Skip to Content
author's profile photo Former Member
Former Member

Version Control for Roles

Does anyone know of any good tools (3rd party or SAP) that allow version control of roles?

The issue we're facing is the ability to go back to a previous version of a given role (from 2 months or more ago).

My background is a developer (Microsoft toolset not SAP) turned SAP security admin and I'm missing the toolsets that used to be second nature for a developer. It appears that the ABAP development environment in SAP has similar types of functionality, but this functionality is missing for security roles.

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

5 Answers

  • Posted on Sep 18, 2008 at 04:27 PM

    You can use the Change Logs to see the history of changes if its for few roles and revert back the changes. But if its for a ton of roles do a Download of the roles to save the version. And when ever you want the older version from a certain time period delete the existing role and upload the Downloaded version from that time period.

    AB.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Sep 18, 2008 at 05:05 PM

    >

    > Does anyone know of any good tools (3rd party or SAP) that allow version control of roles?

    >

    > The issue we're facing is the ability to go back to a previous version of a given role (from 2 months or more ago).

    >

    > My background is a developer (Microsoft toolset not SAP) turned SAP security admin and I'm missing the toolsets that used to be second nature for a developer. It appears that the ABAP development environment in SAP has similar types of functionality, but this functionality is missing for security roles.

    Ed,

    You are absolutely correct the version control is missing on security roles.

    This is our work around. Part of our checklist process of changing roles is to first download the role to a share drive. In the event we need to restore from the old role we will simple upload and regenerate.

    Another solution is possible setting a security role backup client. Roles will be transported to this client before changes are made.

    Good Luck!

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Sep 18, 2008 at 09:04 PM

    The functionality you are looking for is available -- indirectly -- for roles. All you need to do to go back to prior "version" of a role is import old transport again. Of course, you need 1 transport per role so as not to bring in other unintentional objects. You won't be able to re-import it in development system because this ideally will be your system of origin for original transport. So you may have to re-import in say, a sandbox system and then download/upload into dev and then move ahead with a brand new transport.

    That being said, there are several reasons (audits, security governance, controls, ... to name a few) why one should NOT be switching back to older "version" of roles. Instead you would be better off changing the roles manually in development system and then transporting it up your landscape. This will maintain the sanctity of roles.

    You mentioned that you are a developer turned SAP Security Admin. It is but natural then that you seek tools such as these. Give it some time and as your experience in use of SAP security grows, you may realize that it is probably intentional that version control for roles is absent.

    Welcome to the world of security!

    Regards.

    Ashutosh

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Sep 22, 2008 at 12:28 PM

    A few of the suggestions provided are good and will be helpful.

    1) Downloading / Archiving the role before making any changes - Good concept and provides for some level of version control, but is a manual step the must be followed by everyone to ensure consistency.

    2) Importing prior transport into SBX system - Good concept and we already do one transport / role so this is a workable option. Something I hadn't thought of.

    3) Change logs - Good for indentifying who / when a change was made, but after doing security for 2.5 years it's very apparent that the change logs don't do a good job of telling the before / after picture. Anyone that uses this on a regular basis realizes that these entries aren't very good for addition of auth objects because they don't tell you what the initial values are in these cases.

    The primary use of a versioning tool isn't necessarily to roll back to a prior version (i.e. over-writing the current version), but to look at a prior version and see exactly how it was at a certain point in time. Change logs can be reverse engineered to some degree to work back into a past point in time, but having the snapshot in time tells you exactly and doesn't require the reverse engineering.

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on Sep 22, 2008 at 12:29 PM

    Solved (kind of)

    Add a comment
    10|10000 characters needed characters exceeded

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.