08-16-2010 8:40 AM
Hi Experts,
Today we found that the combination below has been declared a violation in our system.
The transactions below, with their related objects:
/VIRSA/VFAT
/VIRSA/ZVFAT_U02
/VIRSA/ZVFAT_U03
/VIRSA/ZVFAT_U04
/VIRSA/ZVFAT_V01
Object
S_PROGRAM for SUBMIT for any program group
Now, the person who has access to the FF transaction also has access to S_PROGRAM for many other transactions via different roles, so it is impossible for us to remove either side to eliminate the violation.
However, we are thinking about mitigation. Before that, we would like to know what risk is involved in the above combination of access.
Regards,
Arpan
08-16-2010 1:40 PM
Arpan,
Our 5.1 system does not throw an error for this combination. The Virsa transactions can be limited in a separate authorization by the User Actions BTCSUBMIT, SUBMIT, VARIANT and Authorization Group ZVFAT*. That's also the default.
Happy Complying,
Robert
08-16-2010 6:08 PM
Hi,
If you look at the default role, it does not have S_PROGRAM by default.
This should be the role that is assigned to users who need firefighter access.
Can you validate which role from the list below you have assigned to users?
/VIRSA/Z_VFAT_ADMINISTRATOR Firefighter Administrator Role with full access
/VIRSA/Z_VFAT_FIREFIGHTER Firefighter Firefighter's role
/VIRSA/Z_VFAT_ID_OWNER Firefighter FirefighID owner's role
I strongly believe that you have assigned the administrator/Owners role.
The best solution will be to identify the administrators and assign the admin roles only to them.
Make sure to have the following for S_PROGRAM:
User action ABAP/4 program BTCSUBMIT, SUBMIT, VARIANT P_ACTION
Authorization group ABAP/4 pro ZVFAT, ZVFAT* P_GROUP
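Added example (not part of the thread and not SAP or Virsa code): because authorizations from all of a user's roles add up, restricting S_PROGRAM in one role does not help if another role grants it more widely. The sketch below checks a constructed per-role listing against the P_ACTION and P_GROUP values named in the replies. The role names and the data layout are hypothetical, and only trailing-`*` patterns are handled (value ranges are not).

```python
# Added example: all data below is constructed, not exported from a real system.
ALLOWED_ACTIONS = {"BTCSUBMIT", "SUBMIT", "VARIANT"}  # P_ACTION values from the thread
ALLOWED_GROUPS = ("ZVFAT", "ZVFAT*")                  # P_GROUP values from the thread

# One user's S_PROGRAM authorizations, listed per role (hypothetical role names).
USER_ROLES = {
    "Z_HYPOTHETICAL_FF_ACCESS": [
        {"P_ACTION": ["BTCSUBMIT", "SUBMIT", "VARIANT"], "P_GROUP": ["ZVFAT*"]},
    ],
    "Z_HYPOTHETICAL_REPORTING": [
        {"P_ACTION": ["SUBMIT"], "P_GROUP": ["*"]},
    ],
    "Z_HYPOTHETICAL_BATCH": [
        {"P_ACTION": ["BTCSUBMIT", "EDIT"], "P_GROUP": ["ZVFAT"]},
    ],
}


def within(granted, allowed):
    """True if the trailing-'*' pattern `granted` matches nothing outside `allowed`."""
    if allowed.endswith("*"):
        return granted.rstrip("*").startswith(allowed[:-1])
    return granted == allowed


def excess_s_program(user_roles):
    """Return {role: [(field, value), ...]} for values wider than the allowed set."""
    findings = {}
    for role, auths in user_roles.items():
        for auth in auths:
            excess = [("P_ACTION", a) for a in auth["P_ACTION"]
                      if a not in ALLOWED_ACTIONS]
            excess += [("P_GROUP", g) for g in auth["P_GROUP"]
                       if not any(within(g, a) for a in ALLOWED_GROUPS)]
            if excess:
                findings.setdefault(role, []).extend(excess)
    return findings


if __name__ == "__main__":
    # Each reported role is one that keeps the combined access wider than ZVFAT*.
    for role, values in excess_s_program(USER_ROLES).items():
        print(role, values)
```
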