07-15-2010 11:22 AM
Dear experts,
I find something strange in the SUIM report.
I created a role and assigned values; when I searched using SUIM to check the result, the result was not what I expected.
Below are the steps:
1) Create a role, named 'ztest', assign t-code va01 in menu tab, and then choose 'change authorization data' in authorization tab.
2) Configure the authorization field value in authorization object 'v_vbak_vko' as below:
V_VBAK_VKO:
ACTVT 01
SPART *
VKORG 1000
VTWEG *
3) Save and generate profile.
4) Using SUIM to check the result, Roles -> Roles by Complex Selection Criteria,
Enter the role name in 'Standard selection -> role',
Enter the authorization object 'v_vbak_vko' in 'Selection according to authorization values -> Object 1',
Click 'Entry values', enter '1000' in 'Sales Organization' & '02' in 'Activity'; 'Distribution Channel' & 'Division' are left blank.
5) I have tested this scenario in R/3 Enterprise, where the role 'ztest' is not shown, but now with this scenario in ECC6, the role 'ztest' is shown.
I cannot believe it. Has it changed in ECC6, or is it a bug in our system?
My system's 'SAP_BASIS' release is 700, and the support package level is 0009.
I look forward to your kind help; thank you in advance.
Best Regards!
Brian Li
SAP GRC Consultant
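An independent cross-check of the result expected in step 5, as an added example that is not part of the original post or SAP's code: it models which roles should match a search by authorization values. It assumes the role data was exported from table AGR_1251 with organizational-level variables already resolved to values; the rows, the AUTH names and the roles ZRANGE and ZSPLIT are constructed, and the matching rule is a simplified model, not SUIM's own logic.

```python
from collections import defaultdict

# Constructed rows shaped like an AGR_1251 export:
# (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH). ZTEST mirrors the post;
# ZRANGE, ZSPLIT and all AUTH names are hypothetical.
ROWS = [
    ("ZTEST",  "V_VBAK_VKO", "AUTH_A", "ACTVT", "01",   ""),
    ("ZTEST",  "V_VBAK_VKO", "AUTH_A", "SPART", "*",    ""),
    ("ZTEST",  "V_VBAK_VKO", "AUTH_A", "VKORG", "1000", ""),
    ("ZTEST",  "V_VBAK_VKO", "AUTH_A", "VTWEG", "*",    ""),
    ("ZRANGE", "V_VBAK_VKO", "AUTH_B", "ACTVT", "01",   "03"),
    ("ZRANGE", "V_VBAK_VKO", "AUTH_B", "VKORG", "1000", ""),
    # Two instances in one role: 02 and 1000 never occur together.
    ("ZSPLIT", "V_VBAK_VKO", "AUTH_C", "ACTVT", "02",   ""),
    ("ZSPLIT", "V_VBAK_VKO", "AUTH_C", "VKORG", "2000", ""),
    ("ZSPLIT", "V_VBAK_VKO", "AUTH_D", "ACTVT", "01",   ""),
    ("ZSPLIT", "V_VBAK_VKO", "AUTH_D", "VKORG", "1000", ""),
]


def covers(low, high, wanted):
    """True if one LOW/HIGH entry covers the wanted value."""
    if high:  # interval; plain string compare is fine for equal-length values
        return low <= wanted <= high
    if low.endswith("*"):  # full or trailing wildcard
        return wanted.startswith(low[:-1])
    return low == wanted


def roles_granting(rows, obj, wanted):
    """Roles where a single authorization instance of obj covers every
    wanted field value; fields left blank in the search are omitted."""
    instances = defaultdict(lambda: defaultdict(list))
    for role, row_obj, auth, field, low, high in rows:
        if row_obj.upper() == obj.upper():
            instances[(role, auth)][field].append((low, high))
    hits = set()
    for (role, _auth), fields in instances.items():
        if all(any(covers(lo, hi, val) for lo, hi in fields.get(name, []))
               for name, val in wanted.items()):
            hits.add(role)
    return sorted(hits)


if __name__ == "__main__":
    # Step 4 of the post: VKORG 1000 and ACTVT 02, other fields blank.
    print(roles_granting(ROWS, "v_vbak_vko", {"VKORG": "1000", "ACTVT": "02"}))
    print(roles_granting(ROWS, "v_vbak_vko", {"VKORG": "1000", "ACTVT": "01"}))
```

Under this model ZTEST is absent from the ACTVT 02 search, and ZSPLIT is too, because its two values sit in different authorization instances.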
07-15-2010 12:37 PM
Hi Brian,
sounds like correction of note 961294 is necessary for your system.
b.rgs, Bernhard
08-24-2010 8:47 AM
Dear Bernhard,
The problem has been resolved, thank you very much for your help.
Sorry for the late response.
Best Regards.
Brian Li
07-15-2010 5:18 PM
Hi,
Make sure you are not opening the parent role.
Be sure that you have derived roles from the parent; after you have created the role, check that the authorization tab is green for both parent and child (in case you have them), or else check the single role itself.
Lastly, see if the authorization object was entered manually in your role rather than inserted using "SU24".
SUIM might not be catching the manually added object (guessing).
07-16-2010 3:48 AM
Hi Franklin Jayasim,
Thank you for your reply.
The role is flat, with no hierarchy, so there is no need to care about the relationship between template role and derived role.
As far as I know, whether the object is in SU24 or not, and the authorization status in roles, have no relationship with SUIM.
07-16-2010 5:50 PM
Hi Brian Li,
Can you let me know if the object you mentioned was added manually in your role?
If you are still facing the problem, then you may have to see if the system is up to date with the latest security notes/patches/services.
Yes, adding it manually still shows the output in SUIM.
Edited by: Franklin Jayasim on Jul 16, 2010 6:54 PM
07-16-2010 6:01 PM
Hi,
From the question you posted, I understand the steps clearly, but I think you have not entered the values of
SPART
VKORG
VTWEG
from the organizational level tab. Can you enter the values in the "organization level" area and try it out one more time?
Also, your entry is "01"
but you are searching for activity "02".
Edited by: Franklin Jayasim on Jul 16, 2010 7:06 PM
07-15-2010 9:20 PM
Hi Brian,
Before you come to a conclusion, try different search scenarios in SUIM.
Try to search with only the role name ZTEST.
Try the search criteria authorization object/transaction code.
There are many bugs reported in SUIM, and SAP has delivered notes as well, like 171805 / 1227083 / 1393940.
Thanks,
Sri