RAR 5.3 - Organisation Level grouping

Hi All,
I am currently running an project to setup a new Restricted Transaction ruleset, the business require the results to be grouped together by Organisational Level, for example:
If a user has access to VK11 they want to know the Sales Org (VKORG) value also, however they do not want to see the value  but what the underlying Company Code this is used for (Value 2010 = GB01 and 2060 = GB02 etc)
So what they are after is something that looks like:
Joe Black has VK11 access to GB01 and GB02 rather than Joe Black has access VK11 with value 2010 and 2060.
Without building 100's of single Functions with one transaction and org value within is there another way around this?
I have read some documentation around Organizational Rules but this states that Org Level rules are not designed to be used to group org levels together for Management reports.
Does anyone have any ideas?
Kind Regards
Andrew

Hi Andrew,
This depends on whether you treat specific org values as risks or if you just want to know what people have.
RAR is designed to specify the rules around access and not just to run analysis on who has what.
If you have specific company codes which are particularly high risk, then specify them as such in the ruleset and you can then make use of the Org rule functionality if needed.
If you want to know who has access to a specific list of org level values then you may find that running reports from SUIM or against AGR_1252 may yeild better results.
Simon

Similar Messages

  • Delivery Quantity Control at Purchase Organisation Level

    Hi All,
    In this scenario, I would like to have a control on the Delivery quantity by a vendor.
    Quantity released: 100 pcs for Vendor ABC
    Total Number of Plants: 3
    Out of this 100 pcs, it can be delivered to any of the 3 plants by vendor ABC. Quantity delivered by vendor to these 3 plants should not exceed 100 pcs in total. How can we have a control for total released quantity at Purchase Organisation level.
    Breakup of quantity to be delivered to each plant cannot be given as releasing is done at corporate level.
    We checked same scenario by using purchase Info record maximum quantity field. We created purchase info record at Purchase Organisation level.
    Scenario 1. which i tested
    Maximum Qty:100
    PO creation
    Plant 1: 100 qty-- No error/warning
    Plant 2: 100 qty-- No error/warning
    Plant 3: 101 qty-- warning maximum qty exceeded than 100 pcs.
    Above scenario will not help me as I need to total release control on all plants together.
    Scenario 2. Expected
    Plant 1: 60 qty-- No error/warning
    Plant 2: 45 qty-- Error, Total released qty exceed by 5 pcs.
    Thanks and Regards,
    VV

    Hi
    You cannot do GR for a plant which is not given in Purchase order. Corporate level you can have contract but not Purchase orders. If you have reference purchase organization create a corporate contract and try creating a po against that contract.
    regards
    Antony

  • Multi level Group Above Report

    I have a multi level Group Above report like this.
    School name : xxxx
    Course1
    Student1
    Student2
    Course2
    Student1
    School name : yyyy
    etc...
    No students are enrolled in some of the courses. I used the Outer Query in SQL to include those courses. Everything looks okay, except the header for the students are still appearing. how do I supress the student heading if no drecords are present?
    Can somebody help me.
    Thank you
    David Smith

    hello,
    you will have to create a counter, that tells you the numbers of students (summary-column, function : count, reset on : course) and create a format-trigger on the heading that hides it when the number of students is 0.
    regards,
    the oracle reports team --pw                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

  • Built-In Domain Level Groups dont have permissions on domain they should on 2012

    Hello,
    First this is a brand new domain environment with everything running server 2012 datacenter edition.
    Second I've never seen anything like the following occur in a domain environment. What I had is what appears to be a bad 2012 AD structure however so far all AD tests come back good. The problem is the built-in domain level groups do NOT offer any level
    of access that they should. For example if I add a user in the administrators group, they don't have any permissions that group is supposed to have. THe same with every other builtin, backup operators, server operators, account operators and on and on. The
    only way a user gets that level of access is if I add them into the domain admins group. As you can imagine this is crazy and not a solution for my help desk crew. (having them all be domain admins that is) So while I could very well use delegation, I need
    to find out why my builtin groups don't function as they should.  Anyone have any ideas on what to check or where to look?  I'm at the point of opening a case with Microsoft on this.
    Thanks in advance

    Because those builtin groups AREN'T domain level groups in the way you're thinking. The Administrators group on the server gives users administrator permissions on the server, but that doesn't mean permissions on the entire domain.
    If you look in the user list in ADUC you'll see that while Domain Admins are a Global security group, Administrators is only a local group, eg local to the server (or more accurately since they no longer have local details, to domain controllers), so doesn't
    grant permissions to anything outside of the domain controller. On all non DC's the machines have their own local administrators group which is independent of the domain one, and can have different memberships.
    So if you only need a user to have permissions to the DC then administrators is fine, but if you need them to have access to the entire network, eg other servers and workstations, then they need to be members of domain admins. If you only want them
    to have limited permissions then you need to grant those permissions either via a global/universal group, or by adding them to the relevant local group on each machine they need access to.

  • Partner number of Purchasing organisation and group

    Hi
    I have to find the partner number of the Purchasing organisation and group to which a user is assigned. I have the partner number of the user.
    I know that we can view this in PPOSA_BBP, I want to write a code to fetch this.
    I have found the purchasing group of the user using BBP_OM_STRUC_GET_ORG_FROM_USER( here I have to pass the user name which I found from the partner number of the user using BUP_PARTNER_TO_USER_CONVERT.)
    Eventually, once I have the partner number of Purchasing org and grp I have to fetch the address details using BUPA_ADDRESS_GET_DETAIL(this requires the partner number.)
    Someone suggested me to use BAPI_ADDRESSORG_GETDETAIL but I dont know how to pass data in this bapi.
    Please help me.

    hi ,
    consult your  functional person some where they will assign link between purchasing organization -purchasing group--product category.
    T024E - organization
    T024   - groups
    for exact solution get the link from where the configuration do.
    rgds
    Chalam

  • Multi level grouping in views

    Hi 
    I am using SharePoint 2013, I wanted help on how to do multi level grouping in views.
    The view should be like as follows:
    -Category1
       -Level1
          -Title1
               data
    -Category2
        -Level2
           -Title2
               data 

    http://social.technet.microsoft.com/Forums/sharepoint/en-US/7085c62f-ee31-4655-bca9-0d4cef946374/multi-level-grouping-issue-in-sharepoint-2010?forum=sharepointgeneralprevious
    previously asked questions contain a link to:
    http://techtrainingnotes.blogspot.in/2011/01/sharepoint-group-by-on-more-than-2.html
    The article basically describes how to create and use a DVWP instead of a XSLT List View. The out of the box SharePoint list view cannot have more than two groups. You need to either edit the View page and add a DVWP or create a new page with a DVWP.
    SP 2010 view pages lose some functionality if web parts are added (showing ribbon is not as straightforward and view selector disappears), but there are workarounds.
    In some cases, a Web Part Page with a DVWP may be a better alternative.
    http://social.msdn.microsoft.com/Forums/sharepoint/en-US/82e7123d-9ff1-430b-a43c-0b937185574f/multiple-level-grouping-and-counting-help-in-sharepoint-designer?forum=sharepointcustomizationlegacy
    http://suguk.org/forums/11092/ShowThread.aspx

  • Item level Group Condition

    Hello,
    I have created one Item level condition type ZZXX and set "group condition" check box and maintained condition records with fixed amount.
    In the sales order, i have given 3 line items (different materials). system determined the condition type ZZXX and distributed amount to 3 materials with different values.
    Could you please let me know how a Item level group condition distributes amount among 3 line items?
    Thanks in advance.
    B Regards,
    Bhaskar.K

    Must be the Material Group is same in all the three different material in 3 line Items.
    Best Regards,
    Ankur

  • How to Deactive the Organisation and Group in BP tcode?

    Hi All,
    In CRM, Tcode BP, In the Application Toolbar Objects like Person,Organisation and Group.
    In that How to Deactive the Organistaion and Group.and the Person should be active only.
    Please let me know it.

    A simple solution would be:
    Goto transaction 'BUSD' (transaction to maintain roles).
    Select the role '000000'(Business Partner -General) -> Click on theDetails (CtrlShiftF2) in the tool-bar above. In the new screen showing the details of the role disable the Category 'GROUP' for thisrole. This would disable the 'Create Group' button in the 'BP'transaction.The role '000000' is the basic role for a partner. If the requirement is to disable the group button for all the roles -> Follow the same procedure for the remaining roles.
    Edited by: Smita Singh on Jun 30, 2008 2:00 PM

  • Upper and lower level groups for pages

    Is it possible to create different level groups for pages that show up in the navigation menu?

    Your question is not that clear.
    Are you talking about hidden pages? If so, yes it is possible. You would need to create your own navigation bar though. I did this on my first website by creating my own nav bar at the top of the page. I had a couple of extra pages that were not linked to the nav bar. I used Back and Next buttons on the other two pages to link them back.
    When I re-designed my site, I increased the page size, so that I had room for two nav bars, one at the top of the page which is fixed and another at the side which changes as I add new things to the site.

  • PFCG - Organisation Levels

    Hi,
    Need to know, how to input organisation levels? like company code, cost center, department etc.
    Which table holds these values in it.. Would appreciate, more info.
    Thanks,
    Sam

    Hello Sam,
    It depends totally on what you want in organizational level management. For example there is a role in which you want to give authorizations for only a set of company codes/controlling area etc. Then you can fill in only those values in the organizational level. However if you feel that a role should give access to all values then you can keep the value as *. You can find out the allowed values by doing an F4. For example you have a department A and department B. Department A is represted by company code XXXX while Department B is represented by company code YYYY. If you are creating a role that will be assigned to Department A users then it makes sense to fill in value XXXX in the organization level. Similarily the role for Department B should have value of company code as YYYY only. However if it a role for a manager who is taking care of both Department A and Department B then you can give both company codes XXXX and YYYY in the role created for him.
    However it is just not a basis decision but also one which is governed by business requirements. From business point of view organizational level helps you in differentiating the authorizations between the set of users while from a purely technical point of view it reduces the manual effort in filling in field values repeatedly. For example if you give the value of company code as XXXX in organization level the value xxxx will get populated in all the fields for company code with in that role.
    As suggested in the previous mail you can discuss this with functional consultants as well with some of the manager level end users. They will be able to provide you an entire organizational plan for the organization.
    Please let me know if you need further details.
    Please award points accordingly.
    Regards.
    Ruchit.

  • Multi Level Grouping Issue in SharePoint 2010

    Hi All
    I want to acheive multilevel grouping in my SharePoint Views.I need to acheive grouping up to 5-6 levels of columns.
    Is there any way we can acheive this?
    Any Pointers to Custom Solutions,Custom Controls in .NET can be utilised in SharePoint to acheive this?
    Please provide some pointers
    Regards
    Mahesh

    Hello,
    previously asked questions contain a link to:
    http://techtrainingnotes.blogspot.in/2011/01/sharepoint-group-by-on-more-than-2.html
    The article basically describes how to create and use a DVWP instead of a XSLT List View. The out of the box SharePoint list view cannot have more than two groups. You need to either edit the View page and add a DVWP or create a new page with a DVWP.
    SP 2010 view pages lose some functionality if web parts are added (showing ribbon is not as straightforward and view selector disappears), but there are workarounds.
    In some cases, a Web Part Page with a DVWP may be a better alternative.
    cheers, teylyn

  • RAR - Risk Analysis - Permission Level - V_VBAK_AAT||AUART - Error

    I have a trouble related with risk analysis at permission level, when the V_VBAK_AAT||AUART is activated in two functions of my customized GRC rule-set (VIRSA_CC_FUNCPRM) for controlling some "document types" for tcodes VA01 and VA02. When I execute this customization in RAR, the system says "No match / No conflicts" for the risks where these functions appear, however performing some queries in the back-end systems, I have realized there are more than 80 users in conflict for some of them, given the fact that they have value '*' in object/field V_VBAK_AAT||AUART.
    At a first time I thought that most probably would be related with the fact that these functions are part of risks that combine 3 and 4 functions at the same time, with OR logical activated in document types, but when I searched for the rules generated for these risks I noticed that only 34.000 rules were generated and this no overpass the limit of 45566 rules defined at RAR. Anyway, I performed some tests reducing the number of possible combinations and, basically, whenever the following line is activated, the outcome is u201Cno conflictsu201D:
    D VIRSA_CC_FUNCPRM FN15 VA01 GRC-C21 V_VBAK_AAT||AUART ZSO ZSO OR 0 null
    If this line is disabled, then, several users with conflicts are reported. As mentioned above, these users have value '*'   for object/field V_VBAK_AAT||AUART, so I do not understand why those users are not reported when the line above is activated.
    I have done the following checks, all of them correct:
    - The user/role/profile synchro has been done and all the users has been stored in table VIRSA_CC_
    - All the lines in VIRSA_CC_FUNCPRM part of my customized rule-set have been correctly inserted in the same Oracle table
    - All the combinations of rules has been created (including VA01 and VA02 with V_VBAK_AAT||AUART)
    Any suggestions?
    Thanks in advance

    I've detected the same problem for the following authorization objects:
    - F_BKPF_BLA||BRGRU
    - V_VBRK_FKA||FKART
    - M_MSEG_BWE||WERKS
    RAR reports no conflicts (at authoriztion level) when these objects are activated (of course having users with these conflicts in back-end systems)
    This problem has been proved in the installation of different customer with SAP GRC Access Control 5.3 SP12.
    Anybody else has experienced this issue????

  • Change sequence of organisational levels in Material Master

    Hi,
    Can we change the sequence or remove any Organisational element such as Plant, Storage Location, Sales Organization, Division etc. before creating Material Master.(Organistional level dialog box)
    Please suggest if it is possible.
    Regards,
    Goraksh.

    Hello
    Go to MM01 and to to the 'Defaults' tab and select the 'organizational levels'.
    Give the default values and tick the ' organizational levels only on request'.
    Then the organizational levels will be shown only if u click organizational levels in the view selection box.
    Hope this helps.
    Regards
    Gregory Mathews

  • XML Publisher - Multi Level group totals, subtotals and grand totals

    Hi Experts,
    I have a question in BI Publisher report in R12 Projects. The report has the following information: Project Parent Org -> Project Org -> Supervisor name(An employee who might be owning multiple projects)  -> Project -> Task -> Expenditure and Revenue amounts.
    I am able to generate the RTF report considering the above hierarchy. I am able to list Expenditure, Revenue, profit margin and few other calculated fields in the report.
    Now, user is looking for the total of the amount at various levels:
    Task Level
    Project Level
    Supervisor Level
    Project Org level
    Parent Org level
    In my Data Definition, I have data something like this:
    <group name="G_PROJECT_DETAILS"  source="Q_PROJECT_DETAILS">
      <element name="PROJECT_TYPE"             value="PROJECT_TYPE"/>
      <element name="AREA"                     value="AREA"/>
      <element name="PARENT_ORG"                value="PARENT_ORG"/>
      <group name="G_SUPERVISOR_DETAILS"   source="Q_PROJECT_DETAILS">
      <element name="CHILD_ORG"                 value="CHILD_ORG"/>
      <element name="SUPERVISOR"           value="SUPERVISOR"/>
      <group name="G_DETAILS"  source="Q_PROJECT_DETAILS">
      <element name="PROJECT_TYPE"              value="PROJECT_TYPE"/>
      <element name="PRJ_NUMBER"                value="PRJ_NUMBER"/>
      <element name="CREW"                      value="CREW"/>
      <element name="TOTAL_REVENUE_YTD"         value="G_REVENUE_DETAILS.TOTAL_REVENUE_YTD_C"       function="SUM()"/>
      <element name="TOTAL_DIRECT_COST_YTD"     value="G_EXPENDITURE_DETAILS.TOTAL_DIRECT_COST_YTD_C"    function="SUM()"/>
      <element name="HOUR_YTD"                  value="G_EXPENDITURE_DETAILS.HOUR_YTD_C"       function="SUM()"/>
      <group name="G_REVENUE_DETAILS"  source="Q_REVENUE_DETAILS">
      <element name="TOTAL_REVENUE_YTD_C"         datatype="NUMBER" value="TOTAL_REVENUE_YTD"/>
      </group>
      <group name="G_EXPENDITURE_DETAILS"  source="Q_EXPENDITURE_DETAILS">
      <element name="TOTAL_DIRECT_COST_YTD_C"     datatype="NUMBER" value="TOTAL_DIRECT_COST_YTD"/>
      <element name="HOUR_YTD_C"                  datatype="NUMBER" value="HOUR_YTD" />
      </group>
      </group>
      </group>
    </group>
    I am trying to calculate SUM for 'TOTAL_REVENUE_YTD', 'TOTAL_DIRECT_COST_YTD' fields at a higher level (i.e. Child and Parent Org level containing multiple projects). I tried accessing them like
      <element name="TOTAL_REVENUE_YTD_C"         value="G_DETAILS.TOTAL_REVENUE_YTD"       function="SUM()"/>
      <element name="TOTAL_DIRECT_COST_YTD_C"     value="G_DETAILS.TOTAL_DIRECT_COST_YTD"    function="SUM()"/>
    using the group name G_DETAILS. But, I am not able to get the sum of all entries (i.e. grand child of current group). I also tried using SUM() with <group1>.<group2>.elementname to get grand-total of all grand child. But, its not working.
    Please suggest how to calculate totals for grand-child.
    Thanks in advance
    Rathnam

    Try by creating a formula like this :
    Whileprintingrecords;
    Col1 + Col2 + Col3 + Col4

  • Very imp purchase organisation and group

    please provide me the exact differences between purchase organisation and purcahse group.
    regards

    Dear,
    A purchasing group is a key for a buyer or a group of buyers who are responsible for purchasing activities. The purchasing group is not assigned to other units of the enterprise structure in SAP R/3.
    Purchasing organization is an organizational unit within logistics that subdivides the enterprise according to the purchasing requirements.
    A purchase organization procures materials or services, negotiates conditions of purchase with vendors, and assumes responsibility for these transactions.
    You can incorporate purchasing into company structure by assigning the purchasing organization to a company code and to plants. This means you can take into account whether purchasing is organized on a centralized or decentralized basis in your company. You can have a combination of these two also.
    You can assign several purchase organizations to one company code. However a certain purchase organization is belongs to only one company code.
    You can decide not assign a purchase organizations to company code in case of cross-company purchasing.
    You can assign several plants to a purchase organizations and one plant to several purchase organizations.
    For plant specific purchases, a purchase organization is purchase materials to only one plant.
    If a purchase organization is to procure materials or services for several plants in a company code, you can set up a cross-plant purchasing organization within the company code. To do so, you assign the purchase organization to company code and after this you assign the plants for which the purchase organizations are to be responsible.
    If a purchase organizations is responsible for procurement for all plants of a company code, the above setting not enough, but you must always assign the plants to a purchasing organization that is to procure for them.
    However, assignment of purchase organizations to a company code is not necessary.
    If you want to assign cross-company code purchasing, you must not assign the purchasing organization to any company codes in customizing.
    Regards,
    Syed Hussain.

Maybe you are looking for

  • I need to file a compliant to Corporate since the store is no help!

    First of all I want to say that I am HIGHLY disappointed and upset with the service I received from your Fair Oaks, VA Store. I been going to this location for years and I haven't ever had an issue until I purchased a new phone with your mobile depar

  • Layout of an appender (log4J)

    Hello,, iam creating a new appender file log.addAppender(new RollingFileAppender(new SimpleLayout(),appenderFileName)); but iam not beeing able to set its layout as i want in a conversionLayout anyone can help

  • ITunes 11.1.4 vs 11.1.5 on SL, update or no?

    I'm currently at 11.1.4 and all is well. When an updated comes out for iTunes, I generally follow this forum to see if there are any "consistent" issues. I've noticed many threads of "not being able to open iTunes" after updating to 11.1.5. That said

  • How to protect application from being run by 2 browser with same session ?

    Hi all, As we know, in Firefox, if we open two browser windows or tabs it will share same session. In IE, it does the same thing if we open two tabs in same window. The impact is user can open the application twice (or more) yet share the same sessio

  • Weird response on logon

    I have gotten a really weird response with a logon. I have a Before Header PL/SQL process on page 1 This is the code <pre> SELECT count(*) INTO :GLOBAL_ADMIN FROM sys.dba_role_privs WHERE GRANTED_ROLE = 'ADMIN_ROLE' and grantee = upper(:app_user); IF