if the SID is correctly named and there is a golden dev client for roles

I'm not sure - the profile (trunk) names are in roughly the same numbers ranges - i.e T-X123456790 in DEV QAS and PRD.

Creation and generation of roles appears to have been the norm with roles being created in DEV and uploaded to PRD and generated. I found a small number of collisions when I started to clean up the derived roles which had profiles at 'to be adjusted' in PRD. The reason for my locking down updates to PRD and QAS.

Looking at the previous posts regarding 50,000 number ranges between them ~I think this hasn't been considered but I'm not sure how to check the SID's at the moment.

Sorry for being stupid..

Cheers

David

Edited by: David Berry on Jul 22, 2011 11:49 PM

T-X123456790

"T-" is a constant (see the FAQ thread to change it).

"X" 1st character of the SID.

"1" 3rd character of the SID..... so 2nd character is not considered, hence use the first character in the naming and tell basis not to create nor transport roles from client 000... (I can write a book about that, if you can spot the confusion aspect in client 000 of the SIDs ...).

"234567" is a sequencial number client specific from table AGR_NUM_2, however take note that same SIDs (1st and 3rd) can collide).

"90" is the authorization instance number in the role. "90" is quite an achievment.... which object is it?

Cheers,

Julius

T-C is the current format for DEV, QAS and PRD

The next number in all is 1 and the number ranges are not set outside of a 50K spread which is why the process of DL UL to QAS (and also to in PRD for some roles) worries me

I've usually seen T-D, T-Q and T-P for other clients which is making this a little more difficult to spot the 'where were you built?'

Edit

"90" is the authorization instance number in the role. "90" is quite an achievment.... which object is it?

I'll have a further dig into this aspect!

D'Oh.This one's not relevant - I should have stopped at a shorter number as an example

Edit

been a long week ...

This is why I want to lock down the QAS and PRD to 'ZTEST' for the role and profile.

Cheers

David

Edited by: David Berry on Jul 23, 2011 12:26 AM

Edited by: David Berry on Jul 23, 2011 12:33 AM

>> The next number in all is 1

Then you should reset the number ranges and perform a clean up, because transports will collide (typically from basis folks but they soon resort to SAP_ALL because their role attempts dont work...and "up stream" profile generation will reserve profile names) .

A clean up between the role data and the profile data seems to be needed. To be honest you might have to test everything if it has been going on for a while....in which case it is an opportunity to start from scratch.

If the customer has been using LSMW and ecatts then it is typically even worse.

I have even seen some resorting to DB field triggers....

Real pity...

--> Build solid single roles and transport them for testing. Only cheat in QAS if you are disciplined enough for parrellel maintainance.

Cheers,

Julius

Well...

Merely an outsider watching the accident - wish a little "minority report" to save the day was available.

Isn't there a check list that should be followed during these processes so that everything is done correctly?

Edited by: David Berry on Jul 24, 2011 12:49 AM

I'm guessing that the check list is optional and based on user's own experience.

There is also a BADI function in the STMS which

I haven't dealt with these as far as I know...the simplest option is to stop bad practice befor having to resort to stuff I don't understand

There is a program which checks for collisions, but it is in the import events of the STMS.

The problem with the STMS release BADI is that although it would be triggered before something goes wrong, the collision information is in the remote target systems where the role is heading toward. Unfortunately the TMSADM cannot read this information, and having many logon screens popup is not user-friendly either, and generally having system user RFC calls from DEV to QAS and PROD is not advisable.

I would go to AGR_PROF and USH10 in the systems and manually work out how many collisions there are and show the folks the risk of this with examples of collisions which have already happened (and that the users actually have the wrong access).

Cheers and good luck,

Julius

I did the AGR_PROF checks after the first error came back and found 7 which would have caused further issues for my transports but I haven't heard of USH10 - I''ll check that on Tuesday!

Note that on higher releases the historyof profiles was moved from USH10 to CDHDR. If you use report RSUSR101 you should be fine as it would consider this.

Take any created profiles from QAS and PRD as well as all clients other than your "golden DEV client for roles" and if they exist in AGR_PROF there then they will collide sooner or later.

Cheers,

Julius

Hi Julius

Thankyou for the advice which is,as always - much appreciated.

I'll have a look at the CDHDR table to see how that relates to the AGR_PROF table I used in DEV, QAS and PRD. After the access was increased I saw around 50 new roles created in DEV and then in QAS with different (but not by enough) profile numbers.

I suspect that the client won't listen anyway..

Cheers

David

We have a (verbal) agreement...

The number ranges need checking and then the SID's also need checking and then I can carry out a proper clean-up of the profile trunks.

Amen

Cheers

David

Edited by: David Berry on Jul 25, 2011 11:03 PM