P_ABAP vs. Payment Medium programs

Former Member

Hi,

we are trying to restrict P_ABAP instances with COARS = 2 in end-user roles in our SAP HCM instance. The rationale for this exercise is that with such P_ABAP instances, reports are run without any authorization checks for PA master data, which means "overriding" the authorization checks and restrictions specified in P_ORGIN(CON) authorizations, which is something auditors do not like very much.


We have some P_ABAP instances with COARS = 2 for “payment medium” programs in our end-user roles. If you read the P_ABAP information on this page, or this one, you may, however, come to the conclusion that P_ABAP authorization is actually required for the user to be able to run these programs. That would be in conflict with the overall purpose of P_ABAP, which is “deactivating” additional authorization checks.


Could you please help me to understand what this object does with regards to “payment medium” programs and whether it is required for users to have in order to be able to run them? Wouldn’t it be sufficient for the user to have, let’s say, read access to an extensive list of infotypes in his/her P_ORGIN(CON) authorizations for the respective country (PERSA = CC*) that they are responsible for?


Best regards,

Pawel

3 REPLIES

Former Member

You can give them the access (often they have it anyway), or you can use P_ABAP as an optional object to suppress the check. They can run the programs which process the data or return restricted fields or only summaries, without having to be authorized to see all the detailed data which the LDB would otherwise have checked for.

What is the problem?

You just need to make a choice, and the auditor must audit the program context (capability) of that choice. Much like S_DATASET, this is controlled by the program and its capabilities. The auditor must read the code of that program...  :-))))

(or maintain a white-list, like I have).

Cheers,

Julius
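As an added example (not part of the original thread or of any SAP-delivered tooling), here is a small Python audit that implements the white-list approach Julius mentions. It reads role authorization data in the shape of an AGR_1251 export (assumed columns AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH, separated by semicolons; the sample rows, role names and program names are constructed for illustration) and flags every P_ABAP authorization whose COARS value covers 2 unless the REPID is on an approved list of payment medium programs. Wildcard REPIDs are reported separately, and each finding lists the P_ORGIN PERSA values of the same role, i.e. the country restriction that the COARS = 2 entry renders ineffective for that report.

```python
"""Audit P_ABAP COARS=2 authorizations in role data against an allow-list.

Input is text in the shape of an AGR_1251 export (role authorization data).
Assumption: semicolon-separated columns AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data; role and program names are invented for this example.
SAMPLE_AGR_1251 = """AGR_NAME;OBJECT;AUTH;FIELD;LOW;HIGH
Z_HR_PAYMENT_DE;P_ABAP;T-AB001;COARS;2;
Z_HR_PAYMENT_DE;P_ABAP;T-AB001;REPID;ZPAY_MEDIUM_DE;
Z_HR_PAYMENT_DE;P_ORGIN;T-OR001;PERSA;DE*;
Z_HR_DISPLAY_ALL;P_ABAP;T-AB002;COARS;2;
Z_HR_DISPLAY_ALL;P_ABAP;T-AB002;REPID;*;
Z_HR_DISPLAY_ALL;P_ORGIN;T-OR002;PERSA;DE01;
Z_HR_REPORTING;P_ABAP;T-AB003;COARS;1;
Z_HR_REPORTING;P_ABAP;T-AB003;REPID;ZHR_HEADCOUNT;
Z_HR_ADHOC;P_ABAP;T-AB004;COARS;1;2
Z_HR_ADHOC;P_ABAP;T-AB004;REPID;ZHR_ADHOC_QUERY;
"""

# Programs for which COARS=2 has been reviewed and accepted (assumed list).
APPROVED_COARS2_REPORTS = frozenset({"ZPAY_MEDIUM_DE"})


def coars_covers_two(low, high):
    """True if a COARS value or range from the export includes degree 2
    (the setting that suppresses the PA master data checks in the LDB)."""
    low, high = low.strip(), high.strip()
    if low == "*":
        return True
    if high:  # interval maintained as LOW..HIGH
        return low <= "2" <= high
    return low == "2"


def parse_export(csv_text):
    """Return ({(role, auth): {field: [(low, high)]}} for P_ABAP,
               {role: [PERSA values]} from P_ORGIN)."""
    p_abap = defaultdict(lambda: defaultdict(list))
    persa_by_role = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text), delimiter=";"):
        low, high = row["LOW"].strip(), (row["HIGH"] or "").strip()
        if row["OBJECT"] == "P_ABAP":
            p_abap[(row["AGR_NAME"], row["AUTH"])][row["FIELD"]].append((low, high))
        elif row["OBJECT"] == "P_ORGIN" and row["FIELD"] == "PERSA":
            persa_by_role[row["AGR_NAME"]].append(low if not high else f"{low}-{high}")
    return p_abap, persa_by_role


def audit_p_abap(csv_text, allowlist):
    """Return findings as (role, auth, repid, reason, persa_restrictions) tuples,
    one per REPID that is granted COARS=2 without being on the allow-list."""
    p_abap, persa_by_role = parse_export(csv_text)
    findings = []
    for (role, auth), fields in sorted(p_abap.items()):
        if not any(coars_covers_two(lo, hi) for lo, hi in fields.get("COARS", [])):
            continue  # COARS 1 or blank: org-assignment checks still apply
        persa = tuple(persa_by_role.get(role, []))
        for repid, _ in fields.get("REPID", []):
            if "*" in repid:
                reason = "COARS 2 with wildcard REPID: PA checks suppressed for every matching report"
            elif repid not in allowlist:
                reason = "COARS 2 for a program not on the allow-list"
            else:
                continue  # reviewed and accepted
            findings.append((role, auth, repid, reason, persa))
    return findings


if __name__ == "__main__":
    for role, auth, repid, reason, persa in audit_p_abap(SAMPLE_AGR_1251, APPROVED_COARS2_REPORTS):
        bypassed = ", ".join(persa) if persa else "(no P_ORGIN PERSA maintained)"
        print(f"{role} / {auth}: REPID {repid}: {reason}; PERSA restriction bypassed: {bypassed}")
```

Run against a real export, the script gives the auditor the list Julius describes: every report for which the role's P_ORGIN country and infotype restrictions no longer apply, so the code review can be limited to those programs.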


Hi Julius (and all),

thanks for your reply.

Let me elaborate on what my understanding of the risk is: if the user has his/her responsibility and, as a consequence, his/her roles restricted to a specific country (in the PERSA field of P_ORGIN(CON)), and if we now include in his/her role the authorization check simplification (P_ABAP COARS=2) for a program that gives the ability to process/display Data Privacy sensitive data, the risk is that the user will be able to see/process records outside of his/her area of responsibility. And that would be a violation of Data Privacy regulations.

The same goes with regards to infotypes: if the user has his/her roles restricted to specific non-Data Privacy sensitive infotypes only, and if we now include in his/her role the authorization check simplification (P_ABAP COARS=2) for a program that gives the ability to process/display Data Privacy sensitive information, the risk is that the user will be able to see that information.

Please let me know if what I wrote makes sense or if I have confused something.

Also, please see my original question, as it was more specific to what is written in the P_ABAP object documentation on the above-mentioned websites (this page, or this one) with regards to Payment Medium programs. In my opinion, from these descriptions one could understand that P_ABAP with COARS=2 is actually required for these programs to work correctly. I would like to confirm whether my interpretation is correct and whether this is really the case.

Regards,

Pawel


Yes, this is my understanding too. I think this piece should be re-written or explained more clearly, as it's conflicting information. So is 2 needed here or not? Or does it check on the infotypes? Very confusing from an official SAP document. I contacted SAP and they have confirmed that 2 in COARS is indeed needed for Payment Medium.