Skip to Content
avatar image
Former Member

create single role copy of composite role in sap security

We have a composite role Z_RUC_ALL_FICO_PAAKAYTTAJA. It includes dozens of single roles ( Approx: 30 single roles).

We would need to create a new single role which includes all transactions and authorizations from composite Z_RUC_ALL_FICO_PAAKAYTTAJA and some added transactions. Is it possible to merge those single roles in FICO_PAAKAYTTAJA to one new single role? Any best procdure ?

Need to copy all data of 30 single roles into new one single role at one shot to avoid manually work

My option is: Yes possiblity is there

first download all tcode,auth object values,Org values from AGR tables and create one single role and add all these Tcodes,org values etc

Or Create single roles and insert all profiles fo all single roles and maintain Auth data manually by refering AGR tables data.

T&R

S.N.R

Add comment
10|10000 characters needed characters exceeded

  • Get RSS Feed

3 Answers

  • avatar image
    Former Member
    Jan 09, 2014 at 05:26 PM

    Hi Nagraju


    As mentioned by Sudhir & Naveen you will have to create a new role.


    This can be done in two steps.


    Step 1 Menu creation

    You need to add the transactions from the 30 old roles to the new role (wait with the new transaction until step 2 is done)


    In the menu of the new role you can import the menu/transaction from the 30 single roles to new single role

    If the menu is not on the composite role then pick the menus up from the single roles to the composite role and import the menus. You can now use the old composite role to copy from.

    select the menu/ transactions needed for the new roles menu and transfer them..


    Step 2 Authorization generation

    If the SU24 is correct you only need to generate the roles authorizations and add the organisational levels.


    OK if this is not the case then you need to import the profiles from the single roles into the new role.


    Go into the authorization tab and start with change authorizations


    Here you have the option for inserting authorizations from existing profiles related to the single roles.

    It's still a job to be done, but far from as long as comparing authorizations objects in 30 roles manually in cut&paste mode.

    When the role's authorization is generated you can add the new transactions you mentioned and see what SU24 suggest when changing the  authorizations again.

    Enjoy :-)

    BR Niels Knuzen

    Add comment
    10|10000 characters needed characters exceeded

    • Former Member Former Member

      Hi David

      This is also what I suggest in step 2 and I agree with you about the necessity to have SU24 updated because it helps consultant to reach an aligned result when setting up authorizations in PFCG.

      I just don't know the client Nagaraju is working for and whether they have an updated SU24, so I am not able to judge the volumen of the work related to start up with SU24. There is a lot of unanswered IF statements, which needs to be answered before I could make this judgement:

      • Is it the same organisational levels in the 30 roles which is merged into one role?
      • What is the deadline?
      • Is SU24 all ready maintained or are you starting up from scratch?
      • Does the consultant have the business knowledge related to the 30 roles or at least documentation related to them which can support him in setting up SU24?
      • Has the single roles, which is being merged been created with a lot of manually entries?
      • und so weiter.

      I have in case of limited time used the above steps with success. This is because I first generate the role based on all the transactions included in the roles menu (Step1), which at least will pick up the SU24 standard demands. Then I merged this profile with the old profiles from the single roles and handled the organisational levels.

      BR Niels Knuzen

  • avatar image
    Former Member
    Jan 09, 2014 at 10:08 AM

    Hi Nagaraju,

    Than to make it complex, I think it is better to create a new role of required T-codes and add that role in the complex role.

    Regards

    Sudhir Sadhu

    Add comment
    10|10000 characters needed characters exceeded

  • avatar image
    Former Member
    Jan 09, 2014 at 10:21 AM

    Hi Nagraju,

    I Do agree with above.

    As per your requirement create a new role for the required transactions..

    Regards

    Naveen

    Add comment
    10|10000 characters needed characters exceeded