he he he.. I wish i can.. But i don't have access to non-prod instance

You should get yourself a sandbox then to make tests in, as this is just a matter of testing, or reading  the code. Additionally you should verify the answers you get in the internet...  🙂

Sometimes the combination of multiple objects is needed, sometimes 1 stronger object can override a weaker one and in most cases config (SU24) can control the behaviour.

Where you are correct in this case is that the role has a conflict as both are required to complete the document. This means that another (probably bolt-on-role) is needed for the sales area authorization. This means you are dealing with a very unfortunate design of the roles (enabler concept) and will have to evaluate the access at a user level and not a role level as the role appears to be disfunctional.

The concept in such a case is not disfunctional, it is just rubbish. Often the cause of it is that roles must be free of being functionally capable of doing anything critical (or anything at all) so that the role concept "looks" fine, but trying to put it together at user assignment level is a nightmare.

You should not break the role concept and make it unmanageable just so that the roles look "nice" from an SOD analysis perspective, when in actual fact it is a mess and the buck is just being passed on to the assignments.

That is what you should right into your audit report as a bigger risk than the ability to create customer orders combined with anything else...

Cheers,

Julius

What I meant by "conflict" is that the user and the transaction code needs both objects: the document type and activity, and, the sales area and activity fields.

The roles contains the document type activity (01) to create but can only display (03) in the sales area it can create in. That is contradictory and mean that if the user can work at all, then there is some other "bold on" enabler role for the sales area and if the user is not meant to post sales orders then what is the authorization for the document type creation doing in the role?

-> kaput.. 

Cheers,

Julius

Thanks this helps

The risk with the enabler approach is more the folks who think it is scalable and less the use-case as exceptions.

The acid test for me is that it must be isolatable to only one or two auth objects without org.levels in them and the assignment to users must follow a logic which is related to their person. Basically you need something like derivation, but there is no derivation rule for you and the field does not support org.levels and you cannot maintain it in SU24.

In addition to your example, valid use-case is also granular controlling module access for cost center owners (at center or hierarchy node or profit center level) or release codes in purchasing. Things where you literally need to know who slept with whom to work out the role design..  🙂

To split VA01 into various enabler roles when everything you need fits into SU24 and org.levels is however a fail. There is no valid reason for it which I can imagine.

Cheers,

Julius

Besides display of sales orders not being particularly critical in any way, the user would be limited to the sales doc type OR and sales org 2000.

Where a "cross pollination" of objects would happen is create authorizations for CR + DR in 1000 and create authorizations for OR in 2000 and in both cases VA01 is used -> the user would be able to create OR in 1000 as well. But there is no number of roles which would help to get around that problem as it is at authorization instance level.

In hindsight perhaps SAP should have considered making 1 object out of it with 3 fields, instead of 2 objects each with 2 fields.

This is however a rather unlikely scenario to happen to one person though - however I have heard of consultants recommending that a completely foreign business unit (eg. Japan) perform some tasks for another (eg. Brazil) just so that SOD issues are reduced...

Cheers,

Julius

Jelena Perfiljeva wrote:


That would be a very strange setup though since these document types usually correspond to different roles in real life. 

Exactly that. The 2 objects with their activities and even document types and peripheral authorization objects which are needed can be proposed together from SU24 and make building roles for it literally idiot-proof as long as the tcode is in the menu and the status is standard.

If you check the SAP proposals then that is also always the case (proposed together, or set to "no check" together).

Hence my conclusion that someone tried to implement an enabler concept for org.levels here and, as it always does, a mess resulted beyond the imaginable boundaries of the original PowerPoint slide which was the designer of it...  🙂

That is from an audit perspective also more important and more risk for the concept than simply using SUIM to look at results of who can and who cannot.

Cheers,

Julius

Former Member thanks for the reply..  I too think these are not conflicts, but as @julius mentioned, these are not ideal authorization combination to have.