Jun 18

With respect to my document Rule set - Rules & Rule Types and as I've got some requests to discuss the org rules in more detail I would like to share some more information about organizational rules.

Organizational rules in GRC Access Control are used to eliminate false positive SOD reporting based on organizational level restrictions for users. Organizational rules should not be created for mass org level reporting as it should only be enabled for functions that you specifically need to segregate. Most companies control what data a user has access to via role assignment. There are only very few companies who have a business need to create org rules.

Basically organizational rules allow you to filter false positives from the risks analysis. What does that mean? If you have a role concept where you derive roles from master roles, for example the leading organizational level is the company code, the risk analysis might show a risk which is due to the limitation of the authorization based on the organizational level no risk. Let me give you an example:

Role A: Z_ROLE_A_1000 for company code 1000 with action FB60

Role B: Z_ROLE_B_2000 for company code 2000 with action FK02

Role A contains transaction FB60 (posting of vendor invoices) for company code 1000, whereas Role B contains transaction FK02 (changing vendor master data) for company code 2000.

The combination of FK02 and FB60 is a SOD risk, as posting of vendor invoices and changing of vendor master data shouldn’t be performed by the same person. A user who gets the two roles would have both transactions assigned hence the risk analysis shows a risk. Actually this isn’t a risk, but as the organizational values are not considered it shows as a risk. This behavior is false positive as the user cannot execute FB60 and FK02 for the same company code. To filter these false positives you can utilize organizational rules.

While running a regular risk analysis, the user would show up with a SOD conflict, as he has both conflicting transactions assigned.  To find out if the risk exists for the same company code you can use the organizational rule. Therefore create an organizational rule hat filters the company code 1000 and apply this org rule to the risk analysis. After adding the org rule to the analysis the user won’t show up with the risk. Please be aware that after creating org rules the SOD rules must be regenerated (GRAC_GENERATE_RULES).

In most of the cases org rules are created for designated risks. Alternatively it is also possible to define org rules for all possible false positives by using wildcards (e.g. XGPR*).

Looking forward to your input.

Best regards,

See also on SAP SCN: http://scn.sap.com/docs/DOC-55986

Posted by Alessandro Banzer

Twitter Facebook

0 Trackbacks

  1. No Trackbacks


Display comments as(Linear | Threaded)
  1. No comments

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.

You can use [geshi lang=lang_name [,ln={y|n}]][/geshi] tags to embed source code snippets.