Former Member

Organizational rules case

Dear all.

I am having some doubts about the functionality of the Organizational Rules. Let’s say, for example, that a user has transaction FK01 or FK02 and FB60, so the user has the potential risk of maintaining a vendor and performing payments against this vendor. Let’s say risk F001.

Then imagine the following scenario:

  • The user has access to FK01 and the field BUKRS for the authorization object F_LFA1_BUK is = 0001
  • The user has access to FB60 and the field BUKRS for the authorization object F_BKPF_BUK is = 0002

Now I have an organizational rule for the risk F001 to filter for users that have access to company 0001. So:

  • Is this user being considered for the rule? In theory this user is not able to perform the transactions for the same company, so it shouldn’t appear in the reporting.
  • How do the organizational rules work? Do they look for the field BUKRS, regardless of the authorization object, and then, if it is set for company 0001, does the rule consider that this user could perform the two transactions over the same company?

And the last question. Imagine I have 30 different companies and I want to filter by the users that are only able to perform the risk over a given company (in the scope of these 30).

  • Should I create 30 different organizational rules for the same risk?
  • If I create only 1 organizational rule and then set the different companies with an OR, do I get the same behavior as in the point mentioned before?

Regards and thanks.


3 Answers

  • Best Answer
    May 28, 2014 at 12:41 AM

    Sara:

    When you create Organizational Rules, you only need to have those that are in conflict.  In your example above, you would activate the Organizational Level in each of the functions involved.  In your case, the Organizational Level is the same (i.e. BUKRS (Company Code)).  You would enter a single line org rule for each organization that you have.  What this will do in effect is replace the $BUKRS field with the CoCode listed in each org rule.

    You have to create a rule for each company code in this case.  When you run a risk analysis, then the user who has TCD FK01; F_LFA1_BUK; and ACTVT 01 or 02 and BUKRS 0001 and TCD FB60; F_BKPF_BUK, with ACTVT 01 or 02, and BUKRS 0001 will show as a risk. 

    Conversely, if the user has TCD FK01; F_LFA1_BUK; and ACTVT 01 or 02 and BUKRS 0001 and TCD FB60; F_BKPF_BUK, with ACTVT 01 or 02, and BUKRS 0002, then he/she would not show up when analyzing by Org Rule.

    There may be times when you don't have the same organizational level to work with and then you will need to map out which ones will cause issues (i.e. BUKRS vs VKORG).  Here you may be able to manually extrapolate via the financial hierarchy of SAP if needed.

    I hope this helps.

    Kevin Tucholke


    • Former Member

      Thanks Kevin. Regarding your email:

      Sara:

      When you create Organizational Rules, you only need to have those that are in conflict.  In your example above, you would activate the Organizational Level in each of the functions involved.  In your case, the Organizational Level is the same (i.e. BUKRS (Company Code)).  You would enter a single line org rule for each organization that you have.  What this will do in effect is replace the $BUKRS field with the CoCode listed in each org rule.

      What I understand from your comments is that for the case mentioned before:

      • For the authorization object F_LFA1_BUK, it will be set to 0001 if it is set as $BUKRS and activated
      • For the authorization object F_BKPF_BUK, it will be set to 0001 if it is set as $BUKRS and activated


      So in the ruleset, both the authorization object and the field should be activated, at least with $BUKRS.

      You have to create a rule for each company code in this case.  When you run a risk analysis, then the user who has TCD FK01; F_LFA1_BUK; and ACTVT 01 or 02 and BUKRS 0001 and TCD FB60; F_BKPF_BUK, with ACTVT 01 or 02, and BUKRS 0001 will show as a risk.

      Conversely, if the user has TCD FK01; F_LFA1_BUK; and ACTVT 01 or 02 and BUKRS 0001 and TCD FB60; F_BKPF_BUK, with ACTVT 01 or 02, and BUKRS 0002, then he/she would not show up when analyzing by Org Rule.

      There may be times when you don't have the same organizational level to work with and then you will need to map out which ones will cause issues (i.e. BUKRS vs VKORG).  Here you may be able to manually extrapolate via the financial hierarchy of SAP if needed.

      I hope this helps.

      Kevin Tucholke

  • May 27, 2014 at 04:58 PM

    Dear Sara,

    If you consider organisational rules, it will be separated by org rule values (e.g. BUKRS) and the risk will not show if you do not have authorization for the same BUKRS.

    The combination of FK02 and FB60 is a SOD risk, as posting of vendor invoices and changing of vendor master data shouldn’t be performed by the same person. A user who gets the two roles (with different BUKRS) would have both transactions assigned and the risk analysis shows a risk. Actually this isn’t a risk, but as the organizational values are not considered it shows as a risk. This behavior is a false positive as the user cannot execute FB60 and FK02 for the same company code. To filter these false positives you can utilize organizational rules.


    Does this answer your question?


    Best regards,

    Alessandro


    • Former Member

      Thank you Alessandro.

      Sorry, but I don't see your point and I am not quite sure that you answered my question.

      That is basically, using organizational rules is it possible to differentiate by Authorization Object?

      e.g

      - User having this --> Risk P001 because --> FK01 for Company 0001 and FB60 for Company 0002

      - Organizational rule defined as --> Risk = P001 and BUKRS = 0001

      Will the org rule be able to indicate that this user does not have the risk, or not?

      I mean the user is able to change vendor master data for company 0001 but not to post for the same company, and the org rule is filtering by one company where the user could perform something.

      Regards and thanks.
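As an added illustration (not part of this thread and not SAP GRC code), the following Python models the behaviour Kevin's answer and Alessandro's false-positive remark describe: the org level placeholder `$BUKRS` in each function's permission lines is replaced by the company code of a single-line org rule, and the risk is reported only when both functions are reachable in that same company code. Without an org rule the company code is not considered, so Sara's user (FK01 for 0001, FB60 for 0002) is reported as the false positive Alessandro mentions. The data classes, the substitution semantics, the per-company loop over 30 codes and the treatment of a single multi-value "OR" rule are assumptions of this simplified model, and the sample users are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Authorization:
    """One authorization held by a user: object name plus field -> granted values."""
    obj: str
    fields: Dict[str, Set[str]]


@dataclass
class User:
    user_id: str
    tcodes: Set[str]
    auths: List[Authorization]


@dataclass
class Permission:
    """One permission line of a GRC function (hypothetical shape): transaction,
    authorization object and required field values. '$BUKRS' is the org-level
    placeholder the thread refers to."""
    tcode: str
    obj: str
    fields: Dict[str, Set[str]]


# Risk F001 from the thread: maintain vendor master (FK01) + post vendor invoice (FB60).
# The org level BUKRS is activated in both functions, as Kevin describes.
RISK_F001: Dict[str, List[Permission]] = {
    "Maintain vendor": [
        Permission("FK01", "F_LFA1_BUK", {"ACTVT": {"01", "02"}, "BUKRS": {"$BUKRS"}})
    ],
    "Post vendor invoice": [
        Permission("FB60", "F_BKPF_BUK", {"ACTVT": {"01", "02"}, "BUKRS": {"$BUKRS"}})
    ],
}


def resolve(perm: Permission, org_rule: Optional[Dict[str, Set[str]]]) -> Permission:
    """Replace org-level placeholders with the org rule's value(s). Without an org
    rule the placeholder becomes '*': the org level is simply not considered."""
    fields: Dict[str, Set[str]] = {}
    for name, values in perm.fields.items():
        resolved: Set[str] = set()
        for v in values:
            if v.startswith("$") and org_rule and v[1:] in org_rule:
                resolved |= org_rule[v[1:]]      # e.g. $BUKRS -> {"0001"}
            elif v.startswith("$"):
                resolved.add("*")                # no org rule: any company code
            else:
                resolved.add(v)
        fields[name] = resolved
    return Permission(perm.tcode, perm.obj, fields)


def field_matches(granted: Set[str], required: Set[str]) -> bool:
    """One granted value inside the required set is enough ('ACTVT 01 or 02');
    '*' on either side matches any non-empty counterpart."""
    if not granted or not required:
        return False
    if "*" in granted or "*" in required:
        return True
    return bool(granted & required)


def user_has_permission(user: User, perm: Permission) -> bool:
    """True if the user holds the transaction and an authorization on the object
    whose fields all satisfy the (resolved) requirements."""
    if perm.tcode not in user.tcodes:
        return False
    return any(
        auth.obj == perm.obj
        and all(field_matches(auth.fields.get(f, set()), req) for f, req in perm.fields.items())
        for auth in user.auths
    )


def risk_fires(user: User, risk: Dict[str, List[Permission]],
               org_rule: Optional[Dict[str, Set[str]]] = None) -> bool:
    """The risk is reported when every function of the risk is executable."""
    return all(
        all(user_has_permission(user, resolve(p, org_rule)) for p in perms)
        for perms in risk.values()
    )


def analyze_per_company(user: User, risk: Dict[str, List[Permission]],
                        company_codes: List[str]) -> List[str]:
    """Kevin's approach: one single-line org rule per company code. Returns the
    codes for which the risk still fires, i.e. where both sides meet in one BUKRS."""
    return [cc for cc in company_codes if risk_fires(user, risk, {"BUKRS": {cc}})]


# Constructed sample users mirroring the thread (not real data).
SARA_CASE = User("SARA_CASE", {"FK01", "FB60"}, [
    Authorization("F_LFA1_BUK", {"ACTVT": {"01", "02"}, "BUKRS": {"0001"}}),
    Authorization("F_BKPF_BUK", {"ACTVT": {"01", "02"}, "BUKRS": {"0002"}}),
])
REAL_CONFLICT = User("REAL_CONFLICT", {"FK01", "FB60"}, [
    Authorization("F_LFA1_BUK", {"ACTVT": {"01", "02"}, "BUKRS": {"0001"}}),
    Authorization("F_BKPF_BUK", {"ACTVT": {"01", "02"}, "BUKRS": {"0001"}}),
])
THIRTY_CODES = [f"{i:04d}" for i in range(1, 31)]  # "0001" .. "0030"

if __name__ == "__main__":
    print("no org rule, SARA_CASE:", risk_fires(SARA_CASE, RISK_F001))                      # True (false positive)
    print("org rule 0001, SARA_CASE:", risk_fires(SARA_CASE, RISK_F001, {"BUKRS": {"0001"}}))  # False
    print("per company, REAL_CONFLICT:", analyze_per_company(REAL_CONFLICT, RISK_F001, THIRTY_CODES))  # ['0001']
    # One rule listing several codes (the "OR" from the question) in this model: each
    # side only has to hit *some* listed code, so SARA_CASE is reported again.
    print("OR rule, SARA_CASE:", risk_fires(SARA_CASE, RISK_F001, {"BUKRS": {"0001", "0002"}}))  # True
```

The last call shows why, in this model, a single org rule that ORs several company codes is not equivalent to one rule per code: substituting a set of codes into both functions no longer requires the two authorizations to share the same BUKRS, so the false positive comes back. Running the analysis once per company code, as Kevin recommends, keeps the sameness constraint.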

  • Former Member
    May 27, 2014 at 04:49 PM

    Dear all, has someone encountered this scenario before?

    Regards.
