ARA Risk Function with Multiple Tcodes

Former Member
0 Kudos

Hi Friends,

I would like to enquire about the behaviour in the query below. Appreciate your response.

We have created a Critical Action Risk with Function F1. Function F1 is composed as below:

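| Function ID | Action  |
|-------------|---------|
| F1          | Tcode 1 |
| F1          | Tcode 2 |

| Function ID | Permission Group | Field | Value | Condition |
|-------------|------------------|-------|-------|-----------|
| F1          | Tcode 2          | ACTVT | 01    | AND       |
| F1          | Tcode 2          | BUKRS | 1000  | AND       |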

My objective is to reflect the critical action risk when a user has both tcodes, tcode 1 and tcode 2. However, I noticed that based on the above definition, when risk analysis is performed, the user with only tcode 1 is reflected in the results.

My understanding is that when multiple actions are added, they are considered as an AND operation. Here it seems to behave as an OR operation between them.

Appreciate your advice.

Thanks

Ravi

Accepted Solutions (1)

Colleen
Advisor
0 Kudos

Hi Ravi

Try building a normal SoD (two conflicting functions) instead of critical action.

Build it as

F1 contains Tcode 1 with F_BKPF object (I assumed) for ACTVT 01/BUKRS

F2 contains Tcode 2 with F_BKPF object (I assume) for ACTVT 01/BUKRS

Therefore, the user will flag as a risk if they have Tcode1, Tcode2 and F_BKPF ACTVT 01

Regards

Colleen

Former Member
0 Kudos

Hi Colleen,

Thanks for your response. I understand the SoD part. These two tcodes don't form an SoD risk for the business, but they just want to flag them so that the approver is alerted when a user requests such a role. That's the reason we want to use a Critical Action risk. It doesn't seem to make much business case though. I'll discuss the requirements again with the customer. But can I clarify whether the multiple tcodes in the Actions tab are combined as an OR operation or an AND operation?

Thanks

Ravi

Colleen
Advisor
0 Kudos

Hi Ravi

I would see S_TCODE to be an OR, not an AND, as a transaction code is a type of "action" in the system.

Based on how GRC works I see it as:

  • Critical Action - the user has tcode1 OR tcode2
  • SoD - the user has both tcode1 AND tcode2

If your goal is to say that if a user asks for any of the transactions in the critical list, then define them as a critical action. E.g. the Action could be Unlock User, which could be Tcode SU01 OR Tcode SU10 along with S_USR_GRP ACTVT = 05.

Have a look at:

Regards

Colleen
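
An added example (not part of the thread and not SAP GRC code) that models the matching semantics described in the replies above: actions inside one function are alternatives, while an SoD risk requires every conflicting function to match. The tcode names, field values and data structures are constructed for illustration, and authorization objects such as F_BKPF are reduced to plain field/value pairs.

```python
# Simplified model of the semantics described in this thread.
# Assumption: names and structures are illustrative, not the GRC data model.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Action:
    tcode: str
    # Field/value pairs required together with the tcode (AND condition).
    permissions: tuple = ()

@dataclass
class User:
    name: str
    tcodes: set
    auths: dict = field(default_factory=dict)  # field name -> set of values held

def action_matches(user, action):
    """The tcode is held AND every permission field/value on it is held."""
    return action.tcode in user.tcodes and all(
        value in user.auths.get(fld, set()) for fld, value in action.permissions
    )

def function_matches(user, actions):
    """Actions inside one function are alternatives: any one is enough (OR)."""
    return any(action_matches(user, a) for a in actions)

def critical_action_risk(user, function):
    """A critical action risk carries a single function."""
    return function_matches(user, function)

def sod_risk(user, functions):
    """An SoD risk fires only when every conflicting function matches (AND)."""
    return all(function_matches(user, f) for f in functions)

# Constructed sample data mirroring the thread.
PERMS = (("ACTVT", "01"), ("BUKRS", "1000"))
F1_ORIGINAL = [Action("TCODE1"), Action("TCODE2", PERMS)]  # function from the question
F1_SPLIT = [Action("TCODE1", PERMS)]                        # F1 from the accepted answer
F2_SPLIT = [Action("TCODE2", PERMS)]                        # F2 from the accepted answer

AUTHS = {"ACTVT": {"01"}, "BUKRS": {"1000"}}
only_t1 = User("only_t1", {"TCODE1"}, AUTHS)
both = User("both", {"TCODE1", "TCODE2"}, AUTHS)

if __name__ == "__main__":
    for u in (only_t1, both):
        print(u.name, critical_action_risk(u, F1_ORIGINAL),
              sod_risk(u, [F1_SPLIT, F2_SPLIT]))
```

In this model the user holding only the first tcode is flagged by the single-function critical action risk but not by the two-function SoD risk, which matches the behaviour reported in the question.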

Answers (0)