Skip to Content
author's profile photo
Otto Gold

Real role and ideal role comparison

Posted on Apr 29, 2011 at 09:02 AM 11 Views

Hello, ladies and gentlemen,

I would like to write an experimental program that would help me understand how some weird and big roles, I have here, were created. I feel that some parts of the roles come from the SU24 suggestions and some were obviously changed/ added manually.

Here is what I would like to compare

a) the ideal role, if it would be generated only (no manual changes) based on the SU24 suggestions for the "objects" listed in the role menu

The premise here is that I can generate a reasonable and usable role based on the SU24 entries only. If you think this is crazy, let me know, but also let/ help me build the report so I can learn myself:))

b) a real role - the one that exists in the system

I can get a list of the auth objects that are parts of the role easily (tab AGR_1251).

I can also get a list of SU24 suggestions for various objects I can use in the role menu.

The last step to be able to build the comparison is that I don`t know how to connect role menu entries with the role. Or better: I can easily get a list of transactions used in the menu. That`s fine. But I can also add a function module into the menu (for example) but see this one as a SERVICE in tables only, without the additional details (FM name would be nice).

So I am not able to use this "SERVICE" to go to USOBX_C and get the SU24 suggestions for the function module.

Can anybody suggest a way, how can I get a whole list of objects used in a role menu, not only the transactions?

Thanks,

Otto

Security
Add comment
10|10000 characters needed characters exceeded

2 Answers

  • Best Answer
    author's profile photo
    Martin Voros
    Posted on Apr 30, 2011 at 12:33 AM

    Hi,

    if you open a role in PFCG you can see which authorization objects were added manually to the role and which have modified values from default SU24 values (see [documentation|http://help.sap.com/saphelp_nw04/helpdata/en/5c/deaa77d3d411d3970a0000e82de14a/frameset.htm]). I don't have access to any system right now but you should be able to figure out what logic is used in PFCG. You might be able just to reuse internal function module.

    Cheers

    Add comment
    10|10000 characters needed characters exceeded

    • Martin Voros Otto Gold
      May 06, 2011 at 12:49 AM

      Hi,

      that mode just goes through current values in SU24 and checks if that authorization is in the role. If not then it inserts it and flag it as new. It does not touch manually added objects. So you need to think if that's what you want. You can interpret it as if there is object flagged as new than somebody modified proposed authorizations. Don't forget that you might get false positive when there were changes in SU24. You also need to check if there are any manually added objects.

      Using those two modes allow you to do comparison in both ways. Not only from SU24 to current role values.

      Cheers

  • author's profile photo
    Former Member
    Posted on May 02, 2011 at 08:47 AM

    Hi Otto,

    Should the 'MODIFIED' field in table AGR_1251 help here.

    Table AGR_HIER, field 'extended name' (=SERVICE) OR Reporttype not equals to TR can give where Tcode is added as Service.

    The comparision,of course is not so quick, specially if you have big implementation. May xls or access be also helpful here (analysing data from agr_1251, USOBT_C, AGR_TCODES, AGR_HIER).

    --Kamal

    Add comment
    10|10000 characters needed characters exceeded

    • Otto Gold
      May 02, 2011 at 01:05 PM

      Hello Kamal,

      one of us does not understand. If it is me, then I would like to ask you for more elaboration.

      Table AGR_HIER, field 'extended name' (=SERVICE) OR Reporttype not equals to TR can give where Tcode is added as Service.

      If this should answer the part of my question about RFC function modules for example, then I don`t see your point. I can get all the information about the tcodes used in the role menu. I want to be able to read the information about other menu "tems" on the same level of detail. And from your answer I feel that you`re helping me with transactions. The only part i can do myself.

      Thanks for your time and effort,

      have a nice day,

      Otto