PoC for FIORI SoD analysis

Sep 27, 2017 at 10:26 AM


Dear All,

We are doing a PoC for FIORI SoD analysis for the following. Please assist if you have worked on designing a ruleset for FIORI SoD, as we are facing challenges in getting permission-level SoD results for FIORI for the different combinations mentioned below.

We have created separate functions as below

| Functions | Function descriptions (EN) | Business Process |
|---|---|---|
| ZTCD01 | ZTCD01 - Function with TCODES | FI00 |
| ZTCD02 | ZTCD02 - Function with TCODES restricted with permissions | FI00 |
| ZODT01 | ZODT01 - Function with ODATA services | FI00 |
| ZFAP01 | ZFAP01 - Function with Fiori App | FI00 |
| ZWDP01 | ZWDP01 - Function with WebDynPro applications | FI00 |

Have Risk IDs for different combinations

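| Risk IDs | Function 1 | Function 2 | Business Process | Criticity | Status | Risk Type | Rule Set |
|---|---|---|---|---|---|---|---|
| ZSOD01 | ZTCD01 | ZODT01 | FI00 | High | Active | SoD | FIORI_TEST |
| ZSOD02 | ZTCD01 | ZFAP01 | FI00 | High | Active | SoD | FIORI_TEST |
| ZSOD03 | ZTCD01 | ZWDP01 | FI00 | High | Active | SoD | FIORI_TEST |
| ZSOD04 | ZODT01 | ZWDP01 | FI00 | High | Active | SoD | FIORI_TEST |
| ZSOD05 | ZFAP01 | ZWDP01 | FI00 | High | Active | SoD | FIORI_TEST |
| ZSOD06 | ZODT01 | ZFAP01 | FI00 | High | Active | SoD | FIORI_TEST |
| ZSOD07 | ZTCD02 | ZODT01 | FI00 | High | Active | SoD | FIORI_TEST |
| ZSOD08 | ZTCD02 | ZFAP01 | FI00 | High | Active | SoD | FIORI_TEST |
| ZSOD09 | ZTCD02 | ZWDP01 | FI00 | High | Active | SoD | FIORI_TEST |
| ZCRP01 | ZODT01 | | FI00 | High | Active | Critical Permission | FIORI_TEST |
| ZCRP02 | ZFAP01 | | FI00 | High | Active | Critical Permission | FIORI_TEST |
| ZCRP03 | ZWDP01 | | FI00 | High | Active | Critical Permission | FIORI_TEST |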

At permission level for each function values maintained

| Function ID | Function description | Action | Permission | Field | Value From | Value To | Logical Operator | Status |
|---|---|---|---|---|---|---|---|---|
| ZTCD01 | ZTCD01 - Function with TCODES | CV01N | N/A | N/A | N/A | N/A | N/A | 0 |
| ZTCD01 | ZTCD01 - Function with TCODES | CV04N | N/A | N/A | N/A | N/A | N/A | 0 |
| ZTCD01 | ZTCD01 - Function with TCODES | BP | N/A | N/A | N/A | N/A | N/A | 0 |
| ZTCD02 | ZTCD02 - Function with TCODES restricted with permissions | CV01N | C_DRAW_TCD | DOKAR | TEST | | AND | 0 |
| ZTCD02 | ZTCD02 - Function with TCODES restricted with permissions | CV01N | C_DRAW_TCD | ACTVT | 01 | | AND | 0 |
| ZTCD02 | ZTCD02 - Function with TCODES restricted with permissions | CV01N | C_DRAW_TCD | ACTVT | 02 | | AND | 0 |
| ZTCD02 | ZTCD02 - Function with TCODES restricted with permissions | CV01N | C_DRAW_DOC | DOKAR | TEST | | OR | 0 |
| ZTCD02 | ZTCD02 - Function with TCODES restricted with permissions | CV01N | C_DRAW_DOC | ACTVT | 02 | | OR | 0 |
| ZFAP01 | ZFAP01 - Function with Fiori App | ^!TEST_F_APP | S_SERVICE | SRV_TYPE | HT | | AND | 0 |
| ZFAP01 | ZFAP01 - Function with Fiori App | ^!TEST_F_APP | S_SERVICE | SRV_NAME | 4AEF0B1B609165AB1F1B406F75799F | | OR | 0 |
| ZFAP01 | ZFAP01 - Function with Fiori App | ^!TEST_F_APP | S_SERVICE | SRV_NAME | 63D5D2B293EF3AB6D73A10C0893873 | | OR | 0 |
| ZFAP01 | ZFAP01 - Function with Fiori App | ^!TEST_F_APP | S_SERVICE | SRV_NAME | 75B1441FF4DE5AA6906ADEB2326695 | | OR | 0 |
| ZFAP01 | ZFAP01 - Function with Fiori App | ^!TEST_F_APP | S_SERVICE | SRV_NAME | 7AD2B9B152A399009BC97DFABA884B | | OR | 0 |
| ZFAP01 | ZFAP01 - Function with Fiori App | ^!TEST_F_APP | S_SERVICE | SRV_NAME | AB088B10113EAC3BC6349F4E933053 | | OR | 0 |
| ZFAP01 | ZFAP01 - Function with Fiori App | ^!TEST_F_APP | S_SERVICE | SRV_NAME | FB3151E3518C6479718DF337170962 | | OR | 0 |
| ZODT01 | ZODT01 - Function with ODATA services | ^!TEST_ODATA | S_SERVICE | SRV_TYPE | HT | | AND | 0 |
| ZODT01 | ZODT01 - Function with ODATA services | ^!TEST_ODATA | S_SERVICE | SRV_NAME | ABC5A2651FDDDA3E4C90CF317938F0 | | AND | 0 |
| ZWDP01 | ZWDP01 - Function with WebDynPro applications | ^!TEST_WDP | S_START | AUTHOBJNAM | WDA_FCLM_BAM_ACC_MASTER | | OR | 0 |
| ZWDP01 | ZWDP01 - Function with WebDynPro applications | ^!TEST_WDP | S_START | AUTHOBJNAM | WDA_FCLM_BAM_HIERARCHY | | OR | 0 |
| ZWDP01 | ZWDP01 - Function with WebDynPro applications | ^!TEST_WDP | S_START | AUTHOBJNAM | WDA_FCLM_BAM_HIER_BP | | OR | 0 |
| ZWDP01 | ZWDP01 - Function with WebDynPro applications | ^!TEST_WDP | S_START | AUTHOBJNAM | WDA_FCLM_BAM_HIER_MAINTAIN | | OR | 0 |
| ZWDP01 | ZWDP01 - Function with WebDynPro applications | ^!TEST_WDP | S_START | AUTHOBJNAM | WDA_FCLM_UPLOAD_DOWNLOAD | | OR | 0 |
| ZWDP01 | ZWDP01 - Function with WebDynPro applications | ^!TEST_WDP | S_START | AUTHOBJTYP | WDYA | | OR | 0 |
| ZWDP01 | ZWDP01 - Function with WebDynPro applications | ^!TEST_WDP | S_START | AUTHPGMID | R3TR | | OR | 0 |

Roles having conflicting functions

| Role ID | Role contents | Relevant SoD Functions |
|---|---|---|
| ZHP1:0001_TILES | S_TCODE | ZTCD01 & ZTCD02 |
| ZHP1:0001_TILES | S_SERVICE [Fiori App] | ZFAP01 |
| ZHP1:0001_TILE1 | S_SERVICE [ODATA] | ZODT01 |
| ZHP1:0003_TILE2 | S_START [WEBDYNPRO App] | ZWDP01 |

Users assigned with roles and expected SoDs. We are OK with action level and critical permission level, but are not able to detect at permission level.

| Test Users | Assigned Roles | Expected SoD results |
|---|---|---|
| ZTESTSOD01 | ZHP1:0001_TILES | ZSOD02 - Action Level; ZSOD08 - Permission Level; ZCRP02 - Critical Permission |
| ZTESTSOD02 | ZHP1:0001_TILE1 | ZODT01 - Critical Permission |
| ZTESTSOD03 | ZHP1:0003_TILE2 | ZWDP01 - Permission Level |


Here risks are not getting detected at the permission level for the following couples:

  1. TCODES (ZTCD02) vs ODATA (ZODT01)
  2. TCODES (ZTCD02) vs FioriApp (ZFAP01)
  3. TCODES (ZTCD02) vs WebDynpro (ZWDP01)
  4. WebDynpro (ZWDP01) vs ODATA (ZODT01)
  5. WebDynpro (ZWDP01) vs FioriApp (ZFAP01)

If possible, can you share your inputs or feedback to get the desired outcome as expected above?

PS: Not able to detect any risk at action, permission or critical permission for WebDynpro for any possible combinations.

Appreciate your quick response with solution


Maltesh J

1 Answer

Alessandro Banzer
Oct 20, 2017 at 12:50 PM

Dear Maltesh,

that should be available in 10.1 SP19. Please check the following advance note that might be helpful:

Let us know if it works.

Regards, Alessandro

