Manual addition of Authorization object in pfcg

bimal_nayak
Discoverer
0 Kudos

What is the use of maintaining the authorization object in SU24 rather than in PFCG? As we are adding the missing authorization objects manually in PFCG, what is the need of maintaining that in SU24? And if we delete a tcode from the role after adding an authorization object to the role, what will be the impact of the authorization object on the role from a security perspective? Please answer, it's urgent.

Benefits of SU24

- If you reuse/add the same transaction in another role, you will have to remember and add all the objects again in the new role. And if you don't, there will be more UAT failures. If you update it through SU24, your authorization object for that tcode automatically becomes consistent across all the roles (upon role menu update or expert mode). Thus, fewer or no UAT failures.

- It helps in Risk analysis in GRC simulation.

If we delete, say, tcode 1 from the role, then the corresponding auth object/field values will be removed from the role. If some other tcode, say tcode 2, for which SU24 is not updated, is also using the same auth object/field value, then that user will not be able to use tcode 2, as it will not have the object/value that was removed because of tcode 1.

Accepted Solutions (0)

Answers (1)

bimal_nayak
Discoverer
0 Kudos

If I maintain an additional authorization object in SU24 for a certain t-code, then the t-code will be updated throughout the system with the added authorization objects, but it can be a risk for all the roles that are associated with that particular t-code, isn't it?

If we maintain that authorization object in PFCG, then it will only affect the role, not the whole system. If we delete the t-code in the role, then the added authorization object will still be available in the role; in that case, what should we do? It's not possible to remember all the authorization objects that we have added manually, because we are deleting the t-code in the role, not the object associated with the role. So what should a security consultant do in this particular type of case?