07-14-2009 5:02 PM
Hi GRC Guys,
I am setting up the organization rule using CC 5.2 for one of my clients and met one issue which confuses me. I give you an example below.
We had a user BRUT01 in the backend system and this user has two roles, BRRT01 and BRRT02.
BRRT01 has the following authorization:
TCODE: ME21N
AO: M_BEST_EKO/ACTVT=01
M_BEST_EKO/EKORG=0001
BRRT02 has the following authorization:
TCODE: ME29N
AO: M_BEST_EKO/ACTVT=02
M_BEST_EKO/EKORG=BP01
So this user should have the authorization to create POs on purchase organization 0001 and release POs on purchase organization BP01. Suppose this is a conflict and the company doesn't allow an employee to have both PO creation on 0001 and PO release on BP01.
I set the SOD rules in CC 5.2 as follows
S_TCODE/TCD=ME21N AND
S_TCODE/TCD=ME29N AND
M_BEST_EKO/ACTVT=01 AND
M_BEST_EKO/EKORG=$EKORG AND
M_BEST_EKO/ACTVT=02 AND
M_BEST_EKO/EKORG=$EKORG AND
I also set the organization rule as follows:
RISK1* EKORG=0001 AND
RISK1* EKORG=BP01 AND
When I analyze without organization rule, I got the correct SOD risk answer. However when I choose to analyze with the above organization rules, no conflict is found.
Can anyone tell me what's wrong with the above settings?
Thanks.
07-14-2009 5:39 PM
Hi,
just to be sure: have you done the organization user mapping, the activity that you can find in Configuration?
07-15-2009 3:14 AM
Yes. I have first imported the users and roles with an incremental logic and then run the organization user mapping successfully.
Actually I have got a SAP GRC Quick Reference Guide which describes the organization rule setting in detail. The instructions in this guide are given based on different levels of organization rule, i.e. "Company Code" vs "Plants". However, in my case the organization rule is set on one level, "Purchase Organization".
Does it matter?
07-15-2009 3:33 AM
By the way, I have also tried using different levels of organization rules, i.e. "Purchase Organization" vs "Purchase Group" and it works fine.
So it seems to me the issue is that I set the organization rule on one level. Is this the reason?
07-16-2009 8:41 AM
Hi Ben,
Currently the org rules only work for one Org Unit in a single rule.
For example in your above rule you have given following values.
set the SOD rules in CC 5.2 as follows
S_TCODE/TCD=ME21N AND
S_TCODE/TCD=ME29N AND
M_BEST_EKO/ACTVT=01 AND
M_BEST_EKO/EKORG=$EKORG AND
M_BEST_EKO/ACTVT=02 AND
M_BEST_EKO/EKORG=$EKORG AND
So when the org rules are executed, all $EKORG will be replaced by either 0001 or BP01.
So this rule will be satisfied if the user has the same org unit for both TCODEs.
The org rule does not work for different values of the same org unit in the same rule.
So as a workaround for your issue you should use static values only, i.e. give the actual value instead of using the $ or org rule.
For your scenario the org rule does not work, as it was not designed like that.
Regards,
Shweta
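The substitution behaviour described in the reply above, as an added example that is not part of the original thread and is not SAP code. It is a simplified Python model: the names `matches`, `bind` and `org_rule_hits` are hypothetical, and treating an unbound `$EKORG` as "any value" when no org rule is applied is an assumption made to reproduce the result reported in the first post.

```python
# Simplified model of the rule evaluation discussed in this thread (not SAP code).
# Constructed sample data: user BRUT01 with roles BRRT01 and BRRT02 from the first post.
USER = {
    "tcodes": {"ME21N", "ME29N"},
    # One (object, ACTVT, EKORG) tuple per authorization held through a role.
    "auths": {("M_BEST_EKO", "01", "0001"),   # from BRRT01
              ("M_BEST_EKO", "02", "BP01")},  # from BRRT02
}

# The SoD rule as posted: one (tcode, object, ACTVT, EKORG) entry per action.
RULE = [("ME21N", "M_BEST_EKO", "01", "$EKORG"),
        ("ME29N", "M_BEST_EKO", "02", "$EKORG")]

# The workaround from the reply: literal values instead of $EKORG.
STATIC_RULE = [("ME21N", "M_BEST_EKO", "01", "0001"),
               ("ME29N", "M_BEST_EKO", "02", "BP01")]

def matches(user, rule):
    """True if the user holds every action in the rule.
    Assumption: an unbound $EKORG matches any EKORG value."""
    return all(
        tcode in user["tcodes"] and any(
            (o, a) == (obj, actvt) and ekorg in ("$EKORG", e)
            for o, a, e in user["auths"])
        for tcode, obj, actvt, ekorg in rule)

def bind(rule, value):
    """Replace every $EKORG in the rule with the same single org value."""
    return [(t, o, a, value if e == "$EKORG" else e) for t, o, a, e in rule]

def org_rule_hits(user, rule, org_values):
    """Org values for which the rule, bound to that one value, is satisfied."""
    return [v for v in org_values if matches(user, bind(rule, v))]

if __name__ == "__main__":
    print("no org rule:   ", matches(USER, RULE))
    print("with org rule: ", org_rule_hits(USER, RULE, ["0001", "BP01"]))
    print("static values: ", matches(USER, STATIC_RULE))
```

Because both `$EKORG` placeholders receive the same value in each pass, the cross-organization conflict (create on 0001, release on BP01) is never tested; only the static rule expresses it.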
07-23-2009 12:48 AM