Authorizations

Former Member
0 Kudos

If you have the same auth object listed in a role multiple times, which one takes precedence? I was under the impression that the most recent entry, the one with the highest number, was the object checked and the others would be ignored.

For example, in my role AG_CRM_PROJECT_TEAM I have the auth CRMICM_ALL listed twice:

CRMICM_ALL

T-D128001400

ACT: 16

and

CRMICM_ALL

T-D128001401

ACT: 16

Both authorizations are active. If you have the same authorization listed multiple times with different values, which auth is checked and valid? If only the auth with the highest ending number (401) is checked, can I set the other auths to inactive? I would think that any authorization which is listed and active would be checked and either allow/disallow access. So to my way of thinking only the most recently generated authorizations should be active; everything else which isn't explicitly needed should be deactivated. I hope I made this question clear enough.

Thanks

Todd

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Todd,

If authorizations are listed twice, then it will combine both authorizations and combination of field values is checked.

Regards,

Sneha

6 REPLIES 6

0 Kudos

> Hi Todd,
>
> If authorizations are listed twice, then it will combine both authorizations and combination of field values is checked.

Hi Sneha,

this is not true.

Each authorization is checked itself. Values of different authorizations are not combined.

It does not matter, which authorization has been created when. The Kernel simply checks one assigned authorization after the other until the check is successful. If no fitting authorization is found, the check fails.

This check never combines values of different assigned authorizations....

b.rgds

Bernhard

0 Kudos

Bernhard-

Does this mean all authorizations and activities are checked? If that is the case then I would imagine only the latest authorization and fields should be active in the profile. Otherwise outdated authorizations could be checked and permit the user to execute or access things he/she shouldn't.

Is there any reason why you would want the same auth listed multiple times with different values? Again, I would think this could cause problems.

Thanks everyone for your input.

Todd

0 Kudos

I think what Bernhard is referring to (and where Sneha's comment is misleading...) is that authorization objects can have multiple fields.

To be able to achieve a scenario where the user can change some documents, but only delete some others, and display all except a few... the authorization instances of that object are not combined.

> Is there any reason why you would want the same auth listed multiple times with different values?

You achieve the above by having "same object listed multiple times with different values in different auths".

Cheers,

Julius
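
A simplified model of the check behaviour described in the replies above, added here as an illustration; it is not code from any poster or from SAP. The object `Z_DOC`, the field `DOC_TYPE` and the sample values are hypothetical, and `check_combined` exists only to show the "values are merged" reading for contrast.

```python
# Simplified model of the check described in the thread; not SAP code.
# Object Z_DOC and field DOC_TYPE are hypothetical. ACTVT values follow the
# usual SAP activity codes: 02 = change, 03 = display, 06 = delete.

def field_matches(allowed, value):
    """A field passes if the authorization holds the value or the '*' wildcard."""
    return "*" in allowed or value in allowed

def check_per_authorization(authorizations, required):
    """Thread's description: test one authorization after the other and stop at
    the first one whose own field values satisfy every required field."""
    for auth in authorizations:
        if all(field_matches(auth.get(f, set()), v) for f, v in required.items()):
            return True
    return False

def check_combined(authorizations, required):
    """The incorrect mental model: merge the values of all authorizations
    field by field, then check against the merged set."""
    merged = {}
    for auth in authorizations:
        for f, vals in auth.items():
            merged.setdefault(f, set()).update(vals)
    return all(field_matches(merged.get(f, set()), v) for f, v in required.items())

# Constructed sample: two active authorizations for the same object in one role.
ROLE_AUTHS = [
    {"ACTVT": {"02", "03"}, "DOC_TYPE": {"OFFER"}},    # change/display offers
    {"ACTVT": {"06"}, "DOC_TYPE": {"DRAFT"}},          # delete drafts
]

def demo():
    delete_offer = {"ACTVT": "06", "DOC_TYPE": "OFFER"}
    delete_draft = {"ACTVT": "06", "DOC_TYPE": "DRAFT"}
    return {
        "delete_offer_per_auth": check_per_authorization(ROLE_AUTHS, delete_offer),
        "delete_offer_combined": check_combined(ROLE_AUTHS, delete_offer),
        "delete_draft_per_auth": check_per_authorization(ROLE_AUTHS, delete_draft),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In this model, deleting an offer fails under the per-authorization check and would pass only if values were merged. A leftover active authorization with wider values makes the same check pass regardless of when it was generated, which is the reason to review every active instance of an object during role cleanup.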

0 Kudos

Thank you for clearing that up Julius, I understand completely. I'm trying to clean up some of the work from our SI and a few things I have seen simply don't make sense to me.

Thank you everyone who answered this question!

Todd

Former Member
0 Kudos

Hi Todd,

Please refer to the following SAP note. I think it should clear all your doubts and also show you how to deal with such situations.

SAP Note 679050: https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=679050

Regards,

Subbu