Security Gurus,
I am facing a unique situation with regards to Security Admin’s access in Production to deactivate authorization objects.
The Security Admin in Production when opens a role in PFCG, then goes to Authorization tab and tries to deactivate authorization objects with different status, the results are as follows:
- Authorization Object (Manually) : Cannot deactivate/ or activate
- Authorization Object (Maintained) : Cannot deactivate/ or activate
- Authorization Object (Changed): Cannot Deactivate/ or activate
- Authorization Object (Standard): Can Deactivate, but cannot activate
So the Security Admin can deactivate “Authorization Object (Standard)”, however it cannot reactivate the same or any other authorization object.
The trace is not picking up any check when “Authorization Object (Standard)” is Deactivated, however for every other failed deactivation & re-activation it is showing missing authorization for S_USER_VAL (which is assigned as all ‘’, i.e. No authorization). S_USER_AGR is assigned with 02 access, which is coming in for user assignment.
Do you think it is a bug, or there is a way to that deactivation of “Authorization Object (Standard)” can be limited without affecting access for user assignment ?
