04-09-2011 8:57 AM
Hi
In PFCG I would like to set up intervals for e.g. S_DEVELOP, like A-B, D-Z
In order to make sure that I cover special characters and numbers, I would like to know how they are handled.
Does / come before A, does _ come after Z or how is it? What about numbers? What is the "first" and the "last" special character?
Hope you understand my question. Can anyone help please?
Kind regards
Morten Ellgaard
04-09-2011 11:24 AM
Hello Morten,
Please check SAP note 136647, especially this paragraph:
"If an authorization value contains other characters after an asterisk, the kernel ignores these characters during the authorization check. For example: The value AB is actually interpreted as A*."
So I'm afraid this approach is not valid.
Regards,
Désiré
04-10-2011 9:21 AM
Avoid ranges, as you will always have the risk of not knowing what is or will be included into the interval.
Masking the name with a wildcard is slightly better.
Anyway, if you enter an invalid range into the interval, PFCG will complain. It follows the ASCII character set so some special characters are at the beginning, others are in the middle (numeric operators such as += etc) and others at the end (such as curly brackets).
Note that a few special fields are case sensitive, such as the rfcdest name, so these are also separate and have special characters between them and the upper case characters.
Lots of room for mistakes in these intervals...
Rather avoid it!
Cheers,
Julius
04-10-2011 7:01 PM
Thanks for your replies.
I would like to avoid intervals, but when e.g. creating a role for an emergency user that is allowed to do almost everything, but not everything, I find it hard to avoid. If I e.g. want to restrict debug-replace, S_DEVELOP should look something like A->DEBUF and DEBUH->Z* but apparently this is not sufficient.
If the authorization follows ASCII then it should actually be !->DEBUF and DEBUH->~. Is that the way to do it or is it sufficient with /->DEBUF and DEBUH->Z?
The question also goes for other objects like e.g. S_TABU_DIS, so I am looking for a standard "formula" for including everything.
Kind regards
Morten Ellgaard
04-10-2011 10:08 PM
This is an understandable use-case on object type as S_DEVELOP is generally taboo and the object types restrict the programmer in their technique.
Ranging around DEBUG is one of the about 600 other object type values and reasonable for excluding (which is well known because of the consequences) from an emergency role.
Solution: I would use the F4 search help to start with and end with what the documented domain value ranges are.
If there are undocumented object types, the syntax should ideally not permit them anyway... so you should be okay using F4 in this case.
Generally... F4 is the best approach, using explicit values.
Cheers,
Julius
04-12-2011 2:23 PM
As Julius pointed out, F4 is the right option. I have only 564 entries in my system. And the only value which is out of number and alphabetical range is $TM.
For S_TABU_DIS, I would recommend to check with the respective application managers if it is okay to display their tables. Sometimes people say only HR data is sensitive. However, there are other confidential data like pricing, etc.
Edited by: Gowrinadh Challagundla on Apr 12, 2011 4:03 PM
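The interval question from this thread, worked through as an added example (not code from any poster or from SAP): it models interval bounds as plain ASCII string comparison, which is an assumption taken from the statement above that PFCG follows the ASCII character set, and it treats a trailing `*` on the upper bound as a prefix wildcard. The object type list is a constructed sample; only `$TM` is the value reported in the thread.

```python
# Model only: ASCII-ordered string comparison is an assumption based on the
# thread, not a reimplementation of the SAP kernel's authorization check.

def ascii_order(chars):
    """Return the characters sorted by ASCII code, lowest first."""
    return "".join(sorted(chars))

def in_interval(value, low, high):
    """True if value lies in [low, high] under ASCII ordering.

    A trailing '*' on high is treated as a prefix wildcard (assumption).
    """
    if high.endswith("*"):
        prefix = high[:-1]
        return value >= low and (value <= prefix or value.startswith(prefix))
    return low <= value <= high

def uncovered(values, intervals):
    """Values that fall outside every interval in the list."""
    return [v for v in values
            if not any(in_interval(v, lo, hi) for lo, hi in intervals)]

# Constructed sample of S_DEVELOP object type values.
OBJECT_TYPES = ["$TM", "DEBUG", "DEVC", "FUGR", "PROG", "TABL"]

# The three interval pairs proposed in the thread.
CANDIDATES = {
    "A-Z*": [("A", "DEBUF"), ("DEBUH", "Z*")],
    "/-Z":  [("/", "DEBUF"), ("DEBUH", "Z")],
    "!-~":  [("!", "DEBUF"), ("DEBUH", "~")],
}

def report():
    """Map each candidate to the sample values it fails to cover."""
    return {name: uncovered(OBJECT_TYPES, ivs)
            for name, ivs in CANDIDATES.items()}

if __name__ == "__main__":
    print("ASCII order:", ascii_order("/_AZ09$~!"))
    for name, missed in report().items():
        print(f"{name:5} not covered: {missed}")
```

Under this model only the `!`/`~` pair excludes DEBUG alone; both narrower pairs also drop `$TM`, because `$` sorts before both `/` and `A`.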