SAP ECC and SAP HR Authorizations - Transactions

Former Member

Hello,

We have to do an internal audit of our SAP systems. We need to review the authorizations of all users.

Our systems are SAP Netweaver 2004s ECC and SAP HR.

Could you tell us, for example, which transactions are incompatible? That is, authorizations that a user cannot have at the same time.

Thanks in advance,

Néstor.


Former Member

Hi Nestor,

Your requirement is covered under SOD. You can search for SOD on the web; you will get the relevant documents on the same. Most important is to identify the tasks that should not be performed by a single person (SoD Matrix). This should be taken care of at the time of implementation.

See link: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/f02855c9-2091-2a10-8682-af41abe087ba?quicklink=index&overridelayout=true and also check the thread on SDN.

Hope this helps you

Cheers:)

jurjen_heeck

> We have to do an internal audit of our SAP systems. We need to review the authorizations of all users.

OK, why? And who is 'we'? What is your role in the company?

> Our systems are SAP Netweaver 2004s ECC and SAP HR.

And what do you use these systems for?

> Could you tell us, for example, which transactions are incompatible? That is, authorizations that a user cannot have at the same time.

So, you want us to guess what your business risks are? That's a strange one. Who in your company is going to sign off an audit performed based on (anonymous?!) information you got on the internet?

Besides that, checking for transactions only is quite useless. You'll need to do a bit more, and I guarantee you that no one in this forum (that is, the security forum where this thread was originally posted) is going to provide you with a complete set of reliable criteria. Not only because we're generally not into doing work for free, but more importantly because we do not know how your company works and/or uses its systems.

Please ignore any lists of transactions or objects posted in this thread, they will offer you no more than a fake sense of security.

Jurjen

Edited by: Jurjen Heeck on Feb 8, 2010 6:52 PM after move to GRC forum

Former Member

Moved to the GRC forum...


I don't know what your problem is, Jurjen, but nobody forces you to answer... least of all in this evil way.

I am a Basis administrator and the "auditory" process is only for internal use in my company. What else do you need to know? I don't want anyone to do my work, only to tell me where to go... sorry, but I think you've been clever.

Thanks for your reply, connecpk; it has been good for me.

Thank you all for your help.

Néstor.


Forget about transaction codes for SOD in HR. Half the application is run on reports, some of which can even update themselves. There are central transactions (such as PA20) which will let you access any infotype and process anything, which is sometimes a fine line between master data and transaction data. There is also the topic of not accessing your own data if you are an HR administrator, or accessing only your own data via RFC (ESS).

This is all at authorization object level. Forget about a list of transaction codes.

Cheers,

Julius


Nestor,

To start with building an SOD matrix for your organization's ECC and HR systems, you can refer to the standard SOD logic (risks, functions, actions and permissions) provided by SAP along with the GRC Access Control 5.3 application.

Please refer to [Note 1326497 - Risk Analysis and Remediation Rule Update Q2 2009|https://service.sap.com/sap/support/notes/1326497]. (You need to have a Marketplace ID to access the note.)

You can then fine-tune the ECC and HR system SOD logic to meet your requirements.

Regards,

Amol
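As an added illustration of the two points made above (Julius: check at authorization-object level rather than by transaction code; Amol: the rule hierarchy of risks, functions, actions and permissions), here is a small script that is not part of this thread and not SAP's rule set. The function names, the risk pairing, the Z_PAYRUN object, the ZPAYRUN/ZHRREPORT transactions and the user authorizations are all constructed assumptions for the demonstration.

```python
"""Added example (not from the thread or SAP): a minimal SoD risk check shaped like
the Risk -> Functions -> Actions/Permissions hierarchy, run once over S_TCODE only
and once at authorization-object level to show what a transaction-only review misses."""

# A function is a business activity; it is entered via actions (transaction codes)
# but actually authorised by permissions: {(object, field): required values}.
FUNCTIONS = {
    "HR_MASTER_MAINTAIN": {"actions": {"PA30"},
                           "permissions": {("P_ORGIN", "ACTVT"): {"02"}}},
    # constructed custom function and authorization object, not a real SAP rule
    "PAYRUN_EXECUTE": {"actions": {"ZPAYRUN"},
                       "permissions": {("Z_PAYRUN", "ACTVT"): {"16"}}},
}
# A risk fires when one user holds every function listed (constructed pairing).
RISKS = {"R_CONSTRUCTED_01": ["HR_MASTER_MAINTAIN", "PAYRUN_EXECUTE"]}

# Constructed users: authorization field values flattened from their roles/profiles.
USERS = {
    "HRADMIN": {("S_TCODE", "TCD"): {"PA30", "ZPAYRUN"},
                ("P_ORGIN", "ACTVT"): {"02", "03"}, ("Z_PAYRUN", "ACTVT"): {"16"}},
    # No PA30 in S_TCODE, yet the maintain authority is held and reachable through a
    # report transaction: invisible to a review that only looks at transaction codes.
    "REPORTER": {("S_TCODE", "TCD"): {"ZHRREPORT", "ZPAYRUN"},
                 ("P_ORGIN", "ACTVT"): {"02"}, ("Z_PAYRUN", "ACTVT"): {"16"}},
    "VIEWER": {("S_TCODE", "TCD"): {"PA20"},
               ("P_ORGIN", "ACTVT"): {"03"}},
}

def holds_function(auths, fn, mode):
    """mode 'tcode': only S_TCODE is inspected; mode 'permission': every required
    authorization-object value must be held (a '*' value covers anything)."""
    if mode == "tcode":
        return bool(fn["actions"] & auths.get(("S_TCODE", "TCD"), set()))
    return all(
        "*" in auths.get(key, set()) or required <= auths.get(key, set())
        for key, required in fn["permissions"].items()
    )

def analyze(users, mode):
    """Return {user: sorted risk ids} for users holding all functions of a risk."""
    hits = {}
    for user, auths in users.items():
        found = [rid for rid, fns in RISKS.items()
                 if all(holds_function(auths, FUNCTIONS[f], mode) for f in fns)]
        if found:
            hits[user] = sorted(found)
    return hits

if __name__ == "__main__":
    print("tcode-only      :", analyze(USERS, "tcode"))       # HRADMIN only
    print("permission-level:", analyze(USERS, "permission"))  # HRADMIN and REPORTER
```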