Solved: Security upgrade question

Former Member · ‎09-23-2008

Hello there, we have just gone through some new installations and upgrades (support pack level.. etc.). We've encountered few problems after this, could anyone of you kindly advise.

After running the program PFCG_TIME_DEPENDENCY in SA38, we received the following warning messages:

"Authorisation profile for role SAP_XXXXX does not exist", and

"Role SAP_XXXXX does not contain a profile or authorisations"

When I further select the message, it navigates me to another message that says "Messages for SU22 and the Profile Generator".

I checked these roles (all are SAP standard roles) in PFCG, and those that do not contain authorisation profile is because the organizational level is not maintained.

Now my question is, do I need to separately go though all these hundreds of roles one by one to maintain the organizational level for them, or is there way to mass-maintain?

Or.. does this have anything to do with SAP_ALL profile regenerate, will that help?

Thank you for answering!

Former Member · ‎09-23-2008

You will probably have PFCG_TIME_DEPENDENCY scheduled as a job already with a variant.

Run it from SA38 via that variant (e.g. all roles "not equal to" SAP* naming convention, etc) if you want to do it manually.

Cheers,

Julius

PS: It might still be interesting to compare the SAP* role menu between the old and the new. Generally, the access changes with SU22 (SAP does this, and you perform the SU25 steps => SU24), but the menu could change as well.

Former Member · ‎09-23-2008

The profiles for the standard delivered SAP roles are not generated - this is the reason for the error message. You can, in your selection criteria - just select Z* roles to run the "user compare" program.

Edited by: JC on Sep 23, 2008 4:07 PM

jabella · ‎09-23-2008

Hello Theoz,

There is no need to modify any of the SAP* roles. Those are just delivered as a help for the administrators to create there own versions of the roles. They are commonly delivered without a profile o not generated. Just ignore them and only take care of your customize roles.

Regards, Jose.

Former Member · ‎09-23-2008

You will probably have PFCG_TIME_DEPENDENCY scheduled as a job already with a variant.

Run it from SA38 via that variant (e.g. all roles "not equal to" SAP* naming convention, etc) if you want to do it manually.

Cheers,

Julius

PS: It might still be interesting to compare the SAP* role menu between the old and the new. Generally, the access changes with SU22 (SAP does this, and you perform the SU25 steps => SU24), but the menu could change as well.

Former Member · ‎09-24-2008

Hey guys, thanks for the quick response.

If I don't generate those standard roles without authoristions or a profile.. will this affect those users who are assigned to SAP_ALL?

p/s besides, we've encountered another issue while running PFCG_TIME_DEPENDECY, I will post it out in a separate message.

Thanks and best regards

Former Member · ‎09-24-2008

> If I don't generate those standard roles without authoristions or a profile.. will this affect those users who are assigned to SAP_ALL?

No. You (re)generate SAP_ALL via other means (SU21, RSUSR406, etc).

Cheers,

Julius

Former Member · ‎09-24-2008

> p/s besides, we've encountered another issue while running PFCG_TIME_DEPENDECY, I will post it out in a separate message.

Just a guess from me now: You are using composite roles which have the same single roles in them a multiple of times but with different validity dates? If so, the answer is PRGN_COMPRESS_TIMES.

(just a guess in the dark)

Cheers,

Julius

Former Member · ‎09-24-2008

Julius, I've now created a new meesage called "Another security upgrade question". Can you check my problem details and see if that's the same issue as you described?

Appreciate it, thank you!

Former Member · ‎09-24-2008

No, that sounds like a different topic - not related to roles assigned a multiple of times to the same user ID.

Cheers,

Julius