Composite menu regeneration from single roles

Hello,
When I have to maintain (add or remove tcodes) and transport a "single" role that is part of a composite role, the role menu for the composite is out of synch with the single role's transaction content.
The manual fix for this is to go into the composite role via PFCG in the destination system and push the Read Menu button. This will read the latest menus of the single roles.
I would like to know if there is a job that I can schedule that can synchronize the composite role to the single roles assigned to it, or basically a refresh of the composite menus. Is there any function that can do a mass menu update for a selection of composite roles?
The only other way I can think of doing this is writing an LSMW or CATT script to do this, but I would like to find a better way of doing this if available.
Thanks,
Ryan

I don't think this is a feasible approach because 1 single role change can be linked to many composites (as designed) in our environment.  I would not want to change every composite and transport them together with the single role.  Also, it seems that composite transports take a lot of time to import, so I don't think our basis guys would be happy with us doing that. I have found that the menus can be re-imported in the production system w/o the need for transport, etc.  I just think that manually refreshing the menus is going to be a maintenance struggle, especially since we have around 200 designed composite roles in our production environment.
Thanks,
Ryan

Similar Messages

  • Insert multiple profiles in a single role

    Hi People,
    I am trying to insert more than 500 profiles in a new single role.
    The one solution I have is to insert manually each profile by going to EDIT - Insert Authorisations - From profiles option.
    Since I have more than 500 profiles - can someone give me an easier way to complete this at ease.
    Thanks & regards,
    LAL

    Amit Lal wrote:
    > Hi People,
    >
    > I am trying to insert more than 500 profiles in a new single role.
    > The one solution I have is to insert manually each profile by going to EDIT - Insert Authorisations - From profiles option.
    > Since I have more than 500 profiles - can someone give me an easier way to complete this at ease.
    >
    > Thanks & regards,
    > LAL
    Hi Amit,
    Quick question: are these profiles manually created profiles having no corresponding roles?
    If No: which means there are roles corresponding to each profile, then why don't you create a composite role with all these roles?
    If Yes: which means they are manually created profiles, then use t-code SU02 to create a composite profile with all these 500 profiles of yours and then add this composite profile to your single role through the method you mentioned:
    EDIT - Insert Authorisations - From profiles option.
    Hope that helps and as Jurjen said, I am interested too in why you want to insert this many profiles in a single role.
    Edited by: Nishant Sourabh on Feb 8, 2009 6:51 PM

  • ECATT to mass delete single roles from a composite

    Hi,
    I am creating an eCATT to delete single roles from multiple composite roles. The eCATT takes the same position of the single role for each composite. And of course the single role may differ per role.
    Could someone help?
    Thank you in advance,
    Yolanda

    Hi Garcia,
    I did not quite get your example as I am not familiar with the roles tables or transactions.
    But, if I understood your requirement, you want to delete all those single roles (some specific role) from a list of roles.
    I am not sure how the transaction looks here, but a standard way of doing it is to record one execution of deleting the role using TCD or SAPGUI using the position button when available, entering the role name, selecting the delete button on the screen and then save.
    Now, when you check the database table for the number of occurrences that this type of role is present, collect the count of the table into a local parameter and execute the earlier script of deleting multiple times using DO command.
    Select count from <tabname> where <role field> is <value> into <Local parameter>.
    and use the earlier script within
    DO (<local parameter>).
            SCRIPT
    ENDDO.
    This ideally works. You can come back if you need any additional inputs.
    Best regards,
    Harsha

  • Assign single role to composite role with alternate logsys assignments

    Dear gurus,
    In a moment of weakness I created a composite role (shame on me) and then noticed something about them which I had not noticed before... -> I was in a CUA master system and in the composite role I noticed that on the (single) roles tab of it, there was a field called "logical system". But it is greyed out.
    Now composite roles from the child logical systems are known to the CUA master system and have a logical system assigned by the text comparison. Assigning the composite in the master system will assign the composite in the child system and that assigns the local single roles in the child system as well -> so far so good and by the book.
    But is there some way to assign a composite role to a user in the master system which is assigned also to the master system, but the single roles of that composite have logical systems which differ from the logical system of the master system? So basically the field is not greyed out in the central composite roles and this composite role then represents an assignment beyond logical system boundaries - much like a "business role" in IDM.
    Has anyone ever done that before and survived? Any pros and cons? Is it at all possible what I am seeing here before my eyes (bar that the field is greyed out)?
    Cheers,
    Julius

    Hi Martin and others,
    I experimented a bit further with this, albeit rather unsuccessfully from the view of useful results.
    While the "target system" field is intended for navigation to the corresponding trusted RFC connection, it is also possible to turn the user menus off. So such a remote role is not going to go anywhere in navigation. If additionally the CUA is active and you create all the target system single roles in the CUA master system as well and assign them to the "target" they are intended for... then the single role menu is transferred to the child system which the role has as a target. But only the menu, and leaves the role in the target as status red. That also means it is only useful for component neutral roles.
    Now comes the hack: If you create a composite role in the master system with local single roles as well but the single roles are assigned to "targets destinations", then when assigning the user to the composite role in the master system, then it also assigns the single roles in the target systems to the user as well as the local system (the master as a child of itself). So it is in fact a halfway business role in the IDM sense, with some naming convention strings attached.
    You also don't see this in the code of SU01, as the USERCLONE Idoc processing seems to be the guilty one to also send additional Idocs for these single roles with targets assigned to the roles and not the user.
    There is only one major show-stopper in the design of the thing: You can only assign 1 target RFC connection to a single role in the central CUA master system but have to maintain the roles in the target logical system still. That means that roles must be maintained logical system specifically. That also means that you have to maintain the roles directly in production and have a completely different set for development and never transport any roles. They are as unique as their CUA master system "target destination" value and that is the logical system name as well.
    That is a bit of a bummer because it means that you also cannot ever test anything...
    Did anyone ever try to actually use this?
    Cheers,
    Julius

  • Add a single role to different composite roles in one step

    Hello everybody,
    I am working on SAP authorizations, and we often have the situation that a new Tcode is developed and a new role for this Tcode needs to be created.
    Then this new role needs to be added to many different composite roles (sometimes more than 100). At the moment I enter the single role to the composite role and regenerate the menu and this one by one. After that I add them with PFCG_MASS_TRANSPORT to my transport request.
    I don't want to believe that there is no easier way. Any ideas?
    Thank you
    Flo

    Hi Soma,
    great to find a place to be welcome..Thanks
    What you wrote definitely makes sense, but we agreed that every user only gets one composite role assigned and this composite role contains all single roles needed for his job. We do not assign single roles to users.
    The requirement is that every finance guy should get access to it (by the way, it is a report). Unfortunately we have many different sites and many different composite roles for the different positions in the finance area.
    And I did not identify a role which is part of every composite role in the finance area, so I would either have to add it to the most common role present in these composite roles and additionally create a new role which gets assigned to the composite roles where I add the T-Code to is not present.
    -> In this example I would add one T-Code to two roles. Which our security manager disallowed me...
    or make this role available in all finance composite roles, which will give these employees access to other T-Codes which are part of the role but which they should not receive.
    -> Which again... our security manager disallowed me...
    So the only solution I imagined was to create a new role which contains this T-Code and to add this role one by one to every composite role.
    And at the end, your concept is also taken into account because the design of this role is open and if we get a new reporting T-Codes which again need to be added to all Finance guys, I definitely add it to this role
    Comments?
    Cheers
    Florian

  • Creating single role by copying profiles from other roles

    HI ,
    I am creating a single role from 4 roles. I have copied the authorizations of 4 roles and added into the new role. This is done by copying the profiles.
    Problems Faced :-->
    1.) In table AGR_TCODES I am not able to see the Tcodes for this new single role present in the new role, whereas if I go to object S_TCODE I am able to see tcodes and have that access.
    2.) Some of the objects are not copied into this new role. Even from the roles whose all other objects are copied into this role.
    Can anybody help me on this and also if someone knows what other problems can be faced by doing this.
    <removed_by_moderator>
    Thanks,
    Rajesh
    Edited by: Julius Bussche on Oct 15, 2008 3:55 PM

    Hi Rajesh,
    If you have created a role by copying authorizations, then it is possible to get the t-codes provided your role contains the auth.obj S_TCODE which you might have copied manually from one or two among the 4 roles.
    If S_TCODE exists in your role then you can find out the t-codes belonging to this role through SUIM->Transactions->Executable for Roles-> Insert your role name
    or
    Go to SE16-> Table AGR_1251->
    In the field AGR_NAME, give the role name
    In the field OBJECT, enter S_TCODE and then
    Execute.
    Q. My second question: There is one role created by some user. I am checking it in AGR_Tcodes and SUIM... I am finding that the no. of Tcodes in both cases do not match... Can anybody tell where I can look for this and what is the possible reason.
    Possible reasons for this could be that some of the t-codes have been entered into the role manually and not through the menu in PFCG and, as mentioned earlier, that AGR_TCODES only shows the transactions that exist in the menu of the role.
    It could also be that the manually entered t-codes contain wildcards specifying a range of values.
    The best option would be to find it out from the AGR_1251 table.
    Hope this helps !
    Thanks,
    Saby..

  • How to find the T-codes that's in a Single Role & Composite Role??

    Hi all,
    Some of the user have authorization to particular t-codes. However single roles are not created for them.
    Now I need to assign authorization to that particular t-code to a new employee.
    Since the single role is not there, I do not know how to find if it is inside a composite role.
    Which table should I find all the t-codes that are assigned to a single role / composite role?
    pls help.
    Regards,
    Pri

    Rakesh Kulkarni wrote:
    > Table AGRS_TCODES give the roles with their tcode assignment.
    Beware of AGR_TCODES, it only reports transactions entered into the role menu. If you query table AGR_1251 filtered on object S_TCODE you get the actual transaction authorizations.
    Besides that, authorizations are always in single roles, so if you cannot find them there there's no point in searching through the composites.
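
The AGR_TCODES versus AGR_1251 distinction made in the reply above and in the copied-profiles thread before it, as an added example that is not code from any poster: it lists S_TCODE values a role holds outside its menu and resolves which single roles, and the composites containing them, cover a transaction. It assumes SE16-style exports with the columns shown (composite membership taken from AGR_AGRS); the rows are constructed sample data, only a trailing `*` is treated as a wildcard, and ranges are compared as plain strings.

```python
# Constructed sample rows shaped like SE16 exports; role names are made up.
AGR_1251 = [  # authorization values held by each single role
    {"AGR_NAME": "Z_FI_DISPLAY", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "FB03", "HIGH": ""},
    {"AGR_NAME": "Z_FI_DISPLAY", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "SE16", "HIGH": ""},
    {"AGR_NAME": "Z_FI_DISPLAY", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "FK0*", "HIGH": ""},
    {"AGR_NAME": "Z_FI_DISPLAY", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "VA01", "HIGH": "VA03"},
    {"AGR_NAME": "Z_MM_BUYER", "OBJECT": "S_TCODE", "FIELD": "TCD", "LOW": "ME21N", "HIGH": ""},
    {"AGR_NAME": "Z_MM_BUYER", "OBJECT": "S_TABU_DIS", "FIELD": "ACTVT", "LOW": "03", "HIGH": ""},
]
AGR_TCODES = [  # transactions that were entered through the role menu
    {"AGR_NAME": "Z_FI_DISPLAY", "TCODE": "FB03"},
    {"AGR_NAME": "Z_MM_BUYER", "TCODE": "ME21N"},
]
AGR_AGRS = [  # composite role -> single role assigned to it
    {"AGR_NAME": "ZC_FI_CLERK", "CHILD_AGR": "Z_FI_DISPLAY"},
    {"AGR_NAME": "ZC_ALL", "CHILD_AGR": "Z_FI_DISPLAY"},
    {"AGR_NAME": "ZC_ALL", "CHILD_AGR": "Z_MM_BUYER"},
]


def s_tcode_values(agr_1251):
    """Yield (role, low, high) for every S_TCODE value, skipping other objects."""
    for row in agr_1251:
        if row["OBJECT"] == "S_TCODE" and row["FIELD"] == "TCD":
            yield row["AGR_NAME"], row["LOW"], row["HIGH"]


def value_covers(low, high, tcode):
    """True if one S_TCODE value (single, trailing-* pattern, or range) covers tcode."""
    if high:                      # range: simplified to plain string comparison
        return low <= tcode <= high
    if low.endswith("*"):         # simplified: only a trailing wildcard is handled
        return tcode.startswith(low[:-1])
    return low == tcode


def outside_menu(agr_1251, agr_tcodes):
    """Per role, the S_TCODE values that AGR_TCODES alone would not reveal."""
    menu = {}
    for row in agr_tcodes:
        menu.setdefault(row["AGR_NAME"], set()).add(row["TCODE"])
    gaps = {}
    for role, low, high in s_tcode_values(agr_1251):
        generic = bool(high) or low.endswith("*")
        if generic or low not in menu.get(role, set()):
            gaps.setdefault(role, []).append(f"{low}..{high}" if high else low)
    return gaps


def roles_granting(tcode, agr_1251, agr_agrs):
    """Single roles whose S_TCODE values cover tcode, plus composites containing them."""
    singles = sorted({role for role, low, high in s_tcode_values(agr_1251)
                      if value_covers(low, high, tcode)})
    composites = sorted({row["AGR_NAME"] for row in agr_agrs
                         if row["CHILD_AGR"] in singles})
    return singles, composites


if __name__ == "__main__":
    print(outside_menu(AGR_1251, AGR_TCODES))
    print(roles_granting("FK03", AGR_1251, AGR_AGRS))
```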

  • Creating Single Role from Many Roles

    Hi,
    Can we create a single role (not composite) from many roles? i.e. all the authorisations of n roles being copied into a single new role?

    You can create a composite role in PFCG and just include the other roles within it. But there is no functionality to merge roles into one another.
    If you need more detail, then I suggest you ask your question in the Security Forum.
    Hope that helps.
    J. Haynes
    Denver CO US

  • How to add/delete single role to/from CUA

    Hi All,
    I want to add/delete single role from CUA system. I found one FM to change roles, i.e. BAPI_USER_LOCACTGROUPS_ASSIGN. The function module documentation says that it overwrites all existing roles with the roles in the table parameter. I don't want to do that. I need a FM to add/delete role to CUA system. Please help me with your suggestions.
    Thanks,
    Suman

    I am not aware of another BAPI based way to do it. You will need to get the details of the Roles AND manual profiles assigned, and then re-assign the new set in the call.
    Cheers,
    Julius

  • Role prefix for XI custom composite/single roles

    We have XI custom composite roles which start with TI_XI_* and contain single SAP roles (SAP_) and single custom roles (AAW:). Are we forced to use a certain XI role naming standard at the composite and single role levels due to Java authorizations?
    Thanks,
    Brad

    Just transport it rather than upload it.  The generated profiles will be carried through with their existing convention.
    If you need to have different profile names due to the naming constraints then LSMW or SECATT will let you do this easily.  If you are not familiar with the tools then 1. Take time to learn one of them (they are very useful) or 2. Do it manually.  60 profiles can be named in 30 minutes or less if you already have created the profile names in a spreadsheet, text file etc.

  • Role prefix for custom composite/single roles

    We have custom composite roles which start with TI_XI_* and contain single SAP roles (SAP_) and single custom roles (AAW:). Are we forced to use a certain role naming standard at the composite and single role levels due to Java authorizations?
    Thanks,
    Brad

    Just transport it rather than upload it.  The generated profiles will be carried through with their existing convention.
    If you need to have different profile names due to the naming constraints then LSMW or SECATT will let you do this easily.  If you are not familiar with the tools then 1. Take time to learn one of them (they are very useful) or 2. Do it manually.  60 profiles can be named in 30 minutes or less if you already have created the profile names in a spreadsheet, text file etc.

  • S_TABU_LIN from multiple roles to single user

    Hi everybody
    There is such situation:
    We are restricting the values of infoobject using S_TABU_LIN
    Everything is working fine if the user has authorization assigned only
    by one role.
    If the user has more than one role assigned then user has only values
    authorized that are included in the first role. All authorizations from
    other roles are not available
    For example:
    We have authorizations in 3 roles
    Role1
    Activity 03 ACTVT
    Organization criterion for key /BIC/ZMINISTRY ORG_CRIT
    Org. crit. attribute 1 * ORG_FIELD1
    Org. crit. attribute 2 04 ORG_FIELD2
    Org. crit. attribute 3 * ORG_FIELD3
    Org. crit. attribute 4 * ORG_FIELD4
    Org. crit. attribute 5 * ORG_FIELD5
    Org. crit. attribute 6 * ORG_FIELD6
    Org. crit. attribute 7 * ORG_FIELD7
    Org. crit. attribute 8 * ORG_FIELD8
    Role2
    Activity 03 ACTVT
    Organization criterion for key /BIC/ZMINISTRY ORG_CRIT
    Org. crit. attribute 1 * ORG_FIELD1
    Org. crit. attribute 2 06 ORG_FIELD2
    Org. crit. attribute 3 * ORG_FIELD3
    Org. crit. attribute 4 * ORG_FIELD4
    Org. crit. attribute 5 * ORG_FIELD5
    Org. crit. attribute 6 * ORG_FIELD6
    Org. crit. attribute 7 * ORG_FIELD7
    Org. crit. attribute 8 * ORG_FIELD8
    Role3
    Activity 03 ACTVT
    Organization criterion for key /BIC/ZMINISTRY ORG_CRIT
    Org. crit. attribute 1 * ORG_FIELD1
    Org. crit. attribute 2 08 ORG_FIELD2
    Org. crit. attribute 3 * ORG_FIELD3
    Org. crit. attribute 4 * ORG_FIELD4
    Org. crit. attribute 5 * ORG_FIELD5
    Org. crit. attribute 6 * ORG_FIELD6
    Org. crit. attribute 7 * ORG_FIELD7
    Org. crit. attribute 8 * ORG_FIELD8
    All of the roles are assigned to single user
    The problem is that user can get only those values from /BIC/ZMINISTRY
    that are authorized in role1
    Values authorized in role2 and role3 are not available.
    What could be a problem???

    Are you using BI7 as authorization?
    please check the link below regarding combining authorizations for BI7
    http://help.sap.com/saphelp_nw04s/helpdata/en/46/98cd87f37d19ace10000000a11466f/content.htm

  • FM Assigning of Single Roles to Composite Roles

    Hello everybody,
    I spent the whole day trying to find a solution using any source I know and I couldn't find a solution. So sorry if this question has been asked before.
    My Question is:
    Can you tell me a Function Module which assigns/removes a Single PFCG Role to a Composite PFCG Role.
    Regards Max

    Hi,
    You can add as many single roles, but you cannot add composite roles to a composite role.

  • SOX report containing only composite, without single roles.

    Hello SAP experts.
    I have a question regarding SOX report. Would it be possible to somehow set/filter the report to only display COMPOSITE roles but not the generated single roles?
    For example role ZHRFIC_EMPLOYEE has a generated role ZHRFIS_EMPLOYEE. When I run SOX, both of the roles are displayed, which is what I do not want. Only ZHRFIC_EMPLOYEE is what I want to be displayed and afterward to be put in the Excel.
    Thanks for replies in advance.

    Hi,
    I am actually doing this through SUIM > USER > By complex selection criteria. Then I fill User Group field with the needed user group and execute.
    A bunch of users comes out with all of their profiles / roles and if the user has any composite role then also the single roles appear in the report. Is there any option to disable displaying of generated single roles?
    Thanks in advance!

  • Menu vs. Authorization roles

    Dear all,
    I am checking the possibility to separate roles in order I have in one role a menu structure and another associated role for the authorizations.
    I found out 2 standard SAP roles having something similar
    SAP_AUDITOR_BA_FI_APMD
    SAP_AUDITOR_BA_FI_APMD_A
    Checking SAP_AUDITOR_BA_FI_APMD I realize here is a menu structure with "transactions" inside but on the authorization tab there is nothing.
    How could I do that if I would like to create my own roles? I mean when I add a transaction on the menu the authorization part will be updated automatically.
    I will appreciate any suggestion to do that.
    Thanks
    FedeX

    Note that PFCG now also offers "Authorization Defaults", which is basically the same thing, but within the same single role. This is a very good thing.
    This gives you the option of pulling proposals from SU24 without them being visible (or executable...) via the menu navigation.
    I agree with you that it is ideal to derive the authority from the menu tab (whether visible or not) and build roles at a higher level, and less of them too.
    But try explain that to an auditor who wants to run a report in his check-list?
    Actually, I heard auditors recently recommending composite roles for this reason to reduce the access of the end users to less profiles...
    Unfortunately they turn up on a Monday morning without invitation and want access... It is more secure to hash up a menu for them and know what access they have behind it (test and transport that one!) than dish out SA33 etc and SE16 etc.
    If they are IT auditors (as is often the case) then they will want to display some development objects. Forget about S_TCODE from that point onwards.... use the authorizations role values.
    Hope that helps,
    Julius
