Show TOC

 Globally Deactivating Authorization ChecksLocate this document in the navigation structure

As of SAP R/3 4.5, you can globally suppress authorization checks for individual authorization objects. If you use this option, the system does not perform any authorization checks at all for the specified objects. If you are using the Profile Generator, the option significantly reduces authorization maintenance. The Profile Generator does not enter any authorization data for deactivated authorization checks in profiles. You also do not have to postprocess the authorization data after an upgrade for transactions for which you have globally deactivated the corresponding authorization objects.

Caution

If you suppress authorization checks, you allow users to perform activities without ensuring that the users have the required authorization. This can have undesired consequences. Consider very carefully before suppressing authorization checks for authorization objects.

To suppress authorization checks for specific authorization objects, set the profile parameter auth/object_disabling_active to the value "Y". You then select the affected authorization objects using transaction SU25 (or transaction AUTH_SWITCH_OBJECTS). [You deactivate authorization objects in the tree display by selecting the checkbox to the left of the object. The deactivated authorization objects are then displayed in red. Then activate your settings (only then are the authorization checks ignored in the system).]

Note that:

  • You cannot suppress authorization checks for authorization objects that belong to Basis components or to Human Resources (HR).
  • You require authorization for the object S_USER_OBJ to be able to suppress authorization checks for authorization objects. We recommend that you assign the relevant activities (saving, activating, or transporting) to different administrators.
  • If you reactivate previously suppressed authorization checks for authorization objects, you must postprocess the authorization data for the relevant roles.

    These authorization objects are not contained in any role. In this case, call transaction PCFG and choose Read old status and compare with the new data on the tab page Authorizations in expert mode to generate profiles. Maintain missing authorization values and then regenerate the profile.

  • When transporting the settings (in transaction AUTH_SWITCH_OBJECTS), for security reasons, the system does not transport the active version of the settings, but rather the saved version. You need to explicitly activate these in the target system (Authorization Objects → Activate Data).
    Note

    To save or activate deactivated authorization checks for authorization objects, you require authorization for the object S_USER_OBJ. For security reasons, you should assign the authorizations for saving and for activating deactivated authorizations checks for authorization objects to different users. It makes sense to deactivate the authorization checks only if at least two people agree on this.