How does SAP check user's authorization?

Question: Hi all-

Here is a very stupid question about security, that is: how does SAP check a user's authorization? For example, transactions and other objects such as shipping point etc... Is there any ABAP code for this checking?


Can anyone give me a satisfying answer?

Thanks in advance

Answer:
Suril - not all security people are BASIS folk by any means!

Answer:
Thanks suril2031,

When I display my profile via t-code SU01, it only displays my profile and no activity group. How do I know what authorizations I have through the profile? For example, how do I know if I have SE16 authorization?

And what is the process of SAP checking if I have SE16 authorization?

Could you please advise?

Thanks

Bluesky

Answer:
Hi,

Yes Guest, u are correct that not all Security persons are Basis folk!!
When did I oppose??!!!!

Well yes, Bluesky,
See the basic concept of assigning authorization in SAP is thru diff. types of objects that SAP has made.

There are auth. classes which contain auth. objects which in turn contain auth. fields which are assigned values.

The auth. classes are like.... hmm... u can take them as the diff. modules provided by SAP such as Basis or SD or MM etc. ( U can check it out in tcode SU21)

Auth. objects of same module or same kind are grouped in one class.
Then these objects contain multiple fields and values. (Fields are assigned values)

So this activity u say is just a field in one of the auth. objects (Mostly activity field exists in all of the auth. objects)

To see what u have been assigned, as I said earlier, use tcode SM56, that is the user buffer, which contains the auth. objects which u have been assigned.

To display the fields and values also in the object, click on the button
'Display with Values' and there u will find it.

That will not exactly give u a clear look unless u are habituated with auth. objects as most of Basis people are,
so as u have checked already, u can use SU01 and see what roles and profiles u have been assigned (if u have been assigned profile SAP_ALL then u have full rights in the system)

Then note the roles u have been assigned and then go to tcode
PFCG, there type the role name, then in the displayed screen go to Tab
Menu and see the tcodes assigned.

Or go to Tab Authorizations and click on display Authorization data.

Then in the screen, access the search utility and there type in the field Auth. object 'S_TCODE'.
As the search is found, u see what tcodes have been assigned to u.

(Well I have shown u a lengthy task!!!! but all Basis people do it!!!!!)

By all this, i hope u may get what u want to know.

However, u may get a better understanding if u approach ur Basis personnel!!!!!

Hope u get it!!!

Rgds
suril2031
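
How the object / field / value model described in the answer above is evaluated at runtime in ABAP, as an added example that is not part of the original thread. The report name, parameter names and the choice of the standard object V_LIKP_VST (fields VSTEL, ACTVT) for the shipping point check are assumptions.

```abap
REPORT z_auth_check_demo.
* Added example, not code from the thread. Report name, parameters and
* the use of V_LIKP_VST for the shipping point are assumptions.

PARAMETERS: p_tcode TYPE tcode DEFAULT 'SE16',
            p_vstel TYPE vstel.

DATA gv_rc TYPE sy-subrc.

START-OF-SELECTION.

* 1) Transaction start: object S_TCODE has the single field TCD.
  AUTHORITY-CHECK OBJECT 'S_TCODE'
    ID 'TCD' FIELD p_tcode.
  gv_rc = sy-subrc.              "save at once, later statements reset it
  PERFORM report_result USING 'S_TCODE' gv_rc.

* 2) Organizational value plus activity: all listed fields must be
*    satisfied by one and the same authorization in the user buffer.
  AUTHORITY-CHECK OBJECT 'V_LIKP_VST'
    ID 'VSTEL' FIELD p_vstel
    ID 'ACTVT' FIELD '03'.       "03 = display
  gv_rc = sy-subrc.
  PERFORM report_result USING 'V_LIKP_VST' gv_rc.

* AUTHORITY-CHECK only sets sy-subrc. It never stops the program, so
* the calling code has to evaluate the return code and deny access.
FORM report_result USING iv_object TYPE clike
                         iv_subrc  TYPE sy-subrc.
  CASE iv_subrc.
    WHEN 0.
      WRITE: / iv_object, 'check passed'.
    WHEN 4.
      WRITE: / iv_object, 'object assigned, but field values do not match'.
    WHEN 12.
      WRITE: / iv_object, 'object not in the user master record'.
    WHEN OTHERS.
      WRITE: / iv_object, 'check failed, sy-subrc =', iv_subrc.
  ENDCASE.
ENDFORM.
```

After a failed check, transaction SU53 shows the object and field values that were tested for the current user.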

Answer:
Quote:
(if u have been assigned profile SAP_ALL then u have full rights in the system)

Technically, this statement is incorrect.

SAP has built in some special booby-traps so that Basis people who "cannot work without SAP_ALL" think that they have all authorizations for the SAP system, but in actual fact they don't.

Tarr

Answer:
dear tarr,
what you are telling may be wrong. sap has shipped the role sap_all for the complete authorization, but you even have other role sap_new which is for newly developed objects.

so when u say sap_all this is authorization for all sap objects

Answer:
Hi,

I agree with y_s_80.

However, Tarr, if you have any knowledge which profile makes people seem that they are working with full rights but not actually, then please tell me.

And if this is the case with SAP_ALL, then, you tell how and what?

Awaiting your reply...
_________________
Suril

A conclusion is simply the place where you got tired of thinking.

Answer:
Quote:
dear tarr,
what you are telling may be wrong. sap has shipped the role sap_all for the complete authorization, but you even have other role sap_new which is for newly developed objects.

so when u say sap_all this is authorization for all sap objects

Tarr is correct, I can't remember where they are but I have read about specific checks in some code which require more than SAP_ALL/SAP_NEW. IIRC an example is hardcoded checks for SY-UNAME=SAP* or user group SUPER. There are more but I forget them at the moment.

Answer:
Quote:
Hi,

Yes Guest, u are correct that not all Security persons are Basis folk!!
When did I oppose??!!!!

hmmm.. perhaps before you edited your post:

Last edited by suril2031 on Mon Jun 06, 2005 7:27 am; edited 1 time in total
_________________
SapFans Moderator
NetWeaver ‘04–SAP Web AS for ORACLE certified

Answer:
Oh...

Snowy, why do you want to let me down everywhere..
It's ok till the General Discussion, please don't extend it everywhere..

However..
You are the moderator, you can see what was there before I edited it.
_________________
Suril

Answer:
Quote:
Oh...

Snowy, why do you want to let me down everywhere..
It's ok till the General Discussion, please don't extend it everywhere..

However..
You are the moderator, you can see what was there before I edited it.

Snowy was just pointing out that you addressed Basis people & changed your mind after denying it! It is nothing personal on his part. Security is much more than a Basis add-on if you want to do it properly, you will soon see when you are not so new to security.