on 07-07-2010 9:00 AM
I have a problem related to risk analysis at permission level when V_VBAK_AAT||AUART is activated in two functions of my customized GRC rule-set (VIRSA_CC_FUNCPRM) for controlling some "document types" for tcodes VA01 and VA02. When I execute this customization in RAR, the system says "No match / No conflicts" for the risks where these functions appear; however, performing some queries in the back-end systems, I have realized there are more than 80 users in conflict for some of them, given the fact that they have value '*' in object/field V_VBAK_AAT||AUART.
At first I thought it would most probably be related to the fact that these functions are part of risks that combine 3 and 4 functions at the same time, with OR logic activated in document types, but when I searched for the rules generated for these risks I noticed that only 34.000 rules were generated, and this does not exceed the limit of 45566 rules defined in RAR. Anyway, I performed some tests reducing the number of possible combinations and, basically, whenever the following line is activated, the outcome is "no conflicts":
D VIRSA_CC_FUNCPRM FN15 VA01 GRC-C21 V_VBAK_AAT||AUART ZSO ZSO OR 0 null
If this line is disabled, then, several users with conflicts are reported. As mentioned above, these users have value '*' for object/field V_VBAK_AAT||AUART, so I do not understand why those users are not reported when the line above is activated.
I have done the following checks, all of them correct:
- The user/role/profile synchronization has been done and all the users have been stored in table VIRSA_CC_
- All the lines in VIRSA_CC_FUNCPRM part of my customized rule-set have been correctly inserted in the same Oracle table
- All the combinations of rules have been created (including VA01 and VA02 with V_VBAK_AAT||AUART)
Any suggestions?
Thanks in advance
I've detected the same problem for the following authorization objects:
- F_BKPF_BLA||BRGRU
- V_VBRK_FKA||FKART
- M_MSEG_BWE||WERKS
RAR reports no conflicts (at authorization level) when these objects are activated (of course having users with these conflicts in back-end systems).
This problem has been proven in the installation of a different customer with SAP GRC Access Control 5.3 SP12.
Has anybody else experienced this issue?