
Sensitive Transaction issue

arpan_paik
Active Contributor
0 Kudos

Hi Experts,

Today we have experienced that the below combination has been declared as a violation in our system.

Below transactions with its related objects:

/VIRSA/VFAT

/VIRSA/ZVFAT_U02

/VIRSA/ZVFAT_U03

/VIRSA/ZVFAT_U04

/VIRSA/ZVFAT_V01

Object

S_PROGRAM for SUBMIT for any program group

Now the person having access to the FF transaction has access to S_PROGRAM for many other transactions via different roles. So it is impossible for us to remove either side to eliminate the violation.

However, we are thinking about mitigation. But before that, we would like to know what risk is involved in the above combination of access?

Regards,

Arpan

2 REPLIES 2

Former Member
0 Kudos

Arpan,

Our 5.1 system does not throw an error for this combination. The Virsa transactions can be limited in a separate authorization by the User Actions BTCSUBMIT, SUBMIT, VARIANT and Authorization Group ZVFAT*. That's also the default.

Happy Complying,

Robert

Former Member
0 Kudos

Hi,

If you see the default role, it will not have S_PROGRAM by default.

This should be the role which has to be assigned to users who need firefighter access.

Can you validate which role from the list below you have assigned to users?

/VIRSA/Z_VFAT_ADMINISTRATOR Firefighter Administrator Role with full access

/VIRSA/Z_VFAT_FIREFIGHTER Firefighter Firefighter's role

/VIRSA/Z_VFAT_ID_OWNER Firefighter FirefighID owner's role

I strongly believe that you have assigned the administrator/owner's role.

The best solution will be to identify the administrators and assign the admin roles only to them.

Make sure to have the following for S_PROGRAM:

User action ABAP/4 program (P_ACTION): BTCSUBMIT, SUBMIT, VARIANT

Authorization group ABAP/4 pro (P_GROUP): ZVFAT, ZVFAT*
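
The check discussed in this thread, as an added example that is not part of any reply above and is not SAP or Virsa code: it flags users who hold one of the listed firefighter transactions together with an S_PROGRAM authorization that allows SUBMIT for a program group outside ZVFAT*. The row layout, the user names and the ZROLE_* role names are constructed for illustration, and the example assumes that the field values of one authorization are evaluated together.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Firefighter transactions named in the original question.
FF_TCODES = {"/VIRSA/VFAT", "/VIRSA/ZVFAT_U02", "/VIRSA/ZVFAT_U03",
             "/VIRSA/ZVFAT_U04", "/VIRSA/ZVFAT_V01"}
# Program groups starting with this prefix match the restricted setting
# (ZVFAT, ZVFAT*) given in the replies.
RESTRICTED_GROUP_PREFIX = "ZVFAT"

# Constructed sample rows (hypothetical users and roles):
# (user, role, authorization id, object, field, value)
ROWS = [
    ("ALICE", "ZROLE_FF", "A1", "S_TCODE", "TCD", "/VIRSA/VFAT"),
    ("ALICE", "ZROLE_FF", "A2", "S_PROGRAM", "P_ACTION", "SUBMIT"),
    ("ALICE", "ZROLE_FF", "A2", "S_PROGRAM", "P_GROUP", "ZVFAT*"),
    ("BOB", "ZROLE_FF", "B1", "S_TCODE", "TCD", "/VIRSA/VFAT"),
    ("BOB", "ZROLE_REPORTING", "B2", "S_PROGRAM", "P_ACTION", "SUBMIT"),
    ("BOB", "ZROLE_REPORTING", "B2", "S_PROGRAM", "P_GROUP", "*"),
    ("CAROL", "ZROLE_REPORTING", "C1", "S_PROGRAM", "P_ACTION", "SUBMIT"),
    ("CAROL", "ZROLE_REPORTING", "C1", "S_PROGRAM", "P_GROUP", "*"),
    ("DAVE", "ZROLE_FF", "D1", "S_TCODE", "TCD", "/VIRSA/*"),
    ("DAVE", "ZROLE_FINANCE", "D2", "S_PROGRAM", "P_ACTION", "*"),
    ("DAVE", "ZROLE_FINANCE", "D2", "S_PROGRAM", "P_GROUP", "ZFI*"),
]

def find_violations(rows):
    """Return (user, role, wide_groups) for each S_PROGRAM authorization that
    grants SUBMIT outside ZVFAT* to a user who also holds an FF transaction."""
    tcodes = defaultdict(set)                      # user -> S_TCODE values
    auths = defaultdict(lambda: defaultdict(set))  # authorization -> field -> values
    for user, role, auth, obj, field, value in rows:
        if obj == "S_TCODE" and field == "TCD":
            tcodes[user].add(value)
        elif obj == "S_PROGRAM":
            auths[(user, role, auth)][field].add(value)
    hits = []
    for (user, role, _auth), fields in sorted(auths.items()):
        # Role values may be wildcards, so match each FF tcode against them.
        has_ff = any(fnmatchcase(t, pat) for t in FF_TCODES for pat in tcodes[user])
        can_submit = any(fnmatchcase("SUBMIT", a) for a in fields["P_ACTION"])
        wide = sorted(g for g in fields["P_GROUP"]
                      if not g.startswith(RESTRICTED_GROUP_PREFIX))
        if has_ff and can_submit and wide:
            hits.append((user, role, wide))
    return hits

if __name__ == "__main__":
    for user, role, groups in find_violations(ROWS):
        print(f"{user}: SUBMIT via {role} for program group(s) {groups}")
```

The role column in each hit shows which role would have to be changed or covered by a mitigating control.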