Solved: Roles with Active Object having Inactive Fields

madhusap · ‎12-08-2014

Hi All,

We have found a wierd scenario in some of our roles.

Issue is that a field within a object in inactive.

Example:

We have object I_KOSTL with below fields

1. KOKRS (Controlling Area)

2. KOSTL (Cost Center)

3. TCD (Transaction Code)

In the above 3 fields KOKRS (Controlling Area) field is inactive.

Basically this issue happened because of a program which customer IT team used while adding/removing tcodes from a role

Now I wanted to find out the list of all authorization objects in a role with any fields being inactive.

Since manually it is not possible to deactivate a field with in a object in PFCG and the above issue happened because of a program, Is there a way I can pull the report with Roles having objects

with inactive fields?

From AGR_1251 I am able to pull the objects with Inactive Fields, but it pulls all the objects with inactive fields. But my scenario is very specific where I need to pull the fields where object

is active and any field within that object is inactive.

Experts please advise

Regards,

Madhu.

Colleen · ‎12-08-2014

Hi Madhu

Basically this issue happened because of a program which customer IT team used while adding/removing tcodes from a role

Hope you are doing something about the custom program

To get a report you would need to join to table AGR_1250 which is the authorisation header table. Match the role, object, authorisation (cover multiple) against the AGR_1251 values. Then you can filter where AGR_1250 has DELETED <> X (Active) whilst AGR_1251 has DELETED = X (Inactive)

If you get a result, then you have an issue.

Regards

Colleen

Colleen · ‎12-08-2014

Hi Madhu

Basically this issue happened because of a program which customer IT team used while adding/removing tcodes from a role

Hope you are doing something about the custom program

To get a report you would need to join to table AGR_1250 which is the authorisation header table. Match the role, object, authorisation (cover multiple) against the AGR_1251 values. Then you can filter where AGR_1250 has DELETED <> X (Active) whilst AGR_1251 has DELETED = X (Inactive)

If you get a result, then you have an issue.

Regards

Colleen

madhusap · ‎12-08-2014

Hi Colleen,

Thanks for the details. I will try to fetch the data in the way you suggested and update you.

As far as the custom program is concerned, now the IT team stopped using it as they found some issues with it . Since there are many roles which got affected by the program, we are trying to pull out the roles with issues to decided on how to correct them.

Regards,

Madhu.

jurjen_heeck · ‎12-08-2014

Haha! I now see we've been typing the same solution

Colleen · ‎12-08-2014

Hey it might give Madhu confidence that two different people came up with same solution to identify impacts

madhusap · ‎12-09-2014

Thanks a lot Colleen

We are able to identify the roles with issues and now need to discuss on how to proceed with the changes.

Regards,

Madhu.

Colleen · ‎12-09-2014

If you never transported the corrupted roles to Production you might be able to download the previous versions and re-import

That, or see when roles were last transported and see if Basis can re-apply the transports to DEV?

Regards

Colleen

madhusap · ‎12-09-2014

Hi Colleen,

The situation is more worse as actually those corrupted roles were in production from past 5 years

Now I recently joined this project and when some users raised an issue we found that few roles are corrupted. Hence we wanted to identify the root cause for the issue and found that it has happened because of a custom program.

So, now since we got the list of roles, we will analyze and then we just need to discuss with IT team and then need to follow accordingly

Regards,

Madhu.

Colleen · ‎12-09-2014

Hey Madhu

those corrupted roles were in production from past 5 years

Ouch....If you have a heap of roles it might be easier to recommend a redesign and build of security. It does sound like the program must never be run again (more than like it doesn't call the BAPIs but is doing direct table updates).

I recommend you have a search through security space as your system won't be the only one in this situation.

Also, if it's taken 5 years to get to the bottom of this you can only image other build issues that are a problem

Good luck on resolving. Looks like you have a nice challenge.

Regards

Colleen

madhusap · ‎12-09-2014

Hi Colleen,

Thanks Colleen for your insights into our issue.

Exactly..that is our first proposal to the client but they didn't agree for it but discussions going on.

Parallely we are trying to show them the amount of work that would be involved in modifying the existing roles as there are nearly 20000 roles. So, we are preparing the root cause analysis and reports with all the role details.

Hopefully we should be able to convince the client

Regards,

Madhu.

jurjen_heeck · ‎12-08-2014

Hi Madhu,

I think you need to link AGR_1250 and AGR_1251 for this purpose.

Select & download all lines from AGR_1250 where DELETED<>"X" and all lines from AGR_1251 where DELETED = "X" for your roleset. If you match those two lists on fields OBJECT & AUTH you should have the set of objects with one or more deleted fields where the object itself isn't deleted entirely.

Hope this helps,

Jurjen

Former Member · ‎12-08-2014

Madhu

Send me the screenshot where the field values are showing u in a de-active condition,So we can check whether the authorization are any missing

Pavan Kumar