
create single role copy of composite role in sap security

Former Member
0 Kudos

We have a composite role Z_RUC_ALL_FICO_PAAKAYTTAJA. It includes dozens of single roles (approx. 30 single roles).

We would need to create a new single role which includes all transactions and authorizations from composite Z_RUC_ALL_FICO_PAAKAYTTAJA and some added transactions. Is it possible to merge those single roles in FICO_PAAKAYTTAJA to one new single role? Any best procedure?

Need to copy all data of 30 single roles into one new single role in one shot to avoid manual work.

My option is: Yes, the possibility is there.

First download all tcodes, auth object values and org values from the AGR tables, create one single role and add all these tcodes, org values etc.

Or create single roles, insert all profiles of all single roles and maintain the auth data manually by referring to the AGR tables data.

T&R

S.N.R

1 ACCEPTED SOLUTION

Former Member

Hi Nagraju


As mentioned by Sudhir & Naveen you will have to create a new role.


This can be done in two steps.


Step 1 Menu creation

You need to add the transactions from the 30 old roles to the new role (wait with the new transaction until step 2 is done).


In the menu of the new role you can import the menu/transactions from the 30 single roles to the new single role.

If the menu is not on the composite role then pick the menus up from the single roles to the composite role and import the menus. You can now use the old composite role to copy from.

Select the menu/transactions needed for the new role's menu and transfer them.


Step 2 Authorization generation

If the SU24 is correct you only need to generate the role's authorizations and add the organisational levels.


OK, if this is not the case then you need to import the profiles from the single roles into the new role.


Go into the authorization tab and start with change authorizations.


Here you have the option for inserting authorizations from existing profiles related to the single roles.

It's still a job to be done, but far from as long as comparing authorization objects in 30 roles manually in cut&paste mode.

When the role's authorization is generated you can add the new transactions you mentioned and see what SU24 suggests when changing the authorizations again.

Enjoy 🙂

BR Niels Knuzen

7 REPLIES 7

Former Member

Hi Nagaraju,

Rather than making it complex, I think it is better to create a new role with the required T-codes and add that role to the complex role.

Regards

Sudhir Sadhu

Former Member

Hi Nagraju,

I do agree with the above.

As per your requirement, create a new role for the required transactions.

Regards

Naveen

0 Kudos

Hi Niels,

The option # 2 might not be appropriate as it doesn't get the role menus when you include profiles. So I still recommend option # 1, and while maintaining authorizations, the values can be validated with the AGR_1251 and AGR_1252 tables.

These two SAP Notes might be useful to address issues while importing the menus:

679050 - PFCG: Merging and combining authorizations

1486866 - PFCG: Error when merging composite role menus

Regards,

Raghu Boddu
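
The validation against AGR_1251 mentioned above can be scripted; the following is an added example, not part of the thread, that compares the field-value combinations granted by each single authorization in the source roles with those in the merged role, and reports what is missing and what has been widened. The CSV layout, role names, profile names and values are constructed sample data, values are compared literally, and organisational level values held in AGR_1252 would need the same comparison.

```python
import csv, io
from collections import defaultdict
from itertools import product

# Constructed rows shaped like an SE16 export of AGR_1251; role names,
# profile names and values are hypothetical sample data.
SAMPLE = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH,DELETED
Z_OLD_A,S_TABU_DIS,T-A1,ACTVT,03,,
Z_OLD_A,S_TABU_DIS,T-A1,DICBERCLS,FC01,,
Z_OLD_B,S_TABU_DIS,T-B1,ACTVT,02,,
Z_OLD_B,S_TABU_DIS,T-B1,DICBERCLS,SS,,
Z_OLD_B,S_TCODE,T-B2,TCD,SM30,,X
Z_NEW,S_TABU_DIS,T-N1,ACTVT,02,,
Z_NEW,S_TABU_DIS,T-N1,ACTVT,03,,
Z_NEW,S_TABU_DIS,T-N1,DICBERCLS,FC01,,
Z_NEW,S_TABU_DIS,T-N1,DICBERCLS,SS,,
"""

def load(text):
    """role -> (OBJECT, AUTH) -> FIELD -> set of values; deleted rows skipped."""
    roles = defaultdict(lambda: defaultdict(lambda: defaultdict(set)))
    for r in csv.DictReader(io.StringIO(text)):
        if r["DELETED"] != "X":
            value = r["LOW"] + ("-" + r["HIGH"] if r["HIGH"] else "")
            roles[r["AGR_NAME"]][(r["OBJECT"], r["AUTH"])][r["FIELD"]].add(value)
    return roles

def combos(roles, names):
    """Field-value combinations granted by any single authorization instance.
    Values are compared literally: '*' and ranges are not expanded."""
    out = set()
    for name in names:
        for (obj, _auth), fields in roles[name].items():
            keys = sorted(fields)
            for vals in product(*(sorted(fields[k]) for k in keys)):
                out.add((obj, tuple(zip(keys, vals))))
    return out

def compare(text, sources, new_role):
    """Return (missing, widened) combinations for new_role versus sources."""
    roles = load(text)
    old, new = combos(roles, sources), combos(roles, [new_role])
    return sorted(old - new), sorted(new - old)

if __name__ == "__main__":
    missing, widened = compare(SAMPLE, ["Z_OLD_A", "Z_OLD_B"], "Z_NEW")
    print("missing:", missing)
    for obj, fields in widened:
        print("widened:", obj, dict(fields))
```

On the sample rows nothing is missing, but the merged authorization grants ACTVT 02 on DICBERCLS FC01 and ACTVT 03 on DICBERCLS SS, combinations that no single authorization in the source roles contained.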

0 Kudos

Hi Raghu

It is not two options I described.

You must not separate the two steps from each other.

BR

Niels Knuzen

0 Kudos

Hi

Inserting profiles (I think) makes the new role a bit of a mess. The profile inserts the objects in a 'manually' state so that the object no longer references any of the transactions it was supporting in the original role. I'm assuming the original role did this.

By the time you mess around with the values you might as well have just created a new single role, corrected SU24 as required and be done with the whole thing.

Plus - this topic is covered many times if you tried to use the search...

Kind regards

David

0 Kudos

Hi David

This is also what I suggest in step 2 and I agree with you about the necessity to have SU24 updated because it helps the consultant to reach an aligned result when setting up authorizations in PFCG.

I just don't know the client Nagaraju is working for and whether they have an updated SU24, so I am not able to judge the volume of the work related to starting up with SU24. There are a lot of unanswered IF statements, which need to be answered before I could make this judgement:

  • Is it the same organisational levels in the 30 roles which are merged into one role?
  • What is the deadline?
  • Is SU24 already maintained or are you starting up from scratch?
  • Does the consultant have the business knowledge related to the 30 roles or at least documentation related to them which can support him in setting up SU24?
  • Have the single roles which are being merged been created with a lot of manual entries?
  • and so on.

I have in case of limited time used the above steps with success. This is because I first generate the role based on all the transactions included in the role's menu (Step 1), which at least will pick up the SU24 standard demands. Then I merged this profile with the old profiles from the single roles and handled the organisational levels.

BR Niels Knuzen