duplicate authorization objects in custom roles for user

Former Member
0 Kudos

Our company never had anyone to manage the roles of the users. When users requested access to certain transactions, we simply added the transaction to one of the roles we thought it would fit best, based on the description.

At this point, multiple roles for that user have the same authorization objects.

I got a request to restrict the transaction based on a cost center. Restricting the authorization object K_CCA in the role that contains the transaction doesn't work because K_CCA can be found in other roles for the user. We can restrict all the K_CCA objects we find for that user in all the roles, but this doesn't seem to be the right solution, or is it?

What is the best solution for such scenarios? Should we restructure roles so all the transactions that use the same authorization objects are under the same role? Or create a program enhancement and programmatically set an authorization based on user and cost center?

Any ideas would be welcome.

Thanks

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Juan,

As a temporary fix (considering the current request has some fixed ETA), I would recommend updating all the roles of the user which contain this auth object, but this can cause issues for other users having common roles, hence you need to check this beforehand.

As a long-term solution to make the whole security task easy, it's highly recommended to make your SAP roles consistent and adaptive to further subsequent changes.

Thanks
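The "check this beforehand" step can be scripted. The following is an added example, not code from the thread or from SAP: it assumes you have exported the role authorization values (table AGR_1251) and role assignments (table AGR_USERS) to rows, and it lists every role of a user that still grants K_CCA beyond the intended cost center, together with the other users who hold that role. All role names, user names and field values are constructed, and only single values are handled, not ranges.

```python
from collections import defaultdict

# Constructed sample data, shaped like exports of AGR_1251
# (role -> authorization values) and AGR_USERS (role -> user).
# Role names, user names and field values are made up for illustration.
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW)
    ("Z_CO_REPORTS", "K_CCA", "RESPAREA", "CC1000"),
    ("Z_CO_REPORTS", "K_CCA", "CO_ACTION", "0003"),
    ("Z_FI_MISC", "K_CCA", "RESPAREA", "*"),
    ("Z_FI_MISC", "K_CCA", "CO_ACTION", "*"),
    ("Z_MM_BUYER", "M_BEST_EKG", "EKGRP", "001"),
    ("Z_PLANNING", "K_CCA", "RESPAREA", "CC2000"),
]
AGR_USERS = [  # (AGR_NAME, UNAME)
    ("Z_CO_REPORTS", "JUAN"), ("Z_FI_MISC", "JUAN"), ("Z_MM_BUYER", "JUAN"),
    ("Z_FI_MISC", "MARIA"), ("Z_PLANNING", "MARIA"),
]

def roles_of(user, agr_users):
    """All roles assigned to one user."""
    return {role for role, uname in agr_users if uname == user}

def field_values(obj, field, agr_1251):
    """Map role -> set of values that role grants for obj/field."""
    values = defaultdict(set)
    for role, o, f, low in agr_1251:
        if o == obj and f == field:
            values[role].add(low)
    return values

def restriction_impact(user, obj, field, allowed, agr_1251, agr_users):
    """Roles of `user` that grant obj/field values outside `allowed`,
    plus the other users who hold each role and would be hit by a change."""
    granted = field_values(obj, field, agr_1251)
    report = {}
    for role in sorted(roles_of(user, agr_users) & set(granted)):
        excess = granted[role] - allowed
        if excess:  # authorizations are additive: this role overrides the restriction
            others = sorted(u for r, u in agr_users if r == role and u != user)
            report[role] = {"excess": sorted(excess), "shared_with": others}
    return report

if __name__ == "__main__":
    result = restriction_impact("JUAN", "K_CCA", "RESPAREA", {"CC1000"},
                                AGR_1251, AGR_USERS)
    for role, info in result.items():
        print(role, info)
```
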

5 REPLIES 5

michael_kozlowski
Active Contributor
0 Kudos

I would highly recommend restructuring the authorization concept. Implementing enhancements is definitely not the right way.

martin_voros
Active Contributor
0 Kudos

Depending on if you want to keep digging your grave or you want to clean up the mess. In other words, I agree with Michael.

Cheers

0 Kudos

Santosh,

Thanks for the help.

What is the correct way to structure the authorization object? What do you mean by consistent?

The way I see it, multiple authorization objects will always be shared in multiple roles because transactions have multiple authorization objects.

0 Kudos

Hi Juan,

You need to define all your roles as per any recommended role design policy such as based on user's position/job description. Multiple roles will share the common authorization objects provided multiple JDs have some common activities among them.

Hope this helps

Thanks