Solved: SAP Security Report for single and composite roles

Former Member · ‎08-13-2009

Hi

I have a requirement to create a cutomize report in SAP Security.

I have to display Composite roles,corresponding single roles,the tcodes assigned to those single roles and the description of t- codes. The selection screen has composite roles,single role and T-code which are optional.User can enter selection in any of the selection critreria.How should I go on this?If user gives only composite roles on the selection for e.g 'TEST'. for this role I get suppose 3 child roles 'TEST1' 'TEST2' 'TEST3' from table AGR_AGRS.Now to get the tcodes i go to table 'AR_1251' and I get the tcodes.

But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.for e.g, 'TEST' 'SAP1' 'SAP2' etc..Now if go to get the tcodes for this single role in AGR_1251,I will ceatainly get the tcodes for eg MM01,FB01,etc.But then how would I know whether MM01 belongs to composite role 'TEST' SAP1' or SAP2' for the single role 'TEST2'.

Please advise.

Thanks

Edited by: Julius Bussche on Aug 13, 2009 4:52 PM

Subject title improved

jurjen_heeck · ‎08-14-2009

The tcode description may be a bit tricky as you cannot join tables AGR_1251 and TSTCT on the relevant fields but the general join will be AGR_AGRS and AGR_1251 joined by AGR_AGRS-CHILD_AGR and AGR_1251-AGR_NAME.

You can test this bit in SQVI to see if it suits your needs. Filter AGR_1251 on OBJECT=S_TCODE and DELETED<>X.

Former Member · ‎08-13-2009

The system does not care whether the tcode is in a single assigned or via a composite assigned role, so why should you?

If you did care, then you wouldn't use composites which solves the problem by itself...

Cheers,

Julius

Former Member · ‎08-13-2009

Hi Julius

Thanks for your prompt reply.Could you please advise me on how I should go with this report in context with data selection part.

Thanks

Former Member · ‎08-13-2009

I though of seperate selection options for singles and composites, but you also said:

> But if user give only single role on the selection for eg 'TEST2' ,for this single role 'TEST2' there would be multiple composite roles.

My suggestion would be to build better single roles, but that is just me...

Cheers,

Julius

jurjen_heeck · ‎08-14-2009

> My suggestion would be to build better single roles, but that is just me...

As I read it, if you select a single, you may find it occurs in multiple composites and that doesn't seem a problem to me...

Former Member · ‎08-14-2009

For me, the sanity check is whether one can have an ownership of the role - because otherwise the security admin (or some basis guy) has to make the decisions.

When you have a singe role assigned to a multiple of composites, then this becomes more difficult and error prone.

Cheers,

Julius

jurjen_heeck · ‎08-14-2009

> When you have a singe role assigned to a multiple of composites, then this becomes more difficult and error prone.

Unless all those composites share the same owner. Understood. Good point.

jurjen_heeck · ‎08-14-2009

The tcode description may be a bit tricky as you cannot join tables AGR_1251 and TSTCT on the relevant fields but the general join will be AGR_AGRS and AGR_1251 joined by AGR_AGRS-CHILD_AGR and AGR_1251-AGR_NAME.

You can test this bit in SQVI to see if it suits your needs. Filter AGR_1251 on OBJECT=S_TCODE and DELETED<>X.