on 06-24-2015 11:19 PM
Hi All,
Please let me know why it is a risk if the user has access to the FBL5N (Customer Line Items) and VD02 (Change Customer (Sales)) transactions.
I believe the FBL5N tcode is a display report where the user can't change any document until we give change access to the user.
Thank you for your time in advance.
Regards,
Sushma M
Hello Sushma,
In my opinion, this is an example of a false positive in the standard GRC 10.0 ruleset. The delivered ruleset is only a starting point. What you really need to do is go through a comprehensive review of each function in the ruleset and determine whether or not it represents the true capabilities of that function. The problem is that many of the functions contain lots of tcodes, but the individual tcodes may not necessarily enable a user to carry out the entire "function". So when SOD analysis is executed, if any single tcode of that function is flagged, then the whole function is flagged, and then the SOD that results could be a false positive.
I will give you a heads up that function AP02 "Process Vendor Invoices" especially causes many false positives. I recommend replacing AP02 with a refined function that you create.
Regards,
Ken
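The function-level flagging Ken describes, as an added illustration that is not part of the thread or of the SAP GRC ruleset: a risk fires when every function it names is enabled, and a function is enabled when the user holds any one of its tcodes. Only FBL5N and VD02 come from the thread; the function names, risk name and the posting tcode are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Function:
    name: str
    tcodes: frozenset


@dataclass(frozen=True)
class Risk:
    name: str
    functions: tuple  # every listed function must be enabled for the risk to fire


def enabled_functions(user_tcodes, functions):
    # Any single tcode of a function enables the whole function (the behaviour
    # that produces the false positive discussed above).
    return {f.name for f in functions if f.tcodes & user_tcodes}


def evaluate(user_tcodes, functions, risks):
    """Return the sorted names of risks triggered for a user's tcode set."""
    enabled = enabled_functions(user_tcodes, functions)
    return sorted(r.name for r in risks if all(fn in enabled for fn in r.functions))


# Constructed, hypothetical ruleset: an "AR processing" function that mixes the
# display-only FBL5N report with a posting tcode (placeholder name), and a
# customer-maintenance function containing VD02.
STANDARD = [
    Function("CUST_MAINT_X", frozenset({"VD02"})),
    Function("AR_PROCESS_X", frozenset({"FBL5N", "POST_TCODE_X"})),
]
# Refined copy of the same function with the display-only tcode removed.
REFINED = [
    Function("CUST_MAINT_X", frozenset({"VD02"})),
    Function("AR_PROCESS_X", frozenset({"POST_TCODE_X"})),
]
RISKS = [Risk("AR_VS_CUST_X", ("AR_PROCESS_X", "CUST_MAINT_X"))]


def standard_hits():
    return evaluate({"FBL5N", "VD02"}, STANDARD, RISKS)  # flagged: false positive


def refined_hits():
    return evaluate({"FBL5N", "VD02"}, REFINED, RISKS)  # nothing flagged


if __name__ == "__main__":
    print("standard ruleset:", standard_hits())
    print("refined ruleset: ", refined_hits())
```

A user who actually holds the posting tcode together with VD02 is still flagged under the refined function, so the refinement removes only the display-report case.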
Hi Ken,
Thank you so much for the update.
Actually, we are thinking of lowering the priority of the risk related to the FBL5N tcode for now, since we are concentrating on High risks to clean up our system.
Then we will go for function modification later, but my client would like to know why it is a risk at the global level, as they can see it has no risk from their business perspective.
I really appreciate your time.
Regards,
Sushma M
Hi,
As explained by Ken, SAP considers best practices across various industries to build their standard rulesets. There are multiple permutations and combinations while defining risk. If any one of the standard risks is not suitable for your business, you can always customize it to your needs. The standard ruleset is for initial assessment of your current set-up. You can also check at the SU24 level which objects are being triggered for the 2 transactions in question and why it could be a risk from an SAP business perspective. If I have more info, I will let you know. Need time for research.
Good Luck
Thanks
Venu Gudimalla
Hi Sushma,
Seems you are talking about the risk provided in the SAP Standard ruleset for transaction FBL5N.
Yes, from initial analysis, it seems FBL5N cannot change anything and is more of a display transaction. Need further investigation.
I have noted down this in our records for yearly review.
You can check with your business and disable this if your auditors accept the same.
For any kind of Rules recommendations/suggestions, you can send mail to me directly.
Thanks & Regards
Neeraj
Hi Sushma,
You have asked this question in a not-so-relevant forum. Please ask in SAP Security.
Could you provide us the risk no., so that we can advise.
Regards
Plaban