Search This Blog

Tuesday, March 15, 2011

Globally Deactivating Authorization Checks


You can globally deactivate authorization checks with Transaction AUTH_SWITCH_OBJECTS. The system does not execute any authorization checks for deactivated authorization objects.

You deactivate authorization objects in the tree display by selecting the checkbox to the left of the object. The deactivated authorization objects are then displayed in red. The authorization checks are not ignored in the system until you save your settings.

You cannot globally deactivate authorization objects that begin with "S_" (Basis) or "P_" (HR) in Transaction AUTH_SWITCH_OBJECTS.

Globally deactivating authorization checks considerably reduces authorization maintenance. The system does not insert any authorization data in the Profile Generator for deactivated authorization objects. With Release upgrades, transactions whose authorization data is to be postprocessed are not displayed for postprocessing if the corresponding authorization object is globally deactivated.

If you activate authorization objects that were previously deactivated, note that you may have to postprocess the authorization data for many roles.

If you reactivate authorization objects, these objects are not contained in any roles. In this case, call Transaction PCFG and choose Read old status and compare with the new data in the tab Authorizations in expert mode to generate profiles. Maintain any authorization values that are missing and then regenerate the profile.

You can transport the settings in Transaction AUTH_SWITCH_OBJECTS. During the transport, for reasons of security the system transports the inactive (saved) version of the deactivated authorization objects. You activate the deactivated authorization objects by choosing Authorization objects ® Activate data.

To save or activate deactivated authorization objects, you require authorization for object S_USER_OBJ. For reasons of security, you should assign authorizations for saving and activating the deactivated authorization objects for various users. It makes sense to deactivate the authorization checks only if at least two people agree on this.

The option to globally deactivate authorization checks is controlled by system parameter auth/object_disabling_active. This parameter is set by default.


No comments:

Post a Comment