PFCG and SU24 understanding problem

former_member308518
Participant

Hello,

I noticed that when I set up a new role in the profile generator PFCG, only those authorization objects are added to the role by default which have the proposal status “Yes” or “Yes, without values” in transaction SU24.

Authorization objects having the proposal status “No” in SU24 are by default not added to the role, even if they have the check indicator “Check” in the neighboring column. Why do such roles work properly although they don’t have some authorization objects which are checked?

I will appreciate your explanation very much.

With best regards,

Robert

1 ACCEPTED SOLUTION

ACE-SAP
Active Contributor
0 Kudos

Hi

SU24 contains most of the Auth Obj required to perform a transaction.

SAP transactions can behave in very different ways depending on how the system is customized, and this has an impact on the authorization checks that are performed.

Some customizing options might activate access to extra data that is not specific to the main transaction, thus involving new security controls.

In SU24 only the objects that are needed for the default or core usage of a transaction are flagged as required. All the other objects might be needed only in specific customizing scenarios, and this is why they are flagged as 'not necessary'.

You can change the flags in SU24 to adapt the role creation to the customization of your system.

Regards

6 REPLIES

Syamkriz
Active Participant
0 Kudos

Hi Robert,

Agreed, I too have this question for SAP.

Is there any situation in which an authorization check is required but the default inclusion in the role is not required for an authorization object?

Thanks and Regards,

Syam

0 Kudos

Hi Yves,

Thank you very much for the explanation. I understand; however, I still have some doubts. For example, transaction KA03 - "Display Cost Element" is designed to show cost element master data. What can be the sense of checking S_TABU_DIS or S_PROJECT for this transaction, i.e. for a transaction presenting master data of a cost element? And these objects are checked in SU24, however not proposed.

May I ask you two more questions in this area?

Do you know the reason for putting authorization objects on the SU22 list in case they are not checked (e.g. transaction KKF6N, object C_FVER_WRK)? Do these objects have AUTHORITY-CHECK clauses in this program? If an AUTHORITY-CHECK clause does not exist for an authorization object in the program, would adding this object to SU24 manually with the option "check" bring any results?

And what is the difference between using the proposal option "Yes, without values" in SU24 (e.g. transaction KO88, object S_ALV_LAYO) and the proposal option "Yes" with leaving the fields empty? What is the reason for using the option "Yes, without values" at all?

I will be very grateful for any explanations.

With best regards,

Robert

ACE-SAP
Active Contributor

S_TABU_DIS is used to secure table access through generic table maintenance tools (SE16/SM30...) and maybe that kind of screen is used somewhere in KA03.

All the objects available in SU24/SU22 (and the underlying USOB* tables) might not be relevant, but it is always better to have more than less!

Check all the OSS notes called "Missing authorization default values".

All these objects are there to help, you can activate them if you find they are needed on your system.

If an AUTHORITY-CHECK clause does not exist for an authorization object in the program, would it bring any results adding this object to SU24 manually with the option "check"?

=> No, it won't be of any use; it will just lead to including authorization objects that are not required in the role you create that includes that program/transaction.

This would in the end make your system's security weaker, as all authorization objects are merged in the user authorization buffer, so this could lead to unwanted side effects.

If you really want to have a fully appropriate / accurate list of Auth. Obj in SU24 you could use the trace options (see the notes below).

Option "Yes, without values":

Empty and no value could be different; I did not test this (I have not worked on SAP security for a while...).

There are controls for auth obj with a dummy field (just checking if the object is granted without checking any of its properties). Check that thread on that topic: http://scn.sap.com/thread/3439431

Best regards

1631929 - Using trace evaluation to maintain menus and authorizations

Transaction SU24: Using trace evaluation to maintain the authorization default values

You can also complete the authorization default values with values that you collect in the authorization trace or the system trace. Call transaction SU24 and display the authorization data for an application. Choose the 'Trace' function.

1745172 - SU24: Import of authorization objects from system trace
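To make the two points in this reply concrete (an object with no AUTHORITY-CHECK in the program gains nothing from a "Check" entry in SU24, and a "dummy field" check only tests that the object is present in the user's authorization buffer), here is a small ABAP report. It is an added illustration written for this thread, not code from the thread, from KA03, or from SAP; the report name Z_AUTH_CHECK_DEMO and the table authorization group value ZCOST are made up for the example, while S_TABU_DIS (fields DICBERCLS, ACTVT), S_ALV_LAYO (field ACTVT) and the AUTHORITY-CHECK ... DUMMY syntax are standard.

```abap
*&---------------------------------------------------------------------*
*& Report Z_AUTH_CHECK_DEMO (hypothetical name, added example)
*& Contrasts a value-comparing AUTHORITY-CHECK with a DUMMY check, and
*& shows why an object that is never checked in code is useless in a
*& role even when SU24 flags it "Check".
*&---------------------------------------------------------------------*
REPORT z_auth_check_demo.

" Table authorization group to test; ZCOST is a constructed sample value.
PARAMETERS p_tabgrp TYPE tddat-cclass DEFAULT 'ZCOST'.

START-OF-SELECTION.

  " 1) Value check: S_TABU_DIS with concrete field values.
  "    The check passes only if an authorization in the user's buffer
  "    carries DICBERCLS = p_tabgrp and ACTVT = 03 (display). For a check
  "    like this, an SU24 proposal with maintained values lets PFCG pull
  "    both the object and its values into the role automatically.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD p_tabgrp
    ID 'ACTVT'     FIELD '03'.
  IF sy-subrc <> 0.
    WRITE: / 'S_TABU_DIS: no display authorization for group', p_tabgrp.
  ELSE.
    WRITE: / 'S_TABU_DIS: display allowed for group', p_tabgrp.
  ENDIF.

  " 2) DUMMY check: S_ALV_LAYO with ACTVT explicitly not compared.
  "    sy-subrc is 0 as soon as any authorization for S_ALV_LAYO exists
  "    in the buffer, whatever ACTVT value it carries. This is the
  "    "dummy field" style of control the reply above refers to: the
  "    object must be present in the role, but no field value is tested.
  AUTHORITY-CHECK OBJECT 'S_ALV_LAYO'
    ID 'ACTVT' DUMMY.
  IF sy-subrc <> 0.
    WRITE: / 'S_ALV_LAYO: object not in user authorization buffer'.
  ELSE.
    WRITE: / 'S_ALV_LAYO: object present, no value compared'.
  ENDIF.

  " 3) Deliberately no AUTHORITY-CHECK for any further object here.
  "    Adding such an object to SU24 with "Check" changes nothing at
  "    runtime; it only puts an unused authorization into every role
  "    built from this report. The authorization trace / system trace
  "    (notes 1631929 and 1745172 cited above) shows which objects a
  "    transaction really checks, so SU24 can be corrected from evidence
  "    instead of guesswork.
```

Running the report under two test users, one with S_ALV_LAYO ACTVT = 23 and one with any other ACTVT value, shows that both pass step 2, whereas step 1 distinguishes users by the DICBERCLS and ACTVT values actually granted.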

0 Kudos

Hello Yves,

thank you very much for your very helpful explanations!

With best regards,

Robert

Former Member
0 Kudos

Hi,

Another note here. I have added VD02 to a role, and objects with Check (yes, without values) are not getting added to the role authorizations. Interestingly, when I check the change documents, these objects show up as being added to the role when they are actually not appearing.

Anyone have the same issue?