on 11-02-2007 10:59 AM
Hi All,
I have a role containing the basis administration object (BC_A). It has some authorizations; some of them are:
S_USER_AGR
S_USER_AUT
S_USER_GRP
S_USER_SAS
Then, I have 2 groups of roles, for example ROLEA and ROLEB, and also 2 user groups, GRP_A and GRP_B. I already limited the values of those authorizations to GRPA* for S_USER_GRP, and also set ROLEA in S_USER_AGR, and the other respective authorizations point to A only; it can display, change, assign, etc. I assigned the role to a user.
When I log on using the respective user, I am able to change roles via tcode PFCG only if the role name contains ROLEA, as I expected. And I am able to change a user via tcode SU01 only if the user is included in GRP_A, as I also expected.
The problem is that I am able to assign any role to a user included in GRP_A, even though the role is not in ROLEA*, which is not expected. In authorization S_USER_SAS, I already limited the role name to ROLEA and the user group to GRP_A. But this still happens. Any suggestions?
Thanks
Casper
Hello Casper,
We have the same working model and it works very well for us. In fact we have 15 role groups and 15 user groups.
You mentioned: "I already limited the value of those authorizations value to GRPA* for S_USER_GRP , and also ROLEA set in S_USER_AGR."
On this I have a question. It might sound weird but it might very well be the reason.
In S_USER_AGR, are the values you have given prefixed by a * ?
I mean, is the value something like ROLEA or only ROLEA*?
ROLEA is wrong because SAP understands it as *.
It is just not for this authorization object but for all of them.
Please comment on this so that we have more clarity.
Regards.
Ruchit Khushu
Hi Ruchit,
"ROLEA is wrong because SAP understands it as *."
Is that so?
Since my roles always end with "KOD", I should specify it as *KOD.
I don't think your statement is right, since if I search for a role by KOD, the result is OK; I mean I get all roles ending with the word "KOD". It means that SAP still considers KOD as KOD, not as *. Right?
Hello Casper,
Yes, if you search with KOD you will get the correct values, but once put in the role SAP assumes it as *. Last week only I was facing the same issue with role changes for around 20000 roles (for another authorization object), and after a good amount of testing I have been able to establish that any value in authorization object fields prefixed by * is taken as * only. Well, if your roles end with KOD then you have a problem here. In my case all common roles (part of one group) start with a common prefix, so it works fantastically well for us.
If you are not convinced create a couple of test roles with common prefix and then adjust the values of S_USER_AGR and find out yourself.
Regards.
Ruchit Khushu
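The wildcard behaviour reported in the reply above can be checked against the values maintained in a role before relying on them. The following sketch is an added example, not code from the thread or from SAP: it assumes, as the reply reports, that everything after the first * in a field value is ignored, and the role names Z_ADMIN_A and Z_ADMIN_K and all sample values are constructed.

```python
# Added example: models the wildcard behaviour reported in the reply above.
# Assumption: everything after the first "*" in an authorization value is
# ignored, so "*KOD" is evaluated like "*". All data below is constructed.

def effective_pattern(value):
    """Return the pattern as it would be evaluated under that assumption."""
    star = value.find("*")
    return value if star == -1 else value[: star + 1]

def permits(value, name):
    """True if authorization value `value` covers object name `name`."""
    pattern = effective_pattern(value)
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return name == pattern

def audit(auth_values, sample_names):
    """Flag values whose effective pattern is broader than the one entered."""
    findings = []
    for role, obj, field, value in auth_values:
        pattern = effective_pattern(value)
        if pattern != value:
            covered = [n for n in sample_names if permits(value, n)]
            findings.append((role, obj, field, value, pattern, covered))
    return findings

# Constructed sample: field values as they might be maintained in a role.
AUTH_VALUES = [
    ("Z_ADMIN_A", "S_USER_AGR", "ACT_GROUP", "ROLEA*"),
    ("Z_ADMIN_A", "S_USER_GRP", "CLASS", "GRP_A"),
    ("Z_ADMIN_K", "S_USER_AGR", "ACT_GROUP", "*KOD"),
    ("Z_ADMIN_K", "S_USER_SAS", "ACT_GROUP", "*ROLEA*"),
]
ROLE_NAMES = ["ROLEA_FI_KOD", "ROLEB_MM_KOD", "ROLEB_SD"]

if __name__ == "__main__":
    for role, obj, field, value, pattern, covered in audit(AUTH_VALUES, ROLE_NAMES):
        print(f"{role} {obj}-{field}: '{value}' evaluated as '{pattern}', "
              f"covers {covered}")
```

Any value the audit flags grants more than the text entered suggests, so a suffix-based naming convention such as *KOD cannot be used to scope S_USER_AGR or S_USER_SAS under this assumption.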