Check status for Derived role generation

Former Member · ‎12-09-2011

Hello,

We are trying to place a check to validate and ensure that the child roles are generated using "generate derived role" (CtrlShiftF4) from the parent role. However, i'm not able to find an appropriate function module or table field via which this can be checked.

Are there any options to check this?

Thanks in advance

Vijaya

Former Member · ‎12-09-2011

Hi,

Use SUPC. If I remember correctly do a search using the option for profiles to be compared. That will tell you if a child role is out of sync with a parent.

Former Member · ‎12-09-2011

Hi Alex,

Thanks for your response. However, SUPC does not help. The closest option was "Roles to be compared" which did not return results as expected. Any other options?

Thanks again

Vijaya

Former Member · ‎12-09-2011

Hi Vijaya,

Roles is correct, I wasn't looking at SAP when I wrote it.

What output are you expecting?

Former Member · ‎12-09-2011

You can derive childs from the parent role, regenerate the profiles and then stick around close to the helpdesk telephones. That works,

Other than that: I could not find any other way of doing this via reporting either, so plan B is to clone the parent & child roles into copies and then simulate a mass "read old, merge new" against all of them and check the log of the simulation.

If you are brave, you can verify that the parent roles are "up to date" with the merge function and then simulate against the real childs. Prior you must have done what Alex already described, because if the profiles are out of date then the auths will need to trigger a regeneration as well, but they might not.

Cheers,

Julius

former_member230681 · ‎12-09-2011

Hi Vijaya,

One option can be to use SUPC to check that child roles' profiles are generated and then to compare AGR_1251 dump of Master role and Derive role.This will help in ensuring that Master roles and corresponding derive roles are in sync.If they are in sync,then I think it can be concluded that master push is done for child roles.

Former Member · ‎12-13-2011

I was expecting that if a particular child role is not generated for derived role it should be flagged or appear in the output. Does not happen (i created test roles without dervided role generation)

Next tried to implement the logic to compare AGR_1251 entries but now i see that "counter" field is a primary key and the objects for the same counter number in Parent and child role are not the same.

Any suggestions?

Thanks

Vijaya

former_member204634 · ‎12-13-2011

Hi Vijaya

As a quick check you can compare s_tcode values in agr_1251 for child roles and their parent. This shall provide you an overview if t-code changes have been pushed to child roles/or if t-codes were added/removed directly in child roles.

Hope this helps

Prashant

Former Member · ‎12-16-2011

Hi,

You can find the status of the roles whether the profile is generated or not .. with PFCG only.

PFCG

-> Utilities (M)

-> Overview Status (CtrlShiftF11)

Give the role names (for which you need to know whether they are generated or not)

Tick/select - Only Display Roles with Errors and Warnings

-> Execute

It will display all the role names and profile name and their status green generated, yellow not generated. If you copy all data and paste it in the excel it would be like below...

ZS_ECC_NPR_AFM_TESTING_GL @IC\QSingle Role@ 11/20/2011 12:47:32 VKUMAR @5C\QNo menu exists@ @5D\QCurrent version not generated@ ZNPRAFMTES @5D\QUser master record not completely updated@

ZS_ECC_NPR_DATABASE_ADMIN_GL @IC\QSingle Role@ 08/02/11 18:02:26 MMAKUCH @5C\QNo menu exists@ @5B\QAuthorization profile is generated@ ZNPRDTBADM @5C\QNo users are assigned@

Hope this helps you.

Thanks,

Vinod

Former Member · ‎12-16-2011

Hi Vinod

Very nice report, I've been trying to view prod for a month now but without SUPC I didn't think I had a chance!

Blimey...

Cheers

David