cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ML81N Display along with ME21N without risk

Go to solution
jain_prashant31
Explorer

on ‎04-09-2014 9:11 AM

0 Kudos

Hi All,

We have requirement for users to have ML81N only display and ME21N with create access.

Both tcodes share common object M_BEST_BSA. And Change access to ML81N with ME21N is a high risk as per ruleset.

Please advise on approach to meet the requirement.

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

jain_prashant31
Explorer
‎04-14-2014 6:19 AM
0 Kudos

We were able to find a easy solution.

Actually though ML81N and ME21N use the same oject for authorization check, they check entirely different set of activity.

Activity 01/02/03 are applicable for ME21N

Activity 03/75/76 is applicale for ML81N

Hence we have modified the roles and rule set accordingly to remove the violations.

Show replies
Show replies

Answers (1)

Answers (1)

former_member204204
Active Participant
‎04-09-2014 9:39 AM
0 Kudos

HI Prashanth,

In the higher patch level of GRC we dont have this combination of risk.

Also if this combination is available in your SP then you can deactivate either of the T-Code from the function whichever your business think should not be applied.

Regards,

Neeraj Agarwal

Show replies
Show replies
jain_prashant31
Explorer
‎04-09-2014 9:50 AM
0 Kudos

Thanks Neeraj for the response.

If we disable the ML81N tcode in the function if stop giving risks for genuine cases also wherein user has change access to ME21N and ML81N together.

To be more precise my question is, is there a way we can actually restricy access of only display in ML81N and change in ME21N for one user ?

Regards,

Prashant Jain

Former Member
‎04-09-2014 10:51 AM
0 Kudos

Hello Prashant,

In addition to Neeraj comment, instead of deactivating the T code ML81N at function level, try to inactivate the Change access of auth obejct M_BEST_BSA against to t code ML81N in  the same function with in permissions tab.  Then this will help you for not getting the high level risk.

Thanks,

Siva.

jain_prashant31
Explorer
‎04-09-2014 12:05 PM
0 Kudos

Hi Siva,

If we deactivate the activity 02 in M_BEST_BSA, this is impact other rule definiations and 02 activity becomes risk free in all possible scenario. This is what shouldn't happen.

Probably main requirement is identifying if there's some solution/SAP note, which can make ML81N free from M_BEST_BSA object , atleast in display mode or some solution.

Former Member
‎04-09-2014 12:32 PM
0 Kudos

Copy ML81N to a custom variant and remove the authorization checks in the code.

Ask a Question