Importing T-Codes to Menu from Excel Spreadsheet i...

Former Member · ‎04-27-2010

I'd like to create a role (e.g., in BW 7.0) that has a menu with all currently available transactions, except for transactions that I want to assign only to administrators (e.g., to DBAs, Basis Admins, Security Admin). I started by importing the standard SAP menu, then finding & eliminating all of the administrative t-codes; but the resulting role provided access to only a fraction of all of the available transactions. So, I downloaded an Excel spreadsheet from SAP containing all transactions included in SAP_ALL, edited that spreadsheet, & naively tried to upload the resulting list of transctions into the role's menu using the "import from file" feature. When it didn't work, I searched the internet & found (in official SAP websites, as well as non-SAP websites) that a number of others had tried to do this too. I downloaded SAP Note 389675, but have no idea from it how to actually convert my spreadsheet into a txt format that PCFG will accept. Manually, I think I can add these transactions to my role menu 17 at a time, but I don't think it is reasonable to spend days doing this 17 transactions at a time. My goal is to create a role that I could assign to developers that would give them nearly unliimited access (e.g., in a sandbox or development environment, or even in production under management-approved firecall conditions) yet not give them access to restricted administrative transactions. Can you help me figure out how to convert an Excel spreadsheet into the required format, or point me to an alternative means of accomplishing my goal (e.g., do I really need to use eCATT)?

Former Member · ‎04-27-2010

Ronald,

There are various ways to create roles, you mentioned that adding transactions 17 at a time, build more granular roles and include them in composites (you will see overlaps of transactions/authorizations from Development/BASIS/Security/etc), or you could maintain ranges within S_TCODE authorizations excluding critical transactions and ensuiring that critual authorizaton objects/values are given to correct groups.

Based on your last statement of granting a massive role with broad access is to exclude critical authorization objects and transactions as opposed to including.

I have combined all 3 types of builds through the various systems in the landscape (SBX/DEV/QAS/PROD).

Thanks,

Matt

Former Member · ‎04-27-2010

I am familiar with techniques like copying and then editing profiles (e.g., SAP_ALL) to create a broad role; however when you use a method other than creating a menu in PFCG, you are not able to take advantage of the real functionality of the profile generator to bring in all of the authorization objects that are associated with the various transactions.

Creating lots of smaller roles then assigning them as part of a composite role doesn't eliminate any of the work - it just means you have to enter the transactions in multiple roles rather than a single role.

Former Member · ‎04-27-2010

Ron,

Is there a reason why you want to "leverage" that functionality by using the role menu in a Non-Production enviroment's roles? If you secure the authorization objects that are critical and only relevant to the audience of the receivers of the role, you should be fine. I have taken this approach many times as it gives the broad access to the functioncal/technical teams they require but I still can manage the security risks of the system.

For production I dont have "broad" roles defined and taking the role menu approach is much more manageble.

Hoping this helps.

Matt

Former Member · ‎04-27-2010

Thanks for your replies. This is perhaps a rather extreme example, but I can think of lots of times that I'd like to upload a list of specific transactions from an Excel spreadsheet into the menu of a role in PFCG. It seems to me like this would be a very convenient feature.

I have recently completed a series of negotiations with the other administrators outlining the set of transactions they need to have exclusive access to across the landscape, and management has approved the results. Therefore, I can enforce the exclusivity so developers cannot even start these transactions by building a role that only has S_TCODE values for everything else. The everything else probably includes lots of transactions that the developers will never use, even in a sandbox environment; however, putting these transactions explicitly into a role's menu will ensure that the profile draws in only the authorization objects that are relevant to those transactions from the USOBX_C & USOBT_C tables. When I edit the resulting profile, I can look at any sensitive authorization objects/values that have been brought in by PFCG and track them back to the transactions - I may want to add some of these to my admin-exclusive list and remove them from the role's menu.

And if future patches or upgrades involve changes to the USOBX or USOBT tables by SAP to the transactions that I leave in the broad role, I'll be able to upgrade the role via routine SU25 processing. Of course, I'll also have to review any new t-codes that are introduced by the patches or upgrades to see if I want to add them to the role.

SAP makes it easy to download as set of transactions that are authorized by a given role or profile into an Excel spreadsheet; I was surprised that it was so difficult to upload transactions from Excel into PFCG.

Former Member · ‎04-27-2010

SAP makes it easy to download as set of transactions that are authorized by a given role or profile into an Excel spreadsheet; I was surprised that it was so difficult to upload transactions from Excel into PFCG.

Yup but they left us the tools. Perhaps a LSMW or eCATT script will do the trick for you. Should be rather simple to create.

- Matt

Bernhard_SAP · ‎04-28-2010

upload to menu has been handled already several times. for instance:

b.rgds, Bernhard

Former Member · ‎04-28-2010

Yes, I had seen the earlier messages on this topic - they confirmed that I'm not alone in wanting to be able to import transaction codes from Excel into a role's menu. Up to the time of the previous postings, it appeared to me that the folks who posted the questions eventually just came to the conclusion that there was no straightforward way to do this. I hoped that by now, someone may have figured out how to convert an Excel spreadsheet into FORMAT 1.2B as specified in SAP Note 389675. I guess not.

Former Member · ‎04-28-2010

I just downloaded the file from attachments of the note and saved with .txt format and imported. No changes been made from the note text (just copy, paste and saved as .txt). Need to cusotmize my own and check.

I have checked in ECC 6.0

Continued to test and had the below text in the file. It worked fine.


FORMAT              1.2B
NODE                000030000100002FOLDER
TEXT                00003ENTest Folder
NODE                000060000300003TRANSACTION         PFCG
TEXT                00003EN
NODE                000070000300003TRANSACTION         SU01
TEXT                00003EN
NODE                000080000300003TRANSACTION         SUPC
TEXT                00003EN
NODE                000090000300003TRANSACTION         SU01D
TEXT                00003EN

Pros: You can add any number of transactions at a time.

Cons: No transaction text , I coudn't make it work with text added Time taken for formatting is more than just copying and pasting 17 at a time

Regards,

Gowrinadh

Edited by: Gowrinadh Challagundla on Apr 28, 2010 5:12 PM

Bernhard_SAP · ‎04-29-2010

I just can tell you inofficially, that enhencements to the menu maintenance are in the pipe. Among others also some upload functions are planned....

b.rgds, Bernhard

Former Member · ‎04-29-2010

That's what I've been hoping to hear. I look forward to these enhancements.

Former Member · ‎04-07-2011

Last April, the "inofficial" word was that an enhancement addressing this issue was "in the pipe." At last year's SAPPHIRE/ASUG meeting, the Security SIG I attended highlighted the need for such an enhancement --- I was certainly not the only SAP customer who had run into this need. Has a solution been incorporated into the SAP software by now? If it has, what patch level do you need to be at in ECC 6.0, CRM 7.0, and BW 7.0 in order to take advantage of this new functionality? If it hasn't, any idea when it will be??? Thanks. Ron

former_member613441 · ‎08-05-2011

hello

I have the same problem

Unable to import transaction list from csv file and paste limited to 17 ligns in PFCG

Still no solution?

Jean-Michel

Former Member · ‎08-05-2011

News was SAP note 1599732.

Cheers,

Julius

jurjen_heeck · ‎08-05-2011

Are you sure that applies to the menu tab as well?

Former Member · ‎08-06-2011

I was really hoping that you would be wrong... ;-(((

Looks like it is only the org fields and value popup with the clipboard and paste function keys.

Anyway... what I have done in the past is create a master template role for the menu containing all tcodes in actual use and create a general structure for all menu folders about 3 levels deep. You can then mass delete what you do not want to use in a new (set of) roles and it makes it easier to keep to a general menu structure for redundancy compression.

This is easier than adding each time, but still lots of manual work to maintain the "golden template" first.

Cheers,

Julius

Importing T-Codes to Menu from Excel Spreadsheet in PFCG