
Authorization problem

Former Member
0 Kudos

Hi All,

I have a role containing the basis administration object (BC_A). It has some authorizations, some of which are:

S_USER_AGR

S_USER_AUT

S_USER_GRP

S_USER_SAS

Then, I have 2 groups of roles, for example ROLEA and ROLEB, and also 2 user groups, GRP_A and GRP_B. I already limited the values of those authorizations to GRPA* for S_USER_GRP, and also set ROLEA in S_USER_AGR, and the other respective authorizations point to A only; it can display, change, assign, etc. I assigned the role to a user.

When I log on using the respective user, I am able to change the roles via tcode PFCG only if the roles contain ROLEA, as I expected. And I am able to change the user via tcode SU01 only if the user is included in GRP_A, as I also expected.

The problem is, I am able to assign any role to a user included in GRP_A, even though the role is not in ROLEA*, which is not expected. In authorization S_USER_SAS, I already limited the role name by ROLEA and the user group GRP_A. But this still happens. Any suggestions?

Thanks

Casper

Accepted Solutions (0)

Answers (1)

Former Member
0 Kudos

Hello Casper,

We have the same working model and it works very well for us. In fact we have 15 role groups and 15 user groups.

You mentioned: "I already limited the value of those authorizations value to GRPA* for S_USER_GRP , and also ROLEA set in S_USER_AGR."

On this I have a question. It might sound weird but it might very well be the reason.

In S_USER_AGR, are the values you have given prefixed by a * ?

I mean, is the value something like ROLEA or only ROLEA*?

ROLEA is wrong because SAP understands it as *.

It is not just for this authorization object but for all of them.

Please comment on this so that we have more clarity.

Regards.

Ruchit Khushu

Former Member
0 Kudos

Hi Ruchit,

"ROLEA is wrong because SAP understands it as *."

Is that so?

Since my roles always end with "KOD", I should specify it by *KOD.

I don't think your statement is right, since if I search for a role by KOD, the result is OK. I mean I get all roles ending with the word "KOD", which means that SAP still considers KOD as KOD, not as *. Right?

Former Member
0 Kudos

Hello Casper,

Yes, if you search with KOD you will get the correct values, but once put in the role SAP assumes it as *. Only last week I was facing the same issue with role changes for around 20000 roles (for another authorization object), and after a good amount of testing I have been able to establish that any value in authorization object fields prefixed by * is taken as * only. Well, if your roles end with KOD then you have a problem here. In my case all common roles (part of one group) start with a common prefix, so it works fantastically well for us.

If you are not convinced, create a couple of test roles with a common prefix, then adjust the values of S_USER_AGR and find out yourself.

Regards.

Ruchit Khushu

Former Member
0 Kudos

Hi Ruchit,

Yes, you're right. I already tried some tests.

So, do you have any idea how to solve this? Changing all my roles to ROLEA* is kind of a "brute" solution.

Thanks in advance.

Casper

Former Member
0 Kudos

Hello Casper,

Well, it sounds brute but it is one of the solutions.

However, there is a better solution:

Combine the common roles in one composite role and try to assign that role. In this case the composite role should start with KOD and not end with KOD.

Regards.

Ruchit Khushu
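
The wildcard behaviour reported in this thread, as an added example that is not part of any post above: a small Python model that shows why a value such as *KOD restricts nothing, and that flags such values in a list of role authorizations. It assumes that everything after the first * in a value is ignored (the thread only reports the leading-* case); the role name Z_USERADMIN_A and the sample values are constructed.

```python
# Added example: models the wildcard behaviour reported in this thread.
# Assumption: text after the first '*' in an authorization value is ignored.

def effective_value(value: str) -> str:
    """Return the value as it is effectively evaluated under that assumption."""
    star = value.find("*")
    return value if star == -1 else value[: star + 1]

def is_authorized(auth_value: str, checked: str) -> bool:
    """Check a concrete name (role, user group) against one authorization value."""
    eff = effective_value(auth_value)
    if eff.endswith("*"):
        return checked.startswith(eff[:-1])   # trailing wildcard: prefix match
    return checked == eff                      # no wildcard: exact match

def audit(entries):
    """List entries whose wildcard is not trailing, with their effective value."""
    return [(role, obj, field, value, effective_value(value))
            for role, obj, field, value in entries
            if effective_value(value) != value]

# Constructed sample: (role, authorization object, field, value)
SAMPLE = [
    ("Z_USERADMIN_A", "S_USER_AGR", "ACT_GROUP", "ROLEA*"),
    ("Z_USERADMIN_A", "S_USER_SAS", "ACT_GROUP", "*KOD"),
    ("Z_USERADMIN_A", "S_USER_GRP", "CLASS", "GRP_A"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("non-trailing wildcard:", finding)
    # A prefix value confines the administrator; a suffix value does not.
    for role_name in ("ROLEA_FI", "ROLEB_FI", "ROLEB_KOD"):
        print(role_name,
              "ROLEA* ->", is_authorized("ROLEA*", role_name),
              "| *KOD ->", is_authorized("*KOD", role_name))
```

Running the audit over an export of role authorization values highlights entries that grant full access while looking restricted.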