06-15-2010 3:47 PM
Hello all,
recently we upgraded our CRM7.o to a new SP. after the upgrade i ran SU25 and completed all the steps. i haven't seen any major changes in our custom roles. so i changed some roles based on step 2c then regerated all the custom roles and created a transport of customer tables. i have few questions in my mind after doing that.
Q1) once the customer tables are transported to QA will the roles automatically gets regenrated and be identical to the ones in DEV.
Q2) one user did some testing and came with an error saying he is missing some authorization after upgrade, i ran trace and saw a object which is not in our role design, but the object is in SAP_ALL? i clicked on where used and it did not showed any transactions. how can we know if this object exist prior to upgrade or after upgrade.
Q3)what is the purpose or when we should regenerate SAP_ALL? is it necessary to regenrate SAP_ALL after upgrade.
Thanks a lot in Advance,
SS
Edited by: sun on Jun 15, 2010 4:48 PM
06-16-2010 5:08 AM
Sun,
Q1) once the customer tables are transported to QA will the roles automatically gets regenrated and be identical to the ones in DEV.
If you transport the customer tables your upgraded roles need to be transported as well.
While transporting the roles,you will get the message that auth profiles are also transported, just you need to do user comparssion.
Identical to dev : if both the systems are same then roles are identical . (i.e maintaing same su24 values,if you have deactivated any objects in dev,same should be in QA .
Q2) one user did some testing and came with an error saying he is missing some authorization after upgrade, i ran trace and saw a object which is not in our role design, but the object is in SAP_ALL? i clicked on where used and it did not showed any transactions. how can we know if this object exist prior to upgrade or after upgrade.
In old system object was not present, but in new system it might have got added.
In su25 itself it will be shown what are the new tcode & auth objects .
how can we know if this object exist prior to upgrade or after upgrade.
based on the transaction & objects maintained for it.
Q3)what is the purpose or when we should regenerate SAP_ALL? is it necessary to regenrate SAP_ALL after upgrade.
if you want to add any new auth object to SAP_ALL,then you can do it . Su21 -> re generate SAP_ALL.
is it necessary to regenrate SAP_ALL after upgrade
When new objects are added to the pre-upgrade SAP_ALL, it needs to be regenerated: the system first deletes the authorizations of SAP_ALL to regenerate it with all the new ones. However, as RSUSR406 contains authority-checks, you should ensure that you have only a PFCG role authorized for profile generation and not only SAP_ALL when doing this, or alternately use report AGR_REGENERATE_SAP_ALL.
- Transport an object to the system. During import, the system will automatically regenerate SAP_ALL, unless SAP note 439753 is applied (Bernhard recently mentioned that in another thread).
- Implement SAP note 1064621 from a different client.
Thanks,
sri
Thanks a lot in Advance,
SS
06-16-2010 1:02 AM
Hi,
1) I am not sure what exactly you mean by customer tables but here is a quote from tool for mass transport of roles. It might answer your question.
When roles are transported, the associated authorization profiles
are transported as well. In contrast to earlier releases, the
profiles therefore no longer need to be regenerated in transaction
SUPC. However, you do need to perform a user master comparison for
all imported roles after completing the import into the target
system.
2) Don't know but I assume you implemented SP in DEV and QA system first. So if you haven't already moved it to production then you can simply compare two systems.
3) SAP_ALL is a profile which has authorizations to almost all objects (there are some exceptions such as S_RFCACL which is not automatically includes unless you change your config). Hence you need to regenerate SAP_ALL whenever you add new authorization object into your system.
Cheers
06-16-2010 9:30 PM
Thanks a lot for your response Martin, it helped me a lot. customer tables means (USOBT_C and USOBX_C)
Thanks a lot,
SS
06-16-2010 5:08 AM
Sun,
Q1) once the customer tables are transported to QA will the roles automatically gets regenrated and be identical to the ones in DEV.
If you transport the customer tables your upgraded roles need to be transported as well.
While transporting the roles,you will get the message that auth profiles are also transported, just you need to do user comparssion.
Identical to dev : if both the systems are same then roles are identical . (i.e maintaing same su24 values,if you have deactivated any objects in dev,same should be in QA .
Q2) one user did some testing and came with an error saying he is missing some authorization after upgrade, i ran trace and saw a object which is not in our role design, but the object is in SAP_ALL? i clicked on where used and it did not showed any transactions. how can we know if this object exist prior to upgrade or after upgrade.
In old system object was not present, but in new system it might have got added.
In su25 itself it will be shown what are the new tcode & auth objects .
how can we know if this object exist prior to upgrade or after upgrade.
based on the transaction & objects maintained for it.
Q3)what is the purpose or when we should regenerate SAP_ALL? is it necessary to regenrate SAP_ALL after upgrade.
if you want to add any new auth object to SAP_ALL,then you can do it . Su21 -> re generate SAP_ALL.
is it necessary to regenrate SAP_ALL after upgrade
When new objects are added to the pre-upgrade SAP_ALL, it needs to be regenerated: the system first deletes the authorizations of SAP_ALL to regenerate it with all the new ones. However, as RSUSR406 contains authority-checks, you should ensure that you have only a PFCG role authorized for profile generation and not only SAP_ALL when doing this, or alternately use report AGR_REGENERATE_SAP_ALL.
- Transport an object to the system. During import, the system will automatically regenerate SAP_ALL, unless SAP note 439753 is applied (Bernhard recently mentioned that in another thread).
- Implement SAP note 1064621 from a different client.
Thanks,
sri
Thanks a lot in Advance,
SS
06-16-2010 9:32 PM