Skip to Content

Archived discussions are read-only. Learn more about SAP Q&A

Authorization problem

Hi All,

I have a role containing basis administration object (BC_A). It has some authorizations, some of them are :

S_USER_AGR

S_USER_AUT

S_USER_GRP

S_USER_SAS

Then, I have 2 groups of role, for example ROLEA and ROLEB, and also 2 user group, GRP_A and GRP_B. I already limited the value of those authorizations value to GRPA* for S_USER_GRP , and also ROLEA set in S_USER_AGR and others respective authorizations point to A only, it can display, change, assign, etc. I assign the role to an user.

When i logon using the respective user, I able change the roles via tcode PFCG only if the roles contains ROLEA, as I expected. And I able change the user via tcode SU01 only if user included in GRP_A, as I also expected.

The problem is, I able to assign any role to user included in GRP_A, though the role is not in ROLEA*, which doesn't expected. At authorizations S_USER_SAS, I already limited the role name by ROLEA and the user group GRP_A. But this thing still happen. Any suggestion ?

Thanks

Casper

Former Member

Helpful Answer

by
Not what you were looking for? View more on this topic or Ask a question