Real role and ideal role comparison

OttoGold
Active Contributor
0 Kudos

Hello, ladies and gentlemen,

I would like to write an experimental program that would help me understand how some weird and big roles I have here were created. I feel that some parts of the roles come from the SU24 suggestions and some were obviously changed/added manually.

Here is what I would like to compare

a) the ideal role, if it would be generated only (no manual changes) based on the SU24 suggestions for the "objects" listed in the role menu

The premise here is that I can generate a reasonable and usable role based on the SU24 entries only. If you think this is crazy, let me know, but also let/ help me build the report so I can learn myself:))

b) a real role - the one that exists in the system

I can get a list of the auth objects that are parts of the role easily (tab AGR_1251).

I can also get a list of SU24 suggestions for various objects I can use in the role menu.

The last step to be able to build the comparison is that I don't know how to connect role menu entries with the role. Or better: I can easily get a list of transactions used in the menu. That's fine. But I can also add a function module into the menu (for example) but see this one as a SERVICE in tables only, without the additional details (FM name would be nice).

So I am not able to use this "SERVICE" to go to USOBX_C and get the SU24 suggestions for the function module.

Can anybody suggest a way, how can I get a whole list of objects used in a role menu, not only the transactions?

Thanks,

Otto

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos

Hi,

If you open a role in PFCG you can see which authorization objects were added manually to the role and which have modified values from default SU24 values (see [documentation|http://help.sap.com/saphelp_nw04/helpdata/en/5c/deaa77d3d411d3970a0000e82de14a/frameset.htm]). I don't have access to any system right now but you should be able to figure out what logic is used in PFCG. You might be able just to reuse an internal function module.

Cheers

10 REPLIES 10

OttoGold
Active Contributor
0 Kudos

Hello Martin, thank you for the suggestion

if you open a role in PFCG you can see which authorization objects were added manually to the role and which have modified values from default SU24 values (see documentation)

This is the easy part. I can read everything about the role.

What I cannot read from DB (I am a developer so obsessed with tables and views) is how would the role look like without those modifications. How can I do that?

I'd rather avoid reading the change documents for example. Not nice.

Removing parts which are changed does not help, I don't know if part was added manually, changed after being involved by the generation process and this way I cannot process those items which were removed completely, can I?

Thank you anyway,

Otto

0 Kudos

Hi Otto,

please have a look at FM SUPRN_AUTH_DATA_IN_EXP_MODE coming with note 1441463.

You can read the authorization data depending on the value of parameter EXPERT_MODE:

'N', Delete and recreate (-->from scratch as per SU24 values)

'D', Edit old status (-->current existing values)

'M', Read old and merge (-->what would be the result of an actual merge)

If you compare the results, for instance, of 'N' and 'D' you probably are a step nearer to the required result....

Just a thought....

b.rgds, Bernhard

OttoGold
Active Contributor
0 Kudos

Hello Bernhard

please have a look at FM SUPRN_AUTH_DATA_IN_EXP_MODE coming with note 1441463.

This might be it, but I am not sure what do I see. I spent some time playing with the function module, but still could use a hint.

a) how do you explain what you see when comparing the results for N and D?

b) can you name attributes of the role which could work as a nice example? I am afraid I am not getting all the depth here because using it on roles that cannot show much...

Thank you very much,

I can smell the success now:))

cheers Otto

OttoGold
Active Contributor
0 Kudos

Not to ask stupid questions, I started tests from scratch. And I found something I can use nicely as well, FM: PRGN_ACTIVITY_PROF_INTERN_READ which returns the entries from the role menu. Sub-objective completed.

mvoros
Active Contributor
0 Kudos

Hi,

N means that you just added all transactions and additional stuff to the user's menu in PFCG and you open authorizations for that role for the first time. So it takes all values from SU24 but you still need to enter values for all fields which don't have any proposed value in SU24. So it's really hard to tell what the ideal role looks like. D means that it reads current authorizations for that role. So you can compare results. So you can have some extra authorizations in the second result. These are manually added objects. You can have some extra authorizations in the first result. These should be deleted authorizations. Your problem will be with merged authorizations (it's impossible to split them).

BTW PRGN_ACTIVITY_PROF_INTERN_READ is used by SUPRN_AUTH_DATA_IN_EXP_MODE and this FM is basically really similar to FM SUPRN_PROFILE_GENERATOR which is used in PFCG.

Cheers

OttoGold
Active Contributor
0 Kudos

Hello Martin,

what I spotted was that when I launch the FM with parameter D, then I receive the old values and the new ones. So I see no point in comparing N and D output. But I might be missing something, otherwise you would not suggest it, right. So you think that I can get something more out of the FM than launching it for D and looking for the "change" flags?

Could you please describe an example where one can see a difference in the output of those two calls?

About that ideal role. I know that the generated role might (most likely will) be "incomplete", but "incomplete" standard is still better than a role that was manually changed by somebody who was "not sure about all he was doing", hm? I am trying to learn how much are the roles (roles generally) changed manually, so how much does the admin/ role builder using SU24 or if he is driven by the wind direction.

Thanks,

Otto

mvoros
Active Contributor
0 Kudos

Hi,

That mode just goes through current values in SU24 and checks if that authorization is in the role. If not then it inserts it and flags it as new. It does not touch manually added objects. So you need to think if that's what you want. You can interpret it as: if there is an object flagged as new then somebody modified proposed authorizations. Don't forget that you might get false positives when there were changes in SU24. You also need to check if there are any manually added objects.

Using those two modes allows you to do comparison in both ways. Not only from SU24 to current role values.

Cheers
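The two-way comparison described in the replies above, as an added example that is not part of the thread and not SAP code: it diffs a mode 'N' result against a mode 'D' result after both have been exported as (object, field, value) rows. The row shape, the sample values and the names `PROPOSED`, `ACTUAL`, `by_object` and `compare_role` are assumptions made for illustration; how the rows are read out of the function module is not shown.

```python
from collections import defaultdict

# Constructed sample rows: (authorization object, field, value).
# PROPOSED stands for the mode 'N' result (SU24 proposals only),
# ACTUAL for the mode 'D' result (what the role holds today).
PROPOSED = [
    ("S_TCODE", "TCD", "FB03"),
    ("F_BKPF_BUK", "ACTVT", "03"),
    ("F_BKPF_BUK", "BUKRS", ""),       # no proposed value: has to be maintained
    ("F_BKPF_KOA", "ACTVT", "03"),
    ("F_BKPF_KOA", "KOART", "D"),
]
ACTUAL = [
    ("S_TCODE", "TCD", "FB03"),
    ("F_BKPF_BUK", "ACTVT", "03"),
    ("F_BKPF_BUK", "ACTVT", "02"),     # value beyond the proposal
    ("F_BKPF_BUK", "BUKRS", "1000"),   # open field filled in
    ("S_TABU_DIS", "ACTVT", "03"),     # object with no proposal behind it
    ("S_TABU_DIS", "DICBERCLS", "*"),
]

def by_object(rows):
    """Group rows into {object: {field: set(values)}}; empty values add nothing."""
    grouped = defaultdict(lambda: defaultdict(set))
    for obj, field, value in rows:
        values = grouped[obj][field]   # touch the field so open fields are kept
        if value:
            values.add(value)
    return grouped

def compare_role(proposed_rows, actual_rows):
    """Compare per object; merged authorizations of one object are not split."""
    proposed, actual = by_object(proposed_rows), by_object(actual_rows)
    report = {
        "only_in_role": sorted(set(actual) - set(proposed)),      # manually added
        "only_in_proposal": sorted(set(proposed) - set(actual)),  # deleted, or SU24 changed later
        "changed": {},
        "open_fields": {},
    }
    for obj in sorted(set(proposed) & set(actual)):
        for field in sorted(set(proposed[obj]) | set(actual[obj])):
            want = proposed[obj].get(field, set())
            have = actual[obj].get(field, set())
            if not want:
                # nothing proposed for this field, so any value is regular maintenance
                report["open_fields"][(obj, field)] = sorted(have)
            elif want != have:
                report["changed"][(obj, field)] = {
                    "added": sorted(have - want), "missing": sorted(want - have)}
    return report
```

Entries under `only_in_proposal` need a second look before they are read as deletions, since a later SU24 change produces the same result.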

Former Member
0 Kudos

Hi Otto,

Should the 'MODIFIED' field in table AGR_1251 help here.

Table AGR_HIER, field 'extended name' (=SERVICE) OR Reporttype not equals to TR can give where Tcode is added as Service.

The comparison, of course, is not so quick, especially if you have a big implementation. Maybe xls or Access would also be helpful here (analysing data from agr_1251, USOBT_C, AGR_TCODES, AGR_HIER).

--Kamal

0 Kudos

Hello Kamal,

one of us does not understand. If it is me, then I would like to ask you for more elaboration.

Table AGR_HIER, field 'extended name' (=SERVICE) OR Reporttype not equals to TR can give where Tcode is added as Service.

If this should answer the part of my question about RFC function modules for example, then I don't see your point. I can get all the information about the tcodes used in the role menu. I want to be able to read the information about other menu "items" on the same level of detail. And from your answer I feel that you're helping me with transactions. The only part I can do myself.

Thanks for your time and effort,

have a nice day,

Otto