Solved: Use of Role Distribute function in PFCG?

Former Member · ‎04-22-2009

Hi Gurus,

We have a set of roles that will be of cross system nature. The simplest one is the security user admin, being the same across say BI dev, ECC dev, XI dev... etc.

To maintain the sync between systems on any updates to these roles, I tried to explore the distribute feature in PFCG, distributing the role to another system upon any update.

First thing I noticed, is, I can only mention one RFC, also I cannot maintain multiple entries in SSM_RFC for one variable. Hence, I can only push it to one client.

Second, it only pushes the text and menu information. It does not push the profile. Any tcode added to the menu, is pushed, but the underlying authorization is not. and on any push, we have to go to the target client to generate the role for consistency.

Can anybody tell me, where and why can this feature be used? Am trying to understand it

Thanks

Abhishek

Bernhard_SAP · ‎04-24-2009

Hi Abishek,

press the blue 'I' Button on the menu-tab of pfcg and/or check point 5 of http://help.sap.com/saphelp_nw70/helpdata/EN/52/6714b6439b11d1896f0000e8322d00/frameset.htm

This feature is an old workplace feature, which is still available (menu is available in system a, effective start of transactions of that menu happens in other systems B,C,D,....).

It is normal that only one rfc destination can be used per role. Teh variable is only available to be able to transport the role to another system where this variable could link also to another rfc destination...

b.rgds, Bernhard

Bernhard_SAP · ‎04-24-2009

Hi Abishek,

press the blue 'I' Button on the menu-tab of pfcg and/or check point 5 of http://help.sap.com/saphelp_nw70/helpdata/EN/52/6714b6439b11d1896f0000e8322d00/frameset.htm

This feature is an old workplace feature, which is still available (menu is available in system a, effective start of transactions of that menu happens in other systems B,C,D,....).

It is normal that only one rfc destination can be used per role. Teh variable is only available to be able to transport the role to another system where this variable could link also to another rfc destination...

b.rgds, Bernhard

Former Member · ‎04-24-2009

Hi Bernhard,

Thanks for your reply, it was very helpful for me to understand this feature

This is a very very interesting feature......what I understood is, this feature is not to maintain sync of roles, but infact enables a direct transaction call onto another client using the RFC defined as the target system.

The only problem is, since the profiles are not pushed when we save the role, the role is only capable of making a call, not giving the authorizations.

To have the ability to call to a different client, first a trust relationship needs to be built. Second, a secondary role that gives the authorization needs to be maintained with S_RFCACL maintained for the trusted call.

The only place I think it can be helpful is creating a dashboard in the user menu to centrally call tranasctions to other client by maintaining one role per client. for example solution manager needs a trust relationship with other systems, if those systems are B,C & D. create one role each for B,C & D, and maintain the menu in the role to have a folder describing the destination client. Assign this role to the user in the solution manager client, and ola!

Let me know what you think of this...

Thanks

Abhishek

Bernhard_SAP · ‎04-27-2009

>

 
> To have the ability to call to a different client, first a trust relationship needs to be built. Second, a secondary role that gives the authorization needs to be maintained with S_RFCACL maintained for the trusted call.
> The only place I think it can be helpful is creating a dashboard in the user menu to centrally call tranasctions to other client by maintaining one role per client. for example solution manager needs a trust relationship with other systems, if those systems are B,C & D. create one role each for B,C & D, and maintain the menu in the role to have a folder describing the destination client. Assign this role to the user in the solution manager client, and ola! 
>

Hi Abishek,

that was the idea behind this feature. Users needed to log on only once to the Workplace system and could

execute transactions in the target systems without having to log on there explicitely.

As you mentioned, the technical preconditions (RFC-accessability) have to be set up seperately. Please be careful when allowing the systemaccess through (trusted) RFC for the users.

b.rgds, Bernhard

Former Member · ‎04-27-2009

Thanks Bernhard. I really appreciate the useful info you have provided.

I might not implement it right now, however, its always good to know this feature is out there

Private_Member_119218 · ‎04-24-2009

Slightly off topic, but have you considered the use of CUA in you SAP landscape?

Former Member · ‎04-24-2009

What is wrong with the "old" transport mechanism??

Former Member · ‎04-24-2009

Hi Martinsh, thanks for your reply. Yes, we do have CUA implemented, however that is for centralized user administration. I am not sure how this applies to the roles.... let me know if I missed anything

Thanks..

Abhishek

Former Member · ‎04-24-2009

Hi Auke, I dont know if this question was for me?

However, right now I am following the conventional method, was just curious about this feature as I have never seen it being used.

Thanks

Abhishek