Announcement:
wanna exchange links? contact me at sapchatroom@gmail.com.
Posted by
Admin at
Reply from SAPAUSSEC on Jul 31 at 8:41 PM I really think the approach here is not the best and offer the
following
1. You need to talk to functional teams as security should not be
decided solely by the security person - functional experts and business
management also have to agree what is necessary security.
1 FB01 should only be available to power users as it is a 'super' (my
term) FI transaction, which can be limited by authorisations but it is
better to use more appropriate transactions such as F-02, F-07, FB50 etc
2. All sub ledgers are linked to and summarised in GL control
account(s). You cannot post directly to a control account, you _must_
post to the subsidiary ledger account (with the authorisation needed)
and the control account is automatically updated - no direct postings
are allowed to the GL control account. Your concern about adjusting
postings is not possible by manipulating a control account.
3 IT is not possible in SAP to delete a posted document - it can only
be reversed, leaving a full audit trail.
4 Before being concerned about tightening FB01 I suggest you make
certain more appropriate transactions are allocated to end users.
5 As a security consultant you need to ask questions and include
functional experts and others in your decisions as part of your job
| | | ---------------Original Message---------------
From: James Johnson
Sent: Tuesday, July 29, 2014 10:37 PM
Subject: Locking down FB01 and associated tcodes
Thanks Peter,
I understand what you're saying but I'm not sure how to post to a subsidiary ledger without going via another account (customer / vendor etc).
If I use FB01 I get error message F5354 with diagnosis "Account xxxx in company code yyyy is marked as a reconciliation account for account type "K" and cannot therefore be directly posted to."
Do I conclude we (with current config) cannot directly post to a subsidiary ledger or should I be using a different tcode? (If so - which).
Cheers,
James |
| Reply to this email to post your response. __.____._ |   _.____.__ |
