Prevent False Conflicts with Supplemental Rules in SAP Access Control
- by Akansha Gupta, Senior Developer in SAP: Access Control, SAP Labs India Pvt. Ltd.
- September 28, 2015
SAP Access Control provides you with the option to create a supplementary rule. The rule gives additional information to prevent a false conflict in a segregation of duties (SoD) risk analysis report. Learn the steps you need to complete to enable the supplementary rule.
By reading this article you will learn how to:
- Configure the SAP GRC system to run supplementary risk analysis for a user at the permission level of a segregation of duties (SoD) risk
- Create a supplementary rule and run supplementary risk analysis
A supplementary rule for segregation of duties (SoD) risk analysis helps you identify and prevent false reports of user conflicts. The supplementary rule is an additional check that decides whether the risk should be included in the report. The rule checks a field name in a database table. This database table exists in the SAP ERP (plug-in) system, which contains information about the users associated with the field name. For example, database table USR02 has a BNAME field that contains the user name in the user master record.
The SAP Access Control supplemental rule is functionality that eliminates false positives and provides additional information to identify segregation of duties (SoD) violations. It performs a check against the database table and field name to prevent a false conflict from being reported as an SoD violation.
It identifies users who are allowed to perform a transaction, but are prevented from doing so by a false report. A false positive in risk analysis wrongly indicates that the user could perform a fraudulent transaction with the given authorization access. For example, Akansha is a user who can run transaction code SU01 (Create User or Assign Role) at any time, which can be identified as a false positive risk. To check that false positive risk, the system performs a further check against the database table, which eliminates it.