This website is not affiliated with, sponsored by, or approved by SAP AG.

Auths object F_BKPF_BUK


Post by billya » Fri Nov 22, 2013 12:36 am

Hi All

We have a User who is responsible to transact on SAP within two Company Codes. However, the User is reporting to two different Managers.

The one Manager wants the User to utilise transaction FB08 whilst the other one wants this restricted for his Company.

We have found that the user is allowed to run transaction FB08 for both Company Codes even though he only has access thereto for the Company Code which he is allowed to have. I have indicated to my Colleagues that due to the fact that the user has access to transaction FB08 for Company Code 4062 he will also be able to run the transaction for Company Code 1239 as Object F_BKPF_BUK dictates Company Code access with the SAP Authorisations Concept. This theory is however under discussion.

Any input regarding my theory is most welcome and I am looking forward to any suggestions in this regard.

The access profile of the User thus looks as follows:

Role1 (Transaction FB08)
S_TCODE: FB08
F_BKPF_BUK ACTVT: 01
F_BKPF_BUK BUKRS: 4062

Role2 (F-90)
S_TCODE: F-90
F_BKPF_BUK ACTVT: 01
F_BKPF_BUK BUKRS: 1239

Role2 (GENERAL FI DISPLAY ROLE FOR OTHER COMPANY CODES)
S_TCODE: FB03
F_BKPF_BUK ACTVT: 03
F_BKPF_BUK BUKRS: 1239

Regards
Billy
billya
 
Posts: 1
Joined: Thu Nov 21, 2013 4:10 am

Re: Auths object F_BKPF_BUK

Post by Al. » Mon Nov 25, 2013 6:01 am

Hi,

You are correct. This is standard functionality.

You have a few options, a couple of them being:

1. Use the enhancement framework to include an additional check on one of the transactions (a developer can help with this)
2. Implement a mitigating control (and for 1 user this makes more sense based on the info available) where the dissenting manager reviews activity. Your functional team can give you options for how this can be achieved.

Cheers
http://www.turnkeyconsulting.com/
Al.
 
Posts: 3050
Joined: Tue Feb 25, 2003 5:35 am
Location: London

Re: Auths object F_BKPF_BUK

Post by henrik » Sun Dec 08, 2013 5:08 pm

For some strange reason, some people are under the impression that the auth objects only work within the role they are assigned through, so in your case, the F.90 role should not have any impact on the FB08 role.
Of course that is nonsense, but I have seen that belief being argued several times...
www.turnkeyconsulting.com.au
henrik
 
Posts: 493
Joined: Wed Oct 23, 2002 6:38 am
Location: London, UK
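
The behaviour discussed in the posts above, as an added example (a simplified Python model, not SAP code and not posted by any participant). Role contents are taken from the first post; the activity each transaction checks on F_BKPF_BUK (`TCODE_ACTVT`) and all function names are assumptions made for the illustration.

```python
# Added illustration (not SAP code): roles and values are from the thread.
# Assumption: the activity each transaction checks on F_BKPF_BUK.
TCODE_ACTVT = {"FB08": "01", "F-90": "01", "FB03": "03"}

ROLES = {
    "Role1 (FB08)": [
        ("S_TCODE", {"TCD": {"FB08"}}),
        ("F_BKPF_BUK", {"ACTVT": {"01"}, "BUKRS": {"4062"}}),
    ],
    "Role2 (F-90)": [
        ("S_TCODE", {"TCD": {"F-90"}}),
        ("F_BKPF_BUK", {"ACTVT": {"01"}, "BUKRS": {"1239"}}),
    ],
    "Role2 (FI display)": [
        ("S_TCODE", {"TCD": {"FB03"}}),
        ("F_BKPF_BUK", {"ACTVT": {"03"}, "BUKRS": {"1239"}}),
    ],
}

def authority_check(auths, obj, **fields):
    """Pass if a single authorization for obj covers every requested field."""
    return any(name == obj and all(val in values.get(fld, ()) for fld, val in fields.items())
               for name, values in auths)

def pooled(roles):
    """All authorizations from all roles, as held in the user master record."""
    return [auth for auths in roles.values() for auth in auths]

def can_run(auths, tcode, bukrs):
    return (authority_check(auths, "S_TCODE", TCD=tcode) and
            authority_check(auths, "F_BKPF_BUK", ACTVT=TCODE_ACTVT[tcode], BUKRS=bukrs))

def can_run_per_role(roles, tcode, bukrs):
    """The mistaken model: both checks must pass inside one role."""
    return any(can_run(auths, tcode, bukrs) for auths in roles.values())

def cross_role_grants(roles):
    """(tcode, company code) pairs that work only because roles combine."""
    auths = pooled(roles)
    codes = {b for name, v in auths if name == "F_BKPF_BUK" for b in v["BUKRS"]}
    return sorted((t, b) for t in TCODE_ACTVT for b in codes
                  if can_run(auths, t, b) and not can_run_per_role(roles, t, b))

if __name__ == "__main__":
    for tcode, bukrs in cross_role_grants(ROLES):
        print(f"{tcode} in company code {bukrs}: allowed only via role combination")
```

Field values still have to match within one authorization (FB03 in 4062 fails because no single F_BKPF_BUK authorization holds both ACTVT 03 and BUKRS 4062), but the S_TCODE and F_BKPF_BUK checks are each satisfied from any role the user holds.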

Re: Auths object F_BKPF_BUK

Post by os » Sat Dec 28, 2013 3:02 pm

What is the problem?
os
 
Posts: 469
Joined: Wed Dec 21, 2005 10:51 am

