GRC Access Control: What causes S_TCODE conflicts?

Oct 18, 2016 at 02:52 PM

Without giving away too much information, I am on GRC 10.1 and am having issues with the Role Level Analysis (Access Management > Access Risk Analysis > Role Level). We have recently made changes to our rule set and have regenerated all the rules via GRAC_GENERATE_RULES. I now have many role conflicts that are appearing and the following is happening for all of them...

Headings are as follows: Risk ID, Function, T-Code, Auth Object, Field Value, Value From. Let's call the Risk ID ZZ99 and the first blurred function XX01 and the second XX02.

I have the following auth objects in XX01:
F-63 / F_BKPF_KOA / ACTVT 01 / AND
F-63 / F_BKPF_KOA / KOART K / AND
F-66 / F_BKPF_KOA / ACTVT 01 / AND
F-66 / F_BKPF_KOA / KOART K / AND

I have the following auth objects in XX02:
FV60 / F_BKPF_KOA / ACTVT 01 / AND
FV60 / F_BKPF_KOA / KOART D / AND
FV65 / F_BKPF_KOA / ACTVT 01 / AND
FV65 / F_BKPF_KOA / KOART D / AND

The role contains auth objects of the following:
S_TCODE / F-63
S_TCODE / F-66
S_TCODE / FV60
S_TCODE / FV65
F_BKPF_KOA / KOART / K
F_BKPF_KOA / ACTVT / 03

Functions XX01 and XX02 make up Risk ID ZZ99. As you can see, neither FV60 nor FV65 has any conditions that will become TRUE for XX02, and as such, a risk should not be triggered. However, it is triggering a risk, and it's only triggering S_TCODE, which makes absolutely no sense. I have validated the t-code shows up in both the Action and the Permissions tab in XX02. And there are active auth objects that XX02 is checking for.
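
The evaluation the question expects, worked through as an added example (not part of the original post and not SAP GRC's implementation): an action counts toward a function only when the role holds S_TCODE for it and every AND-ed permission value. The field name TCD, the function and variable names and the `check_permissions` switch are assumptions; wildcard and range values are not modelled.

```python
# Constructed model of the rule set and role quoted in the question.
# Not SAP GRC code: it encodes only the evaluation the asker expects.
KOA = "F_BKPF_KOA"
FUNCTIONS = {  # function -> action (t-code) -> AND-ed (object, field, value)
    "XX01": {
        "F-63": [(KOA, "ACTVT", "01"), (KOA, "KOART", "K")],
        "F-66": [(KOA, "ACTVT", "01"), (KOA, "KOART", "K")],
    },
    "XX02": {
        "FV60": [(KOA, "ACTVT", "01"), (KOA, "KOART", "D")],
        "FV65": [(KOA, "ACTVT", "01"), (KOA, "KOART", "D")],
    },
}
RISKS = {"ZZ99": ("XX01", "XX02")}

# Role authorizations from the post; TCD as the S_TCODE field is an assumption.
ROLE = {
    ("S_TCODE", "TCD"): {"F-63", "F-66", "FV60", "FV65"},
    (KOA, "KOART"): {"K"},
    (KOA, "ACTVT"): {"03"},
}

def permissions_met(role, perms):
    """True only if the role holds every AND-ed field value (no wildcards)."""
    return all(value in role.get((obj, field), set())
               for obj, field, value in perms)

def function_hits(role, function, check_permissions=True):
    """Actions of a function that the role satisfies."""
    tcodes = role.get(("S_TCODE", "TCD"), set())
    return [tcode for tcode, perms in FUNCTIONS[function].items()
            if tcode in tcodes
            and (not check_permissions or permissions_met(role, perms))]

def risk_triggered(role, risk, check_permissions=True):
    """A risk needs at least one satisfied action in each of its functions."""
    return all(function_hits(role, f, check_permissions) for f in RISKS[risk])

if __name__ == "__main__":
    for mode in (True, False):
        print("permissions checked:", mode,
              {f: function_hits(ROLE, f, mode) for f in RISKS["ZZ99"]},
              "ZZ99 triggered:", risk_triggered(ROLE, "ZZ99", mode))
```

With `check_permissions=False` the same role matches both functions on S_TCODE alone, which is the shape of the result the question reports; the model does not establish why GRC returned it.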


1 Answer

Alessandro Banzer
Oct 20, 2016 at 08:41 AM

Dear David,

Please share the definition of the functions (action / permission) to check what is missing. Either with screenshots from the definition or from the report "Access Rule Detail".

Thanks and regards, Alessandro
