Former Member

IDOC Edit & Reprocessing Risk

I'm looking into the risk of unauthorized transactions through access to editing existing IDOCs and reprocessing them.

In the scenarios below, the following characteristics apply:

  • User Y belongs to the finance department and has access to financial transactions in SAP.
  • User Y has created the IDOC (related to financial transaction).
  • User X belongs to the HR department and has NO access to financial transactions in SAP.
  • User X has T-code level access to changing IDOCs.

-

My question is, which of the following scenarios is the correct one and what is the technical reasoning behind it?

  1. User X can edit an existing IDOC and reprocess it successfully because the IDOC/system checks the authorization of the IDOC creator (in this case: User Y).
  2. User X can edit an existing IDOC and reprocess it successfully because the IDOC is in the queue and does not check for additional authorization.
  3. User X can edit an existing IDOC but can NOT reprocess it because the IDOC/system checks the authorization of the IDOC changer (in this case: User X).

0 Answers