How are different values of an authorization object combined?

Hello all,

I would like to know how different values for the same authorization object are combined when the star character is used.

For example, with activity group 1, a user can administrate all users via CLASS * for the S_USER_GRP authorization object.

With activity group 2, a user can only administrate group 1 of users via CLASS group1 for the S_USER_GRP authorization object.

If both activity groups are combined in a composite activity group, does that composite activity group allow management of all users or only the users assigned to group1?

Thank you for your help.

Regards.

Didier Paris.

1 ACCEPTED SOLUTION

Former Member

Hi Didier,

SAP will look in the user buffer for any way to satisfy the auth check. That means that the highest level of authorisation that you have assigned will be available.

In your example you have 2 roles:

Role1: S_USER_GRP: ACTVT=01,02,03 CLASS=*

Role2: S_USER_GRP: ACTVT=01,02,03 CLASS=group1

If you combine them, SAP will take the highest; therefore the user who has been assigned that composite role (or both single roles) will have admin access to all user groups.

A common pitfall is that while the authorisations are additive, they are still evaluated as a set. Therefore if you have:

Role1: S_USER_GRP: ACTVT=03 CLASS=*

and

Role2: S_USER_GRP: ACTVT=01,02,03 CLASS=group1

Your user will have display access for all groups, but only create or change for group 1.
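
A simplified model of the evaluation described in the accepted answer, added here as an example (it is not part of the original post and not SAP code). The function names and the user group `group2` are assumptions made for the illustration; the naive merged check shows the over-grant an audit would report if it unioned field values across roles instead of testing each authorization as a set.

```python
# Simplified model of an authority check (added illustration, not SAP code).
# A user buffer is a list of (object, {field: set of granted values}).

def value_matches(granted, requested):
    # '*' covers everything; a trailing '*' (e.g. 'Z*') covers a prefix.
    if granted.endswith("*"):
        return requested.startswith(granted[:-1])
    return granted == requested

def authorization_passes(fields, requested):
    # Inside ONE authorization, every checked field must be covered (AND).
    return all(
        any(value_matches(g, want) for g in fields.get(name, ()))
        for name, want in requested.items()
    )

def authority_check(user_buffer, obj, **requested):
    # Across authorizations, any single one may satisfy the check (OR).
    return any(
        authorization_passes(fields, requested)
        for name, fields in user_buffer if name == obj
    )

def naive_merged_check(user_buffer, obj, **requested):
    # WRONG model: unions the field values of all authorizations first,
    # which pairs ACTVT from one role with CLASS from another.
    merged = {}
    for name, fields in user_buffer:
        if name == obj:
            for field, values in fields.items():
                merged.setdefault(field, set()).update(values)
    return authorization_passes(merged, requested)

# The two role combinations from the answer above.
FIRST = [("S_USER_GRP", {"ACTVT": {"01", "02", "03"}, "CLASS": {"*"}}),
         ("S_USER_GRP", {"ACTVT": {"01", "02", "03"}, "CLASS": {"group1"}})]
SECOND = [("S_USER_GRP", {"ACTVT": {"03"}, "CLASS": {"*"}}),
          ("S_USER_GRP", {"ACTVT": {"01", "02", "03"}, "CLASS": {"group1"}})]

if __name__ == "__main__":
    for label, buf in (("first", FIRST), ("second", SECOND)):
        for group in ("group1", "group2"):  # group2 is a constructed name
            for actvt in ("01", "02", "03"):
                ok = authority_check(buf, "S_USER_GRP", ACTVT=actvt, CLASS=group)
                print(label, group, actvt, "pass" if ok else "fail")
```
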
