02-21-2012 9:35 PM
It is basic SAP security knowledge that when two roles are combined with the same authorization and different values, the user will have access to all combinations of the two roles. Right?
So when I have role with
M_BEST_BSA
ACTVT 03
BSART *
and another role with:
M_BEST_BSA
ACTVT 01,02,03
BSART NB
You would think the user would be able to update all document types including but not limited to NB (ex: cust doc type "EB"), right? However, the user gets an error message and SU53 shows no access to M_BEST_BSA 02, EB.
Is there something wrong with the user buffer or what am I missing?
Edited by: Kelly Bishop on Feb 21, 2012 10:38 PM
02-21-2012 10:21 PM
Hi,
Wrong, you don't get all possible combinations. You get the sum of all authorizations. In this case the first role gives you access to display any document type. The second one allows you to create/modify documents with type NB. None of the roles gives you authorization to modify document type EB.
Cheers
02-21-2012 10:48 PM
Hmmm, so when I look at the user buffer, it shows from the top down, display to update so I guess that makes sense. I just know that it has burned me in the past but I guess it was always the same activity type just different BSART fields? In that case, the access would be granted correct?
>Authorization Object M_BEST_BSA Document Type in Purchase Order
>Authorizat. KB_TEST_5500 Document Type in Purchase Order
Profl. KB_TEST_55 Kelly's Test Role
Role YKELLY:TEST5 Kelly's Test Role - ME23N
>Authorization Field ACTVT Activity
03, 08, 09
>Authorization Field BSART Purchasing Document Type
>Authorizat. KB_TEST_5502 Document Type in Purchase Order
Profl. KB_TEST_55 Kelly's Test Role
Role YKELLY:TEST5 Kelly's Test Role - ME23N
>Authorization Field ACTVT Activity
03, 08
>Authorization Field BSART Purchasing Document Type
>Authorizat. KB_TEST_5_01 Document Type in Purchase Order
Profl. KB_TEST_5_ Kelly's Test Role
Role YKELLY:TEST4 Kelly's Test Role - ME22N
>Authorization Field ACTVT Activity
03, 08
>Authorization Field BSART Purchasing Document Type
>Authorizat. KB_TEST_5_02 Document Type in Purchase Order
Profl. KB_TEST_5_ Kelly's Test Role
Role YKELLY:TEST4 Kelly's Test Role - ME22N
>Authorization Field ACTVT Activity
02, 03, 04, 08, 09
>Authorization Field BSART Purchasing Document Type
AB, AN, DB, FO, LP, LPA, LU, MK, NB, RV, WK
02-23-2012 11:07 AM
Both sets of authorizations will act separately; it wouldn't be a union of authorization objects.
02-23-2012 12:25 PM
Hi!
it is easy to see if you have a look at the source code....
AUTHORITY-CHECK OBJECT 'M_BEST_BSA'
ID 'ACTVT' FIELD '01'
ID 'BSART' FIELD 'EB'.
this is what the system checks in one step - against the authorization roles...
so no chance for the user to create an NB order....
I hope it helps...
02-23-2012 3:40 PM
02-24-2012 6:06 PM
Just in case, I would also like to add that you cannot have the org-fields maintained in one role, the activities in another and the transaction codes in yet a third.
If this were possible then what you initially claimed would be the case, but it isn't.
Unfortunately this urban legend looks great in PowerPoint presentations of "value role" bolt-on concepts, but in reality it creates a mess beyond imaginable boundaries....
Cheers,
Julius
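
The check behaviour discussed in this thread, as an added example that is not part of the original posts and is not SAP code: a simplified Python model of AUTHORITY-CHECK run against the two M_BEST_BSA authorizations from the question, next to the mistaken "union of field values" model. The function names and buffer layout are assumptions made for illustration; only `*` and single values are modelled (no ranges or patterns).

```python
# Simplified model of how AUTHORITY-CHECK evaluates a user buffer.
# Not SAP kernel code; function names and data layout are hypothetical.

def field_allows(allowed, value):
    """True if one authorization field covers the requested value."""
    return "*" in allowed or value in allowed

def authority_check(buffer, obj, **requested):
    """Return 0 if ONE authorization for `obj` covers ALL requested
    field values, 4 if none does, 12 if the object is not in the buffer
    (mirroring the usual sy-subrc values)."""
    found_object = False
    for auth in buffer:
        if auth["object"] != obj:
            continue
        found_object = True
        # Every field must match inside this single authorization.
        if all(field_allows(auth["fields"].get(f, set()), v)
               for f, v in requested.items()):
            return 0
    return 4 if found_object else 12

def naive_union_check(buffer, obj, **requested):
    """The mistaken mental model: merge field values across all
    authorizations first, then test each field independently."""
    merged = {}
    for auth in buffer:
        if auth["object"] == obj:
            for f, vals in auth["fields"].items():
                merged.setdefault(f, set()).update(vals)
    ok = all(field_allows(merged.get(f, set()), v)
             for f, v in requested.items())
    return 0 if ok else 4

# Constructed user buffer: the two roles from the original question.
USER_BUFFER = [
    {"object": "M_BEST_BSA",
     "fields": {"ACTVT": {"03"}, "BSART": {"*"}}},
    {"object": "M_BEST_BSA",
     "fields": {"ACTVT": {"01", "02", "03"}, "BSART": {"NB"}}},
]

if __name__ == "__main__":
    for actvt, bsart in [("03", "EB"), ("02", "NB"), ("02", "EB")]:
        real = authority_check(USER_BUFFER, "M_BEST_BSA",
                               ACTVT=actvt, BSART=bsart)
        naive = naive_union_check(USER_BUFFER, "M_BEST_BSA",
                                  ACTVT=actvt, BSART=bsart)
        print(f"ACTVT={actvt} BSART={bsart}: rc={real}, union model rc={naive}")
```

Only the ACTVT 02 / BSART EB request differs between the two models, which is the case SU53 reported in the question.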