1. Introduction


Sensitive Data Fields provides dual control function in SAP to provide more security when changes are made in Customer and Vendor Master Data records. After activating Sensitive Data Fields functionality, changes done by one profile (Ex. Clerk) in AP and AR Master Data has to be confirmed by another profile (authorized person), thereby facilitating strong control over unauthorized modification. Changes made in relevant Customer or Vendor Master Data are visible but the account is automatically blocked for payment run till the changes are confirmed.

If this function is not activated then when the master data for a customer/vendor is changed then all business processes, including for example a payment run, can be executed immediately afterwards without the changes having being confirmed regarding the 4-eyes-principles. The risk of fraudulent behavior, especially in payments to vendor and customer, remains higher than a situation where the changes of sensitive data fields need to be confirmed by another person.


2. Steps


Standard SAP offers the possibility to define sensitive fields for both customer and vendor data. This customization is at Client level and is applicable for all Customer or Vendor account groups.


Customer Master Data

      1.    IMG Path for customization of Sensitive Fields for Customers:

IMG -> Financial Accounting -> Accounts Receivable and Account Payable -> Customer Accounts -> Master Data -> Preparations for Creating Customer Master Data -> Define Sensitive Fields for Dual Control. Single data fields can be defined as sensitive.

Screenshot 1.jpg

  Similar customizing exists for vendor accounts.


     2.    Maintaining Sensitive Fields:

       Below screenshot shows various fields available for customization as Sensitive data fields.

       This includes Customer name and address, Bank details etc.

      Screenshot 2.jpg

     3.    Terms of payment saved as Sensitive Field:

        Screenshot 3.jpg

     4.    Changing Payment Terms in Customer Master Data:

         Screenshot 4.jpg

         Screenshot 5.jpg

        Existing payment term is FB00

      Screenshot 6.jpg

        Terms of payment have been changed from FB00 to FB09

         Screenshot 6.jpg

      /wp-content/uploads/2014/03/q_404937.png

         Changes saved with an information message to confirm the changes


     5.    Display Customer Master Data:

        /wp-content/uploads/2014/03/q_404937.png  

         /wp-content/uploads/2014/03/q_404937.png

         Changes available for display but the same are required to be confirmed.

    6.    Confirmation of Change:

        /wp-content/uploads/2014/03/q_404937.png

        /wp-content/uploads/2014/03/q_404937.png

        /wp-content/uploads/2014/03/q_404937.png

       Changes made can be displayed by clicking Changes to sensitive fields

       Below screen provides details of changes made

      /wp-content/uploads/2014/03/q_404937.png

       Changes have not been confirmed

     7. Executing Automatic Payment Run:

       Customer has open item (T Code: FBL5N)

       /wp-content/uploads/2014/03/q_404937.png

       /wp-content/uploads/2014/03/q_404937.png

        Executing Payment Run without confirming the changes (T Code: F110)

      /wp-content/uploads/2014/03/q_404937.png

      /wp-content/uploads/2014/03/q_404937.png

      /wp-content/uploads/2014/03/q_404937.png

      /wp-content/uploads/2014/03/q_404937.png

       Account was not considered for payment run due to unconfirmed changes.


Vendor Master Data

    1. IMG Path for customization of Sensitive Fields for Vendors:

     IMG-> Financial Accounting-> Accounts Receivable and Account Payable-> Vendor Accounts-> Master Data-> Preparations for               creating Vendor Master Data-> Define Sensitive Fields for Dual Control. Single data fields can be defined as sensitive.

       /wp-content/uploads/2014/03/q_404937.png

     2.    Maintaining Sensitive Fields:

      

      Below screenshot shows various fields available for customization as Sensitive data fields.

      This includes Vendor name and address, Payment terms, Dunning data etc.

         /wp-content/uploads/2014/03/q_404937.png

      3.    City and Accounting Clerk Field have been saved as Sensitive Field:

         /wp-content/uploads/2014/03/q_404937.png

     4.    Changing Sensitive Fields in Vendor Master Data:

       /wp-content/uploads/2014/03/q_404937.png

       /wp-content/uploads/2014/03/q_404937.png

      /wp-content/uploads/2014/03/q_404937.png

        City changed from Montvale to Rutherford

       /wp-content/uploads/2014/03/q_404937.png

        Accounting clerk field was empty

      /wp-content/uploads/2014/03/q_404937.png

        Now filled with AP

      /wp-content/uploads/2014/03/q_404937.png

      /wp-content/uploads/2014/03/q_404937.png

       Changes available for display but the same are required to be confirmed.

    5.    Display Vendor Master Data

        /wp-content/uploads/2014/03/q_404937.png

         /wp-content/uploads/2014/03/q_404937.png

       /wp-content/uploads/2014/03/q_404937.png

          Changes made are available for display

   6.    Confirmation of Change

     /wp-content/uploads/2014/03/q_404937.png

      /wp-content/uploads/2014/03/q_404937.png

      /wp-content/uploads/2014/03/q_404937.png

       Changes done in city comes under Vendor Master General Data

     /wp-content/uploads/2014/03/q_404937.png

       Changes done in Accounting clerk comes under the preview of Company Code Data

      /wp-content/uploads/2014/03/q_404937.png

      /wp-content/uploads/2014/03/q_404937.png

7.  Executing Automatic Payment Run:

       Vendor Open item ready for payment run (T Code: FBL1N)

      /wp-content/uploads/2014/03/q_404937.png

       /wp-content/uploads/2014/03/q_404937.png

        Executing Automatic Payment Program (T Code F110)

       /wp-content/uploads/2014/03/q_404937.png

       /wp-content/uploads/2014/03/q_404937.png

       /wp-content/uploads/2014/03/q_404937.png

       /wp-content/uploads/2014/03/q_404937.png

      Vendor is blocked for payment due to unconfirmed changes.


3.    Customized solution


As already mentioned, Sensitive Data Field functionality provided by standard SAP is at client level and therefore applicable for all the customer and Vendor account groups existing in the system. Based on customer request, this functionality can be activated for specific account groups.

In our project, Customer and Vendor Account groups have been created at country level. To fulfill customer requirement, A custom table has been created to maintain the relevant account groups and Sensitive Data Fields.

      /wp-content/uploads/2014/03/q_404937.png

Also we have added one enhancement spot in include MF02DFEX for customer MF02KFEX for vendor. Accordingly Sensitive Data Field functionality has been activated at account group level.

       /wp-content/uploads/2014/03/q_404937.png

       /wp-content/uploads/2014/03/q_404937.png

In this way, unauthorized changes in Customer and Vendor master data can be effectively controlled thereby reducing overall business risk.

To report this post you need to login first.

22 Comments

You must be Logged on to comment or reply to a post.

  1. Shiva Maryala

    Hi Seema,

     

     

    Very Informative..Thanks for sharing.

     

    Can you please tell me were we need to maintain the Authorisation Level and the User ID,s of approving Hierarchy.

     

     

    Thanks,

    M.Shiva Kumar

    (0) 
    1. Seema Saboo Post author

      Hello Shiva,

       

      Thanks for your comments.

       

      Maintenance of Authorization level and User ID separately is not required. This will be taken care of by Authorization roles assigned to User ID having access to confirm the Vendor/Customer Master data changes (FK08/FK09/FD08/FD09)

       

      Nevertheless, Changes done by one User ID cannot be confirmed with same User ID even thought access for confirmation of changes is available.

       

      Regards,
      Seema

      (0) 
  2. Prashant Govind Rane

    Hi,

     

    Nice docs – Thanks!

     

    Is is possible to use this dual functionality by company code dependent?

     

    I have one scenario for small size companies where in one client we have two company codes. One company want to use this functionality, but other company code business owner do not want this functionality reason in that company only 1 accounting user exist.

     

     

    B/R

    Prashant Rane

    (0) 
  3. Seema Saboo Post author

    Hello Prashant,

     

    Since in SAP, General data of Customer master  can be created with no reference to Company code, so activation of sensitive field functionality at Company code level is not possible.

     

    Regards,

    Seema Saboo

    (0) 
  4. ' MoazzaM '

    Seema Saboo

     

    I liked the way you have presented this document. Though this is not possible in standard but still I wana ask that have you ever came across such requirement in which user asks you to put some field from Sales area data to sensitive fields? I can see that there is no field available from KNVV table. What if we want to add some field from KNVV to this field catalogue which we have in defining sensitive field IMG activity?

     

    Thank$

    (0) 
    1. Seema Saboo Post author

      Hi Moazza,

       

      Thanks for your message.

       

      In custom functionality as well, If an entry is maintained in custom table for a field with reference to table KNVV, the same will definitely work. This is applicable to all customer master data relevant tables.

       

      Regards,

      Seema

      (0) 
      1. Shivaji Shivaji

        Hi Seema,

         

        Hi Seema,

         

        Can you please explain what needs to be done in program MF02KFEX in order to activate sensitive field functionality at account group level & Company Code level?

         

        Thanks

        Shiva

        (0) 
  5. Melih Özbağı

    Hi Seema,

     

    Can you please explain what needs to be done in program MF02KFEX in order to activate sensitive field functionality at account group level?

     

    Regards,

     

    Melih

    (0) 
  6. N A

    Hi Seema,

     

    I also need to define sensitive fields based on account group. Could you please show/explain your solution (-> enhancement in include MF02KFEX) in detail? 

     

    I would really appreciate your help!!!

     

    Kind regards,

    Nicki

    (0) 
    1. Pavan Kumar Raju Sagiraju

      Hello Nicki,

       

      The subroutine  AUFRUF_USER_EXIT can be enhanced as below.

       

         Check if a new entry is added or existing sensitive field entry is changed, if so update the below flags.

       

               lfa1confs = ‘1’.

               kredxadspl = ‘X'(For general data)  or  kredxbdspl = ‘X'(for company code data)

            

      Indicating confirmation has to happen by setting the above flags.



      Change in include MF01AINT:

       

      The subroutine   KRITAB_FUELLEN can be enhanced as below.

       

      Here append the table  kritab mentioning all the additional sensitive fields information.S

      o that the system understands these are sensitive fields.


      This will display the new fields in FK08 when the display sensitive fields button is clicked.



       

      Change in include MF02KFS0:

       

      The subroutine   SENSIBLE_FELDER can be enhanced as below.

       

      Mark the flag  p_xsensibel = ‘X’ for all the new sensitive fields.

       

      This will make  confirm buttom enable in FK08.

       

      Regards,

       

      Pavan Kumar.

      (0) 
      1. Shivaji Shivaji

        Hi Pavan Kumar,

         

         

        I am also faceing same issue. Client want sensitive fields activate specific to Once Vendor Account group and Company codes. How i can build the logic.

         

         

        I would really appreciate your help!!!


        Thanks

        Shiva

        (0) 
    2. Shivaji Shivaji

      Hi Nicki,

       

       

       

      I am also facing same issue. Client want to sensitive fields activate specific to one Vendor Account group and Company codes.

       

      Please provide the information how you achieved this issue.

       

       

       

      I would really appreciate your help!!!



      Thanks

      Shiva

      (0) 
  7. swapnil rane

    Dear Seema,

     

    Thank you for very useful information.

    We have requirement that, along with AC block, user should not be able to create any document related to that customer (Overall block XD05).

     

    Is there any way, by which we can achieve Overall block for Sensitive fields changes in SAP.

     

    Thanks

    (0) 

Leave a Reply