01-07-2009 10:49 AM
can anyone tell me how to manage profiles in autorisation. Are profile created for composite roles?
my task was to remove a transaction from single and composite roles. with single roles it work correctly but with composites roles i had to delete the profiles associated to it.... is it fisible?
thanks
01-07-2009 11:06 AM
Composite roles do not have any profiles in them. The profiles are contained in the single role within the composite roles.
So composite roles do not have any seperate authorizations in them. They carry the authorizations of their single roles.
01-07-2009 11:34 AM
i did get a profile generated for a composite role, when i have assisgned the role to a user in SU01 in the profile tab.... is there any means how to manage this? (i had to delete this profile for the changes to take effect)
01-07-2009 11:43 AM
How can a user execute a tcode which is assigned to a composite role if there are no authorizations for it? I mean there is no S_TCODE in an composite which is the first line of AUTHORITY-CHECK for any tcode.
You remove the tcode from teh single role using PFCG and that should be enough.
01-07-2009 11:43 AM
01-07-2009 12:02 PM
the composite role had 2 single roles. i have remove the transaction f-42 from all the 3 roles. (2 singles and composite role). but still the transaction was being executed!
what i noticed is concerning profiles generated for roles. 3 profiles were generated when i assigned the role to a user in SU01. (1 for each role). i had to delete the profile generated from the composite role for it to work.
is there any other method of doing this apart from deleting the profile.
hope u understand what i mean
thanks.
01-07-2009 12:11 PM
Hi Rakesh,
Hope you have made user compare to composite role , so that the authorization changes get reflected to user master record after tcode removal.
Regards,
Sneha
01-07-2009 12:53 PM
Hi,
It is possible to create a menu for a composite role. It takes the roles and there from a "composite" role menu is created, which you can edit. If you change the role, i.e. you delete a transaction, this will not be corrected in the created composite role menu. You have to update it yourself or create it again. Mostly there will be no created or edited menu, because it is more maintenance and so more expensive and more fault sensitive.
If you did not do this then I agree with the others that a composite role has no profile, are you mixing this up with roles and derived roles? It is possible that the profile generator (PFCG) creates more than one profile from a role, but if you change the role and generate the profile again this will be corrected without your help.
When you have changed your role and authorizations look at the user tab if it is yellow, Yes hit the button user compare.
Look also if you have the settings right when you run the PFCG. You find that when you are "in" the role under utilities--> settings choose the automatic user master adjustment line.
Have fun
Bye Jan van Roest
01-07-2009 1:15 PM
Hi Rakesh,
Firstly- A composite role does not have a profile simply because it does not have any authorizations.
Secondly- The relation between role to profile is not 1:1 it is 1:n. So there can be more than one profile assigend to the role.
Finally-
>i have remove the transaction f-42 from all the 3 roles. (2 singles and composite role). but still the transaction was being executed!
Check all roles again and see the tcode has multiple instances in the menu of teh single roles, use the find option (binocular) on the menu tab, and also check in the object S_TCODE within teh authorizations tab of each single role. Forget the composite role for the time being.
If you ensure that F-42 is not in any of teh above and the user does not have any other role or profile assigend other than the single roles via the composite role that we are testing, you can be assured that the user cannot execute the tcode.
The composite role is nothing but an envelope.
01-07-2009 11:09 AM
Hi rakesh,
If you remove tcode from Single roles associated with composite roles , it will automatically get reflected to composite roles. Composite roles do not have seperate authorizations.
Regards,
Sneha