SD security issue - VA02

Former Member
0 Kudos

In VA02 TCode, for a particular sales order, if you check at Line item level in additional data B, you can find a check box as "Review by CM".

We have Custom Object ZXXX which is used to control the access to modify (check or uncheck) that checkbox. In the object we have a field in which if you give the value N, the checkbox will grey out and the user won't be able to manually modify it, and if Y, then the user has access to manually check or uncheck.

One of the end users has never had access to modify this check box (it is greyed out), but when we looked at the changes made to that page (Additional Data B; in menu ENVIRONMENT --> CHANGES) we can see that last year, in October (2010), the CM review checkbox was modified by this user, i.e. it was checked by the user. We have checked change documents for this user, and we are 100% sure that this user never had authorization to manually check or uncheck the CM review checkbox. It is pretty much confusing as to how the changes are showing his name.

If you guys have any confusion in understanding what I want to explain please let me know.

Help in solving this issue will be highly appreciated.

Regards,

Ritesh

8 REPLIES 8

Former Member
0 Kudos

In VA02 TCode, for a particular sales order, if you check at Line item level in additional data B, you can find a check box as "Review by CM".

Not sure which version of SAP you work with, but I don't see the Review by CM check box in the version I have (ECC6.0 Release 710 SP13)

Former Member
0 Kudos

Ritesh,

We have the latest version (EHP4 on ECC 6.0) and there is no checkbox "Review by CM". I have a feeling that this is something that may have been personalised on your system, either by your SI or your internal project team, not a standard SAP function. On that basis, you would probably need to speak to them to get an understanding how it has been implemented, as there may be something within their code that is responsible.

Regards

Tony

Former Member
0 Kudos

Did you check that your custom object ZXXX for VA02 is checked in SU24? If it is unmaintained in SU24, then even if you have a custom exit, it won't check authorization and all the users can modify it.

mvoros
Active Contributor
0 Kudos

Hi,

I would review that custom development. There might be a logic that automatically sets that field and in that case the user who was running that application would be on the change document. An unmaintained record in SU24 does not mean that the check is not performed.

Cheers

Former Member
0 Kudos

Thank you all for your response.

Shekhar/Tony - It is a customized page and the CM(Configuration Management) Reviewed is not a Standard SAP function.

Venkat - The ZXXX object has been maintained in SU24

Martin - Thanks so much for helping me on this. Actually the User whose name is in the change documents is saying that he has never checked that box. And as the change doc. shows, the change happened last yr Oct(2010), it was pretty much difficult to find out the exact cause, I have checked all the roles that have been assigned to or removed from that user's account and could not find anything, as such I am 100% sure that he never had the authorization to check that box.

There is a possibility that something is wrong with the ABAP code. Today I will check with my ABAP team on this and will update you guys.

I am new to SD security, Martin if you could find anything on this, please let me know.

Regards,

Ritesh

Former Member
0 Kudos

Martin, if the check is NO in SU24 for that custom object, then it won't even check that object. I faced this issue in one of my clients.

0 Kudos

Hi.

I agree but you wrote something else. You wrote "If it is unmaintained in SU24" and that for me means there is no record for that object in SU24. This is common if you add an additional check to a standard transaction.

Cheers

0 Kudos

Martin, if the check is NO in SU24 for that custom object, then it won't even check that object. I faced this issue in one of my clients.

This is not exactly correct either, though it would appear as if the check is not even there anymore...

The check is still performed, but the return code sy-subrc is reset to 0 if the object has "no check" status and system field sy-tcode is still set for the context in SU24. A reason code is then also set if sy-subrc is overwritten and you can see the reason in the system trace. Reason codes are also set for other interventions with sy-subrc.

All this is also only true in systems with transport\system_type = 'CUSTOMER'.

However this seems to be a custom program with strange behaviour when writing and / or reading change documents, so there is not much we can do if the OP does not post the code...

I place my bets on there being a check to see whether the field is not initial and then writing the change doc from the custom code, but the field already was not initial. This would mean that the user did not actually change the field.

Cheers,

Julius

Edited by: Julius Bussche on Jun 19, 2011 8:44 AM
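
The hypothesis in the last reply, modelled as an added example (not code from this thread or from the poster's system, whose custom ABAP is never shown): a save routine that writes a change document whenever the flag is not initial attributes the flag to any user who later saves the item, while one that compares stored and saved values does not. The field name `CM_REVIEW`, the user names and the functions are hypothetical.

```python
from dataclasses import dataclass

FLAG = "CM_REVIEW"  # hypothetical field name; the thread does not give the real one

@dataclass(frozen=True)
class ChangeDoc:
    user: str
    field: str
    old: str
    new: str

def apply_screen_input(stored, screen, may_edit_flag):
    """A greyed-out checkbox (ZXXX value N) cannot carry a new value from the screen."""
    item = dict(screen)
    if not may_edit_flag:
        item[FLAG] = stored[FLAG]
    return item

def save_buggy(user, stored, screen, may_edit_flag, log):
    """Hypothesised logic: logs whenever the flag is not initial at save time."""
    item = apply_screen_input(stored, screen, may_edit_flag)
    if item[FLAG] != "":
        # Assumption: the old value is never read, so it is logged as initial.
        log.append(ChangeDoc(user, FLAG, "", item[FLAG]))
    return item

def save_fixed(user, stored, screen, may_edit_flag, log):
    """Logs only when the stored value and the value being saved differ."""
    item = apply_screen_input(stored, screen, may_edit_flag)
    if item[FLAG] != stored[FLAG]:
        log.append(ChangeDoc(user, FLAG, stored[FLAG], item[FLAG]))
    return item

def replay(save):
    """Constructed scenario: CM_LEAD sets the flag, END_USER later edits only the quantity."""
    log = []
    item = {FLAG: "", "QTY": "10"}
    item = save("CM_LEAD", item, {FLAG: "X", "QTY": "10"}, True, log)
    item = save("END_USER", item, {FLAG: "X", "QTY": "12"}, False, log)
    return item, [(d.user, d.old, d.new) for d in log]

if __name__ == "__main__":
    for save in (save_buggy, save_fixed):
        print(save.__name__, replay(save))
```
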