Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Authorisation Check failed. Misunderstanding.

Former Member

‎02-01-2012 11:26 AM

0 Kudos

Hello, we design nonstandard roles conception in our company. The essence of this conception - we create organisation roles which contain organization levels defined only and functional roles which contain the specific user transactions. Then we assign two roles to user.

There is a special moment. The ACTIVITY field of Org. authorisation object is assigned in functional role only. In Org. role this field is left unsigned.

For example. We want to create Sales Order.

1) For this, we create Org. role which contains Authorization object: V_VBAK_VKO. We fill all necessary auth. fields of V_VBAK_VKO. The activity field we leave empty.

2) Then we create functional role which contains transaction VA01. We fill the activity field of V_VBAK_VKO only (01-create order value). Other fields of V_VBAK_VKO we leave as unsigned (certainly don't forget to add V_VBAK_AAT).

But this approach DOES NOT work. When we try to create sales order the system reports the user have NO authorization for maintaining sales documents. The system states we need to assign V_VBAK_VKO authorization to the user.

If we fill all authorization fields of V_VBAK_VKO objects including activity field in Org. role(or func. role) all works fine.

Tell me why it happens. Why the authorisation fields value of the same authorization objects of two roles are not summarized???

Thank you very much.

5 REPLIES 5

Former Member

‎02-01-2012 11:36 AM

0 Kudos

How you got this idea of creating roles without giving activities in Org role?

Anyone told or seen in any site?

In both the roles Org role and in Fun role maintain all the fields, In org role activity and org level ,In func role give activity and in org field put xxxx ,otherwise it wont work

You cannot change the way sap checks authorizations

Former Member

‎02-01-2012 11:57 AM

0 Kudos

Hi,

The reason why it doesn't work as you expected is

when you are creating a functional role and not maintianing org field over there you are creating one authorization and similarly in org role you are maintaining only org values in this case you are creating another authorization as mentioned below.

ACTVT - 01 & Sales ORG - " " -

Auth 1

ACTVT - " " & Sales ORG - "1000" -

Auth 2

In SAP Users are checked against authorizations, not on induvidual authorization fields

Hope this helps

Regards,

Rakesh

Former Member

‎02-01-2012 12:08 PM

0 Kudos

So, if you are right then we have to define functional activity in Org. role!

it seems to me this scenario simply makes no sense of Org. roles.

Former Member
In response to Former Member

‎02-01-2012 12:40 PM 

So, if you are right then we have to define functional activity in Org. role! 
> it seems to me this scenario simply makes no sense of Org. roles.

Exactly! Who gave you the impression that this would work??

It looks nice in PowerPoint sometimes but does not work and sooner or later (mostly sooner) created a big mess...

Cheers,

Julius

Former Member

‎02-02-2012 10:10 AM

0 Kudos

I'm very grateful to all for useful comments.