Profile generation in child role

Similar Messages

• Role Profile Generation in BW

  Hi,
    I created a Role in PFCG with some Authorization Objects like S_RS_COMP1,S_RS_HIER ,S_RS_ICUBE & S_RS_IOBJu2026etc
    I generated the profile and tested the role everything is working as expected.
    Now I raised a transport for this role and imported that to Test system successfully.
    In the Test system the profile which I generated and active in Dev is became inactiveu2026.I re-generated it again and working again
  Question is why the Profile is becoming inactive any transported and do I need to Re generate in each system when I import the transport.
  Thanks

  Question:
  > Do I need to generate profile seperately for child and parent  or only for parent is enough ??
  Answer:
  > For me , the properties are not getting reflected when i do it only for parent ??
  Well done. You just found an easter egg
  => Take a look at transaction SUPC. There is also a menu path to it in PFCG when you have completed the parent role. Look for "Mass Profile Generation".
  Cheers,
  Julius

• Error in generating Profile for Child Role

  Hi Experts,
  My requirement is to chnage profile for child roles created. I'm using FM 'PRGN_AUTO_GENERATE_PROFILE_NEW' to generate the Profile for child role. However it gives an error saying "Open authorizations or org. levels in role & => no profile generated"
  when I execute it.  Infact the same error occurs when i run it for parent role also.
  But prior to attaching the child role to parent role, profile gets generated with no issues.
  Kindly help.
  Regards,
  Anjali

  Hello All/Experts,
  I am also getting same error. how to resolve this?
  regards
  A

• Role Expert Profile generation error

  Hi All,
  I am getting the following error in Role Expert Profile Generation tab.
  When i click Generate tab, I am geting "Name or Password is incorrect(Repeat Login)" Can any body explain what user id is generally triggered when generate profile using role expert?
  Thanks,
  Chandra

  Hi there,
  to be more precise. You have to use the password from the account which you use to maintain the roles in the system you want to generate the role.
  Kind regards,
  Richard

• Profile for a composite role

  Hello Experts,
  We are having a problem dealing with a composite role.
  Whenever we add the composite role to a user master; a profile appears for each of the single roles (which is normal) BUT we also get a profile for the composite role.
  We verified in the table AGR_1016  and found that there is a profile asocited to the composite role.
  We tried the clean-up option of the transaction PFUD which did not work in our case.
  We were thinking that may be the role was firstly created as a single role with its profile; and then it mayhave been changed to a composite role without deleteing its profile. Is it possible ?
  Any answer is most welcome!
  Thanks & Reagards

  > We were thinking that may be the role was firstly created as a single role with its profile; and then it mayhave been changed to a composite role without deleteing its profile. Is it possible ?
  Sounds to me as if there has been an import of a composite role overwriting a single role with the same name. The pfcg import facility has very few checks in them so something unwantend could have happened. I think it is not possible to change a role from single to composite with the PFCG or other tools. What does table AGR_PROF say about this role?
  I would suggest to copy the composite to a new name (without copying the singles) and see how that looks. If it is OK you can delete the corrupted role, check wether it is completely gone and copy the new role back to it's original name.

• Insert multiple profiles in a single role

  Hi People,
  I am trying to insert more then 500 profiles in a new single role.
  The one solution I have is to insert manually each profile by going to EDIT - Insert Authorisations - From profiles option.
  Since I have more then 500 profiles  - can some one give me a easier way to complete this at ease.
  Thanks & regards,
  LAL

  >
  Amit Lal wrote:
  > Hi People,
  >
  > I am trying to insert more then 500 profiles in a new single role.
  > The one solution I have is to insert manually each profile by going to EDIT - Insert Authorisations - From profiles option.
  > Since I have more then 500 profiles  - can some one give me a easier way to complete this at ease.
  >
  >
  >
  > Thanks & regards,
  > LAL
  Hi Amit,
  Quick questions ....are these profiles manually created profiles having no corresponding roles ?
  If No : - Which means there are roles corresponding to each profile then ...Why don't you create a composite role with all these roles.
  If Yes :- Which means they are manually created profiles ...then use t-code SU02 to create a composite profile with all these 500 profiles of yours and then add this composite profile to your single role through the method you mentioned  
  EDIT - Insert Authorisations - From profiles option.
  Hope that helps and as Jurjen said...I am intrested too why do you want to insert these many profiles in a single role.
  Edited by: Nishant Sourabh on Feb 8, 2009 6:51 PM

• Mass generation of Derived Roles

  Hello,
  SUPC helps me in Mass generation of Master Roles. But how do I generate Derived roles in a lot?
  Thanks.

  Hello,
  we also missed this function when we started using derivation of roles. I developed some years ago a program which does this, also possible to start it in background mode. It runs daily (in front of  PFCG_TIME_DEPENDENCY) and adjust derived roles from updated parent roles (which came into the system via transport request).
  Because I developed the program in my working time it's owned by my company, therefore I can not post the source. Just a few hints:
  - parent roles and derived roles: you will find them in table AGR_DEFINE
  - roles imported into the system: with function module TMS_TM_GET_TRLIST you can get yesterday's imported transport requests, you can read the object list with function module TMS_WBO_READ_REQUEST (those with R3TR ACGR have roles in it).
  - build up an internal table of parent roles (consider the derivation level: first process the top level role, then it's derived roles, and then their derived roles and so on).
  - use function module SUPRN_TRANSFER_AUTH_DATA for adjusting the derived roles of a parent role.
  HTH and kind regards
  Jens Hoetger

• Users have more than one profile for the same role

  Hello,
  As I said in my earlier post I'm rather new to SAP.
  I'm doing now the security audit of my SAP system. In particular, I'm checking whether business users have access to DEBUG functionality.
  I have run report 'Users by complex selection criteria' and found certain number of such users. Then I looked further and discover that all these users have role X assigned to them. The profile P2 of the role X displayed in PFCG has DEBUG functionality deactivated. After second look I discovered that all these users have earlier profile P1 for the same role X assigned to these users. This profile P1 contains the functionality in question.
  I solved the issue by revoking the role X from the users and assigning it again. Both P1 and P2 profiles were removed from the users and only P2 was reassigned again.
  I used to think that role may have only the profile that is displayed in PFCG? Also, I used to think that if the role profie is regenerated the newly generated profile automatically replace the old one assigned to users. Am I wrong?

  Hi Pavel
  In simple and short ..
  Role contains authorization objects..
  Maximum limit of authorization objects for a role is 150 .
  So a role can accommodate 150 authorization objects.
  New Profile ABC is created , when ever you create a new role. 1-1 relation.
  But if a role has more than 150 authorization objects .. then automatically a new profile ABC01 will be created and it will also be aligned to that role .
  if role has 400 auth objects, then profiles will be ABC ,ABC01 ,and ABC02
  i hope this helps you
  Cheers
  Pavan M

• Function module to assign a parent role to a child role

  Hi All,
  Is there any function module that can be used to assign a parent role to a child role.
  I have tried to debug the PFCG transaciton but was not successful in find one.
  Please help me out.
  Thanks,
  Hari.

  Hello Hari
  It would be more logic to create a child role from a parent role yet there may be demands for the other way around. I would like to add that you assign not just a but the parent role since a child role can have only a single parent role.
  The parent role is defined by AGR_DEFINE-PARENT_AGR. Thus, you could try to use the following function modules:
  PRGN_STRU_LOAD_DEFINITION
  PRGN_STRU_SAVE_DEFINITION
  Obviously there are additional steps required in order to create a fully functional child role.
  Regards,
    Uwe

• PFUD - profiles are removed, but role is in

  Hello,
  I am testing background job based on report RHAUTUPD_NEW.  I assign role to a user via SU01 and time-limit it.  When limit expires I check user's record via SU01.  I see that the profile is being removed from the user's record, but role's assignment still shows in the user's record.  Is this a correct behavior?  Is there a way to remove role from the user's master record as well?
  Thanks
  Galina

  That is indeed interesting question.
  If might make sense to agree on an approach with them.
  If your provisioning of access support model and infrastructure supports it, then removing the role is a better option in my opinion. SAP seems to be going that way as well, since IdM also without deleting the user ID which is usefull.
  It helps a lot if you do not have too many (sets of) roles and the tools interogate their validity.
  It is without a doubt a very usefull control to set the date of expiry when assigning the access. At that point in time you know most about the user and their request for access!
  Cheers,
  Julius
  Edited by: Julius Bussche on Mar 30, 2010 12:14 AM

• Generation of derived roles when transported

  Hello Everyone,
  We are on ECC6.0 and I've come across a scenario where I've created certain number of derived roles from a parent role and generated the parent and derived one's from the parent role in PFCG and created a transport request. But,
  When I got them imported (SCC1) to a different client on the same box I can see that the authorization tab is still in yellow in all these derived roles,they do contain the same profile name in the authorization tab in PFCG as from the original client they were created in and I would like to know the reason why these roles under the auth.tab are in YELLOW and need a regeneration of profile? I remember doing it previously where I did not regenerate the profiles for the roles when they are imported/transported to a different client.
  And the status text in SUPC says " no current profile".
  Any ideas/inputs are much appreciated.
  Regards,
  Raj

  Hi,
  There may be more that one cases.
  What are the roles you included into the Transport request? You should include all the Derive roles along with the parent roles ideally. Also, I hope you have checked the authorization data for the derived roles in the development before transport.
  Other option could be the system change options for appending data in the target system.
  Please provide more information and also try to search for SAP Notes if there any with this kind of issues.
  Regards,
  Dipanjan

• AGR_1016: More than one profile linked to a role

  Hi,
  We have a role wich contains several profiles in table AGR_1016. The name of such profiles are sequential number based on the original profile (XXXXXX1, XXXXXX2, XXXXX3 etc).
  Why is the reason for having many profiles linked to a unique role? Which action in the system generated the different entries in table AGR_1016?
  We do know that the princial / original profile is inserted once we generate the role in PFCG. But what about the sequential entries?
  Many thanks in advance. Best regards,
    Imanol

  imanol,
  Yes this is possible with large roles. When the number of authorizations exceeds a set number , profile generator will create additional profiles. You will notice that there is a sequential number at the end of the profile name for the additional roles.
  Maximum no. of profile that can be assigned is 312.
  Max of 150 auth can fit into a profile. if there are more than 150 auth, an additional profile is generated. It has the same profile name (first 10 charaters) last digits are used as counter (0 to 99)
  Thanks,
  Sri
  Edited by: sri on Jul 16, 2010 5:00 AM

• SAP Basis Query Related to profile generation.

  Hi,
    When we add a tcode to any role or make any authorization changes then how many times the profile gets generated and where does it have its effect in tables?
  Regards,
  Milind

  Hi
  When ever we create a new role we need to generate a new profile and when ever we makes any changes to a role by adding any new tcode to any existing role or any authorization changes to that role then each and every time any changes are made we need to generate a profile which will add that particular changes to the previous profile so we can say that as many changes we made we need(must) generate a profile .
  Tables affected in creating a role or making any changes in authorization are many and that depends on what kind of a role(like if we generate a composite role the the table is AGR_AGRS,..etc profiles of each role is stored in AGR_PROF..etc..) if we make any changes to any authorization values then diff tables are effected(if u make any changes in org values the table effected is AGR_1252...etc)

• Profile Generation

  After maintaining authorization fields, we save and generate the profile. But it prompts for the profile name right when we click on 'Save' icon. So what exactly is the difference between 'Save' and 'Generate' icons?

  In layman's term, I would rather explain you by taking the example of a java program.
  When you write a java code and save it, it doesn't start working until you compile it and generate the .class files.
  Now, you may again need to modify the same code. After that you again need to compile the program to regenerate the class files.
  Similar concept is used for roles. Just creating and saving a role solves little or no purpose. You need to generate them for using them. After generating the roles, profiles are created which contain authorizations.
  Hope it helps!
  Award points if it helped.
  Thanks!!!

• Partner profile generation

  Hi,
    while generating the partner profile it is askimg for partner no but i don't have any partner system is there any option to configure the same system as seneder and receiver , if it is possible tell me the procedure how can we do that.
  Thanks in advance,
  Sasi.

  u can use a business service as sender as well as reciever.
  click on the business service->give the outbound  message interface name in Outbound  + (below) give the inbound message interface name....so during reciever determination u can give the sender service as the reciever.