04-24-2013 10:39 AM
Dear all,
I am currently working on authorization issues and in this context I am trying to understand how the AGR_USERS table is structured.
I am having trouble understanding what is the use of the fields :
- EXCLUDE (Field label being "Exclusive")
- CHANGE_TST (Field label being "UTC Time Stamp in Short Form (YYYYMMDDhhmmss)")
- ORG_FLAG (Field label being "HR Org Mgt")
Could anyone tell me by the use of which transaction the field is being updated in the table and in which context this information can be usefull.
Thank you in advance for your help.
Regards
Sanddie
04-24-2013 3:47 PM
hi Sanddie,
I can only give you a conclusive answer on one of your three questions. the ORG_FLAG indicates whether a role is assigned via OM instead of the usual assignment via SU01 or PFCG. this is called indirect role assignment.
the CHANGE_TST field is indeed the UTC timestamp, but in the system I'm currently logged into this field is not populated for any role assignment.
I was not able to find any info for the EXCLUDE field. this is not populated for any entry in my AGR_USERS table either...
Message was edited by: Dimitri van Heumen
04-25-2013 1:19 PM
Hi Dimitri : that is great I will have a look at this indirect role assignement !
I just have one more field to go : does anyone have any idea of where this EXCLUDE field comes from ?
Thank you
Sanddie
04-24-2013 6:30 PM
HR Org Mgt is where the role is available to the user through position based assignment (they inherit the roles through the being assigned to an org structure which itself has access assigned to it). Do a search on "position based security" for a bit more info.
The other fields? No idea
04-25-2013 1:18 PM
Hi Alex,
Thank you very much for this answer : two more fields to go !
Sanddie
05-31-2013 2:52 AM
EXCLUDE should not be used by ABAP stack according to note 908563. But PRGN_J2EE_USER_GET_ROLES will ignore the roles with this flag set to 'X'. So it seems like you could use it to hide some roles from Java stack in case of dual stack installation.
The field CHANGE_TST is initialized few times in ABAP stack but I can't see any meaningful logic for this field.
Cheers
06-03-2013 10:41 AM
Hi Martin,
Thank you very much for this very helpful answer : I will have a closer look at the note 908563 !
Sanddie
05-31-2013 12:37 AM
lI dont get it.
What authorization issues makes you analyse the table holding the content visible via the pfcg.
You can get even better help if you share your real issue with us.
06-03-2013 10:43 AM
Hi Fredrik,
I am working on mass analysis of the authorization meaning that I don't go through PFCG (too tidious) : I directly go to the table. This is why I need to understand the detailled structure of the tables.
Hope that helps you understand my question
Sanddie