
Authorization object S_DATASET

ashish_vikas
Active Contributor
0 Kudos

Hello friends,

I have a question (maybe a silly one).

If I have an auth object, say S_DATASET, available in 2 roles with different values:

S_DATASET
Activity (ACTVT): 33, 34
Physical file name (FILENAME): /transfer/C11/order/aus
Program Name with Search Help (PROGRAM): *

S_DATASET
Activity (ACTVT): 33, 34, A6, A7
Physical file name (FILENAME): *
Program Name with Search Help (PROGRAM): ZP1, ZP2, ZP3

Now what happens when both roles are assigned to a single user? Does he get S_DATASET with activity merged? Meaning, will he have auth like this:

S_DATASET
Activity (ACTVT): 33, 34, A6, A7
Physical file name (FILENAME): *
Program Name with Search Help (PROGRAM): *

thanks

ashish

1 ACCEPTED SOLUTION

Former Member

Hi Ashish,

Yes, he will get the merged authorizations for his access!

During the authorization check, authorization fields are always checked in an AND relationship for each authorization object instance within role(s).

Regards,

Raichand

9 REPLIES 9

jurjen_heeck
Active Contributor
0 Kudos

Nope, authorizations do not merge.

0 Kudos

Thanks for the reply.

Edited by: ashish vikas on Sep 16, 2011 8:12 PM

0 Kudos

Jurjen Heeck is correct, but Actvt A7 with program * is critical for the operating system. Not a good idea and seldom needed.

Cheers,

Julius

0 Kudos

Hi Julius,

But in Role 2, I am not giving * for Program. It has only 3 programs, ZP1, ZP2, ZP3, with Activity A7.

thanks

ashish

0 Kudos

Yes you are correct, but it does depend on what those 3 programs do and which import parameters / selection screens they have.

Why do you want to put * into the program name of the first role though?

Can the user create a file in the order directory with the name permitted, then use ZP1 to move it to a different directory and rename it and execute it?

The mix seems suspect to me because of the combined access from building roles using different techniques, but they are not merged!

Cheers,

Julius

0 Kudos

Wait, to be clear....

The reason why "auths don't merge" in OP's case... is because ACTVT, FILENAME, and PROGRAM are unique in the two profiles, correct? But if the situation was like below instead, then you could think about it as "auths merging" even though technically that doesn't happen.

So if it was:

S_DATASET
Activity (ACTVT): 33, 34
Physical file name (FILENAME): /transfer/C11/order/aus
Program Name with Search Help (PROGRAM): ZP1, ZP2, ZP3

S_DATASET
Activity (ACTVT): 33, 34
Physical file name (FILENAME): *
Program Name with Search Help (PROGRAM): ZP1, ZP2, ZP3

Then the FILENAME restriction from the 1st role would be ignored because of the * in the 2nd role. But if we added ACTVT A6 to the 1st role, then this role would not be overridden by the 2nd, because the auths don't match, meaning in this case, the user would have ACTVT A6 for filename transfer/C11/order/aus and nothing else. Correct?

0 Kudos

Having added A6 would have kept the merge apart, but that is no reason to keep the merge apart from a cosmetic perspective. The access is the same if all other fields are identical.

I sometimes use "banana" values to avoid merging so that I can later keep them apart. But this is only because there is no unmerge function to split them apart again.

Yes, you could achieve actvt A6 for the first authorization's other fields by adding it first, but if A6 is not needed then it would add no value...

--> ZP1, ZP2 etc. will anyway read and write to /TRANSFER/C11/... etc. and do not need A6.

But okay, they are two separate authorization instances assigned to the same user and they look different... if that is your goal.

Using transaction FILE and SPTH you could however achieve more granularity (beyond the "file name").

Cheers,

Julius

Former Member
0 Kudos

From an academic perspective they could however be merged by program ZP1, ZP2 or ZP3 using actvt A7, because this permits operating system commands to any file system location. At the operating system level you could then do almost anything (such as merging the two roles into one in a transport request, adding it to the tp buffer and importing it).

Your first priorities should be to restrict the program name and the A* activities and maintain su24 with the; then restrict / validate what the programs are capable of doing.

Cheers,

Julius
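
As an added illustration that is not part of any post in this thread: a simplified Python model of how an authorization check on S_DATASET evaluates the two authorizations from the question, with fields ANDed inside one authorization and any single authorization sufficing, next to the field-wise "merged" reading. The function names, the program name ZOTHER and the path /tmp/x are assumptions made up for the example; value ranges are not modelled.

```python
# Simplified model of an authorization check on S_DATASET (illustrative, not SAP code).
# Supported value patterns: exact value, "*" and trailing-"*" prefix; ranges are omitted.

def value_allowed(allowed_values, requested):
    """True if one maintained value covers the requested value."""
    for pattern in allowed_values:
        if pattern == "*" or pattern == requested:
            return True
        if pattern.endswith("*") and requested.startswith(pattern[:-1]):
            return True
    return False

def authorization_passes(auth, request):
    """Fields inside ONE authorization are combined with AND."""
    return all(value_allowed(auth[field], request[field]) for field in request)

def authority_check(authorizations, request):
    """The user passes if ANY single authorization passes on its own."""
    return any(authorization_passes(a, request) for a in authorizations)

def field_wise_merge(authorizations):
    """The 'merged' reading from the question: union of values per field."""
    merged = {}
    for auth in authorizations:
        for field, values in auth.items():
            merged.setdefault(field, set()).update(values)
    return merged

# The two S_DATASET authorizations from the question.
ROLE_1 = {"ACTVT": {"33", "34"}, "FILENAME": {"/transfer/C11/order/aus"}, "PROGRAM": {"*"}}
ROLE_2 = {"ACTVT": {"33", "34", "A6", "A7"}, "FILENAME": {"*"}, "PROGRAM": {"ZP1", "ZP2", "ZP3"}}
USER = [ROLE_1, ROLE_2]

# Constructed requests; ZOTHER and /tmp/x are made-up names.
REQUESTS = [
    {"ACTVT": "34", "FILENAME": "/transfer/C11/order/aus", "PROGRAM": "ZOTHER"},
    {"ACTVT": "34", "FILENAME": "/tmp/x", "PROGRAM": "ZOTHER"},
    {"ACTVT": "A7", "FILENAME": "/tmp/x", "PROGRAM": "ZP1"},
    {"ACTVT": "A7", "FILENAME": "/tmp/x", "PROGRAM": "ZOTHER"},
]

def compare(requests=REQUESTS):
    """Return (separate_result, merged_result) per request."""
    merged = [field_wise_merge(USER)]
    return [(authority_check(USER, r), authority_check(merged, r)) for r in requests]

if __name__ == "__main__":
    for req, (separate, merged) in zip(REQUESTS, compare()):
        print(req, "separate:", separate, "merged reading:", merged)
```

The second and fourth requests pass only under the field-wise merged reading; with the two authorizations evaluated separately, neither one covers all three fields on its own.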