01-19-2011 1:36 PM
Hi Experts,
I came across an interesting case in my current upgrade project.
Few roles, changed/generated in DEV(ECC 6.0 Version) system, are missing field values for some authorization objects which were present in role earlier. This I got to know when I compared those roles with current PRO(4.7 Version) system.
I generated all the roles using Expert Mode with 3rd option "Read old status and merge with old data".
I am still clueless about that. Do anyone have any idea why did that happen?
Thanks in advance.
Regards,
Mohit
01-19-2011 2:35 PM
Status Change for roles suppose to be different from production. Anyway see the last change date for authorization in both system. If this is same for both the system then only you have problem. If this is diff then it is likely that some1 modified that role in dev.
regards,
Arpan Paik
01-19-2011 8:09 PM
Hi,
When you generate roles in expert mode of PFCG using the 3rd option, SU24 check indicator values are re-read for all menu transactions and merged in the existing authorization objects in the role. Only authorization object with maintainance status "Standard" or " Maintained" are affected.
Please see Note 113290 - PFCG: Merge process when maintaining authorization data for examples of various scenerios during PFCG merge.
Since you have upgraded the system, USOBT table now has new default SAP values for all auth objects which are "check/maintained" for tcodes in SU24 and hence existing values of the standard/maintained objects in the role might be replaced with the new defaults during expert mode generation in PFCG. Hence the missing values.
Thanks
Sandipan
01-20-2011 7:27 AM
Hi Sandipan,
I agree with you that all Standard and Maintained Objects get affected due to new SU24 values.
But system shouldn't replace the old values, it should add new values or objects.
And that's what I need to confirm.
Thanks,
Mohit
01-20-2011 8:30 AM
Mohit wrote:
But system shouldn't replace the old values, it should add new values or objects
This is true, new standard authorizations are not inserted in the roles only when your exisiting 'maintained' object has identical values to the new SAP default values for standard fields or atleast it contains the new SAP default values for the standard fields.
Example from the note i referred earlier:
Maintained Old Standard New default values
Field 1 A, B, C Standard A, B, C Standard
Field 2 C, D Standard C, D Standard
Field 3 1, 2, 3 Maint. (empty earlier) (empty) Standard
the first two fields are filled with default values ("Standard" status) and the maintained authorization contains the default values of the standard authorization.
But a new Standard authorization object could be added with different field values (as in your case) when the new SAP default values for standard fields (Field 2 in below example) has more values than in the 'maintained object'
Maintained Old Standard New default values
Field 1 A, B, C Standard A Standard
Field 2 C, D Standard C, D, E Standard
Field 3 1, 2, 3 Maint. (empty) Standard
...because its authorization default value contains more values in the second field than the maintained value.
Also, a new standard authorization is added if new default values are suggested for a field which was empty previously
Maintained Old Standard New
Field 1 A, B, C Standard A, B, C Standard
Field 2 C, D Standard C, D Standard
Field 3 1, 2, 3 Maint. 1, 2, 3 Standard
...because the third field also contains default values in the standard authorization; this field was originally empty in the maintained authorization. This shows that the standard values of both authorizations originate from different transactions.
You may read the note (#113290) for understanding all the scenerios as illustrated by examples.
Hope this helps
Sandipan
Edited by: Sandipan Choudhury on Jan 20, 2011 2:08 PM
01-20-2011 9:26 AM