Question:
Good Morning,
I hope this question isn't too dumb, it concerns what happens when a user has an AuthObject in 2 different roles, and how those 2 AuthObjects influence each other. So for example (I hope this makes sense with made up names):
AuthObj A_OBJ has 2 fields, Activity and something else
Role S_A has A_OBJ (brought in by Transaction TRAN1) with activitiy 02 and the other field has "VAL1" in it.
The user is given a new role, S_B which has also calls A_OBJ, and it's been brought in by a different transaction, TRAN22; in this role A_OBJ has Activities 02 and 03 with a * for the other field.
Will the introduction of the second role S_B mean that when TRAN1 checks it's A_OBJ authorisations it will find, from S_B, 02 with a "*" and "wrongly" give authorisation to the transaction ?
Any guidance gratefully received, regards, Alan.
Answer:
The authorisations are always additive.
In your example:
Will the introduction of the second role S_B mean that when TRAN1 checks it's A_OBJ authorisations it will find, from S_B, 02 with a "*" and "wrongly" give authorisation to the transaction ?
The answer is yes.
The auths are buffered and when the auth check is performed it is looking for an authset which fulfills it's requirements.
In this case there will be 2 authsets
A_OBJ from role1
A_OBJ from role2
and SAP will pick whichever fulfills it's requirements.
What it won't do is merge auths
e.g.
A_OBJ ACTVT 01 BUKRS 200
A_OBJ ACTVT 02 BUKRS 300
will not give you a combined A_OBJ ACTVT 01,02 BUKRS 200,300
I hope that makes sense
Answer:
Hello,
Giving only some values in a field,
simply means that the user can execute ONLY for those conditions,
but it does NOT mean that he CANNOT execute for other values.
If other values are given in other role, then, the user can run for those values.
So, just as the previous post states, if the value is given at atleast one place through the same object in different roles, then it allows the user to execute for it.
_________________
Suril
A conclusion is simply the place where you got tired of thinking.