I am currently doing some consulting work at an engineering firm who rolled out SAP GRC (compliance colaborator) during my time with them. As part of an initial rollout of the tool we are utilising the SAP Global ruleset. Since its implimentation to the latter part of last year, we have started to get to know the tool quite intimately, however I seem to have run into two rather puzzling problems.
The first: We decided, after consultation with business, to deactivate a transaction code in function PR02 of the Global rule set i.e. ME23N, however eventhough all of the objects i.e. M_BEST_BSA, M_BEST_EKG, M_BEST_EKO and M_BEST_WRK, has been deactivated and the status of ME23N in PR02 is reflected as disabled, we still get risks relevant to ME23N (for Function ID PR02) reported, whenever we run a simulation on either all or specific users. What could the reason be for this to occur?
The second: During some simulations we have identified that a couple of transaction codes have pulled through in conflict reporting, which has not even been assigned to roles allocated to users (using SIUM in SAP to investigate). When analysing the detail reports the risk, user and role is therefore inaccurate. Is there any possibility that GRC has identified this incorrectly (why would this occur) and if not incorrect how could we investigate the matter?
I would like to thank anyone who takes the time to read this post, and provide any information, advice.