Former Member

Authorizations: Dynamic roles

Hello everybody,

We are going to migrate our authorizations from the 3.x concept to BI-7.

With the new concept we are compelled to respect certain requirements, such as including in the single user profile every InfoObject “AuthorizationRelevant” (those that are also built into the InfoProvider, intended for future analysis).

- Certain users had only one dynamic role. In such a case we are able to restrict for instance:

o 0CO_AREA = a value;

o every other InfoObject “AuthorizationRelevant” = “*” (every single value)

- Certain users had two or more dynamic roles; in such a case we are supposed to:

o ROLE 1: 0CO_AREA = a value; every other InfoObject “AuthorizationRelevant”, for instance 0COMP_CODE = “*” (every single value)

o ROLE 2: 0COMP_CODE = a value; every other InfoObject “AuthorizationRelevant”, for instance 0CO_AREA = “*” (every single value)

In this particular case though we expect that the system will ignore our restrictions because it is adding the two roles in fact:

ROLE 1 is set: 0CO_AREA = a value;

ROLE 2 is set: 0CO_AREA = “*”.

Based on what we just described above, here are our questions:

1. Does a symbol exist (for instance “:” “>”) that we can assign to every InfoObject “AuthorizationRelevant” in order to cheat the system, making it understand that it is there but not relevant for the authorizations (instead of using “*”)?

2. If not, can you please suggest another way to cope with the problem of a user having more dynamic roles assigned?

Thank you very much

Matteo Mariniello


3 Answers

  • Former Member
    Posted on Mar 02, 2007 at 06:49 AM

    Hi,

    you can use 0BIL_ALL in a role (S_RS_AUTH) to allow authorisation for all IO authorization relevant.


  • Former Member
    Posted on Mar 02, 2007 at 06:50 AM

    Hi,

    you can use 0BIL_ALL in a role (S_RS_AUTH) to allow authorisation for all IO authorization relevant.

    Hope it helps


    • Former Member

      Hello,

      I don't have a solution, but I think I understood Matteo's goal, which is not at all to authorize users to do anything they want to.

      He wants to restrict certain tasks, but when a user has two or more dynamic roles, the addition of them makes the restriction useless.

      As he said

      Dynamic Role 1)

      0CO_AREA = a value

      0COMP_CODE= *

      Dynamic Role 2)

      0CO_AREA = *

      0COMP_CODE= A VALUE

      Therefore, the addition of them for ONE user is going to make the restrictions

      0CO_AREA = a value

      0COMP_CODE= a value

      USELESS!!

      Take Care

      Domenico

  • Former Member
    Posted on Mar 02, 2007 at 10:16 AM

    Domenico,

    You've got it!

    Basically, I am forced to use two roles for a user and the restrictions are symmetrically opposite. As a matter of fact, the addition of them makes the restrictions useless because the "*" is always winning!

    Matteo
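
The merge discussed in this thread, as an added example that is not part of the original posts and is not SAP code: a simplified Python model of a value-wise union of two roles, plus a check that flags characteristics one role restricts while another grants "*". The values 1000/2000 and C100/C200 are constructed, and the function names are hypothetical; the model assumes roles combine per characteristic, as the posters describe.

```python
from itertools import product

WILDCARD = "*"

# Constructed sample: the two dynamic roles from the thread, with made-up values.
ROLE_1 = {"0CO_AREA": {"1000"}, "0COMP_CODE": {WILDCARD}}
ROLE_2 = {"0CO_AREA": {WILDCARD}, "0COMP_CODE": {"C100"}}

# Constructed data rows: every combination of two areas and two company codes.
RECORDS = [{"0CO_AREA": a, "0COMP_CODE": c}
           for a, c in product(["1000", "2000"], ["C100", "C200"])]

def merge_fieldwise(roles):
    """Union the allowed values of each characteristic across all roles."""
    merged = {}
    for role in roles:
        for char, values in role.items():
            merged.setdefault(char, set()).update(values)
    return merged

def intended_restriction(roles):
    """The outcome the poster wanted: a specific value in any role beats '*'."""
    merged = merge_fieldwise(roles)
    return {c: (v - {WILDCARD}) or {WILDCARD} for c, v in merged.items()}

def allows(auth, record):
    """True if every characteristic value of the record is covered by auth."""
    return all(WILDCARD in auth[c] or v in auth[c] for c, v in record.items())

def readable_records(auth, records):
    """Rows of the sample data that the given authorization exposes."""
    return [r for r in records if allows(auth, r)]

def collapsed_restrictions(roles):
    """Characteristics that one role restricts while another role grants '*'."""
    findings = []
    for char in sorted({c for r in roles for c in r}):
        vals = [r.get(char, set()) for r in roles]
        if any(WILDCARD in v for v in vals) and any(v and WILDCARD not in v for v in vals):
            findings.append(char)
    return findings

if __name__ == "__main__":
    roles = [ROLE_1, ROLE_2]
    print("merged:", merge_fieldwise(roles))
    print("rows readable after merge:", len(readable_records(merge_fieldwise(roles), RECORDS)))
    print("rows readable as intended:", readable_records(intended_restriction(roles), RECORDS))
    print("collapsed characteristics:", collapsed_restrictions(roles))
```

Running `collapsed_restrictions` over each user's assigned roles before a migration shows which restrictions would be neutralised by a wildcard in a sibling role.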

