Hey specs, I count on your help...
If a user has several roles assigned to him - how can he switch between the roles?
E.g. User1 has PFCG role assigned as a Customer Manager - with the authorization to operate with invoices - for that he has one flavor assigned as default screen and then he got also role within the company where he needs to record his time in CAT2 transaction - this is another role for him (HR assistant) with another flavor assigned to him on logon.
So my question is - how can the user switch between the roles to complete his tasks depending on the role?
Yuksel AKCINAR replied
There is no switch between roles like you mentioned. Whatever the authorizations are given to users they can use those authorizations whenever they want. They donot need anything like switch etc.
SAP Authorization concept is not so. SAP authorizations rely on "Authorization Objects and their field values". Roles are only groups of authorization objects. They make the authorization concept simpler and maintenance easier. They are just for appearence.
SAP looks at whole authorizations.
Here is a script from training book.
When a user logs on to a client of an SAP system, his or her authorizations are loaded in the user context. The user context is in the user buffer (in the main memory, query using transaction SU56) of the application server.
When the user calls a transaction, the system checks whether the user has an authorization in the user context that allows him or her to call the selected transaction.
All authorizations are permissions. There are no authorizations for prohibiting. Everything that is not explicitly allowed is forbidden. You could describe this as a “positive authorization concept”.
So users can use all authorizations whenever they wants.
You can only restrict the usage of roles' transactions by unassigning the role from them.