10-05-2012 4:36 PM
Hi all,
In our prod. system we have, for example, 2 function IDs with the following characteristics:
1) ZFI_2001
Z01 F_SKA1_BUK ACTVT 01 AND
Z03 F_SKA1_BUK BUKRS * AND
Z04 S_TCODE TCD FS00 OR
Z04 S_TCODE TCD FS15 OR
Z04 S_TCODE TCD FS16 OR
Z04 S_TCODE TCD FSS0 OR
Z04 S_TCODE TCD FSS1 OR
Z05 F_SKA1_KTP ACTVT 01 AND
Z05 F_SKA1_KTP KTOPL * AND
2) ZFI_2010
Z01 F_BKPF_BUK ACTVT 01 AND
Z02 F_BKPF_GSB ACTVT 01 AND
Z02 F_BKPF_GSB GSBER * AND
Z03 F_BKPF_KOA ACTVT 01 AND
Z03 F_BKPF_KOA KOART S AND
Z04 F_BKPF_BUK BUKRS * AND
Z05 S_TCODE TCD F-02 OR
Z05 S_TCODE TCD F-04 OR
Z05 S_TCODE TCD F-06 OR
Z05 S_TCODE TCD F-07 OR
Z05 S_TCODE TCD F-21 OR
Z05 S_TCODE TCD F-27 OR
Z05 S_TCODE TCD F-30 OR
Z05 S_TCODE TCD F-41 OR
Z05 S_TCODE TCD F-42 OR
Z05 S_TCODE TCD F-51 OR
Z05 S_TCODE TCD F-52 OR
Z05 S_TCODE TCD FB01 OR
Z05 S_TCODE TCD FB05 OR
Z05 S_TCODE TCD FB11 OR
Z05 S_TCODE TCD FB41 OR
Z05 S_TCODE TCD FB50 OR
Z05 S_TCODE TCD FBV0 OR
In Access Control I built the same function IDs:
1) ZFI_2001
SAP Core FI/CO - Produktivsystem P03 Man FS00 F_SKA1_BUK ACTVT 01 AND activ
SAP Core FI/CO - Produktivsystem P03 Man FS00 F_SKA1_BUK BUKRS * AND activ
SAP Core FI/CO - Produktivsystem P03 Man FS00 F_SKA1_KTP ACTVT 01 AND activ
SAP Core FI/CO - Produktivsystem P03 Man FS00 F_SKA1_KTP KTOPL * AND activ
SAP Core FI/CO - Produktivsystem P03 Man FSS0 F_SKA1_BUK ACTVT 01 AND activ
SAP Core FI/CO - Produktivsystem P03 Man FSS0 F_SKA1_BUK BUKRS * AND activ
SAP Core FI/CO - Produktivsystem P03 Man FSS1 F_SKA1_BUK ACTVT 01 AND activ
SAP Core FI/CO - Produktivsystem P03 Man FSS1 F_SKA1_BUK BUKRS * AND activ
SAP Core FI/CO - Produktivsystem P03 Man FSS1 F_SKA1_KTP ACTVT 01 AND activ
SAP Core FI/CO - Produktivsystem P03 Man FSS1 F_SKA1_KTP KTOPL * AND activ
The rest is inactive.
2) ZFI_2010
SAP Core FI/CO - Produktivsystem P03 Man F-02 F_BKPF_BUK BUKRS *
SAP Core FI/CO - Produktivsystem P03 Man F-02 F_BKPF_GSB ACTVT 01
SAP Core FI/CO - Produktivsystem P03 Man F-02 F_BKPF_GSB GSBER *
SAP Core FI/CO - Produktivsystem P03 Man F-02 F_BKPF_KOA ACTVT 01
SAP Core FI/CO - Produktivsystem P03 Man F-02 F_BKPF_KOA KOART S
SAP Core FI/CO - Produktivsystem P03 Man F-04 F_BKPF_BUK ACTVT 01
SAP Core FI/CO - Produktivsystem P03 Man F-04 F_BKPF_BUK BUKRS *
SAP Core FI/CO - Produktivsystem P03 Man F-04 F_BKPF_GSB ACTVT 01
SAP Core FI/CO - Produktivsystem P03 Man F-04 F_BKPF_GSB GSBER *
SAP Core FI/CO - Produktivsystem P03 Man F-04 F_BKPF_KOA ACTVT 01
This is only the beginning of a long list.
But unfortunately I get a different result.
Does anybody have an idea what the mistake could be? I think that it will be the same! Won't it?
Regards
Thorsten
10-05-2012 10:11 PM
Thorsten:
In your functions that you say are from your 'prod.system', I don't understand what the columns mean. Is that saying that all of those transactions are connected to all of those objects? I can understand what you list for the access control side, but am confused about what the former list is stating.
Also, I am very surprised that you have so many organizational levels active in your rule set. I want to make sure that you are aware that in Access Control, a * in the rule set only means *; if you are looking for ANY value you need to use $ instead. Please review SAP note 1133589. Even though this is stated for 5.x, it also applies to 10.0.
thanks
Kevin Tucholke
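
A small check over the ZFI_2001 Access Control rows listed in this thread, added here as an illustration (not code from any poster or from SAP): it flags rows whose value is a literal `*`, which the reply above says is not treated as a wildcard, and shows which actions carry fewer permissions than the others. The function names are hypothetical, and the rows are retyped from the first post with the system column dropped.

```python
from collections import defaultdict

# Rows retyped from the ZFI_2001 Access Control listing in the first post
# (leading system column removed): action, object, field, value, condition, status.
ROWS = """\
FS00 F_SKA1_BUK ACTVT 01 AND activ
FS00 F_SKA1_BUK BUKRS * AND activ
FS00 F_SKA1_KTP ACTVT 01 AND activ
FS00 F_SKA1_KTP KTOPL * AND activ
FSS0 F_SKA1_BUK ACTVT 01 AND activ
FSS0 F_SKA1_BUK BUKRS * AND activ
FSS1 F_SKA1_BUK ACTVT 01 AND activ
FSS1 F_SKA1_BUK BUKRS * AND activ
FSS1 F_SKA1_KTP ACTVT 01 AND activ
FSS1 F_SKA1_KTP KTOPL * AND activ
"""

def parse(text):
    """Return a list of (action, object, field, value) tuples, one per row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:          # skip blank or truncated lines
            rows.append(tuple(parts[:4]))
    return rows

def literal_star_rows(rows):
    """Rows whose value is '*': per the reply, '*' is matched literally and '$' means any value."""
    return [r for r in rows if r[3] == "*"]

def permission_gaps(rows):
    """For each action, the (object, field) pairs that other actions have but it lacks."""
    by_action = defaultdict(set)
    for action, obj, field, _value in rows:
        by_action[action].add((obj, field))
    union = set().union(*by_action.values())
    return {a: sorted(union - p) for a, p in by_action.items() if union - p}

if __name__ == "__main__":
    rows = parse(ROWS)
    for r in literal_star_rows(rows):
        print("literal '*' value, review against SAP note 1133589:", *r)
    for action, missing in permission_gaps(rows).items():
        print(action, "has no active rows for", missing)
```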
10-18-2012 1:55 PM
Hi Kevin,
thanks for your answer. I have been on holiday for some days, that's why I can only reply now.
The meanings of the columns are:
Group Object Field name from AND/OR*
Z01 F_SKA1_BUK ACTVT 01 AND
Z03 F_SKA1_BUK BUKRS * AND
Z04 S_TCODE TCD FS00 OR
Z04 S_TCODE TCD FS15 OR
Z04 S_TCODE TCD FS16 OR
Z04 S_TCODE TCD FSS0 OR
Z04 S_TCODE TCD FSS1 OR
Z05 F_SKA1_KTP ACTVT 01 AND
Z05 F_SKA1_KTP KTOPL * AND
Hopefully it will help you to understand my problem.
Thanks
Thorsten
10-18-2012 2:58 PM
Thorsten:
Can you explain what you mean by "Group" above? This term is not familiar to me. If what you are saying is that all Actions in your first group above have all the permissions that are also listed, I don't think that you set up the AC functions correctly. Also, I will state again, that in Access Control, * is NOT a wild card. Please see previous post.
In my opinion, with the limited knowledge that I have, I don't believe you have the same rules between the examples.
Thanks.
Kevin Tucholke
Sr Consultant
SAP America
Business Analytics Competency Center
10-29-2012 9:06 AM
Hi Kevin,
thanks for your first answer.
I have another question for you:
If I run an analysis, the wrong function ID is evaluated. Where can I tell the system which rule set I want to evaluate? I just want to evaluate my own rule set and not the "global" one!
Maybe you can give me a screenshot?
Thanks
Thorsten
10-29-2012 9:24 AM
Set the configuration parameter 1025 to the rule set you want to default to...
Set this by following the path below:
SPRO -> Governance, Risk and Compliance -> Access Control -> Maintain configuration settings