Yes ! the maintainence box is same as development box.

before the refresh , the basis team is extracting the user master data through SCC8 using the profile sap_user . Once the refersh of th M box from P is done , they are importing back the user master data which was extracted from the M box . doing this we are still are having the old security profiles and roles which are not on synch with Production.

Is there a way to fix this .

Thanks !

Strange, were there any updates done to those roles directly in prod?

Well, anyway, to focus on the solution, if you have changes to roles that are different in production and dev, then you will have to do some analysis of the roles. If you have the list of roles that you want to be replaced in dev, then you can mass download the roles form prod and upload it into dev. Just be careful because this will replace the role in dev. Mass generate it again.

Ensure to transport the roles again to get them all in sync...

If you do not want to replace a set of roles, then you will have to manually add the changes to the dev box by SUIM compares and/or comparing agr_1251 / 2 tables of them.

Make sure you backup all the roles of dev in a different client to have a reference copy...

Hope this helps...

Abhishek

Hi Abhishek

Thanks for the info , we do not generate anything in production , but i dont know how the things have got messed up in the M box.

We need to sync up all the roles in the systems which is about 2600 roles . Not sure if the download , upload and generating option will be feasible ,

The point is how to get the M system users with the latest security after the sync up

Regards

jayu

For this one-time activity ask the Basis team to set up a transport route from Production to your security development client. Raise the required transports to flush everything back into the development system.

> ...but i dont know how the things have got messed up in the M box.

Prossibly the downloading from foreign systems and uploading into your "M-box" etc caused the mess in the first place.

> We need to sync up all the roles in the systems which is about 2600 roles . Not sure if the download , upload and generating option will be feasible ,

The download does not include Inactive authorizations, but these are important to let the system know that you have decided that the proposals from SU24 should, for this role, be ignored. When you upload it without inactive authorizations, the system again thinks that you do know what you are doing in SU24 and have done nothing to interfer in PFCG - so it will bring in the standard authorizations again.

Compare the Manual authorizations and Changed authorizations and possible Inactive authorizations of the role data between your systems. If you have many and they are different, then this might be the cause.

> we do not generate anything in production

If your Su24 and other PFCG config is consistent, then this does not make a big difference.

Another possibility is that the sequence of your transport request imports has caused inconsistencies?

Cheers,

Julius

>

> > The download does not include Inactive authorizations
> 
> I think this information is outdated. 
> 

That is some good news. I will test it again next week, but suspect that it might also have been my error because some of the authorizations in the role were "Manually" imported and then set Inactive.

Cheers,

Julius

helo phaneendra,

Thanks for the info, i did think of this profile use in prod , but need to check with basis team if they can get the approval.

But in case we do this export from P using profile SAP_prof and import it into M , how do we put back the users with the asigned roles in M (before refresh they are using SAP_user and extracting the user master data with authorizations , after the refresh they are importing back )

the users in M and P box may be different

Regards

Jayu