
Compliance Calibrator Rules relating to FB01 & FB01L

Former Member
0 Kudos

Hi, I have a scenario where a large number of (existing) users have got PZ52 (Purchase unauthorized items, perform goods receipt, and initiate payment by invoicing) High risk. Users have got this risk suddenly due to the addition of the T-Code FB01L to some of the existing roles. As per the business team, the addition of this T-Code should not have led to the risk, as all these users already had access to FB01 through other role(s).

But the rule set is different for these two T-Codes, and hence the users were not showing with high risk earlier when they had access to FB01, but started showing up as high risk when they got access to FB01L.

Rule Set for FB01:

The ones that are highlighted were added in the past to restrict the Inter company/ Inter plant transactions from the risk consideration.

Rule set for FB01L:

My questions are as follows:

1. As I see that the rule set is different for FB01 and FB01L (even without considering the exceptions that were added by us), should we consider that these transactions provide different levels of access/permissions and hence this is a real risk, and we should look at options for remediation or mitigation of this risk? If yes, how do I demonstrate to the business that these transactions are indeed different and cannot be treated in the same manner? (or)

2. Is there a possibility of the rule set not being complete/correct, and should we look at the options for modifying the rules based on the business team's advice?

Can any of you help?

Appreciate your time in reading this question and posting answers.

Accepted Solutions (0)

Answers (1)


alessandr0
Active Contributor
0 Kudos

Dear Surya,

You have to consider the risk level of each transaction based on your business requirement. The pre-delivered rule set from SAP is a best-practice approach but not the ultimate truth. Hence you have to talk to your business responsibles and align on whether FB01L is considered risky or not.

I suggest you talk with your business responsibles and consider whether the transaction is risky and should be considered in the risk analysis. Some documents regarding internal controls are available on SCN and might give you an idea:

Let us know if you need further details.

Best regards,

Alessandro

Former Member
0 Kudos

Hi Alessandro,

Thanks for your reply. Sorry that I couldn't reply immediately; I was not able to log in to this site due to a duplicate ID issue.

Went through all 3 documents shared by you, and they are very informative.

Just have a couple more questions: Is there any way we can track the following in the Compliance Calibrator:

1. Details of the changes made to the rule set (date, what was changed, etc.)

2. Is there any way to check whether the rule sets in my development system and my production system are the same?

Appreciate your help.

Regards,

Surya Narayanan.
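Added illustration, not part of this thread and not Compliance Calibrator's own code or rule content: a small constructed model of how a GRC-style rule set is evaluated. It covers the two points raised above, why a user who already held FB01 can first be flagged with PZ52 when FB01L is added (the FB01 action carries a permission-level condition, standing in for the "highlighted" intercompany exceptions, while FB01L does not), and how two rule-set definitions, such as a development and a production copy, can be compared for differences. The function names, the authorization object/field/value used as the condition, the extra transaction codes and the user's authorizations are all constructed sample data; the real SAP rule set is organised differently and must be taken from the system itself.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

AuthValue = Tuple[str, str, str]  # (authorization object, field, value)


@dataclass(frozen=True)
class Action:
    """One transaction inside a function. `conditions` are permission-level
    checks the user must also hold before the action counts; an empty set
    means the transaction code alone is enough."""
    tcode: str
    conditions: FrozenSet[AuthValue] = frozenset()


@dataclass(frozen=True)
class Risk:
    risk_id: str
    level: str
    functions: Tuple[str, ...]  # a user hits the risk only when holding every function


@dataclass
class RuleSet:
    functions: Dict[str, FrozenSet[Action]]
    risks: Dict[str, Risk]


@dataclass
class UserAuth:
    tcodes: Set[str]
    auths: Set[AuthValue]


def holds_action(user: UserAuth, action: Action) -> bool:
    return action.tcode in user.tcodes and action.conditions <= user.auths


def holds_function(user: UserAuth, actions: FrozenSet[Action]) -> bool:
    # Any one qualifying action is enough to hold the function.
    return any(holds_action(user, a) for a in actions)


def analyze(user: UserAuth, rules: RuleSet) -> List[str]:
    """Risk IDs for which the user holds all conflicting functions."""
    return sorted(r.risk_id for r in rules.risks.values()
                  if all(holds_function(user, rules.functions[f]) for f in r.functions))


def diff_rulesets(a: RuleSet, b: RuleSet) -> Dict[str, List[str]]:
    """Functions/risks present in only one rule set or defined differently."""
    out: Dict[str, List[str]] = {"only_in_a": [], "only_in_b": [], "changed": []}
    for kind in ("functions", "risks"):
        da, db = getattr(a, kind), getattr(b, kind)
        out["only_in_a"] += sorted(f"{kind}:{k}" for k in da.keys() - db.keys())
        out["only_in_b"] += sorted(f"{kind}:{k}" for k in db.keys() - da.keys())
        out["changed"] += sorted(f"{kind}:{k}" for k in da.keys() & db.keys() if da[k] != db[k])
    return out


# Constructed stand-in for the exceptions added to the FB01 rule: the posting
# only counts when the user may also post to vendor accounts (KOART = K).
VENDOR_POSTING: AuthValue = ("F_BKPF_KOA", "KOART", "K")


def build_prod_ruleset() -> RuleSet:
    """Constructed 'production' rule set: FB01 restricted, FB01L not."""
    functions = {
        "PURCHASE": frozenset({Action("ME21N")}),
        "GOODS_RECEIPT": frozenset({Action("MIGO")}),
        "INVOICE_PAYMENT": frozenset({
            Action("FB01", frozenset({VENDOR_POSTING})),
            Action("FB01L"),
        }),
    }
    risks = {"PZ52": Risk("PZ52", "High", ("PURCHASE", "GOODS_RECEIPT", "INVOICE_PAYMENT"))}
    return RuleSet(functions, risks)


def build_dev_ruleset() -> RuleSet:
    """Constructed 'development' rule set: FB01L carries the same exception as FB01."""
    rs = build_prod_ruleset()
    rs.functions["INVOICE_PAYMENT"] = frozenset({
        Action("FB01", frozenset({VENDOR_POSTING})),
        Action("FB01L", frozenset({VENDOR_POSTING})),
    })
    return rs


def sample_user(with_fb01l: bool) -> UserAuth:
    """Constructed user: purchasing and goods receipt, FB01 from an older FI role
    that only allows customer postings (KOART = D), optionally FB01L from the new role."""
    tcodes = {"ME21N", "MIGO", "FB01"}
    if with_fb01l:
        tcodes.add("FB01L")
    return UserAuth(tcodes, {("F_BKPF_KOA", "KOART", "D")})


if __name__ == "__main__":
    prod = build_prod_ruleset()
    print("before FB01L:", analyze(sample_user(False), prod))   # []
    print("after FB01L: ", analyze(sample_user(True), prod))    # ['PZ52']
    print("dev vs prod: ", diff_rulesets(prod, build_dev_ruleset()))
```

The model makes the difference visible to the business: the same user is clean under the FB01 rule because its permission-level condition is not met, and is flagged the moment an unconditioned FB01L action satisfies the invoicing function. The `diff_rulesets` output is the kind of report worth producing from exported rule tables of two systems before trusting that they match.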