AHH YES.

But, why we have the possibity to change values of authorization objets in derived roles??

What is exactly the difference between authorization objets an organization levels in a derived role??

For what we use:

- authorization objets

- organization levels

in derived roles ?

I have same confusion here.

Thank you very match.

> But, why we have the possibity to change values of authorization objets in derived roles??

Not sure, but it can be usefull to build roles using a parent role with derived org roles up to a certain point, and then divorce them from the parent when they reach a level of "maturity" where you want them to survive on their own.

But then you should "retire" the parent role.

People make mistakes as well, which only become apparent later.

Cheers,

Julius

> a. Role contains profile (in 1:1 ratio)

This might not be correct in all the cases. In case of very big role having a lot of transactions, it can have more than 1 profile.

Regards,

Edited by: Lakshmi Venigala on May 12, 2009 8:41 AM

Round 1 goes to Lakshmi...

Round 2 goes to Dipanjan...

It is one profil

Using SE16 you can find various tables that hold Role/ProfileInformation:

AGR_1016: Role to Profile.

AGR_PROF: Role - Profile - Text

PRGN_CUST: Profile Generator customization settings

USOBT_C: Default values for Profile Generator

USOBX_C: Check indicators for Profile Generator

USR11: Profile description

USR04: user profile assignments

UST10C: Composite Profiles

UST10S: Simple Profiles

I have created a simple parent role and I have added to this role the transaction SE11.

I find in this role many authorization objects as S_DEVELOP for ABAP workbench.

In the field ACTVT of this object, there are many values:

01: create or generate

02: change

03: Display

06: delete

07: Avtivate, generate.

Now I can affect this role to an user without problemes.

But Now I want affect to another user the same transaction and authorisations

without possibilties Delete (06) in S_DEVELOP.

So what can I do for that?

I have to create a derived role of this role and disactivate option 06: delete in S_DEVELOP?

Or I have to create organization levels? Or what ??

N.B: I don't have organization levels in this role.

Thanks.

>

> To make you more clear: Please answer me one question: When you generate the Profile of a Role, how many Profile name SAP proposes to you? More than One?

To make it less clear again, when you look in SU02 does that single profile contain all the data or do you have to look in the subsequent generated profiles too?

It seems SAP treats them in 2 ways:

As a single profile (profile creation - simplification is the key to the profile generator)

As multiple profiles (assignment to user & in SU02, probably user buffer population too)

> But Now I want affect to another user the same transaction and authorisations

> without possibilties Delete (06) in S_DEVELOP.

One option is to remove 06 from SU24 as you only want it for the SE11 object types for "special users" - they should not have 06 simply on the grounds of having SE11.

Then either identify a role or transaction from which those "special users" only can derive this authorization value and ensure that it is a proposed value there, or, you could possibly also edit the object for that "special role" which will set the authorization to "Changed" status and SU24 will ignore it in future.

Cheers,

Julius

Thank you for this answer.

So I don't need to create derived role.

But if I change se11 in SU24, it will be changed for all the roles where there is se11??

And if I want to create others roles with others values in this objects, I have to modify

SE11 whenever before to create a role ???

best regards

But if I change se11 in SU24, it will be changed for all the roles where there is se11?? Yes

I don't want to delete this option for all roles, I want do this just for my new role.

So If I understand you Dipanjan Sanpui, I don't need to use su24. I will just copy my role and

change the values witch I need and affect my new role to the user.

Best is to make a general decision about changing SU24 and stick to it.

Using the "least number of roles affected" is tempting, but will confuse you when you see a Changed or Manually authorization.

In my opinion there should be less impact for special users, possibly less roles and certainly more transaction contexts to use for bringing in the special authority.

Try to keep your end user roles clean and maintain SU24 for them, make exceptions for special users only. This also makes it more analyzable (and auditable...).

Cheers,

Julius

This message was moderated.