Application Development Discussions

Segregation of roles: authorization object/activity

iklovski
Active Contributor
0 Kudos

Hello,

This question might sound basic to many of the users of this forum, but I would like to obtain a clear answer from a trusted source.

In the following example:

Role A: Transaction code FB50 - Authorization object F_BKPF_BUK T001 - Activity 'Park'

Role B: Transaction code FB50 - Authorization object F_BKPF_BUK T002 - Activity 'Park', 'Post'.

A user is granted roles A and B. Question: will SAP merge the activities, making the user able to post on company code 'T001', or not?

I apologize again if the answer seems to be obvious.

Thanks in advance,

Eli

1 ACCEPTED SOLUTION

Former Member
0 Kudos

A bulletproof way to find out would be to create the two roles as described, assign them to the same user and then try to post to T001.

That way we can't lie to you...  🙂

Cheers,

Julius

5 REPLIES 5

0 Kudos

That's my problem: I cannot believe my eyes. It seems that SAP merges the roles. I cannot comprehend the functional logic behind this behaviour!

0 Kudos

Then something else (another role?) is tricking your test.

The AUTHORITY-CHECK statement respects "instances" of authorizations. A role can have multiple instances of an object but as BUKRS is an org level and you want different BUKRS values combined with different ACTVT, you will need 2 roles and must check that ACTVT 01 did not sneak into the role with T001 and that * or T001 did not sneak into the role with T002.

If any authorization instances are in status "Changed", then chances are fairly good that something went wrong and ACTVT '01' is probably still there in role 1...

Cheers,

Julius
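
The per-instance evaluation described in the reply above, as an added example that is not part of the original thread and is not SAP code: a simplified Python model that compares an instance-by-instance check with a field-by-field merge, and reports which role grants an unexpected combination. The role names, the sample data and the activity code 77 for 'Park' are assumptions of this example; only exact values and the full wildcard `*` are modelled.

```python
# Simplified model of a per-instance authorization check (not SAP code).
# One authorization instance maps each field to its set of allowed values.
PARK = "77"  # assumption of this example: activity code used for 'Park'
POST = "01"  # ACTVT value the thread associates with posting

def field_allows(allowed, wanted):
    """Only exact values and the full wildcard '*' are modelled."""
    return "*" in allowed or wanted in allowed

def instance_allows(instance, wanted):
    """Every checked field must be satisfied by this same instance."""
    return all(field_allows(instance.get(f, set()), v) for f, v in wanted.items())

def authority_check(roles, **wanted):
    """Pass if any single instance in any assigned role covers all fields."""
    return any(instance_allows(i, wanted) for insts in roles.values() for i in insts)

def granting_roles(roles, **wanted):
    """Names of the roles that contain an instance passing the check."""
    return sorted(name for name, insts in roles.items()
                  if any(instance_allows(i, wanted) for i in insts))

def merged_check(roles, **wanted):
    """Field-by-field union across instances: the 'merge' the question fears."""
    merged = {}
    for insts in roles.values():
        for inst in insts:
            for field, values in inst.items():
                merged.setdefault(field, set()).update(values)
    return instance_allows(merged, wanted)

# Constructed role data for object F_BKPF_BUK, as described in the question.
CLEAN = {
    "ROLE_A": [{"BUKRS": {"T001"}, "ACTVT": {PARK}}],
    "ROLE_B": [{"BUKRS": {"T002"}, "ACTVT": {PARK, POST}}],
}
# Constructed variants of the two mistakes named in the reply above.
ACTVT_LEAK = {**CLEAN, "ROLE_A": [{"BUKRS": {"T001"}, "ACTVT": {PARK, POST}}]}
BUKRS_LEAK = {**CLEAN, "ROLE_B": [{"BUKRS": {"*"}, "ACTVT": {PARK, POST}}]}

if __name__ == "__main__":
    for label, roles in [("clean", CLEAN), ("ACTVT leak", ACTVT_LEAK),
                         ("BUKRS leak", BUKRS_LEAK)]:
        print(label, authority_check(roles, BUKRS="T001", ACTVT=POST),
              granting_roles(roles, BUKRS="T001", ACTVT=POST))
```

When a test user can post to T001 unexpectedly, `granting_roles` corresponds to the manual step of finding which assigned role holds the instance that satisfies both fields at once.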

0 Kudos

Yes, that certainly makes sense. The problem is that the roles in this project are organized in a way that there is always a lacuna, the way you described it. Anyway, the situation seems to be clear. Thanks, Julius.

plaban_sahoo6
Contributor
0 Kudos

The user will not be able to post for T001.