on 04-14-2016 5:09 AM
Hi Friends,
I would like to enquire about the behaviour in the below query. Appreciate your response.
We have created a Critical Action Risk with Function F1. Function F1 comprises as below

Function ID | Action |
---|---|
F1 | Tcode 1 |
F1 | Tcode 2 |

Function ID | Permission Group | Field | Value | Condition |
---|---|---|---|---|
F1 | Tcode 2 | ACTVT | 01 | AND |
F1 | Tcode 2 | BUKRS | 1000 | AND |

My objective is to reflect the critical action risk when a user has both tcodes, tcode 1 and tcode 2. However, I noticed that, based on the above definition, when risk analysis is performed, the user with only tcode 1 is reflected in the results.
My understanding is that when multiple actions are added, they are considered as an AND operation. Here it seems to behave as an OR operation between them.
Appreciate your advice.
Thanks
Ravi
Hi Ravi
Try building a normal SoD (two conflicting functions) instead of critical action.
Build it as
F1 contains Tcode 1 with F_BKPF object (I assumed) for ACTVT 01/BUKRS
F2 contains Tcode 2 with F_BKPF object (I assume) for ACTVT 01/BUKRS
Therefore, the user will flag as a risk if they have Tcode1, Tcode2 and F_BKPF ACTVT 01
Regards
Colleen
Hi Colleen,
Thanks for your response. I understand the SOD part. These two tcodes don't form an SOD risk for the business, but they just want to flag them so that the approver is alerted when a user requests such a role. That's the reason we want to use a Critical Action risk. It doesn't seem to make much business care though. I'll discuss the requirements again with the customer. But can I clarify whether the multiple tcodes in the Actions tab are combined as an OR operation or an AND operation?
Thanks
Ravi
Hi Ravi
I would see S_TCODE to be an OR, not AND, as a transaction code is a type of "action" in the system.
Based on how GRC works I see it as:
If your goal is to say that if a user asks for any of the transactions in the critical list, then define them as a critical action. E.g. the Action could be Unlock User, which could be Tcode SU01 OR tcode SU10 along with S_USR_GRP ACTVT = 05.
Regards
Colleen
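
The behaviour discussed in this thread, as an added example that is not part of any post and is not SAP GRC code: a simplified Python model in which actions inside one function combine with OR, permissions on an action combine with AND, and the functions of an SoD risk combine with AND. The `TCODE1`/`TCODE2` placeholders, the user records and all helper names are constructed for illustration.

```python
# Simplified model of the rule semantics described in the thread (assumption,
# not SAP GRC's implementation). All tcodes and users below are constructed.

def action_matches(action, user):
    """An action hits when the user holds the tcode and every permission
    field/value listed for it (permission rows combine with AND)."""
    if action["tcode"] not in user["tcodes"]:
        return False
    return all(value in user["auths"].get(field, set())
               for field, value in action.get("perms", {}).items())

def function_matches(function, user):
    """Actions inside one function combine with OR: one hit is enough."""
    return any(action_matches(a, user) for a in function)

def critical_action_risk(function, user):
    """Critical action risk has a single function, so any action flags."""
    return function_matches(function, user)

def sod_risk(functions, user):
    """SoD risk: the user must match every conflicting function (AND)."""
    return all(function_matches(f, user) for f in functions)

PERMS = {"ACTVT": "01", "BUKRS": "1000"}
# Definition from the question: both tcodes in one function F1,
# permissions maintained for the second tcode only.
F1_CRITICAL = [{"tcode": "TCODE1"}, {"tcode": "TCODE2", "perms": PERMS}]
# Suggested alternative: one tcode per function, risk = F1 AND F2.
F1_SOD = [{"tcode": "TCODE1", "perms": PERMS}]
F2_SOD = [{"tcode": "TCODE2", "perms": PERMS}]

FULL_AUTH = {"ACTVT": {"01"}, "BUKRS": {"1000"}}
USERS = {
    "only_tcode1": {"tcodes": {"TCODE1"}, "auths": FULL_AUTH},
    "both_tcodes": {"tcodes": {"TCODE1", "TCODE2"}, "auths": FULL_AUTH},
    "both_display_only": {"tcodes": {"TCODE1", "TCODE2"},
                          "auths": {"ACTVT": {"03"}, "BUKRS": {"1000"}}},
}

def analyse(users):
    """Run both rule types for every user and return the flags per user."""
    return {name: {"critical": critical_action_risk(F1_CRITICAL, u),
                   "sod": sod_risk([F1_SOD, F2_SOD], u)}
            for name, u in users.items()}

if __name__ == "__main__":
    for name, flags in analyse(USERS).items():
        print(f"{name:18} critical={flags['critical']!s:5} sod={flags['sod']}")
```
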