on 07-03-2014 12:35 PM
Hi All,
My query is to understand about SOD risk.
My Function 1 has 3 Tcodes.
FP05
FP30
FP30C
My Function 2 has no Tcodes. My Function 2 has only a few objects added manually by maintaining Permission group as !^Z_FINANCE.
Created a risk between Function 1 and Function 2
Action Level Rules
Permission Level Rules
Issue is that my Role 1 has Tcodes from First Function and Role 2 is an enabler role and it has authorization objects (added manually) which are also in function 2.
In action rules, a rule is created between my permission group !^Z_FINANCE with Tcodes of Function 1 FP30,FP05,FP30C.
My role 1 has only Tcodes FP05,FP30,FP30C. When I run risk analysis for this role, report says that this role itself has risks and this is because of the rule created at action level for permission group !^Z_FINANCE with FP30,FP05,FP30C. But actually this should not be a risk.
I am simulating role 1 with role 2.
Role 1 has Tcodes from function 1
Role 2 has objects from function 2
Now I am expecting that my risk analysis shows combination as risk.
Now I am getting risks at action level as well as at permission level. But actually speaking I should get only at permission level and not at action level.
In action rules, a rule is created between my permission group !^Z_FINANCE with Tcodes of Function 1 FP30,FP05,FP30C. This is making my role 1 itself as a risk role.
Can someone suggest if there was any issue in my approach?
Please help.
Regards,
Sai.
Hi Sai,
How do your functions look? Can you show us the action and permission definitions of function AR12 and CA04?
Theoretically the risk is reported if you have any possible combination between function AR12 and CA04. See also to get the understanding of the structure.
Looking forward to your reply.
Regards,
Alessandro
Hi Alessandro,
Please find my functions, risk and rules below.
Function AR12 - No Actions only Permissions
Function CA04 - Actions
Function CA04 - Permissions
Action Rules
Permission Rules
My Role 1 has Tcodes and objects which are part of CA04 function
My Role 2 has objects which are part of AR12 function.
When I checked by simulating Role 1 and Role 2, I am getting Action Level risks as well as Permission Level risks. In my action level rules of CCI02 I observe that rules are defined for Permission Group of AR12 with Actions of CA04. These are showing up as Action level risks.
Here I should get permission level risks only and not action level risks.
When I run risk analysis for Role 1 alone, risk analysis report shows that Role 1 has Action level risks from my Risk ID CCI02.
In my action level rules of CCI02 I observe that rules are defined for Permission Group of AR12 with Actions of CA04. But these rules are making Role 1 itself as a risk role which is incorrect as Tcodes of role 1 don't have any issues. Only when they combine with role 2 should show permission level risks.
I understand that any combination will appear as risk between AR12 and CA04.
But why are action level rules being created when there are actions in only one function and the other function doesn't have any actions?
Even if they are getting created, that should again be considered as a combination but these action rules are making individual Tcodes which are part of CA04 as risk Tcodes.
Can you please help me to understand this?
Thanks in advance.
Regards,
Sai.