Showing results for 
Search instead for 
Did you mean: 

unexpected risks after rule update

0 Kudos

I wanted to updat RAR rules in dev GRC as per Q2 2009 rule update provided by SAP.

SAP recommendation for transaction FBV0 is:

remove auth objects F_BKPF_KOA and add F_BKPF_BUK with actvt 01 or 02.

As client wants to keep KOA active, I have done following in function AP02 and GL01, to test user risk analysis result in each case

case 1. KOA and BUK both active

case 2: KOA inactive and BUK active

I tested 5 users who have acccess to FBV0.

Among those, in case of 2 test users I found some unexpected results.

In case 1, both users have less number of risks where as in case 2(inactive KOA) I got more risks in user analysis in dev grc.

I am surprised, if I make an auth obj inactive, how can the new risks be generated. The new risks are related to FBV0 and functions AP02, GL01.

Other three users have same risks in both cases.

Can you suggest me what could be the reasons behind this.

Accepted Solutions (0)

Answers (1)

Answers (1)

0 Kudos

In case 2, number of conditions are less : if any user satisfies the condition of BUK active - user will show respective risk. For specific 2 users, they may have authorization for BUK only, but not for KOA. So they are not showing the risks in case1. But in case 2, they have the required authorization to satisfy the risks for BUK only. When case1 is set as risk condition(bith KOA and BUK active) those 2 users can not satisfy the conditions to show rish as they may not have authorization of both KOA and BUK.