on 11-05-2009 3:22 AM
Hi,
I have a few questions regarding when the conflicts occur based on the values and conditions in the permission section.
For example: under the permission tab for t-code SE09, the auth. object S_TRANSPRT has
Field  Value From  Value To  Condition  Status
----
ACTVT  01          02        OR         ENABLE
ACTVT  05          90        OR         ENABLE
ACTVT  02                    AND        ENABLE
ACTVT  06                    AND        DISABLE
ACTVT  01          02        OR         ENABLE
TTYPE  PIEC                  OR         ENABLE
TTYPE  TASK                  OR         ENABLE
What do OR and AND in the Condition column mean? Does a conflict occur if any value in the range 05 - 90 is given in the S_TRANSPRT object, or just for the values 05 and 09?
For example, the conflict between SE09 and STMS:
1. If I remove STMS, I am getting 0 conflicts.
2. If I remove the values 01-02 and the range 05-90, I am getting 0 conflicts.
3. If I give just 03 (display) and 60 (import) {which falls in the range of 05-90}, I am getting some conflicts.
Are the risks occurring between the inner values, like lock-copy with PIEC or TASK?
Transaction Code Check at Transaction Start Transaction Code Transport Organizer (SE09)
Transaction Code Check at Transaction Start Transaction Code Transport Management System (STMS)
S_TRANSPRT : Transport Organizer ACTVT : Activity Lock - Copy
S_TRANSPRT : Transport Organizer TTYPE : Request Type (Change and Transport System) PIEC
S_TRANSPRT : Transport Organizer TTYPE : Request Type (Change and Transport System) TASK
S_C_FUNCT : C calls in ABAP programs ACTVT : Activity Execute
S_DATASET : Authorization for file access ACTVT : Activity Write with filter
S_DATASET : Authorization for file access ACTVT : Activity Delete
S_DATASET : Authorization for file access ACTVT : Activity Write
S_RZL_ADM : CCMS: System Administration ACTVT : Activity Create or generate
S_RFC : Authorization Check for RFC Access ACTVT : Activity Execute
For S_TABU_DIS
Field  Value From  Value To  Condition  Status
----
ACTVT  01          02        AND        ENABLE
Does the risk occur if the auth. object has both 01 and 02, as it has the AND condition? (The risk also occurs if I give only the 02 value.) So, I am confused about "AND" and "OR". Can someone help, please? Thanks
Edited by: crvr sap on Nov 5, 2009 4:49 AM
Hi,
SAP GRC does not allow a mix of AND and OR for multiple values of the same field within an authorization object group.
If we set the values of an authorization object like below,
ACTVT 01 AND
ACTVT 03 AND
ACTVT 04 OR
ACTVT 05 OR
the system will automatically replace AND with OR as below once you save the Function.
ACTVT 01 OR
ACTVT 03 OR
ACTVT 04 OR
ACTVT 05 OR
It is always recommended to use the below approach while creating/changing the SOD rules for multiple values of the same field within an object group.
1. Only AND (in all multiple field values of an object).
2. Only OR (in all multiple field values of an object).
Does the risk occur if the auth. object has both 01 and 02, as it has the AND condition? (The risk also occurs if I give only the 02 value.) So, I am confused about "AND" and "OR"?
For more information, go through SAP OSS note no. 1330165.
or
https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1330165
Note: If you have a Service Marketplace ID, then you will be able to see it.
This is a little confusing, but it works in this way -
Hi,
The below will happen -
You have given e.g.
t-code se09 the auth.object S_TRANSPRT
ACTVT 01 02 OR ENABLE
ACTVT 05 90 OR ENABLE
ACTVT 02 AND ENABLE (obsolete because it is in row one)
ACTVT 06 AND DISABLE (obsolete as in row 2)
ACTVT 01 02 OR ENABLE (obsolete as it is in row 1)
TTYPE PIEC OR ENABLE
TTYPE TASK OR ENABLE
In the above case, any role having an ACTVT value in the 01-02 or 05-90 range (any one value or more than one) with TTYPE PIEC or TASK will come up as a risk.
AND was initially given to combine two values. If you want to show a risk only when both the 01 and 02 values are in ACTVT, then it should be configured as
ACTVT 01 AND
ACTVT 02 AND
Also, when two different fields are configured in a risk, by default it will be an AND combination; that is, both field values must be met to make it a risk. Even if you put OR, it will still take it as AND.
In the above case, if you put
TTYPE PIEC OR ENABLE
or,
TTYPE PIEC AND ENABLE, it will combine with the ACTVT field. But if you put both -
TTYPE PIEC AND ENABLE
TTYPE TASK AND ENABLE
then both of the above values should be met together with the ACTVT field.
Please correct me if I am wrong.
Regards,
Sabita
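Added example, not part of the thread and not SAP code: a small Python model of how the replies above describe the permission rows of one authorization object being evaluated (mixed AND/OR within a field saved as OR, a range row hit by any value inside it, different fields always ANDed). The function names, the role format and the skipping of DISABLE rows are assumptions made for illustration.

```python
from collections import defaultdict

# Rows copied from the question: (field, value_from, value_to, condition, status)
S_TRANSPRT = [
    ("ACTVT", "01", "02", "OR", "ENABLE"),
    ("ACTVT", "05", "90", "OR", "ENABLE"),
    ("ACTVT", "02", None, "AND", "ENABLE"),
    ("ACTVT", "06", None, "AND", "DISABLE"),
    ("ACTVT", "01", "02", "OR", "ENABLE"),
    ("TTYPE", "PIEC", None, "OR", "ENABLE"),
    ("TTYPE", "TASK", None, "OR", "ENABLE"),
]
S_TABU_DIS = [("ACTVT", "01", "02", "AND", "ENABLE")]      # one range row
BOTH_01_AND_02 = [("ACTVT", "01", None, "AND", "ENABLE"),  # two single-value rows
                  ("ACTVT", "02", None, "AND", "ENABLE")]

def normalise(rows):
    """Group enabled rows per field; a field mixing AND and OR is saved as all OR."""
    groups = defaultdict(list)
    for field, lo, hi, cond, status in rows:
        if status == "ENABLE":               # assumption: DISABLE rows are skipped
            groups[field].append((lo, hi or lo, cond))
    return {field: ("AND" if {c for _, _, c in items} == {"AND"} else "OR",
                    [(lo, hi) for lo, hi, _ in items])
            for field, items in groups.items()}

def permission_matches(rows, role):
    """role maps field -> set of values the role holds for this object."""
    for field, (mode, ranges) in normalise(rows).items():
        held = role.get(field, set())
        # A row is hit when any held value lies in its From-To range
        # (fixed-width values, so string comparison orders them correctly).
        hits = [any(lo <= v <= hi for v in held) for lo, hi in ranges]
        if not (all(hits) if mode == "AND" else any(hits)):
            return False                     # different fields are always ANDed
    return True

if __name__ == "__main__":
    print(permission_matches(S_TRANSPRT, {"ACTVT": {"03", "60"}, "TTYPE": {"TASK"}}))
    print(permission_matches(S_TRANSPRT, {"ACTVT": {"03"}, "TTYPE": {"TASK"}}))
    print(permission_matches(S_TABU_DIS, {"ACTVT": {"02"}}))
    print(permission_matches(BOTH_01_AND_02, {"ACTVT": {"02"}}))
```

The model covers one object's permission rows only; whether a risk is reported also depends on the other functions and actions in the rule set.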