Object PLOG disabled for certain OM transactions

gv_s
Explorer
0 Kudos

On analysing the Autho Objects enabled in GRC for the Organisation mgmt module of HR, I notice that:

1. A key OM Authorisation Object 'PLOG' is disabled and instead P_ORGIN is active, e.g. Tcodes like PO14 & PO01, included in HR05.

2. In some instances the values of the field 'Otype' for PLOG are inadequate, e.g. A) for Tcodes PPOC, PPOCE only values C & P have been included, which are inadequate. B) Tcode PP01 - only C & P are enabled.

My concern:

P_ORGIN controls PA modules in HR & may also be getting called due to integration between PA & OM. However, without the PLOG object, OM tcodes cannot be executed. On testing I find that without P_ORGIN I can still make changes on the OM side, but PLOG is mandatory (these changes may not get reflected on the PA side due to the missing P_ORGIN). Hence I am trying to understand why PLOG is disabled in the standard ruleset for certain OM tcodes.

I have tried numerous searches on SCN/net to find any relevant notes/updates on these objects & their treatment in GRC, but barring a few notes wherein new tcodes have been included in some function ids, I do not get any reference (e.g. in Note 1083611, PPOC is updated with Autho object P_ORGIN, but not PLOG!).

Since I am neither a developer/programmer nor a functional consultant working actively on any project right now, I do not have any means to raise an incident in SAP market place.

Hence requesting the experts to please provide insight.

4 REPLIES

alessandr0
Active Contributor
0 Kudos

Hi Gauravi,

What I can tell you so far: infotypes for PLOG are OM infotypes (1000-1999) for OM object types (O, S, ...). Infotypes for P_ORGIN are PA infotypes.

As I am not really aware of the HR module, I cannot really help you.

Regards,

Alessandro

Colleen
Advisor
0 Kudos

Hi Gauravi

This analysis is similar to the thread you raised for a different function:

As mentioned on that one, the rule set requires continual update. I see your point that PLOG makes sense to be activated with the PO* transactions. I recall seeing a note in the marketplace for a general overview of the rule set and best practices for management (inc. quarterly releases). Like SU24, I would assume you need to report these shortcomings to SAP for them to be updated.

Actions and permissions are generally built on the SU24 default data. One thing to note is you don't have to put all of the values in the action definition of the functions. It is about identifying the ones that form the function for the risk. But you are right, if you cannot perform the function without the object PLOG then the action definition for that function is incomplete. I still suspect HR/PY is quite open due to country-specific requirements.

Not having a system would make it difficult to report to SAP.

Regards

Colleen

HR07- Why only IT0014,0015 have been considered in Permission

gv_s
Explorer
0 Kudos

Thanks Alessandro & Colleen, I will raise the issue in the Security Forum perhaps, where they may have HR-Authorisation experts who can provide further insight.

0 Kudos

Hi Gauravi

I don't think the security space will be of much help in this instance as this relates to the function definition in SAP GRC (unless the SU24 data is incorrect). Also, you don't need to raise a new thread but instead add the URL to the space and it will appear in their feed as a "cross-post". This keeps all of the information together.

Regards

Colleen