Former Member

Creating single role by copying profiles from other roles

Hi,

I am creating a single role from 4 roles. I have copied the authorizations of the 4 roles and added them into the new role. This is done by copying the profiles.

Problems faced:

1.) In table AGR_TCODES I am not able to see the Tcodes for this new single role present in the new role, whereas if I go to object S_TCODE I am able to see the tcodes and have that access.

2.) Some of the objects are not copied into this new role, even from the roles whose other objects are all copied into this role.

Can anybody help me with this, and also, does anyone know what other problems can be faced by doing this?

<removed_by_moderator>

Thanks,

Rajesh

Edited by: Julius Bussche on Oct 15, 2008 3:55 PM

6 Answers

  • Best Answer
    Former Member
    Oct 15, 2008 at 12:40 PM

    Hi Rajesh,

    I think the best way to create a single role copying the authorizations from other roles is as follows:

    1. Go to AGR_TCODES and fill in the roles you want to copy into the new role. This will output all the Tcodes present in the above roles. Download the tcodes into a spreadsheet.

    2. Go to PFCG and create a new role. Add the Tcodes from the spreadsheet into the Menu so that it will be reflected into AGR_TCODES table.

    3. Save the new role and go to Authorizations tab. Here you must see all the authorization objects check/maintained to the Tcodes. Fill in the Authorization values, save the new role and then generate the new role.

    4. Now if you go to AGR_TCODES and plug in the new role name, you must get all the Tcodes and also if you go to AGR_1251 table you must get all Authorization objects in that new role.

    Hope this helps.

    Regards,

    Kiran Kandepalli.

  • Former Member
    Oct 16, 2008 at 10:13 AM

    Hi Rajesh,

    I have to agree with Jan, take all of the S_TCODE values and add them in at menu level from PFCG. This is a fundamental SAP Security concept. The drawback of this "migration" is that it may cause problems when testing that the role still does what it's supposed to (and doesn't do what it's not). Basically, do not be surprised to have to do some SU53-based amendments - but this is normal.

    The payoff is that the role will be properly maintained, making any future troubleshooting for that role a lot easier, as the role will then contain the correct authorisation objects, allowing you to pinpoint authorisation objects for specific transaction code issues; also it will make your roles transparent from an audit / Compliance Calibrator point of view.

    There are a whole bunch of threads on this subject if you want more info - you are in the security forum, and the security community would all, I'm sure, STRONGLY ADVISE using PFCG for creating and maintaining SAP Access.

    Good Luck

    Cheers

    Steve

    • Former Member

      Hi Steve,

      Thanks for your response. I accept what you are saying is correct. But I have got limitations... I am building roles for a set of roles where the Tcodes are maintained in one set of roles. But the other set contains the objects and org level values. So I have to build roles from the combination of these two roles.

      So the only way I have of doing this is copying authorizations.

      Now can you please advise me what precautionary steps to follow, and whether there can be some issue in future while solving any authorization issue.

      It will be of great help if you explain with an example.

      Cheers,

      Rajesh

  • Former Member
    Oct 18, 2008 at 06:25 PM

    Hi,

    The simple way to create a new role by copying other roles is:

    1. Go to transaction PFCG

    2. Type the new role name that you want to create

    3. Go to Menu tab

    4. Click the option called "From other role"

    5. Select the role which you want to copy from

    6. This will allow you to even select the specific transactions that you want to bring into the new role, in case you don't want all the transactions to be copied.

    7. Save and generate the role by maintaining the authorization values.

    In this way, you can copy the roles and create a new role. If you follow these steps, you must be able to see the transactions under AGR_TCODES for the new role.

    Regards

    Anandm

  • Former Member
    Oct 15, 2008 at 12:08 PM

    Hi,

    1. AGR_TCODES only shows the transactions that exist in the menu of the role. A search of S_TCODE checks the authorizations of the role. If you have only copied the authorizations from the four roles, the menus have not been copied.

  • Former Member
    Oct 15, 2008 at 12:15 PM

    In table AGR_TCODES I am not able to see the Tcodes for this new single role present in the new role, whereas if I go to object S_TCODE I am able to see tcodes and have that access-

    Maybe some of the tcodes are manually entered in the S_TCODE authorization object. Check AGR_1251 with authorization object S_TCODE.

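The two answers above point at the same gap: AGR_TCODES lists only the role menu, while the S_TCODE values a role actually grants sit in AGR_1251. As an added example that is not part of the original thread, this script compares rows exported from both tables (for instance via SE16) and reports where the menu and the authorizations disagree. The role names, sample rows and function names are constructed for illustration; treating `DELETED = X` as inactive and comparing ranges as plain strings are assumptions.

```python
# Constructed sample rows shaped like exports of AGR_TCODES and AGR_1251.
ROLE = "Z_NEW_SINGLE"  # hypothetical role name
AGR_TCODES = [  # (AGR_NAME, TCODE): transactions in the role menu
    (ROLE, "VA03"),
    (ROLE, "ME23N"),
    ("Z_SOURCE_1", "MM03"),
]
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW, HIGH, DELETED)
    (ROLE, "S_TCODE", "TCD", "VA03", "", ""),
    (ROLE, "S_TCODE", "TCD", "MM03", "", ""),
    (ROLE, "S_TCODE", "TCD", "SU5*", "", ""),
    (ROLE, "S_TCODE", "TCD", "FB01", "FB03", ""),
    (ROLE, "S_TCODE", "TCD", "XK01", "", "X"),  # assumed inactive, ignored
    (ROLE, "M_BEST_EKO", "EKORG", "1000", "", ""),
]

def menu_tcodes(role, rows):
    """Transactions that PFCG recorded in the menu of the role."""
    return {tcode for agr, tcode in rows if agr == role}

def s_tcode_values(role, rows):
    """Active S_TCODE/TCD values of the role as sorted (low, high) pairs."""
    return sorted({(low, high) for agr, obj, field, low, high, deleted in rows
                   if agr == role and obj == "S_TCODE" and field == "TCD"
                   and deleted != "X"})

def covers(low, high, tcode):
    """True if one S_TCODE value (single, trailing-* pattern or range) allows tcode."""
    if high:
        return low <= tcode <= high  # plain string comparison (assumption)
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return tcode == low

def compare_menu_and_auth(role, tcode_rows, auth_rows):
    """Report S_TCODE values with no menu entry, and menu entries with no S_TCODE."""
    menu = menu_tcodes(role, tcode_rows)
    values = s_tcode_values(role, auth_rows)
    # Ranges and patterns are always reported: a menu entry is a single tcode.
    auth_not_in_menu = [f"{low}-{high}" if high else low for low, high in values
                        if high or low.endswith("*") or low not in menu]
    menu_not_authorized = sorted(t for t in menu
                                 if not any(covers(lo, hi, t) for lo, hi in values))
    return {"auth_not_in_menu": auth_not_in_menu,
            "menu_not_authorized": menu_not_authorized}

if __name__ == "__main__":
    print(compare_menu_and_auth(ROLE, AGR_TCODES, AGR_1251))
```

Entries under `auth_not_in_menu` are the access a review of AGR_TCODES alone would miss; entries under `menu_not_authorized` usually mean the profile has not been regenerated after a menu change.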

  • Former Member
    Oct 21, 2008 at 12:00 PM

    This message was moderated.
