Skip to Content

BRF+ Flat Rule: How to combine approvals for an Agent

Dear all,

we use BRF+ Flat Rule for GRC Access Request:

For request type "New Account" and action "Create User" only Manager Approval is required = only one Stage.

Same request type but action "Role assignment" Manager Approval (same Manager as for Create User) AND Role Owner approval is required = two Stages.

If we now place a request type "New Account" for both action "Create User" and "Role assignment" an approval for Manager Stage is required twice by the same Manager:

1. line item: Create User

2. line item: Role Assignment

Using the above BRF+ Flat Rule we didn´t find any solution on how to enhance this Rule to combine approvals for BOTH line items into ONE request.

The Manager receives two notifications asking him to approve seperately the two line items of the same request. This is not really smart.

Any idea on how to enhance this scenario?

Many thanks,

Markus

Add comment
10|10000 characters needed characters exceeded

  • Follow
  • Get RSS Feed

2 Answers

  • Best Answer
    May 22, 2013 at 01:43 AM

    Hi Markus

    What if you tried to introduce routing?

    1. Initiator Rule - send both request scenarios down the same path that has a single stage. Initiator rule can then capture other scenarios as well
    2. Path for Initiator:
      1. Single Stage which has the Manager Approval (Create User Scenario)
      2. Notification for New item can be sent to the manger. Role Owner does not need to know yet.
      3. Introduce a routing rule (flat rule) which has two outcomes to capture both scenarios
      4. Scenario 1: Role Owner = Manager - Route down a new path 2
      5. Scenario 2: Role Owner <> Manager - Route down new path 3
    3. Path for Routing to Path 2 - have no stages so it automatically Approves. manage does not receive line item notification either (remove duplicate notification)
    4. Path for Routing to Path 3 - have a single stage for Role Owner where notification is also sent

    I haven't attempted to prototype this one but figured it removes a duplicate approval/notification step (assuming the routing rule logic is possible)?

    I don't think there is a solution for both line items into a single notification request as BRFplus. Possibly, you could also look at a custom notification rule (Function Module) that checks the previous notifications and agents (can leverage the MSMP instance logs) to see if the person received the notification?

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Nov 13, 2013 at 04:49 AM

    Hi Markus,

    Below is the solution..... thanks to Amanjit & Colleen for showing the right path. This can be achieved using Multiple DBLookups....in this case 4 DBLookups:

    1. Get Request ID

    2. Get Role ID

    3. Get the Manager ID

    4. Get the Role Approver ID

    Following are the steps:

    Step 1: Get Request ID

    Request ID is in GRACREQ (Request Header) where REQNO = Request.ReqNo (select from context parameter) . This will be used as expression in Manager ID Table to get the Manager for this Request only and not any other request.

    Step 2: Get Role ID

    Request ID is in GRACROLE (Role) where Role_Name=Request.Role_Name (select from context parameter) . This will be used as expression in Role ID Table to get the Role for this Request only and not any other request.

    Step 3: Get Manager ID

    Now create DBLookup for Manager ID. Manager ID is in GRACREQOWNER Table with Req_ID=Get_REQ_ID (Request No from Step 1) and UserType="MAN". Put that ID in a variable lets say User ID.

    Step 4: Get Role Approver ID

    Role Approver ID is in GRACROLEAPPRVR Table where Role_ID=Get_Role_ID (Role ID from Step 2).We can put that in Approver Variable.

    Step 5: Create Condition in Decision Table

    Create simple condition that if DBLOOKUP-MGR=DBLOOKUP-ROW (Manager = Role Owner) then True otherwise False.

    Hope this helps.

    Best Regards.

    Shahid.


    1.JPG (127.8 kB)
    2.JPG (122.7 kB)
    3.JPG (121.0 kB)
    4.JPG (124.2 kB)
    5.JPG (242.4 kB)
    Add comment
    10|10000 characters needed characters exceeded

    • Former Member


      Hello Shahid,

      as I can see, you seems to be an expert for creating DB Lookups. I am trying to implement the solution from Amanjit "Using BRF+DB lookup to create complex MSMP rules". Im stucking in this step:

      I cant get this role guid from the context. Can you please have a look at the screenshot below? Am I on the right way? Where I can select this ROLE GUID (GRAC_S_R...-ROLE_GUID)? Select context parameter? If yes, I only can find the row GUID (Type Text).

      Please advise me!

      Thanks a lot in advance,

      Best regards

      Sabrina

      DB_Lookup_2.PNG (181.9 kB)
      DBLookup.png (61.5 kB)