sapnote_0001600667




7/22/2019 sapnote_0001600667

http://slidepdf.com/reader/full/sapnote0001600667 1/4

27.06.2013 Page 1 of 4

SAP Note 1600667 - Transactions that conflict with themselves

 Note Language: English Version: 3 Validity: Valid Since 09.06.2013

Summary

Symptom 

A transaction code is shown as conflicting with itself. This note provides an explanation of why transaction codes may conflict with themselves.

Other terms

rule, action, permission, ruleset files, Risk Analysis and Remediation, Access Risk Management, function, delivered rules, conflict, risk

Reason and Prerequisites

Certain SAP transactions allow users to perform multiple functions, which can constitute inherent segregation of duties risks.

Solution

In the SAP delivered ruleset, there are currently 15 transactions that conflict with themselves (the list below contains 17 distinct transaction codes; F-04 appears under both risk F029 and risk F030). For some of these transactions, there are security authorization objects that can be used to limit the transaction to one function: the permissions enabled for the transaction in the two functions it is included in are different. For these, it is therefore possible to segregate in the system by setting the authorization objects appropriately, which removes the segregation of duties risk.

For other transactions, there is no way to limit the transaction through authorization objects so that it can only perform one of the functions, because both functions require the same permissions. For these transactions, there is no way via security to remove the segregation of duties risk; the only option is to apply a mitigating control to the risk.

An example would be risk F028 and transaction code F-02. A mitigating control would be for someone to run a report of manual journal entries and review it periodically to determine whether any manual journal entries were made inappropriately.
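As an added example (not code from the SAP note or from SAP GRC Access Control), the following Python models the mechanism the note describes: a risk is a pair of functions, a function maps transaction codes to the authorization-object permissions it requires, a transaction conflicts with itself when it appears in both functions of a risk, and the conflict is segregable only when the two permission sets differ. It also shows the permission-level check that clears a user whose role grants PFCG with user-master objects only, and the manual journal entry report used as the mitigating control for F028. The authorization object values (S_USER_GRP, S_USER_AGR, S_USER_PRO, F_BKPF_BUK, F_BKPF_KOA and their field values), the two roles and the document headers are constructed placeholders for illustration, not values from the delivered ruleset.

```python
"""Added example (not from the SAP note or SAP GRC): a small model of how an
access-risk ruleset is evaluated, showing why a transaction can conflict with
itself and when that conflict can be removed by authorization objects.
Risk, function and transaction names follow the note; the authorization-object
permissions attached to each function are CONSTRUCTED placeholders, not the
values of the SAP-delivered ruleset."""
from dataclasses import dataclass

# A permission is (authorization object, field, value), as in a PFCG role.
# Single values only; ranges and wildcards are not modelled.
Permission = tuple[str, str, str]


@dataclass(frozen=True)
class Function:
    fid: str
    name: str
    # transaction code -> permissions the function needs to perform it
    actions: dict[str, frozenset[Permission]]


@dataclass(frozen=True)
class Risk:
    rid: str
    f1: Function
    f2: Function


def self_conflicts(risk: Risk) -> dict[str, bool]:
    """Transactions present in both functions of the risk, mapped to whether the
    permissions differ. True: segregable by restricting authorization objects.
    False: identical permissions, so only a mitigating control can address it."""
    shared = risk.f1.actions.keys() & risk.f2.actions.keys()
    return {t: risk.f1.actions[t] != risk.f2.actions[t] for t in sorted(shared)}


def user_violates(risk: Risk, user_auths: frozenset[Permission]) -> bool:
    """Permission-level analysis: the user violates the risk only if they can execute
    at least one action of each function, i.e. they hold S_TCODE for it and every
    permission the function requires for that action."""
    def can_execute(func: Function) -> bool:
        return any(("S_TCODE", "TCD", t) in user_auths and perms <= user_auths
                   for t, perms in func.actions.items())
    return can_execute(risk.f1) and can_execute(risk.f2)


# --- constructed sample ruleset (placeholder permissions) --------------------
BS13 = Function("BS13", "Maintain User Master", {
    "SU01": frozenset({("S_USER_GRP", "ACTVT", "02")}),
    "PFCG": frozenset({("S_USER_GRP", "ACTVT", "02")}),
})
BS14 = Function("BS14", "Maintain Profiles / Roles", {
    "PFCG": frozenset({("S_USER_AGR", "ACTVT", "02"), ("S_USER_PRO", "ACTVT", "02")}),
})
AP02 = Function("AP02", "Process Vendor Invoices", {
    "FB60": frozenset({("F_BKPF_KOA", "KOART", "K"), ("F_BKPF_KOA", "ACTVT", "01")}),
    "F-02": frozenset({("F_BKPF_BUK", "ACTVT", "01")}),
})
GL01 = Function("GL01", "Post Journal Entry", {
    "F-02": frozenset({("F_BKPF_BUK", "ACTVT", "01")}),
})
BO19 = Risk("BO19", BS13, BS14)
F028 = Risk("F028", AP02, GL01)

# Constructed role granting PFCG with user-master objects only: executes BS13, not BS14.
USER_ADMIN = frozenset({("S_TCODE", "TCD", "PFCG"), ("S_USER_GRP", "ACTVT", "02")})
# Constructed role granting F-02 with its posting object: nothing separates AP02 from GL01.
GL_CLERK = frozenset({("S_TCODE", "TCD", "F-02"), ("F_BKPF_BUK", "ACTVT", "01")})

# Transactions the note lists under F028 as needing a mitigating control.
F028_MITIGATE = {"ACACACT", "ACEREV", "F-02", "FB01", "FB01L", "FB02", "FBRA", "FBV0"}


def manual_journal_report(headers, risky_users):
    """The mitigating control described in the note: pull manual journal entries
    posted through a self-conflicting F028 transaction by a user who holds the
    risk, for periodic review. `headers` are constructed BKPF-style dicts."""
    return [h for h in headers
            if h["tcode"] in F028_MITIGATE and h["user"] in risky_users]


SAMPLE_HEADERS = [  # constructed, not real postings
    {"belnr": "0100000001", "tcode": "F-02", "user": "GLCLERK1"},
    {"belnr": "0100000002", "tcode": "FB60", "user": "GLCLERK1"},
    {"belnr": "0100000003", "tcode": "FB01", "user": "AUDITOR"},
]

if __name__ == "__main__":
    for risk in (BO19, F028):
        print(risk.rid, self_conflicts(risk))
    print("USER_ADMIN violates BO19:", user_violates(BO19, USER_ADMIN))
    print("GL_CLERK violates F028:", user_violates(F028, GL_CLERK))
    print(manual_journal_report(SAMPLE_HEADERS, {"GLCLERK1"}))
```

Running the module classifies PFCG under BO19 as segregable and F-02 under F028 as not, then shows the consequence: the PFCG role restricted to S_USER_GRP executes BS13 but not BS14, so permission-level analysis reports no violation, which is what "can segregate by security" means; for F-02 both functions need the same posting permission, so the user violates F028 and the report of their manual postings is the control.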

The exact transactions that conflict with themselves are listed below, per risk:

o Risk BO19: Function BS13 - Maintain User Master and Function BS14 - Maintain Profiles / Roles
  - PFCG - Permissions are different, can segregate by security
o Risk F027: Function FI08 - Create / Change Treasury Item and Function FI09 - Confirm a Treasury Trade
  - TM_65 - Permissions are different, can segregate by security
o Risk F028: Function AP02 - Process Vendor Invoices and Function GL01 - Post Journal Entry


  - ACACACT - Permissions are not different, mitigating control required
  - ACEREV - Permissions are not different, mitigating control required
  - F-02 - Permissions are not different, mitigating control required
  - FB01 - Permissions are not different, mitigating control required
  - FB01L - Permissions are not different, mitigating control required
  - FB02 - Permissions are not different, mitigating control required
  - FBRA - Permissions are not different, mitigating control required
  - FBV0 - Permissions are not different, mitigating control required
o Risk F029: Function AR01 - AR Payments and Function GL01 - Post Journal Entry
  - F-04 - Permissions are not different, mitigating control required
  - FB05 - Permissions are not different, mitigating control required
  - FB05_OLD - Permissions are not different, mitigating control required
o Risk F030: Function AR02 - Cash Application and Function GL01 - Post Journal Entry
  - F-04 - Permissions are not different, mitigating control required
o Risk M012: Function MM03 - Enter Counts & Clear Diff - IM and Function MM04 - Goods Movements
  - MI10 - Permissions are not different, mitigating control required
  - MI40 - Permissions are not different, mitigating control required


o Risk SO20: Function SD04 - Sales Document Release and Function SD05 - Sales Order Processing
  - VA02 - Permissions are different, can segregate by security
o Risk F012: Function FA01 - Maintain Asset Document and Function FA02 - Maintain Asset Master
  - ABNAN - Permissions are different, can segregate by security.
    (Note: in the currently available latest Standard ruleset, the permissions for the ABNAN tcode are delivered identical in both Functions. It has been decided to differentiate them based on the asset Master and asset Document authorization objects. This change is scheduled for the Q3 2013 review. Any customer who would like to know the exact changes planned for Q3 2013 should raise a CSS message under the GRC-SAC-ARA component and ask for them.)

Header Data

Release Status: Released for Customer

Released on: 10.06.2013 16:09:30

Master Language: English

Priority: Recommendations/additional info

Category: FAQ

Primary Component: GRC-SAC-ARA Access Risk Management

The Note is release-independent

Related Notes

Number Short Text

1604722 Risk Analysis and Remediation Rule Update Q3 2011

1446680 Risk Analysis and Remediation Rule Update Q2 2010

1373465 Rule Upload and Rule Import - Explanation of functions

1326497 Risk Analysis and Remediation Rule Update Q2 2009

1173980 Risk Analysis and Remediation Rule Update Q2 2008

1083611 Compliance Calibrator Rule Update Q3 2007


1061380 Compliance Calibrator Rule Update Q2 2006

1050832 ME23N in Compliance Calibrator (RAR) Default rules

1035070 Compliance Calibrator Rule Update Q1 2007

1033326 Risk Analysis and Remediation Rule Upload guidance

986996 GRC Access Control- Best Practice for Rules and Risks