Hello everyone,
I am a newbie to GRC and I am getting very confused by the way GRC is pulling the report.
In my organization, we have run a report on permission level.

Now this screen is showing two conflicting functions, AP02 and GL01. In both functions, the permission level is set with an AND condition for authorization object F_BKPF_BUK, but when I see the role in the backend system, the role consists only of activity 01 and not activity 02.
So my question: if it is an AND condition, GRC should not generate this as a risk, because 02 is not maintained in the role. This is my understanding; please let me know if I am wrong.