Seema Saboo

Dual Control Functionality in SAP

1. Introduction


The Sensitive Data Fields function provides dual control in SAP, adding security when changes are made to Customer and Vendor Master Data records. Once it is activated, changes made by one profile (e.g. a clerk) to AP and AR master data have to be confirmed by another profile (an authorized person), which gives strong control over unauthorized modification. Changes made to the relevant Customer or Vendor Master Data are visible, but the account is automatically blocked for the payment run until the changes are confirmed.

If this function is not activated, then once the master data for a customer/vendor is changed, all business processes, including for example a payment run, can be executed immediately afterwards without the changes having been confirmed under the 4-eyes principle. The risk of fraudulent behavior, especially in payments to vendors and customers, remains higher than in a situation where changes to sensitive data fields need to be confirmed by another person.


2. Steps


Standard SAP offers the possibility to define sensitive fields for both customer and vendor data. This customization is at Client level and is applicable for all Customer or Vendor account groups.


Customer Master Data

      1.    IMG path for customization of sensitive fields for customers:

            IMG -> Financial Accounting -> Accounts Receivable and Accounts Payable -> Customer Accounts -> Master Data -> Preparations for Creating Customer Master Data -> Define Sensitive Fields for Dual Control. Single data fields can be defined as sensitive.

            Similar customizing exists for vendor accounts.

      2.    Maintaining sensitive fields:

            Various fields are available for customization as sensitive data fields. These include customer name and address, bank details, etc.

      3.    Terms of payment saved as a sensitive field.

      4.    Changing payment terms in Customer Master Data:

            The existing payment term is FB00.

            Terms of payment have been changed from FB00 to FB09.

            The changes are saved with an information message to confirm the changes.

      5.    Display Customer Master Data:

            The changes are available for display but still have to be confirmed.

      6.    Confirmation of change:

            The changes made can be displayed by clicking "Changes to sensitive fields". The resulting screen provides details of the changes made.

            The changes have not been confirmed.

      7.    Executing the automatic payment run:

            The customer has an open item (T Code: FBL5N).

            The payment run is executed without confirming the changes (T Code: F110).

            The account was not considered for the payment run due to unconfirmed changes.


Vendor Master Data

      1.    IMG path for customization of sensitive fields for vendors:

            IMG -> Financial Accounting -> Accounts Receivable and Accounts Payable -> Vendor Accounts -> Master Data -> Preparations for Creating Vendor Master Data -> Define Sensitive Fields for Dual Control. Single data fields can be defined as sensitive.

      2.    Maintaining sensitive fields:

            Various fields are available for customization as sensitive data fields. These include vendor name and address, payment terms, dunning data, etc.

      3.    The City and Accounting Clerk fields have been saved as sensitive fields.

      4.    Changing sensitive fields in Vendor Master Data:

            City changed from Montvale to Rutherford.

            The Accounting Clerk field was empty.

            It is now filled with AP.

            The changes are available for display but still have to be confirmed.

      5.    Display Vendor Master Data:

            The changes made are available for display.

      6.    Confirmation of change:

            The change to City falls under Vendor Master General Data.

            The change to Accounting Clerk falls under the purview of Company Code Data.

      7.    Executing the automatic payment run:

            The vendor open item is ready for the payment run (T Code: FBL1N).

            The automatic payment program is executed (T Code: F110).

            The vendor is blocked for payment due to unconfirmed changes.


3.    Customized solution


As already mentioned, Sensitive Data Field functionality provided by standard SAP is at client level and therefore applicable for all the customer and Vendor account groups existing in the system. Based on customer request, this functionality can be activated for specific account groups.

In our project, Customer and Vendor account groups have been created at country level. To fulfill the customer requirement, a custom table has been created to maintain the relevant account groups and Sensitive Data Fields.

We have also added one enhancement spot in include MF02DFEX for customers and MF02KFEX for vendors. Accordingly, Sensitive Data Field functionality has been activated at account group level.

In this way, unauthorized changes in Customer and Vendor master data can be effectively controlled thereby reducing overall business risk.
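
The control flow described in this post, modelled in Python as an added example (not SAP code and not the author's enhancement): sensitive fields are scoped per account group as in the customized solution, a change is visible at once but leaves the account unconfirmed, confirmation requires a different user, and the payment run skips unconfirmed accounts. The table contents, account groups, account numbers and user names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Stand-in for the custom table of section 3 (hypothetical contents):
# account group -> fields that are sensitive for that group only.
SENSITIVE_BY_GROUP = {"Z_US": {"city", "accounting_clerk", "payment_terms"}}


@dataclass
class Account:
    number: str
    account_group: str
    data: dict
    pending: list = field(default_factory=list)  # unconfirmed sensitive changes

    @property
    def confirmed(self):
        return not self.pending


def change_field(acct, user, name, new_value):
    """Apply a change; it is visible at once, sensitive ones await confirmation."""
    old = acct.data.get(name)
    if old == new_value:
        return
    acct.data[name] = new_value
    if name in SENSITIVE_BY_GROUP.get(acct.account_group, set()):
        acct.pending.append({"field": name, "old": old, "new": new_value, "by": user})


def confirm_changes(acct, user):
    """Four-eyes check: the confirming user must differ from every changer."""
    if any(change["by"] == user for change in acct.pending):
        raise PermissionError("changes must be confirmed by a different user")
    acct.pending.clear()


def payment_run(accounts):
    """Return (paid, skipped) account numbers; unconfirmed accounts are skipped."""
    paid = [a.number for a in accounts if a.confirmed]
    skipped = [a.number for a in accounts if not a.confirmed]
    return paid, skipped


if __name__ == "__main__":
    vendor = Account("100001", "Z_US", {"city": "Montvale", "accounting_clerk": ""})
    other = Account("200001", "Z_DE", {"city": "Berlin"})  # group not in the table
    change_field(vendor, "CLERK1", "city", "Rutherford")
    change_field(other, "CLERK1", "city", "Hamburg")
    print(payment_run([vendor, other]))  # vendor is skipped until confirmed
    confirm_changes(vendor, "SUPERVISOR1")
    print(payment_run([vendor, other]))
```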


      27 Comments
      Former Member

      Hi Seema,

      Very informative. Thanks for sharing.

      Can you please tell me where we need to maintain the Authorisation Level and the User IDs of the approving hierarchy?

      Thanks,

      M.Shiva Kumar

      Seema Saboo
      Blog Post Author

      Hello Shiva,

      Thanks for your comments.

      Maintenance of Authorization level and User ID separately is not required. This will be taken care of by Authorization roles assigned to the User ID having access to confirm the Vendor/Customer Master data changes (FK08/FK09/FD08/FD09).

      Nevertheless, changes done by one User ID cannot be confirmed with the same User ID even though access for confirmation of changes is available.

      Regards,
      Seema

      Sreekanta M

      Thanks for sharing the valuable knowledge....Good presentation......Thanks...

      Prashant Govind Rane

      Hi,

      Nice docs - Thanks!

      Is it possible to make this dual control functionality company code dependent?

      I have one scenario for small size companies where in one client we have two company codes. One company wants to use this functionality, but the other company code's business owner does not want this functionality, the reason being that in that company only 1 accounting user exists.

      B/R

      Prashant Rane

      Seema Saboo
      Blog Post Author

      Hello Prashant,

      Since in SAP the general data of the Customer master can be created with no reference to a Company code, activation of the sensitive field functionality at Company code level is not possible.

      Regards,

      Seema Saboo

      Aniket Dharmadhikari

      Good work Seema

      ' MoazzaM '

      Seema Saboo

      I liked the way you have presented this document. Though this is not possible in standard, I still want to ask: have you ever come across a requirement in which a user asks you to put some field from Sales area data into the sensitive fields? I can see that there is no field available from the KNVV table. What if we want to add some field from KNVV to the field catalogue which we have in the define sensitive fields IMG activity?

      Thank$

      Seema Saboo
      Blog Post Author

      Hi Moazza,

      Thanks for your message.

      In the custom functionality as well, if an entry is maintained in the custom table for a field with reference to table KNVV, the same will definitely work. This is applicable to all customer master data relevant tables.

      Regards,

      Seema

      Pajaczkowski Lukasz

      Hi,
      Could you explain how we can add references to KNVV using a custom table? Which objects should be modified?

      Best Regards

      Lukasz

      Shiva N

      Hi Seema,

      Can you please explain what needs to be done in program MF02KFEX in order to activate sensitive field functionality at account group level & Company Code level?

      Thanks

      Shiva

      Lakshmi Kumari Sama

      Hello Seema,

       

      Very well explained and nicely articulated the info. Thanks for sharing your knowledge.

       

      Regards,

      Lakshmi S

      Former Member

      Hi Seema,

       

      Can you please explain what needs to be done in program MF02KFEX in order to activate sensitive field functionality at account group level?

       

      Regards,

       

      Melih

      Former Member

      Hi Seema,

       

      I also need to define sensitive fields based on account group. Could you please show/explain your solution (-> enhancement in include MF02KFEX) in detail? 

       

      I would really appreciate your help!!!

       

      Kind regards,

      Nicki

      Pavan Kumar Raju Sagiraju

      Hello Nicki,

      The subroutine AUFRUF_USER_EXIT can be enhanced as below.

      Check if a new entry is added or an existing sensitive field entry is changed; if so, update the below flags.

               lfa1-confs = '1'.

               kred-xadspl = 'X' (for general data) or kred-xbdspl = 'X' (for company code data)

      Indicating confirmation has to happen by setting the above flags.

      Change in include MF01AINT:

      The subroutine KRITAB_FUELLEN can be enhanced as below.

      Here append the table kritab mentioning all the additional sensitive fields information, so that the system understands these are sensitive fields.

      This will display the new fields in FK08 when the display sensitive fields button is clicked.

      Change in include MF02KFS0:

      The subroutine SENSIBLE_FELDER can be enhanced as below.

      Mark the flag p_xsensibel = 'X' for all the new sensitive fields.

      This will make the confirm button enabled in FK08.

      Regards,

      Pavan Kumar.

      Shiva N

      Hi Pavan Kumar,

      I am also facing the same issue. The client wants sensitive fields activated specifically for one Vendor Account group and Company codes. How can I build the logic?

      I would really appreciate your help!!!

      Thanks

      Shiva

      Shiva N

      Hi Nicki,

      I am also facing the same issue. The client wants sensitive fields activated specifically for one Vendor Account group and Company codes.

      Please provide the information on how you achieved this.

      I would really appreciate your help!!!

      Thanks

      Shiva

      Dibyendu Patra

      Shivaji,

       

      Please use discussion to ask a question. Comment portion is used to give a review of a document/blog.

      Former Member

      Hello Seema,

       

      Very informative Document. Thanks for Sharing.

       

      Regards,

      Mukesh

      Sree Kumar Nair

      Well written useful document..

       

      Thanks

      Swapnil Rane

      Dear Seema,

      Thank you for the very useful information.

      We have a requirement that, along with the AC block, the user should not be able to create any document related to that customer (Overall block XD05).

      Is there any way by which we can achieve an Overall block for Sensitive fields changes in SAP?

      Thanks

      Former Member

      Explained in great detail. This is very helpful. Thanks for sharing.

      Former Member

      Hey guys,

       

      For #3 Customized Solution, it doesn't say how to actually do it, so I found a way to do it via an enhancement implementation, hopefully my blog post will help you:

       

      How to activate sensitive fields for a specific vendor account group/company code

       

      Regards,

      Scott

      Amit Kumar

      Dear SAP experts,

      Nice blog

       

      Could you please guide how to do a mass upload

      How to deactivate this workflow for FK08/FD08 during mass load?

       

      With regards,

      Amit Kumar

      Nagarajan Narayanaswamy

      Hi,

      Thank you for the detailed information. Can we have the sensitive control activated for one time vendors also? I mean, during transaction if the one time vendor's bank information is entered, can we have dual control for that as well?

      regards

      Nagarajan

      Oceans Blue

      Hello,

      I did maintain a vendor for dual confirmation, but I did not get the error warning during the payment run via F110 like the understated screenshot.

      What is needed to get the warning in the log for the F110 run?

      Ganesh Naidu

      Hi Seema,

      Thanks for this article.

      But payment is blocked only in the F110 tcode. The user can do payment by F-53, F-48. How to restrict vendor payment from all payment related tcodes?

      Ganesh

      Gavin Monteiro

      Helpful Blog!