
Creating single role by copying profiles from other roles

Former Member
0 Kudos

Hi,

I am creating a single role from 4 roles. I have copied the authorizations of 4 roles and added them into the new role. This is done by copying the profiles.

Problems faced:

1.) In table AGR_TCODES I am not able to see the Tcodes for this new single role present in the new role, whereas if I go to object S_TCODE I am able to see the Tcodes and have that access.

2.) Some of the objects are not copied into this new role. Even from the roles whose all other objects are copied into this role.

Can anybody help me on this and also if someone knows what other problems can be faced by doing this.

<removed_by_moderator>

Thanks,

Rajesh

Edited by: Julius Bussche on Oct 15, 2008 3:55 PM

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Rajesh,

I think the best way to create a single role copying the authorizations from other roles is as follows:

1. Go to AGR_TCODES and fill in the roles you want to copy into the new role. This will output all the Tcodes present in the above roles. Download the tcodes into a spreadsheet.

2. Go to PFCG and create a new role. Add the Tcodes from the spreadsheet into the Menu so that it will be reflected into AGR_TCODES table.

3. Save the new role and go to Authorizations tab. Here you must see all the authorization objects check/maintained to the Tcodes. Fill in the Authorization values, save the new role and then generate the new role.

4. Now if you go to AGR_TCODES and plug in the new role name, you must get all the Tcodes and also if you go to AGR_1251 table you must get all Authorization objects in that new role.

Hope this helps.

Regards,

Kiran Kandepalli.

16 REPLIES

Former Member
0 Kudos

Hi,

1. AGR_TCODES only shows the transactions that exist in the menu of the role. A search of S_TCODE checks the authorizations of the role. If you have only copied the authorizations from the four roles, the menus have not been copied.

Former Member
0 Kudos

In table AGR_TCODES I am not able to see the Tcodes for this new single role present in the new role, whereas if I go to object S_TCODE I am able to see the Tcodes and have that access.

Maybe some of the Tcodes are manually entered in S_TCODE authorization objects. Check AGR_1251 with authorization object S_TCODE.


0 Kudos

Hi,

Copying profiles is just working in the wrong direction. Profile authorization is done in the background. SAP has had the profile generator PFCG since release R/3 3.1i. In that you describe the role and fill it with the needed values. Then you have to go from the describing part to the generation part, the profiles. So if you want to do it the other way around, you get trouble with tables not matching each other. Do as said in the previous reaction and get your transactions into PFCG and add your values.

Have fun

Bye Jan van Roest

0 Kudos

Hi all,

Thanks for your help, but I am still not near to my answer.

The only way I have for creating a role is by copying the profiles, because there are some roles which do not have any Tcode and have only objects. So the only possible way is by adding authorizations.

Now, tell me: if I have created a role by copying authorizations, is it possible to get the Tcodes? If yes, then how?

SUIM is one of the options; let me know if that is reliable enough.

My second question: there is one role created by some user. I am checking it in AGR_TCODES and SUIM, and I am finding that the number of Tcodes in both cases does not match. Can anybody tell me where I can look for this and what the possible reason is?

Regards,

Rajesh Nanda.

0 Kudos

Hi Rajesh,

If you have created a role by copying authorizations, then it is possible to get the t-codes provided your role contains the auth.obj S_TCODE which you might have copied manually from one or two among the 4 roles.

If S_TCODE exists in your role then you can find out the t-codes belonging to this role through SUIM->Transactions->Executable for Roles-> Insert your role name

or

Go to SE16-> Table AGR_1251->

In the field AGR_NAME, give the role name

In the field OBJECT, enter S_TCODE and then

Execute.

Q. My second question: there is one role created by some user. I am checking it in AGR_TCODES and SUIM, and I am finding that the number of Tcodes in both cases does not match. Can anybody tell me where I can look for this and what the possible reason is?

Possible reasons for this could be that some of the t-codes have been entered into the role manually and not through the menu in PFCG and, as mentioned earlier, AGR_TCODES only shows the transactions that exist in the menu of the role.

It could also be that the manually entered t-codes contain wildcards specifying a range of values.

The best option would be to find it out from the AGR_1251 table.

Hope this helps !

Thanks,

Saby..
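The reconciliation described in the reply above, as an added example that is not part of the original thread: it compares a role's menu transactions (AGR_TCODES) with its S_TCODE values (AGR_1251) and reports where they diverge. The rows are constructed sample data shaped like SE16 exports; the role name `Z_NEW_ROLE`, the column order, the `TCD`/`LOW`/`HIGH` columns, and the simplified wildcard and range matching are assumptions of this sketch.

```python
# Constructed sample rows standing in for SE16 downloads of the two tables.
AGR_TCODES = [  # menu transactions: (AGR_NAME, TCODE)
    ("Z_NEW_ROLE", "VA01"),
    ("Z_NEW_ROLE", "VA03"),
]
AGR_1251 = [  # authorization values: (AGR_NAME, OBJECT, FIELD, LOW, HIGH)
    ("Z_NEW_ROLE", "S_TCODE", "TCD", "VA01", ""),
    ("Z_NEW_ROLE", "S_TCODE", "TCD", "SU01", ""),       # entered manually
    ("Z_NEW_ROLE", "S_TCODE", "TCD", "ME2*", ""),       # wildcard value
    ("Z_NEW_ROLE", "S_TCODE", "TCD", "FB01", "FB03"),   # from-to range
    ("Z_NEW_ROLE", "M_BEST_EKO", "EKORG", "1000", ""),  # other object, ignored
]

def s_tcode_values(role, agr_1251):
    """Return the (LOW, HIGH) pairs of S_TCODE/TCD for one role."""
    return [(low, high) for name, obj, field, low, high in agr_1251
            if name == role and obj == "S_TCODE" and field == "TCD"]

def covers(value, tcode):
    """Simplified match: range, trailing-* prefix, or exact value."""
    low, high = value
    if high:
        return low <= tcode <= high      # character-wise range comparison
    if "*" in low:
        return tcode.startswith(low.split("*")[0])
    return low == tcode

def reconcile(role, agr_tcodes, agr_1251):
    """Report where the role menu and its S_TCODE values disagree."""
    menu = {t for name, t in agr_tcodes if name == role}
    values = s_tcode_values(role, agr_1251)
    report = {
        # In the menu, but no S_TCODE value grants it (start will fail).
        "menu_not_authorized": sorted(
            t for t in menu if not any(covers(v, t) for v in values)),
        "authorized_not_in_menu": [],  # invisible when only AGR_TCODES is read
        "broad_values": [],            # wildcards/ranges need manual review
    }
    for low, high in values:
        if high or "*" in low:
            report["broad_values"].append(f"{low}-{high}" if high else low)
        elif low not in menu:
            report["authorized_not_in_menu"].append(low)
    return report

if __name__ == "__main__":
    print(reconcile("Z_NEW_ROLE", AGR_TCODES, AGR_1251))
```

Any entry under `authorized_not_in_menu` or `broad_values` is access that a review based only on AGR_TCODES would miss.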

0 Kudos

Hi Friends,

Thanks a lot for your efforts. One more question: what possible problems can be found due to this migration?

Former Member
0 Kudos

Hi Rajesh,

I have to agree with Jan: take all of the S_TCODE values and add them in at menu level from PFCG. This is a fundamental SAP Security concept. The drawback of this "migration" is that it may cause problems when testing that the role still does what it's supposed to (and doesn't do what it's not). Basically, do not be surprised to have to do some SU53-based amendments, but this is normal.

The payoff is that the role will be properly maintained, making any future troubleshooting for that role a lot easier, as the role will then contain the correct authorisation objects, allowing you to pinpoint authorisation objects for specific transaction code issues; also it will make your roles transparent from an audit / Compliance Calibrator point of view.

There are a whole bunch of threads on this subject if you want more info - you are in the security forum, and the security community would all, I'm sure, STRONGLY ADVISE using PFCG for creating and maintaining SAP access.

Good Luck

Cheers

Steve

0 Kudos

Hi Steve,

Thanks for your response. I accept that what you are saying is correct. But I have got limitations: I am building roles from sets of roles where the Tcodes are maintained in one set of roles, but the other set contains the objects and org level values. So I have to build roles from the combination of these two roles.

So the only way I have of doing it is copying authorizations.

Now can you please advise me what precautionary steps to follow, and whether there can be some issue in future while solving any authorization issue?

It will be of great help if you explain with an example.

Cheers,

Rajesh

Former Member
0 Kudos

Hi,

The simple way to create a new role from copying other roles is that:

1. Go to transaction PFCG

2. Type the new role name that you want to create

3. Go to Menu tab

4. Click the option called "From other role"

5. Select the role which you want to copy from

6. This will allow you to even select the specific transactions that you want to bring into the new role, in case you don't want all the transactions to be copied.

7. Save and generate the role by maintaining the authorization values.

In this way, you can copy the roles and create a new role. If you follow these steps, you must be able to see the transactions under AGR_TCODES for the new role.

Regards

Anandm
