
Conditions "AND" and "OR" in Permission

Former Member
0 Kudos

Hi,

I have a few questions regarding when conflicts occur based on the values and conditions in the permission section.

For e.g.: Under the permission tab for t-code se09, the auth. object S_TRANSPRT has

Field Value From Value To Condition Status

----

ACTVT 01 02 OR ENABLE

ACTVT 05 90 OR ENABLE

ACTVT 02 AND ENABLE

ACTVT 06 AND DISABLE

ACTVT 01 02 OR ENABLE

TTYPE PIEC OR ENABLE

TTYPE TASK OR ENABLE

What do the OR and AND values in the Condition column mean? Does a conflict occur if any value in the range 05 - 90 is given in the S_TRANSPRT object, or just for the values 05 and 09?

For e.g.: conflict b/w SE09 and STMS,

1. If I remove STMS I am getting 0 conflicts.

2. If I remove values 01-02 and the range 05-90 I am getting 0 conflicts.

3. If I give just 03 (display) and 60 (import) {which falls in the range of 05-90} I am getting some conflicts.

Are the risks occurring between the inner values, like lock-copy with PIEC or TASK?

Transaction Code Check at Transaction Start Transaction Code Transport Organizer (SE09)

Transaction Code Check at Transaction Start Transaction Code Transport Management System (STMS)

S_TRANSPRT : Transport Organizer ACTVT : Activity Lock - Copy

S_TRANSPRT : Transport Organizer TTYPE : Request Type (Change and Transport System) PIEC

S_TRANSPRT : Transport Organizer TTYPE : Request Type (Change and Transport System) TASK

S_C_FUNCT : C calls in ABAP programs ACTVT : Activity Execute

S_DATASET : Authorization for file access ACTVT : Activity Write with filter

S_DATASET : Authorization for file access ACTVT : Activity Delete

S_DATASET : Authorization for file access ACTVT : Activity Write

S_RZL_ADM : CCMS: System Administration ACTVT : Activity Create or generate

S_RFC : Authorization Check for RFC Access ACTVT : Activity Execute

For S_TABU_DIS

Field Value From Value To Condition Status

----

ACTVT 01 02 AND ENABLE

Does the risk occur if the auth. object has both 01 and 02, as it has the AND condition? (The risk also occurs if I give only the 02 value.) So, I am confused about "AND" and "OR". Can someone help please? Thanks

Edited by: crvr sap on Nov 5, 2009 4:49 AM

Accepted Solutions (1)


Former Member
0 Kudos

Hi,

SAP GRC does not allow a mix of AND and OR for multiple values of the same field within an authorization object group.

If we set the values of an Authorization object like below,

ACTVT 01 AND

ACTVT 03 AND

ACTVT 04 OR

ACTVT 05 OR

System will automatically replace AND with OR as below, once you save the Function.

ACTVT 01 OR

ACTVT 03 OR

ACTVT 04 OR

ACTVT 05 OR

It is always recommended to use the below approach while creating/changing the SOD rules for multiple values of the same field within an object group.

1. Only AND (in all multiple field values of an object).

2. Only OR (in all multiple field values of an object).

Does the risk occur if the auth.object has both 01 and 02 as it has AND condition? (the risk also occurs if I give only 02 value) So, I am confused about "AND" and "OR"?

For more information, go through SAP OSS note no. 1330165.

or

https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=1330165

Note: If you have a Service Marketplace ID, then you will be able to see it.

Former Member
0 Kudos

This is also a problem when you need to look for a combination of AND and OR in the same field e.g.

you need ACTVT 03 as well as either 02 OR 01.

Currently, this is not possible within the RAR configuration, but I have heard rumours that this may be looked at in GRC10.

Answers (1)


Former Member
0 Kudos

This is a little confusing but it works in this way-

Hi,

Below will happen-

You have given e.g.

t-code se09 the auth.object S_TRANSPRT

ACTVT 01 02 OR ENABLE

ACTVT 05 90 OR ENABLE

ACTVT 02 AND ENABLE (obsolete because it is in row one)

ACTVT 06 AND DISABLE (obsolete as in row 2)

ACTVT 01 02 OR ENABLE (obsolete as it is in row 1)

TTYPE PIEC OR ENABLE

TTYPE TASK OR ENABLE

-


In the above case, any role having an ACTVT value in the 01-02 or 05-90 range (any one value or more than one) with TTYPE PIEC or TASK will come up as a risk.

AND was initially given to combine two values. If you want to show a risk only when it is both 01 and 02 value in ACTVT, then it should be configured as

ACTVT - 01 AND

ACTVT 02 AND

Also, when two different fields are configured in a risk, by default it will be an AND combination, so to say both field values must meet to make it a risk. Even if you put OR, it will still take it as AND.

In above case if you put

TTYPE PIEC OR ENABLE

or,

TTYPE PIEC AND ENABLE it will combine with ACTVT field. But if you put both -

TTYPE PIEC AND ENABLE

TTYPE TASK AND ENABLE

Then above both values should meet with ACTVT field.

Please correct me if I am wrong.

Regards,

Sabita
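
The evaluation rules described in the answers above (OR on a field means any row may match, AND means every row must match, a mix on one field is saved as all-OR, and different fields always combine with AND), written out as an added Python sketch that is not SAP's code and not part of the original posts. It assumes that rows with status DISABLE are skipped and that a From/To range on a single row is met by any value inside it; `normalize`, `permission_matches` and the sample roles are hypothetical names and constructed data.

```python
from collections import defaultdict

# Constructed from the S_TRANSPRT rows quoted in the thread:
# (field, value_from, value_to, condition, status)
SE09_ROWS = [
    ("ACTVT", "01", "02", "OR", "ENABLE"),
    ("ACTVT", "05", "90", "OR", "ENABLE"),
    ("ACTVT", "02", "", "AND", "ENABLE"),
    ("ACTVT", "06", "", "AND", "DISABLE"),
    ("ACTVT", "01", "02", "OR", "ENABLE"),
    ("TTYPE", "PIEC", "", "OR", "ENABLE"),
    ("TTYPE", "TASK", "", "OR", "ENABLE"),
]

def normalize(rows):
    """Group enabled rows per field; a field mixing AND and OR is treated as all-OR."""
    by_field = defaultdict(list)
    for field, lo, hi, cond, status in rows:
        if status != "ENABLE":          # assumption: disabled rows are not evaluated
            continue
        by_field[field].append((lo, hi or lo, cond))
    rules = {}
    for field, entries in by_field.items():
        mode = "AND" if {c for _, _, c in entries} == {"AND"} else "OR"
        rules[field] = (mode, [(lo, hi) for lo, hi, _ in entries])
    return rules

def permission_matches(rows, role_values):
    """True if the role's field values satisfy the function's permission rows."""
    for field, (mode, ranges) in normalize(rows).items():
        held = role_values.get(field, set())
        # assumption: a From/To range on one row is met by any held value inside it
        hits = [any(lo <= v <= hi for v in held) for lo, hi in ranges]
        if not (all(hits) if mode == "AND" else any(hits)):
            return False                # different fields always combine with AND
    return True

# Constructed roles and rows for illustration
ROLE_IMPORT = {"ACTVT": {"03", "60"}, "TTYPE": {"TASK"}}   # 60 falls in 05-90
ROLE_DISPLAY = {"ACTVT": {"03"}, "TTYPE": {"TASK"}}        # 03 is outside both ranges
BOTH_AND = [("ACTVT", "01", "", "AND", "ENABLE"), ("ACTVT", "02", "", "AND", "ENABLE")]

if __name__ == "__main__":
    print(permission_matches(SE09_ROWS, ROLE_IMPORT))
    print(permission_matches(SE09_ROWS, ROLE_DISPLAY))
    print(permission_matches(BOTH_AND, {"ACTVT": {"02"}}))
```

This models the permission match for one function only; a risk is reported when the role also matches the conflicting function (STMS in the question).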