SAP Access Control includes a feature called the Organization Rule Creation Wizard that provides the ability to create an organization rule based on a specified system and rule set. Using this approach, you can avoid issues encountered while using the traditional manual method, which requires a lot of effort. You can also use the wizard to maintain the rules.
Key Concept
The Organization Rule Creation Wizard makes the process of creating organization rules faster and eliminates possible invalid entries due to manual input. The wizard also reduces the effort of maintaining organization rules manually.
Organization rules are used to eliminate false positive risks in your access risk analysis reports. They are required when there is a need to define rules to establish more granular Segregation of Duties (SoD) functionality.
This functionality should not be used to try to group users by organizational levels in order to distribute SoD reports to various management levels. Organization-level rules should be used for exception-based reporting in order to remove false positive conflicts that result from organization-level segregation. Because of the sizable performance impact that organization-level rules can have, they should be used minimally.
A false positive, in the context of a risk analysis report, is the scenario in which the report shows an access risk for a user who in reality cannot execute the transactions for that business entity (for example, company code). Even if the user has been assigned a different business entity (for example, the business risk can only be realized if the user runs the transactions for company code 1000, whereas the user has 0001 as the company code), the risk analysis report will still show an access risk at the permission level. To filter out these false positives, you use organization rules for the business entity (here, company code 1000) to check whether the access risk is actually valid.
I have provided step-by-step guidance for creating an organization rule in SAP Access Control. I also explain the benefits of the Organization Rule Creation Wizard over the traditional approach of maintaining organization rules manually.
Create Organization Rules with the Organization Rule Creation Wizard
The Organization Rule Creation Wizard makes the process of creating an organization rule faster and eliminates possible invalid entries due to manual input. Its main objective is to generate, for a system/connector that is new to the GRC system, all possible combinations of rules in one initial run (based on the rule set you select and all the organization values you select to be part of an organization rule). Once the system/connector has been added, you can modify existing organization rules directly from the organization rule Personal Object Worklist (POWL). You can open the organization rule POWL by following menu path NWBC > Setup > Exception Access Rule > Organization Rules.
Earlier, companies used to upload rules via Microsoft Excel. However, maintaining these rules manually required a great deal of cost and effort, and there was the possibility of maintaining wrong combinations, because a user could select any combination and generate it. The Organization Rule Creation Wizard provides real-time assignments from the ERP systems, so the risk of maintaining wrong assignments is removed.
The steps for generating organization rules using the Organization Rule Creation Wizard are shown in Figure 1.

Figure 1
Flow diagram of the Organization Rule Creation Wizard
There are two ways to access the Organization Rule Creation Wizard:
- Open SAP NetWeaver Business Client (NWBC) and follow menu path Setup > Exception Access Risks > Organization Rule Creation Wizard.
- Follow IMG menu path Governance Risk and Compliance > Access Control > Access Risk Analysis > SOD rules > Organization Rule Creation Wizard.
Below are the steps required to create an organization rule using the Organization Rule Creation Wizard. Go to NWBC and follow menu path Setup > Exception Access Risks > Organization Rule Creation Wizard to open the Organization Rule Creation Wizard screen shown in Figure 2.

Figure 2
Overview of steps to open the Organization Rule Creation Wizard
Step 1. Click the Next button in Figure 2, and the Select System and Rule set screen appears (Figure 3).

Figure 3
Select a system and a rule set
Step 2. In Figure 3, all the systems and rule sets that exist in the system are visible. You can select the system and rule set as per your business requirements. I selected GH7CLNT600 as the system and Global as the rule set in Figure 3. The System field drop-down shows physical, logical, and cross systems. The organization rules are related to the HR system only, so if you select a non-HR system, the system will not display any organization values. You can select multiple rule sets by holding down the Ctrl key on the keyboard and then clicking your selections. Click the Next button to switch to the Review Organization Levels screen (Figure 4).

Figure 4
Review the organization levels
Step 3. Based on the system and rule set selection in Figure 3, the access risk and corresponding organization levels are displayed in Figure 4, which is just for review of the organization levels associated with the access risks. Click the Next button and the Select Org Values screen appears (Figure 5).

Figure 5
Select the organization values
Step 4. The organization values are based on the ERP system that you selected in Figure 3. You can remove particular items by selecting the corresponding check boxes under the Remove column (in Figure 5). Once a particular line item is checked for removal, it will not be considered as part of an organization rule. After you’ve made your entries, click the Next button in Figure 5, and the Review Organization Rules screen appears (Figure 6).

Figure 6
Review the organization rules
Step 5. Here you see the exact assignment that exists in the ERP system. The Organization Rule Format field is required when you want to use your own organization rule format. For example, if you add any two characters in the field, then the system adds that common prefix to all the rules that are generated. The prefix provides for easier sorting. Once you enter your required prefix in the field, click the Apply button. You can change the values of the condition and status by selecting the drop-down icons under Condition and Status columns, respectively. Click the Next button in Figure 6 and the Generate Rules screen (Figure 7) appears.

Figure 7
Generate the rules
Step 6. You can run the job either in the foreground or the background by clicking the corresponding button at the bottom left of the screen. Once you click either button, the organization rules are generated.
Once the organization rules are generated in the Organization Rule Creation Wizard, they are visible in the organization rule POWL (Figure 8). You can open the organization rule POWL by following menu path Setup > Exception Access Rule > Organization Rules.

Figure 8
Organization rule POWL
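To make the false-positive argument above and the wizard's generation step concrete, here is an added illustration written for this article; it is not SAP code and does not reproduce the GRC risk analysis engine. The risk definition, transaction codes, rule prefix and company codes are constructed for the example.

```python
# Added illustration, not SAP code: organization rules generated per company code
# turn a permission-level SoD hit into a false positive. Risk, tcodes and
# company codes below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

@dataclass(frozen=True)
class Authorization:
    """A transaction plus the company codes (BUKRS) it may be run for; "*" = any."""
    tcode: str
    bukrs: FrozenSet[str]

    def covers(self, company_code: str) -> bool:
        return "*" in self.bukrs or company_code in self.bukrs

@dataclass(frozen=True)
class Risk:
    """An SoD risk: two conflicting functions, each a set of transactions."""
    risk_id: str
    function_a: FrozenSet[str]
    function_b: FrozenSet[str]

Hit = Tuple[Authorization, Authorization]

def generate_org_rules(prefix: str, org_values: List[str]) -> Dict[str, str]:
    """Wizard generation step: one rule per organization value, ID = prefix + value."""
    return {f"{prefix}{value}": value for value in org_values}

def permission_level_hits(auths: List[Authorization], risk: Risk) -> List[Hit]:
    """Analysis without organization rules: any function-A transaction combined
    with any function-B transaction is reported, whatever company code each has."""
    side_a = [a for a in auths if a.tcode in risk.function_a]
    side_b = [b for b in auths if b.tcode in risk.function_b]
    return [(a, b) for a in side_a for b in side_b]

def apply_org_rules(hits: List[Hit], org_rules: Dict[str, str]) -> Dict[str, List[Hit]]:
    """Per rule, keep a hit only if both sides can be executed for that rule's
    company code. A hit kept by no rule is a false positive."""
    return {rule_id: [(a, b) for a, b in hits if a.covers(cc) and b.covers(cc)]
            for rule_id, cc in org_rules.items()}

# Constructed risk: vendor master maintenance combined with the payment run.
RISK = Risk("P001", frozenset({"XK01", "XK02"}), frozenset({"F110"}))
ORG_RULES = generate_org_rules("OR", ["1000", "0001"])
# The text's case: the risk is realized only for company code 1000, but the user's
# payment authorization is limited to 0001 -> reported, yet a false positive.
USER_FALSE_POSITIVE = [Authorization("XK01", frozenset({"1000"})),
                       Authorization("F110", frozenset({"0001"}))]
# Both sides valid for 1000 -> the access risk is real.
USER_REAL = [Authorization("XK01", frozenset({"1000"})), Authorization("F110", frozenset({"*"}))]
```

Running `apply_org_rules` over the hits for USER_FALSE_POSITIVE returns an empty list for every generated rule, while USER_REAL keeps its hit under rule OR1000 only.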
After the initial setup with the Organization Rule Creation Wizard, if you want to make modifications to an existing organization rule, you need to go to the organization rule POWL. To modify an organization rule, select the Organization Rule ID, then click the Open button (Figure 9).

Figure 9
Open the organization rule POWL screen
After you click the Open button, Figure 10 appears.

Figure 10
The Organization Rule pop-up screen opens
In Figure 10, you can make modifications such as adding organization levels and changing the description. A new Systems tab has been added to the Organization Rule screen. You can add one or multiple systems for one organization rule; this is a new feature of Access Control 10.1 for maintaining system-specific organization rules. To add systems, go to the Systems tab and click the Add button to add the systems for which the rule is effective. You can enter a new system name with F4 help. Then click the Save button.
Sonia Sohal
Sonia Sohal is a senior developer at SAP Labs India Pvt. Ltd. She has more than seven years of experience and is currently working with the Installed Base Maintenance Support (IMS) organization, SAP Labs, India, for SAP Access Control 10.0 and 10.1. Sonia has vast experience and has worked on multiple technologies, including ABAP OO, SAP ABAP dictionary, function modules, SAPUI5, SAP HANA, and ABAP WebDynpro, for a broad range of SAP modules and SAP Access Control.
You may contact the author at sonia.sohal@sap.com.