on 09-14-2009 3:45 AM
Hi ,
We would like to confirm whether our understanding is correct in analysing the SoD analysis reports at Permission Level
Below is an example on how functions are configured at permission level
Under Function 0C0004 we have t-code as below
VA01 - Create Sales Order with Auth Objects
B_USER_STAT - ACTVT 01 AND
ACTVT 06 AND
K_CKBS_CO-PC - ACTVT 01 AND
ACTVT 06 AND
V_VBAK_AAT - ACTVT 01 AND 02 AND 06 etc.,
Similarly we have another Function GA0001 with t-code as below
F-03- Clear G/L Account
F_BKPF_BLA - ACTVT 01 AND
F_BKPF_BUK - ACTVT 01 AND
F_BKPF_KOA - ACTVT 01 AND
We have defined Risk betwee GA0001 & OC0004 with RISK ID 0045.
Does this means that a User / Role which are having t-code VA01 with the above permission values should be thrown as a conflict if the same user/ role is having t-code F-03 with the above permission values.
Do we need to understand the conflicts are only between two transaction codes and their permission values? or
Do we need to understand within the transaction code permission values also there are conflicts i.e. if a user is having 01,02 & 06 for V_VBAK_AAT in VA01 also.
When SoD reports are thrown for a User/ Role it just provides the Rule ID number and the t-codes conflicting followed by the permission values of the t-codes as below
004500101 : Transaction Code Check at Transaction Start Transaction Code Create Sales Order (VA01) OC00004
004500101 : Transaction Code Check at Transaction Start Transaction Code Clear G/L Account (F-03) OCA00001
004500101: B_USERSTAT : ACTVT : Activity Delete(06) OC00004
004500101: F_BKPF_BLA : ACTVT : Activity Create or generate(01) GA00001
004500101: B_USERSTAT : ACTVT : Activity Create or generate(01) OC00004
004500101: F_BKPF_KOA : ACTVT : Activity Create or generate(01) GA00001
004500101: V_VBAK_VKO : ACTVT : Activity Create or generate(01) OC00004
In the above scenario what exactly we need to understand ? Whether the conflicts are between t-codes & their respective permission values or the conflicts are intra conflicts i.e between permission values as well? User should not posses both 01 & 06 for Auth Object B_USERSTAT and remove the access to any of them.
Please provide your suggestions in our understanding.
Thanks and Best Regards,
Srihari.K
Hi Sri,
In RAR the conflict is always between Actions not permission. Permission level data is only for your info. All permission level details out of the box are not configured you have to activate it and fill in the value in the field. Now based on the value you feed in it will pull out the details.
eg: if you enter * it will show all values, If you enter 01 it will show all values with 01.
So to summarize the permission level details you need to configure based on needs and are not linked to conflicts they just show AS IS permission level details.
Thanks,
Darshan
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Sri,
Just go through with the SAP Note# 1223759.
I hope it would be helpful to you.
Regards,
Mohit
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi,
https://websmp209.sap-ag.de/~form/handler?_APP=01100107900000000342&_EVENT=REDIR&_NNUM=1223759
PS : You need to have Service market place id to access this message.
Cheers !!
Zaheer
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.