Tuesday 11 June 2013

Precaution when adding or removing TCODE in roles - authorization conflict

As Basis, you're trying to fine-tune the user roles and an unexpected result occurs:

Scenario:
A user has access to 2 companies through the same TCODE in 2 different roles, one for display and one for modification.

Role A with TCODE: FS00, Object: F_SKA1_KTP, Activity: 02, 08, Value: *
Role B with TCODE: FS00, Object: F_SKA1_KTP, Activity: 03, Value: TGGA, TGRP

You have removed TCODE FS00 from Role A and expect the user to be able to perform only the display function through Role B, but the user can still perform both display and modification on the 2 relevant companies, which is an unexpected authorization / conflict.

Reason:
Even though the TCODE has been removed from the role menu or from the S_TCODE object value in the single role, the customized object value still remains in the role and causes the authorization conflict.

Role A: object "F_SKA1_KTP" for display only

Role B: object "F_SKA1_KTP"

Solution:
1) Be careful when removing a TCODE from roles and ensure all overlapping object values are removed completely.
2) Create a customized object (requires some ABAP programming .. sample solution will be posted soon ... )
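
The reason and solution 1 above, as a simplified model added here for illustration (it is not from the original post and is not SAP code): the user's authorizations from all assigned roles are pooled, so the FS00 start authorization from Role B combines with the F_SKA1_KTP value left behind in Role A. The field name `VALUE`, the `TCODE_OBJECTS` mapping and all function names are assumptions made for this example.

```python
# Simplified model of how role authorizations combine (added example; constructed data).
from fnmatch import fnmatchcase

def make_roles(role_a_has_fs00):
    # Each entry: (object, {field: allowed values}); values from the scenario above.
    role_a = [("F_SKA1_KTP", {"ACTVT": {"02", "08"}, "VALUE": {"*"}})]
    if role_a_has_fs00:
        role_a.append(("S_TCODE", {"TCD": {"FS00"}}))
    role_b = [("S_TCODE", {"TCD": {"FS00"}}),
              ("F_SKA1_KTP", {"ACTVT": {"03"}, "VALUE": {"TGGA", "TGRP"}})]
    return {"ROLE_A": role_a, "ROLE_B": role_b}

def check(roles, obj, **wanted):
    """True if any one authorization from any assigned role covers every field."""
    for auths in roles.values():
        for name, fields in auths:
            if name == obj and all(
                    any(fnmatchcase(val, pat) for pat in fields.get(f, ()))
                    for f, val in wanted.items()):
                return True
    return False

def can_run_fs00(roles, activity, value):
    # Transaction start check first, then the object check inside the transaction.
    return (check(roles, "S_TCODE", TCD="FS00")
            and check(roles, "F_SKA1_KTP", ACTVT=activity, VALUE=value))

# Hypothetical transaction-to-object mapping, used only to flag leftovers.
TCODE_OBJECTS = {"FS00": {"F_SKA1_KTP"}}

def leftover_objects(auths):
    """Objects still in a role although no transaction in that role needs them."""
    tcodes = {t for name, f in auths if name == "S_TCODE" for t in f["TCD"]}
    needed = {o for t in tcodes for o in TCODE_OBJECTS.get(t, ())}
    return sorted({name for name, _ in auths if name != "S_TCODE"} - needed)

if __name__ == "__main__":
    after = make_roles(role_a_has_fs00=False)  # FS00 removed from Role A only
    print("change on TGGA still allowed:", can_run_fs00(after, "02", "TGGA"))
    print("leftover objects in ROLE_A:", leftover_objects(after["ROLE_A"]))
```

Running `leftover_objects` over each role after a TCODE removal lists the object values that still need to be cleaned out of that role.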
