BRF+ (Business Rule Framework Plus) Concept in SAP GRC ACCESS CONTROL

BRF+ (Business Rule Framework Plus) is a business rule management system (BRMS) offered by SAP.

In Simple language you can just think BRF+ as a web-based tool where you can create some logic
which can be used in MSMP Configuration.

As we all are aware that based on client’s requirement and process, we need to configure MSMP for
different Processes used in GRC AC. So BRF+ can be used for this same purpose.

Using BRF+ we can create Initiator Rule, Routing Rules, Agent Rules, Notification and Variable Rules
etc. which we can use in MSMP Configuration.

Creating rules in BRF+ is simple because it does not involve programing and you just need to create a
conditional simple expression.
Technically, what we are doing is just creating a logic in BRF+ and then mapping the Rule ID
generated from BRF+ to MSMP “Maintain Rules” stage.

Further in this document I have given all the steps required to be followed to create rules in BRF+
which will make your understanding clear.

Key Features for BRF+ are as follows:

Helps maintain complex business logic in Business rules
ABAP based framework which provides a web-based interface for defining, modeling and processing
Business rules.

BRF + Ruleset Contains Variables and Expressions

No coding is required - Rules can be changed without changing program code

For GRC Access Control - we use DECISION TABLE as the Expression Type (There are few other
expression types available in BRF+)

We need to define some inputs and their outputs to form an expression

(In simple language, if my input is A & B or A or B (some parameters in business) then my output
should be C)

BRF+ Accessed via

1. Transaction Code - BRFPLUS/BRF+

OR

2. SPRO Path – SPRO – SAP Reference IMG – Governance, Risk and Compliance – Access
Control – Workflow for Access Control – Define Business Rule Framework

As soon as you enter T code or go via SPRO path, BRF+ gets opened in a browser. So, by saying
ABAP based framework we mean it is a web interface where we are working to create BRF+ rules.
COMPONENTS OF BRF+
We will try to understand some theory related to structure of BRF+ now.

Below are the components of BRF+. You don’t need to memorize anything. But to clearly and
technically understand BRF+ we should know what exactly it comprises of and how we are building
the logic.

***we mostly use DECISION TABLE as our expression type for GRC Access Control

BRF+ INTEGRATION RULES FOR MSMP

Using BRF+ we can create Initiator Rule, Routing Rules, Agent Rules, Notification and Variable Rules
which is to be used in MSMP Configuration.

We are creating a logic in BRF+ and then mapping the Rule ID generated here in MSMP Maintain
Rules stage.

There are few other Rules types as well which can be created in BRF+. But these are something not
very commonly used.
You can read below 2 tables to understand usage of BRF+ in GRC Access Control.

TABLE 1:

TABLE 2:
BRF+ Usage in GRC Access control BRM Module
Below table will give you an idea about how BRF+ is being used in BRM module of GRC-AC.

Now let’s get into the actual thing. Below, I have tried to put all the steps which we follow to create
BRF+ rules.

There are 2 parts of process which you need to follow in your GRC system

PART 1: DEFINE WORKFLOW-RELATED MSMP RULES

PART 2: DEFINE BUSINESS RULE FRAMEWORK (BRF+)

PART 1: DEFINE WORKFLOW-RELATED MSMP RULES

STEP 1:
STEP 2
Upon following step 1 below window opens in SAP Systems.

You have to key in fields here:

As an example, inputs are entered in below picture.

Let’s clearly understand each field now:

RULE INFO

1. MSMP Process ID

This is the field where you get options to select Process IDs used in MSMP

Example: SAP_GRAC_ACCESS_REQUEST,

2. Rule Type

**Mostly we use BRFplus Flat Rule in GRC AC MSMP

 3. Rule Kind

4. Rule ID

5. Application/Func. Group Name

GENERATION OF OPTIONS
1. Generate Rule
2. Gen. Ruleset Work-area (BRF+)
3. Override BRF+ Application Text
4. Override BRF+ Function Text

TEST RULE

1. Validate Rule Execution

2. Validate w. Internal Structure
3. Execute Rule with Empty Input
4. Add Initial Line to Line Items
STEP 3
Click execute button on top and view the rule generation log
PART 2: DEFINE BUSINESS RULE FRAMEWORK (BRF+)
In supporting images for every step, I have highlighted fields in yellow color to have better
understanding of steps to be followed

As an example, creation of an Initiator Rule is taken

STEP 1
Define Business Rules Framework

STEP 2
STEP 3
STEP 4

STEP 5
STEP 6
STEP 7
STEP 8
STEP 9
DECISION TABLE RULES CAN BE UPDATED USING EXCEL FILE as well (if lots of data)
STEP 9
STEP 10

SIMULATION OF CREATED RULES INSIDE BRF+

Example for test:

Steps for Simulation:

1. In General tab click on Start Simulation Button

2. Key in the fields

3. Click on Run Simulation

 4. Result is Displayed

INITIATOR RULE CREATION EXAMPLE: SUMMARY OF STEPS TO BE FOLLOWED

Similarly, you can create Routing Rules, Agent Rules, Notification and Variable Rules to be used in
MSMP Configuration