09-16-2011 2:43 PM
Hello
I am not sure if this is the right forum to post this query as my query below is partly functional (Finance) and partly technical.
We have an issue with transaction FSS0 (access to maintain G/L account master record). This change level transaction was added a few years back to a "Display" type role by restricting the authorisation objects related to the role at Display level.
However, no one factored in the general security issue that a user would have access to a transaction based on the total set of roles which the person gets in the system. Thereby, there are many users who still have the ability to run FSS0 with change level ability as the change level authorisation object access is from the other roles which the user has in his/her profile. This is because some of the other transactions also validate on the same authorisation object which is used by FSS0 and those cannot be revoked. This has been a fundamental error in the role designing process which is more of a historical issue.
The information I am looking out for is whether there is a display level transaction version for FSS0. I tried to do a search via TSTC using the program linked to FSS0 and evaluating if there are other t-codes that use the same program as used by FSS0. There are a few but none of these seem to be a display version of FSS0.
Thanks for the advice in this regard
Regards
Dins
09-21-2011 8:06 AM
You can use FS03. Also look in FS* army. However, just curious, what are your functional guys saying? And the culprit objects are as below if I remember correctly.
F_SKA1_KTP - Chart of A/C level
F_SKA1_BUK - Company code level
For company code level you may encounter a few objects for other txn commonly used in finance. But COA level object should be a rare piece across the role? If no, I would raise serious concern across the GEO.
Regards,
Arpan Paik
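The role-aggregation problem described in this thread can be audited by evaluating each user's roles together rather than one role at a time. The sketch below is an added example, not code from either poster: the role names, users, and the `ZFI_POST` transaction are constructed sample data, and the model is simplified to the S_TCODE start check plus the ACTVT field of the objects named in the reply.

```python
# Constructed sample data (not from the thread). Each role lists its
# authorizations as (object, {field: allowed values}), as in a role export.
ROLES = {
    "Z_FI_GL_DISPLAY": [
        ("S_TCODE", {"TCD": {"FSS0", "FS03"}}),
        ("F_SKA1_BUK", {"ACTVT": {"03"}, "BUKRS": {"*"}}),
    ],
    "Z_FI_AP_CLERK": [
        ("S_TCODE", {"TCD": {"ZFI_POST"}}),  # hypothetical transaction
        ("F_SKA1_BUK", {"ACTVT": {"02", "03"}, "BUKRS": {"1000"}}),
    ],
    "Z_FI_REPORTING": [
        ("S_TCODE", {"TCD": {"FS03"}}),
        ("F_SKA1_BUK", {"ACTVT": {"03"}, "BUKRS": {"*"}}),
    ],
}
USER_ROLES = {
    "ALICE": ["Z_FI_GL_DISPLAY"],
    "BOB": ["Z_FI_GL_DISPLAY", "Z_FI_AP_CLERK"],
    "CAROL": ["Z_FI_REPORTING", "Z_FI_AP_CLERK"],
}
CHANGE = "02"  # ACTVT 02 = change, 03 = display


def roles_granting(user_roles, obj, field, wanted):
    """Roles of one user whose authorization on obj covers `wanted` in `field`."""
    return sorted({
        role
        for role in user_roles
        for name, fields in ROLES.get(role, [])
        if name == obj and ({wanted, "*"} & fields.get(field, set()))
    })


def effective_change_access(tcode="FSS0", objects=("F_SKA1_BUK",)):
    """Users who can start tcode AND hold change activity on every listed
    object, counting all their roles together (simplified: BUKRS is ignored)."""
    findings = {}
    for user, roles in USER_ROLES.items():
        tcode_from = roles_granting(roles, "S_TCODE", "TCD", tcode)
        change_from = {o: roles_granting(roles, o, "ACTVT", CHANGE) for o in objects}
        if tcode_from and all(change_from.values()):
            findings[user] = {"tcode_from": tcode_from, "change_from": change_from}
    return findings


if __name__ == "__main__":
    for user, why in effective_change_access().items():
        print(user, why)
```

The output names, per user, which role supplies the transaction and which supplies the change activity, which is the pair a role redesign has to separate.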
09-22-2011 6:38 AM