Hi Sandhya,

How can i transfer a role that exists in central system to child systems with out manually creating, uploading, or transporting it to the child systems, by distributing it. Is it possible?

I dont think CUA works like that. You dont maintain any Role Data in Central System. Maintain the Roles in the Child Systems and do only Role assignment to the Users via the Central system.

If we want to add missing authorization to the user, say some tcode or an authorisation object and if the users has many roles, how can we decide that this tcode or auth object should be added to this particlar role.

Let the request for adding a tcode come from the Business Users/Process Owners.

If your Security roles are appropriately built then you will know which role this new tcode will go into otherwise you need to consult the Function module experts/Role Owners to suggest you the right role. If this tcode cannot be added to an existing role then you may have to create a new role.

Usually Adding a Missing Authorization object comes when the User is not able to completely run a tcode and where there is an Authorization Failure. Tell the User to do an SU53 screenshot and send it to you to find the missing authorization object and you can add it to the role which contains the tcode that user ran.

Sometimes you may have to switch on the Authorization trace to identify the missing authorization object.

Hope this helps.

Regards,

Kiran Kandepalli.