Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

authorization object: 'star' and 'all of the value'

Former Member

‎09-22-2009 2:36 AM

0 Kudos

hello all

i had got a problem.

my company code is 1100,and there are 7 plants belong to it.

i create a authorization object 'AAA'. I set the company code 1100,and i chose all of the 7 plants.

but when i run Tcd 's_alr_87011963'--asset balances,i got messages that i have no authorization on company code 1100.

i can run this tcd,the message appear in the output result.

then i changed that plant to '*', the problem was resolved.

and today i change this '*' to 7 values,it's also ok.

are there any different between 'star' and 'all of the value'?

and anyone get any idea about my problem?

thanks.

best regard. zokii

6 REPLIES 6

Former Member

‎09-22-2009 7:59 AM

0 Kudos

Dear Zokii,

As per my understanding, there is no difference between '*' and all values which you entered for plants.

Both works same.

And your problem may be because of not generating the profile or user comparison .

This is possible when you tried it again today , user is compared and you get the authorisation.

Regards,

Varun

Bernhard_SAP
Employee
Employee
In response to Former Member

‎09-22-2009 8:05 AM

0 Kudos

Hi Varun,

it is not the same in all cases. If the coding asks explicitely for '', it has to be assigned. All single values are not sufficient. Good example is the hidden check for the display of the buttons 'Other menu','Assign users',... in session manager. You need full auth for the authorization values checked ('' explicitely').

b.rgds, Bernhard

jurjen_heeck
Active Contributor
In response to Former Member

‎09-22-2009 8:59 AM

0 Kudos

> Good example is the hidden check for the display of the buttons 'Other menu','Assign users',... in session manager. You need full auth for the authorization values checked ('*' explicitely').

Another one is the authority to regenerate SAP_ALL, I believe that needs a * in S_USER_AGR.

Former Member

‎09-22-2009 9:29 AM

0 Kudos

Hi,

You can do the ST01 authorization trace analysis to know the required authorizations. Then role can be modified accordingly.

Regards,

Sandip.

fredrik_borlie
Contributor

‎09-22-2009 2:12 PM

0 Kudos

In addition to the very good responses I can only add the futuristic approach.

Cause if you add * instead of mark all values, every new value you activate is always granted.

In my humble opinion you should always try to use the select all activities, cause if you decide to expand some values, the roles have to be analyzed and changed accordingly.

If you only select what you need, you dont have to modify any roles that get too much access. Only create/adjust the roles that should allow the access.

/fredrik

jurjen_heeck
Active Contributor
In response to fredrik_borlie

‎09-22-2009 2:25 PM

0 Kudos

> In my humble opinion

Don't be humble, you've just proven to understand what authorizations are about and it's not about being lazy now and paying the price in the future! Very good point indeed.

Luckily OP wasn't considering to be lazy but frowned upon unexpected system behaviour.