
SAP GRC Access Control: Critical Actions and Function-Permission File

reza_ahoui2
Participant
0 Likes
2,404

Hi

We have a few more transactions marked as critical for Basis and want to add them to the existing rule set.

To do so, we are doing the following:

  1. We create a custom function called Extra Basis Critical Actions.
  2. We list the extra critical transactions and map them to the custom function.
  3. Assign the function to the right business process.
  4. We create a new custom risk linking it to the new custom function.

Now, I believe that in order to eliminate any possible case of false positives we must maintain these extra critical transactions somehow in the function-permission file. But the question is: how do we identify the right authorisations for each transaction? There could be many authorisation objects associated with each critical transaction, each having multiple non-display values.

So how should we go about this? As a whole, or in detail? Any advice is appreciated.

Thanks

Reza Ahoui

Accepted Solutions (1)

madhusap
Active Contributor
0 Likes

Hi Reza,

The answer in a way is in your question:

"We have a few more transactions marked as critical for Basis". If you have identified additional transactions as critical, then you may need to dig deeper and decide in what respect those transactions are marked as critical. Is the transaction itself critical, or are the corresponding activities that will be performed using the transaction critical?

Once you identify what aspect of the transaction is critical, you already have the answer as to whether to control at transaction level or object level, and which values of the object to consider in the ruleset.

Regards,

Madhu

Answers (1)

reza_ahoui2
Participant

Thank you Madhu, this makes sense.

Since we don't know at this stage, we are inclined to put an entry for each such critical transaction in the Function-Permission file but with a blank authorisation (no specific object and value). This way, we might get false-positive risks, which would require a follow-up investigation, but at least we won't miss any risk.

Thanks

Reza Ahoui
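As an added illustration of the two rule designs discussed in this thread (example code, not from the thread and not SAP's GRC engine): a function-permission entry with a blank authorisation flags every user who can merely start the transaction, whereas an object-level entry flags only the genuinely critical activity. Function, role and user names are constructed; SM30 with S_TABU_DIS ACTVT 02 (change) versus 03 (display) is used as the sample change/display split.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of a GRC Access Control ruleset: a function
# lists the transactions (actions) it covers and, optionally, per transaction,
# the object/field values that make executing it genuinely critical.
@dataclass
class Function:
    name: str
    actions: set                                     # transaction codes
    permissions: dict = field(default_factory=dict)  # tcode -> {(obj, fld): {values}}

@dataclass
class User:
    name: str
    tcodes: set    # transactions the user can start (S_TCODE)
    auths: dict    # (object, field) -> set of granted values

def violates(func, user):
    """Transactions of `func` the user is flagged for.
    No permission entry (a blank authorisation, as proposed in the reply) means
    the transaction is flagged on start authority alone; with an entry, every
    listed object/field must intersect the user's granted values."""
    hits = []
    for tcode in sorted(func.actions & user.tcodes):
        required = func.permissions.get(tcode)
        if not required or all(user.auths.get(key, set()) & vals
                               for key, vals in required.items()):
            hits.append(tcode)
    return hits

def false_positives(blank, precise, users):
    """Users flagged by the transaction-level ruleset but not by the object-level one."""
    return [u.name for u in users if violates(blank, u) and not violates(precise, u)]

# Constructed ruleset entries: SM30 is treated as critical only when table
# maintenance is allowed, i.e. S_TABU_DIS ACTVT 02 (change); 03 is display only.
BLANK = Function("ZB01_BASIS_CRIT", {"SM30"})
PRECISE = Function("ZB01_BASIS_CRIT", {"SM30"},
                   {"SM30": {("S_TABU_DIS", "ACTVT"): {"02"}}})
USERS = [  # constructed sample users
    User("AUDITOR", {"SM30"}, {("S_TABU_DIS", "ACTVT"): {"03"}}),
    User("BASISADM", {"SM30"}, {("S_TABU_DIS", "ACTVT"): {"02", "03"}}),
    User("ENDUSER", {"VA01"}, {}),
]

if __name__ == "__main__":
    for u in USERS:
        print(u.name, "blank:", violates(BLANK, u), "precise:", violates(PRECISE, u))
    print("false positives:", false_positives(BLANK, PRECISE, USERS))
```

The display-only AUDITOR is the follow-up investigation the reply accepts as the price of the blank entry; the object-level entry removes that case without losing BASISADM.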