
Authorization check at profile level, not at every profile attached to the user

Former Member
0 Kudos

Hi everybody, does anybody know why the authority check is carried out on every authorization object in every profile attached to the user? I need to carry out the authority check by individual profile and its authorization objects where the transaction code was assigned.

Thank you

Regards,

Donald

1 ACCEPTED SOLUTION

Former Member
0 Kudos

It has worked this way for as long as I can remember. Maybe someone can provide a highly technical answer.

I actually don't understand your question. If you want to see which role gives a certain TCode or auth object to a user, then you can join tables agr_1251 and agr_users. There are tricks to doing that, so if that is what you want to do let us know. Or experiment a bit yourself.

5 REPLIES 5

0 Kudos

Thank you Kesayamol.

I give you an example:

User A has 2 profiles: Profile A1 and Profile A2.

Profile A1 contains the CO01 transaction code with an authorization object that includes Work Center X.

Profile A2 contains the CO02 transaction code with an authorization object that includes Work Center Y.

When user A runs the CO02 transaction he can view the production orders at Work Center X.

Thank you,

Donald Tatun

0 Kudos

Hi,

This is how authorizations work in SAP. The user's authorization buffer is a union of all authorizations from all roles/profiles attached to the user. You can't say that this authorization is valid only for transaction X. This is a common misunderstanding of authorizations in SAP. At least once a month somebody asks a similar question to yours.

Cheers
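
Added example, not part of any post in this thread: a toy Python model of the union rule described in the reply above, using the User A / A1 / A2 scenario from the question. The object name Z_WORKCTR, its WORKCTR field, the ACTVT values and all function names are assumptions made for illustration; the sample data is constructed.

```python
# Toy model of the rule stated above: checks run against the union of all
# authorizations in the user's buffer, never against "the profile that
# granted the transaction". Z_WORKCTR and WORKCTR are hypothetical names.

# Constructed sample data: profile -> [(auth object, {field: allowed values})]
PROFILES = {
    "A1": [("S_TCODE", {"TCD": {"CO01"}}),
           ("Z_WORKCTR", {"ACTVT": {"01", "02", "03"}, "WORKCTR": {"X"}})],
    "A2": [("S_TCODE", {"TCD": {"CO02"}}),
           ("Z_WORKCTR", {"ACTVT": {"02", "03"}, "WORKCTR": {"Y"}})],
}
USER_PROFILES = {"USER_A": ["A1", "A2"]}


def user_buffer(user):
    """Union of all authorizations from every profile assigned to the user."""
    return [(profile, obj, fields)
            for profile in USER_PROFILES.get(user, [])
            for obj, fields in PROFILES[profile]]


def _matches(fields, wanted):
    # One authorization must cover every checked field; "*" means any value.
    return all(f in fields and ("*" in fields[f] or v in fields[f])
               for f, v in wanted.items())


def authority_check(user, obj, **wanted):
    """True if any single authorization for obj in the buffer covers all fields."""
    return any(o == obj and _matches(f, wanted) for _, o, f in user_buffer(user))


def granting_profiles(user, obj, **wanted):
    """Profiles that supply a matching authorization (the role-to-user question)."""
    return sorted({p for p, o, f in user_buffer(user)
                   if o == obj and _matches(f, wanted)})


def can_run(user, tcode, workctr, actvt):
    # Transaction start check and object check are two independent lookups.
    return (authority_check(user, "S_TCODE", TCD=tcode)
            and authority_check(user, "Z_WORKCTR", ACTVT=actvt, WORKCTR=workctr))


if __name__ == "__main__":
    print(can_run("USER_A", "CO02", "X", "02"))
    print(granting_profiles("USER_A", "Z_WORKCTR", ACTVT="02", WORKCTR="X"))
```

In this model CO02 comes from A2 while the work center X authorization comes from A1, which reproduces the behaviour Donald describes; values are still not combined across fields of different authorizations, so ACTVT 01 on work center Y is refused.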

0 Kudos

Yep. There are exceptions to the merge, though. In the example about CO01 and CO02, you really need to look at the auth objects they bring in. PFCG sorts the fields of an auth object by how they merge, at least that is my understanding. So if an auth object in role A has ACTVT and SOMETHING1 and SOMETHING2, then if ACTVT=03 in both role A and role B, SOMETHING1 will merge. But if ACTVT=03 in role A but in role B it is 01,02,03, then SOMETHING1 will not merge. Someone correct me if I'm wrong, but that is my observation and understanding.

0 Kudos

Hi,

Have a look here: http://scn.sap.com/thread/2073837

Especially the details added by Julius on 8th Nov. 2011...

Cheerio!

Bernhard