Rebuild Authorizational data (User Buffer) Dynamically

Former Member
0 Kudos

We want to rebuild the authorizational data in a user's buffer by adding additional authorizations (auth obj with field values) during the logon procedure (user exit), by executing a function module which will read a custom table. However, this has to be dynamic; that is, we do not want the user to have to log off.

Any help is welcome!

Mushtaq Mahmood

Saudi Aramco

1 ACCEPTED SOLUTION

WolfgangJanzen
Product and Topic Expert
0 Kudos

May I know what the rationale behind this inquiry is?

Why does a static assignment of authorizations (via roles) not satisfy your requirements?

Regards, Wolfgang

12 REPLIES

Former Member
0 Kudos

Bad idea to reconstruct the buffer after login without making the "real changes" as well. The buffers will be synced every so often (you can control this to some extent) and the users will lose their access.

Rather have a role (or worst case a profile) to assign to the user in the exit. Take a look at the user BAPIs.

Note that you can only use this exit you are referring to for SAPGui based logins.

Cheers,

Julius

Former Member
0 Kudos

Hi,

Check this SAP document: http://www.scribd.com/doc/6999692/SAP-Security-System-Parameters

Also, if you set the parameter auth/new_buffering value to 4, the authorizations are updated dynamically without the user logging out.

Regards,

Gowrinadh

Former Member
0 Kudos

As a large corporate user, we want to replicate a similar authorization concept, such as the structural authorizations (in HR) based on positional authorizations, in the core applications such as finance, controlling, plant maintenance etc.

Most of our organizational levels are so fluid that it takes lots of resources (time and manpower) to actually realize it into authorization roles and assignments. Another reason is that the SAP developers who developed these modules did not have a future vision (unlike the SAP HR developers !!!).

So instead of creating thousands of roles (we call these "variant") and assigning these to the thousands of users, we wanted to capture this in a more dynamic way, where if an organizational level changes, then the user's authorizations reflect these changes instantly, without going through the pain of creating a new "variant" role, deassigning the previous role and assigning the new role.

The way we plan to do this is to use the logon user exit to "read" a dynamic structure we are building for each of the organizational levels and then build up the authorization information required in the user's buffer. Basically replacing the work of the USRBF3 table.

Thanks for the info on preventing the refresh of the user buffer by changing the parameter!

0 Kudos

I would be very careful of this.

Buffers, like caching, can become invalidated or corrupt so there are mechanisms to refresh or correct them after logon or a period of time has elapsed. This can be as little as 2 minutes apart as far as I know, depending on the memory area.

Additionally, saving of a change in SU01 etc or the import of a role which IS already assigned to a user will refresh the buffers as well and possibly wipe your dynamic buffer away if it thinks that you have also removed the role (or profile) when saving.

Depending on how you code this, it might even write the dynamic buffer data to the database, making it permanent and "stranded" data, which you might only be able to remove by synchronizing the tables again and resetting the buffers. If you do that while all your other dynamically authorized users are logged on, it will cause a mess when they suddenly lose their access.

I would keep the USRBF3 mechanism and consider scheduling report RSUSR405 regularly to simulate a change in case there is something wrong...

Being a large organization with many orgs and users to administrate over a possibly large number of different systems, perhaps it is worth your while to take a look into an IdM (Identity Management System).

I am sure you will find one which is more supported and sustainable than a reconstructed user buffer...

Cheers,

Julius

Edited by: Julius Bussche on May 11, 2009 2:20 PM

WolfgangJanzen
Product and Topic Expert
0 Kudos

> Additionally, saving of a change in SU01 etc or the import of a role which IS already assigned to a user will refresh the buffers as well and possibly wipe your dynamic buffer away if it thinks that you have also removed the role (or profile) when saving.

This is a very valid point.

Your approach (to manipulate the cached objects) is very dangerous / unstable.

To me it sounds that you are trying to compensate for a functional deficit of the ABAP Profile Generator (generic roles). What you actually need is a "role generator" (which could then "feed" the existing profile generator).

Regards, Wolfgang

0 Kudos

> To me it sounds that you are trying to compensate for a functional deficit of the ABAP Profile Generator (generic roles). What you actually need is a "role generator" (which could then "feed" the existing profile generator).

This rings a bell! In SAP ISDFPS they're doing just that. I'll see if I can find links to documentation.

0 Kudos

> I would be very careful of this.

> Additionally, saving of a change in SU01 etc or the import of a role which IS already assigned to a user will refresh the buffers as well and possibly wipe your dynamic buffer away if it thinks that you have also removed the role (or profile) when saving.

Valid point... In addition, PFUD also re-populates the buffer.

Former Member
0 Kudos

Hi,

I was just wondering how you finally addressed this issue?

I have a similar need, whereby I am trying to avoid having to build 1000 derived roles simply to assign a different Plant to a user for the EHS Industrial Hygiene & Safety module. I would like to have some way of dynamically assigning the Plant Authorisation at login, based on a custom relationship between Position to Work Area & hence Plant.

Thanks,

Stephen

0 Kudos

A more reliable way would be to create 1 template role, download and replicate it for all the plants, and then upload the lot into SAP again.

You can then use an indirect way to assign the corresponding roles to the users via "Position to Work Area" without middling around in the buffers and logon exits.

Cheers,

Julius

Former Member
0 Kudos

Thanks for that Julius

Edited by: Stephen Hall on Nov 17, 2009 8:57 AM

0 Kudos

If you want to create your own indirect role assignment (and possibly don't have an org structure to re-use either) then there are also other ways if you choose the criteria for the assignment carefully. There are many ugly ways of doing this, but ones which in my opinion are okay as well.

A good ABAPer will be able to help you. If you have doubts, then I recommend that you start a question thread of your own explaining exactly where you have doubts, then we might be able to help.

The above mentioned techniques are not a reliable solution, not even to mention adding yet another runtime-only security concept to your system (per key field...per user, per object!) and typically no audit trail either.

To be honest with you, the security design of EH&S is on a par with IS-OIL in my opinion... They have the habit of tempting you into doing things against your better judgement...

Cheers,

Julius