The authorization for object B_USERSTAT (set/delete user status) is only checked if a user status is set or deleted MANUALLY. If the user status is set as a follow-up action of an activity, the system does not check this authorization.
The authorization for carrying out this activity should be defined by an application-specific activity authorization. Someone who is authorized to carry out an activity should not be prevented from carrying out an activity because he/she does not have the authorization for changing a next status manually. Authorization object B_USERSTAT is only meant for the manual change of a user status. On the other hand, a suitable activity authorization is missing in many application which enables the user, for example, to restrict the group of persons who has the authorization to release (complete, ...) a certain object.
In Release 4.6C, there will be a new authorization object B_USERST_T which is checked during the automatica setting or deletion of user statuses by activities. In previous releases, you can achieve this system response with the help of a MODIFICATION (see Note 60522).
Application-specific activity authorizations are offered as of Release 4.70. For more information on this, see Note 486765.