Former Member
Dec 18, 2008 at 11:35 AM

accumulation of rights within roles - SECURITY GAP?

Hi

My user has the following access:

In role A she has P_ORGINCON with the following values, read access:

AUTHC M, R

INFTY 0001, 0002, 0024, 0041, 9010

PERSA *

PERSG *

PERSK * (employee subgroups)

PROFL ZZ_ALL

SUBTY *

VDSK1 *

In role B she has P_ORGIN with the following values, read access:

AUTHC M, R

INFTY 0001, 0002, 0003, 0006, 0007, 0025, 0032, 0034, 0041, 2001, 2002, 2003, 2004, 9010, 9015

PERSA *

PERSG *

PERSK Z0, Z1, Z2, Z8, ZB, ZD, ZE, ZF, ZJ, ZK, ZL, ZM, ZN, ZP

PROFL ZZ_ALL

SUBTY *

VDSK1 *

When she tries to display any infotype NOT included in role A (e.g. IT06), for any subgroup which is NOT in group B (e.g. Z3), she can do it! Security gap!!

Is it because SAP will combine the authorisations, no matter what the individual limitations are?

Thanks for any help. We really need to find a solution for this.

Nadia