Former Member
Apr 10, 2007 at 11:07 AM

How SAP evaluates an authorization object with several instances


Hi,

I would like to know how SAP evaluates authorizations when the user has several instances of the same authorization object (in my case P_ORGIN) with different values.

For example: I need users with this role to have access only to infotypes 0001, 0002 and 0006, and only for those employees of personnel area "PA01".

So I add two instances of the P_ORGIN object, one filling the "personnel area" field with the value "PA01" and the other filling the "Infotypes" field with the values "0001, 0002 and 0006". The other fields are filled with '*'.

But with this configuration, I have access to all infotypes of employees in area "PA01" and access to all employees in the system for infotypes "0001, 0002, 0006".

I know that the best way to solve my problem is merging the two instances into one. But what I would like to know is how SAP evaluates authorization objects, because if I try to access infotype 0002 for an employee of area "PA02", it's OK for the second instance of the authorization object but not for the first instance (because the user doesn't have access to personnel area PA02).

I believed that SAP joins all instances and creates a new, more restrictive instance (in my case the join of the two instances would result in access to infotypes 0001, 0002 and 0006 but only for employees of area PA01), but how does SAP actually deal with this kind of situation?

Thanks in advance.
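
The behaviour observed in the question matches a check that passes as soon as any single instance of the object satisfies every checked field: AND across the fields of one instance, OR across instances. The Python model below is an added example, not part of the original post and not SAP code; PERSA and INFTY stand for P_ORGIN's personnel area and infotype fields, all other fields are assumed to hold '*', and infotype 0008 is a constructed sample value.

```python
# Simplified model of an authorization check (illustration only, not SAP code).
# Only two P_ORGIN fields are modelled; all others are assumed to hold '*'.
WILDCARD = "*"

def field_matches(allowed, value):
    """A field passes if it holds '*' or lists the requested value."""
    return WILDCARD in allowed or value in allowed

def instance_allows(instance, request):
    """Inside one instance every checked field must pass (logical AND)."""
    return all(field_matches(instance[name], value)
               for name, value in request.items())

def user_allows(instances, request):
    """Across instances a single passing instance is enough (logical OR)."""
    return any(instance_allows(inst, request) for inst in instances)

# Constructed role data mirroring the post: two separate instances ...
SPLIT_ROLE = [
    {"PERSA": {"PA01"}, "INFTY": {WILDCARD}},
    {"PERSA": {WILDCARD}, "INFTY": {"0001", "0002", "0006"}},
]
# ... versus one instance that restricts both fields at once.
MERGED_ROLE = [
    {"PERSA": {"PA01"}, "INFTY": {"0001", "0002", "0006"}},
]

def granted(instances, areas, infotypes):
    """Return the set of (area, infotype) pairs the role lets through."""
    return {(a, i) for a in areas for i in infotypes
            if user_allows(instances, {"PERSA": a, "INFTY": i})}

if __name__ == "__main__":
    areas = ["PA01", "PA02"]        # PA02 is the other area named in the post
    infotypes = ["0002", "0008"]    # 0008 is a constructed "not intended" infotype
    for label, role in (("split", SPLIT_ROLE), ("merged", MERGED_ROLE)):
        print(label, sorted(granted(role, areas, infotypes)))
```

Only the merged instance limits the role to the intersection; the split role grants the union of what each instance allows.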