In our Production enviroment, few master data characteristics were made as reportable. And roles were created to restrict all users except one for performing 'Manage' option on these master data characteristics.
But still, few of the users (and not all) are able to 'right-click' on these characterisitics and select 'Manage' option.
I also do not have authorization to do 'Manage'. So I compared my roles with these users (who still can do) and found that they have only couple of extra roles more than mine. But all these extra roles are just reporting roles.
My doubt is, which authorization object lets users to perform 'Manage' activity on master data objects made as reportable.... is it S_RS_IOMAD ?
Confusion is... their IDs also get same message in SU53 as mine... about authorization check failure !!
Any idea... what is still giving them authorization to view/manage master data.