
Same Authorization (M_BEST_BSA) with different values in two different roles

Former Member
0 Kudos

It is basic SAP security knowledge that when two roles are combined with the same authorization and different values, the user will have access to all combinations of the two roles. Right?

So when I have role with

M_BEST_BSA

ACTVT 03

BSART *

and another role with:

M_BEST_BSA

ACTVT 01,02,03

BSART NB

You would think the user would be able to update all document types including but not limited to NB (ex: cust doc type "EB"), right? However, the user gets an error message and SU53 shows no access to M_BEST_BSA 02, EB.

Is there something wrong with the user buffer, or what am I missing?

Edited by: Kelly Bishop on Feb 21, 2012 10:38 PM

6 REPLIES

martin_voros
Active Contributor
0 Kudos

Hi,

Wrong, you don't get all possible combinations. You get the sum of all authorizations. In this case the first role gives you access to display any document type. The second one allows you to create/modify documents with type NB. None of the roles gives you authorization to modify document type EB.

Cheers

Former Member
0 Kudos

Hmmm, so when I look at the user buffer, it shows from the top down, display to update so I guess that makes sense. I just know that it has burned me in the past but I guess it was always the same activity type just different BSART fields? In that case, the access would be granted correct?

>Authorization Object M_BEST_BSA Document Type in Purchase Order

>Authorizat. KB_TEST_5500 Document Type in Purchase Order

Profl. KB_TEST_55 Kelly's Test Role

Role YKELLY:TEST5 Kelly's Test Role - ME23N

>Authorization Field ACTVT Activity

03, 08, 09

>Authorization Field BSART Purchasing Document Type

>Authorizat. KB_TEST_5502 Document Type in Purchase Order

Profl. KB_TEST_55 Kelly's Test Role

Role YKELLY:TEST5 Kelly's Test Role - ME23N

>Authorization Field ACTVT Activity

03, 08

>Authorization Field BSART Purchasing Document Type

>Authorizat. KB_TEST_5_01 Document Type in Purchase Order

Profl. KB_TEST_5_ Kelly's Test Role

Role YKELLY:TEST4 Kelly's Test Role - ME22N

>Authorization Field ACTVT Activity

03, 08

>Authorization Field BSART Purchasing Document Type

>Authorizat. KB_TEST_5_02 Document Type in Purchase Order

Profl. KB_TEST_5_ Kelly's Test Role

Role YKELLY:TEST4 Kelly's Test Role - ME22N

>Authorization Field ACTVT Activity

02, 03, 04, 08, 09

>Authorization Field BSART Purchasing Document Type

AB, AN, DB, FO, LP, LPA, LU, MK, NB, RV, WK

Former Member
0 Kudos

Both sets of authorizations will act separately; it wouldn't be a union of authorization objects.

Former Member
0 Kudos

Hi!

it is easy to see if you have a look at the source code....

AUTHORITY-CHECK OBJECT 'M_BEST_BSA'
  ID 'ACTVT' FIELD '01'
  ID 'BSART' FIELD 'EB'.

this is what the system checks in one step - against the authorization roles...

so no chance for the user to create a NB order....

I hope it helps...
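The replies above describe the check as one step against each authorization, with no mixing of field values between roles. The following Python model is an added example, not part of the original thread and not SAP code; it uses the two roles from the question and assumes only literal values and the full wildcard `*` (no ranges or partial patterns).

```python
# Simplified model of an AUTHORITY-CHECK against the user buffer (illustrative only).
# Each buffer entry is ONE authorization; field values are never mixed across entries.

# Constructed from the two roles described in the question.
USER_BUFFER = [
    {"object": "M_BEST_BSA", "ACTVT": {"03"}, "BSART": {"*"}},
    {"object": "M_BEST_BSA", "ACTVT": {"01", "02", "03"}, "BSART": {"NB"}},
]


def field_matches(allowed, value):
    """A field passes if the authorization holds '*' or the exact value."""
    return "*" in allowed or value in allowed


def authority_check(buffer, obj, **fields):
    """True only if a single authorization satisfies every checked field."""
    return any(
        auth["object"] == obj
        and all(field_matches(auth.get(name, set()), value)
                for name, value in fields.items())
        for auth in buffer
    )


def cross_product_check(buffer, obj, **fields):
    """The misconception: merge each field's values across all roles first."""
    merged = {}
    for auth in buffer:
        if auth["object"] != obj:
            continue
        for name, allowed in auth.items():
            if name != "object":
                merged.setdefault(name, set()).update(allowed)
    return all(field_matches(merged.get(name, set()), value)
               for name, value in fields.items())


if __name__ == "__main__":
    for actvt, bsart in [("03", "EB"), ("02", "NB"), ("02", "EB"), ("01", "EB")]:
        real = authority_check(USER_BUFFER, "M_BEST_BSA", ACTVT=actvt, BSART=bsart)
        myth = cross_product_check(USER_BUFFER, "M_BEST_BSA", ACTVT=actvt, BSART=bsart)
        print(f"ACTVT={actvt} BSART={bsart}: per-authorization={real} merged-fields={myth}")
```

A role review can use the difference between the two functions to list the access a "merged fields" reading would wrongly assume exists.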

Former Member
0 Kudos

Thanks everyone!

Former Member
0 Kudos

Just in case, I would also like to add that you cannot have the org-fields maintained in one role, the activities in another and the transaction codes in yet a third.

If this were possible then what you initially claimed would be the case, but it isn't.

Unfortunately this urban legend looks great in PowerPoint presentations of "value role" bolt-on concepts, but in reality it creates a mess beyond imaginable boundaries....

Cheers,

Julius