I'm looking into the risk of unauthorized transactions through access to editing existing IDOCs and reprocessing them.
In the scenarios below, the following characteristics apply:
- User Y belongs to the finance department and has access to financial transactions in SAP.
- User Y has created the IDOC (related to financial transaction).
- User X belongs to the HR department and has NO access to financial transactions in SAP.
- User X has T-code-level access to changing IDOCs.
My question is, which of the following scenarios is the correct one and what is the technical reasoning behind it?
- User X can edit an existing IDOC and reprocess it successfully because the IDOC/system checks the authorization of the IDOC creator (in this case: User Y).
- User X can edit an existing IDOC and reprocess it successfully because the IDOC is in the queue and does not check for additional authorization.
- User X can edit an existing IDOC but can NOT reprocess it because the IDOC/system checks the authorization of the IDOC changer (in this case: User X).