Security & Authorizations

Why use SU24

When the authorization object values are maintained in SU24, they are populated into the role and profile when you add the transaction in PFCG. When you then check the authorization objects in the role, you can see which transaction brought in each object and with which value.

It also means that when you remove the transaction from the role, the values it brought in are removed with it, so you can always be sure that every object in the role is in fact related to a transaction in the role.

Authorization object status in roles

Standard:

As described above, authorization objects come into a role through the SU24 values maintained for the transaction. If all values for the object are maintained, the object comes into the role with the status Standard.

Maintained:

This is almost the same as Standard, except that the values have not been maintained in SU24. That can be deliberate: in some roles you want activity 01 (Create), in others activity 03 (Display), so the value is decided in the role design. You can still see which transaction brought the authorization object into the role, and if you remove the transaction the authorization object is removed as well.

Changed:

Here you have changed the standard values in the role. For instance, the transaction brought in 03 (Display), but you decided that 08 (Display change documents) should also be in the role and changed the standard value to 03 and 08.

Be very careful with changing the standard values: you will no longer be able to see which transaction brought the object into the role, and the object will remain in the role even when you remove the transaction.

It might seem like a good idea at the time to quickly fix an issue, but a couple of years from now, can you still remember why you did it? Unless you keep thorough documentation, it is quite unlikely.

What should you do instead?

Quite often there is in fact a transaction that brings in the objects the correct way. For instance, MM03 is for displaying materials; if you also want to allow users to view change documents, add MM04. It can take a little extra time to find these transactions, as users most likely won’t know them because they only click “view change documents”.

Manual:

Here you have added the authorization object manually, and it can also only be removed manually. There can be good reasons for this, for instance support roles where support staff need access to many objects in a certain area.

I would also say here that you should be very careful and document properly.
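To make the four statuses concrete, here is a small Python model of the rules described above (an added illustration, not code from the article or from SAP). It assumes constructed SU24 proposals for MM03 and MM04 and an invented transaction ZTEST, and it also covers the case of two transactions proposing the same object, where removing one leaves the object with the values still proposed by the other.

```python
# Added example (not from the article): a model of how PFCG treats the
# authorization objects that SU24 proposes for a transaction. Status names and
# removal rules follow the article; the SU24 defaults are constructed samples.
from dataclasses import dataclass, field

# Constructed SU24-style proposals: transaction -> object -> ACTVT values.
# An empty set means the object is proposed but its value is not maintained
# in SU24, so it enters the role with status "Maintained". ZTEST is invented.
SU24_DEFAULTS = {
    "MM03": {"M_MATE_MAT": {"03"}, "S_TCODE": {"MM03"}},
    "MM04": {"M_MATE_MAT": {"03", "08"}, "S_TCODE": {"MM04"}},
    "ZTEST": {"M_MATE_MAT": set(), "S_TCODE": {"ZTEST"}},
}

@dataclass
class AuthObject:
    values: set
    status: str                                # Standard/Maintained/Changed/Manual
    origins: set = field(default_factory=set)  # transactions that proposed it

class Role:
    def __init__(self):
        self.objects = {}

    def add_transaction(self, tcode):
        for obj, vals in SU24_DEFAULTS[tcode].items():
            cur = self.objects.get(obj)
            if cur is None:
                cur = AuthObject(set(vals), "Standard" if vals else "Maintained")
                self.objects[obj] = cur
            elif cur.status in ("Standard", "Maintained"):
                cur.values |= vals  # merge proposals from several transactions
            else:
                continue  # Changed/Manual objects are no longer linked to tcodes
            cur.origins.add(tcode)

    def change_value(self, obj, values):
        # Editing a proposed value breaks the link to the transaction(s).
        o = self.objects[obj]
        o.values, o.status, o.origins = set(values), "Changed", set()

    def add_manual(self, obj, values):
        self.objects[obj] = AuthObject(set(values), "Manual")

    def remove_transaction(self, tcode):
        for obj, o in list(self.objects.items()):
            if o.status not in ("Standard", "Maintained"):
                continue  # Changed and Manual objects stay behind
            o.origins.discard(tcode)
            if not o.origins:
                del self.objects[obj]  # nothing proposes it any more
            else:  # re-derive the values from the transactions still present
                o.values = set().union(*(SU24_DEFAULTS[t][obj] for t in o.origins))

    def status_of(self, obj):
        return self.objects[obj].status if obj in self.objects else None
```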