Merging of derived role to single role

Former Member · ‎03-22-2011

Dear All,

1.User having composite role assigned to multiple users

2.Each composite role having multiple derived roles

3.Each derived role used in multiple composite roles.

Now i would like withdraw set of Tcodes from users.what will be best way to merge roles make user specific role.I have studied the impact almost every derived role is getting modified.

Ramesh.

Former Member · ‎03-22-2011

Hello,

I remember there is a thread about composite role (benefit and drawback.. if i remeber more It was posted By Alex Aayers.

He gave complete info, and even few post by Julius on that thread.

Please have a look into that...

since your request look like more into basic training, rather than real solution.

sorry, but please go through theards, before posting..

Thanks,

PKP

Former Member · ‎03-22-2011

I am not looking for basic training,if know the answer please provide it will be gratful.

Former Member · ‎03-22-2011

If u remove any tcode , u need to do it in master role of that derived role which is there in composite role.

as per my thinking, i would have gone to build a new role and add that in composite .

Thanks,

PKP

arpan_paik · ‎03-22-2011

user specific role? have you consider the impact of that? If a user need additional access then you always have to run from dev to prod with role modification. now how easy is your change management process? I pressume that current derived roles are based on task (process)?? Is it? If so I would never be worried, else would head to do that.

Now to your qtn..know or dont know type.....try executable for user in SUIM.

Edited : Now please don't say how to do that....if you do, then you need basic training.....

Regards,

Arpan Paik

Edited by: P Arpan on Mar 22, 2011 9:22 PM

Former Member · ‎03-24-2011

Please read my subject line "Merge derived roles and make user specific role"

why SUIM is needed? we have 1200 + roles to be modified

I am looking for solution where user should not face authorization issues in running production system and merge roles in to single user specific role.

arpan_paik · ‎03-24-2011

You want to find out the transaction user is using then SUIm will give you the list of txn. Have you try to check that. Or if you just want to merge multiple roles to one the you can import profile. But problem is that object will be manual. Anyway still you are looking for user specific role? good luck

regards,

Arpan Paik

Former Member · ‎03-24-2011

Hi

This sounds like the process is being made more complicated than it really is...

Do you have the facility to 'see' which transactions have been used by each user? If so then you could look at creating a new set of roles based on this information, if not then asking the users may be easier than merging multiple singles into one role via import (it looks a mess anyway).

Are you trying to re-design the authorisation concept?

Cheers

David

Former Member · ‎03-22-2011

Hi Rameshbabu

You wrote

almost every derived role is getting modified

I don't know the reason for these mass changes - my history with these revolves around remdiations requiring lots of little roles to be changed to make a user/user group clean at role and user level, Maybe this is the same for you?

Anyhoo...

Derived roles are generally used to reduced the time required for multiple company/plant org level/release strategy type maintenance. They aren't worth it once in a remediation (MHO), if you have composite roles with these in them you are already realising the pain both of them cause together (I hate derived and - after much consideration composites are clawing their way up my hated list)

If it was me I would copy the derived (not parent) and break the link in the newly created role and re-design outside of a composite and transport/UAt/transport to prod and assign directly. Once you have the user stable again following the other multiple role changes hinted at then possibly consider creating a user group composite (job) and transport the sum of all the production assigned singles for that user. As long as the processes are running smoothly and there aren't constant requests for additional access you may get away with that approach.

Pro - keeps users in a user group to a standardised access

Con - hell on transports if the singles aren't in prd and you have to transport the entire content of the composite repeatedly.

Only a small aspect...

Best wishes

David

Former Member · ‎03-24-2011

3.Each derived role used in multiple composite roles.

I should have stopped reading here...

Really, this is your problem and a learning curve about the survival of derived roles and the cosmetics of composite roles.

The best route 99 times out of 100 is a solid single role with a visible menu which uses "other" (more modern) technologies to take care of some of the "pain points".

Examples are BW AA auths, BO dashboards, hierarchy bases auths, HR based options, a more carefull selection of executable transactions if you can avoid generic ones (flame bad habits for that

I would suggest that you read through the FAQ thread section on authorization design. You will get some very good tips there -but might need to do some homework first to understand the comments based on experience of contributors who actually stick around for long enough after "go live" out here "in the wild"....

Cheers,

Julius

Former Member · ‎03-24-2011

3.Each derived role used in multiple composite roles.

--> Executive summary: This is worst case scenario -- > which can be pretty painted in MS PowerPoint at "sale-time".

If the implementation partner gave you the "basis" singles and small master derived roles and left the composites up to you, then in all honesty I would take legal action against them if I were you.

There is enough evidence and "plaintiffs in the wild" by now that it would hopefully hold in a court of law that it cannot work. Knock-on effect is that developers have no respect for the application authorization concept.....

Actually I spend about 20% of my time fixing this sort of spagetti....

Cheers,

Julius