accessing GRC roles:

1. Log on as portal user administrator and access the User Administration function.

2. If the user has been created by the User Management Engine (UME) that is connected to the GRC ABAP system, you do not need to create the user in the portal system.

If not, create a new portal user and assign the system to the user in the User Mapping for System Access tab, along with a mapped user ID and password.

3. After creating the user, go to the Assigned Roles tab and assign the role GRC Access Control to the user who has the power user role SAP_GRAC_FN_ALL in the ABAP system, to enable viewing of all the Work Centers (only if GRC AC is activated).

Hope this was useful. Please use the comments section to share your feedback and questions.

Top 10 most viewed SAP KBAs for GRC in 2014


Purpose


The purpose of this document is to provide links to the top 10 most viewed SAP KBAs for Governance, Risk and Compliance (GRC).

 


Overview

 

This page will be updated regularly as new documents are published.

 

Click on the month below to view the publications for each GRC component:

 

Access Control                                   

   March 2014

   April 2014

   May 2014

   June 2014

   July 2014

   August 2014

   September 2014

   October 2014

   November 2014

   December 2014

 

Process Control

   April 2014

   May 2014

   June 2014

   July 2014

   August 2014

   September 2014

   October 2014

   November 2014

   December 2014

 

Risk Management

   April 2014

   May 2014

   June 2014

 

 

 

 

 

 

Please note, in order to view the contents of the Knowledgebase Articles (KBA), you will need to be logged into Service Marketplace.

Minimum information to provide in discussion threads in the GRC space


Dear GRC Community,

 

As moderator of the GRC space I would like to hand out some general information on what is expected in a good discussion thread. Since I am following most of the threads in the GRC space, I can easily identify if a question is going to be answered quickly or if it's going round in circles for several days.

As most of the contributors are volunteers and offer up their free time, I would like to decrease the unproductivity and instead point the questions to more specific and helpful answers.

 

Prior to your first posting make sure that you have read and understood the rules of engagement: The SCN Rules of Engagement

 

The use of the search engine (that can be found on the top right corner) and also Google or any other is well appreciated as most of the content is already available here on SCN or SAP Wiki. To date, almost 12'000 discussions have been started on the GRC space including 400 documents and 180 blogs.

 

 

What is the minimum information required?

 

Please provide the following information in each discussion thread:

  • Detailed information on your current release and service pack level. It is enough to mention 10.0/SP12, 10.1/SP3, etc.
  • Already implemented SAP notes related to your issue
  • Elaborate your business case (what you are trying to achieve, etc.)

 

Also never assume that your counterpart has the background information of your project or environment. Hence provide useful information especially when you are not using standard functionalities.

 

Please note that discussion threads that do not meet the minimum requirements will be rejected by the moderators.

 

Looking forward to your contribution in the GRC space.

 

Best regards,

Alessandro

SAP Access Control - Useful Documents, Blogs, Resources, etc.


This document is a collection of the most useful SAP GRC Access Control documents, blogs, resources, links, etc. here in SCN.

 

Overview

Getting Started with SAP Governance, Risk and Compliance Solutions (GRC)

GRC Processes, Lifecycles and Responsibilities

GRC Systems Compatibility

 

 

General opinion and thought-leadership

Are you ready to implement GRC 10?

A lot of help from my friends

If I had it to do all over: looking back on GRC 10 projects

Lessons learned from SAP GRC projects

Remediating Access Control SoD Risks

Internal Controls - a step towards strong controls

Defining Mitigating Controls / Compensating Controls

IT Control Testing - SOX Compliance

A #GRC tool is just part of the solution

It’s Just a Few GRC Ideas….Place

 

 

GRC General

Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant

NWBC screen layout options for GRC

Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC

Configure LaunchPad for Menus

Customizing Access request and approval screens in GRC Access Control

Issues, Bugs in GRC SP13 - Related Fixes

[Wiki] General tips to help in troubleshooting scenarios

[Wiki] Access Control Debugging tips

SAP GRC AC 10.1 - Enhancements

How to delete roles, mitigation controls, users, and other informations from one connector

 

 

Product Support

GRC Product Support Monthly Newsletter

[Wiki] GRC Weekly News - Governance, Risk and Compliance - SCN Wiki

[Wiki] Top Ten - 2015 - Governance, Risk and Compliance - SCN Wiki

 

HR Triggers

[Wiki] Understanding HR Triggers in Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki

[Wiki] GRC 10.0 - HR Trigger configuration - Governance, Risk and Compliance - SCN Wiki

Example of decision table for GRC 10 HR Trigger rule, using BRF+ tool

GRC Access Control - Compliant User Provisioning: HR Triggers

[Wiki] Debugging HR Trigger - GRAC_HR_TRIGGER_EVENT_RECIEVER

[Wiki] Debugging HR Trigger - Simulation

[Wiki] Debugging HR Trigger - PA40 changes to infotypes

 

 

MSMP Workflows

AC 10.0 - Customizing Workflows for Access Management

MSMP - Multi Step Multi Process – GRC’s answer to Workflow Configuration Flexibility

 

 

BRF+ Configuration

Determining the Logic behind Decision Tables

 

 

LDAP

Configuring LDAP Connector in Compliant User Provisioning of GRC Access Control

LDAP Group parameter mapping.. what does it mean?

 

 

Mobile Apps in SAP GRC

Administrator guides for Access Approver, Policy Survey, etc.

Fiori apps in GRC – Install two applications in 5 easy steps

 

 

Access Control with Identity Management (IdM)

SAP BusinessObjects GRC 10.0 Integration Guide – Access Control 10.0 and NetWeaver Identity Management

SAP Access Control 10.0 Interface for Identity Management

 

 

SAP GRC with SAP BPC

How to Assign SAP Business Planning and Consolidation Authorizations via the SAP Governance, Risk, and Compliance (GRC) Access Control Compliance User Provisioning Product

 

 

Access Risk Analysis (ARA)

ARA - For the new kid on the block

Rule set - Rules & Rule Types

Business Risks / Rule Set

Download, Modify and Upload the Access Risk Analysis Rule Set in SAP Access Control 10.x.

How to set up a Configurable Business Rule

Online vs. Offline Risk Analysis

Creation of Mitigation Controls in GRC 10.0

Organizational Rules in GRC Access Control

Mass change of Mitigation Assignments

SAP GRC AC 10.0 Alerting

[Wiki] The Action Usage Sync job in technical details - GRC Access Control 10.0

[Wiki] The Repository - GRC Access Control 10.0

 

 

Access Request Management (ARM)

ARM - For the new kid on the block

AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls

Approve/Reject Own Requests

How to Change Subject Line in SAP GRC Email notification

Recommendations for using Business roles provisioning in access request

Configure Manager Look-Up in ARM for GRC 10

Role Search Screen Enhancement – GRC 10

Terminate Account - Request Process - GRC 10

Creating Access Request: Template Based Requests and Configuring End User Personalization forms for use with Access Requ…

GRC Request with both System and Role Line Items

Access Control 10 (ARM) – Risk Analysis Report Type is editable in Access Request.

Access Control: - Create Access Request Using Web Service in GRC10

Design Considerations to reduce Password Self Service (PSS) Intruder Risk

[Wiki] User Access Review(UAR) Workflow Configuration and Description - Governance, Risk and Compliance - SCN Wiki

Direct vs. Indirect Role Assignment

 

 

Business Role Management (BRM)

BRM - For the new kid on the block

Maintain Default Roles in BRM GRC AC 10.1

Role Import - GRC 10

Import Role from ECC to GRC system

[Wiki] Business Roles concept and usability in GRC AC10

Enabling Business Role updates to existing assigned users

BRM Default Approvers via Condition Groups

BRM Role Methodology via Condition Groups

 

Emergency Access Management (EAM)

EAM - For the new kid on the block

Usage of EAM

EAM - Provisioning Strategies

EAM Utilisation and Log Review Process 

ID-Based Firefighting vs. Role-Based Firefighting

AC 10.0 - Centralized Emergency Access

Configure Emergency Access (EAM) in GRC 10

De-centralized EAM GRC 10.0

EAM - Approve through Wrokflow

Emergency Access Management Reporting

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)

EAM: Requesting emergency access via access request workflow in SAP GRC - step by step.

 

 

See also

SAP Process Control - Useful Documents, Blogs, Resources, etc.

SAP Risk Management - Useful Documents, Blogs, Resources, etc.

SAP Fraud Management - Useful Documents, Blogs, Resources, etc.

 

 

Legend

 

[Document] SAP SCN Documents
[Blog] SAP SCN Blogs
[Wiki] SAP Wiki
Newly added document (Contributors: please select from Emoticons)

 

 

Please help in updating the collection so that new users can get a well structured overview for their information.

 

Best regards,

Alessandro

Customize OWP Workflow text in GRC Process Control 10.1


The Offline Workflow Process (OWP) is used to process workflow tasks offline through email and submit them back to the GRC Process Control system for further processing.

In GRC Process Control 10.1, the OWP workflow text does not contain information about the relevant Organization, Subprocess, Control, Period and Year of assessment. But there is the flexibility to include this information, as these parameters are contained in the OWP exit class responsible for sending the OWP workflow.

This functionality will be available in the Support Package assembly only.

However, if a customer wants to include the functionality:

Modify the document 'GRFN_OWP_DELIVER', which is responsible for sending the workflow text.

Execute transaction SE61 and choose the document class 'general text'.

Select the document 'GRFN_OWP_DELIVER' and choose to change the object:

You might change the general text to the example workflow text below:

 

Dear Colleague,

 

Please complete this task on or before due date: %DUE_DATE%

 

Task:%TASK_NAME%

Organization:%ORGANIZATION%

Control:%CONTROL%

Period and Year:%PERIOD_YEAR%

 

Open and complete the attached form. Submit it and send the resulting email.

 

Regards,

GRC Team

 

 

Save and activate the changes under a suitable correction request so that they are reflected in the OWP workflow text.

A customer enhancement for the change in the message class 0FN_OWP_DELIVER is required; otherwise we need to wait for the Support Package 11 assembly.

How to Fetch Manager's Manager from HR system.


This document covers the situation where you need the approval of the manager's manager.

In our scenario we distinguish between normal roles and critical roles.

We have a workflow for request type New/Change Account for role assignment. It goes through a 2-level approval process, unless the role is critical, in which case it goes through a 3-level approval process.

Critical roles are marked as critical within the role in GRC Access Control 10.1 Business Role Management, which is the repository of roles in the GRC system.


When a request is submitted by a user, a request number is created and a workflow is triggered.

The workflow takes the approval path based on the initiator rule created in BRF+.

The initiator rule takes the input parameters in a decision table and returns rule result values, which are mapped directly to the path to follow.

Here is an example of a BRF+ decision table.

For example, the New/Change request type is 001; when a role assignment is submitted, the request is checked against the initiator rules and takes the corresponding approval process.

 

The approval stages are maintained in MSMP for each path where Agent rules (approver determination Function Module) are mapped.

The Non critical role path is maintained with 2 stages of approval process

  1. Manager
  2. Role Owner


Critical Role Path is maintained with 3 stages of approval process

  1. Manager
  2. Manager's Manager
  3. Info Asset Owner


The determination of the approver (agent rule) is mapped to the stages; the workflow reads the stage details in the background and sends the work item to the approver's inbox.

There are SAP standard function-module-based rules for determining approvers such as Manager and Role Owner.

Determination of the manager's immediate head is not standard functionality, but it can be achieved using an ABAP Class based function module rule.

SAP GRC 10.1 Access Control provides the interface GRFNMW_DEV_RULES to develop your own rules, which can then be mapped into MSMP.

 

The rules created will be maintained in the MSMP Rules as approver, and will be used in MSMP Stages as approver agent.

 

When a request goes to the stages it sends the workflow item to the approver determined by the rule.

 

To achieve this, a function group (ZGRAC_FM_RULE) and a function-module-based rule (ZMGR2_CRA_AR) need to be created.

 

Step 1: Create a function group ZGRAC_FM_RULE

 

Step 2: Execute transaction GRFNMW_DEV_RULES and create a function-module-based agent rule ZMGR2_CRA_AR.

Copy GRAC_MSMP_MANAGER_AGENT to create the function module ZMGR2_CRA_AR.

 

It will be linked to MSMP process id SAP_GRAC_ACCESS_REQUEST by GRC Team (TECHM) once the development of new Function module rule is complete.

 

The agent function module rule should first run a query on table GRACREQ to get the Request GUID. It then looks up table GRACREQOWNER using the Request GUID of that particular request, looks for Usertype=MAN and reads the value of USERID, which is the ID of the manager of the user for whom the request is raised. The manager ID is then used as the user ID to look up its own manager, based on the data source configuration.

This is already configured in SPRO, Data Source configuration.

 

The function module rule is maintained under Maintain Rule in MSMP.

It is mapped to an Agent ID, which is used in the stage for approval.

Whenever a request is submitted, table GRACREQOWNER is updated with the Request ID; the manager's entry is stored with User Type MAN, and the manager's ID is stored under USERID.

 

1. The RFC information is stored in table GRACV_DETAIL_DS, where Connector ID is the RFC name and User Data Type = HR.

  Table GRACV_DETAIL_DS is a maintenance view table. Select queries cannot be applied on maintenance tables. As discussed, we can refer to table GRACUSERSOURCE, which is the root table of GRACV_DETAIL_DS.

                Read table GRACUSERSOURCE using the following parameters:

  • User Data Type: HR
  • Data source type: 01

If there are 2 HR systems, the loop checks the systems based on their sequence.

  • Once the manager ID is retrieved, its value is passed to the HR system using RFC. The RFC should call function module /GRCPI/GRIA_USR_GET_DETAILS with the manager ID and path, retrieve the manager's manager ID and pass it to the GRC system agent rule as the agent for that stage.

      

 

The following input parameters will be passed to FM /GRCPI/GRIA_USR_GET_DETAILS:

  • Manager ID of the user
  • Path ID – looked up in table GRACCONNSTAT by passing the connector = RFC connection
    (SPRO -> Maintenance Connector Settings)
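
The lookup chain described above, modelled in Python as an added example (not the author's ABAP and not SAP code): the tables are in-memory lists of constructed rows, column names other than USERTYPE and USERID are assumptions, and hr_manager_of() stands in for the RFC call to /GRCPI/GRIA_USR_GET_DETAILS. The rule also fails explicitly when no distinct manager's manager is found, which is an added check and not something the original states.

```python
"""Model of the manager's-manager agent rule (ZMGR2_CRA_AR) lookup chain.

All rows are constructed sample data. Column names other than USERTYPE and
USERID are assumptions made for this illustration.
"""


class AgentResolutionError(Exception):
    """Raised when no valid stage agent can be determined."""


GRACREQ = [  # request number -> request GUID
    {"REQNO": "1001", "REQ_GUID": "GUID-A"},
    {"REQNO": "1002", "REQ_GUID": "GUID-B"},
    {"REQNO": "1003", "REQ_GUID": "GUID-C"},
    {"REQNO": "1004", "REQ_GUID": "GUID-D"},
]
GRACREQOWNER = [  # owners per request; USERTYPE MAN marks the manager
    {"REQ_GUID": "GUID-A", "USERTYPE": "MAN", "USERID": "MGR_ALICE"},
    {"REQ_GUID": "GUID-B", "USERTYPE": "MAN", "USERID": "MGR_BOB"},
    {"REQ_GUID": "GUID-C", "USERTYPE": "OTH", "USERID": "SOMEONE"},
    {"REQ_GUID": "GUID-D", "USERTYPE": "MAN", "USERID": "CEO_EVE"},
]
GRACUSERSOURCE = [  # data source configuration, deliberately out of order
    {"USER_DATA_TYPE": "HR", "DS_TYPE": "01", "SEQ": 2, "CONNECTOR": "HR_B"},
    {"USER_DATA_TYPE": "HR", "DS_TYPE": "01", "SEQ": 1, "CONNECTOR": "HR_A"},
    {"USER_DATA_TYPE": "XX", "DS_TYPE": "02", "SEQ": 1, "CONNECTOR": "OTHER"},
]
HR_SYSTEMS = {  # connector -> {user ID: manager ID}; stands in for the RFC
    "HR_A": {"MGR_ALICE": "DIR_CAROL", "CEO_EVE": "CEO_EVE"},
    "HR_B": {"MGR_ALICE": "DIR_STALE", "MGR_BOB": "DIR_DAVE"},
    "OTHER": {"MGR_BOB": "NOT_HR"},
}


def request_guid(reqno):
    """Step 1: query GRACREQ for the Request GUID."""
    for row in GRACREQ:
        if row["REQNO"] == reqno:
            return row["REQ_GUID"]
    raise AgentResolutionError(f"request {reqno} not found in GRACREQ")


def request_manager(guid):
    """Step 2: read USERID of the Usertype=MAN row in GRACREQOWNER."""
    for row in GRACREQOWNER:
        if row["REQ_GUID"] == guid and row["USERTYPE"] == "MAN":
            return row["USERID"]
    raise AgentResolutionError(f"no USERTYPE=MAN owner for {guid}")


def hr_connectors():
    """Step 3: HR data sources (User Data Type HR, type 01) in sequence."""
    rows = [r for r in GRACUSERSOURCE
            if r["USER_DATA_TYPE"] == "HR" and r["DS_TYPE"] == "01"]
    return [r["CONNECTOR"] for r in sorted(rows, key=lambda r: r["SEQ"])]


def hr_manager_of(connector, user_id):
    """Step 4: placeholder for the RFC call into the HR system."""
    return HR_SYSTEMS.get(connector, {}).get(user_id)


def managers_manager_agent(reqno):
    """Return the manager's manager as stage agent, or raise."""
    manager = request_manager(request_guid(reqno))
    for connector in hr_connectors():
        superior = hr_manager_of(connector, manager)
        if superior is None:
            continue  # unknown here: try the next HR system in sequence
        if superior == manager:
            # Added check: an agent equal to the stage-1 manager would
            # collapse the three approval levels into two.
            raise AgentResolutionError(f"{manager} has no distinct manager")
        return superior  # assumption: the first HR system with a hit wins
    raise AgentResolutionError(f"{manager} not found in any HR data source")


if __name__ == "__main__":
    for reqno in ("1001", "1002", "1003", "1004", "9999"):
        try:
            print(reqno, "->", managers_manager_agent(reqno))
        except AgentResolutionError as err:
            print(reqno, "-> no agent:", err)
```

Raising an error instead of returning an empty agent keeps a request from moving past the stage without an approver being determined.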


Thank you.

AC 10 - How to delete Business Role from NWBC


This document explains the step-by-step process to delete the following types of roles from AC 10.

 

    • Business Roles
    • Composite Roles
    • Single Roles

 

 

  • Deletion of Business Role:

 

    When you try to delete the business role, you may get the error below. It means that the business role is being used in some request which is still open.

   To check all the requests for a particular PFCG/Business Role, check table GRACREQPROVITEM.

   This table gives you the list of all CUP requests where this role is being used. In the field "Provisioning Item", enter the business role (or the PFCG role if you need to see requests for a PFCG role) and execute. You can add date criteria as well if you are sure that no request beyond that date is open or using the mentioned role.

This gives you the list of all requests, open and closed. Please note that the field "Line Item Status in Application" of table GRACREQPROVITEM sometimes does not update the status of rejected/cancelled requests, so please verify the status in Search Request to make sure all requests are in Finished status.

Once the above check is complete, you can delete the business role.

Please note that in order to remove a business role, you don't have to remove the composite/single roles from the business role.

 

  • Deletion of Composite Role:

 

     When you try to delete the composite role, you may get the error below.

In this case also, please make sure that the composite role is not part of any business role and that there are no open requests for the composite role.

Sometimes you might face the same error even after doing the above steps; in that case refresh your session and try again. The role will be deleted.


How to create Regulations for Process Controls-GRCV10.0


Dear all,

 

This document gives you basic details about how to create regulations for GRC Process Control.

Regulations and Policies provide visibility into your compliance framework and access to end-to-end policy management.

Regulations are assigned to subprocesses, controls, IELCs (Indirect Entity-Level Controls), policies and ad-hoc issues, which are assigned to organizations.

Regulations are part of the master data.

Using the Regulations link, we can create a Regulation Group, a Regulation and a Regulation Requirement.

 

 

 

Step 1: Creation of Regulation Group

 

 

Provide the details and click on SAVE

 

 

Once the regulation group has been created, create the Regulation.

Step 2: Creation of Regulation

Select the regulation group and click on Regulation to create it.

Provide the regulation name and description, and select the Assign regulation configuration from the drop-down.

The Assign regulation configuration is maintained in SPRO:

SPRO > GRC > Process Controls > Multiple Compliance Framework > configure compliance Initiatives

 

 

 

 

 

 

Select the Assign regulation configuration from drop down, click on save

 

 

Now the regulation will be created under the regulation group.

 

 

 

Select the regulation and create regulation requirement


Step 3: Creation of Regulation Requirement

 

 

Provide the details and Save

 

 

Regards

Baithi

Part1:How to create Policy in Process Controls-GRCV10.0


Dear all,

 

This document gives you basic details about how to create policies in GRC Process Control.

Regulations and Policies provide visibility into your compliance framework and access to end-to-end policy management.

To create a policy, we first need to create a Policy Group.

Step 1: Create Policy Group

 

 

 

Provide the Name and Description, and select the Approval Survey from the drop-down.

Approval Surveys are available from the Survey Library, which is under the Assessments work center.

Select the category Policy Approval and provide the other details.

Note: We need to use Policy Approval as the category; only then will the survey be available for Policy.

 

 

Click Add to select the questions, which are defined in the question library.

 

 

Select the category as Policy Approval and provide other details, Save.

 

 

 

Now we can see this survey in the Approval Survey drop-down of the Policy Group.

The created policy group is now available for creating a Policy.

Select the Policy Group and click on Create Policy.

Step 2: Create Policy

 

 

Regards

Baithi

Top 10 most viewed SAP KBAs for GRC in 2014

$
0
0

Purpose


The purpose of this document is to provide links to the top 10 most viewed SAP KBA's for Governance, Risk and Compliance.(GRC)

 


Overview

 

This page will be updated regularly as new documents are published.

 

Click on the month below to view the publications for each GRC component:

 

Access Control                                   

   March 2014

   April 2014

   May 2014

   June 2014

   July 2014

   August 2014

   September 2014

   October 2014

   November 2014

   December 2014

 

Process Control

   April 2014

   May 2014

   June 2014

   July 2014

   August 2014

   September 2014

   October 2014

   November 2014

   December 2014

 

Risk Management

   April 2014

   May 2014

   June 2014

 

 

 

 

 

 

Please note, in order to view the contents of the Knowledgebase Articles (KBA), you will need to be logged into Service Marketplace.

Minimum information to provide in discussion threads in the GRC space

$
0
0

Dear GRC Community,

 

as moderator of the GRC space I would like to hand out some general information of what is expected in a good discussion thread. Since I am following most of the threads in the GRC space I can easily identify if the question is going to be answered quickly or if it's going round in circles for several days.

 

As most of the contributors are volunteers and offer up their free time I would like to decrease the unproductivity and instead pointing the questions to more specific and helpful answers.

 

Prior to your first posting make sure that you have read and understood the rules of engagement: The SCN Rules of Engagement

 

The use of the search engine (that can be found on the top right corner) and also Google or any other is well appreciated as most of the content is already available here on SCN or SAP Wiki. To date, almost 12'000 discussions have been started on the GRC space including 400 documents and 180 blogs.

 

 

What is the minimum information required?

 

Please provide the following information in each discussion thread:

  • Detailed information on your current release and service pack level. It is enough to mention 10.0/SP12, 10.1/SP3, etc.
  • Already implemented SAP notes releated to your issue
  • Elaborate your business case (what you are trying to achieve, etc.)

 

Also never assume that your counterpart has the background information of your project or environment. Hence provide useful information especially when you are not using standard functionalities.

 

Please note that discussion threads that do not meet the minimum requirements will be rejected by the moderators.

 

Looking forward to your contribution in the GRC space.

 

Best regards,

Alessandro

SAP Access Control - Useful Documents, Blogs, Resources, etc.

$
0
0

This document is a collection of the most useful SAP GRC Access Control documents, blogs, resources, links, etc. here in SCN.

 

Overview

Getting Started with SAP Governance, Risk and Compliance Solutions (GRC)

GRC Processes, Lifecycles and Responsibilities

GRC Systems Compatibility

 

 

General opinion and thought-leadership

Are you ready to implement GRC 10?

A lot of help from my friends

If I had it to do all over: looking back on GRC 10 projects

Lessons learned from SAP GRC projects

Remediating Access Control SoD Risks

Internal Controls - a step towards strong controls

Defining Mitigating Controls / Compensating Controls

IT Control Testing - SOX Compliance

A #GRC tool is just part of the solution

It’s Just a Few GRC Ideas….Place

 

 

GRC General

Helpful transactions, tools, programs, tables, etc. for a SAP GRC Consultant

NWBC screen layout options for GRC

Customizing NWBC for New Menus with our own Transactions, Reports and Accessing SAP Backend Systems from NWBC

Configure LaunchPad for Menus

Customizing Access request and approval screens in GRC Access Control

Issues, Bugs in GRC SP13 - Related Fixes

wiki.png General tips to help in troubleshooting scenarios

wiki.png Access Control Debugging tips

SAP GRC AC 10.1 - Enhancements

How to delete roles, mitigation controls, users, and other informations from one connector

 

 

Product Support

GRC Product Support Monthly Newsletter

wiki.png GRC Weekly News - Governance, Risk and Compliance - SCN Wiki

wiki.png Top Ten - 2015 - Governance, Risk and Compliance - SCN Wiki

 

HR Triggers

wiki.png Understanding HR Triggers in Access Control 10.0 - Governance, Risk and Compliance - SCN Wiki

wiki.png GRC 10.0 - HR Trigger configuration - Governance, Risk and Compliance - SCN Wiki

Example of decision table for GRC 10 HR Trigger rule, using BRF+ tool

GRC Access Control - Compliant User Provisioning: HR Triggers

wiki.png Debugging HR Trigger - GRAC_HR_TRIGGER_EVENT_RECIEVER

wiki.png Debugging HR Trigger - Simulation

wiki.png Debugging HR Trigger - PA40 changes to infotypes

 

 

MSMP Workflows

AC 10.0 - Customizing Workflows for Access Management

MSMP - Multi Step Multi Process – GRC’s answer to Workflow Configuration Flexibility

 

 

BRF+ Configuration

Determining the Logic behind Decision Tables

 

 

LDAP

Configuring LDAP Connector in Compliant User Provisioning of GRC Access Control

LDAP Group parameter mapping.. what does it mean?

 

 

Mobile Apps in SAP GRC

Administrator guides for Access Approver, Policy Survey, etc.

Fiori apps in GRC – Install two applications in 5 easy steps

 

 

Access Control with Identity Management (IdM)

SAP BusinessObjects GRC 10.0 Integration Guide – Access Control 10.0 and NetWeaver Identity Management

SAP Access Control 10.0 Interface for Identity Management

 

 

SAP GRC with SAP BPC

How to Assign SAP Business Planning and Consolidation Authorizations via the SAP Governance, Risk, and Compliance (GRC) Access Control Compliance User Provisioning Product

 

 

Access Risk Analysis (ARA)

ARA - For the new kid on the block

Rule set - Rules & Rule Types

Business Risks / Rule Set

Download, Modify and Upload the Access Risk Analysis Rule Set in SAP Access Control 10.x.

How to set up a Configurable Business Rule

Online vs. Offline Risk Analysis

Creation of Mitigation Controls in GRC 10.0

Organizational Rules in GRC Access Control

Mass change of Mitigation Assignments

SAP GRC AC 10.0 Alerting

wiki.png The Action Usage Sync job in technical details - GRC Access Control 10.0

wiki.png The Repository - GRC Access Control 10.0 

 

 

Access Request Management (ARM)

ARM - For the new kid on the block

AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls

Approve/Reject Own Requests

How to Change Subject Line in SAP GRC Email notification

Recommendations for using Business roles provisioning in access request

Configure Manager Look-Up in ARM for GRC 10

Role Search Screen Enhancement – GRC 10

Terminate Account - Request Process - GRC 10

Creating Access Request: Template Based Requests and Configuring End User Personalization forms for use with Access Requ…

GRC Request with both System and Role Line Items

Access Control 10 (ARM) – Risk Analysis Report Type is editable in Access Request.

Access Control: - Create Access Request Using Web Service in GRC10

Design Considerations to reduce Password Self Service (PSS) Intruder Risk

wiki.png User Access Review(UAR) Workflow Configuration and Description - Governance, Risk and Compliance - SCN Wiki

Direct vs. Indirect Role Assignment

 

 

Business Role Management (BRM)

BRM - For the new kid on the block

Maintain Default Roles in BRM GRC AC 10.1

Role Import - GRC 10

Import Role from ECC to GRC system

wiki.png Business Roles concept and usability in GRC AC10

Enabling Business Role updates to existing assigned users

BRM Default Approvers via Condition Groups

BRM Role Methodology via Condition Groups

 

Emergency Access Management (EAM)

EAM - For the new kid on the block

Usage of EAM

EAM - Provisioning Strategies

EAM Utilisation and Log Review Process 

ID-Based Firefighting vs. Role-Based Firefighting

AC 10.0 - Centralized Emergency Access

Configure Emergency Access (EAM) in GRC 10

De-centralized EAM GRC 10.0

EAM - Approve through Wrokflow

Emergency Access Management Reporting

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)

EAM: Requesting emergency access via access request workflow in SAP GRC - step by step.

 

 

See also

SAP Process Control - Useful Documents, Blogs, Resources, etc.

SAP Risk Management - Useful Documents, Blogs, Resources, etc.

SAP Fraud Management - Useful Documents, Blogs, Resources, etc.

 

 

Legend

 

document.png SAP SCN Documents
blog.png SAP SCN Blogs
wiki.png SAP Wiki
Newly added document (Contributors: please select from Emoticons )

 

 

Please help in updating the collection so that new users can get a well structured overview for their information.

 

Best regards,

Alessandro

Customize OWP Workflow text in GRC Process Control 10.1


Offline Workflow Process is used to process Workflow tasks offline through email and submit back to GRC Process Control system for further processing.

 

In GRC Process Control 10.1, the OWP workflow text does not contain information about the relevant Organization, Subprocess, Control, Period and Year of assessment. However, there is the flexibility to include this information, as these parameters are contained in the OWP exit class responsible for sending the OWP workflow.

 

This functionality will be available in the Support Package assembly only.

However, if a customer wants to include the functionality:

Modify the document 'GRFN_OWP_DELIVER', which is responsible for sending the workflow text.

Execute transaction SE61 and choose the document class 'general text'.

Select the document 'GRFN_OWP_DELIVER' and choose to change the object:

 

1.png

 

You might change the general text to the following (example) workflow text:

Dear Colleague,

Please complete this task on or before due date: %DUE_DATE%

 

Task:%TASK_NAME%

Organization:%ORGANIZATION%

Control:%CONTROL%

Period and Year:%PERIOD_YEAR%

 

Open and complete the attached form. Submit it and send the resulting email.

 

Regards,

GRC Team

 

 

2.png

Save and activate the changes under a suitable correction request so that they are reflected in the OWP workflow text.

A customer enhancement for the change in the message class 0FN_OWP_DELIVER is required; otherwise we need to wait for the Support Package 11 assembly.

How to Fetch Manager's Manager from HR system.


This document covers the situation where a request needs the approval of the manager's manager, as in our scenario with normal roles and critical roles.

We have a workflow for request type New/Change Account for the assignment of roles. It goes through a 2-level approval process, unless the role is critical, in which case it goes through a 3-level approval process.

Critical roles are marked as critical on the role in GRC Access Control 10.1 Business Role Management, which is the repository of roles in the GRC system.

When a user submits a request, a request number is created and a workflow is triggered.

The workflow takes the approval path based on the initiator rule created in BRF+.

The initiator rule takes its input parameters from a decision table and returns rule result values, each of which is mapped directly to an approval path.

Here is an example of the BRF+ decision table:


system.jpg

For example, the New/Change request type is 001; when a role assignment is submitted, the workflow checks the initiator rule and takes the matching approval path.

The approval stages are maintained in MSMP for each path, where agent rules (approver determination function modules) are mapped.

The non-critical role path is maintained with 2 approval stages:

  1. Manager
  2. Role Owner

The critical role path is maintained with 3 approval stages:

  1. Manager
  2. Manager's Manager
  3. Info Asset Owner

The approver determination (agent rule) is mapped to the stages; the workflow reads the stage details in the background and sends the work item to the approver's inbox.

There are SAP standard function-module-based rules for determining approvers such as Manager and Role Owner.

Determining the manager's immediate head is not standard functionality, but it can be achieved with an ABAP class-based function module rule.

SAP GRC 10.1 Access Control provides the interface GRFNMW_DEV_RULES to develop your own rules, which can then be mapped into MSMP.

 

The rules created will be maintained in the MSMP Rules as approver, and will be used in MSMP Stages as approver agent.

 

When a request goes to the stages it sends the workflow item to the approver determined by the rule.

 

To achieve this, a function group (ZGRAC_FM_RULE) and a function-module-based rule (ZMGR2_CRA_AR) need to be created.

Step 1: Create a function group ZGRAC_FM_RULE.

Step 2: Execute transaction GRFNMW_DEV_RULES and create a function-module-based agent rule ZMGR2_CRA_AR.

Copy GRAC_MSMP_MANAGER_AGENT to create the function module ZMGR2_CRA_AR.

It will be linked to MSMP process ID SAP_GRAC_ACCESS_REQUEST by the GRC team (TECHM) once the development of the new function module rule is complete.

 

The agent function module rule should first query table GRACREQ to get the request GUID. It then looks up table GRACREQOWNER with that request GUID, finds the entry with Usertype = MAN and reads its USERID, which is the ID of the manager of the user for whom the request was raised. The manager ID is then used as the user ID to look up that manager's own manager, based on the data source configuration.

This is already configured in SPRO, Data Source configuration.

The function module rule will be maintained under Maintain Rule in MSMP.

It will then be mapped to an agent ID, which will be used in the stage for approval.

Whenever a request is submitted, table GRACREQOWNER is updated with the request ID; the manager is stored with User Type MAN, and the manager's ID is stored under USERID.

1. The RFC information is stored in GRACV_DETAIL_DS, where Connector ID is the RFC name and User Data Type = HR.

GRACV_DETAIL_DS is a maintenance view, and select queries cannot be applied to maintenance views. As discussed, we can refer to table GRACUSERSOURCE instead, which is the root table of GRACV_DETAIL_DS.

Read table GRACUSERSOURCE using the following parameters:

  • User Data Type: HR
  • Data source type: 01

system.jpg

If there are 2 HR systems, the loop will check the systems in order of sequence.


system.jpg

  • Once the manager ID is retrieved, it is passed to the HR system using RFC. The RFC should call function module /GRCPI/GRIA_USR_GET_DETAILS with the manager ID and path, retrieve the manager's manager ID, and pass it to the GRC system agent rule as the agent for that stage.

      

 

The following input parameters will be passed to FM /GRCPI/GRIA_USR_GET_DETAILS:

  • Manager of the user
  • Path ID – looked up in table GRACCONNSTAT by passing the connector = RFC connection
  • (SPRO → Maintenance Connector Settings)

Thank you.


AC 10 - How to delete Business Role from NWBC


This document explains the step-by-step process to delete the following types of roles from AC 10.

 

    • Business Roles
    • Composite Roles
    • Single Roles

 

 

  • Deletion of Business Role:

 

    When you try to delete the business role, you may get the error below. It means that the business role is being used in some request which is still open.

          BRM_Role_Deletion_1.jpg

   To check all the requests for a particular PFCG/business role, check table GRACREQPROVITEM.

   This table gives you the list of all CUP requests in which the role is used. In the field "Provisioning Item", enter the business role (or the PFCG role if you need to see requests for a PFCG role) and execute. You can give a date criterion as well if you are sure that beyond that date no request is open or using the role.

 

   BRM_Role_Deletion_3.jpg

This will give you the list of all requests, open and closed. Please note that the field "Line Item Status in Application" of table GRACREQPROVITEM is sometimes not updated for rejected/cancelled requests (see the screenshot below for reference), so please verify the status in Search Request to make sure all requests are in Finished status.

     BRM_Role_Deletion_2.jpg

Once the above check is complete, you can delete the business role.

               BRM_Role_Deletion_4.jpg

Please note that in order to remove a business role, you don't have to remove the composite/single roles from the business role.

 

  • Deletion of Composite Role:

 

     When you try to delete the composite role, you may get the error below.

                    BRM_Role_Deletion_5.jpg

In this case also, please make sure that the composite role is not part of any business role and that there are no open requests for the composite role.

Sometimes, even after the above steps, you might face the same error. In that case, refresh your session and try again; the role will be deleted.

Minimum information to provide in discussion threads in the GRC space


Dear GRC Community,

 

As moderator of the GRC space, I would like to hand out some general information on what is expected in a good discussion thread. Since I am following most of the threads in the GRC space, I can easily identify whether a question is going to be answered quickly or whether it's going round in circles for several days.

As most of the contributors are volunteers and offer up their free time, I would like to decrease the unproductivity and instead point the questions towards more specific and helpful answers.

 

Prior to your first posting make sure that you have read and understood the rules of engagement: The SCN Rules of Engagement

 

The use of the search engine (that can be found on the top right corner) and also Google or any other is well appreciated as most of the content is already available here on SCN or SAP Wiki. To date, almost 12'000 discussions have been started on the GRC space including 400 documents and 180 blogs.

 

 

What is the minimum information required?

 

Please provide the following information in each discussion thread:

  • Detailed information on your current release and service pack level. It is enough to mention 10.0/SP12, 10.1/SP3, etc.
  • Already implemented SAP notes related to your issue
  • Elaborate your business case (what you are trying to achieve, etc.)
  • Summarise what you have tried and also, if complicated, include a screen shot that helps to understand/explain (but make sure you remove any sensitive information)

 

Also never assume that your counterpart has the background information of your project or environment. Hence provide useful information especially when you are not using standard functionalities.

 

Please note that discussion threads that do not meet the minimum requirements will be rejected by the moderators.

 

Looking forward to your contribution in the GRC space.

 

Best regards,

Alessandro

Enterprise Portal Integration with SAP GRC 10.0


Access Request Management (ARM) can connect to ABAP-based SAP systems such as SAP ERP (ECC), SAP SCM, SAP CRM, SAP  Business Intelligence (BI) to create users and assign roles with pre-delivered ABAP-based programs. Enabling the same functionality with a Java-based system such as the SAP Enterprise Portal requires a different procedure and separate configuration. To connect to Java-based systems, you use pre-delivered Web services installed on the SAP Enterprise Portal for integration.

 

A step-by-step guide demonstrates the required configuration to integrate SAP Enterprise Portal with GRC 10.0.


Step 1:-Deploy the AC 10.0 web service and you will find the following in WS Navigator.

Pic1.jpg

 

Step 2:-Create a G type SM59 connector. This will connect to the above web service for AUTH extraction and password generation.

pic2.jpg

 

 

Step 3:-Create a G type SM59 connector. This will connect to EP’s SPML interface for PROV.

 


Pic3.jpg

Step 4:-Maintain the Logical port for WS connector in tx LPCONFIG.

 

Pic4.jpg

Pic5.jpg


Step 5:-Maintain Connector and Connection Types.

Pic6.jpg

WS will be attached to the LPCONFIG endpoint; the SPML1 logical port will be the same as the Target Connector.


Step 6:-Define the EP Group (this will be used in field mapping). See SAPNote 0001981001

Pic7.jpg


Step 7:-Attach both the connectors (WS and SPML) to AUTH scenario.


pic9.jpg

Make sure that the following classes are attached to the scenario.


Step 8:-Do same for PROV scenario.

Pic10.jpg

Step 9:- And for ROLMG scenario.

Pic11.jpg

Step 10:-Set as Production system.

Pic12.jpg

Step 11:-Create the group field mapping.

Pic13.jpg

Default connector is the one which will make a runtime call to get the F4 for system field names in figure below.

 

Pic14.jpg

Define the field mapping for the group; it applies to all the systems in that group (F4 from the default connector).

Pic15.jpg

Define the technical parameter mapping.


Step 12:-Synchronize EP SPML Schema.

Pic16.jpg


The connector is the SPML one we created earlier.


Step 13:-Now sync users, roles and auths from EP.

Once you start provisioning, continuing the user sync causes inconsistencies (see point 2 below). You should switch to using the 'GRAC_ROLEREP_ROLE_SYNC' program.

The following important points need to be considered:

1. You don't need to sync Profiles with NetWeaver Java as they don't exist on Java stacks.

2. If you continue to sync Users after your initial sync, i.e. after you start provisioning from GRC, then your GRC data will become inconsistent. These inconsistencies are caused because GRC maintains validity dates for User, Role, and the relationships between these, whereas NetWeaver Java does not include this same detail and a future User sync will overwrite validity information in GRC with blank entries.

 

pic17.jpg

This is from WS connector.


Step 14:-Deploy the GRC Portal Content add-on: portal business package GRC_POR, which contains the GRC Portal UI elements to access the GRC suite.


Step 15:-Deploy the GRC Portal Plugin (GRCPIEP) (a must for GRC AC).


Step 16:- Set the system Alias for GRC system in SAP Netweaver Enterprise Portal as  follows:

                  SAP-GRC

                  SAP-GRC-AC

                  SAP_GRC(in case of issue-faced by me in SP8)

                  SAP_GRC_AC(in case of issue-faced by me in SP8)


*If GRC PC is activated, the system aliases must be SAP-GRC & SAP-GRC-PC; for GRC RM, SAP-GRC & SAP-GRC-RM.


Step 17:-Create the same user in both GRC and EP and assign the following Portal Roles to the user.

                a.GRC Access Control

                b.ERP Common

 

       Assign the required GRC roles to the user in the GRC system.

*If GRC PC or RM is activated, assign the GRC SUITE & ERP COMMON Portal Roles to the user, and additionally GRC Internal Audit Management if required by the user.

 

 

 

Procedure for creating a user in the Portal for accessing GRC roles:

1. Log on as portal user administrator and access the User Administration function.

2. If the user has been created by the User Management Engine (UME) that is connected to the GRC ABAP system, you do not need to create the user in the portal system.

If not, create a new portal user and assign the system to the user in the User Mapping for System Access tab, along with a mapped user ID and password.

3. After creating the user, go to the Assigned Roles tab and assign the role GRC Access Control to the user who has the power user role SAP_GRAC_FN_ALL in the ABAP system, to enable viewing of all the Work Centers. [Only if GRC AC is activated.]


Hope this  was useful. Please use the comments section to share your feedback and questions.

Part 2:How to create Policy in Process Controls-GRCV10.0


Continuing from Part 1: How to create Policy in Process Controls-GRCV10.0

 

Select Policy group and click on Create Policy

 

 

The policy category can be selected from the drop-down; the categories are maintained in SPRO:

SPRO>GRC>Common component settings>Policy Management>Maintain Policy Categories

Then select the organization from the F4 list.


 

Tab:Policy Document

Go to Policy Document and attach the policy document (the file should be small).

 

 

Tab:Policy Scope


Go to Policy Scope

Apart from the responsible organization in General tab, we can assign selected organizations, processes and People from list in Policy Scope.


 

 

Now select any one of the organizations from the assigned list, then click on Processes.

It will now show all processes relevant to the organization; select the required processes.


 

Error:

 

Now go to Organizations, select the organization, open it and set Shared Service Provider to YES.



Now search for Processes to Organizations


 

Now Select the Process or Sub processes, click on Activities to assign


 

Reason: No activity has been created for process/sub process

Go to Activities


 

Create Activity by Selecting organization name and Activity Category

 

Tab:Risks

 

Now go to Risks tab

 

 

Reason: No risks are defined/created for responsible organization

Risks can be created in Risk and Opportunities

Now the created risk is available in search

 

 

Tab:Controls

 

Go to Controls Tab

 

 

Regulations information will be fetched from Regulation tab of the organization

Regulation information can be pulled from sub processes assignment, which are maintained in Business Processes under Activities and Processes

 

Tab:Policy Sources


Go to the Policy Sources tab.

The policy sources are maintained in SPRO:

SPRO>GRC>General Settings>Policy Management>Maintain Policy Source Categories

 

Tab:Roles

 

Go to Roles Tab

We need to add the roles to the entity in SPRO:

SPRO>GRC>General Settings>Authorizations>Maintain Entity role assignments

These roles will then appear in the Roles tab of the policy, where an owner can be assigned.

 

 

Please note that in the backend we need to map business events to the respective roles that are assigned to users for review and approval.

Path: SPRO>GRC>General settings>Workflows>Maintain Custom agent rules.

 

Tab:Review and Approval


Go to tab Review and Approval

This gives information about the approvers and reviewers.

 

 

Send for review and then submit for approval.


Regards

Baithi
