on 04-04-2013 9:38 AM
Hi All,
We are running on SP09. We have two functions as below:
Function ID | Transaction | Object | Field | Low | High | Condition | Active/Inactive |
Func 1 | F.80 | F_BKPF_BUK | ACTVT | 01 | 02 | AND | Active |
Func 1 | F.80 | F_BKPF_KOA | ACTVT | 01 | | AND | Active |
Func 1 | F.80 | F_BKPF_KOA | KOART | S | | AND | Active |
Func 1 | F.80 | S_PROGRAM | P_ACTION | SUBMIT | | AND | Active |
Func 1 | F.80 | S_PROGRAM | P_GROUP | F_003 | | AND | Active |
Func 2 | FS00 | F_SKA1_BES | ACTVT | 01 | 02 | OR | Active |
Func 2 | FS00 | F_SKA1_BES | ACTVT | 05 | 06 | OR | Active |
Func 2 | FS00 | F_SKA1_BUK | ACTVT | 01 | 02 | OR | Active |
Func 2 | FS00 | F_SKA1_BUK | ACTVT | 05 | 06 | OR | Active |
The rule should be: all the permissions of Function 1 along with any of the permissions of Function 2 together should be a risk.
But we are having an issue, which is explained below.
If a role just has S_PROGRAM --> P_ACTION --> SUBMIT, with no other values defined in Function 1, it is getting pulled into the user-level detailed SoD analysis.
I am trying to find an SAP Note for this, and I am dropping this message in case anyone can help me with it.
Please reply back if you need any further clarification on the issue.
Thanks,
Sravan
Hi Sravan
Have you looked at the User Master of the user the risk is appearing for (e.g. check the SU56 buffer) to see if another role is providing them with the access to the rest of Function 1 and any of the values in Function 2?
Have you tried to run the Risk Analysis for the Role and only specified the role?
Hi Colleen,
Thanks for your reply.
Yes, I have checked the user buffer, where the user has S_PROGRAM -> SUBMIT for F_003 together in one authorization from only two roles. But from other roles the user has just the authorization for S_PROGRAM -> SUBMIT and not F_003. But all the roles are getting pulled into the user-level analysis instead of just the two roles.
Role level analysis is working fine. Violations are shown only for the two roles.
Regards,
Sravan
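
For cross-checking a user-level report against the rule described in this thread, the following Python sketch is an added example, not part of the original posts and not SAP GRC's own logic. It evaluates "all of Function 1 and any of Function 2" over a user's roles and lists only the roles whose authorizations actually satisfy a rule object. The role names and the `Z_OTHER` group are constructed, and the matching assumptions are stated in the comments.

```python
# Added example: a simplified model of the rule from this thread, not SAP GRC's engine.
# Assumptions: a Low/High pair is a range and any value inside it matches; all fields
# of one object must be met inside a single authorization; S_TCODE is ignored.
FUNC1 = {  # every object must be satisfied (AND)
    "F_BKPF_BUK": {"ACTVT": {"01", "02"}},
    "F_BKPF_KOA": {"ACTVT": {"01"}, "KOART": {"S"}},
    "S_PROGRAM": {"P_ACTION": {"SUBMIT"}, "P_GROUP": {"F_003"}},
}
FUNC2 = {  # one satisfied object is enough (OR)
    "F_SKA1_BES": {"ACTVT": {"01", "02", "05", "06"}},
    "F_SKA1_BUK": {"ACTVT": {"01", "02", "05", "06"}},
}

# Constructed sample data: role -> list of (object, {field: values}) authorizations.
SAMPLE_ROLES = {
    "Z_ROLE_A": [
        ("F_BKPF_BUK", {"ACTVT": {"01", "02"}}),
        ("F_BKPF_KOA", {"ACTVT": {"01"}, "KOART": {"S"}}),
        ("S_PROGRAM", {"P_ACTION": {"SUBMIT"}, "P_GROUP": {"F_003"}}),
    ],
    "Z_ROLE_B": [
        ("F_SKA1_BES", {"ACTVT": {"02"}}),
        ("S_PROGRAM", {"P_ACTION": {"SUBMIT"}, "P_GROUP": {"F_003"}}),
    ],
    # SUBMIT only for a different program group: must not count towards Function 1.
    "Z_ROLE_C": [("S_PROGRAM", {"P_ACTION": {"SUBMIT"}, "P_GROUP": {"Z_OTHER"}})],
}


def matching_roles(roles, obj, required):
    """Roles with one authorization for obj that meets every required field."""
    return {
        name
        for name, auths in roles.items()
        for auth_obj, fields in auths
        if auth_obj == obj
        and all(fields.get(f, set()) & vals for f, vals in required.items())
    }


def analyse(roles):
    """Return (risk_present, roles contributing a fully matching authorization)."""
    f1 = {obj: matching_roles(roles, obj, req) for obj, req in FUNC1.items()}
    f2 = {obj: matching_roles(roles, obj, req) for obj, req in FUNC2.items()}
    risk = all(f1.values()) and any(f2.values())
    contributing = set().union(*f1.values(), *f2.values()) if risk else set()
    return risk, contributing
```

On the constructed sample the result is `(True, {"Z_ROLE_A", "Z_ROLE_B"})`: `Z_ROLE_C` holds SUBMIT without F_003 and is not listed.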