Display roles with non display authorizations
Sometimes I come across roles within the SAP system that are set up and assigned as display roles. However, when analyzing the roles further, it turns out that they are not really display roles (any more). The first focus while setting up display roles is probably removing the non-display ACTVT values for the corresponding authorization objects. The list of ACTVT values and the meaning of each value can be found in table TACT.
No * value and no non-display values should be assigned to the ACTVT field in a display role. This seems logical, but sometimes only the 01 and 02 values are removed and the other critical values (including *) are forgotten.
ACTVT is used by many authorization objects. The list of these objects can be found in table TACTZ.
ACTVT, however, is not the only authorization field that should be restricted to display values; there are others as well, like PPFCODE, AUTHC in HR and JOBACTION in Basis. Make sure the values assigned to the object fields are really display only. And while testing the role, make sure you perform both positive and negative testing.
And last, if you assign multiple roles to one user, make sure the combination of the display role and non-display roles does not grant broad access rights.
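The two checks described above (non-display values left inside a display role, and access accumulating when a user holds a display role next to a non-display role on the same object) can be automated over an export of the role authorization data. The script below is an added example, not code from the original post; it assumes rows in the role/object/field/low/high layout of an AGR_1251 export, and the rows, role names and the object names Z_DEMO_OBJ and Z_DEMO_OBJ2 are constructed sample data.

```python
"""Added example (not part of the original post): an offline checker for SAP
display roles. It flags non-display activity values inside a role and shows
how values accumulate when a user holds several roles. Input rows follow the
role/object/field/low/high layout of an AGR_1251 export (assumption); the rows
below are constructed sample data, not taken from a real system."""
from collections import defaultdict

# Values treated as pure display. ACTVT 03 is display; AUTHC R is read (HR).
DISPLAY_VALUES = {"ACTVT": {"03"}, "AUTHC": {"R"}}
# Values the post says may be acceptable depending on the object: 04 print,
# 08 display change documents. Reported separately, not as violations.
TOLERATED_VALUES = {"ACTVT": {"04", "08"}}

# Constructed sample rows: (role, object, field, low, high)
SAMPLE_ROWS = [
    ("Z_DISP_MM", "Z_DEMO_OBJ", "ACTVT", "03", ""),
    ("Z_DISP_MM", "Z_DEMO_OBJ", "ACTVT", "01", ""),   # create left in by mistake
    ("Z_DISP_MM", "Z_DEMO_OBJ", "ACTVT", "08", ""),   # display change documents
    ("Z_DISP_MM", "Z_DEMO_OBJ", "WERKS", "*", ""),    # org level, not an activity
    ("Z_DISP_FI", "Z_DEMO_OBJ2", "ACTVT", "*", ""),   # wildcard: every activity
    ("Z_DISP_HR", "P_ORGIN", "AUTHC", "R", ""),
    ("Z_DISP_SD", "V_LIKP_VST", "ACTVT", "03", ""),
    ("Z_UPD_SD", "V_LIKP_VST", "ACTVT", "01", "02"),  # range 01..02
]


def expand_values(low, high):
    """Values granted by one row. '*' is kept as-is (it matches everything);
    a numeric range such as 01..09 is expanded to the two-digit codes it
    covers. Assumption: activity codes are two-digit numeric strings."""
    if low == "*":
        return {"*"}
    if high and low.isdigit() and high.isdigit():
        return {f"{n:02d}" for n in range(int(low), int(high) + 1)}
    return {low}


def classify(field, value):
    """'display', 'tolerated' or 'critical' for one field value."""
    if value == "*":
        return "critical"
    if value in DISPLAY_VALUES.get(field, set()):
        return "display"
    if value in TOLERATED_VALUES.get(field, set()):
        return "tolerated"
    return "critical"


def check_role_values(rows, role):
    """Per (object, field) of one role: values that are not pure display,
    mapped to their class. Fields that are not activity fields are skipped."""
    findings = {}
    for r, obj, field, low, high in rows:
        if r != role or field not in DISPLAY_VALUES:
            continue
        for value in sorted(expand_values(low, high)):
            cls = classify(field, value)
            if cls != "display":
                findings.setdefault((obj, field), {})[value] = cls
    return findings


def accumulated_values(rows, user_roles):
    """Union of values per (object, field) over all roles a user holds.
    The authorization check sees this union, so a display role's object
    gains whatever another role grants on the same object."""
    acc = defaultdict(set)
    for r, obj, field, low, high in rows:
        if r in user_roles:
            acc[(obj, field)] |= expand_values(low, high)
    return {k: sorted(v) for k, v in acc.items()}


def upgraded_display_objects(rows, display_role, user_roles):
    """Objects of display_role that receive critical values from another
    role in user_roles: the 'display role becomes an update role' case."""
    display_objs = {(obj, field) for r, obj, field, _, _ in rows
                    if r == display_role and field in DISPLAY_VALUES}
    acc = accumulated_values(rows, set(user_roles) - {display_role})
    result = {}
    for key in display_objs:
        critical = [v for v in acc.get(key, []) if classify(key[1], v) == "critical"]
        if critical:
            result[key] = critical
    return result


if __name__ == "__main__":
    for role in ("Z_DISP_MM", "Z_DISP_FI", "Z_DISP_HR", "Z_DISP_SD"):
        print(role, check_role_values(SAMPLE_ROWS, role))
    print("Z_DISP_SD + Z_UPD_SD:",
          upgraded_display_objects(SAMPLE_ROWS, "Z_DISP_SD", {"Z_DISP_SD", "Z_UPD_SD"}))
```

Run it on the sample rows and Z_DISP_MM is reported for the forgotten 01 (critical) next to a tolerated 08, Z_DISP_FI for its *, while Z_DISP_HR and Z_DISP_SD are clean on their own; the last line shows that a user holding Z_DISP_SD together with Z_UPD_SD ends up with 01 and 02 on V_LIKP_VST, which is exactly the accumulation that turns the display role into an update role. Running the role-level check first and the user-level check second mirrors the order recommended in the post.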
Informative post. Thanks for sharing 🙂
Mj
Hi Meta
Guide me if I am wrong, I think 99% of the time display roles should have only the 03 activity for display but not any other value.
There may be very few instances where we need a few other activities to support the display.
Hi Pavan,
For the ACTVT value it is indeed quite clear which values should (and should not) be in. 03 - display, but sometimes also 04 - print, 08 - display change documents... it depends on the underlying objects and transactions. However, there are some modules that are a bit different than the "standard modules". An example is HR. Because of the sensitive data in an HR system I would always recommend to set up separate HR-specific roles, also for display. In HR the object field AUTHC has no number values like ACTVT but letter values instead. Here the letter R is read.
I recommend creating display roles with only real display transactions in it. For example MM03 - display material master data.
Thanks Meta 🙂 for the information
Hi Meta,
What about if there are 2 roles that share an authorization object as below:
Role 1 (Display only)
Tcode: VL06
Aut Obj: V_LIKP_VST
ACTVT 03
Role 2 (Update)
Tcodes: others
Aut Obj: V_LIKP_VST
ACTVT 02
User A has both roles, so that combination will grant update access to VL06 to the user because both roles share the same authorization object. It means Role 2 turns the VL06 tcode from Role 1 into an update tcode.
Is there a way to avoid Role 1 becoming an update role in combination with an authorization object from another role that has activity 02 checked?
I much appreciate your comments.
Thanks.
Daniel.
Hi Daniel,
With the standard SAP way of working there is no way to solve this unfortunately.
Accumulation of access rights is always difficult to tackle.
Kind regards,
Meta
Hi Meta,
I am currently planning to adapt the SAP_ALL authorization profile by making a SAP_ALL display-only ROLE because it is a request from the infrastructure team. This will be my first time doing this. What recommendations can you give me for creating this role? Are there limitations, what things should I consider?
Thank you.
Maria
Hi Maria,
This indeed can be a difficult task, esp. when this display role will be combined with non-display roles. You can start by setting up a display role with only display transactions and authorizations, but even then accumulation of access rights can lead to unwanted access.
Therefore I would recommend to set up the role, and analyze on role level (first) and user level second whether accumulation of access rights is occurring.
I hope this helps!
Kind regards,
Meta Hoetjes