Former Member

weird issue: auth check ignoring asterisk

A user in BW 3.5 is assigned one role that has a few auth objects including S_RS_COMP. He is getting an auth failure that we can see in the ST01 trace. But the role gives all values seen in the ST01 error. The user master is compared, and the role is generated with green status. This user should NOT get an auth failure; he definitely has all values seen in the failure. Here is the weird thing: when I edit the role to remove the asterisk in RSZCOMPTP and replace it with explicit values (OWZ, REP), it works. I can't explain it. If I put it back to *, it fails. Is this a bug? Has anyone else seen something like this?

3 Answers

  • Former Member
    Apr 17, 2012 at 08:27 AM

    Hi,

    Can you please perform an RSSM trace and let us know if you find anything new? You can also check whether the specific values are hard-coded within the ABAP code or not. If yes, then the authorization check will ignore the asterisk (*).

    Regards,

    Dipesh.

    • Former Member Alex Ayers

      Thank you, Alex. It is reassuring to know that a knowledgeable person like yourself has observed something similar. I was tempted to raise an OSS message about it, but since this is BW 3.5 I doubt SAP would give attention to it, especially since I have a "solution".

  • Former Member
    Apr 17, 2012 at 07:32 AM

    Hi,

    I wonder what will happen if you give the user sap_all.

    bye Jan van Roest

  • Former Member
    Apr 21, 2012 at 08:49 PM

    Another possible explanation is that the developer reverse-engineered the check: he first read the values in the authorizations (expecting explicit ones) and then used the authorized values to filter the selected ones and only return that which the user is authorized for.

    The correct way would be to perform an authority-check on what was selected, filter out that which the user is not authorized for (and possibly tell them how many records were not displayed).

    It should authorize on the value * and not go looking for a * in the check table...

    If you still have the trace, then please post the coding (double-click the line item and use the "Go to source" button).

    Cheers,

    Julius

    • Former Member

      Hi,

      I have faced the same kind of issue on an R/3 system while doing an upgrade. What we observed in the same situation: the user had been assigned 2 different roles (say, Role A & Role B), with the same required auth. object present in both roles. In Role A, that auth. object had restricted values, and in Role B the same auth. object had the value "*". In that case, if the user was assigned both roles, the user was facing the missing authorization. When we tried by trial and error, removing Role B with the auth. obj. gave a missing auth error, as there was no required value, and when removing Role A it was working. So we concluded that, on the user buffer itself, the checks are giving priority, to some extent, for the same object with different values from different roles assigned.

      I hope this way it can give you some clue for your workaround.

      Thanks,

      Venkat
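
To make the difference Julius describes concrete (a check that reads the granted values out of the user buffer and compares them literally, versus one that AUTHORITY-CHECKs each selected record), and to show how the two behave on the multi-role buffer Venkat describes, here is a small model written for this thread. It is an added example, not code from any of the posters and not SAP's own authorization code: it only approximates SAP's field matching ('*' as a full wildcard, a trailing '*' as a prefix, otherwise exact; BT ranges are left out). RSZCOMPTP and ACTVT are the S_RS_COMP fields discussed above; every buffer, role and query record below is constructed sample data.

```python
"""Model of why a '*' in RSZCOMPTP can make a reverse-engineered check fail.

Added example for the thread above, not SAP code. The matching rules are an
approximation of SAP's authorization field matching; all data is constructed.
"""

# A user buffer: auth object -> list of authorizations (one per role/profile
# contributing that object). Each authorization maps field -> value patterns.
UserBuffer = dict[str, list[dict[str, list[str]]]]


def value_matches(pattern: str, value: str) -> bool:
    """Approximation of SAP field matching: '*' alone is a full wildcard, a
    trailing '*' is a prefix match, anything else must match exactly.
    (BT ranges are omitted in this model.)"""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def authority_check(buffer: UserBuffer, obj: str, **fields: str) -> bool:
    """AUTHORITY-CHECK semantics: succeed if at least ONE authorization for
    `obj` satisfies EVERY requested field. A '*' in RSZCOMPTP therefore covers
    REP, OWZ and any other component type."""
    for auth in buffer.get(obj, []):
        if all(any(value_matches(p, v) for p in auth.get(f, []))
               for f, v in fields.items()):
            return True
    return False


def filter_with_authority_check(buffer: UserBuffer,
                                components: list[dict]) -> tuple[list[dict], int]:
    """Julius's recommended approach: select first, then check each record and
    drop those the user may not display, reporting how many were hidden."""
    allowed = [c for c in components
               if authority_check(buffer, "S_RS_COMP",
                                  RSZCOMPTP=c["comptype"], ACTVT="03")]
    return allowed, len(components) - len(allowed)


def filter_with_buffer_values(buffer: UserBuffer,
                              components: list[dict]) -> list[dict]:
    """The reverse-engineered approach: read the values granted for RSZCOMPTP
    out of the buffer and use them as a literal allow-list. A granted '*'
    never string-equals 'REP', so a user with full authorization sees nothing,
    which matches the symptom in the question."""
    granted = {v for auth in buffer.get("S_RS_COMP", [])
               for v in auth.get("RSZCOMPTP", [])}
    return [c for c in components if c["comptype"] in granted]


# Constructed sample query components (compid values are made up).
COMPONENTS = [
    {"compid": "ZQ_SALES_01", "comptype": "REP"},
    {"compid": "ZQ_SALES_02", "comptype": "REP"},
    {"compid": "ZW_SALES_01", "comptype": "OWZ"},
    {"compid": "ZK_MARGIN", "comptype": "CKF"},
]

# One role granting RSZCOMPTP = '*' (the questioner's original, failing role).
BUFFER_STAR: UserBuffer = {
    "S_RS_COMP": [{"RSZCOMPTP": ["*"], "ACTVT": ["03", "16"]}]}

# The same role with explicit values (the questioner's workaround).
BUFFER_EXPLICIT: UserBuffer = {
    "S_RS_COMP": [{"RSZCOMPTP": ["OWZ", "REP"], "ACTVT": ["03", "16"]}]}

# Two roles, as in Venkat's case: Role A restricted to REP, Role B granting '*'.
BUFFER_TWO_ROLES: UserBuffer = {"S_RS_COMP": [
    {"RSZCOMPTP": ["REP"], "ACTVT": ["03"]},        # Role A
    {"RSZCOMPTP": ["*"], "ACTVT": ["03", "16"]},    # Role B
]}

if __name__ == "__main__":
    cases = [("star", BUFFER_STAR), ("explicit", BUFFER_EXPLICIT),
             ("two roles", BUFFER_TWO_ROLES)]
    for name, buf in cases:
        ok, hidden = filter_with_authority_check(buf, COMPONENTS)
        bad = filter_with_buffer_values(buf, COMPONENTS)
        print(f"{name:10s} AUTHORITY-CHECK: {len(ok)} shown, {hidden} hidden | "
              f"buffer-literal: {len(bad)} shown")
```

Run stand-alone, the script shows the three buffers side by side: with '*' the record-by-record check shows all four components and the literal filter shows none; with explicit OWZ/REP both approaches agree (three shown, CKF hidden), which is exactly why swapping '*' for explicit values "fixes" a check that was never reading the buffer correctly; with the two-role buffer the record-by-record check still shows everything because any one authorization suffices, while the literal filter only shows the REP entries. If the ST01 trace line's "Go to source" lands in code that builds an allow-list from the user's authorization values instead of calling AUTHORITY-CHECK per record, that is the defect to report.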