on 12-18-2008 11:35 AM
Hi,
my user has the following access.
In role A she has P_ORGINCON with the following values, read access:
AUTHC  M, R
INFTY  0001, 0002, 0024, 0041, 9010
PERSA  *
PERSG  *
PERSK  *  (employee subgroups)
PROFL  ZZ_ALL
SUBTY  *
VDSK1  *
In role B she has P_ORGIN with the following values, read access:
AUTHC  M, R
INFTY  0001, 0002, 0003, 0006, 0007, 0025, 0032, 0034, 0041, 2001, 2002, 2003, 2004, 9010, 9015
PERSA  *
PERSG  *
PERSK  Z0, Z1, Z2, Z8, ZB, ZD, ZE, ZF, ZJ, ZK, ZL, ZM, ZN, ZP
PROFL  ZZ_ALL
SUBTY  *
VDSK1  *
When she tries to display any infotype NOT included in role A (e.g. IT06), for any subgroup which is NOT in group B (e.g. Z3), she can do it! Security gap!!
Is it because SAP will combine the authorisations, no matter what the individual limitations are?
Thanks for any help. We really need to find a solution for this.
Nadia
> Is it because SAP will combine the authorisations, no matter what the individual limitations are?
That should not happen. I would suggest running a trace while the user accesses one of these 'prohibited' infotypes.
The trace is quite long, but this is the part related specifically to IT06:
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;PROFL=*;
P_ORGINCON RC=0 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;PROFL= ;
P_ORGINCON RC=0 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;PROFL= ;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL= ;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ZZ_ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ZZ_ORM;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ZZ_ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ZZ_ORM;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ORM;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ORM;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ORM;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BECAAA;PROFL=ZZ_ORM;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEDAAA;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEDAAA;PROFL=ZZ_ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEDAAA;PROFL=ZZ_ORM;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_A
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_O
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_A
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_O
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z3;VDSK1=CNAT2HRHR;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z3;VDSK1=CNAT2HRHR;PROFL=ZZ_A
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z3;VDSK1=CNAT2HRHR;PROFL=ZZ_O
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z0;VDSK1=CNAT2CELT;PROFL=ALL;
P_ORGINCON RC=0 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z0;VDSK1=CNAT2CELT;PROFL=ZZ_A
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z0;VDSK1=CNAT2CELT;PROFL=ZZ_O
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ALL;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_A
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BNAT1HRHR;PROFL=ZZ_O
Well. There is one check in there that is successful:
P_ORGINCON RC=0 INFTY=0006; SUBTY=' '; AUTHC=R; PERSA=NERE; PERSG=1; PERSK=Z0; VDSK1=CNAT2CELT; PROFL=ZZ_A
This indeed confirms that, while the user does not appear to have authorizations for INFTY 0006, she is still able to display the data. Authorization restrictions for the 'PROFL' field are observed, however.
Please verify that (a) you have entered a range in 'INFTY' field of P_ORGINCON for role A and (b) that none of the other roles assigned to the user contain auth. obj. P_ORGINCON.
Edited by: Martinsh Shaiters on Dec 18, 2008 3:06 PM
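To make the review Martinsh describes repeatable (find the RC=0 checks in the trace and ask whether the documented P_ORGINCON authorization of role A could have produced them), here is an added Python example. It is not code from the thread or from SAP; it parses trace lines in the `OBJECT RC=n FIELD=value;...` form shown above and applies a simplified model of the authorization check (every field of one authorization must match, `*` matches anything; ranges and patterns are not modelled). The sample lines are a subset copied from the trace posted above, including one that the page shows truncated (`PROFL=ZZ_A`); the role A values are those from the opening post.

```python
import re

# Subset of the trace lines posted above (constructed sample input).
# The last two lines are truncated on the page itself (PROFL=ZZ_A / ZZ_O).
TRACE_LINES = """\
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=;PERSG=;PERSK=;VDSK1=;PROFL=*;
P_ORGINCON RC=0 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA= ;PERSG= ;PERSK= ;VDSK1= ;PROFL= ;
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NARE;PERSG=1;PERSK=Z3;VDSK1=BEECAA;PROFL=ZZ_ALL;
P_ORGINCON RC=0 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z0;VDSK1=CNAT2CELT;PROFL=ZZ_A
P_ORGINCON RC=4 INFTY=0006;SUBTY=' ';AUTHC=R;PERSA=NERE;PERSG=1;PERSK=Z0;VDSK1=CNAT2CELT;PROFL=ZZ_O
""".splitlines()

# Role A's P_ORGINCON authorization exactly as listed in the opening post.
ROLE_A_P_ORGINCON = {
    "AUTHC": {"M", "R"},
    "INFTY": {"0001", "0002", "0024", "0041", "9010"},
    "PERSA": {"*"}, "PERSG": {"*"}, "PERSK": {"*"},
    "PROFL": {"ZZ_ALL"}, "SUBTY": {"*"}, "VDSK1": {"*"},
}

LINE_RE = re.compile(r"^(?P<obj>\S+)\s+RC=(?P<rc>\d+)\s+(?P<fields>.*)$")


def parse_trace_line(line):
    """Parse one 'OBJECT RC=n FIELD=value;...' line into a dict.
    Quoted blanks such as SUBTY=' ' become the empty string."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        fields[key.strip()] = value.strip().strip("'").strip()
    return {"object": m.group("obj"), "rc": int(m.group("rc")), "fields": fields}


def field_matches(allowed, value):
    """Simplified single-field check: '*' in the authorization matches any
    requested value; otherwise the value must be one of the listed values."""
    return "*" in allowed or value in allowed


def authorization_matches(auth, fields):
    """A request passes one authorization only if every requested field
    matches that same authorization (fields are never mixed across roles)."""
    return all(field_matches(auth.get(k, set()), v) for k, v in fields.items())


def unexplained_successes(lines, authorizations):
    """Return the RC=0 checks that none of the given authorizations would
    have passed. Each of these needs an explanation, e.g. a further role
    carrying P_ORGINCON, before the trace can be signed off."""
    out = []
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None or rec["rc"] != 0:
            continue
        if not any(authorization_matches(a, rec["fields"]) for a in authorizations):
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in unexplained_successes(TRACE_LINES, [ROLE_A_P_ORGINCON]):
        print("RC=0 not explained by role A:", rec["fields"])
```

Run against the sample lines, both RC=0 checks come back as unexplained, because role A's INFTY list does not contain 0006; that is the same conclusion the reply above reaches, and the list of unexplained lines is what you would compare against the user's remaining roles (SUIM or the user's role assignments) to find where the extra P_ORGINCON authorization comes from.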