01-09-2014 9:47 AM
We have a composite role Z_RUC_ALL_FICO_PAAKAYTTAJA. It includes dozens of single roles (approx. 30 single roles).
We would need to create a new single role which includes all transactions and authorizations from composite Z_RUC_ALL_FICO_PAAKAYTTAJA and some added transactions. Is it possible to merge those single roles in FICO_PAAKAYTTAJA to one new single role? Any best procedure?
Need to copy all data of the 30 single roles into one new single role in one shot to avoid manual work.
My option is: Yes, the possibility is there.
First download all tcodes, auth object values and org values from the AGR tables, create one single role and add all these tcodes, org values, etc.
Or create single roles and insert all profiles of all single roles and maintain auth data manually by referring to the AGR tables data.
T&R
S.N.R
01-09-2014 5:26 PM
Hi Nagraju
As mentioned by Sudhir & Naveen you will have to create a new role.
This can be done in two steps.
Step 1 Menu creation
You need to add the transactions from the 30 old roles to the new role (wait with the new transaction until step 2 is done).
In the menu of the new role you can import the menu/transactions from the 30 single roles to the new single role.
If the menu is not on the composite role then pick the menus up from the single roles to the composite role and import the menus. You can now use the old composite role to copy from.
Select the menu/transactions needed for the new role's menu and transfer them.
Step 2 Authorization generation
If the SU24 is correct you only need to generate the role's authorizations and add the organisational levels.
OK, if this is not the case then you need to import the profiles from the single roles into the new role.
Go into the authorization tab and start with change authorizations.
Here you have the option for inserting authorizations from existing profiles related to the single roles.
It's still a job to be done, but far from as long as comparing authorization objects in 30 roles manually in cut&paste mode.
When the role's authorization is generated you can add the new transactions you mentioned and see what SU24 suggests when changing the authorizations again.
Enjoy 🙂
BR Niels Knuzen
01-11-2014 1:18 PM
Hi Niels,
The option # 2 might not be appropriate as it doesn't get the role menus when you include profiles. So I still recommend option # 1, and while maintaining authorizations, the values can be validated with the AGR_1251 and AGR_1252 tables.
These two SAP Notes might be useful to address issues while importing the menus:
679050 - PFCG: Merging and combining authorizations
1486866 - PFCG: Error when merging composite role menus
Regards,
Raghu Boddu
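The validation against AGR_1251 suggested in the post above can be scripted over a table export. This is an added example, not part of the original thread: the CSV layout (a subset of AGR_1251 columns), the role names and the sample rows are constructed, and treating DELETED = X as an inactive authorization is an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; columns are an assumed subset of AGR_1251.
# Org-level fields show the variable (e.g. $BUKRS); its values live in AGR_1252.
AGR_1251_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_SRC_ROLE_A,S_TCODE,TCD,FB03,,
Z_SRC_ROLE_A,F_BKPF_BUK,ACTVT,03,,
Z_SRC_ROLE_A,F_BKPF_BUK,BUKRS,$BUKRS,,
Z_SRC_ROLE_B,S_TCODE,TCD,FK03,,
Z_SRC_ROLE_B,F_BKPF_BUK,ACTVT,01,,X
Z_NEW_MERGED,S_TCODE,TCD,FB03,,
Z_NEW_MERGED,F_BKPF_BUK,ACTVT,*,,
Z_NEW_MERGED,F_BKPF_BUK,BUKRS,$BUKRS,,
"""

def load_values(text):
    """Return {role: {(object, field): {(low, high)}}}, skipping deleted rows."""
    roles = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(text)):
        if row["DELETED"].strip().upper() == "X":
            continue  # assumption: X marks an inactive/deleted authorization
        key = (row["OBJECT"], row["FIELD"])
        roles[row["AGR_NAME"]][key].add((row["LOW"], row["HIGH"]))
    return roles

def compare_merged(text, new_role):
    """Diff the new role against the union of all other roles in the export."""
    roles = load_values(text)
    merged = roles.get(new_role, {})
    union = defaultdict(set)
    for name, auths in roles.items():
        if name != new_role:
            for key, vals in auths.items():
                union[key] |= vals
    findings = {"missing": [], "added": []}
    for key in sorted(set(union) | set(merged)):
        src, new = union.get(key, set()), merged.get(key, set())
        # A full wildcard covers every source value, so nothing is missing,
        # but it is reported as "added" because it widens the access.
        missing = set() if ("*", "") in new else src - new
        findings["missing"] += [(key, v) for v in sorted(missing)]
        findings["added"] += [(key, v) for v in sorted(new - src)]
    return findings

if __name__ == "__main__":
    for kind, rows in compare_merged(AGR_1251_EXPORT, "Z_NEW_MERGED").items():
        for (obj, field), (low, high) in rows:
            print(f"{kind:8} {obj:12} {field:6} {low} {high}")
```

Entries under "added" are the ones to review first, since they grant more than any of the source roles did.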
01-11-2014 5:33 PM
Hi Raghu
It is not two options I described.
You must not separate the two steps from each other.
BR
Niels Knuzen
01-11-2014 11:35 PM
Hi
Inserting profiles (I think) makes the new role a bit of a mess. The profile inserts the objects in a 'manually' state so that the object no longer references any of the transactions it was supporting in the original role. I'm assuming the original role did this.
By the time you mess around with the values you might as well have just created a new single role, corrected SU24 as required and be done with the whole thing.
Plus - this topic is covered many times if you tried to use the search...
Kind regards
David
01-13-2014 8:54 AM
Hi David
This is also what I suggest in step 2 and I agree with you about the necessity to have SU24 updated because it helps consultants to reach an aligned result when setting up authorizations in PFCG.
I just don't know the client Nagaraju is working for and whether they have an updated SU24, so I am not able to judge the volume of the work related to starting up with SU24. There are a lot of unanswered IF statements, which need to be answered before I could make this judgement:
I have, in case of limited time, used the above steps with success. This is because I first generate the role based on all the transactions included in the role's menu (Step 1), which at least will pick up the SU24 standard demands. Then I merged this profile with the old profiles from the single roles and handled the organisational levels.
BR Niels Knuzen