02-03-2010 3:49 AM
Will anyone please confirm for me how authorization checking works with a combination of profiles in SAP? Suppose I set two profiles for a user. In one profile, I grant authorization object F_BKPF_BES with value 3/001, and in another profile, I grant F_BKPF_BES 1/002. Will the system reckon that the user has been granted F_BKPF_BES (1,3)/(001,002), or will it consider the two profiles separately?
Regards
Robbie
02-08-2010 5:59 PM
> Will the system reckon that the user has been granted F_BKPF_BES (1,3)/(001,002), or will it consider the two profiles separately?
Separately. The other two replies are not an answer to your question. You can safely ignore them. You'll find tons of useful info if you have a look at the sticky thread in the Netweaver forum.
03-25-2010 2:43 PM
Just a short thing from my own experience:
Beware that the authorisations are not checked based on the roles.
e.g. I can give a user authorisation to a transaction, with possibilities to post to GL only.
Another role might be added, allowing AP postings, but not access to the S_TCODE.
Anyhow, in the transaction, the user will then be able to post both to GL and AP as the objects are not checked in combination with e.g. the S_TCODE.
I hope what I'm trying to explain makes sense.
03-29-2010 5:55 PM
The answer to your question is yes. All the authorisations are loaded in the user buffer when the ID logs in and are combined to maximise the user buffer. Therefore your authorisations will be seen as if they are all combined.
I hope that helps.
Amrit
03-29-2010 6:23 PM
> All the authorisations are loaded in the user buffer when the ID logs in...
Yes, the references to the authorizations are loaded, per authorization(!) for each object.
> ... and are combined to maximise the user buffer.
Not completely. Authorizations are generated per role and per object. You cannot mix the field values of the objects in different authorizations.
> Therefore your authorisations will be seen as if they are all combined.
The consequence is combinations of all roles, per object. Not per field. Otherwise you could not create authorizations which permit you to display some values and change only a subset of them.
Cheers,
Julius
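The per-authorization check discussed in this thread, as a simplified Python model added here for illustration (not SAP code and not written by any poster). It assumes "3/001" means activity 03 with authorization group 001, uses ACTVT, BRGRU and TCD as field names, uses a constructed transaction code ZDEMO, and ignores value ranges.

```python
# Constructed user buffer: one entry per authorization, kept separate per profile.
USER_BUFFER = [
    {"profile": "P1", "object": "F_BKPF_BES",
     "fields": {"ACTVT": {"03"}, "BRGRU": {"001"}}},
    {"profile": "P2", "object": "F_BKPF_BES",
     "fields": {"ACTVT": {"01"}, "BRGRU": {"002"}}},
    {"profile": "P1", "object": "S_TCODE", "fields": {"TCD": {"ZDEMO"}}},
]


def field_matches(granted, wanted):
    """A field passes if the granted set holds the value or the '*' wildcard."""
    return "*" in granted or wanted in granted


def authority_check(buffer, obj, **wanted):
    """Pass only if ONE authorization for obj covers every requested field."""
    return any(
        auth["object"] == obj
        and all(field_matches(auth["fields"].get(f, set()), v)
                for f, v in wanted.items())
        for auth in buffer
    )


def naive_merged_check(buffer, obj, **wanted):
    """The misconception: union field values across authorizations first."""
    merged = {}
    for auth in buffer:
        if auth["object"] == obj:
            for field, values in auth["fields"].items():
                merged.setdefault(field, set()).update(values)
    return all(field_matches(merged.get(f, set()), v) for f, v in wanted.items())


def run_transaction(buffer, tcode, **posting):
    """Two independent checks; neither records which profile satisfied it."""
    return (authority_check(buffer, "S_TCODE", TCD=tcode)
            and authority_check(buffer, "F_BKPF_BES", **posting))


if __name__ == "__main__":
    for actvt in ("01", "03"):
        for brgru in ("001", "002"):
            real = authority_check(USER_BUFFER, "F_BKPF_BES", ACTVT=actvt, BRGRU=brgru)
            naive = naive_merged_check(USER_BUFFER, "F_BKPF_BES", ACTVT=actvt, BRGRU=brgru)
            print(f"ACTVT={actvt} BRGRU={brgru}: per-authorization={real} merged={naive}")
    # S_TCODE comes from P1, the 01/002 posting right from P2: both checks pass.
    print(run_transaction(USER_BUFFER, "ZDEMO", ACTVT="01", BRGRU="002"))
```

When reviewing role combinations, the cross-object case in `run_transaction` is the one to look for: a transaction start right from one role pairs with posting rights from any other role assigned to the same user.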