In case of RED status,what to do

Hi Pinaki,

You can read the status text for it.

Yellow- No current profile ( changes made in the auth data but profile not generated)

Green- Profile generated

Red- No Auth Data ( If you go into role and check , it won't contain any auth data in it )

Hope this helps.

Regards,

Manisha

We are able to generate this uploaded roles one by one using pfcg though the status of this roles are red.but we are unable to mass generate this uploaded roles.

Hi Pinaki,

As long as the role does not contain any active authorization( Status Red) , you won't be able to generate the profile, be it through pfcg one by one or in mass by SUPC.

Regards,

Manisha

Hi Manisha,

This is the issue that i can not mass generate those roles using SUPC.Its showing "Choose At least one role"

Reagard

Pinaki

Hi Pinaki,

All the roles with status red do not contain any authorization data in them so how will the profiles be generated. You need to first maintain something in them , then generate the profile. What is the point of generating the profiles if these roles are empty.

Regards,

Manisha

Hi,

If the roles are directly uploaded to a system and not transported , the profiles will have a " yellow" status in the target system and not the "red" one which Pinaki is getting right now , simply because the roles are empty with no authorization data in them.

Regards,

Manisha

Hi Manisha,

If you can do the testing yourself, then try downloading derived roles in huge numbers ( say: 400) and then upload them in SAP system. you might get to see an issue that the drived roles are uploaded without any profiles i.e "Red" in SAP.

Hi,

I think I just forgot the derived roles part . You are right, if the red status is for derived roles, it has to be because of direct upload to the system.

Thanks and Regards

Manisha

Hi Pinaki

May I ask how you solved the problem please?

Many thanks

David

Edited by: David Berry on Jan 13, 2011 5:37 PM

Hi Pinaki ,

Can you please tell us what is the alternative solution you found .

Thanks

Rakesh

Pinaki seems to have gone AWOL

There is a report but I cannot remember the exact name, it is however in the PFCG packages somewhere. What it does is that it deletes all the profiles and profile data of the roles withou touching the AGR* tables (ie. the data which you see when opening the authorizations tab in PFCG). Org. levels also remain intact.

You can then mass generate from SUPC again.

It is usefull for renaming generated profiles to the sequential numbered ones when clowns decided that they should have the same names as the lots of little roles they built, albeit 16 characters shorter...

I faintly suspect that your question may infact be related to incomplete upgrade steps (in SU25) and you are trying to use SUPC to help here. You can use it for parts of step 2C, but you must first be 100% sure of what you have done on 2B and that your roles are super sexy standard authorization instances... --> then it works like a charm

Hope that helps you,

Julius

Hey julius,

This is because of data incosintency.. if lesser role ,you can just edit status of role in PFCG, and generate profile.

This normally happens Either you have done EHP upgrade or system Upgrade..

thats As per my thinking..

Thanks,

PKP

Hi PKP

We removed the ability to generate in production after restricting S_USER_SAS, if there is a problem during transports which leaves PRD with 'to adjust' etc and DEV, QAS are fine then (to me anyway) fixing directly in prod and saying 'that'll do' seems to be asking for trouble at the next transport?

Derived roles are more trouble than they are worth.

Cheers

David

Hi Julius

I think we looked at this a while ago and it related to transports of one set of derived without also including the other sets of derived? As they move through the landscape they lose the generated profile. At least one we found was due to an unsupported object which was never proven.

The fiddle of making the profile the samish as the role name has been replicated in my current client until they realised that their 30 character roles couldn't be handled as easily as the 10 character role names from a previous client (there appears to have been a few converstaions between each companies auth consultants offering advice which didn't work/was not compatible but was fun to see)

Cheers

David

Hi,

You cannot execute mass generation when you select 'All Roles' in the first screen of transaction SUPC.

You need to select 'Roles with Current Profiles for New Generation' in the first screen of transaction SUPC to enable the mass generation.

Best regards,

Akira

Hi Akira

Yes but I was wondering if the OP had found a work-around to this.

Regards

David

A brave route is to delete the profiles on mass and then mass regenerate. You can even do this in PROD to improve transport performance, but you must be sure that SU24 is perfect.

But as mentioned before, you have to be very sure about what is going to happen and who is changing roles, otherwise all hell breaks loose.

Opening roles in "Edit old status" and then transporting them as a habit in role maintenance is not a good symptom to use this approach - as an example.

If you have used SU24 and do keep the role proposals intact, then it works very nicely and you can upgrade all your roles in about 1 day - max 1 week.

If you want to do a lot of checks against historic Excel lists and manual regression testing (with manual / changed authorizations which are divorced from the menus) then you are looking at between 1 month and forever to upgrade the roles...

For me, the concept of "forever maintenance" means start over from scratch in the design.

Cheers,

Julius

Edited by: Julius Bussche on Apr 29, 2011 12:06 AM

If you ensure that your roles can all be opened in expert mode with merge new before the upgrade, then you can invest time in step 2b such that you know what you want in 2c.

Then, instead of 2c use SUPC.

Building bigger and better single roles via menus with carefull su24 proposals does work, and you can complete the security upgrade tasks in about 2 or 3 days for a large system.

One of my customers has 16 million users in SU01. We upgraded SU25 in 2 days because the roles where all standard authorizations.

Cheers,

Julius