Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Version Control for Roles

Former Member
0 Kudos

Does anyone know of any good tools (3rd party or SAP) that allow version control of roles?

The issue we're facing is the ability to go back to a previous version of a given role (from 2 months or more ago).

My background is a developer (Microsoft toolset not SAP) turned SAP security admin and I'm missing the toolsets that used to be second nature for a developer. It appears that the ABAP development environment in SAP has similar types of functionality, but this functionality is missing for security roles.

5 REPLIES 5

former_member248712
Active Participant
0 Kudos

You can use the Change Logs to see the history of changes if its for few roles and revert back the changes. But if its for a ton of roles do a Download of the roles to save the version. And when ever you want the older version from a certain time period delete the existing role and upload the Downloaded version from that time period.

AB.

Former Member
0 Kudos

>

> Does anyone know of any good tools (3rd party or SAP) that allow version control of roles?

>

> The issue we're facing is the ability to go back to a previous version of a given role (from 2 months or more ago).

>

> My background is a developer (Microsoft toolset not SAP) turned SAP security admin and I'm missing the toolsets that used to be second nature for a developer. It appears that the ABAP development environment in SAP has similar types of functionality, but this functionality is missing for security roles.

Ed,

You are absolutely correct the version control is missing on security roles.

This is our work around. Part of our checklist process of changing roles is to first download the role to a share drive. In the event we need to restore from the old role we will simple upload and regenerate.

Another solution is possible setting a security role backup client. Roles will be transported to this client before changes are made.

Good Luck!

Former Member
0 Kudos

The functionality you are looking for is available -- indirectly -- for roles. All you need to do to go back to prior "version" of a role is import old transport again. Of course, you need 1 transport per role so as not to bring in other unintentional objects. You won't be able to re-import it in development system because this ideally will be your system of origin for original transport. So you may have to re-import in say, a sandbox system and then download/upload into dev and then move ahead with a brand new transport.

That being said, there are several reasons (audits, security governance, controls, ... to name a few) why one should NOT be switching back to older "version" of roles. Instead you would be better off changing the roles manually in development system and then transporting it up your landscape. This will maintain the sanctity of roles.

You mentioned that you are a developer turned SAP Security Admin. It is but natural then that you seek tools such as these. Give it some time and as your experience in use of SAP security grows, you may realize that it is probably intentional that version control for roles is absent.

Welcome to the world of security!

Regards.

Ashutosh

Former Member
0 Kudos

A few of the suggestions provided are good and will be helpful.

1) Downloading / Archiving the role before making any changes - Good concept and provides for some level of version control, but is a manual step the must be followed by everyone to ensure consistency.

2) Importing prior transport into SBX system - Good concept and we already do one transport / role so this is a workable option. Something I hadn't thought of.

3) Change logs - Good for indentifying who / when a change was made, but after doing security for 2.5 years it's very apparent that the change logs don't do a good job of telling the before / after picture. Anyone that uses this on a regular basis realizes that these entries aren't very good for addition of auth objects because they don't tell you what the initial values are in these cases.

The primary use of a versioning tool isn't necessarily to roll back to a prior version (i.e. over-writing the current version), but to look at a prior version and see exactly how it was at a certain point in time. Change logs can be reverse engineered to some degree to work back into a past point in time, but having the snapshot in time tells you exactly and doesn't require the reverse engineering.

Former Member
0 Kudos

Solved (kind of)