Application Development Discussions
Duplicate authorization object, which does SAP check?

Former Member
0 Kudos

Hi everyone,

I just have a question regarding duplicate authorization object in a role.

For example, I have the authorization object S_ADMI_FCD; one entry has only the values AUDD, BTCH, COLA, and the same object appears in the same role with * as the value. Which one is SAP checking, the more restrictive authorization object or the one that has the *? Or is SAP checking both objects and looking at whether the user has the authorization?

This is the same as a user having two different roles with the same authorization object but different values in the authorization object for the different roles. Which does SAP check?

Thank you always.

Regards,

Joy

9 REPLIES

Former Member
0 Kudos

Hi Marjorie,

SAP checks the complete user master record, which in your scenario contains different instances of the same authorization object (e.g. S_ADMI_FCD). SAP always checks each instance of the object across the roles assigned to the user.

For example:

Instance - 1
Object 1: ABC
Field 1: ABC1 Value: 01
Field 2: ABC2 Value: 24

Different instance of the same object (can exist in the same or a different role):

Instance - 2
Object 1: ABC
Field 1: ABC1 Value: 03
Field 2: ABC2 Value: 28

Now if there is an authorization check which checks for any of the above values it will give you a successful check, i.e. the user will have the authorization. If something like the following is checked, it will throw an authorization issue:

Object 1: ABC
Field 1: ABC1 Value: 08
Field 2: ABC2 Value: 28

because the above values do not exist in any of the instances above. Hope this clarifies your doubt.

Now if you add a role containing the following instance of the same object, it will give full access for the object and hence bypass all the values:

Instance - 3
Object 1: ABC
Field 1: ABC1 Value: *
Field 2: ABC2 Value: *

Hence SAP checks for the values in all the instances of a particular object which are assigned to a user through multiple roles. Let us know if you need any more information on this.

Edited by: sap.sec.akshay on Dec 28, 2009 7:44 PM

Former Member
0 Kudos

Akshay is correct, with a little tweak in this case as the object only has 1 field.

So it does not matter where the value comes from or in which combination with other fields of the same object it is found, in which instances, profiles, roles, you name it...

It is either there - as a value, a wildcard, within a range or a * anyway... or it is not.

What the system might however do is use 2 values for the same field in 2 checks which together build the end result of the check, but again it does not matter which authorization source they come from:

* Flags set by the checks below; declared here so the snippet compiles on its own
DATA: MAY_THIS_CLIENT TYPE C LENGTH 1,
      MAY_ALL_CLIENTS TYPE C LENGTH 1,
      MAY_I_KNOW      TYPE C LENGTH 1.

FORM PROGRAM_INIT.

* All the rest allowed to this user? (SPTD = client-independent TemSe administration)
  AUTHORITY-CHECK OBJECT 'S_ADMI_FCD'
                  ID     'S_ADMI_FCD'
                  FIELD  'SPTD'.
  IF SY-SUBRC <> 0.
*   No authority for client-independent TemSe administration,
*   so check the client-dependent value SPTR instead
    AUTHORITY-CHECK OBJECT 'S_ADMI_FCD'
                    ID     'S_ADMI_FCD'
                    FIELD  'SPTR'.
    IF SY-SUBRC = 0.
*     Authority only for client-dependent TemSe administration
      MAY_THIS_CLIENT = 'X'.
    ENDIF.
  ELSE.
*   SPTD covers this client and all others
    MAY_THIS_CLIENT = 'X'.
    MAY_ALL_CLIENTS = 'X'.
  ENDIF.
  MAY_I_KNOW = 'X'.

ENDFORM.                    " PROGRAM_INIT

Cheers,

Julius

Former Member
0 Kudos

Hello,

You can also take a trace in ST01 for any one user who has this object with different instances to see which objects and values it is checking for,

And in the above case you will find return code = 0 for the object for all field values.

Julius is correct, it checks for all instances in the user master record.

You can also try Merge authorizations in the role: go to Utilities -> Merge authorizations. I think this will merge the different instances of the same object, and so it's clear that SAP will check all available instances.

Thanks

Former Member
0 Kudos

So, let me get this straight:

If a user has 2 roles like:

Role 1: ZDISPLAY_ALL_COMPANIES

Authorization Object = ABC

Organization Object = *

Activity = 3

Role 2: ZCHANGE_ COMPANY_NL01

Authorization Object = ABC

Organization Object = NL01

Activity = 2

The user actually can also change the data in another company like BE01, even though he was only granted change for company NL01 as per role 2?

And if this is indeed the case, how would you achieve that a user can display data for all companies but only is allowed to change the data for a specific company?

Especially when you work for a multinational/global company with several branches/companies, you can imagine that particular users should be able to display (only) data of all branches/companies, but can change the data for the branch/company that he's responsible for...

I find it hard to believe that this cannot be achieved within SAP standard authorization functionality...

0 Kudos

> So, let me get this straight:
>
> If a user has 2 roles like:
>
> Role 1: ZDISPLAY_ALL_COMPANIES
>
> Authorization Object = ABC
> Organization Object = *
> Activity = 3
>
> Role 2: ZCHANGE_ COMPANY_NL01
>
> Authorization Object = ABC
> Organization Object = NL01
> Activity = 2
>
> The user actually can also change the data in another company like BE01, even though he was only granted change for company NL01 as per role 2?

No, they are separate authorisations (value sets). User can only change data for NL01 and only display data for all orgs.

You will only get the situation you are talking about for an auth object with a single value.

> And if this is indeed the case, how would you achieve that a user can display data for all companies but only is allowed to change the data for a specific company?

As it's not the case, what you have detailed above will provide what you have described.

> Especially when you work for a multinational/global company with several branches/companies you can imagine that particular users should be able to display (only) data of all branches/companies, but can change the data for the branch/company that he's responsible for...

Ah, the joys of data visibility. Not a problem to achieve what you are talking about.

> I find it hard to believe that this cannot be achieved within SAP standard authorization functionality

Your disbelief is well founded.
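Akshay's and Julius's replies above and this answer all describe the same rule: every instance (value set) of an object from every assigned profile sits in the user buffer, and a check passes only if one single instance satisfies all requested fields at once. The following Python model is an added illustration, not SAP code and not from anyone in this thread; object ABC, the field names ORG and ACTVT, and the buffer contents are constructed stand-ins for the thread's examples.

```python
# Added model of the authority check described in this thread (not SAP code). A user's buffer
# holds every instance (value set) of an object from all profiles; a check passes only if ONE
# instance satisfies EVERY requested field at once. ABC, ORG and ACTVT are constructed names.
from dataclasses import dataclass

@dataclass
class Instance:
    obj: str
    fields: dict  # field name -> list of allowed values; a (low, high) tuple is a range

def value_matches(allowed, actual):
    """Compare one maintained value with one requested value using SAP's value forms."""
    if isinstance(allowed, tuple):      # FROM-TO range
        low, high = allowed
        return low <= actual <= high
    if allowed == "":                   # empty field value grants nothing
        return False
    if allowed == "*":                  # full wildcard
        return True
    if allowed.endswith("*"):           # trailing wildcard such as 'NL*'
        return actual.startswith(allowed[:-1])
    return allowed == actual

def instance_matches(inst, required):
    """Every requested field must be satisfied within this single instance."""
    return all(any(value_matches(a, want) for a in inst.fields.get(f, []))
               for f, want in required.items())

def authority_check(buffer, obj, **required):
    """Mimic SY-SUBRC: 0 if some instance of obj grants all fields, else 4."""
    return 0 if any(i.obj == obj and instance_matches(i, required)
                    for i in buffer) else 4

# Constructed buffer: Joy's S_ADMI_FCD instances and the two-role ABC case above.
RESTRICTED = Instance("S_ADMI_FCD", {"S_ADMI_FCD": ["AUDD", "BTCH", "COLA"]})
FULL = Instance("S_ADMI_FCD", {"S_ADMI_FCD": ["*"]})
DISPLAY_ALL = Instance("ABC", {"ORG": ["*"], "ACTVT": ["03"]})     # role ZDISPLAY_ALL_COMPANIES
CHANGE_NL01 = Instance("ABC", {"ORG": ["NL01"], "ACTVT": ["02"]})  # role ZCHANGE_ COMPANY_NL01

if __name__ == "__main__":
    # Single-field object: adding the '*' instance makes any value pass.
    print(authority_check([RESTRICTED], "S_ADMI_FCD", S_ADMI_FCD="SPTD"))        # 4
    print(authority_check([RESTRICTED, FULL], "S_ADMI_FCD", S_ADMI_FCD="SPTD"))  # 0
    # Multi-field object: values are never mixed across instances, so BE01 stays display-only.
    roles = [DISPLAY_ALL, CHANGE_NL01]
    print(authority_check(roles, "ABC", ORG="NL01", ACTVT="02"))  # 0
    print(authority_check(roles, "ABC", ORG="BE01", ACTVT="03"))  # 0
    print(authority_check(roles, "ABC", ORG="BE01", ACTVT="02"))  # 4
```

Deactivated objects are not modelled because, as noted later in the thread, they never reach the generated profile and so never enter the buffer.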

bashayreh
Explorer
0 Kudos

Dears

I would like to make sure that I understood that:

if the authorization object is repeated for a single user in different roles and the authorization object has more than one field,

then the user will be authorized if he matches the combination of values in any one of the roles.

My questions now:

1) what if the authorization object appears in a role and at least one of its fields has an empty value while other fields have values defined for them?

2) what if the authorization object is listed in one role but deactivated while it is defined in other roles?

Thank you

0 Kudos

Check the contents of the actual profile for such a role (via SUIM for instance) and you can see for yourself if and how empty fields or disabled objects end up in the profile. It's the profile that really matters for the authorization check, not the role.

bashayreh
Explorer
0 Kudos

Thank you Jurjen

Do you mean the user profile?

Can you please give details on how to display the user profile?

Best regards

0 Kudos

I mean the profile that belongs to the role. Once you have maintained authorizations in a role you generate the profile, hence PFCG is the Profile Generator. Go to transaction SUIM -> Profiles -> By Profile name to have a close look at its contents and view the differences with what's in PFCG's authorization tab.

As suggested in another thread here, you can also view a user's buffer (SU56) after assigning this role to view the effective authorizations.

Bottom line: Empty values will not bring surprise authorizations, and deactivated objects do not make it to the profile, so they have no effect whatsoever.