05-26-2010 7:36 AM
Dear All,
I am unable to generate mass profile for customize roles in SUPC.After pressing Generate button its showing "Choose at least One role".
05-26-2010 7:40 AM
Hi Pinaki,
What are the selections that you have made in SUPC for mass-generation?
Once you have made the selections in SUPC and pressed on execute, you will get a list of roles.
You will need to select the profiles in the list , you want to be generated. The one's with " yelow" status are not generated.
After you have made this selection, you need to press generate.
Regards,
Manisha
Edited by: Manisha Nadir on May 26, 2010 12:11 PM
05-26-2010 7:49 AM
05-26-2010 8:09 AM
Hi Pinaki,
You can read the status text for it.
Yellow- No current profile ( changes made in the auth data but profile not generated)
Green- Profile generated
Red- No Auth Data ( If you go into role and check , it won't contain any auth data in it )
Hope this helps.
Regards,
Manisha
05-26-2010 8:22 AM
We are able to generate this uploaded roles one by one using pfcg though the status of this roles are red.but we are unable to mass generate this uploaded roles.
05-26-2010 8:28 AM
Hi Pinaki,
As long as the role does not contain any active authorization( Status Red) , you won't be able to generate the profile, be it through pfcg one by one or in mass by SUPC.
Regards,
Manisha
05-26-2010 8:34 AM
Hi Manisha,
This is the issue that i can not mass generate those roles using SUPC.Its showing "Choose At least one role"
Reagard
Pinaki
05-26-2010 8:48 AM
Hi Pinaki,
All the roles with status red do not contain any authorization data in them so how will the profiles be generated. You need to first maintain something in them , then generate the profile. What is the point of generating the profiles if these roles are empty.
Regards,
Manisha
05-26-2010 9:16 AM
Hi Pinaki,
This issue is very common and thats the reason its always advisable to transport the roles from one system to the other instead of using upload/download option. If the number of roles is less then you can use upload/download option.
Also if you do not want to go with the transport option either then you can try creating a CAT/Ecatt script to mass generate the roles. This will reduce your manual effort. Search for "How to create an Ecatt script" if you want to know the same.
05-26-2010 9:21 AM
Hi,
If the roles are directly uploaded to a system and not transported , the profiles will have a " yellow" status in the target system and not the "red" one which Pinaki is getting right now , simply because the roles are empty with no authorization data in them.
Regards,
Manisha
05-26-2010 9:58 AM
Hi Manisha,
If you can do the testing yourself, then try downloading derived roles in huge numbers ( say: 400) and then upload them in SAP system. you might get to see an issue that the drived roles are uploaded without any profiles i.e "Red" in SAP.
05-26-2010 10:16 AM
Hi,
I think I just forgot the derived roles part . You are right, if the red status is for derived roles, it has to be because of direct upload to the system.
Thanks and Regards
Manisha
05-26-2010 12:01 PM
Hi Pinaki
If you have done a download of roles. Did you take care of the following points while downloading the roles.
" To prevent inconsistent data, all roles from which this role is derived
are also downloaded to the file.
When downloading composite roles, all the single roles contained in the
composite roles are downloaded as well."
If yes your roles should not have a red status once uploaded.
Red status of the roles in trxn SUPC is because of 2 reasons.
1. Roles does not contain any auth object(Shell role)
2. One or more org level values of the role is not maintained
In the second case you need to maintain the org level values in the role before it is generated.
Hope this helps.
Thanks.
Anjan
01-13-2011 5:05 PM
Hi all,
Thanks for reply.After doing some rnd i get alternate option.
Regards,
Pinaki
01-13-2011 5:37 PM
Hi Pinaki
May I ask how you solved the problem please?
Many thanks
David
Edited by: David Berry on Jan 13, 2011 5:37 PM
03-21-2011 9:22 PM
Hi Pinaki ,
Can you please tell us what is the alternative solution you found .
Thanks
Rakesh
03-21-2011 9:40 PM
Pinaki seems to have gone AWOL
There is a report but I cannot remember the exact name, it is however in the PFCG packages somewhere. What it does is that it deletes all the profiles and profile data of the roles withou touching the AGR* tables (ie. the data which you see when opening the authorizations tab in PFCG). Org. levels also remain intact.
You can then mass generate from SUPC again.
It is usefull for renaming generated profiles to the sequential numbered ones when clowns decided that they should have the same names as the lots of little roles they built, albeit 16 characters shorter...
I faintly suspect that your question may infact be related to incomplete upgrade steps (in SU25) and you are trying to use SUPC to help here. You can use it for parts of step 2C, but you must first be 100% sure of what you have done on 2B and that your roles are super sexy standard authorization instances... --> then it works like a charm
Hope that helps you,
Julius
03-22-2011 12:47 PM
Hey julius,
This is because of data incosintency.. if lesser role ,you can just edit status of role in PFCG, and generate profile.
This normally happens Either you have done EHP upgrade or system Upgrade..
thats As per my thinking..
Thanks,
PKP
03-22-2011 6:39 PM
Hi PKP
We removed the ability to generate in production after restricting S_USER_SAS, if there is a problem during transports which leaves PRD with 'to adjust' etc and DEV, QAS are fine then (to me anyway) fixing directly in prod and saying 'that'll do' seems to be asking for trouble at the next transport?
Derived roles are more trouble than they are worth.
Cheers
David
03-22-2011 6:46 PM
Hi Julius
I think we looked at this a while ago and it related to transports of one set of derived without also including the other sets of derived? As they move through the landscape they lose the generated profile. At least one we found was due to an unsupported object which was never proven.
The fiddle of making the profile the samish as the role name has been replicated in my current client until they realised that their 30 character roles couldn't be handled as easily as the 10 character role names from a previous client (there appears to have been a few converstaions between each companies auth consultants offering advice which didn't work/was not compatible but was fun to see)
Cheers
David
04-27-2011 5:46 AM
Hi,
You cannot execute mass generation when you select 'All Roles' in the first screen of transaction SUPC.
You need to select 'Roles with Current Profiles for New Generation' in the first screen of transaction SUPC to enable the mass generation.
Best regards,
Akira
04-28-2011 10:51 PM
Hi Akira
Yes but I was wondering if the OP had found a work-around to this.
Regards
David
04-28-2011 11:05 PM
A brave route is to delete the profiles on mass and then mass regenerate. You can even do this in PROD to improve transport performance, but you must be sure that SU24 is perfect.
But as mentioned before, you have to be very sure about what is going to happen and who is changing roles, otherwise all hell breaks loose.
Opening roles in "Edit old status" and then transporting them as a habit in role maintenance is not a good symptom to use this approach - as an example.
If you have used SU24 and do keep the role proposals intact, then it works very nicely and you can upgrade all your roles in about 1 day - max 1 week.
If you want to do a lot of checks against historic Excel lists and manual regression testing (with manual / changed authorizations which are divorced from the menus) then you are looking at between 1 month and forever to upgrade the roles...
For me, the concept of "forever maintenance" means start over from scratch in the design.
Cheers,
Julius
Edited by: Julius Bussche on Apr 29, 2011 12:06 AM
03-25-2011 4:59 PM
I've been through this before and it was exactly how Julius mentioned. After an upgrade and got to 2C of SU25 and all my roles were changed. Wanted to mass generate profiles on many but when attempting only received "choose at least one role". Couldnt figure out why I couldnt mass generate so ended up going into each and generating. It was a pain in the arse. Please tell me if anyone figured out way around this exact issue.
03-25-2011 7:21 PM
If you ensure that your roles can all be opened in expert mode with merge new before the upgrade, then you can invest time in step 2b such that you know what you want in 2c.
Then, instead of 2c use SUPC.
Building bigger and better single roles via menus with carefull su24 proposals does work, and you can complete the security upgrade tasks in about 2 or 3 days for a large system.
One of my customers has 16 million users in SU01. We upgraded SU25 in 2 days because the roles where all standard authorizations.
Cheers,
Julius
11-13-2015 12:39 PM
Check next SAP note
2152512 - SUPC: Incorrect system message after unsuitable role selection
08-10-2022 3:14 PM
Is it S4HANA? or GUI 7.6 use Control button on keyboard to select multiple roles