Understanding authorization objects superposition
Role 1
Transaction VA02
object V_VBAK_AAT
fields ACTVT 03 “view”
AUART Z491 “document type”
Role 2
Transaction VA02
object V_VBAK_AAT
fields ACTVT 02 “modify”
AUART * “document type”
Below is the user's access when he has both role 1 and role 2.
Transaction VA02
object V_VBAK_AAT
fields ACTVT 02 03
AUART *
In this case the user can modify the document Z491 even though he only has activity 3 in role 1, because in role 2 the user has permission to modify all kinds of documents through the ACTVT *
The same applies to several objects. The ability to change overrides the missing access to display. Particularly in the search helps there are no checks to select anyway, and then you can navigate directly into change mode -> so why confuse the F4 from the list output? Makes sense..
In the same way, the ability to change an object generally (actvt 02) is more powerful than create (01) or delete (06) as you can change it to anything you want to -> S_TABU* objects.
But there are a few exceptions to the rule, as usual.. 😉
Cheers,
Julius
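An added example, not part of the original thread and not SAP code: a simplified Python model of the check on V_VBAK_AAT for the two roles listed at the top of the page, plus an audit helper that reports where one role's document-type restriction is widened by another role the same user holds. It assumes a check passes when any single authorization satisfies every checked field, and models only the full `*` wildcard; the function names and the `ROLES` structure are hypothetical.

```python
# Constructed data: the two roles from the page, as authorizations on V_VBAK_AAT.
ROLES = {
    "Role 1": [{"object": "V_VBAK_AAT", "ACTVT": {"03"}, "AUART": {"Z491"}}],
    "Role 2": [{"object": "V_VBAK_AAT", "ACTVT": {"02"}, "AUART": {"*"}}],
}

def field_ok(allowed, value):
    # Assumption: only the full wildcard "*" is modelled, not ranges or patterns.
    return "*" in allowed or value in allowed

def granting_roles(user_roles, obj, actvt, auart):
    """Roles holding a single authorization that satisfies both checked fields."""
    return [
        role for role in user_roles
        if any(a["object"] == obj
               and field_ok(a["ACTVT"], actvt)
               and field_ok(a["AUART"], auart)
               for a in ROLES[role])
    ]

def overridden_restrictions(user_roles, obj, activities=("01", "02", "03", "06")):
    """Report document types a role limits to some activities while another role adds more."""
    findings = []
    for role in user_roles:
        for auth in ROLES[role]:
            if auth["object"] != obj:
                continue
            for auart in sorted(auth["AUART"] - {"*"}):
                for actvt in activities:
                    if field_ok(auth["ACTVT"], actvt):
                        continue  # the restricted role already grants this activity
                    others = [r for r in granting_roles(user_roles, obj, actvt, auart)
                              if r != role]
                    if others:
                        findings.append((role, auart, actvt, others))
    return findings

if __name__ == "__main__":
    user = ["Role 1", "Role 2"]
    print("change Z491 granted by:", granting_roles(user, "V_VBAK_AAT", "02", "Z491"))
    for finding in overridden_restrictions(user, "V_VBAK_AAT"):
        print("restriction widened:", finding)
```

Run against a real role export, a finding means the narrower role's value restriction gives no protection for that activity while the user also holds the broader role.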