
Relate authorization object to transaction

Former Member
0 Kudos

Hi experts,

I am currently working on authorization on AS ABAP, creating roles containing different SAP standard transactions.

Actually I wonder if it is possible to relate an auth. object to a certain transaction. This could be necessary for my authorization concept because there are several SAP standard transactions checking the same auth. object.

As an example take transactions SE16 and SM30. Both check auth. object S_TABU_DIS.

If I now want to create a role which gives a user the permission to edit customizing tables in SM30 but not in SE16 there is no way (until now I do not know one) to define an instance of S_TABU_DIS with read/write permission for SM30 and another instance with only read permission for SE16.

I tried to use two roles putting one transaction into each. When I give the user the "SE16 role" he has no write permission in SE16. But when I give him the "SM 30 role" too he has write permissions in both, SM30 and SE16.

Therefore I guess that the authorization of the SM 30 role "overwrites" the read-only permission of the SE16 role.

Now my question to you: Is there any way to bind an auth. object to a transaction, so that an authorization defined from an auth. object is only valid for a certain transaction?

Thanks in advance for all answers!

Best regards,

Torben

3 REPLIES 3

Bernhard_SAP
Employee
0 Kudos

Hi,

No. If you have a look at the ABAP statement AUTHORITY-CHECK, you know why.

The kernel checks only the auth. object name and required field values as per definition in the coding. It does not matter how that authorization had been assigned to the user (or with which role or for which t-code), it simply checks if it is present in the user context (user buffer -> table usrbf2).

Workaround: any tcode would need to check its own auth.objects.....

b.rgds, Bernhard

0 Kudos

Hi Bernhard,

With transaction SE93 you can add an authorization object to a transaction as far as I know. I never used it but it is possible. If you call transaction PFCG you see that object S_USER_AGR is used. I understood that this is a static authorization and the dynamic authorization is in the ABAP.

Have fun

Bye

Jan van Roest

Edited by: J. van Roest on Feb 18, 2011 12:15 PM

Edited by: J. van Roest on Feb 18, 2011 12:16 PM

0 Kudos

The problem with that is it's checked directly after execution and as you say is static. Once you've got past that you are still at the mercy of the (standard) checks that won't differentiate between SE16 & SM30 once you are past the initial S_TCODE + SE97 check.
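
The behaviour described in the replies above, as an added example that is not part of the original thread and is not SAP code: a simplified Python model of a user buffer built from two roles, with a start check on S_TCODE followed by the S_TABU_DIS check that SE16 and SM30 share. The field names DICBERCLS, ACTVT and TCD are the real fields of those objects; the role names, the authorization group `ZCUS` and all function names are constructed for illustration.

```python
# Simplified model of the checks discussed in this thread; not SAP code.
# Role names and the authorization group "ZCUS" are constructed sample values.

ROLES = {
    "Z_SE16_DISPLAY": [
        ("S_TCODE", {"TCD": {"SE16"}}),
        ("S_TABU_DIS", {"DICBERCLS": {"ZCUS"}, "ACTVT": {"03"}}),  # 03 = display
    ],
    "Z_SM30_MAINTAIN": [
        ("S_TCODE", {"TCD": {"SM30"}}),
        ("S_TABU_DIS", {"DICBERCLS": {"ZCUS"}, "ACTVT": {"02", "03"}}),  # 02 = change
    ],
}


def build_user_buffer(assigned_roles):
    """Flatten all roles into one list of authorizations; the role of origin is dropped."""
    return [auth for role in assigned_roles for auth in ROLES[role]]


def authority_check(buffer, obj, **required):
    """Return 0 if one authorization of `obj` covers every required field, else 4."""
    for name, fields in buffer:
        if name == obj and all(
            val in fields.get(fld, set()) or "*" in fields.get(fld, set())
            for fld, val in required.items()
        ):
            return 0
    return 4


def can_change_table(buffer, tcode, auth_group):
    """Start check on S_TCODE, then the table check that both transactions share."""
    if authority_check(buffer, "S_TCODE", TCD=tcode) != 0:
        return False
    # The transaction code is not an input to the S_TABU_DIS check.
    return authority_check(buffer, "S_TABU_DIS", DICBERCLS=auth_group, ACTVT="02") == 0


def change_access(assigned_roles, auth_group="ZCUS"):
    """Map each transaction to whether the user could change tables of auth_group."""
    buffer = build_user_buffer(assigned_roles)
    return {t: can_change_table(buffer, t, auth_group) for t in ("SE16", "SM30")}


if __name__ == "__main__":
    print(change_access(["Z_SE16_DISPLAY"]))
    print(change_access(["Z_SE16_DISPLAY", "Z_SM30_MAINTAIN"]))
```

When reviewing a role concept, running this kind of model over the combined role set rather than each role in isolation shows where change authority accumulates across transactions that share an object.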