
RAR for BCS

Former Member

Hi Guys,

I am working on a ruleset for BCS and as part of this there is an SoD between Submission and Signoff for a particular company code.

This is all related to a single authorisation object (R_UC_TASK).

Submission is made up of the following:

| Tcode | Auth Obj | Field | Value |
|-------|----------|-------|-------|
| UCMON | R_UC_TASK | ACTVT | 16 |
| UCMON | R_UC_TASK | TASK | SUBMITGRP |
| UCMON | R_UC_TASK | TASK_FLD2 | Company code |

Signoff is made up of the following:

| Tcode | Auth Obj | Field | Value |
|-------|----------|-------|-------|
| UCMON | R_UC_TASK | ACTVT | 16 |
| UCMON | R_UC_TASK | TASK | ZSIGN* |
| UCMON | R_UC_TASK | TASK_FLD2 | Company code |

The SOD is only an issue when the person can perform both functions for the SAME Company code.

In ERP, this could be generated into an ORG unit and we could configure RAR to consider this via the Org Rules. The only way I can think of to do this for BW is to effectively create a function for Submit for every company code and also a function for every Sign off. These can then be configured individually as risks.

I have no desire to be hard coding in the Company code into the rules as that will have massive maintenance efforts and duplication of effort not to mention the potential performance impact on running the risk analysis.

If you can think of a better way of achieving this, I'm open to suggestions.

Simon

Accepted Solutions (1)


Former Member

Hello Simon,

What I could understand from your problem is that you do not want to enter each and every company code into the rules so that they give you correct SoD results instead of false positives, which exist when a person cannot perform the functions in the same company code but it still shows as a violation. If this is correct, then you do not need to put each and every company code in the function's permission object. All you need to do is put a $ sign in front of the org value. For example, for BUKRS, ideally you would replace it with the exact company code in the rules. However, when you put it as $BUKRS instead of the exact value in the function permission, the system will automatically substitute the exact value of the company code in place of $BUKRS when performing risk analysis. So if a user has multiple company code values associated with them, at run time the system will automatically replace $BUKRS with each and every one of them, one by one, to conduct risk analysis based on each and every company code, and will show the result.

This way you are saved from the effort of duplicating the function permission and putting each and every company code value there.

Hope it helps.

Regards, Varun

Answers (1)


Former Member

Hello Simon,

Here is the link to the documentation about org rules:

https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/805a8744-42ab-2a10-5194-b45be270...

This document should tell you exactly how you need to modify function permissions so that you do not have to put every org level value in them.

Regards, Varun

Former Member

Hi Varun,

Thanks for this. I already knew about Org levels but this is restricted to the ERP ones! I don't see how we can do this for BCS fields which are not set up as org level values.

If the backend authorisations are not already set as Org Levels, then RAR will not treat them as such. For the ERP side of things, this works but this does not seem to be available for the BCS side of things.

Effectively I would be looking for $TASK_FLD2 within the Auth object R_UC_TASK, but this is just a standard text field, not an org level.

Simon
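
The condition from the question (Submission and Signoff granted for the same TASK_FLD2 value), as an added example that is not part of the thread and is not RAR functionality: it evaluates the check outside RAR over a constructed authorization extract. The extract layout, user names and company codes are assumptions; only single values and trailing-`*` patterns are handled, not ranges.

```python
from collections import defaultdict

# Functions from the question: ACTVT 16 plus a TASK value on R_UC_TASK.
FUNCTIONS = {
    "Submission": {"ACTVT": "16", "TASK": "SUBMITGRP"},
    "Signoff": {"ACTVT": "16", "TASK": "ZSIGN*"},
}
# Constructed sample: (user, one R_UC_TASK authorization with its field values).
SAMPLE_AUTHS = [
    ("ALICE", {"ACTVT": ["16"], "TASK": ["SUBMITGRP"], "TASK_FLD2": ["1000", "2000"]}),
    ("ALICE", {"ACTVT": ["16"], "TASK": ["ZSIGN01"], "TASK_FLD2": ["2000"]}),
    ("BOB", {"ACTVT": ["16"], "TASK": ["SUBMITGRP"], "TASK_FLD2": ["1000"]}),
    ("BOB", {"ACTVT": ["16"], "TASK": ["ZSIGN01"], "TASK_FLD2": ["3000"]}),
    ("CAROL", {"ACTVT": ["03"], "TASK": ["SUBMITGRP"], "TASK_FLD2": ["1000"]}),
    ("CAROL", {"ACTVT": ["16"], "TASK": ["ZSIGN*"], "TASK_FLD2": ["*"]}),
    ("DAVE", {"ACTVT": ["16"], "TASK": ["*"], "TASK_FLD2": ["4000"]}),
]

def overlaps(a, b):
    """True if two values, each optionally ending in '*', can match the same string."""
    pa, pb = a.rstrip("*"), b.rstrip("*")
    if a.endswith("*") and b.endswith("*"):
        return pa.startswith(pb) or pb.startswith(pa)
    if a.endswith("*"):
        return pb.startswith(pa)
    if b.endswith("*"):
        return pa.startswith(pb)
    return pa == pb

def codes_by_function(auths):
    """Map user -> function -> TASK_FLD2 values, matching fields within one authorization."""
    found = defaultdict(lambda: defaultdict(set))
    for user, auth in auths:
        for name, rule in FUNCTIONS.items():
            if all(any(overlaps(v, want) for v in auth.get(field, []))
                   for field, want in rule.items()):
                found[user][name].update(auth.get("TASK_FLD2", []))
    return found

def sod_conflicts(auths):
    """Return {user: sorted company codes} where Submission and Signoff overlap."""
    conflicts = {}
    for user, funcs in codes_by_function(auths).items():
        hits = {max(s, g, key=lambda v: (not v.endswith("*"), len(v)))
                for s in funcs["Submission"] for g in funcs["Signoff"] if overlaps(s, g)}
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts

print(sod_conflicts(SAMPLE_AUTHS))
```

BOB holds both functions but for different company codes, so he is not reported; DAVE is reported because a single `TASK` value of `*` satisfies both functions for 4000.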