How to Generate an Organization Rule Using the Organization Rule Creation Wizard

  • by Sonia Sohal, Senior Developer for SAP Access Control, SAP Labs India Pvt. Ltd.
  • September 9, 2015
SAP Access Control includes a feature called the Organization Rule Creation Wizard that provides the ability to create an organization rule based on a specified system and rule set. Using this approach, you can avoid issues encountered while using the traditional manual method, which requires a lot of effort. You can also use the wizard to maintain the rules.
Learning Objectives

By reading this article, you will learn about:

  • Organization rules
  • The Organization Rule Creation Wizard
  • Creating and maintaining an organization rule via the wizard
Key Concept

The Organization Rule Creation Wizard makes the process of creating organization rules faster and eliminates possible invalid entries due to manual input. The wizard also reduces the effort of maintaining organization rules manually.

Organization rules are used to eliminate false positive risks in your access risk analysis reports. They are required when there is a need to define rules to establish more granular Segregation of Duties (SoD) functionality.

This functionality should not be used to try to group users by organizational levels in order to distribute SoD reports to various management levels. Organization-level rules should be used for exception-based reporting in order to remove false positive conflicts that result from organization-level segregation. Because of the sizable performance impact that organization-level rules can have, they should be used minimally.

In the context of a risk analysis report, a false positive is a scenario in which the report shows an access risk for a user who, in reality, cannot execute the transactions for the relevant business entity (for example, a company code). Even if the user has been assigned a different business entity (for example, the business risk can only be realized if the user runs the transactions for company code 1000, whereas the user has company code 0001), the risk analysis report still shows an access risk at the permissions level. To filter out these false positives, you need to use organization rules for the business entity (here, company code 1000) to check whether the access risk is actually valid.
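The filtering described above, as a simplified Python model added here for illustration (it is not SAP Access Control code and not from the author). The action names, user IDs, and the `analyze` helper are constructed assumptions; the model also goes slightly beyond the single case in the text by covering a user whose conflicting actions are split across company codes and a user with a wildcard (`*`) company code.

```python
from dataclasses import dataclass

# Constructed SoD risk: a user holding both actions is a conflict.
RISK_ACTIONS = ("ENTER_INVOICE", "RUN_PAYMENT")

@dataclass(frozen=True)
class Grant:
    action: str
    company_codes: frozenset  # "*" stands for all company codes

def grant(action, *codes):
    return Grant(action, frozenset(codes))

def covers(g, company_code):
    return "*" in g.company_codes or company_code in g.company_codes

def permission_level_risk(grants):
    """Permission-level check: all conflicting actions held, whatever the company code."""
    held = {g.action for g in grants}
    return all(action in held for action in RISK_ACTIONS)

def org_rule_risk(grants, company_code):
    """Organization rule: every conflicting action must be usable in that company code."""
    return all(
        any(g.action == action and covers(g, company_code) for g in grants)
        for action in RISK_ACTIONS
    )

def analyze(users, company_code):
    """Classify each user after applying the organization rule for one company code."""
    report = {}
    for user, grants in users.items():
        if not permission_level_risk(grants):
            report[user] = "no risk"
        elif org_rule_risk(grants, company_code):
            report[user] = "risk"
        else:
            report[user] = "false positive"  # flagged at permission level only
    return report

# Constructed sample users; company codes 1000 and 0001 follow the text's example.
USERS = {
    "USER_A": [grant("ENTER_INVOICE", "0001"), grant("RUN_PAYMENT", "0001")],
    "USER_B": [grant("ENTER_INVOICE", "1000"), grant("RUN_PAYMENT", "1000")],
    "USER_C": [grant("ENTER_INVOICE", "1000"), grant("RUN_PAYMENT", "0001")],
    "USER_D": [grant("ENTER_INVOICE", "*"), grant("RUN_PAYMENT", "*")],
    "USER_E": [grant("ENTER_INVOICE", "1000")],
}

if __name__ == "__main__":
    for user, status in analyze(USERS, "1000").items():
        print(user, status)
```

USER_A matches the case in the text: the permission-level analysis flags the user, and the organization rule for company code 1000 removes the finding.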

I have provided step-by-step guidance for creating an organization rule in SAP Access Control. I also explain the benefits of the Organization Rule Creation Wizard over the traditional approach of maintaining organization rules manually.

Create the Organization Rule Creation Wizard

The Organization Rule Creation Wizard makes the process of creating an organization rule faster and eliminates possible invalid entries due to manual input. The main objective of the Organization Rule Creation Wizard is to initially generate all possible rule combinations for a new system/connector in the GRC system (for example, which rule set is to be selected and which organization values are to be part of an organization rule). Once the system/connector is added, you can modify existing organization rules directly from the organization rule Personal Object Worklist (POWL). You can open the organization rule POWL by following the menu path nwbc > Setup > Exception Access Rule > Organization Rules.

Earlier, companies used to upload rules via Microsoft Excel. However, maintaining these rules manually required significant cost and effort, and it was possible to maintain wrong combinations because a user could select any combination and generate it. The Organization Rule Creation Wizard provides real-time assignments from ERP systems, so the risk of maintaining wrong assignments is removed.

Sonia Sohal

Sonia Sohal is a senior developer at SAP Labs India Pvt. Ltd. She has more than seven years of experience and is currently working with the Installed Base Maintenance Support (IMS) organization, SAP Labs, India, for SAP Access Control 10.0 and 10.1. Sonia has vast experience and has worked on multiple technologies, including ABAP OO, SAP ABAP dictionary, function modules, SAPUI5, SAP HANA, and ABAP WebDynpro, for a broad range of SAP modules and SAP Access Control.

 
