
ABAP role/profile manipulation mismatch

OttoGold
Active Contributor
0 Kudos

Ladies and gentlemen,

I have a question for you. I would like to copy a role with menu (structured!) and slightly changed authorizations+values.

Unfortunately I am able to accomplish either the first or the second part of the task. So maybe a skillful hacker could help me?

When I copy a role with structured menu, I also get the copy of the old profile. So I would have to be able to hack into the profile and change it after the copy. I am not able to do that. If somebody can do that, it is one of the possible solutions for my problem.

There is an option the other way round. I can create an empty role, then create the profile for it (slightly changed according to my needs) and then copy the menu. But the menu copy function does not keep the structure. That's unfortunate. The way of copying the menu including the structure would be another way how to solve my problem.

Or maybe there are ways how to parametrize all the operations? I feel that it would be a really huge hack, like forging the global variables of the PRGN package or something like that and I am not ready to do that. I would prefer nice, clean and maintainable development if such thing can be done.

Or if I would be able to change the behavior of the "cleansing" module SUPRN_PROFILE_BATCH, it could also help. I am able to use it for menu "refresh", but it does not work for the profile/auth data refresh. This function does not care about the auth data changes I performed although it can be used for saving the menu operations data. Weird.

If anybody has any suggestions, I would be grateful.

Thank you for your time and effort,

cheers Otto

1 ACCEPTED SOLUTION

Private_Member_119218
Active Participant
0 Kudos

A hack I've used on a few occasions is to download the role to file, make some changes to auth. values with a text editor, and upload it to the system under a new name. The downloaded file basically contains, in plain text, relevant rows from DB tables that hold the role auth. data and menu structure.

Proceed with caution! You should spend some time exploring the structure and contents of the file. Undefined behavior could easily result if you do not modify the file correctly and consistently, and the system fails to catch the resulting inconsistencies.
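
A pre-upload check for the download/edit/upload approach described in the accepted answer, as an added example that is not part of the original thread: it compares the downloaded file with the edited copy and reports structural breaks, missed renames and values widened to `*`. It covers the "change values only" case; the tab-separated layout, record names and role names in the sample are constructed assumptions, not the actual PFCG file format.

```python
"""Pre-upload check for an edited role file (constructed, simplified layout)."""

def check_role_file(template, edited, old_role, new_role):
    """Compare the downloaded file with its edited copy, field by field."""
    report = {"errors": [], "changes": [], "widened": []}
    t_rows = [line.split("\t") for line in template.splitlines()]
    e_rows = [line.split("\t") for line in edited.splitlines()]
    if len(t_rows) != len(e_rows):
        # Added or dropped rows break the menu/authorization structure.
        report["errors"].append(f"row count changed: {len(t_rows)} -> {len(e_rows)}")
        return report
    for n, (t, e) in enumerate(zip(t_rows, e_rows), start=1):
        if len(t) != len(e):
            report["errors"].append(f"line {n}: field count {len(t)} -> {len(e)}")
            continue
        for col, (old, new) in enumerate(zip(t, e)):
            if old == old_role:
                # Every occurrence of the role name must be renamed.
                if new != new_role:
                    report["errors"].append(f"line {n}: role name is {new!r}")
            elif old != new:
                report["changes"].append((n, col, old, new))
                if new.strip() == "*":
                    # A value widened to full authorization needs sign-off.
                    report["widened"].append((n, old))
    return report

# Constructed sample; the record names and column order are assumptions.
TEMPLATE = "\n".join([
    "AGR_DEFINE\tZ_SALES_OLD",
    "AGR_HIER\tZ_SALES_OLD\t1\t0\tSales",
    "AGR_HIER\tZ_SALES_OLD\t2\t1\tVA03",
    "AGR_1251\tZ_SALES_OLD\tV_VBAK_VKO\tVKORG\t1000",
    "AGR_1251\tZ_SALES_OLD\tV_VBAK_VKO\tACTVT\t03",
])
EDITED = "\n".join([
    "AGR_DEFINE\tZ_SALES_NEW",
    "AGR_HIER\tZ_SALES_NEW\t1\t0\tSales",
    "AGR_HIER\tZ_SALES_OLD\t2\t1\tVA03",  # rename missed on this row
    "AGR_1251\tZ_SALES_NEW\tV_VBAK_VKO\tVKORG\t2000",
    "AGR_1251\tZ_SALES_NEW\tV_VBAK_VKO\tACTVT\t*",
])

def demo():
    return check_role_file(TEMPLATE, EDITED, "Z_SALES_OLD", "Z_SALES_NEW")

if __name__ == "__main__":
    for key, items in demo().items():
        print(key, items)
```

The `changes` list is the review artifact: it should contain exactly the value edits that were intended, and nothing else.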

17 REPLIES 17

arpan_paik
Active Contributor
0 Kudos

When I copy a role with structured menu, I also get the copy of the old profile. So I would have to be able to hack into the profile and change it after the copy. I am not able to do that

When you are copying a role then you have to generate the profile. Then it should come with a new profile? Am I missing something?

Regards,

Arpan Paik

OttoGold
Active Contributor
0 Kudos

Hi, thanks for the answer,

When I do the "all" copy, I get the menu AND the new profile. But I don't want it like this. I need to change the profile by the program. If I would need to do that manually, then voila! problem solved. But I need to change the authorizations: objects + values. So I either have to manipulate the menu with structure (then I can create the profile as a separate task) or be able to change the profile from ABAP. If you can suggest how to do one of the tasks, you are my hero.

Thanks Otto

0 Kudos

A hack I've used on a few occasions is to download the role to file, make some changes to auth. values with a text editor, and upload it to the system under a new name. The downloaded file basically contains, in plain text, relevant rows from DB tables that hold the role auth. data and menu structure.

Ok, cool. I can try, I will not face any problems with the bad formatting since the program will do everything for me. The only missing piece in this puzzle is if you could name the ABAP function modules that can do the trick for me.

Thanks, Otto

0 Kudos

I did this manually, therefore I can't point you towards the relevant FM.

Upload/download functionality is available from the "Role" menu in transaction PFCG.

0 Kudos

Well, this is not new information for me. I was aware of the functionality. But THANK YOU for the idea of using it for my case.

I must admit that it is obvious that I could use the file interface to do that. It didn't cross my mind:))

I will wait for some more suggestions, hope I can get some more development related ones, but this one could suffice as a fallback option. Thanks for the idea, I will research it.

Have a nice day,

Otto

0 Kudos

Hi Otto

I used this download/edit-replace/upload/generate a lot in previous clients - either with the help of an Access database or Excel and Notepad++ but I've vowed never to use it ever again

It's hacking the table entries via standard SAP functionality but it may have some serious unnoticed side effects which could take a while to spot...

I tried the normal PFCG options in DEV such as merge and insert authorisation from profile (seemed to bring in 'manually' maintained objects???) but I personally would stick to good old fashioned PFCG being updated manually or by LSMW.

Cheers

David

Edited by: David Berry on May 26, 2011 1:49 PM (keyboard-human not connecting

0 Kudos

Hi David,

I am building a program, so manual options are not an option for me:)) Or is there any hidden secret except that "don't use file interface" part? I hope I will not be making mistakes because those files I will upload later will get generated by the program. Ok, my program could be wrong. But that is what the debugging is for? Or am I too bald?

Thanks, Otto

0 Kudos

Hi Otto

Sounds interesting but, puts authorisations hat on, if the menu is 'imported' and then a series of ABAP statements (sorry if that is the wrong word) then builds the authorisation tab based on a defined procedure will they retain the status that they had in the donor role(s) and all the other little bits of information that came from SU24? Assuming this is part of the build process - define the menu and its structure and run the transactions through SU24, TCDCOUPLES etc and mark the objects as new/standard/maintained?

Anyhoo...

May I ask what is driving this exercise please?

Kind regards

David

Edited by: David Berry on May 26, 2011 5:30 PM - old laptop with dodgy keyboard and an old contractor with dodgy typing

mvoros
Active Contributor
0 Kudos

Hi,

regarding using file. Somebody has mentioned on this forum that he has developed/seen a solution where a big number of simple roles was generated by downloading a template, generating a file using template with different authorization values and uploading these files as new roles. So somebody has already done this before. If you want to know FMs then the easiest solution is to use the debugger (it seems to me that you have a background in ABAP). For example check program PFCG_MASS_DOWNLOAD.

There is a solution from SAP for defense that generates various roles based on assignment. The main transaction for this is /ISDFPS/ROLE_MANAGER. If you check function group /ISDFPS/ROLE_GEN then you can see what SAP does in this transaction. You can get some ideas from here how to create a new role as a copy of another role and how to modify values of the new role.

Cheers

OttoGold
Active Contributor
0 Kudos

Hi Martin,

thanks for the suggestions. I have access to that Defense tool, but not sure if it is so simple to reuse the coding. The problem is that me as a partner cannot do what SAP developers are doing all the time. Like using global variables, do direct updates etc. The reasons are obvious: in case I am interested in doing it one day, I am not certifiable and of course such development cannot be stable. I could build the tool for the system I am on now, but am not able to sell it to anybody who has slightly different components in place.

It might be also risky to use the file interface but the good thing about it is that I don't think SAP will remove the feature of uploading/downloading roles, so there should be something I can use in other releases as well. Could bring some extra work, but I see no show-stopper on this course.

I am a developer and don't know all the dialogs and special features of PFCG and associated tools so my only option was to spend hours with the debugger. Funny thing was I found so many nice function modules (ok, they had nice names), but unfortunately - not sure if that is on purpose or it's because this topic is still changing/less stable than stuff that is covered by BAPI - the development is a big mess. As I mentioned above: global variables, function modules with promising names which only change the global variables, direct updates of the tables in most of the functions etc.

To be able to produce something stable and neat, I need something with the encapsulated functionality. And here the file interface works nicely, at least I think so (didn't find any use of stuff outside the main two function modules: PRGNUPLOAD and PRGNDOWNLOAD).

I cannot recommend anybody using the "small" function modules, I don't want to use them myself, but before stopping all the efforts in this direction, I wanted to ask the experts. The file interface looks robust. Are there any other function modules you think are as robust as these? I still hope I am not that good developer and that there are functions I missed and could help me, but am finding no more...

I spent hours searching on ABAP forums and hours debugging, but although it works for SAP, I can't go their way.

I am afraid this is turning into more philosophical discussion, but hey - all input is welcomed:)))

Thanks for your time and effort, everybody, I appreciate it. A LOT.

Have a nice day,

Otto

p.s.

Somebody has mentioned on this forum that he has developed/seen a solution where a big number of simple roles was generated by downloading a template, generating a file using template with different authorization values and uploading these files as new roles. So somebody has already done this before.

Do you remember the thread? Or some keywords? As I said I searched but didn't find this one. Thanks.

arpan_paik
Active Contributor
0 Kudos

Modifying roles automatically reminds me of CSI Codification Builder. This uses Axis database to store the authorization value and based on that generates a text file to upload in the system. So far so good. We had a nice repository. But the problem underlying was the object status. Within years all object status were a mess. As alarm raised by OLD CONTRACTOR

Now when in time of need you will maintain roles manually in PFCG (may be master role) then the problem will be object with status new? Are they yours? Or they are from earlier activity? Now there are many who really do not know/care about these object status. Nightmare? Yes, old good PFCG still sounds good to me.

Regards,

Arpan Paik

OttoGold
Active Contributor
0 Kudos

Hi, thanks for contribution.

I am looking for two things:

a) initial build of new roles

b) doing it in a sustainable way, so it does not blow up when one touches "my role" with PFCG.

Unfortunately I cannot imagine all the problems I might be running into. Could you please specify? If I can build a role which survives the "read old, merge new" button, then I don't see many more problems. Ok, I must build the roles carefully, I know, but are you suggesting the problems after they come to being? I see no difference between one created by PFCG and one forged by the ABAP program, if it does not use any dirty tricks.

Cheers Otto

koehntopp
Product and Topic Expert
0 Kudos

Hi Otto,

you need to have a beer with your fellow Mentor Julius Bussche.

Hint: the word "rathole" will be mentioned a lot

Frank.

Former Member
0 Kudos

My current favourite expressions are "snake pit" and "tree stump".

ps: I already had a beer with Otto recently and discussed this and advised him to ask here - hence no need to comment until you arrived.

Cheers,

Julius

arpan_paik
Active Contributor
0 Kudos

If I can build a role which survives the "read old, merge new" button, then I don't see many more problems. Ok, I must build the roles carefully

That's true. Unfortunately CSI didn't consider that which I had experience with. However it would be great to see such tool in future along with an authorization repository like CSI CB (which I liked). It saves time to define values for open authorization field. Provided a robust role segregation is there based on org structure.

Regards,

Arpan Paik

Former Member
0 Kudos

Hi Otto

I've never used it in anger (seen a couple of demos) but there is the GRC component that builds roles based on an end user's requirements. Think it was/is called 'Access Enforcer'? From memory, the user logs into this via a portal and picks some transactions that are then automatically checked for SoD and passed to a security bod using pixie dust for approval. If it passes then the role is automatically 'built' in R3. I've got no idea how it does this at a programming level but, given it's SAP 'standard', would a version of that be a starting point?

Just wondered...

Regards

David

Edited by: David Berry on May 31, 2011 6:41 PM