* Full Authorization! Pitfalls.
What is the first thing that comes to your mind when you found this subject 😛 Quite unique 😉 .
I guess my number of views will be less this time due to the uniqueness of the title 🙁
“*” is quite often used term in CRM UI to make a wild search. We use “*” when we are searching in F4 in SAP GUI or CRM Web UI Search.
But the asterisk what I am going to talk about is the one which we put in PFCG authorization 😀
Across my SAP experience I found people easily giving full authorization to authorization object. The reason behind such practice is as follows:
- Lack of knowledge
- Avoidance of unexpected errors that might occur
- Effort required to find those objects
- Making testing task easier, etc…..
In CRM perspective, if we follow such method then we are trying to control navigation via Business role. The UIU component linked to the business role does not restrict access data but let the menu in PFCG role to control navigation.
❗ Pitfalls of such approach
Using the * to all the objects is like disabling the authority check to work. Giving unwanted access to users which they are not suppose to use it, leading to a major business impact and security concerns.
So it is recommended to give specific set of values for authorization object in the beginning itself, rather getting into trouble later.
Below is some of the illustration of blunders that one might do 😯
Example 1 – UIU component authorization objects
Example 2 – Non UIU component authorization objects
To my surprise some might give all the parameters full authorization as the one above. Giving such authorization demeans the usage of the authorization concept.
ℹ Nonetheless there can be some authorization objects we can give full authorization “*” . For example a developer role. The whole point is look before you give such authorizations rather than recklessly giving full authorizations to all the authorizations objects in a PFCG Role.