
Automated Role Copying, incl. Change of Authorization Object Value??

Former Member
0 Kudos

Dear all,

Due to special restrictions within our authorization concept, I am forced to copy certain roles again & again, making only small changes to certain authorization object values.

Example:

We have the role Z:SAP_SUPPDESK_PROCESS.

- this must be copied to Z:SAP_SUPPDESK_PROCESS_PRJ_A with Authorization Object S_PROJECT-PROJECT_ID = PRJ_A

- it will then be copied to Z:SAP_SUPPDESK_PROCESS_PRJ_B with Authorization Object S_PROJECT-PROJECT_ID = PRJ_B

- next will be copied to Z:SAP_SUPPDESK_PROCESS_PRJ_C with Authorization Object S_PROJECT-PROJECT_ID = PRJ_C

- (guess what's next....)

This must be applied to at least 10 roles, at most to 40 roles...so I'm looking for help.

Is there any way to automate that?

Either internally (transaction, ABAP, Bapi/BaDI) or externally (Java, VB, C++)?

Doing it manually is simply a pain and will result in errors.

Any hints are welcome.

Thanks,

Jan

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hello ,

In the PFCG – Menu tab you have option for copying the menus from another role you can copy and then change the required values and generate.

Or authorization tab – Edit – insert authorization and add the authorization from other roles or profiles.

For automation you can create SCATT scripts.

Thanks

14 REPLIES 14

jurjen_heeck
Active Contributor
0 Kudos

Hello Jan,

If you create the copies using ECATT you can download the copied roles from PFCG and edit the downloaded text file, upload and generate again.

Do take care not to corrupt the file, it is fixed record length and the import checks in PFCG will allow for a lot of garbage (personally experienced). As long as the old/new object values do not differ in length it will be some kind of search and replace.

Jurjen
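
The length-preserving search and replace described in the post above, as an added example (not code from the thread or from SAP). The record layout in `SAMPLE` is constructed for illustration and is not the real PFCG download format; `swap_value` is a hypothetical helper name.

```python
import re

# Constructed sample records, padded to a fixed width. This layout is invented
# for the example and is not the real PFCG download format.
SAMPLE = (
    "ROLE  Z:SAP_SUPPDESK_PROCESS_PRJ_B        \r\n"
    "AUTH  S_PROJECT   PROJECT_ID  PRJ_A       \r\n"
    "AUTH  S_PROJECT   PROJECT_ID  PRJ_AX      \r\n"
)


def swap_value(text, old, new):
    """Swap a field value without changing the length of any record.

    Returns (edited_text, list_of_changed_record_numbers).
    """
    if not old or len(old) != len(new):
        raise ValueError(
            f"{old!r} and {new!r} must be non-empty and equal in length")
    # Match the value only as a whole token, so PRJ_A does not hit PRJ_AX
    # or the suffix of a role name such as ..._PRJ_A.
    token = re.compile(
        r"(?<![A-Za-z0-9_])" + re.escape(old) + r"(?![A-Za-z0-9_])")
    edited, changed = [], []
    # keepends=True preserves the original line terminators byte for byte.
    for number, record in enumerate(text.splitlines(keepends=True), start=1):
        new_record = token.sub(lambda _match: new, record)
        if len(new_record) != len(record):
            raise ValueError(f"record {number} changed length")
        if new_record != record:
            changed.append(number)
        edited.append(new_record)
    return "".join(edited), changed


if __name__ == "__main__":
    result, changed_records = swap_value(SAMPLE, "PRJ_A", "PRJ_B")
    print(result)
    print("changed records:", changed_records)
```

Reviewing the list of changed record numbers before uploading shows exactly which lines were touched, which matters because the import checks are described as permissive.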

Former Member
0 Kudos

If you have SAP 4.7 EE or older versions, use SCAT transaction code. Else, you have to use SECATT.

Rgds,

Raghu

Former Member
0 Kudos

Jan,

pls contact your ABAP team.

yes they can do custom development for this. it will not take much time.

in my last organization we used to upload template (excel sheet) with values and 200 - 300 child roles were automatically created.

however copying and changing 40 roles is not such a big task ...... since i remember to have created and changed 300 roles per day.

if frequency of such work is high (say 300 roles per month) only then you should go for automation, else automation of this will be wastage of resources

regards,

Surpreet

0 Kudos

> in my last organization we used to upload template (excel sheet) with values and 200 - 300 child roles were automatically created.

I was waiting for this comment from someone. How many change documents did this program create?

PFCG does not have any (external) API functions, so you can only "safely" use scripting tools of sorts (such as eCATT) or direct tables updates (which are not recommended at all...).

Believe me I have looked very hard into this topic (see ...) and there are only two unsupported approaches to use yourself in ABAP, but it is not easy (except making mistakes in how you call functions which are not even released internally within SAP). This was for 5000 roles each with many org. level values.

But for 40 roles I am sure that Jan will have finished the task manually already by now...

Cheers,

Julius

0 Kudos

> PFCG does not have any (external) API functions, so you can only "safely" use scripting tools of sorts (such as eCATT) or direct tables updates (which are not recommended at all...).

> Julius

Having seen the results of this (direct updates, not eCATTs) I can only echo that it's not a recommended approach.

0 Kudos

Hi Alex and Julius

I am now hanging my head in shame for downloading/editing/uploading roles if this is actually causing mass change documents/pixie dust to be created in DEV.

I'll stick to the good old manual or LSMW approach if that is better for the system (ignorance is bliss and a little knowledge is dangerous).

Cheers

David

0 Kudos

I only meant that direct table updates bypass the change documents.

@ Dipanjan: you still need to prepare the data and test the scripts. For 40 roles I can't see this flying...

For many small task roles as singles one could argue the case, but that also implies composite roles with cross-pollination of singles, which all knowledgeable people (in my books) try to avoid.

The only use case for it which I found was for the old CO-concept with K_REPO_CCA and in the new concept with K_CCA when the cost centers need to be controlled "retentively"...

For me, that is the only exception which such tools are useful for and then I would go the additional step further to program it in ABAP and run it automatically in the background.

PFCG does not have a business object in the BOR repository. There is no MASS maintenance interface for it.

All attempts to do so always involve risks.

Cheers,

Julius

ps: For 40 roles there is a 3rd acceptable option worth considering (addition to manual, eCatt and program): Create a Dummy composite role and assign the first 5 singles to it. Then copy the composite dummy and select "Yes" in the popup. Then copy 10. Then 20. Total = 40...

Cheers,

Julius

0 Kudos

> ps: For 40 roles there is a 3rd acceptable option worth considering (addition to manual, eCatt and program): Create a Dummy composite role and assign the first 5 singles to it. Then copy the composite dummy and select "Yes" in the popup. Then copy 10. Then 20. Total = 40...

Thought out of the box.. indeed

Regards,

Dipanjan

0 Kudos

Julius,

yes you are right

hence we used to document our changes separately in a sheet and upload to share folder (LN DB)

however one extra step we did was generate all roles once again in SUPC (this doesn't create change log)

did all these changes in DEV box and transported to PRD

it is BEST method if it saves 10 man hr daily

and we were required to create /change 200 - 300 roles daily.

regards,

Surpreet

0 Kudos

Hi Supreet,

I can understand the temptation and sometimes have these requirements as well, but 200 changes per day is probably a symptom of some other "root cause" problem which might be worth looking into.

Anyway, I know that many customers do this and have also seen several of them run into problems as a result, particularly with org.level fields.

> it is BEST method if it saves 10 man hr daily

SAP Note 7 - Error caused by customer modification/development (https://service.sap.com/sap/support/notes/7) can be quite expensive as well...

Cheers,

Julius

0 Kudos

Hi

For this type of job I would use the transaction SHDB (check whether it is available in your version of SAP). This task is really trivial. First you have to prepare a record of what is to be done in PFCG. In your case it will be copied from the master role and changes in the new role in the facility for the selected fields. Selected fields from what I see are always changing so they will be variables (this is important in mail merge). Then save this recording to a text file and copy the example to Word and use for example Word mail merge. Previously, of course, preparing the appropriate sheet in Excel. When you use the mail merge fields of type variable (such as name and description of the new role entry in the field). Save the result as a text file and import into SAP through SHDB. Important options for recording, i.e. uncheck the default size. When processing data, use background processing option, uncheck the default size, and select the conf. after commit.

Documents change, of course, will generate too.

Edit:

When You are making new recording and u are creating a new role don't generate a profile. SUPC will be u'r friend later.

Edited by: Krzysztof Kalinowski on Oct 22, 2010 4:39 PM

sdipanjan
Active Contributor
0 Kudos

Hi,

I am not aware of the requirement which led to such segregation. Generally, you should grant authorization according to the principle "As loose as possible and As restrictive as necessary". It is agreed that the unauthorized parties (those who are not supposed to) should not (or better say must not be allowed) get access to respective data. In this regard you (or business owners) need to identify critical and non-critical data and determine what kind of security approach is applicable.

Unnecessary segregation or restriction complicates the day to day activities and leads to painful maintenance cycle.

I am totally sure the above paragraph is not at all helping your need, though I wanted to say this here as this kind of unnecessary restriction happens often.

As you have already been told, SECATT would be helpful for you for a set of roles which are equivalent to each other but differ in values for the same Authorization fields. You can make the e-CATT script more generic by adding the Authorization Object(s) manually in the role so that you will get the option to use that script in multiple sets of roles where Object will be an input value.

An example of using SECATT can be found here: http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/5082df83-6fbe-2d10-c3b7-9064cecae513

Regards,

Dipanjan

Former Member
0 Kudos

Hi Dipanjan,

You are right, that first part did not help me at all.

Even worse - I totally agree with you.

But the business wants a solution for their problem and that's what we found as solution...

Regards,

jan