- SAP Community
- Groups
- Interest Groups
- Application Development
- Discussions
- Order of authorization check within a program
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Order of authorization check within a program
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-01-2008 12:41 PM
The following scenario is observed in ECC5.0 only.
The user is executing SNUM for maintaining number range for an object and is facing an authorization issue under the following circumstances:
1) Value ' ' maintained for object S_NUMBER field NROBJ in one role and * for the same object/field in another single role within the composite
2) Only Value ' ' maintained for object S_NUMBER field NROBJ in one role
3) Within a single role if Value ' ' maintained for object S_NUMBER field NROBJ is maintained first and same object with value * maintained second.
The authorization check is OK if:
1) Only * is maintained as value for NROBJ
2) Within a single role if Value * maintained for object S_NUMBER field NROBJ is maintained first and same object with value ' ' maintained second.
Is there some order in which the check is being carried out, Is it a bug in the standard program as this is observed only in ECC5.0.
We have checked the same in ECC6.0 and R/3 4.7 and there is no such issue.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-01-2008 4:09 PM
I would first check whether you really need to enter the ' ' at all, considering that it is accompanied by a * anyway...
So the problem is observed when in the same role, the object field has 2 manual entries and the first of these is ' '. In the opposite order, the ' ' does not matter as the check will be satisfied by the * already. Is that correct?
Try enter space twice between the apostrophe's, like '<space><space>'?
Does it then reach the * and pass an authority-check?
Cheers,
Julius
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-01-2008 4:09 PM
I would first check whether you really need to enter the ' ' at all, considering that it is accompanied by a * anyway...
So the problem is observed when in the same role, the object field has 2 manual entries and the first of these is ' '. In the opposite order, the ' ' does not matter as the check will be satisfied by the * already. Is that correct?
Try enter space twice between the apostrophe's, like '<space><space>'?
Does it then reach the * and pass an authority-check?
Cheers,
Julius
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-02-2008 6:26 AM
Hi Julius,
I am not sure if there can be any problem in removing the ' '. But the problem is that this is an technical role for customizer and is maintained in a composite format across all system landscapes. Any change would mean we have to replicate it across the landscape which is not appreciated by the client.
And yes you are right if the ' ' is mantained first and * second manually in the role it does not consider *
We also have tried your suggesting by giving 2 spaces between ' ' but the result is the same.
Most astonishing part is that this same role is used across all systems comprising of 4.6C, 5.0 & 6.0 but the problem is faced only in release 5.0.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-02-2008 7:38 AM
Hi Subramaniam,
If this sequence of the values is in one single role, and is causing problems when the user does not have stronger access from another single role, then either change just this one role (no need to touch the composite role nor the user assignment as a composite does not have any authorization data itself)...
or
Give in to the temptation to create a tiny little single role with just this object in it with the correct sequence and add it to the composite which the other problematic role is in. Of course this is ugly and someone else down the line might hate you for it, but it does work....
> Most astonishing part is that this same role is used across all systems comprising of 4.6C, 5.0 & 6.0 but the problem is faced only in release 5.0.
Is there anything different about this ECC 5.0 system or recently changed? Perhaps Unicode enablement?
What happens which you enter a normal ASCII character between the ' ' like 'A' or '1'?
I think I can get hold of such a system and will take a look later.
Cheers,
Julius
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
12-02-2008 8:33 AM
Hi Julius,
Thats what we have done now is to create a single tiny role with the object and assigned it to the user directly without disturbing the composite role as we are very strict about maintaining the role integrity across the system landscape.
We could do this now since the user is using the transaction for testing purpose in the quality system. Once he wants the changes to be done in the production system, we guess we would have to make changes to the role directly and we would have no other option left.
We have put across a request to the client for changing the role and are awaiting approvals.
- SAP Managed Tags:
- Security
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-08-2011 1:13 PM
