2023 Nov 15 1:21 PM
Hi experts,
If you add a transaction in pfcg role, you will get an authorization object list which was from SU22 transaction.
I am wondering which value should be maintained in pfcg role authorization and which should be done in SU22.
As far as I understand, SU22 is a template and pfcg role is a customizing.
I have checked some existing ones, some authorization objects in SU22 were set status with "Check with no values", I think the authorization should be maintained in pfcg role. And some other objects have locked fields, saying they are maintained in org level, I don't quite understand about this.
Can someone explain these for me? Thank you.
Regards,
Eric
2023 Nov 15 7:03 PM
As you can see in the official documentation and in the forum, SU22 is to indicate the authorizations used in any transaction code, which must correspond to what has been done by the developer in that transaction code (whatever it's standard or custom), to help maintaining the authorizations.
As you can see in the official documentation and in the forum, organization level is about the values which are common to many authorizations, like the company code a role is assigned to, etc.
You "don't quite understand about this." No need to repeat what is said in the official documentation and in the forum, what do you understand and what is your question?
2023 Nov 16 1:55 AM
Thank you for the reply. Regarding SU22, in PFCG role you can add a transaction and maintain the authorization, what I am asking for is the difference between authorization objects that maintained in SU22 and PFCG role.
2023 Nov 16 6:16 AM
What you maintain in SU22 = authorizations proposed by default in PFCG when you add a transaction code.
Just try it = fast learning.
2023 Nov 16 6:20 AM
I have tried technically, but I am not clear about what kind of data should be maintained by default (in SU22) and what should be maintained in PFCG role? Could you give an example?
2023 Nov 16 8:44 AM
If you create the transaction code ZTRAN, and in the corresponding program you always do AUTHORITY-CHECK OBJECT 'ZSUSO' ID 'ACTVT' FIELD '01', then you should define in SU22 that ZTRAN has ZSUSO with ACTVT = '01'. You then go to PFCG, create or maintain an existing role, add ZTRAN, you then maintain the authorizations of the role and you'll see that it has proposed ZSUSO with ACTVT = '01'.
2023 Nov 17 4:24 PM
Read first some documentation such as From the Programmed Authorization Check to a Role
Basically the developer provides the administrator the informations required to add the transaction to a role with some default values.