AC 10.

0 training - Demo ARM

Contents
1. BRF+ Lineitem by Lineitem Building an initiator.............................................................................2
2. Navigating the simple workflow...................................................................................................11
3. Customising Email Notifications...................................................................................................28

 Copyright Integrc 2012 Page: 1 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

1. BRF+ Lineitem by Lineitem Building an initiator.

1. Generating the Rule

Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for Access Control
-> Define Workflow Related MSMP Rules

Before we can maintain the initiator rule in BRF+ workbench, we must generate it .

 MSMP Process for which the initiator will be generated = SAP_GRAC_ACCESS_REQUEST

 Ruletype = BRF plus Flat Rule (LineItem by LineItem)
 Rule Kind = Initiator Rule
 Rule ID <You type this in yourself>

There should be no red errors in the logs.

__________________________________________________________________________________

2. Define the Business Rule Framework

Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for Access Control
-> Define Business Rule Framework

The BRF+ rule is a decision table; here we maintain the fields and their values from the requests,
which can then be used for routing purposes in the workflows.

The Repository will contain all of the BRF+ rules that you have created, expand the one at the
bottom of the list to the extent shown below.

 Copyright Integrc 2012 Page: 2 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

 Highlight the Decision table.

 Click on the ‘Edit’ button to go into change mode.
 Click on the ‘Table Settings’ button.

__________________________________________________________________________________

3. Select the fields to be included in the decision table

Here we are presented with all of the available fields that are or can be used by request, we will
choose the fields that we want to include in our initiator rule. When building an initiator, you
must be sure to cover all possible scenarios that may arise from a request. If a request is created
that is not covered by the initiator, the request will fail.

 In the ‘Conditions Column’ section, click on ‘Insert Columns’ -> ‘From Context Data
Objects’.

 Copyright Integrc 2012 Page: 3 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

Here you can see all of the fields that can be included (if you have created custom fields,
these will also be in this list.

 Scroll to the bottom of the list and you will see that the listed fields are also grouped
under sub-heading that show if they are relevant to a request’s header or it’s line items
(expand these).

 Open the sub-header ‘GRAC_S_REQUEST_RULE_HEADER’ and select fields ‘REQTYPE’ and

‘BROC’ (request type & business process).

Our initiator will use fields ‘request type’ and ‘business process’ to determine request
routing.

The ‘Results Column’ section does not need to be changed, the fields shown here are
defaults that must be populated with values (as we will do next).

__________________________________________________________________________________

 Copyright Integrc 2012 Page: 4 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

4. Populate the fields in the decision table with values

After selecting the fields, you will be returned to the main screen. The next task is to populate
the fields with actual values.

 Save the BRF+ rule by clicking on the ‘Save’ button at the top of the screen.

The Decision Table and Function icons are no longer green (see below), this means that
the changes that you have made have been saved, but are not activated. There are more
changes to be made before we activate these.

 In the ‘Table Contents’ section, click on the ‘Insert New Row’ button (see below).

You will see the two columns that you selected ‘Req Type’ and ‘Bus. Proc’. You will also
see the two default results colums.

 Click on the icon in the ‘Req Type’ column and populate as follows:

 Copyright Integrc 2012 Page: 5 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

 Select ‘Direct Value Input’ and click on the icon to select a request type and click on
‘OK’. You should see the pop-ups shown below.

 Do the same for column ‘Bus. Proc’. The Table Contents section of the screen should look
like this:

 Click on the icon in the ‘Line Item’ column and populate as follows:
 Select ‘Select Context Parameter’ and scroll down to the field ‘ITEMNUM’ and click on it
(The value in field ‘Line Item must always be ITEMNUM).

 Click on the icon in the ‘Trigr Val’ column and populate as follows:
 Select ‘Direct Value Input’ and directly type in ‘A’.
What we are doing now is giving a return value to this specific scenario. For example:
If ‘Req Type’ = 001 AND ‘Bus. Proc’ = AP00
THEN ‘Trigr Val’ = A
Endif

 Copyright Integrc 2012 Page: 6 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

‘A’ is the value that will be returned by the decision table if a request is submitted with
this value combination and the initiator will then route all requests that meet criteria ‘A’
down a specific workflow path.

__________________________________________________________________________________

5. Use Excel to complete the logic of the decision table.

We will now complete the decision table outside of the BRF+ Workbench, to do this you must
download what we have already created into Excel.

 Select ‘Additional Actions’ -> ‘Export to Excel’

Your spreadsheet will look like below.

 To see the other request types that we must cover, click on the icon in the ‘Req Type’
column (of the BRF+ rule), select ‘Direct Value Input’ and identify the other request types
by clicking on the icon.

Only request types 001-005 are relevant for MSMS Process

SAP_GRAC_ACCESS_REQUEST, so you only need to be concerned about these.

 Copyright Integrc 2012 Page: 7 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

 To see the other business processes that we must cover, click on the icon in the ‘Bus.
Proc’ column (of the BRF+ rule), select ‘Direct Value Input’ and identify the other
business processes by clicking on the icon.

 Now we know the logic that we must build in Excel (e.g. one line for each combination of
request type 001-005 and each of the 4 business processes).

What we have in this scenario is the following:

If ‘Req Type’ = 001 AND ‘Bus. Proc’ = AP00
THEN ‘Trigr Val’ = A
Endif
If ‘Req Type’ = 001 AND ‘Bus. Proc’ = GL00

 Copyright Integrc 2012 Page: 8 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

THEN ‘Trigr Val’ = B

Endif
etc...

o The LINE_ITEM_KEY value will always be the same for each line.

o Each ‘RULE_RESULT’ represents a unique combination of request type and

business process (A to U) which the initiator can use to direct a request down a
specific workflow path, e.g.
If ‘RULE_RESULT’ = A
THEN send request to ‘Path 01’*
Endif
If ‘RULE_RESULT’ = B
THEN send request to ‘Path 02’*
Endif
etc...

* Building paths is not covered in this section.

 To upload the logic into the decision table, select ‘Additional Actions’ -> ‘Import From
Excel’.

Once the logic has been imported, click on the ‘Save’ icon at the top of the screen.

 Activate the decision table by highlighting it and clicking on the ‘Activate’ button (it will
turn green once active).

 Copyright Integrc 2012 Page: 9 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

 Activate the function by highlighting it and clicking on the ‘Activate’ button (it will turn
green once active).

 When working in BRF+ Workbench, the BRF+ rule referenced by the name that we have
given it, e.g. Z_DEMO_INIT_99, but ARM will see it only by it’s Application ID. To see the
Application ID, click on ‘Show More’ in the General section.

It will open out to reveal the Application ID.

 Copyright Integrc 2012 Page: 10 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

 Copyright Integrc 2012 Page: 11 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

2. Navigating the simple workflow

1. The initiator
Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for Access
Control -> Define Business Rule Framework
Search for initiator Z_INI_05 using the icon in the Repository.

Open it to show the class simple decision table.

The initiator must be associated with the MSMP (Multi-Stage-Multi-Path) workflow, so show
the Application ID (click on the ‘Show More’ icon in the General section) and copy it to a text
file for use later.

___________________________________________________________________________

 Copyright Integrc 2012 Page: 12 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

2. Associating the initiator to the Rule List

Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for Access
Control -> Maintain MSMP Workflows

We have already defined the BRF+ rule in BRF+ Workbench, now it must be added to the
available rules. To do this make sure that:
 The Process ID ‘SAP_GRAC_ACCESS_REQUEST’ is highlighted.
 You are in step 1 ‘Process Global Settings’.
 You are in edit mode by clicking on ‘Process Global Settings’ and click on ‘Display /
Change’ button.

Click on ‘Maintain Rules’.

In the List of Rules section, click on the ‘Add’ button.

Click on the ‘Add’ button and complete as below (do not save because it already exists and it
will give an error).

___________________________________________________________________________

 Copyright Integrc 2012 Page: 13 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

3. Making the new initiator the default

As discussed, for each Process ID, only one initiator can be active at a given time. Therefore
when building a new initiator, it is essential that it covers every possible scenario that a
request might contain.

Obviously our example is totally unrealistic because it only covers requests that contain
Request Type value of 001 (new user) and ‘company is either ‘company 01 or company 02).
Show the BRF+ initiator Z_INI_05 decision table again to remind the class.

For the sake of this training we have made Z_INI_05 the default initiator for Process ID
‘SAP_GRAC_ACCESS_REQUEST’.

To do this:
 In the Global Rules section, of the step2 (Maintain Rules) select the initiator rule
‘000C296B61911EE18EF92BF644B22D54’ from BRF+ Workbench.

This is already in place, so do not try to change it, just show where it is that you
would change it.

All rules created in BRF+ Workbench must be included in ‘Maintain Rules’, these can
be initiator rules, agent rules, notification rules or routing rules.
___________________________________________________________________________

 Copyright Integrc 2012 Page: 14 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

4. Building the approval agent

This workflow is a combination of custom built stages and paths, as well as custom-built and
out-of-the-box approval agents. We have used BRF+ Workbench to create an approval agent
to be used at the Business Process Owner stage in Path 01 (show the workflow slide again to
remind the class).

For the other stages, we use out-of-the-box approval agents.

Show the approval agent for the Business Process Owner stage in BRF+

 Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for
Access Control -> Define Business Rule Framework
 Search for approval agent Z_AGENT_BUSPROC using the icon in the Repository.

 Show that if the request contains the value ‘Business Process’ = FI00, then the
decision table will identify the approver as ‘SU53-PF’.

 If the request contains the value ‘Business Process’ = PR00, then the decision table
will identify the approver as ‘INTEGRC-RD’.

 Copyright Integrc 2012 Page: 15 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

 Compare the format of the initiator and agent BRF+ decision tables, e.g. the initiator
returns a value based on a set of conditions and this ‘Trigr Val’ value is used to route
a request down a path (as below in Z_DEMO_INIT_99).

The agent BRF+ decision table identifies a specific approver based upon a set of
conditions (as below in Z_AGENT_BUSPROC).

__________________________________________________________________________________

 Copyright Integrc 2012 Page: 16 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

5. Adding the agent rule to the Rule List

Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for Access
Control -> Maintain MSMP Workflows

As with the initiator rule the agent rule must be added to the list of available rules in MSMP
Workflow, to do this:

 In BRF+ Workbench record the Application ID of Z_AGENT_BUSPROC

o Click on the ‘Show More’ icon in the General section) and copy it to a text file
for use later.

 In ‘Maintain MSMP Workflows’, ensure that:

 The Process ID ‘SAP_GRAC_ACCESS_REQUEST’ is highlighted.
 You are in step 1 ‘Process Global Settings’.
 You are in edit mode by clicking on ‘Process Global Settings’ and click on ‘Display /
Change’ button.

Click on step 2 ‘Maintain Rules’.

In the List of Rules section, click on the ‘Add’ button.

Click on the ‘Add’ button and complete as below (do not save because it already
exists and it will give an error).

 Copyright Integrc 2012 Page: 17 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

__________________________________________________________________________________

6. Associating the agent with the list of existing agents

Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for Access
Control -> Maintain MSMP Workflows

Once the agent has been added to the Rule List, it must be identified as either an approval or
a notification agent. In our case Z_AGENT_BUSPROC is an approval agent, which means it is
assigned to a stage in a workflow and will identify approvers for requests based upon it’s
decision table.

To do this:

 Click on step 3 ‘Maintain Rules’.

Click on the ‘Add’ button.

Populate the fields as shown below (do not save because it already exists and it will give
an error).

A notification agent can also be assigned to a stage in a workflow, it’s purpose is to ‘notify’
specific persons when a request has been approved or rejected. Notification will usually be
by means of SMTP email.

__________________________________________________________________________________

 Copyright Integrc 2012 Page: 18 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

7. Building stages and paths.

Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for Access
Control -> Maintain MSMP Workflows

This workflow consists of 2 paths (show the workflow slide again to refresh memories). Once
all approver rules have been created, we can build the workflow stages and paths.

In our case we have only build one custom approver agent (Z_AGENT_BUSPROC), for the
other stages we will use the out-of-the-box approvers.

To build paths and stages:

 In ‘Maintain MSMP Workflows’, ensure that:

 The Process ID ‘SAP_GRAC_ACCESS_REQUEST’ is highlighted.
 You are in step 1 ‘Process Global Settings’.
 You are in edit mode by clicking on ‘Process Global Settings’ and click on ‘Display /
Change’ button.

Click on step 5 ‘Maintain Paths’.

Path 01

To create a new path, you would click on the ‘Add’ button in the ‘Maintain Paths’ section. In
our case the path already exists so there is no need to create a new one. Highlight path
Z_COMP_01_PATH and in the Maintain Stages section you will see the number of stages in
this path only one (Z_COMP01_STAGE) and the approver agent assigned to the stage
(Z_AGENT_BUSPROC).

 Copyright Integrc 2012 Page: 19 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

To add a new stage to the path

Click on the ‘Add’ button in the ‘Maintain Stages’ section (do this but do not save it) and click
on the ‘Show Details’ button.

The ‘Stage Seq. No’ field prompts you to place the stage in an order in the path (numerically
before or after existing stages).

By clicking on the search icons at the end of the ‘Stage Config ID’ and Agent ID’ fields
(respectively), you can select from the existing list of stages and approval agents
(respectively).

Alternatively you can type in the name and description of a new stage that you wish to
create.

Discuss the ‘Approval Type’ and ‘Escalation Type’ stage-specific drop-downs; these are
similar to those in AC5.3.

 Copyright Integrc 2012 Page: 20 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

To configure the stage details (and SoD Routing)

Highlight stage ‘Z_COMP01_STAGE’ and click on the ‘Modify Task Settings’ button.

Here you will see all of the stage-specific config settings, including the ‘Routing Enabled’
check-box. By selecting this we demonstrate that under a specific set of conditions, requests
should be routed from this stage to another stage in either the same or a different path.

If we select ‘Routing Enabled’ we must select a Rule ID to perform the routing, in this case
the rule is the out-of-the-box SoD detour routing rule ‘GRAC_MSMP_DETOUR_SODVIOL’.

By making risk analysis mandatory, we ensure that the approver identified by the approver
agent ‘Z_AGENT_BUSPROC’ must run a risk analysis on any request that is processed by this
stage and if there is a SoD violation, the routing rule ‘GRAC_MSMP_DETOUR_SODVIOL’ will
send it elsewhere for processing.

By clicking on step 6 ‘Maintain Route Mapping’, we can see that routing rule
‘GRAC_MSMP_DETOUR_SODVIOL’ has been configured to send the offending requests to

 Copyright Integrc 2012 Page: 21 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

path Z_SOD_PATH.

For Path 02 we did not configure request routing conditions, nor did we make use of any
custom agent rules, instead we used 2 stages, one is custom-built (Z_COMP02_STAGE) and
one is out-of-the-box; but each make use of out-of-the-box approver agents
(GRAC_MANAGER and GRAC_ROLEOWNER respectively).

 Copyright Integrc 2012 Page: 22 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

8. To configure the stage level notifications

Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for Access
Control -> Maintain MSMP Workflows

Highlight stage Z_COMP02_STAGE and click on ‘Notification Settings’

By clicking on ‘Create’ you can select from an existing list of email notifications. Choose the
‘Notification Event’, the ‘Template ID’ to send and the ‘Agent ID’ to receive the notification.

Below you can only see out-of-the-box notification agents. If we had built custom notification
agent, you would see these as well. You could do this using BRF+ (as we have seen). In
section 6 ‘Associating the agent with the list of existing agents’, we would state if the agent is
an ‘Approval ‘or a ‘Notification’ agent.

By adding this combination, the stage approver will receive a notification email informing
them that there is a new work item that requires their attention, once a request has arrived
at that specific stage (click ‘Save’).

 Copyright Integrc 2012 Page: 23 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

___________________________________________________________________________

9. Run demos of the workflow in action:

Before running any of these scenarios, be sure to delete user ‘su53-pf’ in E10. The
initiator is only built for New User requests.

Scenario 1 – Company 01, Business Process = PR00 and SoD Violation

The point of this demo is to show the SoD detour in operation.

 Tcode NWBC -> Access Management -> Access Request Creation -> Access Request

 Select a role that contains a SoD (see below)

 Copyright Integrc 2012 Page: 24 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

 Highlight the ‘User Details’ tab and complete the missing information (see below).
Remind the class that a lot of this information could be pulled in from a data source,
e.g. SAP HR or MS Active Directory.

 Click on the ‘Submit’ button.

 Process the request as an administrator

Tcode NWBC -> Access Management -> Access Request Administration -> Search
Requests

Below we can see the request is on ‘Path 01’, show the workflow slide to remind the
class.

Click on the ‘Path ID’ to process the request as administrator and try to approve by
clicking on ‘Submit’.

You will see this message:

 Copyright Integrc 2012 Page: 25 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

Run the risk analysis and you will see some violations (as below).

Submit the request and it will go successfully.

Because there are SoD violations, the request will be routed to the detour path,
show this:
Tcode NWBC -> Access Management -> Access Request Administration -> Search
Requests

Click on the ‘Audit Log’ button and show that the request has been routed to the
detour path because of the SoD.

 Copyright Integrc 2012 Page: 26 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

Scenario 2 – Company 02 (Path 02).

The point of this demo is to show stage level notification working – the ‘new work
item’ email will be sent by stage Z_COMP02_STAGE in path 02.

Tcode NWBC -> Access Management -> Access Request Creation -> Copy Request

 Copy request 71 and make the changes shown below:

Change ‘Company 01’ to ‘Company 02’ (no need to change anything else) this will
send the new request down Path 02, show the workflow slide to remind the class.

Keep clicking on ‘Next’ until the request has been submitted.

 Copyright Integrc 2012 Page: 27 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

 Upon submission, the request will go to stage Z_COMP02_STAGE in path 02, (for
which we configured the ‘new work item’ notification to be sent to the current
approver – see section 8 ‘To configure the stage level notifications’). The following
email will be received.

 Show that the request has gone down Path 02 and is at stage Z_COMP02_STAGE by
opening the request and showing the Audit Log:

Tcode NWBC -> Access Management -> Access Request Administration -> Search
Requests

___________________________________________________________________________

 Copyright Integrc 2012 Page: 28 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

 Copyright Integrc 2012 Page: 29 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

3. Customising Email Notifications

Workflows can be customised to send out email notifications to recipients upon the occurrence of
specific events. Out-of-the-box templates are provided that can be used in this way (show the Out-
of-the-box Notifications templates slide ).

 Show a selection of the templates for some of the Process Ids.

Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for Access
Control -> Maintain MSMP Workflows

o Select Process ID ‘SAP_GRAC_ACCESS_REQUEST’

Go to ‘Variables & Templates’ (step 4).

Every workflow event can trigger an email notification that corresponds to one pre-
defined message class. Each message class corresponds to one document object
containing a pre-delivered message body for the respective workflow event.

The link between message class and pre-delivered document object can be viewed, but
not altered in the table view GRFNVNOTIFYMSG (show this).

 Copyright Integrc 2012 Page: 30 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

The document objects can be viewed as Word files:

 Tcode SE61 (click on ‘Display’).

You can create custom document objects with message bodies and replace the pre-delivered
document objects.

You cannot include graphics or corporate branding in the notification templates. Customization is
limited to text messages and hyperlinks.

Each Process ID is delivered with a set of notification variables that can be used for all of the
notification documents that can belong to that Process ID (show these for Process ID
‘SAP_GRAC_ACCESS_REQUEST’ ).

Tcode SPRO -> Governance, Risk & Compliance -> Access Control -> Workflow for Access
Control -> Maintain MSMP Workflows – (step 4, bottom of screen).

o Select Process ID ‘SAP_GRAC_ACCESS_REQUEST’

o Go to ‘Variables & Templates’ (step 4 and bottom of the screen).

 Copyright Integrc 2012 Page: 31 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

You can create additional notification variables, but to do this you must edit the notification variable
rule GRAC_NOTIF_VAR_RULE_AR (show it) – this is a function module, so requires ABAP Developer
skills.

__________________________________________________________________________________

 Copyright Integrc 2012 Page: 32 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

Demo – Customising Email Notifications

Tcode SE61

Enter a name for the custom document, click ‘Create’.

Type in the something like the following, using % to show variables and click 'Save'.

You will find the variables in Step 4, bottom of the screen, (as far as I can tell you have to type these
directly into the Word doc with ‘%’ at the start and at the end.

Click on 'Save Active' and as a 'Local Object'.

 Copyright Integrc 2012 Page: 33 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

Associate the custom object with a message class.

Tcode SPRO -> Governance, Risk, and Compliance -> Access Control -> Workflow for Access Control ->
Maintain Custom Notification Messages

‘Description’ does not appear in the email notification.

‘Hide Recipients’ checkbox – if checked the email will display an empty list of recipients.

You will see the new template in step 4 ‘Variables & Templates’.

 Copyright Integrc 2012 Page: 34 of 35 Training AC 10.0 February 2012

 AC 10.0 training - Demo ARM

 Show an example of the new request by copying an existing request and submitting it.
Tcode NWBC -> Access Management -> Access Request Creation -> Copy Request

Click on ‘Next’ and accept the defaults without changing anything. Once it has been
submitted, the submission email will be generated.

 Copyright Integrc 2012 Page: 35 of 35 Training AC 10.0 February 2012