give '*' to all new objects' fields in an upgrade for roles

Former Member
0 Kudos

Hello,

I want to enter the value '*' for all new objects within roles.

There are more than 4000 roles in the system.

Do I have to do it manually in tcode SU25 step 2c, or is there any mass way to do it?

Thank you,

Javier Rubio

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi,

I am with Julius and Alex. Although the number of roles is large, it would be a good idea to go through the impact of having the values as "*" and then update the values accordingly, rather than having "*" maintained for everything that came new in the upgrade.

Regards,

Zaheer

6 REPLIES

Former Member
0 Kudos

Moved to security forum...

There is no standard mass-way to update roles which I know of.

As there will not only be new objects, but also new check indicators (SU24) introduced with the upgrade, it makes sense to go through them one by one anyway to only add the access you want.

Perhaps you want to use the upgrade as an opportunity to re-think your role design - and in particular the number of them - if that is feasible and time allows?

Cheers,

Julius

Edited by: Julius Bussche on Aug 19, 2008 8:05 PM

Former Member
0 Kudos

If you aren't going to take the time to go through the new objects one by one and see the effects on your roles, you may be better off just using the SAP_NEW profile to build a temporary "upgrade" role containing the objects that are new to your environment. You'll have to have a look at SAP_NEW and pull out the objects that are really new (the delta between your existing version and the version you are upgrading to), as I believe SAP_NEW just gets objects added to it cumulatively as each release occurs, so it may contain objects that you have already accounted for in your current environment.

0 Kudos

The problem I often see with using SAP_NEW in this manner is that often you get to a situation where it gets left in and forgotten post-upgrade.

As security is (nominally) functioning, there is little appetite for the business to support the work required to fix it properly which should have been planned in as part of the upgrade work.

The contents of SAP_NEW are also rather concerning from a security point of view as there is no distinction between the functional & system objects that you add to the users.

Javier - there is no practical way of adding a * into new objects and to be honest it would be very bad practice to indiscriminately start adding * values without understanding the impact to each role that you are applying it. Upgrades come at a cost and one of those costs is performing due diligence with regard to the security upgrade steps.

Former Member
0 Kudos

Hi,

I think there is no standard method for adding the * value to all new objects while upgrading to a new system. You have to rethink giving the * value to all new authorization objects because it contains lots of business risk.

Sometimes an upgrade also presents old authorization objects as new, if we have deleted these authorization objects in the old system (not maintained in the new one). Giving the * value can give all access (create, change, delete) to users. If you want to give all access temporarily, then you can remove all profiles from users and add the SAP_NEW profile. After that you can upgrade the roles as per business approval for all fields of authorization objects.

Giving the * value is not advisable in any case.

If you want to give the * value to unmaintained fields anyway, then you can do it by clicking just one option. Go through the roles one by one and, in the authorizations tab, go to the expert tab; at the top of all the authorization objects, after the role name, where it shows all the signals (red, green, yellow), click on that, and the * value gets added for all new authorization tabs.

I think this is the only way to do it.

Do let me know if you need any further help.

Former Member
0 Kudos

I guess I'll clarify my point. I'm not saying that SAP_NEW is the way to go. Obviously, in an ideal world, you'll do an analysis and testing of your roles during the upgrade testing phase, identify the objects/values that are needed in your environment and deal with them then. I was just pointing out that instead of going through all 4000 of your roles and just adding *'s everywhere, it's probably much easier to use SAP_NEW. You can do some pretty quick and easy analysis of the objects in your pre-upgrade roles vs what's in SAP_NEW and create a new role with the delta. This should ensure that you don't knowingly break any of your pre-upgrade security concept, but does open you up for the unknown. I think it's probably a bit easier to go through the objects in this one role and merge them into your security concept post-upgrade than it is to put *'s in all of your existing roles, then go back and change all 4000 of them.
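
The delta analysis discussed in this thread can be scripted outside the system. The following is an added example, not part of any post above and not SAP-delivered code: it assumes role authorizations and the SAP_NEW object list have been exported to CSV with the hypothetical columns `role,object,field,value`, and the `Z_*` names are constructed sample data. It computes which SAP_NEW objects are genuinely new to the existing roles, then flags roles that still carry `*` on those objects after the upgrade, which is the "left in and forgotten" condition raised earlier in the thread.

```python
import csv
import io

# Constructed sample exports (not from a real system).
# Column names role/object/field/value are assumptions for this example.
PRE_UPGRADE_ROLES = """role,object,field,value
Z_FI_CLERK,F_BKPF_BUK,BUKRS,1000
Z_FI_CLERK,F_BKPF_BUK,ACTVT,03
Z_BASIS_OPS,S_TCODE,TCD,SM37
"""
# Objects listed in SAP_NEW; it is cumulative, so some are already in use.
SAP_NEW_OBJECTS = ["F_BKPF_BUK", "S_TCODE", "Z_NEW_OBJ_A", "Z_NEW_OBJ_B"]
POST_UPGRADE_ROLES = """role,object,field,value
Z_FI_CLERK,F_BKPF_BUK,BUKRS,1000
Z_FI_CLERK,Z_NEW_OBJ_A,ACTVT,*
Z_BASIS_OPS,Z_NEW_OBJ_B,ACTVT,03
Z_UPGRADE_TEMP,Z_NEW_OBJ_A,ACTVT,*
Z_UPGRADE_TEMP,Z_NEW_OBJ_B,ACTVT,*
"""


def load(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def delta_objects(pre_rows, sap_new_objects):
    """Objects in SAP_NEW that no pre-upgrade role already contains."""
    covered = {row["object"] for row in pre_rows}
    return sorted(set(sap_new_objects) - covered)


def wildcard_findings(post_rows, delta):
    """Map role -> sorted (object, field) pairs where a delta object holds '*'."""
    findings = {}
    for row in post_rows:
        if row["object"] in delta and row["value"].strip() == "*":
            pair = (row["object"], row["field"])
            findings.setdefault(row["role"], set()).add(pair)
    return {role: sorted(pairs) for role, pairs in findings.items()}


if __name__ == "__main__":
    delta = delta_objects(load(PRE_UPGRADE_ROLES), SAP_NEW_OBJECTS)
    print("Objects to review for the delta role:", delta)
    findings = wildcard_findings(load(POST_UPGRADE_ROLES), delta)
    for role, pairs in sorted(findings.items()):
        print(f"{role}: '*' still present on {pairs}")
```

Running the second check on a schedule after go-live gives a concrete list of roles and fields that still need a reviewed value in place of `*`.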