IDEA of minimum solution:
when user is allowed to read (but only misses write access) an object
then do not log anything - just simply open in R/O mode
IDEA of optimal solution:
In addition to "minimum": Allow users to open an object in an explicit "read-only" mode ("show" instead of "edit") to avoid blocking
Background: current situation
-- logging --
currently 2 types of messages exist and are logged (4505+4506), where in both situations the user were allowed to read:
U00004505 Access violation: User: 'M.../...' Object: 'P29_...' Access type: 'W' Reason: prohibition in authorization profile: 'ADMIN_...'.
U00004519 Access violation details: Used filter: 'JOBS/P29_.../P29_HOSTG...//P29_LOGIN_...///' .
--> 4505 is already logged when only selecting the object in explorer view - even without opening
U00004506 Access violation: User: 'VISITOR_SAP_.../...' Object: 'UC4_SAP_...' Access: 'W' Reason: No right found in authorization group '3'.
U00004519 Access violation details: Used filter: 'JOBS/UC4_SAP_.../<UNIX>/////' .
-- open object --
if user has the necessary auth. then an object is always opened in modification mode and the object is locked (blocked againts other users) -
but sometimes user has no update intention and only wants to read/check/monitor, so object blocking is not needed