I am an SAP R/3 4.6 security administrator and after a chat with our SAP consultants I understood that they have created some user-exits for the purchase request process (specifically the release strategy). They claim that the exits they have created define the order of the approvals that have to be made and as such even when the user has the authorization to approve a purchase request (tcode: ME54), he or she will not be able to unless it's their turn for approval. The SAP consultants have not documented the functioning of the exits they have created. However, by performing a review of the users authorizations (through RSUSR002) I have found that 60% of users are able to make approvals for the manager level (that should be around 5% of users). How can I better check that the process is adequatly secured? Could it be that the 60% of users cannot perfom an approval at the manager level because of the exit? Note that they have all the required authorizations and transaction (ME54) for that.
Unfortunately, since the consultants coded in specific user exits for the approval functionality, none of the SAP delivered reports are going to be reliabe in determing who has what (unless the code is looking for a specific auth value). It sounds like that built some sort of workflow functionality into the transaction to allow it to wait for different approvers. I would have an ABAP person evaluate the code and document its intentions.
Dig Deeper on SAP security
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.