Customer Master Security

Question: Our company gets hit every year with the audit saying we have too many users with access to customer master. We're trying to decide between cleaning up roles and just removing customer master from all roles and creating unique roles for customer master. Any advice?

Answer:
We created Field groups (OB31, OB30) to resolve this issue. We now have users gaining access to change only pre-determined fields.

The object for which you add the field group value is F_KNA1_AEN.

Hope this helps!
_________________
Thank You,
Tracy
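The sketch below is an added example, not part of the original thread or any SAP-delivered code. It shows how to check the result of the field-group approach from a role export by listing who can change customer master and which protected field groups each user can change. It assumes an export of tables AGR_1251 and AGR_USERS, the ACTVT field of F_KNA1_APP and the VGRUP field of F_KNA1_AEN; all role names, user names and field-group numbers are constructed.

```python
from collections import defaultdict

# Constructed sample rows: (AGR_NAME, OBJECT, FIELD, LOW, HIGH), assumed AGR_1251 layout
AGR_1251 = [
    ("Z_AR_CLERK", "F_KNA1_APP", "ACTVT", "02", ""),
    ("Z_AR_CLERK", "F_KNA1_AEN", "VGRUP", "10", ""),
    ("Z_SALES_GENERAL", "F_KNA1_APP", "ACTVT", "01", "03"),
    ("Z_SALES_GENERAL", "F_KNA1_AEN", "VGRUP", "*", ""),
    ("Z_DISPLAY", "F_KNA1_APP", "ACTVT", "03", ""),
]
# Constructed sample rows: (AGR_NAME, UNAME), assumed AGR_USERS layout
AGR_USERS = [("Z_AR_CLERK", "ALICE"), ("Z_DISPLAY", "ALICE"),
             ("Z_SALES_GENERAL", "BOB"), ("Z_DISPLAY", "CAROL")]
# Hypothetical field groups marked as protected in OB31/OB30
PROTECTED_GROUPS = ["10", "20"]

def covers(low, high, value):
    """True if an authorization value (single, range or full wildcard) covers value."""
    if low == "*":
        return True
    if high:
        return low <= value <= high
    return low == value  # partial patterns such as "1*" are not handled here

def role_grants(rows, role, obj, field, value):
    return any(r[0] == role and r[1] == obj and r[2] == field
               and covers(r[3], r[4], value) for r in rows)

def audit(rows, assignments, groups):
    """Return {user: protected field groups the user can change}.

    Users without change activity (02) on F_KNA1_APP are left out.
    Simplification: other customer master objects are ignored.
    """
    roles_by_user = defaultdict(set)
    for role, user in assignments:
        roles_by_user[user].add(role)
    result = {}
    for user, roles in roles_by_user.items():
        if not any(role_grants(rows, r, "F_KNA1_APP", "ACTVT", "02") for r in roles):
            continue
        result[user] = sorted(
            g for g in groups
            if any(role_grants(rows, r, "F_KNA1_AEN", "VGRUP", g) for r in roles))
    return result

if __name__ == "__main__":
    for user, groups in sorted(audit(AGR_1251, AGR_USERS, PROTECTED_GROUPS).items()):
        print(user, "can change protected field groups:", groups or "none")
```

A wildcard row such as the constructed Z_SALES_GENERAL one is what to look for first: it gives change access to every protected field group and defeats the restriction.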

Answer:
It is difficult to comment without knowing the extent of the access or the view to the master record being used which your auditors "hit" with a risk to justify this for the industry you are in? What risk do they have?

What access does this "general role(s)" provide with respect to activities and which tcodes are involved?

"We're trying to decide between cleaning up roles and just removing customer master from all roles"

If they don't need it, don't give it. Problem solved.

Track down the requirement for it being in the role (it may have been an ST01 symptom) or ask why it is required now.

"and creating unique roles for customer master. Any advice?"

Based on which tcode / object / field / value did they identify this as a risk? If it is just to keep them happy, you could change one of them (creating a new tcode works wonders) so that it no longer appears in their output.

But that would be cynical.

You say "master records", but what about the transactional data in SD or the users with access to the G/L AR accounts and see who the customers are and, in special cases, change them?

Tarr
Copyright © 2007 - 2008 www.jt77.com