Priorities of Authorizations to Business Object Types

There are six types of authorizations that relate to BOs: the default right and the five specific authorizations by type, by attribute value, by instance, by relation and for attribute.

The authorization with higher priority always overrides the authorization with lower priority. If there are conflicting authorizations for a particular object, the authorization with the higher priority applies. If several authorizations by attribute value exist, their priority is determined by the order in which you added them, which is also represented by the numbers in brackets in the permission list.

In general, the more specific the authorization, the higher its priority. That is, an authorization by instance always overrides any other authorization. The default authorization only applies if no other authorization applies.

The priorities of authorizations (permissions) listed from the lowest priority (most global) to the highest (most specific) are:

| Priority | Authorization |
|---|---|
| 1 (Lowest Priority) | Default authorization |
| 2 | Authorization by BO Type |
| 3 | Authorization by Relation |
| 4 | Authorization by Attribute Value - Dataset (Multitenancy Dataset Authorization) |
| 5 | Authorization by Attribute Value - Workflow |
| 6 | Authorization by Attribute Value - Field |
| 7 (Highest Priority) | Authorization by Instance |

Note: The Authorization for Attribute works independently and therefore is not included in the above overview.

Note: A new role initially only has a default authorization. Any other authorizations must be created / customized by the administrators.

Example: A role has only a Read default right, which prohibits it from updating the data in any business object. However, in the Authorization by attribute value, the same role has a Write authorization for the systems that belong to a specific department. Although the default authorization is Read-only, the role is permitted to update those systems because the authorization with the higher priority applies.

NOTE: The "by Attribute Value" authorization types can change their priority order if the "User variable rights to have the priority higher than any attribute value right" and "Multitenancy has the highest priority" check boxes are set to true.

Also see Preventing Conflicting Authorizations and Resolving Conflicting Authorizations topics for further information about conflicting authorizations.

  • Priorities of Right Values (when a user is mapped to different roles)

There is another source of conflict between the authorizations in different roles to which a user may be mapped.

Two different roles can have authorization to a particular Business Object (or Technical Object), but one role has Read and the other has Delete.

Again, the rights are prioritized from the lowest (1) to the highest (4):

| Priority | Right |
|---|---|
| 1 (Lowest Priority) | No Read / No Execute |
| 2 | Read / Execute |
| 3 | Write / Change |
| 4 (Highest Priority) | Delete |

Delete is the right with the highest priority. Delete is also the right which is most specific.

For more information see Authorization Rights.
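
The two resolution steps described on this page, as an added Python sketch (not the product's own code): within a role the applicable authorization with the highest type priority wins, and across roles the right with the highest priority wins. The role data is constructed, the default type order is assumed (neither priority check box set), and several applicable authorizations of the same type with different rights are rejected because their order-added ranking is not modelled here.

```python
from enum import IntEnum

class AuthType(IntEnum):          # priority order from the first table
    DEFAULT = 1
    BO_TYPE = 2
    RELATION = 3
    ATTR_VALUE_DATASET = 4
    ATTR_VALUE_WORKFLOW = 5
    ATTR_VALUE_FIELD = 6
    INSTANCE = 7

class Right(IntEnum):             # priority order from the second table
    NO_READ = 1                   # No Read / No Execute
    READ = 2                      # Read / Execute
    WRITE = 3                     # Write / Change
    DELETE = 4

def resolve_role(auths):
    """Pick the winning authorization of one role for one object.

    auths: (AuthType, Right, applies) tuples; applies says whether the
    authorization matches the object being accessed.
    """
    applicable = [(t, r) for t, r, applies in auths if applies]
    if not applicable:
        raise ValueError("no applicable authorization, not even a default")
    top = max(t for t, _ in applicable)
    rights = {r for t, r in applicable if t == top}
    if len(rights) > 1:
        # Same-type ordering depends on the order added; not modelled here.
        raise ValueError(f"conflicting {top.name} authorizations")
    return top, rights.pop()

def effective_right(roles):
    """Right a user mapped to several roles ends up with: highest wins."""
    return max(resolve_role(auths)[1] for auths in roles.values())

# Constructed sample roles, evaluated against one system record.
OPERATOR = [(AuthType.DEFAULT, Right.READ, True),
            (AuthType.ATTR_VALUE_FIELD, Right.WRITE, True)]   # department match
AUDITOR = [(AuthType.DEFAULT, Right.READ, True),
           (AuthType.BO_TYPE, Right.DELETE, True),
           (AuthType.INSTANCE, Right.NO_READ, True)]          # record blocked

if __name__ == "__main__":
    for name, auths in (("operator", OPERATOR), ("auditor", AUDITOR)):
        kind, right = resolve_role(auths)
        print(f"{name}: {right.name} via {kind.name}")
    print("both roles:", effective_right({"o": OPERATOR, "a": AUDITOR}).name)
```

The auditor role alone resolves to No Read for the record, yet a user who also holds the operator role ends up with Write, which is the cross-role effect to check when reviewing role mappings.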

See Also

Conflicting Authorizations

Preventing Conflicting Authorizations

Resolving Conflicting Authorizations