This website is not affiliated with, sponsored by, or approved by SAP AG.

Auths object F_BKPF_BUK

SAP Security

Moderators: Snowy, thx4allthefish, jurjen

Post Reply
billya
Posts: 1
Joined: Thu Nov 21, 2013 4:10 am

Auths object F_BKPF_BUK

Post by billya » Fri Nov 22, 2013 12:36 am

Hi All

We have a User who is responsible to transact on SAP within two Company Codes. However, the User is reporting to two different Managers.

The one Manager wants the User to utilise transaction FB08 whilst the other one wants this restricted for his Company.

We have found that the user is allowed to run transaction FB08 for both Company Codes even though he only has access thereto for the Company Code which he is allowed to have. I have indicated to my Colleagues that due to the fact that the user has access to transaction FB08 for Company Code 4062 he will also be able to run the transaction for Company Code 1239 as Object F_BKPF_BUK dictates Company Code access with the SAP Authorisations Concept. This theory is however under discussion.

Any input regarding my theory is most welcome and I am looking forward to any suggestions in this regard.

The access profile of the User thus looks as follows:

Role1 (Transaction FB08)
S_TCODE: FB08
F_BKPF_BUK: ACTVT: 01
F_BKPF_BUK BUKRS: 4062

Role2 (F-90)
S_TCODE: F-90
F_BKPF_BUK ACTVT: 01
F_BKPF_BUK BUKRS: 1239

Role2 (GENERAL FI DISPLAY ROLE FOR OTHER COMPANY CODES)
S_TCODE: FB03
F_BKPF_BUK ACTVT: 03
F_BKPF_BUK BUKRS: 1239

Regards
Billy

Al.
Posts: 3049
Joined: Tue Feb 25, 2003 5:35 am
Location: London
Contact:

Re: Auths object F_BKPF_BUK

Post by Al. » Mon Nov 25, 2013 6:01 am

Hi,

You are correct. This is standard functionality.

You have a few options, a couple of them being:

1. Use the enhancement framework to include an additional check on one of the transactions (a developer can help with this)
2. Implement a mitigating control (and for 1 user this makes more sense based on the info available) where the dissenting manager reviews activity. Your functional team can give you options for how this can be achieved.

Cheers
http://www.turnkeyconsulting.com/

henrik
Posts: 493
Joined: Wed Oct 23, 2002 6:38 am
Location: London, UK

Re: Auths object F_BKPF_BUK

Post by henrik » Sun Dec 08, 2013 5:08 pm

For some strange reason, some people are under the impression that the auth objects only work within the role they are assigned through, so in your case, the F.90 role should not have any impact on the FB08 role.
Of course that is nonsense, but I have seen that belief being argued several times...
www.turnkeyconsulting.com.au

os
Posts: 469
Joined: Wed Dec 21, 2005 10:51 am

Re: Auths object F_BKPF_BUK

Post by os » Sat Dec 28, 2013 3:02 pm

What is the problem?

Post Reply