10-16-2007 2:43 PM
Hello all,
I would like to know how different values for the same authorization object are combined when the star character is used?
For example, with activity group 1, a user can administrate all users
via CLASS * for S_USER_GRP authorization object.
With activity group 2, a user can only administrate the group 1 of users
via CLASS group1 for S_USER_GRP authorization object
If both activity groups are combined in a composite activity group,
does that composite activity group allow management of all users or only the users assigned to group1?
Thank you for your help.
Regards.
Didier Paris.
10-16-2007 3:21 PM
Hi Didier,
SAP will look in the user buffer for any way to satisfy the auth check. That means that the highest level of authorisation that you have assigned will be available.
In your example you have 2 roles:
Role1: S_USER_GRP: ACTVT=01,02,03 CLASS=*
Role2: S_USER_GRP: ACTVT=01,02,03 CLASS=group1
If you combine them, SAP will take the highest; therefore the user who has been assigned that composite role (or both single roles) will have admin access to all user groups.
A common pitfall is that while the authorisations are additive, they are still evaluated as a set. Therefore if you have:
Role1: S_USER_GRP: ACTVT=03 CLASS=*
and
Role2: S_USER_GRP: ACTVT=01,02,03 CLASS=group1
Your user will have display access for all groups, but only create or change for group 1.
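The evaluation described in this answer, as an added example that is not part of the original thread and is not SAP code: a simplified Python model in which a check passes only if one single authorization in the user buffer satisfies every field. It assumes only the full `*` wildcard and exact values; the function names and the group name `group2` are constructed for illustration.

```python
# Simplified model of an authority check against the user buffer.
# Each authorization is one instance of an object: field -> set of allowed values.
# Function names and the group name "group2" are constructed for illustration.

def field_allows(allowed, requested):
    """A field passes if it holds the full wildcard or the exact requested value."""
    return "*" in allowed or requested in allowed

def authority_check(buffer, obj, **requested):
    """Pass if ANY single authorization for obj satisfies ALL requested fields.

    Fields are never mixed across authorizations: ACTVT from one role cannot
    be paired with CLASS from another.
    """
    for auth_obj, fields in buffer:
        if auth_obj != obj:
            continue
        if all(field_allows(fields.get(name, set()), value)
               for name, value in requested.items()):
            return True
    return False

def build_buffer(*roles):
    """Several single roles (or a composite role) concatenate their authorizations."""
    return [auth for role in roles for auth in role]

# First case from the answer: both roles carry ACTVT 01,02,03.
role1_full = [("S_USER_GRP", {"ACTVT": {"01", "02", "03"}, "CLASS": {"*"}})]
role2 = [("S_USER_GRP", {"ACTVT": {"01", "02", "03"}, "CLASS": {"group1"}})]
# Second case (the pitfall): Role1 is ACTVT 03 only, for all groups.
role1_display = [("S_USER_GRP", {"ACTVT": {"03"}, "CLASS": {"*"}})]

def report(buffer):
    """Return {(activity, group): allowed} for a small grid of checks."""
    return {(a, g): authority_check(buffer, "S_USER_GRP", ACTVT=a, CLASS=g)
            for a in ("01", "02", "03") for g in ("group1", "group2")}

if __name__ == "__main__":
    for label, buf in (("Role1(full)+Role2", build_buffer(role1_full, role2)),
                       ("Role1(display)+Role2", build_buffer(role1_display, role2))):
        print(label)
        for (a, g), ok in sorted(report(buf).items()):
            print(f"  ACTVT={a} CLASS={g}: {'pass' if ok else 'fail'}")
```

When reviewing a composite role, the second case is the one to look for: a broad `CLASS=*` authorization for one activity does not widen the activities granted by a narrower authorization, but it does widen the combined access beyond what either role name suggests.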