A Detailed Guide to Building and

Customizing Workflows in SAP

Access Control 10.x Using Both
Business Rule Framework+ (BRF+)
and MSMP

Ruth Johnson
Customer Advisory Group

Produced by Wellesley Information Services,

LLC, publisher of SAPinsider. © 2015 Wellesley
Information Services. All rights reserved.
In This Session

• Walk through the latest features and capabilities of the new

workflow engine in SAP Access Control and learn how to
configure a framework for access requests
 During this session, you will explore:

 Capabilities and flexibilities of the multi-stage, multi-path

(MSMP) workflow, including rules, agents, paths, variables
 Why SAP Access Control workflow components cannot be
migrated, but can be manually configured and how to do so
 Key steps required for an MSMP workflow configuration

 Leading practices for creating and defining rules in the

Business Rule Framework+ (BRF+)

1
What We’ll Cover

• Introduction to AC 10 Workflow (MSMP)

• BC Sets
• Basic steps in MSMP workflow configuration
• Developing your own BRF+ rules
• Incorporating BRF+ rules into your workflow
• Tips and tricks
• Wrap-up

2
Introduction to AC 10 MSMP Workflow

• MSMP workflow
 Multiple Stage, Multiple Path workflow

 Initiator
 Decides which path the request will follow

 Path
 A linear group of stages which determine which approvals
are required
 Stage
 Defined approval action required

3
Introduction to AC 10 MSMP Workflow (cont.)

• Access Control 10 is now configured through the IMG

 SAP Transaction SPRO
• Migration from previous versions
 Migration Upgrade is available for several components
 SoD Rules
 Workflow components cannot be migrated, but must be
manually configured
 Access Control workflow now uses the SAP Workflow
functionality
 From 5.3, simplistic workflow to fully robust, multi-faceted
workflow (MSMP)
 SAP workflow transactions will control/monitor workflow
activity
4
Introduction to AC 10 MSMP Workflow (cont.)

• This allows for very robust and detailed workflows

• Attempting to migrate workflows from the simplistic workflow to

SAP standard workflow would be impossible

• Benefits
 Gain understanding of how workflows will be created and their
functionality
 You can incorporate the flexibility benefits for the 10.x workflow
right from the start

5
Different Types of Paths

• Multiple paths within an MSMP workflow would exist

 The Initiator would determine the path each request will take

 Each request could split onto multiple paths

• Paths by System
 Path #1 for Production access

 2 stages for Manager and Role Owner

 Checks for SoD violations; if SoD violations exist, the request

will flow to an additional stage of Business Owner
 Path #2 for Non-production system access

 2 stages for Manager and Functional lead

 No checking for SoD violations

6
Different Types of Paths (cont.)

• Paths based on role selections

 Roles in Production systems may have different stages than
roles selected for non-production systems
 SoD checking would be mandatory with production access

 More critical access roles could have additional approvers

 Less critical or display-only roles require less approvals

 Common_End_User role that every user should be assigned

may require no approvals

7
Different Types of Paths (cont.)

• Role Removals could go down their own path

• Roles that require specific actions could have their own paths
with stage approvals
 Training requirements

MSMP Workflow allows for flexibility in your workflows. No

reason to adhere to one workflow path forcing all of your roles
to follow the same approval path when your roles (access) may
have different approval requirements.

8
What We’ll Cover

• Introduction to AC 10 Workflow (MSMP)

• BC Sets
• Basic steps in MSMP workflow configuration
• Developing your own BRF+ rules
• Incorporating BRF+ rules into your workflow
• Tips and tricks
• Wrap-up

9
BC Sets

• SAP offers some base configuration data

• Delivered via BC Sets
 BC Sets = Business Configuration Sets

 BC Sets are how SAP delivers pre-defined data to your system

during implementation
 GRC specifically has BC Sets for various items

 Initial of parameters

 Suggested configuration values

 Such as priority, request types
 Demo configuration
 Such as the default path for the Access Request workflow
 SoD Rules
10
SAP Delivers Demo Workflows Through BC Sets

• Activate BC Sets to establish an SAP-delivered workflow

• Activate BC Sets to implement the SAP-delivered Workflow Rules
 Initiator Rule – Rule that directs the request to specific paths

 Agent Rules – Rules that determine the approver

 Manager

 Role Owner

 Others

 Routing Rules – Rules that will route the request to other paths

 SoD Detours

 Others

11
MSMP Workflow BC Sets

• Here are some of the BC Sets for the MSMP Workflow

 BC Sets may be different between the 10.x Releases; therefore,
it is important to review the existing BC Sets in the release you
will be implementing
 Not all of these need to be activated, just the one that pertains
to your requirements
 GRC_MSMP_CONFIGURATION

 BC Set for MSMP workflow for standard and sample config

 GRC_MSMP_SAMPLE_CONF

 BC Set for MSMP workflow configuration for sample paths

 GRC_MSMP_STD_CONF

 BC Set for standard MSMP workflow configuration

12
Other BC Sets

• Here are some other delivered BC Sets that could be activated

and could be helpful for your MSMP Workflow configuration
 GRAC_ACCESS_REQUEST_REQ_TYPE

 GRAC_ACCESS_REQUEST_EUP

 GRAC_ACCESS_REQUEST_APPL_MAPPING

 GRAC_ACCESS_REQUEST_PRIORITY

 Some BRM Configuration is required to load Roles for Access

Request functionality
 GRAC_ROLE_MGMT_SENTIVITY

 GRAC_ROLE_MGMT_METHODOLOGY

 GRAC_ROLE_MGMT_ROLE_STATUS

 GRAC_ROLE_MGMT_PRE_REQ_TYPE
13
Caution When Activating BC Sets

• Since BC Sets contain data and configuration parameters, re-

activating the BC Sets will overwrite data
 Choose to re-activate BC Sets cautiously

 Know what data is in the BC Sets

 The data and configuration options that are delivered via the BC
Sets can be used in your workflow configuration
 But if any changes were made, the BC Sets will overwrite
them

14
What We’ll Cover

• Introduction to AC 10 Workflow (MSMP)

• BC Sets
• Basic steps in MSMP workflow configuration
• Developing your own BRF+ rules
• Incorporating BRF+ rules into your workflow
• Tips and tricks
• Wrap-up

15
Basic Steps in MSMP Workflow

• Transaction SPRO
• SAP Reference IMG
 Governance, Risk, and
Compliance
 Access Control

 Workflow for
Access Control
 Maintain
MSMP Workflow

16
MSMP Workflow Configuration

• Configuration using the Step-by-Step approach

1. Process Global Settings

2. Maintain Rules

3. Maintain Agents

4. Variables and Templates

5. Maintain Paths

6. Maintain Route Mapping

7. Generate Versions

17
Display vs. Change for MSMP Workflow

• Only one user can be changing the workflow at a time

• Only place to choose is on the first screen of the workflow
• On Process Global Settings screen:
 Choose Display/Change

 If one user is in Change mode, other users will receive a

message that they can only be in display mode

18
Process IDs

• Process IDs contain workflows that pertain to the same

functionality:
 SAP_GRAC_ACCESS_REQUEST

 All Access Request workflows that allow access to be

requested for a user
 User Access by Roles

 Firefighter IDs

 SAP_GRAC_FIREFIGHT_LOG_REPORT

 Firefighter Log report – paths which send the FF Log to

controllers

19
Step 1 – Process Global Settings

• Every workflow path will belong to one of the delivered SAP

workflow Process IDs
• Each Process ID can only have one initiator
• The Process ID initiator can point to multiple paths

20
Step 1 – Process Global Settings (cont.)

• Notification Settings
 Request Submission emails

 End of Request emails

• Escape Conditions
 Auto Provisioning Failures

 No Approver Found

 Escape path and stage must be built in Step 5 – Maintain

Paths prior to setting the escape configuration on this step

21
Step 2 – Maintain Rules

• All Rules used in this Process ID workflow must exist as Rule IDs
• Rules can be SAP-Delivered or Custom
 SAP-delivered Rules are usually Function Module-Based Rules

 Custom Rules can be BRF+ Rules or ABAP Function Module

Rules

22
Kinds of Rules

• There are four types of Rules used in MSMP workflows

 Initiator Rule

 When a request comes into the workflow, which path does it

go down?
 Agent Rule

 How are the approvers determined?

 Notification Rule

 Who is notified of the request status?

 Routing Rule

 When a special circumstance is meant (i.e., Detour), where

does the request flow to?

23
Adding Custom Rules

• To add a Custom Rule, you will need to build one first

• Unfortunately, although you give your custom rule a name,
configuration will use it by the Rule ID number
 The Rule IDs for any custom rules will be the long Rule ID with
letters and numbers
 If using BRF+ Rules, cut and paste the Rule ID from the BRF+
screen of the Function
 Rule ID example: 00505881002203009081CFE87CA133E

24
Global Rules for Process ID

• Each Process ID will have one initiator rule and one notification
rule
 The Global Rules should reflect the custom Initiator Rule

 The Notification Rule should remain the SAP-delivered rule until

any customizations are done on the variables

• Global Rule Example with SAP-delivered Rule

• Global Rule Example with Custom Initiator Rule

25
Step 3 – Maintain Agents

26
Step 3 – Maintain Agents (cont.)

• SAP-delivered agent rules work great

• For custom agent rules:
 They are very flexible – any way you need an approver, it can
be configured
 Normally, they are BRF+ Rules

 But they could be built as function modules

 Add each custom agent rule using the Rule ID (list of numbers
and letters)

27
Step 3 – Maintain Agents (cont.)

• When adding the Agents:

 Agent ID: must begin with an X, Y, Z (for SAP requires custom
naming convention)
 This will be used as the agent name in the stage
configuration
 Agent Name: Should reflect the type of approver

 Purpose: Approval or Notification

 Agent Type: (4 different types of rules)

 Two common: GRC API Rules, Directly-Mapped Users

 Agent Rule ID: Use dropdown to find the long Rule ID with
letters and numbers
 Cut and paste the Rule ID from the BRF+ Function screen

28
Notification Agent Rules

• Notification Rules only need to be added if you will be sending a

notification to an agent who is not the current approver
 For instance, manager

 Sometimes you want to notify the manager, but they are not
the current approver

29
Step 4 – Variables and Templates

• Notification Templates
 The text that appears in the email notifications

 Examples of SAP-delivered templates:

 GRAC_MSMP_AR_NEWWORKITM_APP

 GRAC_AR_CLOSE

 All email templates can be modified and stored as custom

versions of the notification

30
Step 4 – Variables and Templates (cont.)

• Variables
 The values that are replaced with actual values when the email
notifications are sent
 Example: User ID and Username

 The variable for Provisioning would produce the list of roles

assigned to the user in the closing or end_of_request email

31
Step 4 – Variables and Templates (cont.)

• Delivered Notification Templates can be modified or custom

created
 Create a custom version of the Document Object
 Create a new custom template
 SAP has supplied detailed instructions on how to create
custom notifications
 SAP Note 1637900 – AC 10.0 creating new template for MSMP
workflow notification
 SAP Note 1614574 – UAM: Multiple Approver/Closing emails
not possible
 Pros
 Multiple email templates could exist for New Work Item
 Maybe there is different wording you would like in the email
32
Notification Templates

• Message Class – select to create custom or use SAP-delivered

• Message Number – multiple message numbers allow for
individual emails for each stage
• Document Objects – custom document objects allow for custom
email text details
• Template ID

33
Step 5 – Creating Paths

 Different paths for:

• Create Paths for each of the different scenarios
 Create, Change, or Delete User

 Request access for production or non-production system

 Auto Provisioning Failure

 SoD Detour

 Different roles require different approvals

34
Step 5 – Creating Paths (cont.)

• A path will need to be created for each Rule Result from the
Initiator Rule
 Initiator analyzes each request to determine which path request
and/or items on the request should follow
 Custom BRF+ initiator will return a rule result for each different
row listed in the initiator

 Example of Rule Results created with the custom initiator rule

35
Stages Creation

• Each Path requires one or more stages

 Actual order in which the request flows through the approval
stages

• Stage Sequence Number – the order the stages will be following

 Recommended to choose Stage Sequence Numbers with gaps
so that additional stages can be inserted later

36
Stages Creation (cont.)

• Add, Modify, or Delete Stages from the path

• As you select the action, additional fields will appear accordingly
 Example

 Agent ID will display a search criteria to find existing Agent

IDs (Agent Rules)
 Approval Type has a
drop-down list of options
 Routing rules enabled

 Escalation with the time

lapse configuration
37
Stage Routing and Escalation

• Modify Stage
 Escalation – number of minutes

 Escalation will happen within the same standard SAP

background job that processes the MSMP workflow items
 There is no additional unique job to process the
escalations of requests

38
Stage Definition

• Modify Task Settings  Stage Definition

 Configuration of the Stage – how does it work, what can the
approver do, and what requirements must be fulfilled?

39
Stage Definition – Notification

• Modify Notification Settings

 Each stage can send out various email notifications

 What notification event, what notification template is used, and

who is the recipient
 New_Work_Item

 Forward

 Return

 Approved

40
Stage Definition – Notification (cont.)

• Email/text messages will need to be create through IMG, but can

be assigned to each stage

Remember: Too many notifications can cause people to ignore

them. Carefully select which emails should be sent.
41
Step 6 – Maintain Routing Rules

• Routing determines the path a request will follow

• Two kinds of Routing
 Initiator Rules

 Rule results are defined with the initiator and the routing
table will coordinate on which path each result is sent
 Detours

 Rule Result Value would determine the path based on the

result of the detour rule

42
Step 6 – Maintain Routing Rules (cont.)

• Rule Results for the Initiator rules are entered in Step 2 –

Maintain Rules for MSMP configuration
 Select to modify the specific rule and a list of Rule Results will
appear
 Those Rule Results must match the output from the Initiator
Rules
• Rule Results for the SoD Detours are often delivered by SAP
 These can be customized by creating your own BRF+ rules
instead of using the delivered SAP BRF rules

43
Step 7 – Generate Versions

• Save, Activate the workflow

• Transport Required
 Best Practices suggest that the workflow be configured in
development and transported
along to production

44
Generation Log

• Generation Log will appear and give details of both the successful
and failed details of the workflow configuration
• Using this detailed log, it is easier to figure out the workflow
errors and correct them

45
What We’ll Cover

• Introduction to AC 10 Workflow (MSMP)

• BC Sets
• Basic steps in MSMP workflow configuration
• Developing your own BRF+ rules
• Incorporating BRF+ rules into your workflow
• Tips and tricks
• Wrap-up

46
BRF+ Rules

• BRF+ Rules are ways to customize and add flexibility into the
workflow

• BRF+ Rules allows for creating flexible rules without requiring the
user to be an ABAP Developer or have knowledge of ABAP
programming

• Although the BRF+ concepts are much easier than learning the
ABAP programming, it will still take time to learn and master

47
BRF+ Initiator Rule

• SAP delivers their basic initiator, which basically sends all

requests down one path

• Although this may work, often times companies will have more
than one requirement for access approval

• Basic Concept of BRF+ Initiator

 One Initiator per Process ID

 This initiator covers the combination of requests that will come

through this Process ID

48
BRF+ Initiator Rule (cont.)

• The BRF+ Initiator rule is basically a decision tree

 Application

 Expression  Decision Table

 Function

• SAP GRC recommends that each BRF+ Rule be unique and have a
one-to-one relationship
 There is one application to one decision table to one function

 Other BRF+ rules can share data objects, but it is important that
each BRF+ rule you build is its own unique application

49
BRF+ Initiator Rule (cont.)

• For each combination, a Rule_Result will exist

 Each Rule_Result will point to a separate path in the workflow

• Rule_Result can be duplicated in the Initiator so that multiple

initiator combinations can point to the same path
 For instance, several rows could all point to the same
Rule_Result of ZROLE_SOD, which may need to go down the
path for roles with SOD checking
• Order within the BRF+ Initiator Rule is important
 Only one match will be found in the Initiator

 Therefore, the bottom row can be the “catch-all”

 Removing the risk of having no initiator found

50
BRF+ Initiator Rule (cont.)

• Initiator tables can check whatever fields (columns) are required

to make the right routing decision

• Although you can’t see the whole screen, the Rule_Result is in the
end column
 Here is a picture of the decision table in Excel with all columns

51
BRF+ Initiator Rule (cont.)

• Initiator Rules can be set up at the Request Header level or at the

Request Detail level
 Request Header

 Contains request type, user information

 Request Detail

 Contains connector; role information, including the

provisioning action (whether the role is to be added or
removed)

• Determine how your requests should follow the paths, then you
can decide how to build your BRF+ Initiator

52
BRF+ Initiator Rule (cont.)

• Another Initiator Rule Decision Table

 Most requests will follow Basic workflow with some exceptions

 Exceptions are determined by the system and requested role

critical level
System Role_Critical_Level Rule_Result
Production High CRITICAL_ACCESS
QA High CRITICAL_ACCESS
Development High DEV_HIGH
All Systems Medium BASIC_APPROVAL
All Systems Low NO_APPROVAL
All remaining All remaining BASIC_APPROVAL

53
BRF+ Rules: Import Decision Table via Excel

• Decision table within the BRF+ Rule can be exported and

imported from Excel
 So if you have a large Initiator decision table, you can maintain
the rows in Excel and import the data
 Recommendation: Build the BRF+ Rules manually first

 Manually create the BRF+ Rule with decision tables with all
the appropriate columns
 Add a few lines of decisions

 Then export it

 Add the additional lines in Excel

 Then import the entire list of decisions

54
BRF+ Rules: Simulate Results

• On the BRF+ Function screen, there is a simulate feature

• This will be helpful in testing your BRF+ Rule before implementing
it into the MSMP workflow

55
BRF+ Rules: Agent Rule

• Agent Rules will return the approver’s ID

• More than one approver ID can be returned
• The Agent rule is part of the Stage configuration
• When the request reaches the stage, the Agent Rule is called and
the approver is determined
• If notification for New Work Item is configured, this returned
approver will receive an email notification that a request is waiting
for their action
• Agent Rule IDs must be added to the workflow under Step 3 –
Maintain Agents before they can be assigned to a stage

56
BRF+ Rules: Agent Rule (cont.)

• Agent Rules will return the approver’s ID (cont.)

 Example 1:

System Business Process User ID

Production Finance JOHNSONR
Production Order-to-Cash SMITHT
Development Configuration GREEND
Development Configuration THOMPSONH

 Example 2:
System Role User ID
Production Z:STAFF_ACCOUNTANT JOHNSONR
Production Z:SALES_ORDER* COLEP
QA Z:SALES_ORDER* WHITES
57
BRF+ Rules: Agent Rule (cont.)
• If the SAP solution for Alternative Approvers does not work for your
application, here is a suggestion
• Build an Alternative Approver BRF+ Rule
 A BRF+ rule can be created for Alternative Approvers for escalation
 An alternate approver rule looks just like the original Agent Rule; the
difference would just be where in the workflow it is called
 In an Alternate Agent Rule, every occurrence in the original Agent
(Approver) Rule will need to be duplicated over into the Alternative
Approver Rule, but with a listing of an escalation agent
 Therefore, some items could be escalated to the same user
 In previous versions, there was a limitation on escalation; items
would escalate to another user without retaining the first approver’s
ability to approve
 Now, both approver and alternate approver can be listed in the
Alternate Approver Rule
58
What We’ll Cover

• Introduction to AC 10 Workflow (MSMP)

• BC Sets
• Basic steps in MSMP workflow configuration
• Developing your own BRF+ rules
• Incorporating BRF+ rules into your workflow
• Tips and tricks
• Wrap-up

59
Incorporating BRF+ Initiator Rule

• Adding BRF+ Initiator Rule to Workflow

• The Rule ID for any custom rules will be the long Rule ID with
letters and numbers
 Cut and paste the Rule ID from the BRF+ Function screen

 Example: 00505881002203009081CFE87DA153E

60
Incorporating BRF+ Initiator Rule (cont.)

• Select Modify Rule and enter the Rule_Results

Highlight the Rule ID and press Modify

A table will appear and list the

Rule_Results that are listed in
the Initiator Rule

61
Incorporating BRF+ Initiator Rule (cont.)

• On Maintain Route Mapping, relate each of the Rule_Results from

the initiator to the appropriate path
Rule_Result Path

Configuration order is important: Path has to be created

and saved on the path first, then it can be related to a
Rule_Result
62
Incorporating BRF+ Agent Rule

• Agents
 Add each Agent Rule with a unique ID and name. Unlike the
initiator rule, agent rules are referred to in the workflow, but
these are unique agent IDs.
 Approver Agent Rule should be set up twice – once with the
purpose of Approval and once with the purpose of Notification
 Additional fields will relate the custom BRF+ Rule ID to this
Agent
 The BRF+ long number ID will be entered on this screen

 Again, cutting and pasting this Rule ID is the most accurate

way of adding this Rule ID
63
Incorporating BRF+ Agent Rule (cont.)

• Example
Either select Add to add new Agent or Modify
after highlighting Agent ID to be changed

Fields appear to enter Agent and, when

selecting Agent Type of GRC API Rules,
the BRF+ Rule ID field appears

Once added, you may need to save the workflow prior to seeing
this Agent ID available in Path-Stage configuration

64
What We’ll Cover

• Introduction to AC 10 Workflow (MSMP)

• BC Sets
• Basic steps in MSMP workflow configuration
• Developing your own BRF+ rules
• Incorporating BRF+ rules into your workflow
• Tips and tricks
• Wrap-up

65
Tips and Tricks #1

1. Remember Flexibility in Configuration

 There is so much flexibility in MSMP workflows

 Don’t need to stick with the standard delivered Paths, Stages,

Agents, emails, etc.
 Determine your “To-Be” process and see if MSMP can handle it
via configuration
 Create your own Paths, Stages

 Determine your own approver agents

 Create your own BRF+ rules

 Create your own email notifications

66
Tips and Tricks #2

2. Configure in steps, saving the workflow in between completed

steps
 Some changes to the workflow must be done individually

 For instance:

 Creating a Detour Path

 Create the detour path and save/activate the workflow

 Then go back into the workflow to apply the detour path to

a regular path
 Adding a new BRF+ Rule

 Create and add the rule individually, save/activate the

workflow
 Then go back in and apply the rule

67
Tips and Tricks #3

3. Business Role Management will need to be activated and some

configuration done to import roles into Access Control so the
user can request roles on the Access Requests
 A couple of quick configuration steps

 Through IMG

 Change SAP-delivered to allow role maintenance directly

 Create a BRM landscape – separate from the SoD analysis

landscape
 Mainly because roles behave differently in the system than SoDs.
Roles are created in dev and transported through production;
therefore, further configuration of BRM may require different
landscapes.

68
Tips and Tricks #3 (cont.)

3. Business Role Management

 Define Default Methodology

 Methodology Processes

 Define Roles, Maintain Authorizations

 Define Methodology Steps

 Definition, Action, and Permission

 BC Sets
 For roles to be available in Access Request workflows, the
following BC sets should be activated:
GRAC_ROLE_MGMT_ROLE_STATUS
GRAC_ROLE_MGMT_METHODOLOGY
69
Tips and Tricks #3 (cont.)

3. Business Role Management: Importing Roles

 To help the user find roles, you may want to assign roles to
functional areas and/or business processes
 Create functional areas

 Create Business Processes and sub-processes

 Import roles

 Role import can be a combination of the role attributes and

the import from the back-end system
 Import roles via the NWBC  Access Management  Role
Mass Maintenance  Role Import
 Import directly or using a created text file

 Import with Methodology Status of “Complete”

70
Tips and Tricks #4, 5, and 6

4. Custom Naming Conventions

 Recommendation and sometimes a requirement that custom
Rules begin with a “Z” or “Y”
 Specifically the custom Agent ID

5. Workflow: Restart Requests that have been stuck

 SWI2_DIAG – Diagnosis of workflows with error

 SAP transaction allows you to view those requests that are

“hung” or have errors. You will be able to review details and
restart them.
6. BRF+ transactions may need to be added to your security roles;
they did not come standard in GRAC-delivered roles

71
Tips and Tricks #7

7. Debug for MSMP Workflow

 SAP Note 1624069 GRC 10.0 – Enabling Debug Logging for
MSMP
 Use SAP Document: EnableDebugLoggingforMSMP.pdf to turn
on the workflow debug
 SAP Transaction: GRFNMW_DEBUG

 Use SAP Transaction AL11 to analyze the results

 SAP Transaction AL11 – SAP Directory: /tmp
72
What We’ll Cover

• Introduction to AC 10 Workflow (MSMP)

• BC Sets
• Basic steps in MSMP workflow configuration
• Developing your own BRF+ rules
• Incorporating BRF+ rules into your workflow
• Tips and tricks
• Wrap-up

73
 Where to Find More Information

• SAP Service Marketplace

 https://service.sap.com *
 SAP Support Portal  Search for SAP Notes
 SAP Note 1637900 – AC 10.0 creating new template for MSMP
workflow notification
 SAP Note 1614574 – UAM: Multiple Approver/Closing emails
not possible
 SAP Note 1624069 – GRC 10.0 Enabling Debug Logging for
MSMP (Document: EnableDebugLoggingforMSMP.pdf)
• SAP Community Network (SCN)
 https://scn.sap.com
• Carsten Ziegler and Thomas Albrecht, BRFplus – Business Rule
Management for ABAP Applications (SAP PRESS, 2011).
* Requires login credentials to the SAP Service Marketplace 74
7 Key Points to Take Home

• GRC Access Control 10 MSMP Workflow is much different from

previous versions, but very linear in its configuration steps

• Although the basic concepts are the same as in previous

versions, there is much more flexibility into how your workflow
can be configured

• Your Access Request workflow can be as complicated and as

flexible as your business requires

• Create your own BRF+ rules; do not limit your workflow to SAP-
delivered workflow rules
75
7 Key Points to Take Home (cont.)

• Remember, with all that flexibility, configuration can be very

detailed, where a small misconfiguration will change the way the
workflow works

• Use the workflow debug functionality in testing your workflow

• Through SAP Notes and SCN websites, there is a lot of help for
Access Control Workflow Configuration, just not located all in one
place

76
Your Turn!

Please remember to complete your session evaluation

77
Disclaimer

SAP and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE (or
an SAP affiliate company) in Germany and other countries. All other product and service names mentioned are the trademarks of their respective
companies. Wellesley Information Services is neither owned nor controlled by SAP SE.

78
Wellesley Information Services, 20 Carematrix Drive, Dedham, MA 02026
Copyright © 2015 Wellesley Information Services. All rights reserved.