We have a role with Transaction Code VA88.
The transaction code VA88 is used to reverse a document. A user from a different company code was able to change the sales order of a different company code.
When I checked, I saw that Transaction Code VA88 uses the "Sales Organization" field for generating output.
I see from SU24 that there is no Authorization Object set to check/restrict Sales Organization. As a result, any user from any sales organization can reverse a document for any sales organization.
I have added the Authorization Objects V_KNA1_VKO and V_VBAK_VKO in SU24 for Transaction Code VA88 and set the restriction of Sales Organization in Org. Levels. However, despite restricting the Sales Organization, this transaction still allows access to other Sales Organizations.