Rulebooks define the rules for the separation of duties (SoD) and sensitive access (SEN) that you will be testing for within the application. A rulebook is composed of rules and their associated permissions, transaction codes, authorization objects, and authorization values that make up their risk.
Your account is preloaded with default SoD and sensitive access rulebooks that include over 240 SoD risks and eight sensitive access risks based on industry-leading practices. The default rulebooks are defined down to the authorization object level to reduce false positives. For most users, the default rulebooks contain all of the risk management settings you will need, but you can edit a rulebook to meet your organization's needs.
Viewing Rulebook Details
You can easily see the hierarchy of rules defined in each rulebook by viewing the rulebook details.
Select RULEBOOKS and choose ALL RULEBOOKS.
You can search these rules by entering a string or value in the search field at the top of the list.
An SoD rule is made up of two or more business functions, and an SEN rule consists of just one function.
Example: The SoD rulebook example above has Create Business Transport (BS07) vs. Perform Transport (BS09) SOD as the rule. It contains two business functions: Create Basis Transport (BS07) and Perform Transport (BS09). Each business function has several transaction codes containing authorization objects and their values.
Understanding Rulebook Logic
Rulebooks define what type of access is considered a risk. This is enforced by the business functions' TCode and authorization objects.
TCode logic is used to determine if all, or just one, of the transaction codes are required for a user or role to have access to the business function.
Object logic is used to determine if all, or just one of the, authorization objects are required for a user or role to have access to the transaction code.
You can determine the TCode and object logic when you edit a rulebook.
After exporting a rulebook, go to the Business Functions tab and enter AND or OR under the Object Logic and TCode Logic columns.
After importing a rulebook, you can see this new logic by going to RULEBOOKS > ALL RULEBOOKS and selecting the view icon .
Understanding TCode Logic
TCode logic is used to determine what TCodes are needed for a user or role to access a business function.
For example, if a business function only consists of two TCodes and their related authorizations, and the TCode logic is set to OR, then the user or role will have access to that business function if they have the first or the second TCode.
If the logic is set to AND, then the user or role will need both transaction codes to have access to the business function.
Understanding Authorization Object Logic
Object logic is used to determine what authorization objects are required for a user or role to have access to the transaction code or just one of the authorization objects.
If the logic is AND, all authorization objects are required.
If the logic is OR, then only one of the authorization objects is required.
The example above shows the TCode F-07 and its authorization objects. There are two different objects. If the object logic is set to OR, the user or role will have access to TCode F-07 as long as they have the object F_BKPF_BUK or F_BKPF_KOA and if the logic is set to AND they will need both authorization objects.
Understanding Field/Value Logic
There is also field/value logic, which is used to determine what field/value criteria need to be met for a user or role to have access to the authorization object. This cannot be changed.
Logic is set for the fields and the values as follows:
Within the Same Field Value -- A user can have any of the values. The example above shows an OR between ACTVT 01 and 02 for auth object F_BKPR_KOA.
Between Different Field Values -- A user needs to have access to a value from each of the fields. The example above shows an OR for ACTVT 01 and 02 and an AND between fields ACTVT and KOART for auth object F_BKPF_KOA.
For this user to be considered as having access to auth object F_BKPF_KOA, they need KOART K AND (ACTVT 01 OR ACTVT 02).
Exporting a Rulebook
On the RULEBOOKS > ALL RULEBOOKS page, you can download rulebooks using the export feature. This is helpful for reviewing the rulebook outside of the application or editing a rulebook.
To export all rulebooks, select Export All. To export specific rulebooks, select the checkbox next to individual rulebooks and select Export Selected.
Editing a Rulebook
While we recommend using the default rulebooks, you may want to make common customizations such as excluding a rule from analysis, changing risk ratings, or adding custom transaction codes.
On the RULEBOOKS > ALL RULEBOOKS page, follow the directions to export all of your rulebooks by selecting the Export All option. Exporting all helps ensure nothing is lost or overwritten during the rulebook import required to update Access Risk Management with new rules.
If you want to create a rulebook from scratch, select Import and then Download Template to download a blank rulebook template.
To avoid potential errors, we strongly recommend that you use the default rulebooks instead of creating your own.
Importing a Rulebook
If you choose to edit or create a rulebook, you will need to import it into Access Risk Management to provide the information needed to identify and manage risks.
Select RULEBOOKS and choose ALL RULEBOOKS.
Use the dropdown menu to select your import type. You can choose ERPMRulebook or GRCRulebook.
Select Select files... to upload your rulebook .xlsx. You can repeat this step to import additional rulebooks as needed.
Select Upload to add your rulebook to Access Risk Management.
Uploading a new rulebook will overwrite the existing rulebook.
Downloading Rulebook Change Logs
You can see changes made to each rulebook in the Rulebook Change Log.
On the RULEBOOKS > ALL RULEBOOKS page, select the checkbox next to one or more rulebooks and select Download Logs. This will redirect you to the Activity History page where you can download the log.