on 05-27-2014 12:17 PM
Dear all.
I am having some doubts about the functionality of the Organizational Rules. Let's say for example that a user has transaction FK01 or FK02 and FB60, so the user has the potential risk of maintaining vendors and performing some payments against these vendors. Let's say risk F001.
Then imagine the following scenario:
Now I have an organizational rule for the risk F001 to filter for users that have access to company 0001. So:
And the last question. Imagine I have 30 different companies and I want to filter for the users that are only able to perform the risk in one particular company (in the scope of these 30).
Regards and thanks.
Sara:
When you create Organizational Rules, you only need to have those that are in conflict. In your example above, you would activate the Organizational Level in each of the functions involved. In your case, the Organizational Level is the same (i.e. BUKRS (Company Code)). You would enter a single-line org rule for each organization that you have. What this will do in effect is replace the $BUKRS field with the CoCode listed in each org rule.
You have to create a rule for each company code in this case. When you run a risk analysis, then the user who has TCD FK01; F_LFA1_BUK; and ACTVT 01 or 02 and BUKRS 0001 and TCD FB60; F_BKPF_BUK, with ACTVT 01 or 02, and BUKRS 0001 will show as a risk.
Conversely, if the user has TCD FK01; F_LFA1_BUK; and ACTVT 01 or 02 and BUKRS 0001 and TCD FB60; F_BKPF_BUK, with ACTVT 01 or 02, and BUKRS 0002, then he/she would not show up when analyzing by Org Rule.
There may be times when you don't have the same organizational level to work with and then you will need to map out which ones will cause issues (i.e. BUKRS vs VKORG). Here you may be able to manually extrapolate via the financial hierarchy of SAP if needed.
I hope this helps.
Kevin Tucholke
Thanks Kevin. Regarding your email:
Sara:
When you create Organizational Rules, you only need to have those that are in conflict. In your example above, you would activate the Organizational Level in each of the functions involved. In your case, the Organizational Level is the same (i.e. BUKRS (Company Code)). You would enter a single-line org rule for each organization that you have. What this will do in effect is replace the $BUKRS field with the CoCode listed in each org rule.
What I understand from your comments is that for the case mentioned before:
So in the ruleset both the authorization object and the field should be activated, at least with $BUKRS.
You have to create a rule for each company code in this case. When you run a risk analysis, then the user who has TCD FK01; F_LFA1_BUK; and ACTVT 01 or 02 and BUKRS 0001 and TCD FB60; F_BKPF_BUK, with ACTVT 01 or 02, and BUKRS 0001 will show as a risk.
Conversely, if the user has TCD FK01; F_LFA1_BUK; and ACTVT 01 or 02 and BUKRS 0001 and TCD FB60; F_BKPF_BUK, with ACTVT 01 or 02, and BUKRS 0002, then he/she would not show up when analyzing by Org Rule.
There may be times when you don't have the same organizational level to work with and then you will need to map out which ones will cause issues (i.e. BUKRS vs VKORG). Here you may be able to manually extrapolate via the financial hierarchy of SAP if needed.
I hope this helps.
Kevin Tucholke
Dear Sara,
If you consider organisational rules, the analysis will be separated by org rule values (e.g. BUKRS) and the risk will not show if you do not have authorization for the same BUKRS.
The combination of FK02 and FB60 is an SoD risk, as posting of vendor invoices and changing of vendor master data shouldn't be performed by the same person. A user who gets the two roles (with different BUKRS) would have both transactions assigned and the risk analysis shows a risk. Actually this isn't a risk, but as the organizational values are not considered it shows as a risk. This behavior is a false positive, as the user cannot execute FB60 and FK02 for the same company code. To filter these false positives you can utilize organizational rules.
Does this answer your question?
Best regards,
Alessandro
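As an added illustration of the behaviour Kevin and Alessandro describe above (this is not SAP GRC code and was not posted by anyone in this thread), the following small Python model shows how single-line organizational rules substitute a concrete company code for $BUKRS in each function of a risk, so that a user whose vendor-maintenance and invoice-posting authorizations sit in different company codes fires the risk in a plain analysis but not in an org-rule analysis. All risk definitions, rule IDs, users and grants are constructed for the example, and treating a BUKRS value of "*" as a full wildcard is an assumption.

```python
# Added illustration, not SAP GRC code: a small model of how single-line
# organizational rules narrow a segregation-of-duties risk to one company
# code (BUKRS). All risks, grants, users and rule values below are constructed.

# Risk F001: maintaining a vendor (FK01/FK02) plus posting a vendor invoice (FB60).
# "$BUKRS" marks that the org level is activated on the field; an org rule
# replaces it with a concrete company code during analysis.
RISK_F001 = {
    "maintain_vendor": {
        "tcd": {"FK01", "FK02"}, "object": "F_LFA1_BUK",
        "actvt": {"01", "02"}, "bukrs": "$BUKRS",
    },
    "post_vendor_invoice": {
        "tcd": {"FB60"}, "object": "F_BKPF_BUK",
        "actvt": {"01", "02"}, "bukrs": "$BUKRS",
    },
}

# One single-line org rule per company code in scope (constructed rule IDs).
ORG_RULES = {"ORG_0001": {"BUKRS": "0001"}, "ORG_0002": {"BUKRS": "0002"}}

# A user's effective authorizations as (tcd, object, actvt, bukrs) tuples.
# Assumption: a BUKRS value of "*" is a full-authorization wildcard.
USER_SAME_COCODE = [
    ("FK01", "F_LFA1_BUK", "02", "0001"),
    ("FB60", "F_BKPF_BUK", "01", "0001"),
]
USER_SPLIT_COCODES = [  # vendor maintenance in 0001, posting only in 0002
    ("FK01", "F_LFA1_BUK", "02", "0001"),
    ("FB60", "F_BKPF_BUK", "01", "0002"),
]
USER_WILDCARD_VENDOR = [  # vendor maintenance for every company code
    ("FK02", "F_LFA1_BUK", "02", "*"),
    ("FB60", "F_BKPF_BUK", "01", "0002"),
]
USER_DISPLAY_ONLY = [  # FK03 / ACTVT 03 is display only, no conflicting function
    ("FK03", "F_LFA1_BUK", "03", "0001"),
    ("FB60", "F_BKPF_BUK", "01", "0001"),
]


def bukrs_matches(granted, required):
    """required=None means the org level is not evaluated (no org rule active)."""
    return required is None or granted == "*" or granted == required


def function_satisfied(func, grants, bukrs=None):
    """True if at least one grant covers the transaction, object, activity
    and, when an org rule supplies one, the company code of this function."""
    return any(
        tcd in func["tcd"]
        and obj == func["object"]
        and actvt in func["actvt"]
        and bukrs_matches(granted_bukrs, bukrs)
        for tcd, obj, actvt, granted_bukrs in grants
    )


def analyze(grants, risk=RISK_F001, org_rules=None):
    """Return the IDs of the org rules under which the risk fires.

    Without org rules the org level is ignored, which is what produces the
    false positive for a user split across company codes; the marker
    'NO_ORG_RULE' is returned when the risk fires in that mode."""
    if org_rules is None:
        fires = all(function_satisfied(f, grants) for f in risk.values())
        return {"NO_ORG_RULE"} if fires else set()
    hits = set()
    for rule_id, values in org_rules.items():
        substituted = values["BUKRS"]  # this value replaces $BUKRS in every function
        if all(function_satisfied(f, grants, substituted) for f in risk.values()):
            hits.add(rule_id)
    return hits


if __name__ == "__main__":
    cases = [("same", USER_SAME_COCODE), ("split", USER_SPLIT_COCODES),
             ("wildcard", USER_WILDCARD_VENDOR), ("display", USER_DISPLAY_ONLY)]
    for name, grants in cases:
        print(f"{name:8s} plain={sorted(analyze(grants))} "
              f"org-rule={sorted(analyze(grants, org_rules=ORG_RULES))}")
```

Running the block prints, for each constructed user, the result of a plain analysis next to an org-rule analysis: the split user appears only in the plain run (the false positive), the same-company user appears under ORG_0001, and the wildcard user appears only under the company code where the posting authorization is also present.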
Thank you Alessandro.
Sorry, but I don't see your point and I am not really sure that you answered my question.
That is basically: using organizational rules, is it possible to differentiate by authorization object?
e.g.
- User having this --> Risk P001 because --> FK01 for Company 0001 and FB60 for Company 0002
- Organizational rule defined as --> Risk = P001 and BUKRS = 0001
Will the org rule be able to indicate that this user does not have the risk, or not?
I mean the user is able to change vendor master data over company 0001 but not posting over the same company and the org rule is filtering by one company where the user could perform something.
Regards and thanks.
Dear all, has someone encountered this scenario before?
Regards.