Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Authorization combination within user master - SAP logic

Martin_H
Contributor
0 Kudos

I am still not fully sure about the system behavior when assigning single roles within a user profile. Having read around, and also the sticky notes of the Security forum, has not added too much clarity... maybe you can help me out with a short note from your experience?

Let's say I have two single roles:

MAT_CREATE with

S_TCODE: MM01

M_MATE_WRK: ACTVT 01 and WERKS 0001

MAT_DISPLAY with

S_TCODE: MM03

M_MATE_WRK: ACTVT 03 and WERKS *

Is this user now able to create materials for all plants, or not? And is there no SAP document where this is described?

Regards

Martin

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Martin,

Auth object values in an object are evaluated as a value set (authorisation). In this case you will have create for plant 0001 and display for all plants.

While SAP groups together authorisations, it does not merge them and combine activities from one value set with org values of another.

15 REPLIES 15

Former Member
0 Kudos

Hi Martin,

In two Z-roles, if you assign the MM01 & MM03 transactions through the standard SAP menu tab (in different roles), then you have to give the plants (WERKS field) in the organization levels only. This is standard SAP practice. It is recommended that we should not maintain WERKS field values manually at object level.

So assuming that you have assigned plants (* value) in the organization levels, then YES, the user is able to create material master records for all plants. It will only consider the highest value, which is * rather than plant 0001.

Rgds,

Durga.

Edited by: Durga,Gadde on Nov 8, 2011 2:53 PM

0 Kudos

Hello Alex,

As this differs from Durga's answer, let me check whether I understand you correctly:

In the mentioned example I would have two value sets:

1. M_MATE_WRK ACTVT 01 WERKS 0001

2. M_MATE_WRK ACTVT 03 WERKS *

As the activities are different, the authorizations do not get combined, correct? Is there a kind of hierarchy in each object (like here, ACTVT being on a higher level than WERKS)? Because if I looked at it the other way round, it would be different:

1. M_MATE_WRK WERKS 0001 ACTVT 01

2. M_MATE_WRK WERKS * ACTVT 03

--> Then I would assume the two authorizations would get combined, right?

Regards

Martin

0 Kudos

> 1. M_MATE_WRK WERKS 0001 ACTVT 01

> 2. M_MATE_WRK WERKS * ACTVT 03

>

> --> Then I would assume the two authorizations would get combined, right?

Hello Martin,

no.

Technically, when you create two authorizations (most commonly in PFCG):

Auth 1: Object = M_MATE_WRK, field WERKS = 0001, field ACTVT = 01

and

Auth 2: Object = M_MATE_WRK, field WERKS = *, field ACTVT = 03

what you assign to the user are not the field values, so the sorting of the fields (the hierarchy you mentioned) does not matter at all; rather, you assign the authorizations (the authorization names/numbers) to the user.

And each authorization (name/number) has the assigned field value combinations, so a combination of values of different authorizations will not happen.

So in the user (authorization) buffer table USRBF2 you will find only the authorization numbers (names) which are assigned to the user, and the values for those dedicated authorizations are then looked up in table UST12.

So this is just a technical lookup of the relations: which authorizations are assigned to the user, and which value combination for the checked object is behind each authorization.

I hope this brings some light into the matter (from another point of view).

b.rgds, Bernhard

0 Kudos

One more question for full clarification: the combination of similar authorizations nevertheless happens, right?

First case

1) single role with CT04, C_CABN ACTVT 03, C_CABN_GRP ATAUTH *

2) single role with CT04, C_CABN ACTVT 02, C_CABN_GRP ATAUTH Y01

Result?

Second case

1) single role with CT04, C_CABN ACTVT 03, C_CABN_GRP ATAUTH *

2) single role with CT04, C_CABN ACTVT 02,03, C_CABN_GRP ATAUTH Y01

Result?

I am still trying to understand in which case SAP is combining the rights and in which not....

Regards

Martin Hinderer

0 Kudos

For the 1st case, the question is the answer. For the 2nd case, the 03 in the 2nd role is in vain, as it is already covered by the 1st role. For both cases the user will get change access for Y01 only and display for all.

Woman of the hour (3rd one) is missing here

Regards,

Arpan Paik

0 Kudos

I am still trying to understand in which case SAP is combining the rights....

You will never find an example where combining the rights of separate authorization instances (such as two or more roles) will also combine all the fields and search for them individually. If coded this way, then it would be a program error.

and in which not....

Always.

Cheers,

Julius

0 Kudos

An authorization profile is a set of authorizations. An authorization is an instance of values for an authorization object. When you assign multiple profiles to a user, SAP reads all authorizations and puts them into the authorization buffer, which can be seen in SU56. No merging is performed; you can check this in SU56. A security role has one or more generated authorization profiles. So assigning multiple roles to users works exactly the same as assigning multiple authorization profiles. Maybe what is confusing for you is that in PFCG you can merge multiple authorizations into one. But this merging is performed before generating the authorization profile.

Cheers

0 Kudos

This merging is also only performed if it does not make a difference. That means all but one field are proposed the same. Therefore whether they are in the same authorization instance or not makes no difference (except that you cannot easily unmerge them again...).

Cheers,

Julius

0 Kudos

Thanks Julius, I forgot to mention it. But it does not matter, because it's under the user's control. You have to merge it; it's not done automatically.

0 Kudos

Hi Martin,

If you use Expert Mode --> "Read old status and merge with new data", then it is done automatically, but only for that which is not new, so you don't notice it the next time it is actually merged when opening the authorizations.

But there is also a manual option to merge.

Cheers,

Julius
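The evaluation Bernhard describes (authorizations looked up as whole value sets, never cross-combined) and the PFCG merge rule Julius and mvoros discuss, as an added worked model in Python. This is not SAP code and was not posted in the thread; the object and field names (S_TCODE/TCD, M_MATE_WRK/ACTVT/WERKS) are SAP's and the role names are Martin's, while the simplified wildcard handling (full '*' and trailing-'*' patterns only, no value ranges) and the plant check performed by MM01 are assumptions of the model.

```python
# Added example (not SAP code): a small model of how the kernel evaluates
# AUTHORITY-CHECK against the user's authorization buffer, and of the PFCG-style
# merge of two authorizations that differ in exactly one field.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Authorization:
    """One authorization: an instance of an authorization object with one value
    set per field. This is what a generated profile contains and what the
    USRBF2 -> UST12 lookup resolves to."""
    obj: str
    fields: Dict[str, FrozenSet[str]]


def auth(obj: str, **fields: Iterable[str]) -> Authorization:
    """Build an authorization: auth('M_MATE_WRK', ACTVT={'01'}, WERKS={'0001'})."""
    return Authorization(obj, {name: frozenset(values) for name, values in fields.items()})


def _value_allowed(allowed: FrozenSet[str], value: str) -> bool:
    """Does one field's value set cover a concrete value? Assumption: only '*' and
    trailing-'*' patterns are modelled; real SAP values also allow FROM-TO ranges."""
    for pattern in allowed:
        if pattern == '*' or pattern == value:
            return True
        if pattern.endswith('*') and value.startswith(pattern[:-1]):
            return True
    return False


def authority_check(buffer: List[Authorization], obj: str, **wanted: str) -> bool:
    """Model of AUTHORITY-CHECK OBJECT obj ID f FIELD v ...: passes only if ONE
    authorization instance of obj covers every checked field at the same time.
    Field values of different instances are never combined."""
    for a in buffer:
        if a.obj != obj:
            continue
        if all(_value_allowed(a.fields.get(f, frozenset()), v) for f, v in wanted.items()):
            return True
    return False


# The two single roles from the question.
MAT_CREATE = [
    auth('S_TCODE', TCD={'MM01'}),
    auth('M_MATE_WRK', ACTVT={'01'}, WERKS={'0001'}),
]
MAT_DISPLAY = [
    auth('S_TCODE', TCD={'MM03'}),
    auth('M_MATE_WRK', ACTVT={'03'}, WERKS={'*'}),
]


def user_buffer(*roles: List[Authorization]) -> List[Authorization]:
    """The user's buffer (what SU56 shows): the authorizations of all assigned
    roles listed side by side. Roles of a reference user would be appended the same way."""
    return [a for role in roles for a in role]


def can_create_material(buffer: List[Authorization], plant: str) -> bool:
    # Assumption of the model: MM01 checks S_TCODE on entry, then M_MATE_WRK ACTVT 01 for the plant.
    return (authority_check(buffer, 'S_TCODE', TCD='MM01')
            and authority_check(buffer, 'M_MATE_WRK', ACTVT='01', WERKS=plant))


def can_display_material(buffer: List[Authorization], plant: str) -> bool:
    return (authority_check(buffer, 'S_TCODE', TCD='MM03')
            and authority_check(buffer, 'M_MATE_WRK', ACTVT='03', WERKS=plant))


def pfcg_merge(a: Authorization, b: Authorization) -> List[Authorization]:
    """PFCG-style merge: two authorizations of one object are folded into one only
    when all but one field are identical. Then a single instance with the union of
    the differing field's values grants exactly the same checks as the two separate
    instances, so merging cannot widen access. Otherwise both are kept apart."""
    if a.obj != b.obj or a.fields.keys() != b.fields.keys():
        return [a, b]
    differing = [f for f in a.fields if a.fields[f] != b.fields[f]]
    if len(differing) != 1:
        return [a, b]  # e.g. ACTVT 01/WERKS 0001 vs ACTVT 03/WERKS *: two fields differ
    merged = dict(a.fields)
    merged[differing[0]] = a.fields[differing[0]] | b.fields[differing[0]]
    return [Authorization(a.obj, merged)]


if __name__ == '__main__':
    buf = user_buffer(MAT_CREATE, MAT_DISPLAY)
    for plant in ('0001', '0002'):
        print(f"plant {plant}: create={can_create_material(buf, plant)} "
              f"display={can_display_material(buf, plant)}")
    print("merge attempted in PFCG:", len(pfcg_merge(MAT_CREATE[1], MAT_DISPLAY[1])), "instance(s)")
```

Running it shows create=True only for plant 0001 and display=True for every plant, i.e. the accepted answer: the '*' in the display authorization never reaches the create check. The merge helper also shows why PFCG refuses to fold the two M_MATE_WRK authorizations into one: they differ in both ACTVT and WERKS, and a merged "ACTVT 01,03 / WERKS *" instance would indeed grant create for all plants.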

Former Member
0 Kudos

Another way of explaining it (in addition to reading the documentation on the AUTHORITY-CHECK statement in transaction ABAPDOCU)... also see the FOR USER extension...

Two women go shopping for shoes. A third woman follows them into the shop.

One has good eyesight (display all role for MM03) and the other has lots of money but expensive taste and has poor eyesight(only F4 search help and MM01 only for plant 'GUCCI' - hardcoded value in role which she created for herself and only has that role).

If they go shopping separately, then the first one can see everything but buy nothing. The second one can only buy GUCCI shoes, but it might be a surprise if she cannot try them on first.

If they go shopping together (both roles assigned to the user - as "team" of two roles) then they can select all shoes but when they get to the cashier they can only buy the GUCCI shoes in MM01.

However... if there is a 3rd woman who can buy all shoes (M_MATE_WRK = * plant but no tcodes; lots of money and does not care about actually using it in any tcode herself), then she can throw her handbag to either the first or the second woman standing at the cashier (assignment of roles via reference user), and then either of them could buy any of the shoes using the handbag of the 3rd woman (the first one can also see what she is buying; for the second it could be an even bigger surprise).

Hope that helps as another interpretation (this is possible in SAP without violating the offside rule of soccer, so it is somewhat illogical at first...).

Cheers,

Julius

Edited by: Julius Bussche on Nov 8, 2011 10:23 PM

0 Kudos

great.

....how come one is normally married to the 3rd woman?

0 Kudos

Speak for yourself - with SAP_ALL they will find you.

mvoros
Active Contributor
0 Kudos

Sometimes it's good to test it yourself. Just create a role with those authorizations, assign it to some test user and confirm the answers from the guys here. Maybe they are wrong.

Cheers