Organization Rules in AC 10


Organization Rules in GRC AC 10

Organizational rules allow you to filter „false positives” from the risk analysis.

What does that mean?
You have a role concept with master derived roles, where e.g.
the leading organizational level is the company code with
a corresponding organizational value set.

Role_A_0001 for Company Code 0001 – (FB60)


Role_B_DE01 for Company Code DE01 – (FK02)


The Role_A_0001 now contains transaction FB60 (posting of vendor invoices),
whereas Role_B_0001 contains transaction FK02 (changing vendor master data).


A combination of transaction FK02 (e.g. function ID PR01) and FB60
(e.g. function ID AP02) is a SOD risk reflected by the risk ID ZP001,e.g..


A user who gets the above roles assigned would have a combination of both transactions according to a regular rule set, and would show up with a SOD
risk if the organizational values are not considered.

This could be a “false positive” as the user can actually not call FK02 and FB60
for the same company code (legal entity) – depending on the company’s policies.
For filtering these “false positives” you can utilize organizational rules.

There are multiple ways to set up organizational rules depending on your actual
filter requirements, but always be careful when setting them up, so that you do not accidentally eliminate “real positives”.

User DE01_01 has the role Role_B_DE01 and the role Role_A_0001.
With that he has transaction FK02 and FB60, but for different company codes.
When we run a regular risk analysis for this user, he would show up with a SOD
conflict, as he has transaction FK02 as well as FB60 assigned.


User 0001_01 has the roles Role_A_0001 and Role_B_0001 assigned.
With that he has FK02 and FB60 within one company code, and would also
show up in the risk analysis.

Now we create an organizational rule that “filters” the Company Code 0001:


In a next step we want to apply this organizational rule to the analysis.


Please be aware that the corresponding organizational value has to be set to
in the functions, and that the rules need to be regenerated   

After that, only the user 0001_01 will continue to show up in the
risk analysis report when the corresponding organization rule is applied.


User DE01_01 will not have a SOD conflict listed when the organizational rule is applied.


You want to create an organizational rule that generally eliminates all possible
 “false” positives for roles that are strictly assigned based on organizational
level differentiation, meaning that users should never have SOD within one
legal entity, but may definitely perform these functions for different company codes.
The rule could look like this:


The risk ID could be generic:

Filename/Title Größe
Note_09_11_Organization_Rules_in_AC10.pdf 204.81 KB