
Mass maintenance of authorization objects

Former Member
0 Kudos

Is there a SAP transaction available to mass maintain authorization objects?

Let's say that I have 120 roles, in all of which I want to change the value of field Y of authorization object X. For example, object S_TABU_DIS. I want to exclude an authorization group in all available roles. How can I do this for all roles which have this object?

Modifying each role separately in PFCG is rather time consuming (and pretty unpleasant).

1 ACCEPTED SOLUTION

fredrik_borlie
Contributor
0 Kudos

It is also why SAP have invented the Organizational level where you can define a "master" role which then inherits the organizational levels from their respective role.

I see them as the master role gives access to the function where the derived role restricts upon which organizations you are allowed to perform these activities.

And for one company I worked at we created a role maintenance tool. If that is of interest, we can recreate the tool and put it up for sale.

/fredrik

13 REPLIES 13

Former Member
0 Kudos

> Modifying each role separately in PFCG is rather time consuming (and pretty unpleasant).

Exactly that is what the person who built the roles was thinking when they gave a * value to the auth group field each time.

The bugger with not doing it properly in the first place is that you get to do it many times over and over again.

The best thing which you could have done is change the SU24 proposals and do a mass merge on the roles. Had you maintained SU24 in the first place, you anyway wouldn't have this issue now - or at least not in the same magnitude.

Sorry, there is no quick fix available. You will need to go through each role individually this time and manually change to a set of ranges this time, and next time as well.

Cheers,

Julius

0 Kudos

Hi Fredrik,

Though take note that this is the authorization group of the table access (S_TABU_DIS). Not a natural candidate for an org. level combined with derived roles....

Though mind you, some folks promote S_RFC RFC_NAME to an org. level.

Some people also believe in aliens and spooks...

Anyway, what you might want to keep an eye out for is a new tool from SAP called the "Role Generator". It is an extension of PFCG designed exactly to ease this org.level problem and merge separately built single roles into one big one.

Again here, I doubt it will help much for S_TABU_DIS.

Cheers,

Julius

0 Kudos

Julius, I understand your concerns and points concerning changing a lot of objects (not org level). But in my opinion the answer is not so straight.

When companies start they develop an authorization concept (lots of times quite some years ago). In that concept they decide how it must work and there is no thought about maintaining proposals for objects etc. After a few years, and lots of roles in maintenance, the view of the organization changes concerning authorizations and the access of some information (for example) tables. Another example is the Cost Center (KOSTL). Indeed you can "promote" it to an organizational level but SAP gives (what is already mentioned) no standard solution for organization level maintenance.

In my opinion don't create an org level of the S_TABU_DIS and maintaining the roles is the master of Authorization Group. I think an ABAP can help you a lot. What are your concerns about creating an ABAP except time?

0 Kudos

Actually, SAP does provide a solution to promote and demote fields to org. levels. There are reports for this (use them and not the table maintenance transactions!) because they automatically adjust your roles as well - otherwise you end up with inconsistencies.

But I agree with you, that org-levels is not a natural solution for this specific problem and although retrofitting security is the most expensive option, one cannot foresee all requirements from the start and Go-Live project pressure can be a factor as well to use * values for fields which on their own appear to be harmless...

You could try to write an adjustment tool for PFCG, but with "only" 120 roles I think you will be faster and safer with doing it manually. I think that less than 1 day's work should fix it. However, if you are willing to invest 2 or 3 days more, you can also consider restoring the values from the SU24 proposals. Particularly if one group of transactions are in many of the roles and you can isolate the common transaction (the "guilty one"...) then you can do it more centrally in future as well.

However if you have not used the "Read old merge new" function in PFCG's expert mode, then you should be careful with this as other objects might "correct" themselves as well. Particularly if you have been deleting standard authorizations in roles! (Why that button even exists, I don't know. No good can come of it...)

Cheers,

Julius

0 Kudos

Julius, I know there is a report to promote a field to an organization level. But the maintenance of organizational levels in roles is also time consuming (maybe with the new tool you mentioned it is less work).

I totally agree about deleting standard authorizations objects and the problems you get from it.

This sort of discussions are very entertaining and I think something like this must be mentioned in SAP Courses. But not the ADM940, then everybody will stop with SAP Authorizations

Edited by: Juul Beckers on Oct 13, 2009 2:19 PM

Former Member
0 Kudos

There is no transaction available.

You could feasibly develop a tool to do it for you (ABAP based or possibly VB based working on downloaded roles .sap files) but to do it properly would take much, much longer than the 4 hours it will take to change 120 roles.

Former Member
0 Kudos

Thank you all for your helpful comments so far!

We are currently developing a tool for mass maintenance of organisational levels and authorization objects. Now we encounter a problem: whenever you enter a new authorization object into a role in PFCG, table AGR_1251 is updated with the corresponding records of that object. There are 2 fields in this table called "Authorization" (AUTH) and "ID" (Node). AUTH seems to be assigned to a specific instance of an object, NODE is related to the fields of one object. Does anyone know how PFCG assigns these numbers to a newly inserted object? Is this part of a specific function module or does it reside in the transaction itself? Any hints or tips to point our developer in the right direction would be great.
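Added example, not part of the original thread and not the tool the poster describes: a read-only scoping check that lists which roles hold an active S_TABU_DIS authorization with a `*` authorization group, and which activities that instance carries, so the manual PFCG work can be sized before anything is changed. It assumes a tab-separated export of AGR_1251 with the columns AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH and DELETED, and that a non-empty DELETED marks an inactive entry; the role names and AUTH values in the sample are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an AGR_1251 export (tab-separated); all values are made up.
SAMPLE_EXPORT = (
    "AGR_NAME\tOBJECT\tAUTH\tFIELD\tLOW\tHIGH\tDELETED\n"
    "Z_FI_CLERK\tS_TABU_DIS\tT_X1000100\tACTVT\t03\t\t\n"
    "Z_FI_CLERK\tS_TABU_DIS\tT_X1000100\tDICBERCLS\t*\t\t\n"
    "Z_MM_BUYER\tS_TABU_DIS\tT_X1000200\tACTVT\t02\t\t\n"
    "Z_MM_BUYER\tS_TABU_DIS\tT_X1000200\tACTVT\t03\t\t\n"
    "Z_MM_BUYER\tS_TABU_DIS\tT_X1000200\tDICBERCLS\t*\t\t\n"
    "Z_MM_BUYER\tS_TABU_DIS\tT_X1000201\tACTVT\t03\t\t\n"
    "Z_MM_BUYER\tS_TABU_DIS\tT_X1000201\tDICBERCLS\tMA\tMZ\t\n"
    "Z_OLD_ROLE\tS_TABU_DIS\tT_X1000300\tACTVT\t02\t\tX\n"
    "Z_OLD_ROLE\tS_TABU_DIS\tT_X1000300\tDICBERCLS\t*\t\tX\n"
    "Z_HR_ADMIN\tS_TCODE\tT_X1000400\tTCD\t*\t\t\n"
)


def wildcard_findings(export_text, obj="S_TABU_DIS", field="DICBERCLS", other="ACTVT"):
    """Return {(role, auth): sorted values of `other`} for every active
    authorization instance of `obj` whose `field` holds the wildcard '*'."""
    values = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        # Skip other objects and entries flagged as deleted (assumed inactive).
        if row["OBJECT"] != obj or row["DELETED"].strip():
            continue
        # AUTH identifies one instance of the object inside the role.
        key = (row["AGR_NAME"], row["AUTH"])
        values[key][row["FIELD"]].add(row["LOW"].strip())
    return {
        key: sorted(fields.get(other, ()))
        for key, fields in values.items()
        if "*" in fields.get(field, ())
    }


def roles_to_fix(findings):
    """Distinct role names that contain at least one wildcard instance."""
    return sorted({role for role, _auth in findings})


if __name__ == "__main__":
    for (role, auth), activities in sorted(wildcard_findings(SAMPLE_EXPORT).items()):
        print(f"{role}\t{auth}\tACTVT={','.join(activities)}")
```
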

0 Kudos

> Let's say that I have 120 roles, in all of which I want to change the value of field Y of authorization object X.

If you had started on the 13th of October, then I am sure you would have been finished already...

> Is this part of a specific function module or does it reside in the transaction itself? Any hints or tips to point our developer in the right direction would be great.

I am not aware of any released function module for you to use in a stable way, but if you take a closer look at how some of SAP's own applications work to maintain role data from external applications (external to PFCG) then you will find the RFC function module.

Have you considered the "Role Generator" mentioned above yet? Effectively what it does is a role merge. If the field is not an org.level and you want its value to be the same, you could maintain one central role for it and mass merge with the 120 org.level roles to create 120 updated roles.

Cheers,

Julius

0 Kudos

Julius, I tried taking a look at the Role Generator, but I understand from SAP Help this is only available in a certain business add in (Defense Forces & Public Security)? Is there any other way to access this transaction?

0 Kudos

That is where I found the documentation as well (DFPS) but to my knowledge it was shipped to ECC 6.0 with one of the enhancement packs, but I don't have the details of which one.

I will try to find out as well...

0 Kudos

> We are currently developing a tool for mass maintenance of organisational levels and authorization objects.

Be very careful with this. I've seen (and used) a few of these tools and they can cause more trouble than they are worth. They can also save lots of time if developed well and used carefully. One example I can think of deleted entire table contents due to some sloppy code. Another example updated a field value but if the input file was too great for the field, it populated the values in the value fields for the next auth object in alphabetical series.

0 Kudos

Hi,

Role Generator was developed for the Defense Solution but it is part of any ECC 6.0 but must be adapted before it can get used.

A running adaption is implemented at Kanton Zürich: A German presentation is to be found under http://www.innovationatwork.ch/landingpages/manager/uploads/41/14h15%20-%203%20-%20Lehnert%20Kt%20ZH...

Please refer also to my book: SAP Berechtigungswesen / SAP Press. An English version will be published soon.

Kind regards

Volker Lehnert