GRC AC 5.3 SP12 - risk analysis with organizational rules
We have a risk with 2 functions.
The first function searches for VF01 and other V_VBRK_VKO with ACTVT=01 enabled.
The second function searches for VA01 and V_VBAK_VKO with ACTVT=01 enabled and SPART field enabled.
Then we have defined an organizational rule having SPART=BB.
It seems that the risk analysis result is wrong on function 2 (VA01).
We have a user with 2 roles assigned:
- the first role gives an authorization to V_VBAK_VKO object with ACTVT=01 and SPART=AA
- the second role gives an authorization to V_VBAK_VKO object with ACTVT=03 and SPART=BB
The risk analysis result reports that the user has a violation because he is authorized to function 2.
This is wrong because the user has only a display authorization on SPART=BB.
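
The scenario above, modelled as an added example (not SAP GRC code and not part of the original post): it compares checking each authorization on its own with pooling field values across the user's roles. The pooled model is an assumption that reproduces the reported result, not a statement of how GRC AC evaluates internally; the role names and function names are hypothetical.

```python
# Constructed data from the post: one user, two roles, both on V_VBAK_VKO.
USER_AUTHS = [
    {"role": "ROLE_1", "object": "V_VBAK_VKO", "ACTVT": {"01"}, "SPART": {"AA"}},
    {"role": "ROLE_2", "object": "V_VBAK_VKO", "ACTVT": {"03"}, "SPART": {"BB"}},
]

# Function 2 permission, with SPART supplied by the organizational rule (SPART=BB).
REQUIRED = {"object": "V_VBAK_VKO", "fields": {"ACTVT": "01", "SPART": "BB"}}


def value_allows(granted, wanted):
    """A field grants a value if it lists it or holds the '*' wildcard."""
    return "*" in granted or wanted in granted


def single_auth_hits(auths, required):
    """Roles whose one authorization satisfies every required field together."""
    return [
        a["role"] for a in auths
        if a["object"] == required["object"]
        and all(value_allows(a.get(f, set()), v)
                for f, v in required["fields"].items())
    ]


def pooled_hit(auths, required):
    """Assumed model: field values are merged across all authorizations."""
    pooled = {}
    for a in auths:
        if a["object"] == required["object"]:
            for f in required["fields"]:
                pooled.setdefault(f, set()).update(a.get(f, set()))
    return all(value_allows(pooled.get(f, set()), v)
               for f, v in required["fields"].items())


def classify(auths, required):
    """'violation' if one authorization matches, 'pooled-only' if the match
    exists only after merging values from different authorizations."""
    if single_auth_hits(auths, required):
        return "violation"
    return "pooled-only" if pooled_hit(auths, required) else "clean"


if __name__ == "__main__":
    print(classify(USER_AUTHS, REQUIRED))
```

A "pooled-only" result marks a finding that comes from combining ACTVT from one role with SPART from another, which is the case the post describes as wrong.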