Ruleset Maintenance

Since every environment is unique, MTC Skopos does not include a built-in ruleset. Customers are expected to develop their own or engage our consulting services to tailor one to their needs. While we can provide a template ruleset as a starting point, it must be reviewed and adapted by the customer to reflect the specifics of their environment.

As Security consultants, we understand that implementing Segregation of Duties (SoD) and Critical Access (CA) rulesets goes far beyond technical configuration. While system-level controls and technical implementation of authorization are key, they represent only half the equation. The true effectiveness of an SoD and CA framework depends on a deep understanding of the organization’s business processes, organizational structure, and system configuration.

To identify risks, it’s essential to align technical roles and authorizations with business functions. This means engaging with business stakeholders, mapping out process flows, and ensuring that rulesets reflect the way the organization actually operates not just how the system is technically set up. This holistic approach ensures not only compliance but also operational efficiency and user acceptance.

How can I maintain the ruleset?

The ruleset file can be opened and maintained directly in Microsoft Excel. The structure is comprehensive and easy to be maintained.

How does cross-system ruleset work?

Maintain the field "System" to identify the system where the function is expected to be triggered from.

⚠️ Note: Ruleset for cross-system (i.e. containing multiple systems) can only be used in case of a cross system risk analysis scenario.

Can I change from a ruleset file to another?

Multiple rulesets can be imported. Please select the appropriate one before running your risk analysis.

Technical Considerations:

  • System:
    This field identifies the system where the function is expected to be triggered.

    ⚠️ Note: The system value must match exactly with the one defined in the corresponding data source(s).

  • Action:
    The Action field acts as a permission group; permissions with the same action are evaluated together to trigger a function.

    ⚠️ Note: An action is not bound to a specific Tcode. If a transaction is involved, the authorization object S_TCODE must be included separately.

  • Object:
    Represents the authorization object. All objects assigned to the same action are considered during evaluation.

  • Field:
    The authorization field within an object. All fields under the same object are taken into account.

  • Value From / To:
    A string range used for value matching. Values will be considered if they fall within the specified range, starting with special characters (e.g. /) and ending with a letter (e.g. Z).

  • Condition (AND / OR):
    Operators define how multiple values for the same field of the same object are interpreted:

    • AND requires the value to be met.
    • OR requires at least one value to be met.

    ⚠️ Note: Combining AND and OR is technically possible. In that case all value with condition AND is required in combination with at least one value with condition OR

  • Wildcard (*) – ANY vs ALL:

    • To trigger the function by any value: use *
    • To trigger the function by all values: use ' * ' (quoted with a space to distinguish the logic, depending on implementation)

Example explained:

⚠️ Note: The examples shown are not functionally correct, they’re simply meant to explain how the tool processes and interprets technical input.

FunctionActionAuthorization ObjectFieldValue FromValue ToCondition
Table MaintenanceSM30_NAMS_TABU_NAMACTVT01OR
Table MaintenanceSM30_NAMS_TABU_NAMACTVT02OR
Table MaintenanceSM30_NAMS_TABU_NAMACTVT03AND
Table MaintenanceSM30_NAMS_TABU_NAMTABLEZ*OR
Table MaintenanceSM30_NAMS_TABU_NAMTABLEA*BKPFOR
Table MaintenanceSM30_NAMS_TCODETCDSM30AND
Table MaintenanceSM30_DISS_TABU_DISACTVT01OR
Table MaintenanceSM30_DISS_TABU_DISACTVT02OR
Table MaintenanceSM30_DISS_TABU_DISDICBERCLS'*'AND
Table MaintenanceSM30_DISS_TCODETCDSM30AND

To trigger the Table Maintenance function, a user or role must be provisioned with either of the following sets of authorizations:

Option 1: Using S_TABU_NAM

  • Transaction code : SM30
  • Authorization Object: S_TABU_NAM
    • Field ACTVT must include:
      • 03
      • AND
      • 01 OR 02
    • Field TABLE must include:
      • Any table starting with Z
      • OR
      • Any table from A to BKPF

Option 2: Using S_TABU_DIS

  • Transaction code : SM30
  • Authorization Object: S_TABU_DIS
    • Field ACTVT must include:
      • 01 OR 02
    • Field DICBERCLS must include:
      • All table groups