
Transporting Roles - Best Practices?

Dear All,

I have been practicing SAP Security for almost 4 years now. I want to know if you have any SAP-provided documents or SAP Notes which describe the proper and best way of transporting roles in an ABAP-based system. What I commonly do right now is based on the specific security change being made. I am citing a few examples:

1. Addition of transaction codes to roles - I include all the derivatives including the parent role in the transport request.

2. Addition of Organizational Values to Organizational Units - I still include all the derivatives and the parent role in the transport request.

I went to a colleague of mine, working on a separate engagement, who told me that in example no. 2 you should only transport the role you have modified in the transport request.

Hoping someone can share anything about transporting roles; SAP-provided documents would be a big help! 😊

Thanks in advance.

2 Answers

  • Best Answer
    Former Member
    Posted on Jul 22, 2014 at 11:04 AM

    Best Practices for Roles Transport in AS ABAP system

    Guidelines for role transports

    1.1 Single role

    For a single role change, transport in the standard way.

    1.2 Parent and child roles

    For parent and child roles the different scenarios are:

    Scenario-1. Addition of T-code and Authorization Object

    We are adding a T-code in the parent role and distributing it to all child roles. In this case we will create a transport for the parent and all child roles. (If we are putting in all child roles, the parent role gets added automatically.)

    Scenario-2. Addition of Org Level in Child Role.

    The child role, as per the mechanism, is only for org level maintenance, so when we are making changes in the org level of any child role we can transport only that child role. Again, that child role will call the parent role into the transport automatically.

    Important note: To avoid confusion and misbehavior in case of a large number of role changes of the parent and child nature, we should include all child roles in the transport.

    1.3 Composite and single roles

    For single and composite roles the different scenarios are:

    Scenario-1. Addition of T-code and Authorization Object.

    The addition of a T-code or authorization object in a single role which is part of a composite role can be added individually to the transport.

    Scenario-2. Creation of new single role and adding to existing composite role.

    We have created a new role and added it as a part of a composite role. In this case we need to add the single role and also the composite role to the transport without checking the option "Also Transport Single Roles from Composite Roles".

    Scenario-3. Creation of new composite and all its new single roles.

    We have created a new role and added it as a part of a composite role. In this case we need to add the composite role to the transport without checking the option "Also Transport Single Roles from Composite Roles". This option will take all its single roles.

    Scenario-4. Adding or deleting existing single role in composite role.

    In this case we need to add only the composite role without checking the check box "Also Transport Single Roles from Composite Roles".

    Scenario-5. Composite roles of BW system

    In a BW system, composite roles always need to be moved without checking the check box "Also Transport Single Roles from Composite Roles", as in BW there are roles which are supposed to be allowed to be edited by the query designer and administrator directly in production. They are adding new queries to the role menu on a daily basis, which they are not maintaining in Dev and Test, and the composite with the option "Also Transport Single Roles from Composite Roles" checked will spoil the roles.


  • Posted on Jul 22, 2014 at 05:11 AM

    Hi Santi,

    You can transport the authorization components, roles and user master records between the SAP systems or between clients within an SAP system.

    Please have a look at Transporting and Distributing Roles - Identity Management - SAP Library document for more information.

    If you want to transport manually created profiles, then Transporting Manually-Created Profiles - Identity Management - SAP Library document would be helpful. For transporting manually created roles, check Transporting Manually-Created Authorizations - Identity Management - SAP Library document.

    There are also some other useful documents in the library: Role Administration Functions - Identity Management - SAP Library.

    BR,

    Alper Somuncu


    • Hi,

      There are pros and cons to both approaches. I take the view that it is dependent on the change & you'll struggle to find an authoritative documented source on it.

      As you are using derived roles then absolutely transport everything if you add/remove a transaction or change an auth field value. If you don't, your derived roles will get out of sync and you'll start getting error flags.

      If you are just changing an org level then you are not affecting any of the other roles that belong to that parent. Transporting the single role is more than acceptable. Your current process won't cause any harm but it will take a longer time & depending on your release there may be user compare shenanigans required.

      Cheers
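
As an added illustration, not code from any poster in this thread or from SAP: a small check that compares a transport's role list against the guidance above for derived roles (a menu or authorization change carries the whole parent/derived family; an org-level-only change carries just that role). The role names and the (role, parent) pairs are constructed; such pairs are assumed to come from an export of the role definitions, for example the PARENT_AGR column of table AGR_DEFINE.

```python
from collections import defaultdict

# Constructed sample data (hypothetical role names).
# (role, parent) pairs; parent is "" for roles that are not derived.
ROLE_PARENTS = [
    ("Z_FI_AP_CLERK", ""),
    ("Z_FI_AP_CLERK_1000", "Z_FI_AP_CLERK"),
    ("Z_FI_AP_CLERK_2000", "Z_FI_AP_CLERK"),
    ("Z_FI_AP_CLERK_3000", "Z_FI_AP_CLERK"),
    ("Z_MM_BUYER", ""),
]

MENU_OR_AUTH = "menu_or_auth"  # T-code or authorization value changed
ORG_LEVEL = "org_level"        # only org level values of a derived role changed


def build_family_index(role_parents):
    """Return (parent_of, children_of) lookups from (role, parent) pairs."""
    parent_of, children_of = {}, defaultdict(set)
    for role, parent in role_parents:
        parent_of[role] = parent or None
        if parent:
            children_of[parent].add(role)
    return parent_of, children_of


def required_roles(changes, role_parents):
    """Roles the transport should carry for the given {role: change_kind}."""
    parent_of, children_of = build_family_index(role_parents)
    needed = set()
    for role, kind in changes.items():
        if role not in parent_of:
            raise KeyError(f"unknown role: {role}")
        needed.add(role)
        if kind == MENU_OR_AUTH:
            # Whole family: the parent plus every role derived from it,
            # so derived roles do not drift out of sync after import.
            parent = parent_of[role] or role
            needed.add(parent)
            needed |= children_of.get(parent, set())
        elif kind != ORG_LEVEL:
            raise ValueError(f"unknown change kind: {kind}")
    return needed


def missing_from_transport(changes, transport_roles, role_parents=ROLE_PARENTS):
    """Sorted list of roles that should be in the transport but are not."""
    return sorted(required_roles(changes, role_parents) - set(transport_roles))
```

An empty result means the transport's role list matches the rule set encoded here; it does not inspect the transport request itself.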
