03-20-2012 6:26 PM
Hi everybody, does anybody know why the authority check is carried out on every authorization object in every profile attached to the user? I need to carry out the authority check by individual profile and its authorization objects where the transaction code was assigned.
Thank you
Regards,
Donald
03-20-2012 9:07 PM
It has worked this way for as long as I can remember. Maybe someone can provide a highly technical answer.
I actually don't understand your question. If you want to see which role gives a certain TCode or auth object to a user, then you can join tables agr_1251 and agr_users. There are tricks to doing that, so if that is what you want to do, let us know. Or experiment a bit yourself.
03-20-2012 9:46 PM
Thank you Kesayamol.
I give you an example:
User A has 2 profiles: Profile A1 and Profile A2.
Profile A1 contains the CO01 transaction code with an authorization object that includes Work Center X.
Profile A2 contains the CO02 transaction code with an authorization object that includes Work Center Y.
When user A runs the CO02 transaction, he can view the production orders at Work Center X.
Thank you,
Donald Tatun
03-20-2012 10:22 PM
Hi,
This is how authorizations work in SAP. A user's authorization buffer is a union of all authorizations from all roles/profiles attached to the user. You can't say that this authorization is valid only for transaction X. This is a common misunderstanding of authorizations in SAP. At least once a month somebody asks a similar question to yours.
Cheers
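The union behaviour described in the reply above, modelled on the CO01/CO02 scenario from this thread, as an added example that is not part of the original posts and is not SAP code. S_TCODE with field TCD is the standard transaction-start object; the object Z_WORKCTR, its field WORKCTR and the activity values are hypothetical stand-ins constructed for illustration.

```python
# Added model of the thread's scenario (not SAP code). S_TCODE/TCD is the
# standard transaction-start object; Z_WORKCTR and WORKCTR are hypothetical.
PROFILES = {
    "A1": [
        ("S_TCODE", {"TCD": {"CO01"}}),
        ("Z_WORKCTR", {"ACTVT": {"01", "02", "03"}, "WORKCTR": {"X"}}),
    ],
    "A2": [
        ("S_TCODE", {"TCD": {"CO02"}}),
        ("Z_WORKCTR", {"ACTVT": {"02", "03"}, "WORKCTR": {"Y"}}),
    ],
}


def user_buffer(profile_names):
    """Flatten every assigned profile into one list: the user's buffer."""
    return [(name, obj, fields)
            for name in profile_names
            for obj, fields in PROFILES[name]]


def authority_check(buffer, obj, **wanted):
    """Return the profiles holding ONE authorization that covers all fields.

    The check never asks which transaction or profile is 'current'; it only
    searches the whole buffer for a matching authorization of the object.
    """
    hits = []
    for profile, auth_obj, fields in buffer:
        if auth_obj != obj:
            continue
        if all(v in fields.get(f, set()) or "*" in fields.get(f, set())
               for f, v in wanted.items()):
            hits.append(profile)
    return hits


def can_work_on(buffer, tcode, workctr, actvt):
    """Transaction start check, then the work-center check inside it."""
    start = authority_check(buffer, "S_TCODE", TCD=tcode)
    data = authority_check(buffer, "Z_WORKCTR", ACTVT=actvt, WORKCTR=workctr)
    return bool(start and data), start, data


if __name__ == "__main__":
    buf = user_buffer(["A1", "A2"])
    print(can_work_on(buf, "CO02", "X", "03"))  # start from A2, data from A1
    print(can_work_on(buf, "CO01", "Y", "01"))  # no single auth has 01 + Y
```

The returned profile lists show which profile satisfied each check, which is the same question the agr_1251 / agr_users join mentioned earlier in the thread answers on a real system.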
03-20-2012 11:04 PM
Yep. There are exceptions to the merge though. In the example about CO01 and CO02, you really need to look at the auth objects they bring in. PFCG sorts the fields of an auth object by how they merge, at least that is my understanding. So if an auth object in role A has ACTVT and SOMETHING1 and SOMETHING2, then... if ACTVT=03 in both role A and role B, then SOMETHING1 will merge. But if ACTVT=03 in role A but role B=01,02,03, then SOMETHING1 will not merge. Someone correct me if I'm wrong, but that is my observation and understanding.
03-22-2012 1:41 PM
Hi,
Have a look here: http://scn.sap.com/thread/2073837
especially the details added by Julius on 8th Nov. 2011...
Cheerio!
Bernhard