RE:[sap-security] Locking down FB01 and associated tcodes


Reply from JimmyJ2 on Jul 31 at 10:30 PM
Hi Adrian,

Thanks for your comments.

I did mention in my original post that FB01 was only an example of the issue. I did ask a pretty narrow question but it is actually part of a much bigger issue which I am looking at and you've touched on it with your post.

Program SAPMF05A which is called by FB01 is called by over a hundred other tcodes - such as all of the tcodes you mentioned. F-02 you label as "more appropriate" but in fact the definition of F-02 (in SE93) is that it calls FB01 with 2 default values (which can be overwritten when using the tcode).

So in fact F-02 is no more secure than FB01 in my experience. I have entered a vendor invoice with F-02 that looks identical to one entered in FB60 - but using the tcode whose description is "Enter G/L Account Posting". (FB60 also uses SAPMF05A)

There may well be hard coded logic in SAPMF05A which differentiates between tcodes but I can't see any alternative to treating the majority of those tcodes as being as dangerous as FB01 until they are individually tested.

I'd certainly value your thoughts on this as an easy solution would be great.

Cheers, James.

---------------Original Message---------------
From: James Johnson
Sent: Tuesday, July 01, 2014 6:04 PM
Subject: Locking down FB01 and associated tcodes

Hi,

I've recently come across SAP Note 1600667 which describes transactions with SoD conflicts with themselves.

One example is FB01 which the Note says has the risk "Process Vendor Invoices and Post Journal Entry" and "Permissions are not different, mitigating control required".

I have set up a test user and restricted F_BKPF_BLA to a GL authorisation group and F_BKPF_KOA to GL account types only.

If I use FB01 and attempt to create a document of type KR (Vendor Invoice) or a GL document type and post to a vendor account then I am prevented in both cases due to these restrictions.

This is contrary to the SAP Note information - so either there is another factor I'm not aware of or the SAP Note is not entirely correct.

I'd value any feedback on experiences others have had on this subject or implementing restrictions in general with core Finance areas for the purpose of Segregation of Duties.

Thanks,

James.
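
The reply's point that F-02 is only FB01 with default values, and that many tcodes run SAPMF05A, can be checked against table exports before deciding which tcodes to restrict. This is an added example, not part of the thread: it assumes TSTC and TSTCP have been exported as (TCODE, PGMNA) and (TCODE, PARAM) pairs and that PARAM starts with `/N` or `/*` followed by the wrapped tcode; the rows are constructed, and ZF02, ZOTH and ZPROG_OTHER are hypothetical.

```python
import re

# Constructed sample rows shaped like exports of TSTC (TCODE, PGMNA) and
# TSTCP (TCODE, PARAM); ZF02, ZOTH and ZPROG_OTHER are hypothetical.
TSTC_ROWS = [("FB01", "SAPMF05A"), ("FB60", "SAPMF05A"), ("F-02", ""),
             ("ZF02", ""), ("ZOTH", "ZPROG_OTHER")]
TSTCP_ROWS = [("F-02", "/NFB01 BKPF-BLART=SA;RF05A-NEWBS=40;"),
              ("ZF02", "/*F-02 BKPF-BUKRS=1000;")]

# Assumption: a parameter transaction's PARAM starts with /N or /* and the
# wrapped tcode, followed by the default screen values.
PARAM_RE = re.compile(r"^/[N*](\S+)")


def resolve_program(tcode, tstc, tstcp, seen=None):
    """Follow parameter-transaction chains to the program that finally runs."""
    seen = seen or set()
    if tcode in seen:            # circular definition: give up
        return None
    seen.add(tcode)
    wrapped = PARAM_RE.match(tstcp.get(tcode, ""))
    if wrapped:
        return resolve_program(wrapped.group(1), tstc, tstcp, seen)
    return tstc.get(tcode) or None


def tcodes_sharing_program(sensitive, tstc_rows, tstcp_rows):
    """All other tcodes that end up in the same program as `sensitive`."""
    tstc, tstcp = dict(tstc_rows), dict(tstcp_rows)
    target = resolve_program(sensitive, tstc, tstcp)
    if target is None:
        return []
    return sorted(t for t in tstc if t != sensitive
                  and resolve_program(t, tstc, tstcp) == target)


def untested_exposure(role_tcodes, sensitive, tested, tstc_rows, tstcp_rows):
    """Tcodes in a role's S_TCODE values that reach the sensitive program
    and have not yet been individually tested."""
    risky = set(tcodes_sharing_program(sensitive, tstc_rows, tstcp_rows))
    return sorted((risky & set(role_tcodes)) - set(tested))


if __name__ == "__main__":
    print(tcodes_sharing_program("FB01", TSTC_ROWS, TSTCP_ROWS))
    print(untested_exposure({"F-02", "ZOTH", "FB60"}, "FB01", {"FB60"},
                            TSTC_ROWS, TSTCP_ROWS))
```

A tcode that wraps another wrapper (ZF02 over F-02 here) is resolved through the whole chain, so it is listed alongside the directly assigned ones.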

 
Copyright © 2014 Ziff Davis, LLC. and message author.
Ziff Davis, LLC. 28 E 28th Street New York, NY 10016