
How to Read This SoD Issue?

Former Member
0 Kudos


Hi, I found an interesting SoD issue: It is between a custom tcode (S_TCODE) and then the following object in the detailed report:

ACTION: [PG] VFX3   RESSOURCE V_VBRK_VKO    ACT 02. What does the [PG] VFX3 mean? Does GRC check against the tcode program access even if S_TCODE for VFX3 is not available for the user? Could the custom tcode program "sneakily" give access to VFX3 program? - Thanks.

Accepted Solutions (1)


madhusap
Active Contributor
0 Kudos

Hi Joerg,

As per my understanding PG - Permission Group.

I assume your SOD risk is defined only at permission level.

For example conflict could be between a combination of a Tcode and Authorization object.

In Function 1 - S_TCODE (with conflicting Tcode)

In Function 2 - Since only the authorization object is there and no Tcode, you can add a Permission group for that object and maintain the values for that object.

Then in your scenario, they might have defined F1 and F2 as risk.

Regards,

Madhu.

AndrzejP
Active Participant
0 Kudos

Hi Joerg,

As per Madhu's email, this function is checked on permission level only (no tcode authorization check). Sometimes [PG] are also created when you remove a transaction from the rule definition but you leave the authorization objects; the system has to assign those permissions to an action, so a PG with the transaction name is created (in your case it might be [PG] VFX3). If you have both transaction and permission object in the function definition, SAP GRC will not check for permission if the user does not have access to the transaction.

Best regards, Andrzej
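
The evaluation behaviour described in the two replies above, as a simplified Python model added here (not SAP GRC code and not written by the posters). The custom tcode `ZCUSTOM`, the field name `ACTVT` for the report's "ACT 02", and all class and function names are assumptions made for illustration.

```python
# Simplified model of the rule evaluation described in the replies.
# Not SAP GRC code; all names and sample data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    name: str           # a tcode, or "[PG] <name>" for a permission group
    permissions: tuple  # ((auth_object, field, value), ...)

    @property
    def is_permission_group(self):
        return self.name.startswith("[PG]")


@dataclass
class User:
    name: str
    tcodes: set  # values the user holds in S_TCODE
    auths: set   # {(auth_object, field, value)} from the user's roles


def action_matches(user, action):
    # Tcode action: without S_TCODE for it, permissions are not checked.
    if not action.is_permission_group and action.name not in user.tcodes:
        return False
    # Permission group: matched on authorization values alone.
    return all(p in user.auths for p in action.permissions)


def risk_hits(user, function1, function2):
    # A risk is reported when the user matches an action in both functions.
    h1 = [a.name for a in function1 if action_matches(user, a)]
    h2 = [a.name for a in function2 if action_matches(user, a)]
    return [(a, b) for a in h1 for b in h2]


# Constructed user: has the custom tcode and V_VBRK_VKO change, but no VFX3.
BILLING_CHANGE = (("V_VBRK_VKO", "ACTVT", "02"),)
user = User("JOERG_TEST", {"ZCUSTOM"}, set(BILLING_CHANGE))

F1 = [Action("ZCUSTOM", ())]                  # hypothetical custom tcode
F2_PG = [Action("[PG] VFX3", BILLING_CHANGE)]  # permission level only
F2_TCODE = [Action("VFX3", BILLING_CHANGE)]    # tcode plus permission

if __name__ == "__main__":
    print("PG rule:   ", risk_hits(user, F1, F2_PG))
    print("Tcode rule:", risk_hits(user, F1, F2_TCODE))
```

In this model the permission-group rule reports the conflict for a user who holds the authorization object values without S_TCODE for VFX3, while the tcode-based rule does not.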
