Solved: auth/object_disabling_active

Former Member · ‎08-14-2008

auth/object_disabling_active

Hello what exactly does this system parameter and should this be active. I know that it means This parameter allows checks on individual objects to be switched off globally within SAP

But in simple terms what does this mean.

Thanks.

Maritza

Former Member · ‎08-14-2008

I believe that this parameter is active by default. (Default value = Y). So for all practical purposes your system parameter may already be activated to globally ignore authorization object checks. However, you may have noticed that your system does not behave as if all auth checks are ignored. The reason being, this setting in itself has no meaning. It is just a prerequisite for globally deactivating auth objects.

To deactivate an auth objects you would have to use transaction AUTH_SWITCH_OBJECTS and in the subsequent tree select (de-select rather) the object you want deactivated. Objects in object class BC and HR are exception to this rule for obvious reasons.

Whether or not you should utilize this feature depends on how certain you are that once an object is deactivated it will not be necessary to reactivate later. Deactivation certainly has its advantages -- for example, your role design could become lean or easy to manage and upgrades or support packs will not switch the changes back to previous state. However, if for some reason you choose the re-activate an object, consider the number of roles/profiles you would need to adjust. In short: Be careful what you ask for.

Hope this helps.

Former Member · ‎08-14-2008

I believe that this parameter is active by default. (Default value = Y). So for all practical purposes your system parameter may already be activated to globally ignore authorization object checks. However, you may have noticed that your system does not behave as if all auth checks are ignored. The reason being, this setting in itself has no meaning. It is just a prerequisite for globally deactivating auth objects.

To deactivate an auth objects you would have to use transaction AUTH_SWITCH_OBJECTS and in the subsequent tree select (de-select rather) the object you want deactivated. Objects in object class BC and HR are exception to this rule for obvious reasons.

Whether or not you should utilize this feature depends on how certain you are that once an object is deactivated it will not be necessary to reactivate later. Deactivation certainly has its advantages -- for example, your role design could become lean or easy to manage and upgrades or support packs will not switch the changes back to previous state. However, if for some reason you choose the re-activate an object, consider the number of roles/profiles you would need to adjust. In short: Be careful what you ask for.

Hope this helps.

Former Member · ‎08-16-2008

> auth/object_disabling_active

> ...

> But in simple terms what does this mean.

Not all, but most parameters which can be changed in customer systems (others are "owned" by SAP only) have some documentation in transaction RZ11 (or report RSPFPAR). This would normally explain how the parameter works, which dependencies there are, whether it is dynamic or not, etc.

My understanding is the same as Ashutosh - the param only determines whether or not transaction auth_switch_objects can be used in that system, regardless of the authority of the user (atleast for a while and whether already deactivated objects will be ignored in the authority-check.

"Ignore" = the return code in system field SY-SUBRC is globally set to 0 for any authority-check against the deactivated object.

There used to be some old transactions which worked in a similar way - but those have been deactivated as well.

Cheers,

Julius