Create a Ruleset
To use a ruleset, prepare a CSV/TSV file following the ruleset format and load it into MTC Skopos. The ruleset file can be opened and maintained directly in Microsoft Excel.
The ruleset must contain the following headers:
Rule Set,Access Risk ID,Access Risk Description,Access Risk Type,Access Risk Level,Business Process Description,System,Functions,Function Description,Action,Action Description,Permission Object,Field,Value From,Value To,Condition,Change Doc Action,Change Doc Object Type
Field Reference
| Field | Description | Comments |
|---|---|---|
| Rule Set | The name/source of the ruleset (e.g., "ACME SoD Control") - identifies which framework or library the rules come from | |
| Access Risk ID | Unique identifier for the SoD conflict (e.g., S015, S016) - used for tracking and remediation | |
| Access Risk Description | Business explanation of the fraud/error scenario the conflict enables | |
| Access Risk Type | Classification of risk type - typically "Segregation of Duties" (SoD), "Critical Action" (CA), or "Critical Permission" (CP) | |
| Access Risk Level | Risk severity rating: High, Medium, or Low | |
| Business Process Description | The business area affected (e.g., Finance, Sales, Procurement) | |
| System | SAP system ID and client where the rule applies (e.g., EPRDCLNT100) | |
| Functions | Function ID - groups related transactions/permissions into a logical business capability (e.g., SD06) | |
| Function Description | Human-readable name for the function (e.g., "SD06 - Sales Pricing Condition") | |
| Action | The SAP transaction code being evaluated (e.g., VK11) | Action refers to a Permission Group |
| Action Description | What the transaction does (e.g., "Create Condition") | |
| Permission Object | The SAP authorization object being checked (e.g., V_KONH_VKS, S_TCODE) | All objects linked to the same Function-Action are checked during the analysis (AND) |
| Field | The specific field within the authorization object (e.g., ACTVT, TCD) | |
| Value From | The required authorization value (e.g., "02" for change, "VK11" for tcode) | |
| Value To | Upper bound for range values - empty if single value | |
| Condition | Logical operator linking multiple value rows within the same field (AND/OR) | |
| Change Doc Action | Transaction code used to check change document logging | Leave blank for Fiori |
| Change Doc Object Type | Object type for change document verification (e.g., OBJECTCLAS: COND_A for pricing conditions) | Multiple OBJECTCLAS values can be set with a comma or pipe separator |
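
A pre-load check for a ruleset file, as an added example (not part of MTC Skopos or its tooling): it verifies the required headers, validates the Access Risk Level and Condition columns, and groups permission rows by Function-Action as the field reference describes. The function name, the sample rows, the acceptance of a blank Condition, and the rule that Value To needs a Value From are assumptions.

```python
import csv, io
from collections import defaultdict

REQUIRED = ("Rule Set,Access Risk ID,Access Risk Description,Access Risk Type,"
            "Access Risk Level,Business Process Description,System,Functions,"
            "Function Description,Action,Action Description,Permission Object,"
            "Field,Value From,Value To,Condition,Change Doc Action,"
            "Change Doc Object Type").split(",")
LEVELS = {"High", "Medium", "Low"}   # values listed in the field reference
CONDITIONS = {"", "AND", "OR"}       # assumption: blank is valid for single-value fields

def load_ruleset(text):
    """Parse CSV/TSV ruleset text. Returns (rules, problems), where rules maps
    Access Risk ID -> (Functions, Action) -> list of permission checks."""
    text = text.lstrip("\ufeff")     # Excel's "CSV UTF-8" export prepends a BOM
    first = (text.splitlines() or [""])[0]
    reader = csv.DictReader(io.StringIO(text), delimiter="\t" if "\t" in first else ",")
    missing = [h for h in REQUIRED if h not in (reader.fieldnames or [])]
    if missing:
        return {}, [f"missing header: {h}" for h in missing]
    rules, problems = defaultdict(lambda: defaultdict(list)), []
    for raw in reader:
        n = reader.line_num          # physical line of the row just read
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        errs = []
        if row["Access Risk Level"] not in LEVELS:
            errs.append(f"Access Risk Level {row['Access Risk Level']!r} is not High/Medium/Low")
        if row["Condition"].upper() not in CONDITIONS:
            errs.append(f"Condition {row['Condition']!r} is not AND/OR")
        if row["Value To"] and not row["Value From"]:   # assumption: a range needs a lower bound
            errs.append("Value To is set but Value From is empty")
        if errs:
            problems += [f"line {n}: {e}" for e in errs]
            continue
        # Objects sharing a Function-Action are all checked together (AND).
        rules[row["Access Risk ID"]][(row["Functions"], row["Action"])].append(
            (row["Permission Object"], row["Field"], row["Value From"], row["Value To"]))
    return rules, problems

# Constructed sample rows built from the example values in the field reference.
_PREFIX = ("ACME SoD Control,S015,Constructed sample risk,Segregation of Duties,{level},"
           "Sales,EPRDCLNT100,SD06,SD06 - Sales Pricing Condition,VK11,Create Condition,")
SAMPLE = "\n".join([",".join(REQUIRED),
                    _PREFIX.format(level="High") + "S_TCODE,TCD,VK11,,,,",
                    _PREFIX.format(level="High") + "V_KONH_VKS,ACTVT,02,,,,",
                    _PREFIX.format(level="Critical") + "V_KONH_VKS,ACTVT,02,,XOR,,"])

if __name__ == "__main__":
    rules, problems = load_ruleset(SAMPLE)
    print(dict(rules["S015"]), problems, sep="\n")
```

Rows that fail a check are reported and left out of the grouped result, so a typo in a risk level or operator is caught before the file is loaded.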