Ruleset Structure

A ruleset defines:

| Element | Description |
| --- | --- |
| Risks | Risk ID, name, level (Critical/High/Medium/Low), type (SoD/Critical Access) |
| Functions | Business functions that group related actions |
| Actions | Transaction codes or activities |
| Permissions | Authorization object and field value requirements |

Technical Considerations

  • System: This field identifies the system where the function is expected to be triggered.

    Note: The system value must match exactly with the one defined in the corresponding data source(s).

  • Action: The Action field acts as a permission group; permissions with the same action are evaluated together to trigger a function.

    Note: An action is not bound to a specific Tcode. If a transaction is involved, the authorization object S_TCODE must be included separately.

  • Object: Represents the authorization object. All objects assigned to the same action are considered during evaluation.

  • Field: The authorization field within an object. All fields under the same object are taken into account.

  • Value From / To: A string range used for value matching. A value is considered if it falls within the specified range, where the ordering starts with special characters (e.g. /) and ends with letters (e.g. Z).

  • Condition (AND / OR): Operators define how multiple values for the same field of the same object are interpreted:

    • AND requires the value to be met.
    • OR requires at least one value to be met.

    Note: Combining AND and OR is technically possible. In that case all values with condition AND are required in combination with at least one value with condition OR.

  • Wildcard (*) – ANY vs ALL:

    • To trigger the function by any value: use *
    • To trigger the function by all values: use ' * ' (quoted with a space)

Example Explained

Note: The examples shown are not functionally correct; they are simply meant to explain how the tool processes and interprets technical input.

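| Function | Action | Authorization Object | Field | Value From | Value To | Condition |
| --- | --- | --- | --- | --- | --- | --- |
| Table Maintenance | SM30_NAM | S_TABU_NAM | ACTVT | 01 | | OR |
| Table Maintenance | SM30_NAM | S_TABU_NAM | ACTVT | 02 | | OR |
| Table Maintenance | SM30_NAM | S_TABU_NAM | ACTVT | 03 | | AND |
| Table Maintenance | SM30_NAM | S_TABU_NAM | TABLE | Z* | | OR |
| Table Maintenance | SM30_NAM | S_TABU_NAM | TABLE | A* | BKPF | OR |
| Table Maintenance | SM30_NAM | S_TCODE | TCD | SM30 | | AND |
| Table Maintenance | SM30_DIS | S_TABU_DIS | ACTVT | 01 | | OR |
| Table Maintenance | SM30_DIS | S_TABU_DIS | ACTVT | 02 | | OR |
| Table Maintenance | SM30_DIS | S_TABU_DIS | DICBERCLS | '*' | | AND |
| Table Maintenance | SM30_DIS | S_TCODE | TCD | SM30 | | AND |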

To trigger the Table Maintenance function, a user or role must be provisioned with either of the following sets of authorizations:

Option 1: Using S_TABU_NAM

  • Transaction code: SM30
  • Authorization Object: S_TABU_NAM
    • Field ACTVT must include: 03 AND (01 OR 02)
    • Field TABLE must include: Any table starting with Z OR any table from A to BKPF

Option 2: Using S_TABU_DIS

  • Transaction code: SM30
  • Authorization Object: S_TABU_DIS
    • Field ACTVT must include: 01 OR 02
    • Field DICBERCLS must include: All table groups
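
The evaluation described above, written out as an added Python example (not the tool's own code) that can be run against a role's values to see which action would trigger the function. It assumes the range row splits as Value From A* and Value To BKPF with the trailing * ignored for the string comparison, that a user's authorizations are a flat map of (object, field) to held values, and that a held * satisfies any rule value; value_met and triggered_actions are hypothetical names.

```python
from fnmatch import fnmatchcase

# Rows of the page's example table: (action, object, field, value_from, value_to, condition)
RULES = [
    ("SM30_NAM", "S_TABU_NAM", "ACTVT", "01", "", "OR"),
    ("SM30_NAM", "S_TABU_NAM", "ACTVT", "02", "", "OR"),
    ("SM30_NAM", "S_TABU_NAM", "ACTVT", "03", "", "AND"),
    ("SM30_NAM", "S_TABU_NAM", "TABLE", "Z*", "", "OR"),
    ("SM30_NAM", "S_TABU_NAM", "TABLE", "A*", "BKPF", "OR"),
    ("SM30_NAM", "S_TCODE", "TCD", "SM30", "", "AND"),
    ("SM30_DIS", "S_TABU_DIS", "ACTVT", "01", "", "OR"),
    ("SM30_DIS", "S_TABU_DIS", "ACTVT", "02", "", "OR"),
    ("SM30_DIS", "S_TABU_DIS", "DICBERCLS", "'*'", "", "AND"),
    ("SM30_DIS", "S_TCODE", "TCD", "SM30", "", "AND"),
]

def value_met(held, lo, hi):
    """True if the held values satisfy one rule value or range."""
    if lo.replace(" ", "") == "'*'":   # quoted wildcard: ALL values, so a full * must be held
        return "*" in held
    if "*" in held:                     # assumption: a held * satisfies any rule value
        return True
    if hi:                              # string range; trailing * on Value From dropped (assumption)
        return any(lo.rstrip("*") <= v <= hi for v in held)
    return any(fnmatchcase(v, lo) for v in held)  # exact value, prefix pattern, or bare *

def triggered_actions(rules, auths):
    """Actions whose permissions are all met by auths: {(object, field): {values}}."""
    groups = {}  # action -> (object, field) -> {"AND": [...], "OR": [...]}
    for action, obj, field, lo, hi, cond in rules:
        groups.setdefault(action, {}).setdefault((obj, field), {"AND": [], "OR": []})[cond].append((lo, hi))
    hits = []
    for action, fields in groups.items():
        ok = True
        for key, conds in fields.items():
            held = auths.get(key, set())
            ok &= all(value_met(held, lo, hi) for lo, hi in conds["AND"])
            ok &= not conds["OR"] or any(value_met(held, lo, hi) for lo, hi in conds["OR"])
        if ok:
            hits.append(action)
    return hits

# Constructed sample users, not taken from the page
USER_A = {("S_TCODE", "TCD"): {"SM30"}, ("S_TABU_NAM", "ACTVT"): {"02", "03"},
          ("S_TABU_NAM", "TABLE"): {"ZCUSTOM"}}
USER_B = {("S_TCODE", "TCD"): {"SM30"}, ("S_TABU_DIS", "ACTVT"): {"01"},
          ("S_TABU_DIS", "DICBERCLS"): {"SC"}}
if __name__ == "__main__":
    print(triggered_actions(RULES, USER_A), triggered_actions(RULES, USER_B))
```

USER_A meets Option 1; USER_B holds only one table group, so the quoted wildcard on DICBERCLS is not met and neither action triggers.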

Updated on: 2026-03-28