Showing results for 
Search instead for 
Did you mean: 

Organizational Rules in GRC Access Control GRC 12.0

0 Kudos


We have an issue where we have users that have SOD conflicts at transaction and auth object level but are false positives as the user has access to PO creation in one plant and GR in another. I read the blog about setting up organisational rules and following the steps, enabling the value $WERKS in the relevant functions and also using the wizard to create all the plant values in the organisational rules for the production systems where we have the issue.

I created two users one with access to PO and GR in plant A, the other with access to PO in plant A and GR in Plant B. I generated the SOD reports at permission level as as expected both users appeared with the SOD.

I ran the report selecting "consider org rule" but both users still appear and I can see my Org Rule IDs appearing, what is strange is that the two transactions shown below appear against the rule ID USSK when PO is for plant A and the GR is for plant B so this SOD should be excluded.

I dont know If I have missed a step here but I dont know why both users are still appearing when the org rule is clearly activated



Accepted Solutions (0)

Answers (1)

Answers (1)

0 Kudos

Hi Mark,

we face the same issue as you have described.

Did you get any solution on that?

At the moment we think that only organizational level is working, if you have maintained a plant which is also to be checked in the organizational level in frontend - so it means it is working as a filter. It is NOT designed to make a comparison if in function 1 another plant is maintained as in function 2, what is also your confusion is about. But this is only our idea after testing this.

Let us know if you have further information.