Org criteria constraint in PFCG?

Gentlemen,

Please help to dispel my doubts as you know the score..

We have found that the line-oriented authorization mechanism does not work as expected in our system when authorizations/profiles for different org. criteria are merged into a single profile in a role in PFCG. Say we have a custom transaction Z1 which provides maintenance view ZV1, and have org. criteria ZORG1 with defined fields for that. And we have another transaction Z2 for ZV2 and org. criteria ZORG2. Provided the S_TABU_LIN object has proposal values for the Z1 and Z2 transactions in SU24, when adding these transactions into the menu of a role, PFCG would merge the authorizations into a single profile under S_TABU_LIN (irrespective of the type of fields defined for the org. criteria).

S_TABU_LIN
    ACTVT       *
    ORG_CRIT    ZORG1, ZORG2
    ORG_FIELD1  <some value>
    ...
    ORG_FIELD8

In this case it will not protect the ZV1 and ZV2 views based on field values in S_TABU_LIN, but will allow changing/displaying all possible data of a table. When the authorizations for ZORG1 and ZORG2 are in separate profiles under S_TABU_LIN of the same role, it does work as expected, limiting the data in the maintenance view:

S_TABU_LIN
    ACTVT       *
    ORG_CRIT    ZORG1
    ORG_FIELD1  <some value>
    ...
    ORG_FIELD8

    ACTVT       *
    ORG_CRIT    ZORG2
    ORG_FIELD1  <value1>
    ...
    ORG_FIELD8

I could not find a note for this and was told briefly by SAP AGS that this is a constraint and you can only assign one org. criteria into a profile. Could you confirm the same based on your experience, so I am 100% sure we now have a security issue in our production?

Igor

Edited by: Igor Kustov on Jun 3, 2011 1:20 PM
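
The following is an added example, not part of the original post and not SAP code: a check that scans an exported list of role authorizations and reports every S_TABU_LIN authorization whose ORG_CRIT field covers more than one organizational criterion, which is the merged layout described in the post. It goes slightly beyond the post by also reporting wildcard and range values. The CSV layout, the role names and the authorization names are constructed; the column names follow table AGR_1251 and are an assumption about how the role data was exported.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not from the post). Column names follow table
# AGR_1251 and are an assumption about how the role data was exported.
SAMPLE_EXPORT = """\
AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_MERGED,S_TABU_LIN,AUTH_A,ACTVT,*,
Z_MERGED,S_TABU_LIN,AUTH_A,ORG_CRIT,ZORG1,
Z_MERGED,S_TABU_LIN,AUTH_A,ORG_CRIT,ZORG2,
Z_MERGED,S_TABU_LIN,AUTH_A,ORG_FIELD1,1000,
Z_SPLIT,S_TABU_LIN,AUTH_B,ORG_CRIT,ZORG1,
Z_SPLIT,S_TABU_LIN,AUTH_B,ORG_FIELD1,1000,
Z_SPLIT,S_TABU_LIN,AUTH_C,ORG_CRIT,ZORG2,
Z_SPLIT,S_TABU_LIN,AUTH_C,ORG_FIELD1,2000,
Z_WILD,S_TABU_LIN,AUTH_D,ORG_CRIT,ZORG*,
Z_RANGE,S_TABU_LIN,AUTH_E,ORG_CRIT,ZORG1,ZORG9
Z_OTHER,S_TABU_DIS,AUTH_F,DICBERCLS,ZORG1,
"""


def find_multi_org_crit(export_text):
    """Return (role, auth, reason) for each S_TABU_LIN authorization whose
    ORG_CRIT field covers more than one organizational criterion."""
    crit = defaultdict(list)  # (role, auth) -> [(low, high), ...]
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"].strip() == "S_TABU_LIN" and row["FIELD"].strip() == "ORG_CRIT":
            key = (row["AGR_NAME"].strip(), row["AUTH"].strip())
            crit[key].append((row["LOW"].strip(), (row["HIGH"] or "").strip()))

    findings = []
    for (role, auth), values in sorted(crit.items()):
        lows = sorted({low for low, _ in values if low})
        if any("*" in low for low in lows):
            reason = "wildcard ORG_CRIT: " + ", ".join(lows)
        elif any(high for _, high in values):
            reason = "ORG_CRIT range: " + ", ".join(f"{l}..{h}" for l, h in values if h)
        elif len(lows) > 1:
            reason = "multiple ORG_CRIT values: " + ", ".join(lows)
        else:
            continue  # exactly one criterion: the split layout from the post
        findings.append((role, auth, reason))
    return findings


if __name__ == "__main__":
    for role, auth, reason in find_multi_org_crit(SAMPLE_EXPORT):
        print(f"{role} {auth}: {reason}")
```

Each reported authorization is a candidate for splitting into one authorization per org. criterion, as in the second layout shown in the post.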
