Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How does SAP deal with authorization profiles combination?

Go to solution
Former Member

‎02-03-2010 3:49 AM

0 Kudos

Will anyone please confirm me that how authorization checking works with profiles combination in SAP? If I set two profiles for a user. In one profile, I grant auhorization object F_BKPF_BES with value 3/001. And in another profile, I grant F_BKPF_BES 1/002. Will the system reckon that the user have been granted F_BKPF_BES (1,3)/(001,002) or it will consider the two profiles separately?

Regards

Robbie

1 ACCEPTED SOLUTION

Go to solution
jurjen_heeck
Active Contributor

‎02-08-2010 5:59 PM

0 Kudos

> Will the system reckon that the user have been granted F_BKPF_BES (1,3)/(001,002) or it will consider the two profiles separately?

Separately. The other two replies are not an answer to your question. You can safely ingnore them. You'll find tons of useful info if you have a look at the sticky thread in the Netweaver forum.

6 REPLIES 6

Go to solution
former_member190272
Active Contributor

‎02-03-2010 5:46 AM

0 Kudos

Hi,

Please try with T Code SU53.

Regards,

Pankaj

Go to solution
Former Member

‎02-07-2010 3:52 PM

0 Kudos

Hi

you can check from SU53 , check under S_TCODE

regards,

Balaram

Go to solution
jurjen_heeck
Active Contributor

‎02-08-2010 5:59 PM

0 Kudos

> Will the system reckon that the user have been granted F_BKPF_BES (1,3)/(001,002) or it will consider the two profiles separately?

Separately. The other two replies are not an answer to your question. You can safely ingnore them. You'll find tons of useful info if you have a look at the sticky thread in the Netweaver forum.

Go to solution
Former Member
In response to jurjen_heeck

‎03-25-2010 2:43 PM

0 Kudos

Just a short thing from my own experience:

Beware that the authorisations are not checked based on the roles.

e.g. I can give a user authorisation to a transaction, with possibilities to post to GL only.

Another role might be added, allowing AP postings, but not access to the S_TCODE.

Anyhow, in the transaction, the user will then be able to post both to GL and AP as the objects are not checked in combination with e.g. the S_TCODE.

I hope what I'm trying to explain makes sence

Go to solution
Former Member

‎03-29-2010 5:55 PM

0 Kudos

The answer your question is Yes. All the authorisations are loaded in the user buffer when the ID logs in and are combined to maximise the user buffer. Therefore your authorisations will be seen as if they are all combined.

I hope that helps.

Amrit

Go to solution
Former Member
In response to Former Member

‎03-29-2010 6:23 PM

0 Kudos

> All the authorisations are loaded in the user buffer when the ID logs in...

Yes, the reference to the authorizations are loaded, per authorization(!) for each object.

>... and are combined to maximise the user buffer.

Not completely. Authorizations are generated per role and per object. You cannot mix the field values of the objects in different authorizations.

> Therefore your authorisations will be seen as if they are all combined.

The consequence is combinations of all roles, per object. Not per field. Otherwise you could not create authorizations which permit you to display some values and change only a subset of them.

Cheers,

Julius