Community
Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

SAP Security - User Buffer Behavior

Go to solution
former_member993829
Member

‎2018 Oct 13 12:52 AM

0 Likes
2,481

I am trying to determine what auth object values will be checked for a user with multiple roles and authorizations assigned to them. I have an example below;

User JDOE has the following example access roles and authorizations.

Role 1:

T-Code: SM30

Auth Object: S_TABU_DIS

Activity: 02

Auth Group: ABC

Role 2:

T-Code: SM30

Auth Object: S_TABU_DIS

Activity: 03

Auth Group: *

Question - When this user JDOE executes SM30, will they have Activity 02 over ALL Auth Groups or just 02 over Auth Group ABC?

I would greatly appreciate a response.

Thank You!

1 ACCEPTED SOLUTION
Read only

Go to solution
Colleen
Product and Topic Expert
Product and Topic Expert

‎2018 Oct 13 8:35 AM

1,773

they will only have ACTVT 02 to the Auth Group ABC. SAP doesn't merge the fields together in the buffer. User buffer does not care which role the authorisation comes from but it does evaluate each authorisations as a whole.

3 REPLIES 3
Read only

Go to solution
Colleen
Product and Topic Expert
Product and Topic Expert

‎2018 Oct 13 8:35 AM

1,774

they will only have ACTVT 02 to the Auth Group ABC. SAP doesn't merge the fields together in the buffer. User buffer does not care which role the authorisation comes from but it does evaluate each authorisations as a whole.

Read only

Go to solution
Bernhard_SAP
Product and Topic Expert
Product and Topic Expert
In response to Colleen

‎2018 Dec 04 10:55 AM

1,773

So it is important to understand, what is meant by 'authorization'. When users/admins talk about authorizations, they often mean something different compared to what the system means....

Technically speaking (from the codumentation):

quote

Entry in the user master record as part of an authorization profile . An authorization consists of fully specified or generic values for the authorization fields of an authorization object. The combination defines which activities a user can use to access which data. Authorizations are generated using the profile generator from role management tool (transaction PFCG) and can also be displayed using transaction code SU03.

unquote

Therefore - as Colleen has stated: each assigned 'authorization' is treated seperately and the authority-check checks the assigned authorizations for an object one by one with the values provided in the abap coding, until a positive result is found or all assigned authorizations have been checked w/o success (failed authority-check)

brgds, Bernhard

Read only

Go to solution
sri_g4
Explorer

‎2018 Oct 26 6:34 PM

0 Likes
1,773

These are 2 separate instances of S_TABU_DIS and would not merge