GRC 10.0: SOD ruleset

Former Member
0 Kudos

Hi All,

Please let me know why it is a risk if the user has access to the FBL5N (Customer Line Items) and VD02 (Change Customer (Sales)) transactions.

I believe the FBL5N tcode is a display report where the user can't change any document until we give change access to the user.

Thank you for your time in advance.

Regards,

Sushma M

Accepted Solutions (0)

Answers (3)


Former Member
0 Kudos

Hello Sushma,

In my opinion, this is an example of a false positive in the standard GRC 10.0 ruleset. The delivered ruleset is only a starting point. What you really need to do is go through a comprehensive review of each function in the ruleset and determine whether or not it represents the true capabilities of that function. The problem is that many of the functions contain lots of tcodes, but the individual tcodes may not necessarily enable a user to carry out the entire "function". So when SOD analysis is executed, if any single tcode of that function is flagged, then the whole function is flagged, and then the SOD that results could be a false positive.

I will give you a heads up that function AP02 "Process Vendor Invoices" especially causes many false positives.  I recommend replacing AP02 with a refined function that you create.

Regards,

Ken
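To make the evaluation Ken describes concrete, here is a small model of how a conjunctive SOD rule flags a user and why a display-only tcode inside a broad function produces a false positive. This is an added illustration, not SAP GRC code; the function and risk IDs (ZF_*, ZR_*) and the tcode ZPAY01 are hypothetical placeholders, only FBL5N and VD02 come from the thread.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    id: str
    actions: frozenset  # tcodes that count as performing this function


@dataclass(frozen=True)
class Risk:
    id: str
    functions: tuple  # a user must satisfy EVERY function to match the risk


def hits(user_tcodes, risk):
    """Per function, which of the user's tcodes satisfied it (empty set = not satisfied)."""
    u = frozenset(user_tcodes)
    return {f.id: u & f.actions for f in risk.functions}


def violates(user_tcodes, risk):
    """A risk is reported when no function in it is left unsatisfied."""
    return all(hits(user_tcodes, risk).values())


def explain(user_tcodes, risk, display_only):
    """Flag a likely false positive: some function is satisfied ONLY by display-only tcodes."""
    h = hits(user_tcodes, risk)
    if not all(h.values()):
        return "no violation"
    weak = [fid for fid, t in h.items() if t <= display_only]
    return f"violation; functions satisfied only by display tcodes: {weak}" if weak else "violation"


def refine(func, display_only):
    """Ken's recommendation: replace the delivered function with one that drops display-only tcodes."""
    return Function(func.id + "_REFINED", func.actions - display_only)


# Constructed sample data. IDs starting with Z are hypothetical placeholders; ZPAY01 stands in
# for a genuine posting transaction that the delivered function bundles together with FBL5N.
DISPLAY_ONLY = frozenset({"FBL5N"})
MAINTAIN_CUSTOMER = Function("ZF_CUST_MAINT", frozenset({"VD02"}))
CUSTOMER_PAYMENTS = Function("ZF_CUST_PAY", frozenset({"FBL5N", "ZPAY01"}))
RISK_STD = Risk("ZR_CUST_01", (MAINTAIN_CUSTOMER, CUSTOMER_PAYMENTS))
RISK_REFINED = Risk("ZR_CUST_01_REFINED", (MAINTAIN_CUSTOMER, refine(CUSTOMER_PAYMENTS, DISPLAY_ONLY)))

SUSHMA_USER = {"FBL5N", "VD02"}   # the combination asked about in the thread
POSTING_USER = {"ZPAY01", "VD02"}  # a user who really can post against customers

if __name__ == "__main__":
    print(explain(SUSHMA_USER, RISK_STD, DISPLAY_ONLY))      # flagged only via FBL5N: false positive
    print(explain(SUSHMA_USER, RISK_REFINED, DISPLAY_ONLY))  # refined function no longer matches
    print(explain(POSTING_USER, RISK_REFINED, DISPLAY_ONLY))  # real conflict still detected
```

The `explain` output is the diagnostic to take to the business: it names the function that was satisfied only by a display transaction, which is exactly what a reviewer needs to decide between refining the function and lowering the risk's priority.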

Former Member
0 Kudos

Hi Ken,

Thank you so much for the update.

Actually, we are thinking of lowering the priority of the risk related to the FBL5N tcode for now, since we are concentrating on High risks to clean up our system.

Then we will go for function modification later, but my client would like to know why it is a risk at the global level, as they can see that it has no risk from their business perspective.

I really appreciate your time.

Regards,

Sushma M

Former Member
0 Kudos

Hi,

As explained by Ken, SAP considers best practices across various industries to build their standard rulesets. There are multiple permutations and combinations while defining a risk. If any one of the standard risks is not suitable for your business, you can always customize it to your needs. The standard ruleset is for an initial assessment of your current set-up. You can also check at the SU24 level which objects are being triggered for the 2 transactions in question and why it could be a risk from an SAP business perspective. If I have more info, I will let you know. Need time for research.

Good Luck

Thanks

Venu Gudimalla

neerajmanocha
Product and Topic Expert
0 Kudos

Hi Sushma,

Seems you are talking about the risk provided in the SAP standard ruleset for transaction FBL5N.

Yes, from initial analysis, it seems FBL5N cannot change anything and is more of a display transaction. Need further investigation.

I have noted down this in our records for yearly review.

You can check with your business and disable this if your auditors accept the same.

For any kind of Rules recommendations/suggestions, you can send mail to me directly.

Neeraj.manocha@sap.com

Thanks & Regards
Neeraj

Former Member
0 Kudos

Hi Neeraj,

Thank you for your quick response.

Yes, I am talking about the SAP delivered rule set. I will email you with the details.

Once again, thank you for your time.

Regards,

Sushma M

Former Member
0 Kudos

Hi Sushma,

You have asked this question in a not-so-relevant forum. Please ask in SAP Security.

Could you provide us with the risk no., so that we can advise?

Regards

Plaban