https://community.sap.com/t5/application-development-and-automation-discussions/sensitive-transaction-issue/m-p/7157608#M1515419 <HTML><HEAD></HEAD><BODY><P>Hi Experts,</P><P></P><P>Today we have experienced that below combination has been declared as violation in our system</P><P></P><P>Below Transactions with it's related objects</P><P>/VIRSA/VFAT</P><P>/VIRSA/ZVFAT_U02</P><P>/VIRSA/ZVFAT_U03</P><P>/VIRSA/ZVFAT_U04</P><P>/VIRSA/ZVFAT_V01</P><P></P><P>Object</P><P>S_PROGRAM for SUBMIT for any program group</P><P></P><P>Now the person having access to FF transaction has access to S_PROGRAM for many other transactions via different roles. So It is impossible that we can remove any of the side to eliminate the violation.</P><P></P><P>However we are thinking about mitigation. But before that we would like to know that what is risk involve for above combination of access??</P><P></P><P>Regards,</P><P>Arpan</P></BODY></HTML> Mon, 16 Aug 2010 07:40:17 GMT arpan_paik 2010-08-16T07:40:17Z https://community.sap.com/t5/application-development-and-automation-discussions/sensitive-transaction-issue/m-p/7157608#M1515419 <HTML><HEAD></HEAD><BODY><P>Hi Experts,</P><P></P><P>Today we have experienced that below combination has been declared as violation in our system</P><P></P><P>Below Transactions with it's related objects</P><P>/VIRSA/VFAT</P><P>/VIRSA/ZVFAT_U02</P><P>/VIRSA/ZVFAT_U03</P><P>/VIRSA/ZVFAT_U04</P><P>/VIRSA/ZVFAT_V01</P><P></P><P>Object</P><P>S_PROGRAM for SUBMIT for any program group</P><P></P><P>Now the person having access to FF transaction has access to S_PROGRAM for many other transactions via different roles. So It is impossible that we can remove any of the side to eliminate the violation.</P><P></P><P>However we are thinking about mitigation. But before that we would like to know that what is risk involve for above combination of access??</P><P></P><P>Regards,</P><P>Arpan</P></BODY></HTML> Mon, 16 Aug 2010 07:40:17 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sensitive-transaction-issue/m-p/7157608#M1515419 arpan_paik 2010-08-16T07:40:17Z https://community.sap.com/t5/application-development-and-automation-discussions/sensitive-transaction-issue/m-p/7157609#M1515420 <HTML><HEAD></HEAD><BODY><P>Arpan,</P><P></P><P>Our 5.1 system does not throw an error for this combination. The Virsa transactions can be limited in a separate authorization by the User Actions BTCSUBMIT, SUBMIT, VARIANT and Authorization Group ZVFAT*. That's also the default.</P><P></P><P>Happy Complying,</P><P></P><P>Robert</P></BODY></HTML> Mon, 16 Aug 2010 12:40:20 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sensitive-transaction-issue/m-p/7157609#M1515420 Former Member 2010-08-16T12:40:20Z https://community.sap.com/t5/application-development-and-automation-discussions/sensitive-transaction-issue/m-p/7157610#M1515421 <HTML><HEAD></HEAD><BODY><P>Hi ,</P><P></P><P></P><P>If you see the default role it will not have S_Program by default</P><P>this should be the role which has to be assigned to users who need firefighter access.</P><P></P><P></P><P>Can you validate which role from the list below you have assigned to users</P><P></P><P></P><P>/VIRSA/Z_VFAT_ADMINISTRATOR Firefighter Administrator Role with full access</P><P>/VIRSA/Z_VFAT_FIREFIGHTER Firefighter Firefighter's role</P><P>/VIRSA/Z_VFAT_ID_OWNER Firefighter FirefighID owner's role </P><P></P><P></P><P></P><P>I strongly believe that you have assigned the administrator/Owners role.</P><P></P><P>Best solution will be to identify the administrators and assign the admin roles only to them.</P><P></P><P>Make sure to have the following for S_program</P><P></P><P>User action ABAP/4 program BTCSUBMIT, SUBMIT, VARIANT P_ACTION</P><P>Authorization group ABAP/4 pro ZVFAT, ZVFAT* P_GROUP</P></BODY></HTML> Mon, 16 Aug 2010 17:08:55 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sensitive-transaction-issue/m-p/7157610#M1515421 Former Member 2010-08-16T17:08:55Z