Former Member

Automated Role Copying, incl. Change of Authorization Object Value??

Dear all,

Due to special restrictions within our authorization concept, I am forced to copy certain roles again & again, making only small changes to certain authorization object values.


We have the role Z:SAP_SUPPDESK_PROCESS.

- this must be copied to Z:SAP_SUPPDESK_PROCESS_PRJ_A with Authorization Object S_PROJECT-PROJECT_ID = PRJ_A

- it will then be copied to Z:SAP_SUPPDESK_PROCESS_PRJ_B with Authorization Object S_PROJECT-PROJECT_ID = PRJ_B

- next will be copied to Z:SAP_SUPPDESK_PROCESS_PRJ_C with Authorization Object S_PROJECT-PROJECT_ID = PRJ_C

- (guess what's next....)

This must be applied to at least 10 roles, at most to 40. I'm looking for help.

Is there any way to automate that?

Either internally (transaction, ABAP, Bapi/BaDI) or externally (Java, VB, C++)?

Doing it manually is simply a pain and will result in errors.

Any hints are welcome.




5 Answers

  • Best Answer
    Former Member
    Oct 21, 2010 at 11:39 AM

    Hello ,

    In the PFCG – Menu tab you have the option of copying the menus from another role; you can copy and then change the required values and generate.

    Or authorization tab – Edit – insert authorization and add the authorization from other roles or profiles.

    For automation you can create SCATT scripts.



  • Former Member
    Oct 21, 2010 at 12:11 PM

    Hello Jan,

    If you create the copies using ECATT you can download the copied roles from PFCG and edit the downloaded text file, upload and generate again.

    Do take care not to corrupt the file; it is fixed record length and the import checks in PFCG will allow for a lot of garbage (personally experienced). As long as the old/new object values do not differ in length it will be some kind of search and replace.


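The length-preserving search and replace described in the answer above, as an added example that is not part of the original thread. The 60-character record length, the record layout and the sample records are constructed for illustration and are not the real PFCG download format; `replace_fixed` is a hypothetical helper.

```python
RECORD_LEN = 60  # assumed record length of the constructed sample below


class RecordError(ValueError):
    """Raised when an edit would corrupt the fixed-length layout."""


def replace_fixed(records, field, old, new, record_len=RECORD_LEN):
    """Swap `old` for `new` only in the text after `field`, so other
    records (role name, description) are never touched."""
    if len(old) != len(new):
        raise RecordError(f"{old!r} and {new!r} differ in length")
    out, changed = [], 0
    for no, rec in enumerate(records, 1):
        # Reject input that is already damaged instead of propagating it.
        if len(rec) != record_len:
            raise RecordError(f"record {no}: length {len(rec)} != {record_len}")
        head, sep, tail = rec.partition(field)
        if sep and old in tail:
            rec = head + sep + tail.replace(old, new)
            changed += 1
        out.append(rec)
    if changed == 0:
        # A silent no-op would leave the copy with the source role's value.
        raise RecordError(f"{old!r} not found in any {field} record")
    return out, changed


def _rec(text):
    """Pad a constructed record to the assumed fixed length."""
    return text.ljust(RECORD_LEN)


# Constructed sample: a copy already renamed to ..._PRJ_B that still
# carries the value PRJ_A from the role it was copied from.
SAMPLE = [
    _rec("ROLE  Z:SAP_SUPPDESK_PROCESS_PRJ_B"),
    _rec("TEXT  Copy of Z:SAP_SUPPDESK_PROCESS_PRJ_A"),
    _rec("AUTH  S_PROJECT  PROJECT_ID  PRJ_A"),
]

if __name__ == "__main__":
    fixed, n = replace_fixed(SAMPLE, "PROJECT_ID", "PRJ_A", "PRJ_B")
    print(f"{n} record(s) changed")
    for line in fixed:
        print(repr(line))
```

Because the upload checks are described as permissive, the length checks here have to happen before the file goes back into the system; reviewing the generated role's authorization values after upload remains the final control.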

  • Former Member
    Oct 21, 2010 at 12:46 PM


    Please contact your ABAP team.

    Yes, they can do custom development for this. It will not take much time.

    In my last organization we used to upload a template (Excel sheet) with values, and 200 - 300 child roles were automatically created.

    However, copying and changing 40 roles is not such a big task ...... since I remember having created and changed 300 roles per day.

    If the frequency of such work is high (say 300 roles per month), only then should you go for automation; else automation of this will be a wastage of resources 😊




    • Hi

      For this type of job I would use the transaction SHDB (check that it is available in your version of SAP). This task is really trivial. First you have to prepare a record of what is to be done in PFCG. In your case it will be copied from the master role and changes in the new role in the facility for the selected fields. Selected fields, from what I see, are always changing, so they will be variables (this is important in mail merge). Then save this recording to a text file and copy the example to Word and use, for example, Word mail merge. Previously, of course, preparing the appropriate sheet in Excel. When you use the mail merge fields of type variable (such as name and description of the new role entry in the field). Save the result as a text file and import into SAP through SHDB. Important options for recording, i.e. uncheck the default size. When processing data, use the background processing option, uncheck the default size, and select the conf. after commit.

      Documents change, of course, will generate too.


      When you are making a new recording and you are creating a new role, don't generate a profile. SUPC will be your friend later.

      Edited by: Krzysztof Kalinowski on Oct 22, 2010 4:39 PM

  • Former Member
    Oct 21, 2010 at 12:22 PM

    If you have SAP 4.7 EE or older versions, use SCAT transaction code. Else, you have to use SECATT.




  • Former Member
    Oct 21, 2010 at 07:04 PM


    As I am not aware of the requirement which led to such segregation. Generally, you should grant authorization according to the principle "As loose as possible and As restrictive as necessary". It is agreed that the unauthorized parties (those who are not supposed to) should not (or better say must not be allowed to) get access to the respective data. In this regard you (or the business owners) need to identify critical and non-critical data and determine what kind of security approach is applicable.

    Unnecessary segregation or restriction complicates the day to day activities and leads to painful maintenance cycle.

    I am totally sure the above paragraph is not at all helping your need, though I wanted to say this here as this kind of unnecessary restriction happens often.

    As you have already been told, SECATT would be helpful for you for a set of roles which are equivalent to each other but differ in values for the same Authorization fields. You can make the e-CATT script more generic by adding the Authorization Object(s) manually in the role so that you will get the option to use that script in multiple sets of roles where the Object will be an input value.

    An example of using SECATT can be found [here|].




    • Former Member

      Hi Dipanjan,

      You are right, that first part did not help me at all.

      Even worse - I totally agree with you. 😊

      But the business wants a solution for their problem and that's what we found as a solution...