12-21-2010 2:22 PM
Dear Gurus,
What is use of this table when we can get information on USOBT_C. Apart from some additional object we anyway go for trace/check program etc..
Regards,
Arpan Paik
12-21-2010 2:48 PM
Hi Arpan,
When the user executes a transaction code which has some authorization checks, SAP system will check USOBX_C. You can notice the OKFLAG field. If this field is set to Y, it means an authorization check is required here. The corresponding entries will be stored in USOBT_C table.
In simple, table USOBX_C will have the authorization checks that are to be performed within a transaction and the table USOBT_C will have the default values for the authorization object that should have to be populated in the Profile Generator.
Hope this clears your question
Regards,
Raghu
12-21-2010 4:51 PM
Hi Arpan,
Table USOBX_C contains all authorization objects which could be used to govern complete capability of a particular transaction code. This table stores following status:
OKFLAG. Meaning
Y. Check Maintained- checked in tcode program
and values suggested in PFCG
X. Check- checked in tcode program but values
not suggested in PFCG
N. Do Not Check- not checked at tcode run
You can change the status of the set of auth objects for a tcode a per your requirement. For example if status of any auth object (non basis and non HR objects which are not maintained in table TSTCA for the tcode) is changed to N, authority check for that object in tcode program is suppressed.
Now, USOBT_C will contain the default + customized values for authorization with only status Check Maintained which are suggested in PFCG when tcode is added to a role. So if any object is switched to status X or N, only table that stores them is USOBX_C which can be referred in case of future requirements to revert the change in status.
With upgrades and support pack, these tables USOBT, USOBX are updated with Sap delivered object status and default values suggested by Sap. Through Su25 step 2a you write the SAP default values into customer tables (suffix _C) for object which do not have any customized status or values and step 2b helps you choose between SAP delivered values and your custom status\ values for auth objects which were customized earlier and then update the same into customer tables (suffix _C)
Hope that helps. Thanks
Sandipan
Edited by: Sandipan Choudhury on Dec 21, 2010 5:57 PM
12-22-2010 5:20 AM
...this is 46C documentation.
In 7.00 the check flags are different (only YES/NO).
b.rgds, Bernhard
12-22-2010 5:32 AM
Hi Bernhard,
In 7.00, for Check Indicator= Check, the proposals are YES/NO/unmaintained. Also, under drop down Check indicator, you do have options to make a auth object - either Check or Do no Check.
Thanks
Sandipan
12-22-2010 7:30 AM
Dear All,
Thanks for your explanation towards the same.
@ Sandipan
You can change the status of the set of auth objects for a tcode a per your requirement. For example if status of any auth object (non basis and non HR objects which are not maintained in table TSTCA for the tcode) is changed to N, authority check for that object in tcode program is suppressed.
Does it happens that way or authorization check is not dependent on customer table data. Customer table data are for building role only. Authorization check will anyway takes place as per program or underlying FM etc. However TSTCA is force check to pass through initial screen.
@ Raghu
I like your explanation. But why we need 2 table? Why USOBT_C is not sufficient for the same. Apart from that the "Do not check" status escape me from the begining. I do not understand why it has been given. May be that's why ECC discard the same. Still I do not understand use for "check no" status. As when we need additional authorization then anyway we go by trace, program check etc.
Edited : Please note that I forgot to check the question checkbox whil posting this one. So I won't be able to aprreciate you with points. Hope you won't mind.
Regards,
Arpan Paik
Edited by: P Arpan on Dec 22, 2010 1:10 PM
12-22-2010 8:01 AM
Does it happens that way or authorization check is not dependent on customer table data. Customer table data are for building role only. Authorization check will anyway takes place as per program or underlying FM etc. However TSTCA is force check to pass through initial screen.
I was of the same opinion just a year and half back when I was told that authority check of non-HR and non-BASIS objects in a program can be suppressed by changing its check indicator status to DO NOT CHECK. I tested it throughly across 4.7C and 7.0 versions, and the concept seems to be TRUE :-)...however if the object is placed in TSTCA for that tcode, you cannot change its check indicator status to DO NOT CHECK ...
Thanks
Sandipan
12-22-2010 8:05 AM
Well then, now I know use of DO NOT CHECK. Thanks for sharing the experience. However still want to know "check no" usage.
12-22-2010 8:22 AM
Check- NO would mean that the authorization object and its default values will not be inserted/suggested into the roles when tcode is added in PFCG, however an authority check on the object will be done during the runtime of the transaction. No defaults values are allowed to be maintained for "Check" objects in SU24 .
Frankly speaking I don't see any functional difference between "Check" and "new/unmaintained" status (later means "untouched yet"?).
I would also like to mention the below thread where the SU24 check indicator status has been discussed in details ()
Thanks
Sandipan
12-22-2010 10:13 AM
(later means "untouched yet"?).
Good guess
Yeah that thread gives good piece of information. So SAP withdraw functionality for authorization supress for a transaction? In ECC "no check" is no more there.
Regards,
Arpan Paik
12-22-2010 12:25 PM
Hi Arpan,
In Netweaver 7.0, couple of things changed, viz:
Check Maintained is selected with Check Ind.= Check and Proposal=YES
Check is selected with Check Ind.= Check and Proposal = NO
Unmaintained is selected with Check Ind.= Check and Proposal= new/unmaintained
and, DO NOT CHECK option is still available under the dropdown Check Ind. in SU24 tcode.
Thanks
Sandipan