Question:
Hi Superman,
We are redesigning the authorization to make it compliant with the SOX rules.
We have met a big problem when assigning one user different functions in different company codes, using separate activity groups to make the segregation. But it does not work: this user owns the total authorization in these two companies, not limited by the company code setting in the activity group.
For example: user01
1. We assign the Tcode FS01 in company code 0001
Authorization setting: activity group 01, limited only to company code 0001
2. Assign the Tcode FK01 in company code 0002
Authorization setting: activity group 02, limited only to company code 0002
But in the end, we find this user can do both transactions in both company code 0001 and 0002.
Could anyone share your idea?
Your help is appreciated.
jongru
Answer:
This is as designed.
SAP collects all authorisations and merges these to the widest values allowed, from the tables when users log on, regardless of the roles they were in.
The only way to do this kind of thing is when the authorisation object (like in some PM objects) also holds the T_CODE. But most objects cannot be limited to a specific T_Code.
So if the same object is given to a user in different roles it will allow access in combination of the given values. However, when you give 01 Create on company 1 and 02 Change on company 2, the user should not be able to do 02 Change on company 1 in either transaction. So there still is some control possible.
My advice here: rethink your security strategy and limit to what is really needed and possible.
Also evaluate what the real risk is when the same user can do create and change in both companies.
On the other hand, users that should only have 03 Display can be limited this way, even if they have other activities allowed on other companies. So it can be secured!
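The behaviour this answer describes, as an added simulation that is not part of the original thread and not SAP code: all authorisations from all roles are flattened into one user buffer, and a check passes if any single authorisation instance covers every requested field. S_TCODE, ACTVT and BUKRS are the standard SAP names; the company-code object name F_XXXX_BUK is a placeholder, and the role contents are constructed to mirror the question.

```python
# Simplified model of the SAP user buffer and AUTHORITY-CHECK semantics.
# Assumptions: values are exact strings or '*'; real authorisations also
# allow ranges, which are omitted here.

def build_user_buffer(*roles):
    """The buffer is the plain union of every authorisation in every role.
    Nothing records which role an authorisation came from."""
    return [auth for role in roles for auth in role]

def matches(auth, obj, **fields):
    """True if THIS single authorisation instance covers all requested fields."""
    if auth["object"] != obj:
        return False
    for field, value in fields.items():
        allowed = auth["fields"].get(field, set())
        if "*" not in allowed and value not in allowed:
            return False
    return True

def authority_check(buffer, obj, **fields):
    """Pass if any one instance satisfies every field (fields are not mixed
    across instances, so 01/0001 plus 02/0002 does not yield 02/0001)."""
    return any(matches(a, obj, **fields) for a in buffer)

CC_OBJ = "F_XXXX_BUK"  # placeholder name for a company-code authorisation object

# Constructed roles: each activity group grants one transaction code plus
# the company-code object limited to one BUKRS, as in the question.
ROLE_01 = [
    {"object": "S_TCODE", "fields": {"TCD": {"FS01"}}},
    {"object": CC_OBJ, "fields": {"ACTVT": {"01"}, "BUKRS": {"0001"}}},
]
ROLE_02 = [
    {"object": "S_TCODE", "fields": {"TCD": {"FK01"}}},
    {"object": CC_OBJ, "fields": {"ACTVT": {"01"}, "BUKRS": {"0002"}}},
]

def can_run(buffer, tcode, activity, bukrs):
    """A transaction needs S_TCODE and then the object check; the object
    check never asks which transaction or role the authorisation belongs to."""
    return (authority_check(buffer, "S_TCODE", TCD=tcode)
            and authority_check(buffer, CC_OBJ, ACTVT=activity, BUKRS=bukrs))

if __name__ == "__main__":
    user01 = build_user_buffer(ROLE_01, ROLE_02)
    for tcode in ("FS01", "FK01"):
        for bukrs in ("0001", "0002"):
            print(tcode, bukrs, can_run(user01, tcode, "01", bukrs))
```

Running it prints True for all four combinations, which is the cross-company result the question observed; swapping ROLE_02's activity to 02 shows that 02 on company 0001 still fails.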
Answer:
This is a good example of why TCODE-based SOX evaluation is all but useless. You want to control BUSINESS ACTIVITY, not transaction codes. SAP does not care how you get to the functionality, only that you are authorized for the functionality.
_________________
John A. Jarboe