- SAP Community
- Products and Technology
- Additional Q&A
- Modifying Role to remediate violations
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Modifying Role to remediate violations
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 08-18-2011 6:31 AM
Hi,
To remediate the role level violations we need to remove certain tranactions from a given role.
Could you help me understand is it advisable to create a new role for those sod causing tcodes Or it is better to include these tcodes to an existing role?
In case of existing role, we have a role in system which is combination of VA11 create Inquiry, VA21 Quatation, VA51 Item Proposal, Can you advise if violation causing tcode i.e VB21 & VB22 (create sales deal) be included in this role? (Though there is no SOD violations in doing so)?
Thanks!!
Accepted Solutions (1)
Accepted Solutions (1)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi Umesh,
If you create a new role, to take out the existing violations in the current role, you may end up with 10000 roles and most of them may contain only 1-2 transaction code.
In turn when you assign these roles, the risks will pop-up at the user level How do you handle them??
The good practice is to speak to your Line of Business and understand how they wish to maintain and manage these risks. When there is proper mitigation and monitoring in place, you need not worry and can live with them.
Also, your other question on transaction violation should be based on your role design. Might be these two tcodes are okay to add in the same role.
Hope this helps!!
Regards,
Raghu
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Thanks for ur reply...
Correct! new roles would again have violations for those users, but we need to go to the business to determine removal of these roles or mitigation advise.
On the second part, yes adding the the tcode to the same role wud not get violations, BUT who decides it if this is allowed in the system....
Regards
Umesh
Answers (0)
- Cloud ready RAP object using legacy BAPI - Clean Core objective in Enterprise Resource Planning Blogs by Members
- RISE with SAP: Navigating Vulnerability and Patch Management in SAP Enterprise Cloud Services – Part 1 in Enterprise Resource Planning Blogs by SAP
- The SAP LUW in ABAP Cloud in Enterprise Resource Planning Blogs by SAP
- Data Decommissioning and Data Aging for SAP S/4HANA in Technology Blogs by SAP
- GRC Tuesdays: Building The Case For Your Access Governance Solution in Financial Management Blogs by SAP
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.