
Creation of a Risk Based on Company Code/User Group

alexei_001
Explorer
0 Kudos
536

Hello,

There is a current requirement in which management would like the following scenario:

An associate from User Group France is requesting access to a role with a company code/plant in Canada; this should be an SOD violation in our access request process.

Now, based on what I have been able to find or not, it is not possible to include a user group as part of a rule; please correct me if I am wrong.

The only other possible solution is to create a new function based on the transactions that have company code/plant authorization objects/fields, and while I think I managed to get all of the authorization objects (41), we are talking about too many transactions.

So, my question to anyone is: is this feasible?

Accepted Solutions (1)


muhaish
Discoverer
0 Kudos

Hi Alexei,

If you add a new function restricted to the Canada company code/plant, then it will trigger an SoD risk for other users.

There is only one viable solution to resolve this issue, which involves taking the following steps:

Step 1: Create a critical role specifically for the Canada company code/plant.

Step 2: Isolate the Canada company code/plant from all derived roles, ensuring that no one will have access to it.

Step 3: Implement a request process for access to the Canada company code/plant, where any requests made will be directly forwarded to the role data owner for approval.

By following these steps, we can effectively control and manage access to the Canada company code/plant.

Answers (1)


vijayakumarsuth
Advisor
0 Kudos

Hi Alex,

Option 1

In case your question is from a GRC Access Control request, where your associate from User Group French is requesting a company code in Canada, then:

(1) Make Risk Analysis mandatory during request submission

(2) Set your SOD Violation rules so that, if User Group French conflicts with company code Canada

(3) At your workflow stage level, add a detour with the standard rule GRAC_MSMP_DETOUR_SODVIOL, or you can make your own custom rule as well. This way, when a request has a violation, it will move to a different path based on your requirement; if there is no risk, the regular path will be continued.

Option 2

In case your question is from the tcode PFCG level, where an associate from User Group French is requesting a company code in Canada, then try to implement the same logic in the workflow (as in Option 1), but you need to follow the Risk Terminator option.

Regards,

Vijay.
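
The decision discussed in this thread (compare the requester's user group with the company code/plant values in the requested role, then detour or continue) modelled as an added standalone Python example. It is not SAP GRC code and not from any poster: the group-to-org mapping, values such as FR01/CA01, the `LOW-HIGH` range notation and the route labels are constructed assumptions; BUKRS and WERKS are the SAP company code and plant fields.

```python
# Added illustration: standalone model of the check, not SAP GRC code.
# Assumption: each user group is tied to the org values of its own country.
# All company codes, plants and group names below are constructed samples.
GROUP_ORG_SCOPE = {
    "FRANCE": {"BUKRS": {"FR01", "FR02"}, "WERKS": {"F100", "F200"}},
    "CANADA": {"BUKRS": {"CA01"}, "WERKS": {"C100"}},
}

def known_values(field):
    """Every value of this org field that appears in any group's scope."""
    return set().union(*(s.get(field, set()) for s in GROUP_ORG_SCOPE.values()))

def expand(field, role_values):
    """Resolve a role's org entries: '*', 'LOW-HIGH' ranges, single values."""
    universe, resolved = known_values(field), set()
    for entry in role_values:
        if entry == "*":
            resolved |= universe          # wildcard grants every known value
        elif "-" in entry:
            low, high = entry.split("-", 1)
            matched = {v for v in universe if low <= v <= high}
            # A range covering no known value is flagged as-is (fail closed).
            resolved |= matched or {entry}
        else:
            resolved.add(entry)
    return resolved

def out_of_scope(user_group, role_org_values):
    """Return {field: values} the role grants outside the requester's scope."""
    scope = GROUP_ORG_SCOPE.get(user_group, {})  # unknown group: empty scope
    findings = {}
    for field, values in role_org_values.items():
        extra = expand(field, values) - scope.get(field, set())
        if extra:
            findings[field] = sorted(extra)
    return findings

def route_request(user_group, role_org_values):
    """Hypothetical routing: detour to the role owner on any finding."""
    findings = out_of_scope(user_group, role_org_values)
    return ("DETOUR_ROLE_OWNER" if findings else "REGULAR_PATH"), findings

if __name__ == "__main__":
    print(route_request("FRANCE", {"BUKRS": ["CA01"], "WERKS": ["C100"]}))
    print(route_request("FRANCE", {"BUKRS": ["*"]}))
```

The wildcard and range cases matter because a role maintained with `*` in the company code field reaches Canada without naming it.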