08-22-2008 9:50 PM
In the last month we have encountered unsual problem with our transport of roles with Z tcodes (custom transaction). The transaction were created from "report painter or screen painter".
This was an example from last night.
ZFM02 was created and added to a role. ZFM02 required a few authorization objects, one of them was G_800_GRP. In SU24 G_800_GRP was added to tcode ZFM02. The role was regenerated using Expert Mode->Read old status and merge with new data. I verified the role has auth object G_800_GRP with an activity of 3.
It tested OK in DEV.
We transported it to QA (Overwrite Setting) and ZFM02 failed, it was looking for G_800_GRP activity 3. In QA, I went to PFCG and regenerated the roles without any changes. ZFM02 started to work.
We transported it to PROD. We encountered the same problem, I have to regenerate the role in PROD, in spite of auth object G_800_GRP activity 3 existing on the role.
I went to SAP market place and could not find this issue. I thought I'll give the forum a shot before I open a SAP message.
OK experts, solve this issue and I'll buy you a beer on the upcoming SAP Tech Ed in Las Vegas.
Thanks!
08-25-2008 8:37 AM
Hi,
did the import finish with RC=0?
Are the transaction definitions consistent through your system landscape? And also the SU24-settings? did you select to transport the profiles as well together with the role?
b.rgds, Bernhard
08-23-2008 6:54 AM
08-25-2008 5:36 PM
>
> Hi John,
>
> It seems that some changes were made to the role after transport creation.
> Please refer to the following thread and some useful comments by Bernhard Hochreiter :
>
>
> I feel that you need to recreate the transport in Dev and transport the roles to Q and P.
Not the case. No changes to roles after transport. This problem just started, we have been doing the same security transport for 3 years. Thanks the suggestion.
08-25-2008 8:37 AM
Hi,
did the import finish with RC=0?
Are the transaction definitions consistent through your system landscape? And also the SU24-settings? did you select to transport the profiles as well together with the role?
b.rgds, Bernhard
08-25-2008 5:37 PM
>
> Hi,
>
> did the import finish with RC=0?
>
> Are the transaction definitions consistent through your system landscape? And also the SU24-settings? did you select to transport the profiles as well together with the role?
>
>
> b.rgds, Bernhard
Yes, it is RC=0. Transport was set to overwrite.
08-25-2008 10:46 PM
Hi John,
First you should transport the SU24 table D to P, after that you should transport the role from D to P. No need to regenerated in QUA & PROD.
I think this solution will help you.
Thanks
Purna
Edited by: Purnachandrarao Paruchuri on Aug 25, 2008 11:46 PM
08-26-2008 12:23 AM
>
> Hi John,
>
> First you should transport the SU24 table D to P, after that you should transport the role from D to P. No need to regenerated in QUA & PROD.
>
> I think this solution will help you.
>
> Thanks
> Purna
>
> Edited by: Purnachandrarao Paruchuri on Aug 25, 2008 11:46 PM
This is something we haven't done by design for 3 years and had no problems until now. I'll test this, if it fixes the problem our process needs to change. This is one of my worst fears but probably unavoidable.
I'll keep everybody posted.
08-26-2008 5:59 AM
Hi John,
if you don't find the clue, simply open a message at SAP (I hope the release your systems are on are current...). System access by support will be necessary, pls prepare an example, which support may transport to reproduce the problem and analyze it.
b.rgds, Bernhard
08-26-2008 12:37 PM
I've seen this, unfortunately without finding the explanation. Seems like the roles themselves are tranported, but not the related profiles. What we did was start using specific names when generating profiles, not relying on the automatic SAP proposals. Also, schedule re-generation of profiles to run at specific intervals (hourly if needed).
08-26-2008 4:13 PM
>
> Also, schedule re-generation of profiles to run at specific intervals (hourly if needed).
It looks like you had it worst.
08-26-2008 4:17 PM
>
> >
> > Hi John,
> >
> > First you should transport the SU24 table D to P, after that you should transport the role from D to P. No need to regenerated in QUA & PROD.
> >
> > I think this solution will help you.
> >
> > Thanks
> > Purna
> >
> > Edited by: Purnachandrarao Paruchuri on Aug 25, 2008 11:46 PM
>
> This is something we haven't done by design for 3 years and had no problems until now. I'll test this, if it fixes the problem our process needs to change. This is one of my worst fears but probably unavoidable.
>
> I'll keep everybody posted.
Transporting the auth object created from SU24 prior to the role did not work. I will be opening an SAP message to have this resolve.
Re-generation of a role in QA or PROD is an issue for me, I always want my roles from DEV through PROD to be consistent on the date and time it was generated.
Thank you all for your replies.
08-26-2008 4:21 PM
>
> Re-generation of a role in QA or PROD is an issue for me, I always want my roles from DEV through PROD to be consistent on the date and time it was generated.
>
> Thank you all for your replies.
I understand your concern. Regardless of consistency, it was a pain in the neck in old versions having to run SUPC after every import!
I've seen non-generated roles after a transport but only rarely and then only when transporting thousands of roles at a time in very frequent transports (despite tpt's not flagged with errors).
I've never got to the bottom of it but it sounds very different to your situation. Good luck!
08-27-2008 12:47 PM
Hi,
Have you taken a look at note 571276? It mentions some errors occurring if a user compare with cleanups is running when the import of the role is performed.
Regards
08-27-2008 6:40 PM
>
> Hi,
>
> Have you taken a look at note 571276? It mentions some errors occurring if a user compare with cleanups is running when the import of the role is performed.
>
> Regards
Awesome!
I think the following is relevant from the SAP Note. This is something I can test when we encounter the problem.
SAP Note: 571276
a) Changing the authorization data for the role
Every time you change the authorization data of a role and regenerate the profile, you must create a new transport request. This is also the case if the role is part of older requests that have not yet been released. Otherwise, the transported profiles are not current.
You can also transport the roles without profiles (see above). In this case you must regenerate them in the target system after every import.
08-28-2008 1:53 PM
SAP Note: 571276
a) Changing the authorization data for the role
Every time you change the authorization data of a role and regenerate the profile, you must create a new transport request. This is also the case if the role is part of older requests that have not yet been released. Otherwise, the transported profiles are not current.
You can also transport the roles without profiles (see above). In this case you must regenerate them in the target system after every import.
That is what I meant you to go through when I gave you the link in my previous post
08-28-2008 4:08 PM
>
>
SAP Note: 571276
> That is what I meant you to go through when I gave you the link in my previous post 😉
Sorry I misread your reply.