12-13-2008 6:48 PM
Gurus,
For a particular authorization object I have given value 02 but not 03. Does it mean he can still view it because he has authorization for change? If you need to change something you need to have display access right.
Thanks for your help
12-13-2008 8:12 PM
There is no clear answer to this, without knowing the program context.
But generally, the user will be able to change with an activity authorization value of '02' even if they don't have '03' at all. What it will do, is that their navigation means to those program contexts will be restricted as many will check '03' at the start of the transaction (the user must have something... otherwise they have nothing to look for here...).
But if the user is already in the context of a "change mode" or their navigation assumes "change mode" in its call, then '02' is enough. Note that if it fails, then '03' is often checked and if okay then the mode is switched to display.
This can be used in several ways to prevent certain navigation and also to prevent certain screens from appearing... e.g. ones which have mandatory selection criteria.
Certainly if you have attempted a "Display All Role", then it is best to not mix it with any other role assigned to the same user at the same time which relies too heavily on the access points (the transaction codes) to enter the functionality.
You can use '03' to grant access to a user to navigate in a certain application area. Generally, they will be able to do so regardless of S_TCODE and will change anything they are authorized to change '02' without necessarily having the tcode for it. You need to use more granular checks (sometimes on optional objects) to restrict the access if you want to open all the '03' access.
Many folks do not understand this navigability, and sometimes developers also don't check the correct granular authority because they are expecting some obscure tcode to protect it....
Hope that helps you a bit. These checks have changed over time, but the above is my opinion on it.
Cheers,
Julius
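
The check order described in the answer above, as an added ABAP example that is not part of the original thread and not SAP's own code. The authorization object ZDEMO_OBJ (single field ACTVT), the report name and the form names are hypothetical.

```abap
REPORT zdemo_actvt_modes.

* ZDEMO_OBJ is a hypothetical authorization object with the single
* field ACTVT; '02' = change, '03' = display.
CONSTANTS: gc_object  TYPE c LENGTH 10 VALUE 'ZDEMO_OBJ',
           gc_change  TYPE c LENGTH 2  VALUE '02',
           gc_display TYPE c LENGTH 2  VALUE '03'.

PARAMETERS p_chg AS CHECKBOX DEFAULT 'X'.  "caller asks for change mode

DATA gv_mode TYPE c LENGTH 1.              "'C' = change, 'D' = display

START-OF-SELECTION.
  PERFORM determine_mode USING p_chg CHANGING gv_mode.
  IF gv_mode IS INITIAL.
    MESSAGE 'No authorization for ZDEMO_OBJ' TYPE 'E'.
  ENDIF.
  WRITE: / 'Mode granted:', gv_mode.
  IF gv_mode = 'C'.
    PERFORM save_changes.
  ENDIF.

FORM determine_mode USING iv_want_change TYPE c
                    CHANGING cv_mode TYPE c.
  CLEAR cv_mode.
  IF iv_want_change = 'X'.
*   Change-mode entry: only '02' is checked, '03' is not required.
    AUTHORITY-CHECK OBJECT gc_object ID 'ACTVT' FIELD gc_change.
    IF sy-subrc = 0.
      cv_mode = 'C'.
      RETURN.
    ENDIF.
  ENDIF.
* Display entry, or fallback to display after a failed '02' check.
  AUTHORITY-CHECK OBJECT gc_object ID 'ACTVT' FIELD gc_display.
  IF sy-subrc = 0.
    cv_mode = 'D'.
  ENDIF.
ENDFORM.

FORM save_changes.
* Re-check '02' at the point of change instead of relying on the
* transaction code (S_TCODE) the user entered through.
  AUTHORITY-CHECK OBJECT gc_object ID 'ACTVT' FIELD gc_change.
  IF sy-subrc <> 0.
    MESSAGE 'No change authorization' TYPE 'E'.
  ENDIF.
  WRITE: / 'Change permitted for this user.'.
ENDFORM.
```

A user holding only '02' gets mode 'C' when the call assumes change mode and nothing when it assumes display; a user holding only '03' always lands in mode 'D'.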
12-17-2008 9:02 AM
Hi,
You can get view access when you have 02(change) access.
Regards,
Digambar
12-17-2008 9:05 AM
> You can get view access when you have 02(change) access.
Can you please tell us on which information (SAP website links etc) you have based this answer?