05-26-2011 11:23 AM
Ladies and gentlemen,
I have a question for you. I would like to copy a role with menu (structured!) and slightly changed authorizations+values.
Unfortunately I am able to accomplish either the first or the second part of the task. So maybe a skillful hacker could help me?
When I copy a role with structured menu, I also get the copy of the old profile. So I would have to be able to hack into the profile and change it after the copy. I am not able to do that. If somebody can do that, it is one of the possible solutions for my problem.
There is an option the other way round. I can create an empty role, then create the profile for it (slightly changed according to my needs) and then copy the menu. But the menu copy function does not keep the structure. That's unfortunate. The way of copying the menu including the structure would be another way how to solve my problem.
Or maybe there are ways how to parametrize all the operations? I feel that it would be a really huge hack, like forging the global variables of the PRGN package or something like that and I am not ready to do that. I would prefer nice, clean and maintainable development if such thing can be done.
Or if I would be able to change the behavior of the "cleansing" module SUPRN_PROFILE_BATCH, it could also help. I am able to use it for menu "refresh", but it does not work for the profile/auth data refresh. This function does not care about the auth data changes I performed although it can be used for saving the menu operations data. Weird.
If anybody has any suggestions, I would be grateful.
Thank you for your time and effort,
cheers Otto
05-26-2011 12:29 PM
A hack I've used on a few occasions is to download the role to file, make some changes to auth. values with a text editor, and upload it to the system under a new name. The downloaded file basically contains, in plain text, relevant rows from DB tables that hold the role auth. data and menu structure.
Proceed with caution! You should spend some time exploring the structure and contents of the file. Undefined behavior could easily result if you do not modify the file correctly and consistently, and the system fails to catch the resulting inconsistencies.
05-26-2011 12:03 PM
When I copy a role with structured menu, I also get the copy of the old profile. So I would have to be able to hack into the profile and change it after the copy. I am not able to do that
When you are copying a role then you have to generate the profile. Then it should come with a new profile? Am I missing something?
Regards,
Arpan Paik
05-26-2011 12:36 PM
Hi, thanks for the answer,
When I do the "all" copy, I get the menu AND the new profile. But I don't want it like this. I need to change the profile by the program. If I would need to do that manually, then voila! problem solved. But I need to change the authorizations: objects + values. So I either have to manipulate the menu with structure (then I can create the profile as a separate task) or be able to change the profile from ABAP. If you can suggest how to do one of the tasks, you are my hero.
Thanks Otto
05-26-2011 12:37 PM
A hack I've used on a few occasions is to download the role to file, make some changes to auth. values with a text editor, and upload it to the system under a new name. The downloaded file basically contains, in plain text, relevant rows from DB tables that hold the role auth. data and menu structure.
Ok, cool. I can try, I will not face any problems with the bad formatting since the program will do everything for me. The only missing piece in this puzzle is if you could name the ABAP function modules that can do the trick for me.
Thanks, Otto
05-26-2011 12:40 PM
I did this manually, therefore I can't point you towards the relevant FM.
Upload/download functionality is available from the "Role" menu in transaction PFCG.
05-26-2011 1:42 PM
Well, this is not new information for me. I was aware of the functionality. But THANK YOU for the idea of using it for my case.
I must admit that it is obvious that I could use the file interface to do that. It didn't cross my mind:))
I will wait for some more suggestions, hope I can get some more development related ones, but this one could suffice as a fallback option. Thanks for the idea, I will research it.
Have a nice day,
Otto
05-26-2011 1:49 PM
Hi Otto
I used this download/edit-replace/upload/generate a lot in previous clients - either with the help of an access database or excel and notepad++ but I've vowed never to use it ever again
It's hacking the table entries via standard SAP functionality but it may have some serious unnoticed side effects which could take a while to spot...
I tried the normal PFCG options in DEV such as merge and insert authorisation from profile (seemed to bring in 'manually' maintained objects???) but I personally would stick to good old fashioned PFCG being updated manually or by LSMW.
Cheers
David
Edited by: David Berry on May 26, 2011 1:49 PM (keyboard-human not connecting
05-26-2011 2:31 PM
Hi David,
I am building a program, so manual options are not an option for me:)) Or is there any hidden secret except that "don't use file interface" part? I hope I will not be making mistakes because those files I will upload later will get generated by the program. Ok, my program could be wrong. But that is what the debugging is for? Or am I too bald?
Thanks, Otto
05-26-2011 5:29 PM
Hi Otto
Sounds interesting but, puts authorisations hat on, if the menu is 'imported' and then a series of ABAP statements (sorry if that is the wrong word) then builds the authorisation tab based on a defined procedure will they retain the status that they had in the donor role(s) and all the other little bits of information that came from SU24? Assuming this is part of the build process - define the menu and its structure and run the transactions through SU24, TCDCOUPLES etc and mark the objects as new/standard/maintained?
Anyhoo...
May I ask what is driving this exercise please?
Kind regards
David
Edited by: David Berry on May 26, 2011 5:30 PM - old laptop with dodgy keyboard and an old contractor with dodgy typing
05-27-2011 12:11 AM
Hi,
regarding using file. Somebody has mentioned on this forum that he has developed/seen a solution where a big number of simple roles was generated by downloading a template, generating a file using the template with different authorization values and uploading these files as new roles. So somebody has already done this before. If you want to know the FMs then the easiest solution is to use the debugger (it seems to me that you have a background in ABAP). For example check program PFCG_MASS_DOWNLOAD.
There is a solution from SAP for defense that generates various roles based on assignment. The main transaction for this is /ISDFPS/ROLE_MANAGER. If you check function group /ISDFPS/ROLE_GEN then you can see what SAP does in this transaction. You can get some ideas from here how to create a new role as a copy of another role and how to modify values of the new role.
Cheers
05-27-2011 10:47 AM
Hi Martin,
thanks for the suggestions. I have access to that Defense tool, but not sure if it is so simple to reuse the coding. The problem is that me as a partner cannot do what SAP developers are doing all the time. Like using global variables, do direct updates etc. The reasons are obvious: in case I am interested in doing it one day, I am not certifiable and of course such development cannot be stable. I could build the tool for the system I am on now, but am not able to sell it to anybody who has slightly different components in place.
It might be also risky to use the file interface but the good thing about it is that I don't think SAP will remove the feature of uploading/downloading roles, so there should be something I can use in other releases as well. Could bring some extra work, but I see no show-stopper on this course.
I am a developer and don't know all the dialogs and special features of PFCG and associated tools so my only option was to spend hours with the debugger. Funny thing was I found so many nice function modules (ok, they had nice names), but unfortunately - not sure if that is on purpose or it's because this topic is still changing/less stable than stuff that is covered by BAPI - the development is a big mess. As I mentioned above: global variables, function modules with promising names which only change the global variables, direct updates of the tables in most of the functions etc.
To be able to produce something stable and neat, I need something with the encapsulated functionality. And here the file interface works nicely, at least I think so (didn't find any use of stuff outside the main two function modules: PRGNUPLOAD and PRGNDOWNLOAD).
I cannot recommend anybody using the "small" function modules, I don't want to use them myself, but before stopping all the efforts in this direction, I wanted to ask the experts. The file interface looks robust. Are there any other function modules you think are as robust as these? I still hope I am not that good a developer and that there are functions I missed and could help me, but am finding no more...
I spent hours searching on ABAP forums and hours debugging, but although it works for SAP, I can't go their way.
I am afraid this is turning into more philosophical discussion, but hey - all input is welcomed:)))
Thanks for your time and effort, everybody, I appreciate it. A LOT.
Have a nice day,
Otto
p.s.
Somebody has mentioned on this forum that he has developed/seen a solution where a big number of simple roles was generated by downloading a template, generating a file using the template with different authorization values and uploading these files as new roles. So somebody has already done this before.
Do you remember the thread? Or some keywords? As I said I searched but didn't find this one. Thanks.
05-31-2011 8:30 AM
Modifying roles automatically reminds me of CSI Codification Builder. This uses Axis database to store the authorization value and based on that generates a text file to upload in the system. So far so good. We had a nice repository. But the problem underlying was the object status. Within years all object status were a mess. As alarm raised by OLD CONTRACTOR
Now when in time of need you will maintain roles manually in PFCG (may be master role) then the problem will be object with status new? Are they yours? Or they are from earlier activity? Now there are many who really do not know/care about these object status. Nightmare? Yes, old good PFCG still sounds good to me.
Regards,
Arpan Paik
05-31-2011 9:00 AM
Hi, thanks for contribution.
I am looking for two things:
a) initial build of new roles
b) doing it in a sustainable way, so it does not blow up when one touches "my role" with PFCG.
Unfortunately I cannot imagine all the problems I might be running into. Could you please specify? If I can build a role which survives the "read old, merge new" button, then I don't see many more problems. Ok, I must build the roles carefully, I know, but are you suggesting the problems after they come to being? I see no difference between one created by PFCG and one forged by the ABAP program, if it does not use any dirty tricks.
Cheers Otto
05-31-2011 9:52 AM
Hi Otto,
you need to have a beer with your fellow Mentor Julius Bussche.
Hint: the word "rathole" will be mentioned a lot
Frank.
05-31-2011 4:37 PM
My current favourite expressions are "snake pit" and "tree stump".
ps: I already had a beer with Otto recently and discussed this and advised him to ask here - hence no need to comment until you arrived.
Cheers,
Julius
06-02-2011 11:20 AM
If I can build a role which survives the "read old, merge new" button, then I don't see many more problems. Ok, I must build the roles carefully
That's true. Unfortunately CSI didn't consider that, which I had experience with. However it would be great to see such a tool in future along with an authorization repository like CSI CB (which I liked). It saves time to define values for open authorization fields. Provided a robust role segregation is there based on org structure.
Regards,
Arpan Paik
05-31-2011 6:41 PM
Hi Otto
I've never used it in anger (seen a couple of demos) but there is the GRC component that builds roles based on an end user's requirements. Think it was/is called 'Access Enforcer'? From memory, the user logs into this via a portal and picks some transactions that are then automatically checked for SoD and passed to a security bod using pixie dust for approval. If it passes then the role is automatically 'built' in R3. I've got no idea how it does this at a programming level but, given it's SAP 'standard', would a version of that be a starting point?
Just wondered...
Regards
David
Edited by: David Berry on May 31, 2011 6:41 PM