https://community.sap.com/t5/application-development-and-automation-discussions/sap-security-user-buffer-behavior/m-p/742741#M35524 <P>These are 2 separate instances of S_TABU_DIS and would not merge</P> Fri, 26 Oct 2018 17:34:50 GMT sri_g4 2018-10-26T17:34:50Z https://community.sap.com/t5/application-development-and-automation-discussions/sap-security-user-buffer-behavior/m-p/742739#M35522 <P>I am trying to determine what auth object values will be checked for a user with multiple roles and authorizations assigned to them. I have an example below;</P> <P>User JDOE has the following example access roles and authorizations.</P> <P><STRONG>Role 1:</STRONG></P> <P>T-Code: SM30</P> <P>Auth Object: S_TABU_DIS</P> <P>Activity: 02</P> <P>Auth Group: ABC</P> <P><STRONG>Role 2:</STRONG></P> <P>T-Code: SM30</P> <P>Auth Object: S_TABU_DIS</P> <P>Activity: 03</P> <P>Auth Group: *</P> <P><STRONG>Question -</STRONG> When this user JDOE executes SM30, will they have Activity 02 over ALL Auth Groups or just 02 over Auth Group ABC?</P> <P>I would greatly appreciate a response.</P> <P>Thank You!</P> Fri, 12 Oct 2018 23:52:39 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sap-security-user-buffer-behavior/m-p/742739#M35522 former_member993829 2018-10-12T23:52:39Z https://community.sap.com/t5/application-development-and-automation-discussions/sap-security-user-buffer-behavior/m-p/742740#M35523 <P>they will only have ACTVT 02 to the Auth Group ABC. SAP doesn't merge the fields together in the buffer. User buffer does not care which role the authorisation comes from but it does evaluate each authorisations as a whole.</P> Sat, 13 Oct 2018 07:35:54 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sap-security-user-buffer-behavior/m-p/742740#M35523 Colleen 2018-10-13T07:35:54Z https://community.sap.com/t5/application-development-and-automation-discussions/sap-security-user-buffer-behavior/m-p/742741#M35524 <P>These are 2 separate instances of S_TABU_DIS and would not merge</P> Fri, 26 Oct 2018 17:34:50 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sap-security-user-buffer-behavior/m-p/742741#M35524 sri_g4 2018-10-26T17:34:50Z https://community.sap.com/t5/application-development-and-automation-discussions/sap-security-user-buffer-behavior/m-p/742742#M35525 <P>So it is important to understand, what is meant by 'authorization'. When users/admins talk about authorizations, they often mean something different compared to what the system means....<BR /><BR />Technically speaking (from the codumentation):</P><P>quote</P><P>Entry in the user master record as part of an authorization profile . An authorization consists of fully specified or generic values for the authorization fields of an authorization object. The combination defines which activities a user can use to access which data. Authorizations are generated using the profile generator from role management tool (transaction PFCG) and can also be displayed using transaction code SU03.</P><P>unquote</P><P>Therefore - as Colleen has stated: each assigned 'authorization' is treated seperately and the authority-check checks the assigned authorizations for an object one by one with the values provided in the abap coding, until a positive result is found or all assigned authorizations have been checked w/o success (failed authority-check)</P><P>brgds, Bernhard</P> Tue, 04 Dec 2018 10:55:56 GMT https://community.sap.com/t5/application-development-and-automation-discussions/sap-security-user-buffer-behavior/m-p/742742#M35525 Bernhard_SAP 2018-12-04T10:55:56Z