11-15-2023 1:21 PM
Hi experts,
If you add a transaction to a PFCG role, you get an authorization object list which comes from transaction SU22.
I am wondering which values should be maintained in the PFCG role authorization and which should be maintained in SU22.
As far as I understand, SU22 is a template and the PFCG role is customizing.
I have checked some existing ones. Some authorization objects in SU22 were set to the status "Check with no values"; I think the authorization should be maintained in the PFCG role. Some other objects have locked fields, saying they are maintained at org level. I don't quite understand about this.
Can someone explain these to me? Thank you.
Regards,
Eric
11-15-2023 7:03 PM
As you can see in the official documentation and in the forum, SU22 is to indicate the authorizations used in any transaction code, which must correspond to what has been done by the developer in that transaction code (whether it's standard or custom), to help maintain the authorizations.
As you can see in the official documentation and in the forum, organization level is about the values which are common to many authorizations, like the company code a role is assigned to, etc.
You "don't quite understand about this." No need to repeat what is said in the official documentation and in the forum, what do you understand and what is your question?
11-16-2023 1:55 AM
Thank you for the reply. Regarding SU22, in a PFCG role you can add a transaction and maintain the authorization. What I am asking about is the difference between authorization objects that are maintained in SU22 and in the PFCG role.
11-16-2023 6:16 AM
What you maintain in SU22 = authorizations proposed by default in PFCG when you add a transaction code.
Just try it = fast learning.
11-16-2023 6:20 AM
I have tried it technically, but I am not clear about what kind of data should be maintained by default (in SU22) and what should be maintained in the PFCG role. Could you give an example?
11-16-2023 8:44 AM
If you create the transaction code ZTRAN, and in the corresponding program you always do AUTHORITY-CHECK OBJECT 'ZSUSO' ID 'ACTVT' FIELD '01', then you should define in SU22 that ZTRAN has ZSUSO with ACTVT = '01'. You then go to PFCG, create or maintain an existing role, add ZTRAN, you then maintain the authorizations of the role and you'll see that it has proposed ZSUSO with ACTVT = '01'.
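The check described in the post above, written out as an added example (not part of the original thread and not any poster's code). The report name ZTRAN_DEMO and a BUKRS field on ZSUSO are assumptions made for illustration. The point is the split: the activity is fixed in the program, so '01' belongs in the SU22 proposal, while the company code varies by user and is left for the role in PFCG.

```abap
REPORT ztran_demo.  " hypothetical program behind transaction ZTRAN

" The company code is supplied by the user at run time.
PARAMETERS p_bukrs TYPE bukrs OBLIGATORY.

START-OF-SELECTION.

  " ACTVT is hard-coded to '01', so SU22 can propose ACTVT = '01' for ZTRAN.
  " BUKRS (assumed field on ZSUSO) depends on the user's input, so SU22
  " cannot know its value; it is filled in the role, typically through
  " the organizational level for company code.
  AUTHORITY-CHECK OBJECT 'ZSUSO'
    ID 'ACTVT' FIELD '01'
    ID 'BUKRS' FIELD p_bukrs.

  " sy-subrc = 0 only if the user's roles contain a matching authorization.
  " Any other value means the check failed, so stop before doing any work.
  IF sy-subrc <> 0.
    MESSAGE 'No authorization to create in this company code' TYPE 'E'.
  ENDIF.

  WRITE: / 'Authorization check passed for company code', p_bukrs.
```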
11-17-2023 4:24 PM
First read some documentation, such as "From the Programmed Authorization Check to a Role".
Basically, the developer provides the administrator with the information required to add the transaction to a role with some default values.