I have a role containing the basis administration object (BC_A). It has some authorizations, some of them are:
Then, I have 2 groups of roles, for example ROLEA and ROLEB, and also 2 user groups, GRP_A and GRP_B. I already limited the values of those authorizations to GRPA* for S_USER_GRP, and also set ROLEA in S_USER_AGR, and the other respective authorizations point to A only; it can display, change, assign, etc. I assigned the role to a user.
When I log on using the respective user, I am able to change the roles via tcode PFCG only if the role contains ROLEA, as I expected. And I am able to change the user via tcode SU01 only if the user is included in GRP_A, as I also expected.
The problem is, I am able to assign any role to a user included in GRP_A, even though the role is not in ROLEA*, which is not expected. In the authorization S_USER_SAS, I already limited the role name to ROLEA and the user group to GRP_A. But this still happens. Any suggestions?