01-14-2009 2:43 PM
Hello experts !
I have one question regarding transactions: How many transactions can we add in one role? Is there a limit?
I have a display role with a * and I want instead to add all the transactions manually, except those that are defined as Critical (814). Total number of transactions in our system is around 80000. I will use a cat script to add these transactions in the role. I am quite sure, although, that not all transactions are used, but this is a solution of a minimum risk, succeeding the expected results in a short amount of time.
Thanks for your help
david
01-14-2009 4:17 PM
Hi David
Why don't you take a different approach? Analyse the transaction usage in ST03n - switching to expert mode will allow you to see what has been run in the past by month, week, day.
Export the list of used transactions to a spreadsheet and do a comparison using a vlookup formula between your list of 80,000 and the list extracted from ST03n - that way you get only the transactions used. I know that you want a quick solution, but does it really make sense including redundant transactions in your role? Do you intend to test these redundant transactions? Do you know what data the redundant transactions give access to? In my experience, auditors have made recommendations for all redundant transactions to be removed.
But to answer your question:
> How many transactions can we add in one role ? is there a limit ?
No, I don't believe there is, but I have never tried to find out.
Regards
Charmaine
01-14-2009 9:32 PM
> > How many transactions can we add in one role ? is there a limit ?
>
> No I don't believe there is but I have never tried to find out
It depends on the length of the names of the transactions.
The 'VON' field of an authorization does not go on forever...
So the system generated new authorizations with corresponding single profiles, but it will reach a limit there as well.
My advice would be to give the users single transaction values which are "core transactions" and make sure they have the correct authority to use them (which is different to just starting a transaction code...)
Chances are good that many of these "core transactions" which make the correct checks, are included in the list of 814 critical ones.
Chances are even better that the remainder do not make granular checks or any checks at all even in some cases, as they were never intended to be submitted on their own.
Is this for some sort of "Display All" role?
Cheers,
Julius
01-15-2009 6:47 AM
>It depends on the length of the names of the transactions.
>The 'VON' field of an authorization does not go on forever...
>So the system generated new authorizations with corresponding single profiles, but it will reach a limit there as well.
Hi Julius,
Please can you provide more clarification on this?
Thanks & Regards,
Subbu
01-15-2009 7:07 AM
Hi Charmaine ,
thank you very much for your useful information. I will try this approach you described, because just adding so many transactions doesn't make sense after giving some thought. I suppose the objects that will be added in the role, if it would be technically possible, would take enormous amount of time... so your solution is more kinda logical.
@ Julius: I suppose by saying core transactions you mean the ones that can have others linked, depending on the functionality of the transaction? This is also a good way to eliminate the large number I exported. And yes, it's a sort of a display all role, mostly for the IT people and SAP CCC.
I will check now over ST03n which transactions have been used in the last month..
Thank you all for your time
Cheers ,
David
01-15-2009 9:14 AM
Hi Subbu,
please refer to SAP Note 410993 (https://service.sap.com/sap/support/notes/410993) for more details.
Combining the calculation of point 2 and 3 you will also get a rough number of transactions which can be added into one role (regarding the object S_TCODE).
In general the use of intervals can override such limitations, but as already mentioned in some other threads, this has also disadvantages.
b.rgds,
Bernhard
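Added example, not part of any post in this thread: a Python version of the comparison Charmaine describes (full transaction list against the ST03N export, minus the critical codes), extended to the interval idea Bernhard mentions by merging codes into ranges only where no unselected code sorts in between. The transaction lists, the choice of "critical" codes and the function names are constructed for illustration.

```python
# Added example. All names and sample data are constructed for illustration.
ALL_TCODES = ["FB03", "ME23N", "MM03", "SE16", "SM30",
              "SM37", "SU01", "SU53", "VA03", "XD03"]    # full list (80,000 in the thread)
USED = ["fb03", "MM03 ", "SE16", "SM37", "SU01",
        "SU53", "VA03", "ZOLD"]                          # as exported from ST03N
CRITICAL = ["SE16", "SU01"]                              # stand-in for the 814 critical codes


def normalize(tcodes):
    """Strip and upper-case transaction codes, dropping blank entries."""
    return {t.strip().upper() for t in tcodes if t.strip()}


def used_noncritical(all_tcodes, used, critical):
    """Codes that exist in the system, were actually run, and are not critical."""
    return (normalize(all_tcodes) & normalize(used)) - normalize(critical)


def safe_intervals(all_tcodes, allowed):
    """Collapse allowed codes into (from, to) pairs for S_TCODE.

    A range is extended only while the next code in the sorted full list is
    also allowed, so no range covers an existing code that was not selected.
    Assumes plain ASCII ordering of transaction codes.
    """
    allowed = normalize(allowed)
    ranges, start, prev = [], None, None
    for code in sorted(normalize(all_tcodes)):
        if code in allowed:
            start = code if start is None else start
            prev = code
        elif start is not None:
            ranges.append((start, prev))
            start = None
    if start is not None:
        ranges.append((start, prev))
    return ranges


if __name__ == "__main__":
    keep = used_noncritical(ALL_TCODES, USED, CRITICAL)
    print(sorted(keep))
    print(safe_intervals(ALL_TCODES, keep))
```

A range still matches any transaction created later whose name sorts between its bounds, so generated ranges need re-checking after transports or upgrades.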
01-15-2009 9:40 AM
Hi Subbu
> So the system generated new authorizations with corresponding single profiles, but it will reach a limit there as well.
Check out OSS Note 410993 and 841612 to answer the above. You should find the answer in these notes.
Regards
Charmaine
01-15-2009 9:47 AM
Hi
please refer to SAP Note 410993 for more details
Oops - this was already posted.
Apologies.
Charmaine
01-15-2009 11:10 AM
I guess you got your answer, otherwise see SAP Note 410993 ...
Cheers,
Julius
01-15-2009 11:11 AM
> @ Julius: I suppose by saying core transactions you mean the ones that can have others linked, depending on the functionality of the transaction? This is also a good way to eliminate the large number I exported. And yes, it's a sort of a display all role, mostly for the IT people and SAP CCC.
I mean transactions such as SM30, or MIGO, or (because you are going to ask sooner or later anyway...) SPRO.
Cheers,
Julius
01-15-2009 12:12 PM
Hi Bernhard/Charmaine,
Thank you very much... I am now able to understand the logic.
So, the flow would be maximum number of authorization values per authorization, which is 3750.
If this value is exceeded for a single field object like S_TCODE in our case, PFCG will generate another authorization, maximum up to 150 authorizations, after which a new profile will get auto-generated.
So, now the question is what would be the maximum number of profiles that a role can contain. This will probably now depict the maximum number of transactions that can be added to a role. Please correct me if I am wrong... and if I am right then what's the answer :-)
01-15-2009 3:09 PM
> ...and if I am right then what's the answer:-)
Search the forum for "312" and keep an eye out for Jurjen and Bernhard
Cheers,
Julius
01-16-2009 9:18 AM
Hi Julius,
I tried searching the forum for "312" but could not find any thread that would answer the question. Please can you send me the link.
Regards,
Subbu
01-16-2009 9:59 AM
Hi Subbu,
It is mentioned in the same SAP note above, and also in .
Cheers,
Julius
01-16-2009 1:30 PM
Hello Julius,
I was going through this thread and, out of interest, I wonder: as per the thread discussion, there is no cap on the maximum number of roles but a cap on the profiles, i.e. 312....
My question is, what would happen if there are more than 312 profiles for a user because of the roles assigned?
1. Would the system throw an exception (pop up dialog), or
2. would it just not take into consideration the authorizations from the profiles exceeding the limit
Point number 2 came to my mind because a year ago I was working on 3.1I Security administration (using Profiles [SU02] instead of roles [PFCG]) and I came across a case where a user has authorization for a particular object but he kept getting an error for that object. On checking, I found in SU56 buffer for the user that the system was truncating a large number of authorizations, obviously from profiles assigned over the limit.
So, does a truncate happen or an exception?
Regards,
Prashant
01-16-2009 3:38 PM
Hi Prashant,
SU01 will throw a message at you:
CALL FUNCTION 'SUSR_USER_PROFS_BUFFER_TO_DB'
  EXCEPTIONS
    too_many_profiles = 1
    others            = 2.
IF sy-subrc = 1.
* Maximum number of profiles exceeded for user &
  MESSAGE i263 WITH user_name.
=> Maximum number of profiles for user & exceeded.
But as you mentioned, using SU02 or possibly even subsequent increases to the profile number of a role already assigned, this might be possible.
In earlier releases, you will probably have reached the limits of the DB table some time soon after anyway.
Now, I think eventually you will reach the performance tolerance limits for an authority-check in a system with such a concept in place.
It would need to be renamed "the user buffer for slow logons"
Cheers and enjoy the weekend,
Julius