Former Member

F-02 and FB01 Permission Level Definitions in SAP GRC Ruleset

Dear All,

As we all know, FB01 and F-02 are transactions of the SAP Finance module that can perform activities related to various account types (A, K, D, M, S).

The SAP standard ruleset has multiple objects enabled for these transactions, leading to many false positives in the SOD report, viz., a user has access only to customer invoice processing (restricted access to account type D), but the SOD report shows risks related to vendor invoice processing, because F-02 has object-level definitions like F_BKPF_BUK, etc., which are common to vendor and customer activities. This object alone doesn't really allow the user to process vendor invoices; F_BKPF_KOA is the mandatory object.

In order to remove such false positives, is it a good approach to deactivate the other objects and keep only the F_BKPF_KOA object active in the ruleset, with the required account types maintained for FB01, F-02, etc.?

Please advise.

Thanks in advance! 😊

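As an added illustration (not part of the thread), here is a small Python model of the two rule definitions the question contrasts: a risk keyed on F_BKPF_BUK alone flags the customer-only user, while a rule that also requires F_BKPF_KOA with KOART=K does not. The company code, activity values and user authorizations are constructed sample data, and the matching logic is a simplification of SAP's authorization check (exact value or '*').

```python
# Added example (not from the thread): toy model of a GRC-style permission-level
# rule keyed on F_BKPF_BUK alone versus one that also requires F_BKPF_KOA with
# the vendor account type (K). All field values below are constructed samples.

def value_matches(granted, required):
    """Simplified SAP-style match: '*' grants everything, otherwise exact value."""
    return granted == "*" or granted == required

def instance_grants(instance, required_fields):
    """One authorization instance must satisfy all required fields at once."""
    return all(value_matches(instance.get(f, ""), v) for f, v in required_fields.items())

def has_auth(user_auths, obj, required_fields):
    """True if any instance of `obj` in the user's authorizations grants the fields."""
    return any(instance_grants(inst, required_fields) for inst in user_auths.get(obj, []))

def risk_triggered(user_auths, rule):
    """A risk fires only when every object in the rule is granted (AND of objects)."""
    return all(has_auth(user_auths, obj, fields) for obj, fields in rule.items())

# Risk "vendor invoice processing via F-02", defined two ways.
# Broad: transaction plus the company-code object shared by all account types.
RULE_BROAD = {
    "S_TCODE": {"TCD": "F-02"},
    "F_BKPF_BUK": {"BUKRS": "1000", "ACTVT": "01"},
}
# Refined: additionally requires the account-type object for vendors (KOART=K).
RULE_REFINED = {**RULE_BROAD, "F_BKPF_KOA": {"KOART": "K", "ACTVT": "01"}}

# Constructed users: one limited to customer postings (D), one allowed vendor postings (K).
USER_CUSTOMER_ONLY = {
    "S_TCODE": [{"TCD": "F-02"}],
    "F_BKPF_BUK": [{"BUKRS": "1000", "ACTVT": "01"}],
    "F_BKPF_KOA": [{"KOART": "D", "ACTVT": "01"}],
}
USER_VENDOR = {
    "S_TCODE": [{"TCD": "F-02"}],
    "F_BKPF_BUK": [{"BUKRS": "1000", "ACTVT": "01"}],
    "F_BKPF_KOA": [{"KOART": "K", "ACTVT": "01"}],
}

def compare(user_auths):
    """Return (broad_hit, refined_hit) so the false positive is visible side by side."""
    return risk_triggered(user_auths, RULE_BROAD), risk_triggered(user_auths, RULE_REFINED)

if __name__ == "__main__":
    print("customer-only user:", compare(USER_CUSTOMER_ONLY))  # (True, False)
    print("vendor user:       ", compare(USER_VENDOR))         # (True, True)
```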
1 Answer

  • May 26, 2015 at 09:44 AM

    Dear Prashant,

    It's very tough to answer this question, as this is an individual specification that belongs only to your environment/requirement.

    Basically, you need to keep all object combinations that indicate your risk. If F_BKPF_KOA and F_BKPF_BUK are both required for a risk to be conducted, you need to keep both.

    Also be aware that the pre-delivered ruleset is based on "best practice" that applies to a wide range of companies, but not to everyone. Hence it is always required to validate all the rules and make adjustments when required.

    Hope this helps.

    Regards,

    Alessandro

    • Former Member

      Hi Prashant,

      Risks will appear the way you define them. For F-02 and FB01, please identify which authorization objects are used in the roles. Then find the non-org. and org. objects that determine the risk and include those objects in your risk definition. For org. values, you can set org.-level risks.

      regards

      plaban