Automatically generate roles at midnight - any kno...

Former Member · ‎05-31-2010

Dear gurus,

We have built a little tool to generate several thousand small roles with in one go. The roles each only have 3 authorization objects and one field value which is different in each of them for individual cost centers in an ERP system (ECC 6.0 7.00 Ehp 3).

Based on the available KOSTL in SAP, it maps the BUKRS and generates a file which is conform with the PFCG upload format, and then we upload it. Voila.

This works fine, but the KOSTL are more "alive" than what we had hoped for so are looking into a way to do this as a batch job at midnight (i.e. no SAPGui or Julius around at that time of day...

I could not find any standard utility within the ERP system to do this, and was wondering whether anyone knows a good solution to this?

Current plans are to either change the current tool into a report which can do this in the background, or to look around for some commercially available tool for it which is reasonably respectfull of the fact that there are no released APIs for the PFCG...

Any thoughts or positive experiences?

Cheers,

Julius

Former Member · ‎06-01-2010

Hi Julius,

I'm not aware of any such tool. The last time I came across such a requirement, an enhancement was implemented that turned treated KOSTL as a variable fed by attributes from the UMR. Not a particularly nice solution but gave flexibility in an area that there is a lot of change.

Former Member · ‎06-01-2010

Thanks Alex.

The closest thing I could find to it so far was the [Role Generator|http://help.sap.com/saphelp_erp60_sp/helpdata/en/7a/547416fc86473299c60df157a1e4f6/frameset.htm] but here the link between the user and the org. management is closer than the org. values and unique roles.

As the assignment of the roles is for the moment manual (--> out of scope) and want the option to provision from IdM later, our task is "just" to generate the roles to make them available in the ERP system. The BW AA auths design got their foot in the door first to use the ERP data from AGR_1251/2 and AGR_USERS as their external source.

Best option so far looks like a tweak of SU25 step 6 and export an external datasource to it to generate the roles from a structure, instead of a set of profiles. This works nicely, but the downside is that this "migration" needs to export all data from the source each time and this generates a huge number of change documents.

Still digging though..

Cheers,

Julius

Former Member · ‎06-01-2010

Julius, I believe that the cure for all of your problems is the "Child Role Creator for SAP". No need to thank me

Former Member · ‎06-01-2010

No, no... We will avoid that via a BUKRS per KOSTL set and a KOSTL per BUKRS set and Divisional fatcat

3000 KOSTL fit into one role easily, but 3000 roles into one user does not.

Yes, there is some risk and the interface was extended between release 7.00 and 7.01 as well as new "types" for the fields (SU25 is not obsolete.. so we can make it sy-saprl dependent.

By checking first via the profit center hierarchy whether something changed and any new KOSTL or BUKRS we can bottle down the change document fiasco to a large extent.

The restraint was mainly the suppression of dialogs which PFCG is very fond of

I will leave the thread open for a while still if someome knows a better way or existing stable tool on the ABAP stack.

Cheers,

Julius

Edited by: Julius Bussche on Jun 1, 2010 8:29 PM

Former Member · ‎06-09-2010

We solved this via a custom development.

Tip: Beware of alpha-numeric KOSTL values if you try this. They might allign on the right side of the field with leading zeros if you use the wrong field typing...! (between 7.00 and 7.01 the import field types changed for "external data" so you need to call the SU25 step 6 function release dependently at your own risk).

Cheers,

Julius

Edited by: Julius Bussche on Jun 9, 2010 10:01 PM

Automatically generate roles at midnight - any known tools?