i did get a profile generated for a composite role, when i have assisgned the role to a user in SU01 in the profile tab.... is there any means how to manage this? (i had to delete this profile for the changes to take effect)

How can a user execute a tcode which is assigned to a composite role if there are no authorizations for it? I mean there is no S_TCODE in an composite which is the first line of AUTHORITY-CHECK for any tcode.

You remove the tcode from teh single role using PFCG and that should be enough.

>

> i did get a profile generated for a composite role...

No you didn't.

the composite role had 2 single roles. i have remove the transaction f-42 from all the 3 roles. (2 singles and composite role). but still the transaction was being executed!

what i noticed is concerning profiles generated for roles. 3 profiles were generated when i assigned the role to a user in SU01. (1 for each role). i had to delete the profile generated from the composite role for it to work.

is there any other method of doing this apart from deleting the profile.

hope u understand what i mean

thanks.

Hi Rakesh,

Hope you have made user compare to composite role , so that the authorization changes get reflected to user master record after tcode removal.

Regards,

Sneha

Hi,

It is possible to create a menu for a composite role. It takes the roles and there from a "composite" role menu is created, which you can edit. If you change the role, i.e. you delete a transaction, this will not be corrected in the created composite role menu. You have to update it yourself or create it again. Mostly there will be no created or edited menu, because it is more maintenance and so more expensive and more fault sensitive.

If you did not do this then I agree with the others that a composite role has no profile, are you mixing this up with roles and derived roles? It is possible that the profile generator (PFCG) creates more than one profile from a role, but if you change the role and generate the profile again this will be corrected without your help.

When you have changed your role and authorizations look at the user tab if it is yellow, Yes hit the button user compare.

Look also if you have the settings right when you run the PFCG. You find that when you are "in" the role under utilities--> settings choose the automatic user master adjustment line.

Have fun

Bye Jan van Roest

Hi Rakesh,

Firstly- A composite role does not have a profile simply because it does not have any authorizations.

Secondly- The relation between role to profile is not 1:1 it is 1:n. So there can be more than one profile assigend to the role.

Finally-

>i have remove the transaction f-42 from all the 3 roles. (2 singles and composite role). but still the transaction was being executed!

Check all roles again and see the tcode has multiple instances in the menu of teh single roles, use the find option (binocular) on the menu tab, and also check in the object S_TCODE within teh authorizations tab of each single role. Forget the composite role for the time being.

If you ensure that F-42 is not in any of teh above and the user does not have any other role or profile assigend other than the single roles via the composite role that we are testing, you can be assured that the user cannot execute the tcode.

The composite role is nothing but an envelope.