on 05-22-2015 12:32 PM
Dear All,
As we all know, FB01 and F-02 are some of the transactions of the SAP Finance module which can perform activities related to various account types (A, K, D, M, S).
The SAP standard ruleset has multiple objects enabled for these transactions, leading to many false positives in the SOD report; viz., a user has access only to customer invoice processing (restricted access to account type D), but the SOD report shows risks related to vendor invoice processing, because the object-level definitions for F-02, like F_BKPF_BUK etc., are common to vendor and customer activities. This object alone doesn't really allow the user to process vendor invoices, and F_BKPF_KOA is a mandatory object.
In order to remove such false positives, is it a good approach to deactivate the other objects and keep only the F_BKPF_KOA object active in the ruleset, with the required account types maintained for FB01, F-02, etc.?
Please advise.
Thanks in advance!
Dear Prashant,
It's very tough to answer this question, as this is an individual specification that belongs only to your environment/requirement.
Basically, you do need to keep all object combinations that indicate your risk. If F_BKPF_KOA and F_BKPF_BUK are both required for a risk to be conducted, you do need to keep both.
Also be aware that the pre-delivered rule set is based on "best practice" that applies to a wide range of companies but not to everyone. Hence it is always required to validate all the rules and make adjustments when required.
Hope this helps.
Regards,
Alessandro
Hi Prashant,
Risks will appear the way you define them. For F-02 and FB01, please identify which auth. objects are used in roles. Then find the non-org. and org. objects which determine the risk. Include those objects in your risk definition. For org. values, you can set org. level risks.
Regards,
Plaban
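
An added illustration, not part of any reply in this thread and not SAP GRC code: a simplified Python model of permission-level rule matching. It shows why a vendor-posting rule for F-02 that enables only F_BKPF_BUK flags a customer-only user, while a rule that also requires F_BKPF_KOA with account type K does not. The rule layout, the user records and their values (company code 1000, activities 01/02/03) are constructed for the example.

```python
# Simplified model of permission-level SoD matching (assumption: not SAP GRC's engine).
# A rule matches when the user holds the transaction and, for every enabled
# object, ONE authorization instance grants a required value for every field.

def object_satisfied(instances, required):
    """True if a single authorization instance covers all required fields."""
    return any(
        all("*" in inst.get(field, set()) or inst.get(field, set()) & values
            for field, values in required.items())
        for inst in instances)

def rule_matches(rule, user):
    if rule["tcode"] not in user["tcodes"]:
        return False
    return all(object_satisfied(user["auths"].get(obj, []), required)
               for obj, required in rule["objects"].items())

# Vendor invoice processing via F-02, two ways of defining the rule.
RULE_BUK_ONLY = {"tcode": "F-02",
                 "objects": {"F_BKPF_BUK": {"ACTVT": {"01"}}}}
RULE_BUK_AND_KOA = {"tcode": "F-02",
                    "objects": {"F_BKPF_BUK": {"ACTVT": {"01"}},
                                "F_BKPF_KOA": {"ACTVT": {"01"}, "KOART": {"K"}}}}

def make_user(koa_instances):
    """Constructed user with F-02/FB01 and posting rights in company code 1000."""
    return {"tcodes": {"F-02", "FB01"},
            "auths": {"F_BKPF_BUK": [{"ACTVT": {"01", "02", "03"},
                                      "BUKRS": {"1000"}}],
                      "F_BKPF_KOA": koa_instances}}

# Constructed sample users.
customer_clerk = make_user([{"ACTVT": {"01", "02", "03"}, "KOART": {"D"}}])
vendor_clerk = make_user([{"ACTVT": {"01", "02", "03"}, "KOART": {"K"}}])
# Posts to customers, may only display vendor items: no single instance
# grants create (01) together with account type K.
mixed_clerk = make_user([{"ACTVT": {"01"}, "KOART": {"D"}},
                         {"ACTVT": {"03"}, "KOART": {"K"}}])

def report(rule):
    """Names of the sample users the rule flags for vendor invoice processing."""
    users = {"customer_clerk": customer_clerk, "vendor_clerk": vendor_clerk,
             "mixed_clerk": mixed_clerk}
    return sorted(name for name, user in users.items() if rule_matches(rule, user))

if __name__ == "__main__":
    print("BUK only   :", report(RULE_BUK_ONLY))
    print("BUK and KOA:", report(RULE_BUK_AND_KOA))
```
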