Solved: Is there a report that shows OPEN Authorization af...

Former Member · ‎03-12-2009

I'm currently upgrading from ECC4.6C to 6.0, with unicode conversion.

I have run SU25 and found that step 2C generates a list of 3000 roles that needs to be changed.

Q1) Is there other report (other than using SU25) that shows the 3000 roles with open authorizations?

Q2) How do I find out which auth objects are new?

e.g In ECC6.0 SU24, txn LI21 proposed default values for F_BKPF_KOA. This is not the case for 4.6C.

Is there a report that generate a list of such cases?

My plan is to download USOBT_C from 4.6C and 6.0C to do a comparison. Is there other method?

-

After changing the these roles DEV, it would be transported to QA system for testing.

Q3) Do I need to run SU25 in QA system again?

Thanks in advance

Former Member · ‎03-20-2009

Sorry to be a "smart-ass" in your moment of need, but I cannot resist pointing out that less roles built at a higher level and using the SU24 to derive the authority for them does make your life much easier in the long run, or if you apply regular Support Packs then even in the short run...

But to answer your question:

1) Tables to use for new tcodes are PRGN_CORR*.

2) Make sure you delete SAP_NEW after each SP, then you will see the completely new and extended objects there.

3) You should never make changes with SU22 - otherwise it behaves like SU24...

4) If you have an intact SU22 in new and old version... then there is a nifty tool from Microsoft called "windiff" which will help you further to see what SU25 will find, before it tells you which roles are affected. That way you can prioritize the objects and the number of roles they will hit.

Not using composite roles and only using derived roles when you are sure that they will remain the same in their task at a lower level than the "job" and sufficiently scalable to make sense also helps... long before the upgrade...

This is why upgrades are a great opportunity to start over again and stick some "leasons learnt" feathers in your hat...

Cheers and good luck,

Julius

l_borsboom · ‎03-20-2009

You should be able to make your selection with SE16:

in table AGR_1251 the field AGR_1251-NEU is checked ('X') if it is a newly added object.

Kind regards,

Lodewijk Borsboom

Former Member · ‎03-31-2009

When I compared TOBJ table in 4.6C and ECC6.0, there are auth objects in 6.0 which are not found in 4.6C.

I was expecting these objects to be flagged as 'N' in AGR_1251 table in 6.0 but they are flagged as 'O' instead!

Former Member · ‎03-20-2009

Hi Dominick,

1) One quick way to list open authorizations in roles is to filter on AGR_1251 with explicit blank on low field excluding deleted objects.

2) Possibly this is the best way out. Download and compare USOBT_C, maybe you will have to push it in a database , create a concatenation key and run a both side compare

3) Would not be needed

Former Member · ‎03-31-2009

Yes, we can list out all open authorizations (objects with blank fields). But these blank fields won't appear until I generate all the 3000 roles listed by SU25.

Is there a report or table that will show me what auth objects that will be added, but without me generating the roles yet?

Former Member · ‎03-20-2009