Requirement: The client wants to keep "Critical", "High", "Medium" and "Low" risks in their ruleset, but only wants to mitigate "Critical" and "High" risks through the access request, and therefore only wants to send approval notifications to the risk owners who own "High" and "Critical" risks in the request.
Resolution: Create a BRF+ agent rule that sends the workflow approval item and notification only to the required risk owners. Also implement a mitigation policy to bypass mitigation control assignment for medium and low risks. This blog focuses only on the BRF+ agent rule.
BRF+ Design:
The following steps achieve the required result:
Step 1: Procedure call to get the risk violations of the access request
Step 2: Create a “DB lookup” on table “GRACSODRISKOWN” to fetch the risk owners for the relevant risk IDs
Step 3: Create a “Loop” expression to read the values returned by the DB lookup created in step 2 and populate the ‘Result Table’ of the agent rule
Step 4: Create a “Ruleset” and a set of “Rules” that call the above expressions sequentially
BRF+ Configuration:
You have to generate the BRF+ rule shell via transaction SPRO in the GRC system. Follow the steps below in your GRC system.
Run transaction SPRO and go to IMG => Governance, Risk and Compliance => Access Control => Workflow for Access Control => Define Workflow related MSMP rules.
Alternatively, execute transaction code GRFNMW_DEV_RULES directly.
- Fill in the generation criteria (Process ID, Rule type, etc.)
- Specify the generation options
- Generate the rule shell (Execute button)
After successful rule generation, go to BRF+ to check the newly created BRF+ application
Function Signature update:
In the BRF+ function, change the mode to “Event Mode” and activate the function as shown below.
- Since the function mode has been changed to “Event Mode”, the result data object has changed automatically, so it has to be reset manually
- In the “Signature” tab of the BRF+ function, change the result data object to GRFN_MW_T_AGENT_ID
Function Module to Get Risk Violation Details:
- We will call function module “GRAC_IDM_RISK_WITH_NO_SERVICES” in the BRF+ rule to get the violation details
- It returns a table of violations, so we first create a table in the BRF+ rule that will hold the result of the function call
Create a Data Object:
- From the context menu of the BRF+ application, create a Data Object of type “Table”
- This data object will hold the risk analysis result
- Select DDIC Binding and provide the name of the DDIC table type “GRAC_T_WS_RA_OP_RISK_ANLYS_ID”
- Activate the Data Object
Create Procedure Call to get Risk Analysis Result:
Create a procedure call from the context menu of the BRF+ application
- Within the procedure call, select the Call Type “Function Module” and provide the function module name “GRAC_IDM_RISK_WITH_NO_SERVICES”. Press the “Enter” key after providing the function module name.
- Add parameters to the procedure call
- Select the Data Object created earlier as the “Result Data Object” for this procedure call
- Click on Mapped Parameters to expand the details
- Assign values to these parameters using the BRF+ context parameters
- Activate the procedure call
Create a Data Object:
- From the context menu of the BRF+ application, create a Data Object of type “Table”
- This data object will hold the data coming from the DB lookup on table “GRACSODRISKOWN”
- Select DDIC Binding and provide the name of the DDIC table type “GRAC_T_SODRISKOWN”
Create DB lookup to fetch risk owners against the risk IDs:
Create a DB Lookup for table GRACSODRISKOWN
Set the “With Condition” carefully: the Risk ID from the GRACSODRISKOWN table must be mapped to the Risk ID field of the data object “RISK_ANALYSIS_RESULT”, so that the “Loop” expression can iterate over it
Select the “Risk ID” under the structure as shown above
Create Expression of Type “Loop”:
Set “With selection conditions” to risk ID = 1 or 3 (1 being “High” and 3 being “Critical”)
Create three rules under the “Loop” as shown below:
Create Ruleset:
Associate the ruleset with the function and include both data objects created earlier under “Detail”
Rule 1 fetches the risk analysis results by executing the “Procedure Call” expression and stores them in the “RISK_ANALYSIS_RESULT” table.
Rule 2 updates the “Result Table” after processing the loop expression, which in turn executes the DB lookup and fetches the “Risk Owners” who own “Critical” and “High” risks.
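To make the data flow of Rule 1 and Rule 2 concrete, here is a plain model of the agent rule logic in Python. This is an added example, not SAP or BRF+ code: the two lists are constructed stand-ins for the risk analysis result and the GRACSODRISKOWN table, and the field names (REQNO, RISKID, RISKLEVEL, OWNER) and the Medium/Low level codes are assumptions; only 1 = High and 3 = Critical come from the page. It also reports High/Critical risks that have no owner at all, which would otherwise leave the SoD stage without an approver.

```python
# Model of the BRF+ agent rule (added example; not the project's own code).
# Level codes 1 (High) and 3 (Critical) are from the page; "2" and "0" for
# Medium and Low are assumed placeholders. Field names are assumptions.
HIGH, CRITICAL = "1", "3"
APPROVAL_LEVELS = {HIGH, CRITICAL}

# Constructed stand-in for the GRAC_IDM_RISK_WITH_NO_SERVICES result table.
RISK_ANALYSIS_RESULT = [
    {"REQNO": "1000123", "RISKID": "B001", "RISKLEVEL": "3"},  # Critical
    {"REQNO": "1000123", "RISKID": "P002", "RISKLEVEL": "1"},  # High
    {"REQNO": "1000123", "RISKID": "F003", "RISKLEVEL": "2"},  # Medium
    {"REQNO": "1000123", "RISKID": "S004", "RISKLEVEL": "0"},  # Low
    {"REQNO": "1000123", "RISKID": "B001", "RISKLEVEL": "3"},  # duplicate hit
    {"REQNO": "1000124", "RISKID": "H005", "RISKLEVEL": "1"},  # High, no owner
]

# Constructed stand-in for table GRACSODRISKOWN (risk ID -> risk owner).
GRACSODRISKOWN = [
    {"RISKID": "B001", "OWNER": "RISKOWNER1"},
    {"RISKID": "B001", "OWNER": "RISKOWNER2"},
    {"RISKID": "P002", "OWNER": "RISKOWNER2"},
    {"RISKID": "F003", "OWNER": "RISKOWNER3"},
]


def fetch_risk_violations(request_no):
    """Rule 1: procedure call returning the violations of one access request."""
    return [row for row in RISK_ANALYSIS_RESULT if row["REQNO"] == request_no]


def lookup_risk_owners(risk_id):
    """Step 2: DB lookup on GRACSODRISKOWN keyed by the violation's risk ID."""
    return [row["OWNER"] for row in GRACSODRISKOWN if row["RISKID"] == risk_id]


def agent_rule(request_no):
    """Rule 2: loop with selection condition level = 1 or 3, fill result table.

    Returns (result_table, unowned): the agent IDs (deduplicated, in order of
    first appearance) and the High/Critical risk IDs that have no owner."""
    result_table, unowned = [], []
    for violation in fetch_risk_violations(request_no):
        if violation["RISKLEVEL"] not in APPROVAL_LEVELS:
            continue  # Medium/Low risks never produce an approval item
        owners = lookup_risk_owners(violation["RISKID"])
        if not owners and violation["RISKID"] not in unowned:
            unowned.append(violation["RISKID"])
        for owner in owners:
            if owner not in result_table:  # one approval item per owner
                result_table.append(owner)
    return result_table, unowned
```

An empty result table with a non-empty unowned list is the case to check during simulation: the request carries a High or Critical risk but the stage would get no agent.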
Simulate BRF+ rule:
For simulation, pass an access request number and simulate.
Once the rule returns the desired result, use its function ID to create the agent rule in MSMP and configure it in your SoD stage.
Conclusion: This custom agent rule returns only the risk owners who own "High" and "Critical" risks, which can't be accomplished with the standard solution. The solution provided by note 1670504 sends the approval to all risk owners without considering the risk level.