Posted by
Admin at
Reply from GRCQuest on Jul 25 at 12:53 PM

The problem is with the object F_BKPF_KOA (Accounting Document: Authorization for Account Types). If the field ACTVT = 01 and KOART (Account Type) = A (Asset), D (Customer), K (Vendor), M (Material) & S (General Ledger). Users who can post to the control ledger should not have access to post to the subsidiary ledger as well. Having access to both provides the opportunity to manipulate the subsidiary ledger and hide such activities using journal entries in the general ledger.
---------------Original Message---------------
From: James Johnson
Sent: Tuesday, July 01, 2014 6:04 PM
Subject: Locking down FB01 and associated tcodes

Hi,

I've recently come across SAP Note 1600667 which describes transactions with SoD conflicts with themselves. One example is FB01 which the Note says has the risk "Process Vendor Invoices and Post Journal Entry" and "Permissions are not different, mitigating control required".

I have set up a test user and restricted F_BKPF_BLA to a GL authorisation group and F_BKPF_KOA to GL account types only. If I use FB01 and attempt to create a document of type KR (Vendor Invoice) or a GL document type and post to a vendor account then I am prevented in both cases due to these restrictions.

This is contrary to the SAP Note information - so either there is another factor I'm not aware of or the SAP Note is not entirely correct.

I'd value any feedback on experiences others have had on this subject or implementing restrictions in general with core Finance areas for the purpose of Segregation of Duties.

Thanks,
James.
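The F_BKPF_KOA condition discussed in this thread, written as a review script; this is an added example, not part of either message and not SAP code. It flags users whose F_BKPF_KOA authorizations allow ACTVT 01 for account type S together with any of A, D, K or M, evaluating each authorization instance separately because a check only passes when one instance holds all required field values. The row layout, user names and sample rows are constructed assumptions, and pattern values other than a plain `*` are not handled.

```python
from collections import defaultdict

GL = {"S"}                        # general ledger account type
SUBLEDGER = {"A", "D", "K", "M"}  # asset, customer, vendor, material
POST = "01"                       # ACTVT value named in the thread

# Constructed sample of F_BKPF_KOA values, not from a real system.
# Assumed layout: (user, authorization instance, field, low, high)
SAMPLE_ROWS = [
    ("GL_CLERK", "AUTH1", "ACTVT", "01", ""),
    ("GL_CLERK", "AUTH1", "KOART", "S", ""),
    ("AP_CLERK", "AUTH1", "ACTVT", "01", "03"),
    ("AP_CLERK", "AUTH1", "KOART", "K", ""),
    ("SUPER", "AUTH1", "ACTVT", "*", ""),
    ("SUPER", "AUTH1", "KOART", "*", ""),
    # Display on every account type, post on GL only: no conflict
    ("AUDITOR", "AUTH1", "ACTVT", "03", ""),
    ("AUDITOR", "AUTH1", "KOART", "*", ""),
    ("AUDITOR", "AUTH2", "ACTVT", "01", ""),
    ("AUDITOR", "AUTH2", "KOART", "S", ""),
    # Conflict spread over two instances (KOART range D..K in the second)
    ("MIXED", "AUTH1", "ACTVT", "01", ""), ("MIXED", "AUTH1", "KOART", "S", ""),
    ("MIXED", "AUTH2", "ACTVT", "01", ""), ("MIXED", "AUTH2", "KOART", "D", "K"),
]

def covers(low, high, value):
    """True if one LOW/HIGH entry grants value ('*' = all, HIGH set = range)."""
    if low == "*":
        return True
    return low <= value <= high if high else low == value

def postable_account_types(rows):
    """Per user: KOART values granted with ACTVT 01 in the same instance."""
    inst = defaultdict(lambda: defaultdict(list))
    for user, auth, field, low, high in rows:
        inst[(user, auth)][field].append((low, high))
    result = defaultdict(set)
    for (user, _), fields in inst.items():
        if any(covers(lo, hi, POST) for lo, hi in fields["ACTVT"]):
            result[user] |= {k for k in GL | SUBLEDGER
                             if any(covers(lo, hi, k) for lo, hi in fields["KOART"])}
    return result

def sod_conflicts(rows):
    """Users who can post to the GL and to at least one subsidiary ledger."""
    return {user: sorted(types & SUBLEDGER)
            for user, types in postable_account_types(rows).items()
            if types & GL and types & SUBLEDGER}
```

On the constructed rows, `sod_conflicts(SAMPLE_ROWS)` reports SUPER and MIXED; a user restricted to GL account types only, as in the original test setup, is not flagged.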