03-11-2008 7:41 AM
Hi there,
I have created an authorisation object with eight fields. The fields control which parts of my application are accessible to the user. (Each field is one category, each category has several subcategories).
What I want to do is the following:
There shall be a custom authorization dialog, wherein the system administrator can configure the access of the application for a specific user.
In plain text: I want to develop an interface which makes it possible to assign authorisation objects with specific values to a user or to an already existing role.
Is there any functionality, that allows me to perform this assignment and regenerate the users profile?
I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.
Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
Thank you very much,
Gregor
Edited by: Gregor Bender on Mar 11, 2008 8:41 AM
03-11-2008 7:53 AM
>
> I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values.
Nope, sorry, it's not the connection but only one of the many.... Roles and profiles are stored in quite a lot of different tables so manipulating one table directly will hardly ever get you the desired situation. It may even lead to problems due to inconsistencies.
For mass regenerating profiles there's transaction SUPC.
For manipulating the contents of roles/profiles have a look at scripting with SECATT or LSMW in combination with PFCG.
If you want to write code to add objects to roles you have to look at least in tables AGR_1250, AG_1251 and AGR_1252. The UST* tables are updated when generating profiles and/or comparing users.
03-11-2008 10:59 AM
> I already discovered, that the table UST12 contains the connection between the authorization profile of a role and an authorization object, as well as the assigned values. Anyhow, just to write new values to that table has no affect to the authorization when calling "authority-check object" in an ABAP report.
You have misinterpreted the meaning of the table and the fields. Your statement indicates that you have already updated the table directly. Appart from the generally frowned upon practice of updating SAP tables, you obviously don't know what you are doing - so rather steer well clear of doing that (sorry, just being honest).
> Does anyone know, whether there are standard functions in the ERP System, that support the changing of authorization objects and the regeneration of roles?
Yip: Transaction PFCG to open the roles: add the object (various techniques) and maintain the fields there.
Cheers,
Julius
03-11-2008 11:34 AM
There is nothing as standard which will do this & I would not programmatically add objects (org levels are far simpler). Apparently the next release of Role Expert (which has now been renamed) will have the ability to do this. I'm still waiting to see it do that though.