08-16-2007 11:51 PM
Hi all:
I am looking at whether Context sensitive authorization check is worth implementing in my organization. I have read sap help and some other documentation and all of them seem to suggest that when turning Context switch AUTSW-INCON to 1 we should turn off HR master data switch off AUTSW-ORGIN to 0. They can't be implemented simultenously. However in my case I think I could use if both of these switches are on so I can use context for some roles and not for others. When I tested this in a test client, it seems to be working fine with both switches set to 1. My question to you is: Is this possible and what are some impacts that I my encounter because of this? I would appreciate your input.
Thanks,
Netra
08-17-2007 2:15 PM
hi netra,
I can't think of a reason to use ORGIN and ORGINCON simultaneously.
what's the use of using both types of objects when you can use P_ORGINCON without specifying a PROFL. this will be identical to the P_ORGIN object.
have you SU24-ed the P_ORGINCON checks yet?
also, in your test-environment have you specified structural profiles at all? I would like to know whether that's working correctly as well.
08-17-2007 4:19 PM
Thanks Dimitri,
I understand what you are saying but the roles here are already setup and functioning with P_ORGIN and most of these have manually inserted objects. If I implement just Context then I will need to change all the roles to replace ORGIN with ORGINCON. I think that is a quite a bit of work. If I can have them activated simultaneously then I can only change few roles where the solution is needed. No, I have not started working on SU24 yet and I am not sure how helpful it will be maintain this as most roles have manually inserted objects. And also in my test environment I have str. profile setup and i have specified them in my context object.
I appreciate your thoughts.
Thanks,
Netra
08-20-2007 10:53 AM
hi again Netra,
I understand that it will be quite some work changing all P_ORGIN roles to P_ORGINCON. as a matter of fact I'm in the middle of doing so myself...
what I can tell you however, is that leaving the situation as you describe above, will result in poorer performance because now both objects will be checked at runtime.
I don't think you will notice on the testenvironment, but it could have a significant impact in a live productive system.
anyway, good luck on your project and let me know how things work out for you!
thanks,
dimitri
08-20-2007 4:58 PM
Thanks Dimitri. I did not really think about performance issues, thanks! I am going to include ORGINCON and disable ORGIN as you suggested.
Thanks again,
Netra
03-03-2008 6:47 PM
Hi:
As soon as P_ORGINCON is switched on, old roles using P_ORGIN doesn't work even if P_ORGIN is on too. System starts complaining like "No read authorization for...".
So how can you use both at the same time? Roles need to be change? Am I missing something? Help will be appreciated.
Thanks
Sukhbir Singh