12-26-2007 1:43 PM
If I had a user who had Auth object F_BKPF_BUK with Activity 01 and Company Code 1200 and also Auth Object F_BKPF_BUK with Activity 03 and Company Code 1300, would the user have 01 and 03 for both Company Code 1200 and 1300 or would the user be restricted to 01 for 1200 and 03 for 1300?
12-26-2007 4:02 PM
Hi tracy,
In this case act 01 will be for CC 1200 only and act 03 will be for 1300 only. This is assuming you have given this via two different roles or at least in different instances for the same authorization object.
Regards,
Sanju.
12-26-2007 2:26 PM
Hi Layman,
user will have access to both the plants for 01 and 03 also
because BUKRS field is maintaind at org level in PFCG not at object level
please let me know if you have any queries on this
thanks
kishore
12-26-2007 4:02 PM
Hi tracy,
In this case act 01 will be for CC 1200 only and act 03 will be for 1300 only. This is assuming you have given this via two different roles or at least in different instances for the same authorization object.
Regards,
Sanju.
12-26-2007 7:06 PM
Thanks. I set up a test ID and role in a development system and tested. The results I came up with match your comments. The restrictions do not bleed togther.
12-26-2007 6:07 PM
It depends on the object and how the result of the authority-check is "built".
For the result of a single authority-check Sanju is correct.
It would not make sense to attempt to display something (retrieving the value from the record) which has not been created yet (checking the value in the entry screen).
However the opposite can be true for authority-checks within arguments:
- IF weak_check_failed "user is not authorized...
- THEN perform strong_check "permit everything if passes...
- ELSE return_to_... "Go back to list...
However, in many cases this weaker : stronger check is against different objects.
Other transactions will completely bypass the one object and only use a stronger one.
F_BKPF_BUK should be okay for transactions FB01 and FB03, for example.
Cheers,
Julius