Understanding authorization objects superposition


Role 1

Transaction VA02

object  V_VBAK_AAT

fields ACTVT 03 “view”

         AUART Z491 “document type”

Role 2

Transaction VA02

object  V_VBAK_AAT

fields ACTVT 02 “modify”

          AUART * “document type”

Below is the user's access when both role 1 and role 2 are assigned.

Transaction VA02

object  V_VBAK_AAT

fields ACTVT 02 03

          AUART *

In this case the user can modify document type Z491 even though role 1 grants only activity 03 for it, because role 2 grants permission to modify all document types (ACTVT 02 with AUART *).
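The superposition described above can be checked mechanically when reviewing role assignments. The following Python sketch is an added example, not SAP code and not from the original post: it models the two roles, assumes a check passes when any single authorization covers every field value, and reports where a narrowly scoped authorization is overridden by another assigned role. The function names and the probe list are hypothetical.

```python
# Added example: a model of the two roles above, not SAP code.
from itertools import product

# One authorization = field -> set of allowed values; "*" matches any value.
ROLE_1 = {"V_VBAK_AAT": [{"ACTVT": {"03"}, "AUART": {"Z491"}}]}
ROLE_2 = {"V_VBAK_AAT": [{"ACTVT": {"02"}, "AUART": {"*"}}]}


def covers(auth, check):
    """True if this single authorization allows every field value checked."""
    return all("*" in auth.get(f, set()) or v in auth.get(f, set())
               for f, v in check.items())


def is_authorized(roles, obj, **check):
    """Assumption: a check passes when any one authorization covers all fields."""
    return any(covers(a, check) for r in roles for a in r.get(obj, []))


def overridden(roles, obj, field, probes):
    """Find narrowly scoped authorizations whose limit on `field` is bypassed.

    Returns (role index, check) pairs: the role at that index restricts
    `field` for concrete values of the other fields, yet the combined
    role set grants a probe value the role itself does not contain.
    """
    findings = []
    for i, role in enumerate(roles):
        for auth in role.get(obj, []):
            scope = {f: sorted(v) for f, v in auth.items() if f != field}
            # Skip authorizations that are already generic.
            if "*" in auth[field] or any("*" in v for v in scope.values()):
                continue
            for combo in product(*scope.values()):
                for p in probes:
                    check = dict(zip(scope, combo), **{field: p})
                    if p not in auth[field] and is_authorized(roles, obj, **check):
                        findings.append((i, check))
    return findings


if __name__ == "__main__":
    user_roles = [ROLE_1, ROLE_2]
    # Probe create (01), change (02) and delete (06) against each narrow scope.
    for idx, check in overridden(user_roles, "V_VBAK_AAT", "ACTVT", ["01", "02", "06"]):
        print(f"role {idx + 1} limit bypassed by combined roles: {check}")
```
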


1 Comment


  1. Julius von dem Bussche

    The same applies to several objects. The ability to change overrides the missing access to display. Particularly in the search helps there are no checks to select anyway, and then you can navigate directly into change mode -> so why confuse the F4 from the list output? Makes sense..

    In the same way, the ability to change an object generally (actvt 02) is more powerful than create (01) or delete (06) as you can change it to anything you want to -> S_TABU* objects.

    But there are a few exceptions to the rule, as usual..  😉

    Cheers,

    Julius
