Use of Role Distribute function in PFCG?
We have a set of roles that will be of cross system nature. The simplest one is the security user admin, being the same across say BI dev, ECC dev, XI dev... etc.
To maintain the sync between systems on any updates to these roles, I tried to explore the distribute feature in PFCG, distributing the role to another system upon any update.
First thing I noticed, is, I can only mention one RFC, also I cannot maintain multiple entries in SSM_RFC for one variable. Hence, I can only push it to one client.
Second, it only pushes the text and menu information. It does not push the profile. Any tcode added to the menu, is pushed, but the underlying authorization is not. and on any push, we have to go to the target client to generate the role for consistency.
Can anybody tell me, where and why can this feature be used? Am trying to understand it
Bernhard Hochreiter replied
> To have the ability to call to a different client, first a trust relationship needs to be built. Second, a secondary role that gives the authorization needs to be maintained with S_RFCACL maintained for the trusted call.
> The only place I think it can be helpful is creating a dashboard in the user menu to centrally call tranasctions to other client by maintaining one role per client. for example solution manager needs a trust relationship with other systems, if those systems are B,C & D. create one role each for B,C & D, and maintain the menu in the role to have a folder describing the destination client. Assign this role to the user in the solution manager client, and ola!
that was the idea behind this feature. Users needed to log on only once to the Workplace system and could
execute transactions in the target systems without having to log on there explicitely.
As you mentioned, the technical preconditions (RFC-accessability) have to be set up seperately. Please be careful when allowing the systemaccess through (trusted) RFC for the users.