- SAP Community
- Products and Technology
- Additional Q&A
- Backend AC std roles: Generate in each environment...
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Backend AC std roles: Generate in each environment or transport from DEV?
- Subscribe to RSS Feed
- Mark Question as New
- Mark Question as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
on 09-03-2010 6:01 PM
Hi all,
After installing SAP GRC AC 5.3 application there are standard roles (/VIRSA/*) created in the backend without profile generation
Since such component has been installed in DEV, QA and PROD the different roles (without profiles) are also in the three environment.
Which is the right way to proceed?
1) Should we generate the profile for such roles in DEV and tranport them to QA and PROD?
2) Should we generate the profiles in each R/3 environments?
3) It does not matter to go for 1 or 2?
Many thanks in advance. Best regards,
Imanol
Accepted Solutions (0)
Answers (1)
Answers (1)
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
None of the above, if they are not assigned to users.
Best practice is to create a transport request for them and release it. Then delete them (no standard functionality for that anymore because it created problems, but check OSS for a solution "mass delete roles").
You can then import them again into a client if you really need to. Deleting them will be a performance gain for you from GRC perspective, and you should anyway not generally use the standard roles directly with profiles, but rather copies of them with their own.
Unfortunately there are exceptions to the rules and some standard roles have "personalization keys" for access to WDA applications. In SolMan you should not delete the standard roles without checking the installation guides first...
Cheers,
Julius
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi Imanol,
Do not delete any GRC related roles from SAP system. If you don't need them, don't use them. If you want to use them, you can directly use them or create a copy and then use them. Either the roles or the copief of the roles ending with DEFAULT ROLE should be assigned to communication use (the user you define in connector and JCo destination). This roles help CUP to provision an user, assign a role, and RAR to sync users/roles/run risk analysis etc.
Regards,
Alpesh
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Report Inappropriate Content
Hi Alpesh,
As long as they are not assigned users nor personalization keys you can quite safely delete them to improve performance.
I consider this good "housekeeping" and regularly do it without any problems.
> communication user...
Good housekeeping is also to use SYSTEM type users. Communication types are actually obsolete, but kept for compatability and survival of urban legends
The documentation in SU01 is partly incorrect.
Cheers,
Julius
- Sapphire 2024 user experience and application development sessions in Technology Blogs by SAP
- External System Integration in DMC in Technology Blogs by Members
- Govern SAP APIs living in various API Management gateways in a single place with Azure API Center in Technology Blogs by Members
- SAP BTP, ABAP in the Cloud Custom Code Transformation using abapGit and gCTS in Technology Blogs by Members
- Configuring SAP CI/CD pipeline for Deploying ReactJS application in Cloud Foundry in Technology Q&A
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.