Dual Control Functionality in SAP
1. Introduction
Sensitive Data Fields provides dual control function in SAP to provide more security when changes are made in Customer and Vendor Master Data records. After activating Sensitive Data Fields functionality, changes done by one profile (Ex. Clerk) in AP and AR Master Data has to be confirmed by another profile (authorized person), thereby facilitating strong control over unauthorized modification. Changes made in relevant Customer or Vendor Master Data are visible but the account is automatically blocked for payment run till the changes are confirmed.
If this function is not activated then when the master data for a customer/vendor is changed then all business processes, including for example a payment run, can be executed immediately afterwards without the changes having being confirmed regarding the 4-eyes-principles. The risk of fraudulent behavior, especially in payments to vendor and customer, remains higher than a situation where the changes of sensitive data fields need to be confirmed by another person.
2. Steps
Standard SAP offers the possibility to define sensitive fields for both customer and vendor data. This customization is at Client level and is applicable for all Customer or Vendor account groups.
Customer Master Data
1. IMG Path for customization of Sensitive Fields for Customers:
IMG -> Financial Accounting -> Accounts Receivable and Account Payable -> Customer Accounts -> Master Data -> Preparations for Creating Customer Master Data -> Define Sensitive Fields for Dual Control. Single data fields can be defined as sensitive.
Similar customizing exists for vendor accounts.
2. Maintaining Sensitive Fields:
Below screenshot shows various fields available for customization as Sensitive data fields.
This includes Customer name and address, Bank details etc.
3. Terms of payment saved as Sensitive Field:
4. Changing Payment Terms in Customer Master Data:
Existing payment term is FB00
Terms of payment have been changed from FB00 to FB09
Changes saved with an information message to confirm the changes
5. Display Customer Master Data:
Changes available for display but the same are required to be confirmed.
6. Confirmation of Change:
Changes made can be displayed by clicking Changes to sensitive fields
Below screen provides details of changes made
Changes have not been confirmed
7. Executing Automatic Payment Run:
Customer has open item (T Code: FBL5N)
Executing Payment Run without confirming the changes (T Code: F110)
Account was not considered for payment run due to unconfirmed changes.
Vendor Master Data
1. IMG Path for customization of Sensitive Fields for Vendors:
IMG-> Financial Accounting-> Accounts Receivable and Account Payable-> Vendor Accounts-> Master Data-> Preparations for creating Vendor Master Data-> Define Sensitive Fields for Dual Control. Single data fields can be defined as sensitive.
2. Maintaining Sensitive Fields:
Below screenshot shows various fields available for customization as Sensitive data fields.
This includes Vendor name and address, Payment terms, Dunning data etc.
3. City and Accounting Clerk Field have been saved as Sensitive Field:
4. Changing Sensitive Fields in Vendor Master Data:
City changed from Montvale to Rutherford
Accounting clerk field was empty
Now filled with AP
Changes available for display but the same are required to be confirmed.
5. Display Vendor Master Data
Changes made are available for display
6. Confirmation of Change
Changes done in city comes under Vendor Master General Data
Changes done in Accounting clerk comes under the preview of Company Code Data
7. Executing Automatic Payment Run:
Vendor Open item ready for payment run (T Code: FBL1N)
Executing Automatic Payment Program (T Code F110)
Vendor is blocked for payment due to unconfirmed changes.
3. Customized solution
As already mentioned, Sensitive Data Field functionality provided by standard SAP is at client level and therefore applicable for all the customer and Vendor account groups existing in the system. Based on customer request, this functionality can be activated for specific account groups.
In our project, Customer and Vendor Account groups have been created at country level. To fulfill customer requirement, A custom table has been created to maintain the relevant account groups and Sensitive Data Fields.
Also we have added one enhancement spot in include MF02DFEX for customer MF02KFEX for vendor. Accordingly Sensitive Data Field functionality has been activated at account group level.
In this way, unauthorized changes in Customer and Vendor master data can be effectively controlled thereby reducing overall business risk.
Hi Seema,
Very Informative..Thanks for sharing.
Can you please tell me were we need to maintain the Authorisation Level and the User ID,s of approving Hierarchy.
Thanks,
M.Shiva Kumar
Hello Shiva,
Thanks for your comments.
Maintenance of Authorization level and User ID separately is not required. This will be taken care of by Authorization roles assigned to User ID having access to confirm the Vendor/Customer Master data changes (FK08/FK09/FD08/FD09)
Nevertheless, Changes done by one User ID cannot be confirmed with same User ID even thought access for confirmation of changes is available.
Regards,
Seema
Thanks for sharing the valuable knowledge....Good presentation......Thanks...
Hi,
Nice docs - Thanks!
Is is possible to use this dual functionality by company code dependent?
I have one scenario for small size companies where in one client we have two company codes. One company want to use this functionality, but other company code business owner do not want this functionality reason in that company only 1 accounting user exist.
B/R
Prashant Rane
Hello Prashant,
Since in SAP, General data of Customer master can be created with no reference to Company code, so activation of sensitive field functionality at Company code level is not possible.
Regards,
Seema Saboo
Good work Seema
Seema Saboo
I liked the way you have presented this document. Though this is not possible in standard but still I wana ask that have you ever came across such requirement in which user asks you to put some field from Sales area data to sensitive fields? I can see that there is no field available from KNVV table. What if we want to add some field from KNVV to this field catalogue which we have in defining sensitive field IMG activity?
Thank$
Hi Moazza,
Thanks for your message.
In custom functionality as well, If an entry is maintained in custom table for a field with reference to table KNVV, the same will definitely work. This is applicable to all customer master data relevant tables.
Regards,
Seema
Hi,
Could you explain how we can add references to KNVV using a custom table? Which objects should be modified?
Best Regards
Lukasz
Hi Seema,
Hi Seema,
Can you please explain what needs to be done in program MF02KFEX in order to activate sensitive field functionality at account group level & Company Code level?
Thanks
Shiva
Hello Seema,
Very well explained and nicely articulated the info. Thanks for sharing your knowledge.
Regards,
Lakshmi S
Hi Seema,
Can you please explain what needs to be done in program MF02KFEX in order to activate sensitive field functionality at account group level?
Regards,
Melih
Hi Seema,
I also need to define sensitive fields based on account group. Could you please show/explain your solution (-> enhancement in include MF02KFEX) in detail?
I would really appreciate your help!!!
Kind regards,
Nicki
Hello Nicki,
The subroutine AUFRUF_USER_EXIT can be enhanced as below.
Check if a new entry is added or existing sensitive field entry is changed, if so update the below flags.
lfa1-confs = '1'.
kred-xadspl = 'X'(For general data) or kred-xbdspl = 'X'(for company code data)
Indicating confirmation has to happen by setting the above flags.
Change in include MF01AINT:
The subroutine KRITAB_FUELLEN can be enhanced as below.
Here append the table kritab mentioning all the additional sensitive fields information.S
o that the system understands these are sensitive fields.
This will display the new fields in FK08 when the display sensitive fields button is clicked.
Change in include MF02KFS0:
The subroutine SENSIBLE_FELDER can be enhanced as below.
Mark the flag p_xsensibel = 'X' for all the new sensitive fields.
This will make confirm buttom enable in FK08.
Regards,
Pavan Kumar.
Hi Pavan Kumar,
I am also faceing same issue. Client want sensitive fields activate specific to Once Vendor Account group and Company codes. How i can build the logic.
I would really appreciate your help!!!
Thanks
Shiva
Hi Nicki,
I am also facing same issue. Client want to sensitive fields activate specific to one Vendor Account group and Company codes.
Please provide the information how you achieved this issue.
I would really appreciate your help!!!
Thanks
Shiva
Shivaji ,
Please use discussion to ask a question. Comment portion is used to give a review of a document/blog.
Hello Seema,
Very informative Document. Thanks for Sharing.
Regards,
Mukesh
Well written useful document..
Thanks
Dear Seema,
Thank you for very useful information.
We have requirement that, along with AC block, user should not be able to create any document related to that customer (Overall block XD05).
Is there any way, by which we can achieve Overall block for Sensitive fields changes in SAP.
Thanks
Explained in great detail. This is very helpful. Thanks for sharing.
Hey guys,
For #3 Customized Solution, it doesn't say how to actually do it, so I found a way to do it via an enhancement implementation, hopefully my blog post will help you:
How to activate sensitive fields for a specific vendor account group/company code
Regards,
Scott
Dear SAP experts,
Nice blog
Could you please guide how to do a mass upload
How to deactivate this workflow for FK08/FD08 during mass load?
With regards,
Amit Kumar
Hi,
Thank you for the detailed information. Can we have the sensitive control activated for one time vendors also? I mean, during transaction if the one time vendor's bank information is entered, can we have dual control for that as well?
regards
Nagarajan
Hello,
I did maintain a vendor for dual confirmation, but i did not get the error warning during the payment run via F110 like the understated screenshot.
What is needed to get the warning in the log for F110 run?
Hi Seema,
Thank for this article
But only in F110 tcode payment is blocked . User can do payment by F-53,F-48. How to restrict vendor payment from all payment related tcodes.
Ganesh
Helpful Blog!