Former Member

Authorization Object Clarification

Hi guys,

I have two questions regarding Authorization objects. My first question is, why can't we execute any transaction if we have access to all the authorization objects that are linked to those t-codes, for example:

(SA38 or SE38) bringing S_DEVELOP, S_DATASET, and S_PROGRAM: if I assign all these authorization objects into the role manually I still don't have access to SA38 or SE38. So how come we always say everything is controlled by authorization objects? We always need T-codes in the role either by menu or manually. Is that true?

My second question:

We always say don't assign S_DEVELOP in Production, but we need to assign one general role which should have SU53, and by SAP standard SU53 brings the S_DEVELOP authorization object, which is very dangerous for Production. How come the SAP standard conflicts with the rule not to assign S_DEVELOP in Production?

Please kindly give your feedback and thoughts

Thanks

Faisal

Edited by: Faisal on Aug 6, 2009 3:39 PM

3 Answers

  • Best Answer
    Former Member
    Aug 06, 2009 at 01:42 PM

    > (SA38 or SE38) bringing S_DEVELOP, S_DATASET, and S_PROGRAM: if I assign all these authorization objects into the role manually I still don't have access to SA38 or SE38. So how come we always say everything is controlled by authorization objects? We always need T-codes in the role either by menu or manually. Is that true?

    Yes, the S_TCODE check is the first line of defense. This check is done for every transaction start and cannot be switched off.

    > We always say don't assign S_DEVELOP in Production, but we need to assign one general role which should have SU53, and by SAP standard SU53 brings the S_DEVELOP authorization object, which is very dangerous for Production. How come the SAP standard conflicts with the rule not to assign S_DEVELOP in Production?

    SU53 does not need S_DEVELOP for its normal use.


    • Former Member

      Yes, I would ask the basis team who did the installation about why SU25 steps are not run and why there are these non-standard values in SU22.

      Good luck,

      Julius

  • Former Member
    Aug 06, 2009 at 02:15 PM

    Adding few points with Jurjen:

    > I have two questions regarding Authorization objects. My first question is, why can't we execute any transaction if we have access to all the authorization objects that are linked to those t-codes, for example:
    >
    > (SA38 or SE38) bringing S_DEVELOP, S_DATASET, and S_PROGRAM: if I assign all these authorization objects into the role manually I still don't have access to SA38 or SE38. So how come we always say everything is controlled by authorization objects? We always need T-codes in the role either by menu or manually. Is that true?

    The series of Checks while you are trying to execute some TCode/Report is like below:

    1. Check whether the TCode exists in the system tables (TSTC, TSTCT, TSTCA, TSTCP etc.). If this check fails, you will get an error message and the system will not go on to further checks, i.e. authorization checks against the available authorization instances in the user's buffer content.

    2. The first level of Authorization check for any TCode is done against the Object S_TCode.

    3. After passing through the point 2, the authorization checks for other Objects take place with an AND operator.

    > My second question:
    >
    > We always say don't assign S_DEVELOP in Production, but we need to assign one general role which should have SU53, and by SAP standard SU53 brings the S_DEVELOP authorization object, which is very dangerous for Production. How come the SAP standard conflicts with the rule not to assign S_DEVELOP in Production?
    >
    > Please kindly give your feedback and thoughts

    SU53 doesn't require S_DEVELOP for any user action. Please go through the documentation of S_DEVELOP and available notes to understand the necessity of these critical objects.

    Regards,

    Dipanjan
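
The three-step check sequence from the answer above, modelled in Python as an added example that is not part of the original post and is not SAP code. The table contents, the per-transaction object checks and the user buffers are constructed, simplified sample data.

```python
# Simplified model of the transaction-start checks listed in the answer above.
# Table contents and user buffers are constructed sample data, not SAP defaults.
TSTC = {"SA38", "SE38", "SU53"}  # step 1: known transaction codes

# Step 3: object checks made after S_TCODE (constructed, simplified values).
REQUIRED = {
    "SA38": [("S_PROGRAM", {"P_ACTION": "SUBMIT"})],
    "SE38": [("S_DEVELOP", {"OBJTYPE": "PROG", "ACTVT": "03"})],
    "SU53": [],  # no S_DEVELOP for normal use, per the answers
}

def field_ok(granted, wanted):
    """A granted value matches if it is '*', equal, or a prefix pattern like 'SU*'."""
    for g in granted:
        if g == "*" or g == wanted:
            return True
        if g.endswith("*") and wanted.startswith(g[:-1]):
            return True
    return False

def authority_check(buffer, obj, fields):
    """Pass if ONE authorization of the object satisfies ALL checked fields."""
    return any(
        a_obj == obj and all(field_ok(a_fields.get(f, []), v) for f, v in fields.items())
        for a_obj, a_fields in buffer
    )

def start_transaction(buffer, tcode):
    if tcode not in TSTC:                                        # step 1
        return "unknown transaction"
    if not authority_check(buffer, "S_TCODE", {"TCD": tcode}):   # step 2
        return "denied: S_TCODE"
    for obj, fields in REQUIRED[tcode]:                          # step 3 (AND)
        if not authority_check(buffer, obj, fields):
            return f"denied: {obj}"
    return "started"

ALL = ["*"]
# The role from the question: every object, but no S_TCODE entry.
OBJECTS_ONLY = [
    ("S_DEVELOP", {"DEVCLASS": ALL, "OBJTYPE": ALL, "OBJNAME": ALL, "P_GROUP": ALL, "ACTVT": ALL}),
    ("S_DATASET", {"PROGRAM": ALL, "ACTVT": ALL, "FILENAME": ALL}),
    ("S_PROGRAM", {"P_GROUP": ALL, "P_ACTION": ALL}),
]
TCODE_ONLY = [("S_TCODE", {"TCD": ["SA38"]})]

if __name__ == "__main__":
    for name, buf in [("objects only", OBJECTS_ONLY), ("tcode only", TCODE_ONLY),
                      ("both", OBJECTS_ONLY + TCODE_ONLY)]:
        print(name, "->", start_transaction(buf, "SA38"))
```
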


  • Former Member
    Aug 06, 2009 at 09:14 PM

    I think we need S_DEVELOP (03) on SUSO to look at the details of the Auth. object in the error message. SAP Note: 968915.


    • Former Member

      2nd attempt... 😊

      Hi Keerti,

      No problem with "Bussche". Some people just say "Hey, you!!" to me... 😊

      I agree that the Check flag is correct (the transaction has the capability) but the "Proposal = YES" is illogical and even stupid.

      It is not included in the standard system SU22 (except for Faisal's...) and does not make any sense to me if it did.

      The navigation from SU53 is checking DUMMY values for the fields of S_DEVELOP (other than ACTVT and OBJTYPE).

      Okay, one could maintain all the package names, program names, etc but that is not included either, which encourages authorizations with "Changed" status.

      This is in my opinion worse than "Manually" and would cause hundreds of "Inactive" authorizations as the SU53 user should obtain their S_DEVELOP access from somewhere else to be able to use this navigation....

      ... or cause a big mess for all users, as we have seen here.

      Cheers,

      Julius