PR Release WF - GRC ME54N
Kjetil Kilhavn
list.sap-wug at vettug.no
Tue Aug 23 18:43:37 EDT 2016
I would counter and say that release procedures can not be used if no user
should have access to ME54N.
Best of luck when trying to convince your coworkers/opponents that the goal
should be to have "correct authorizations assigned to everyone at all times",
not "no authorization assigned to anyone at any time".
I've saw a solution where, although users had access to ME54N no business
person (but a lot of external IT people...) had access to the release code
required to release the highest-value requisitions. The business could still
carry on though, because the solution had been hacked to avoid authorization
checks by letting WF-batch run a background step to approve the release code.
The preceding step (the step where a busines user would choose to approve) had
no authorization check at all - no restriction of possible agents and no
autorization check when the step was executed.
To top it all off the change documents table was subsequently updated directly
to "correct" the user name for the change document where the release code was
approved. In that method "sy-datum" was hardcoded instead of using the
execution date of the preceding step, so when there was a delay in the
execution for some reason that method selected the wrong change document(s)
and updated them.
To me it is a perfect example of why it often does not pay off to try to
replace the SAP solutions. Customize, extend and integrate as needed - but
don't try to replace them unless you really must.
tirsdag 16. august 2016 09.43.55 CEST skrev Jeffrey A. Rappaport:
> Hey WUG’ers,
>
> Has anyone had any Clients out there that wound up restricting their Users
> from having access to both ME51N/ME52N with ME54N, due to real tight GRC
> ‘Segregation of Duties’ outcomes? And ended up having to redesign the
> entire PR Release WF process due to no one having access to ME54N?
>
> Thanx for your feedback,
>
> Jeffrey A. Rappaport
> Business Workflow Inc.
--
Kjetil Kilhavn / Vettug AS (http://www.vettug.no)
More information about the SAP-WUG
mailing list