Reply from SAPAUSSEC on Aug 1 at 9:22 PM

There is some hard logic in the ABAP which differentiates between XN codes (certainly not all but many). In addition, remember we are talking about an end user, so there is less likelihood they can or will override defaults proposed by these other transactions. F-02 is for vendor postings so it will be more difficult to post to non-vendor accounts (but not impossible). However, FB01 is unrestricted for account type, document type, posting key etc., which can be manually entered provided there are full authorisations.

Why would such an open transaction be given to an end user when there are more specific transactions available, even if they do have shortcomings? More specific transactions are also easier to use. Remember the user may be a novice, so it should be made as easy as possible. In terms of FI postings FB01 is a sledgehammer, more prone to mistakes, and a security nightmare.

I restrict FB01 to power users and require informed process owner approval prior to granting access. Start asking what document types, account types and posting keys of the process owner if they persist with FB01, and make certain they are aware it is a power transaction.
---------------Original Message---------------
From: James Johnson
Sent: Thursday, July 31, 2014 10:30 PM
Subject: Locking down FB01 and associated tcodes

Hi Adrian,

Thanks for your comments. I did mention in my original post that FB01 was only an example of the issue. I did ask a pretty narrow question but it is actually part of a much bigger issue which I am looking at and you've touched on it with your post.

Program SAPMF05A which is called by FB01 is called by over a hundred other tcodes - such as all of the tcodes you mentioned. F-02 you label as "more appropriate" but in fact the definition of F-02 (in SE93) is that it calls FB01 with 2 default values (which can be overwritten when using the tcode). So in fact F-02 is no more secure than FB01 in my experience. I have entered a vendor invoice with F-02 that looks identical as one entered in FB60 - but using the tcode whose description is "Enter G/L Account Posting". (FB60 also uses SAPMF05A)

There may well be hard coded logic in SAPMF05A which differentiates between tcodes but I can't see any alternative to treating the majority of those tcodes as being as dangerous as FB01 until they are individually tested.

I'd certainly value your thoughts on this as an easy solution would be great.

Cheers,
James.
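Added example, not part of either post: a small audit helper that lists every tcode resolving to SAPMF05A, either directly or as a wrapper with preset defaults like the F-02 definition described above, so each can be queued for individual testing. It assumes exports of tables TSTC (TCODE, PGMNA) and TSTCP (TCODE, PARAM) and that a wrapper's PARAM starts with /N or /* followed by the core tcode; all rows, the Z* tcodes and the function names are constructed for illustration.

```python
import re

TARGET_PROGRAM = "SAPMF05A"

# Constructed sample rows shaped like SE16 exports; not taken from a real system.
TSTC_ROWS = [  # (TCODE, PGMNA); wrappers carry no program of their own here
    ("FB01", "SAPMF05A"), ("FB60", "SAPMF05A"), ("F-02", ""),
    ("ZVENDPOST", ""), ("ZSTOCK", "ZSTOCKRPT"),
]
TSTCP_ROWS = [  # (TCODE, PARAM)
    ("F-02", "/NFB01 BKPF-BLART=SA;RF05A-NEWBS=40;"),
    ("ZVENDPOST", "/*F-02 BKPF-BUKRS=1000;"),
]

PARAM_RE = re.compile(r"^/[N*](\S+)\s*(.*)$")


def parse_param(param):
    """Split a PARAM value into (core tcode, {screen field: default})."""
    m = PARAM_RE.match(param.strip())
    if not m:
        return None, {}
    pairs = (p.split("=", 1) for p in m.group(2).split(";") if "=" in p)
    return m.group(1), {k.strip(): v.strip() for k, v in pairs}


def resolve(tcode, programs, params, seen=()):
    """Follow wrapper tcodes until one names a program; None if unresolved."""
    if tcode in seen:  # guard against a wrapper loop in bad data
        return None
    if programs.get(tcode):
        return programs[tcode]
    core, _ = parse_param(params.get(tcode, ""))
    return resolve(core, programs, params, seen + (tcode,)) if core else None


def tcodes_reaching(target=TARGET_PROGRAM):
    """Map each tcode that ends up in `target` to its preset defaults."""
    programs, params = dict(TSTC_ROWS), dict(TSTCP_ROWS)
    return {
        t: parse_param(params.get(t, ""))[1]
        for t in sorted(programs)
        if resolve(t, programs, params) == target
    }


if __name__ == "__main__":
    for tcode, defaults in tcodes_reaching().items():
        print(tcode, defaults or "direct call")
```

The defaults column only shows what a wrapper proposes; whether the user can overwrite them still has to be tested per tcode.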