AC10.0/10.1: Create Rule Based on Risk Violation in Request, Using BRF+ Procedure Calls

In Access Request, sometimes you would want to route your request based on the risk violations present in the request. There are some standard function module based detour/initiator rules which are available in MSMP like 'GRAC_INITIATOR_SOD_VIOLATIONS' and 'GRAC_MSMP_DETOUR_SODVIOL' where you can route your request based on risk violations. But these standard rules are inflexible, so if you want to add another condition for routing along with risk violation then you will have to change the abap logic within these function modules.

So using these standard rules you can route request based on risk violation only. If you want to create an initiator rule based on risk violation and 'Sensitivity' of role or if you want to create a routing rule based on the 'Risk Level' of violations then it is not possible using standard rules unless you change ABAP logic.

In this document we will see how we can utilize power of BRF+ by creating a very flexible initiator/routing rule where we can check combination of multiple conditions and not just Risk Violations. We will be taking example of following business scenario :  

Business Scenario :

If an access request contains risk violations with Risk Level as 'High', then the request should be routed to a special path, and if no violations with Risk Level  'High' are found, then continue with normal path

We will use BRF+ procedure call to get risk violations in the request. In BRF+ Procedure call, we will use one of the standard function module to get risk violation details of a request.

Image may be NSFW.
Clik here to view.

Follow steps below to create a BRF+ flat rule to achieve above scenario

1.) Generate BRF+ Shell for Access Request Initiator from transaction 'GRFNMW_DEV_RULES'

• Fill generation criteria (Process ID, Rule type, etc.)
• Specify Generation options and select any field from Header or Item to ensure decision table is generated automatically
• Generate rule shell (Execute button)

Image may be NSFW.
Clik here to view.

2.) Activate Empty BRF+ Rule using transaction BRF+

• To locate the generated function, use menu, 'Workbench -> Open Object' and specify object ID from previous step
• Activate the function
• Change the mode to “Event Mode”

Image may be NSFW.
Clik here to view.

3.) Change Result Data Object of BRF Function

• Since Function mode has been changed to “Event mode,”the result data object has changed automatically, so it has to be reset manually
• In “Signature” tab of BRF Function, change the result data object to GRFN_MW_S_ROUTING

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

4.) Function Module to Get Risk Violation Details

• We will be calling function module  “GRAC_IDM_RISK_WITH_NO_SERVICES” in BRF+ rule to get violations details 
• It returns a table with violations; so first, we will create a table in BRF rule which will hold the result of the function call

Image may be NSFW.
Clik here to view.

5.) Create Data Object

• From context menu of BRF+ application, create a Data Object of type “Table”
• This data object will hold the risk analysis result

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

• Select DDIC Binding and provide name of DIDC Table Type of “GRAC_T_WS_RA_OP_RISK_ANLYS_ID”
• Activate the Data Object

Image may be NSFW.
Clik here to view.

6.) Create Procedure Call to Get Risk Analysis Result

• Create a procedure call from context menu of BRF application

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

• Within procedure call, select Call Type of “Function Module” and provide Function module name as “GRAC_IDM_RISK_WITH_NO_SERVICES.” Press “Enter” key after providing function module name.
• Add parameters to the procedure call

Image may be NSFW.
Clik here to view.

• Select the Data Object created in step 5 as “Result Data Object” for this procedure call

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

Map Parameters to Context Fields

• Click on Mapped parameters to expand the details
• Assign value to these parameters using BRF+ context parameters
• Activate procedure call

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

7.) Create Expression — Table Operation : Check Risk Analysis Result Table for Risks

• Create an expression of type “Table Operation”
• This expression will read the result table of procedure call to check if any violations exist

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

• This expression will read the result table of procedure call “RISK_ANALYSIS_RESULT” to check if any violations exist
• Additionally, here we are checking for any risk with “High” risk level
• Activate “Table Operation” expression

Image may be NSFW.
Clik here to view.

8.) Add Condition Column to Decision Table

• Go to Decision Table that was generated automatically
• From decision table settings, add a column from expression and use expression “READ_RISK_VIOLATION,” which is a table operation

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

9.) Add Business Logic to Decision Table

• Add conditions to the decision table
• Based on the result of “Table Operation,” which checks whether any “High” risk violations exist in request or not, the path of request is decided

Image may be NSFW.
Clik here to view.

10.) Create Ruleset

• Go to BRF+ function and create a new ruleset

Image may be NSFW.
Clik here to view.

• Add variable “RISK_ANALYSIS_RESULT,” which was created in previous steps, to the ruleset

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

11.) Add Rule to Ruleset

• Create new rule within ruleset
• Within this new rule, call the procedure that was created in previous steps

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

12.) Add Second Rule to Ruleset

• Within same ruleset, create second rule that will call the “Table Operation” expression “READ_RISK_VIOLATION”
• This table operation will read the violations, which are returned by procedure call

Image may be NSFW.
Clik here to view.

Image may be NSFW.
Clik here to view.

13.) Add Third Rule to Ruleset

• Within same ruleset, create third rule that will call the “Decision Table” expression
• Decision table operation will internally call table operation to check if any violation was returned by procedure call and, based on the result, it can decide the path of request

Image may be NSFW.
Clik here to view.

14.) Check sequence of rules within ruleset

• Check the sequence of rules within ruleset
• First rule in the sequence should be procedure call, second should be table operation, and last should be decision table
• Activate all objects

Image may be NSFW.
Clik here to view.

Now you can configure this rule in msmp configuration and use it as routing or initiator rule