https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140810#M1620253 <HTML><HEAD></HEAD><BODY><P>Hi Ashish,</P><P></P><P>Yes, He will get the merged Authorizations for his access !</P><P></P><P>During authorization check, Authorization fields are always checked in an AND relationship for each authorization object instance within role(s).</P><P>Regards,</P><P>Raichand</P></BODY></HTML> Fri, 16 Sep 2011 18:06:14 GMT Former Member 2011-09-16T18:06:14Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140808#M1620251 <HTML><HEAD></HEAD><BODY><P>Hello friends,</P><P></P><P>I have a question..(may be silly one <SPAN __jive_emoticon_name="grin"></SPAN>)</P><P></P><P>If i have a auth object say S_DATASET available in 2 roles with different values.</P><P></P><P>S_DATASET</P><P>Activity 33, 34 ACTVT</P><P>Physical file name /transfer/C11/order/aus FILENAME</P><P>Program Name with Search Help * PROGRAM</P><P></P><P>S_DATASET</P><P>Activity 33, 34, A6, A7 ACTVT</P><P>Physical file name * FILENAME</P><P>Program Name with Search Help ZP1, ZP2, ZP3 PROGRAM</P><P></P><P>Now what happens when both roles are assigned to a single user. Does he get S_DATASET with activity merged ?? means will he have auth lieke this :</P><P>S_DATASET</P><P>Activity 33, 34, A6, A7 ACTVT</P><P>Physical file name * FILENAME</P><P>Program Name with Search Help * PROGRAM</P><P></P><P>thanks</P><P>ashish</P></BODY></HTML> Fri, 16 Sep 2011 12:45:22 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140808#M1620251 Former Member 2011-09-16T12:45:22Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140809#M1620252 <HTML><HEAD></HEAD><BODY><P>Nope, authorizations do not merge.</P></BODY></HTML> Fri, 16 Sep 2011 13:03:25 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140809#M1620252 jurjen_heeck 2011-09-16T13:03:25Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140810#M1620253 <HTML><HEAD></HEAD><BODY><P>Hi Ashish,</P><P></P><P>Yes, He will get the merged Authorizations for his access !</P><P></P><P>During authorization check, Authorization fields are always checked in an AND relationship for each authorization object instance within role(s).</P><P>Regards,</P><P>Raichand</P></BODY></HTML> Fri, 16 Sep 2011 18:06:14 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140810#M1620253 Former Member 2011-09-16T18:06:14Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140811#M1620254 <HTML><HEAD></HEAD><BODY><P>From an academic perspective they could however be merged by program ZP1, ZP2 or ZP3 using actvt A7, because this permits operating system commands to any file system location. At the operating system level you could then do almost anything (such as merging the two roles into one in a transport request, adding it to the tp buffer and importing it).</P><P></P><P>Your first priorities should be to restrict the program name and the A* actvties and maintain su24 with the; then restrict / validate what the programs are capable of doing.</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Fri, 16 Sep 2011 18:10:35 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140811#M1620254 Former Member 2011-09-16T18:10:35Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140812#M1620255 <HTML><HEAD></HEAD><BODY><P>thanks for reply.</P><P></P><P>Edited by: ashish vikas on Sep 16, 2011 8:12 PM</P></BODY></HTML> Fri, 16 Sep 2011 18:11:47 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140812#M1620255 Former Member 2011-09-16T18:11:47Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140813#M1620256 <HTML><HEAD></HEAD><BODY><P>Jurjen Heeck is correct, but Actvt A7 with program * is critical for the operating system. Not a good idea and seldom needed.</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Fri, 16 Sep 2011 18:17:33 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140813#M1620256 Former Member 2011-09-16T18:17:33Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140814#M1620257 <HTML><HEAD></HEAD><BODY><P>Hi Julius,</P><P></P><P>but in Role 2, I am not giving * for Program. it has only 3 programs ZP1, ZP2, ZP3 with Activity A7.</P><P></P><P>thanks</P><P>ashish</P></BODY></HTML> Fri, 16 Sep 2011 18:22:42 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140814#M1620257 Former Member 2011-09-16T18:22:42Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140815#M1620258 <HTML><HEAD></HEAD><BODY><P>Yes you are correct, but it does depend on what those 3 programs do and which import parameters / selection screens they have. </P><P></P><P>Why do you want to put * into the program name of the first role though?</P><P></P><P>Can the user create a file in the order directory with the name permitted, then use ZP1 to move it to a different directory and rename it and execute it?</P><P></P><P>The mix seems suspect to me because of the combined access from building roles using different techniques, but they are not merged!</P><P></P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Fri, 16 Sep 2011 18:33:18 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140815#M1620258 Former Member 2011-09-16T18:33:18Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140816#M1620259 <HTML><HEAD></HEAD><BODY><P>Wait, to be clear....</P><P></P><P>The reason why "auths don't merge" in OP's case... is because ACTVT, FILENAME, and PROGRAM are unique in the two profiles, correct? But if the situation was like below instead, then you could think about it as "auths merging" even though technically that doesn't happen.</P><P></P><P>so if it was:</P><P></P><P>S_DATASET</P><P>Activity 33, 34 ACTVT</P><P>Physical file name /transfer/C11/order/aus FILENAME</P><P>Program Name with Search Help ZP1, ZP2, ZP3 PROGRAM</P><P></P><P>S_DATASET</P><P>Activity 33, 34 ACTVT</P><P>Physical file name * FILENAME</P><P>Program Name with Search Help ZP1, ZP2, ZP3 PROGRAM</P><P></P><P>Then the FILENAME restriction from 1st role would be ignored because of the * in the 2nd role. But if we added ACTVT A6 to the 1st role, then this role would not be overriden the 2en, because the auths don't match, meaning in this case, the user would have ACTVT A6 for filename transfer/C11/order/aus and nothing else. Correct?</P></BODY></HTML> Fri, 30 Sep 2011 19:02:33 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140816#M1620259 Former Member 2011-09-30T19:02:33Z https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140817#M1620260 <HTML><HEAD></HEAD><BODY><P>Having added A6 would have kept the merge appart, but that is no reason to keep the merge appart from a cosmetic perspective. The access is the same if all other fields are identical.</P><P></P><P>I sometimes use "banana" values to avoid merging so that I can later keep them appart. But this is only because there is not unmerge function to split them appart again.</P><P></P><P>Yes, you could achieve actvt A6 for the first authorization's other fields by adding it first, but if A6 is not needed then it would add not value...</P><P></P><P>--&gt; ZP1, ZP2 etc will anyway read and write to /TRANSFER/C11/... etc and does not need A6.</P><P></P><P>But okay, they are two seperate authorization instances assigned to the same user and they look different.... if that is your goal <SPAN __jive_emoticon_name="wink"></SPAN></P><P></P><P>Using transaction FILE and SPTH you could however achieve more granularity (beyond the "file name"),</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Fri, 30 Sep 2011 22:37:05 GMT https://community.sap.com/t5/application-development-and-automation-discussions/authorization-object-s-dataset/m-p/8140817#M1620260 Former Member 2011-09-30T22:37:05Z