- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- Check Indicator Su24 question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Check Indicator Su24 question
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-20-2019 2:33 PM
Hello, I have completed reading about Check indicators and authority check and have few doubts.
Assume, we have an auth object V_VTP_LKI and a T-code SLU1
1) If Check indicator is Check and Proposal is Yes in su24 for this auth object AND auth object is not present in authority check of SLU1, will the user be able to access the auth object when he runs SLU1? - Still in doubt
2) If Check indicator is Do not Check and Proposal is No in su24 for this auth object AND auth object is present in authority check of SLU1, will the user be able to access the auth object when he runs SLU1? - According to me, any user will be able to access because it will by-pass the auth object
3) If su24 is empty for SLU1 ( no check indicator and no proposal value) AND auth object is not present in authority check of SLU1, will the user be able to access the auth object when he runs SLU1? - Still in doubt
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-21-2019 12:42 AM
Hi Anirudh
As a general rule: if the code does not contain the authority check (ABAP code of HANA DCL pfcg_aspect) then it doesn't matter what SU24 contains
The exception: SU24 containing a do not check status for the object or SU25 globally deactivating the object across the system (this also has exceptions - do not check doesn't apply to services)
So, with this general rule and exceptions:
1) Code has not authority check: SU24 does nothing for this specific transaction. However, you might find SLU1 has additional functions or menu hops where the check is activated. Also, the risk now is PFCG receives the SU24 proposals when it's not needed by SLU1 but another transaction requires it (cross inheritance)
2) Do Not Check will set Proposal automatically to No. Again, the exception: do not check means user will pass the authorisation check even though they don't have the authorisation. Trace STAUTHRACE will show RC=0 even though they aren't authorised
3) Again no code containing the check so SU24 doesn't matter. However, if SU24 is empty and the code contains the check then no entry in SU24 is the same as check with no proposal
SU24 is all about defaulting consistent values to PFCG
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-21-2019 12:42 AM
Hi Anirudh
As a general rule: if the code does not contain the authority check (ABAP code of HANA DCL pfcg_aspect) then it doesn't matter what SU24 contains
The exception: SU24 containing a do not check status for the object or SU25 globally deactivating the object across the system (this also has exceptions - do not check doesn't apply to services)
So, with this general rule and exceptions:
1) Code has not authority check: SU24 does nothing for this specific transaction. However, you might find SLU1 has additional functions or menu hops where the check is activated. Also, the risk now is PFCG receives the SU24 proposals when it's not needed by SLU1 but another transaction requires it (cross inheritance)
2) Do Not Check will set Proposal automatically to No. Again, the exception: do not check means user will pass the authorisation check even though they don't have the authorisation. Trace STAUTHRACE will show RC=0 even though they aren't authorised
3) Again no code containing the check so SU24 doesn't matter. However, if SU24 is empty and the code contains the check then no entry in SU24 is the same as check with no proposal
SU24 is all about defaulting consistent values to PFCG
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-21-2019 5:48 PM
Thanks Colleen for the details answers.
I have understood it completely now and can make others explain too. God bless you
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-21-2019 6:07 PM
Also, you mean that 'Do not check' in su24 will give the same result as 'If the ABAP code doesnot contain authority check' ??? because both are basically not checking anything in code..so the user can access all the data which SLU1 tcode is meant to display.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-21-2019 8:13 PM
yes - do not check means no specific authority check on that authorisation object for that transaction content. If the user goes to another transaction (e.g. SLU2 - if that exists) which contains the object V_VTP_LKI then and SLU2 has a check status the user will require the object
I rarely find the need to switch an object to status of do not check - normally existing SAP standard proposals are the ones
It's usually as multiple transaction codes touch upon the same code. Authority check is require normally but a do not check is an exception where you need the user to have access without granting the authorisation
- SAP Managed Tags:
- Security
