Question:
Hi,
su24 for transaction ik11 (create a measurement document) reveals that the following auth objects (amoung others) are checked:
I_IWERK - Planning Plant
I_SWERK - Maintenance Plant
The check ID in su24 for both of these is 'C' (Authorization object checked under transaction)
Doing a search for AUTHORITY_CHECK in the program for ik11 indicates that both of these auth objects are not checked.
When I create a role and include ik11 (and nothing else) the objects I_IWERK and I_SWERK do not appear in the <Authorisation> tab.
When I assign the role (and nothing else) to a user, the user is able to create measurement documents (via ik11) in any plant.
Where am I going wrong: I was expected that I could have restricted ik11 by either planning plant or maintenance plant !
Am I able to restricted ik11 by either planning plant or maintenance plant !
_________________
apc
4.7 (release 620)
Answer:
The info in SU24 has little resemblence to what is actually checked. It has been configured with approximate values hence needing to change it to reflect what is being checked in your setup.
There are a few things you can try
1. Perform an authorisation trace on the transaction using ST01
If the objects are not picked up then
2. Change objects to CM status and re-trace
then
3. Speak to the config teams to see if there are any auth switches in config
Answer:
Thanks Al.
Auth trace reveals no check on plant.
No config exists for switching on additional checks for measurement documents.
Changed the check indicator for I_IWERK and I_SWERK ik11 to 'CM' (the field values picked up the corresponding org levels $IWERK and $SWERK).
Changed my role: removed ik11 from the menu, added it back in --> checked the <Authorisation> tab to see that the new auth objects appeared. They did. I set the org levels to just one plant. Did a complete user compare. Log off/logon the dummy test user, and again the user could created measurement documents for any plant. Ran an auth trace, and still not checking plants.
So, I'm thinking:
. the program behind transaction ik11 has no AUTHORITY_CHECK for plants
. fiddling with su24 for the transaction has no impact if the program doesn't check it (I already knew this)
So, my question:
why did su24 include I_IWERK and I_SWERK in the first place for ik11 if its not checked ?
_________________
apc
4.7 (release 620)
Answer:
Thanks Al.
Auth trace reveals no check on plant.
So, I'm thinking:
. the program behind transaction ik11 has no AUTHORITY_CHECK for plants
. fiddling with su24 for the transaction has no impact if the program doesn't check it (I already knew this)
So, my question:
why did su24 include I_IWERK and I_SWERK in the first place for ik11 if its not checked ?
I think you are correct in your thinking.
Unfortunately SAP has loaded SU24 with a fair bit of rubbish so I am not surprised to see something like this happen.
Answer:
SU24 is full of authorization objects that are in the CODE but has not bearing on the PATH the code takes. If you dig deep enough you can find almost all the authorization objects in the code as represented in SU24, the problem is SU24 cannot tell you the PATH the tcode will take or how config can effect it.
Working as designed. SU24 is not more than a config table for PFCG to tell which object to bring in when you enter the tcode in the menu in PFCG. If the code actually CHECKS the oject then the "pass regardless feature"(column 'N') can be used. other than that it means NOTHING.
Answer:
thanks for the response guys
_________________
apc
4.7 (release 620)