Former Member

F-02 and FB01 Permission Level Definitions in SAP GRC Ruleset

Dear All,

As we all know, FB01 and F-02 are transactions of the SAP Finance module which can perform activities related to various account types (A, K, D, M, S).

The SAP standard ruleset has multiple objects enabled for these transactions, leading to many false positives in the SoD report; e.g. a user has access only to customer invoice processing (restricted to account type D), but the SoD report shows risks related to vendor invoice processing because F-02 has object-level definitions like F_BKPF_BUK, etc., which are common to vendor and customer activities. This object alone doesn't really allow the user to process vendor invoices, and F_BKPF_KOA is a mandatory object.

In order to remove such false positives, is it a good approach to deactivate the other objects and only keep the F_BKPF_KOA object active in the ruleset, with the required account types maintained for FB01, F-02, etc.?

Please advise.

Thanks in advance! 😊


1 Answer

  • May 26, 2015 at 09:44 AM

    Dear Prashant,

    It's very tough to answer this question, as this is an individual specification that belongs only to your environment/requirements.

    Basically, you do need to keep all object combinations that indicate your risk. If F_BKPF_KOA and F_BKPF_BUK are both required for a risk to be conducted, you need to keep both.

    Also be aware that the pre-delivered ruleset is based on "best practice" that applies to a wide range of companies but not to everyone. Hence it is always required to validate all the rules and make adjustments when required.

    Hope this helps.


    • Former Member

      Hi Prashant,

      Risks will appear the way you define them. For F-02 and FB01, please identify which authorization objects are used in roles. Then find the non-org and org objects which determine the risk, and include those objects in your risk definition. For org values, you can set org-level risks.
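The answer's point (keep every object that a risk actually needs) and the comment's point (the risk is whatever objects you put in the definition) can be made concrete with a small model of permission-level analysis. The following is an added example, not code from this thread, from SAP or from the GRC ruleset. It assumes a simplified matching rule (an action is available when the user has S_TCODE for it and every active permission object of the action is covered by one of the user's authorizations; a risk fires when all of its functions are available), a hypothetical risk P001 made of a vendor-invoice function (FB01/F-02 with F_BKPF_BUK and F_BKPF_KOA, as in the question) and an assumed vendor-master function (XK02 with F_LFA1_APP, chosen only for illustration), and three constructed users. It compares the standard definition with the two one-object variants: deactivating F_BKPF_KOA flags the AR clerk from the question, while keeping only F_BKPF_KOA flags a user who has account type K but is display-only on F_BKPF_BUK and therefore cannot post either.

```python
"""Simplified permission-level SoD check (added example; not SAP or GRC code).
Semantics are deliberately reduced: real GRC value handling (search types,
OR conditions, org-level rules) is richer than this model."""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Value = Union[str, Tuple[str, str]]              # 'K', '*' or a ('from', 'to') range
Auths = Dict[str, List[Dict[str, List[Value]]]]  # object -> authorizations -> field -> values


@dataclass
class Permission:
    obj: str
    fields: Dict[str, List[str]]  # field -> required values
    active: bool = True


@dataclass
class Action:
    tcode: str
    permissions: List[Permission]


@dataclass
class Function:
    name: str
    actions: List[Action]


@dataclass
class Risk:
    rid: str
    functions: List[Function]  # conflict only when ALL functions are available


def value_covered(granted: List[Value], required: str) -> bool:
    """A required value is covered by '*', an exact match or an enclosing range."""
    for g in granted:
        if g == '*' or g == required:
            return True
        if isinstance(g, tuple) and g[0] <= required <= g[1]:
            return True
    return False


def permission_covered(auths: Auths, perm: Permission) -> bool:
    """One authorization instance must cover every required field value."""
    return any(
        all(value_covered(auth.get(f, []), v) for f, vals in perm.fields.items() for v in vals)
        for auth in auths.get(perm.obj, [])
    )


def action_available(auths: Auths, action: Action) -> bool:
    """S_TCODE plus every ACTIVE permission object; inactive objects are ignored."""
    has_tcode = any(value_covered(a.get('TCD', []), action.tcode) for a in auths.get('S_TCODE', []))
    return has_tcode and all(permission_covered(auths, p) for p in action.permissions if p.active)


def analyze(auths: Auths, risks: List[Risk]) -> List[str]:
    """IDs of risks the user violates: every function has at least one available action."""
    return [r.rid for r in risks
            if all(any(action_available(auths, a) for a in f.actions) for f in r.functions)]


def build_risks(buk_active: bool, koa_active: bool) -> List[Risk]:
    """Hypothetical risk P001: post vendor invoices AND maintain vendor master data.
    The vendor-master side (XK02 with F_LFA1_APP) is assumed for illustration only."""
    posting = [
        Permission('F_BKPF_BUK', {'BUKRS': ['1000'], 'ACTVT': ['01']}, active=buk_active),
        Permission('F_BKPF_KOA', {'KOART': ['K'], 'ACTVT': ['01']}, active=koa_active),
    ]
    vendor_invoice = Function('VENDOR_INVOICE', [Action('FB01', posting), Action('F-02', posting)])
    vendor_master = Function('VENDOR_MASTER', [
        Action('XK02', [Permission('F_LFA1_APP', {'APPKZ': ['F'], 'ACTVT': ['02']})])])
    return [Risk('P001', [vendor_invoice, vendor_master])]


# Constructed users, not real data.
AR_CLERK: Auths = {   # posts customer documents only (KOART D), also maintains vendors
    'S_TCODE': [{'TCD': ['FB01', 'F-02', 'XK02']}],
    'F_BKPF_BUK': [{'BUKRS': ['1000'], 'ACTVT': ['01', '02', '03']}],
    'F_BKPF_KOA': [{'KOART': ['D'], 'ACTVT': ['01', '02', '03']}],
    'F_LFA1_APP': [{'APPKZ': ['F'], 'ACTVT': ['02']}],
}
AP_DISPLAY: Auths = {  # has account type K, but display-only (ACTVT 03) in the company code
    'S_TCODE': [{'TCD': ['FB01', 'XK02']}],
    'F_BKPF_BUK': [{'BUKRS': [('1000', '1999')], 'ACTVT': ['03']}],
    'F_BKPF_KOA': [{'KOART': ['K'], 'ACTVT': ['01']}],
    'F_LFA1_APP': [{'APPKZ': ['F'], 'ACTVT': ['02']}],
}
AP_CLERK: Auths = {   # genuine conflict: can post vendor invoices and change vendors
    'S_TCODE': [{'TCD': ['FB01', 'XK02']}],
    'F_BKPF_BUK': [{'BUKRS': ['*'], 'ACTVT': ['*']}],
    'F_BKPF_KOA': [{'KOART': ['*'], 'ACTVT': ['*']}],
    'F_LFA1_APP': [{'APPKZ': ['*'], 'ACTVT': ['*']}],
}


def compare_rulesets() -> Dict[str, Dict[str, List[str]]]:
    """Run each user against three rule variants and collect the flagged risk IDs."""
    variants = {
        'BUK_only': build_risks(True, False),   # KOA deactivated: AR clerk is a false positive
        'KOA_only': build_risks(False, True),   # BUK deactivated: display-only user is a false positive
        'BUK_and_KOA': build_risks(True, True),
    }
    users = {'AR_CLERK': AR_CLERK, 'AP_DISPLAY': AP_DISPLAY, 'AP_CLERK': AP_CLERK}
    return {v: {u: analyze(a, risks) for u, a in users.items()} for v, risks in variants.items()}


if __name__ == '__main__':
    for variant, result in compare_rulesets().items():
        print(variant, result)
```

Only the ruleset with both objects active flags just the genuine conflict; each one-object variant produces a false positive on a different user, which is the "keep every object the risk needs" point from the answer. The same harness can be fed the actual objects found in your roles, as the comment suggests, to see what a candidate definition would flag before changing the productive ruleset.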