Hi
During a recent review of GRC rule sets for HR, I came across certain OM Tcodes for which object PLOG is not being checked; instead, only P_ORGIN is being checked in the ruleset, i.e., the SoD analysis will get all the users having the Tcode and P_ORGIN values, irrespective of whether they have PLOG defined in their profile. (For example, for Tcodes like PO14 and PO01, included in the HR05 function, P_ORGIN values are being checked.)
On further testing, it was observed that one can make changes in certain OM infotypes (IT1000) irrespective of P_ORGIN values, i.e., only on the basis of change access provided for PLOG. These changes were not reflected on the PA side, though. For example, I could create a Job with values only for PLOG; however, I could not assign the same to a person, since P_ORGIN was missing.
However, on assigning only P_ORGIN without PLOG, I was unable to execute the transaction.
While I understand that P_ORGIN would be necessary due to the PA-OM integration, I am trying to validate which is the more crucial object.
Hence, I request inputs from Security team members who have handled HR authorisations to share their insights on which of the objects, PLOG or P_ORGIN, is more relevant for OM Tcodes. It would be great if we can also debate which object should be enabled in GRC.