12-09-2011 9:06 AM
Hello,
We are trying to place a check to validate and ensure that the child roles are generated using "generate derived role" (CtrlShiftF4) from the parent role. However, i'm not able to find an appropriate function module or table field via which this can be checked.
Are there any options to check this?
Thanks in advance
Vijaya
12-09-2011 10:35 AM
Hi,
Use SUPC. If I remember correctly do a search using the option for profiles to be compared. That will tell you if a child role is out of sync with a parent.
12-09-2011 10:55 AM
Hi Alex,
Thanks for your response. However, SUPC does not help. The closest option was "Roles to be compared" which did not return results as expected. Any other options?
Thanks again
Vijaya
12-09-2011 12:18 PM
Hi Vijaya,
Roles is correct, I wasn't looking at SAP when I wrote it.
What output are you expecting?
12-09-2011 11:53 AM
You can derive childs from the parent role, regenerate the profiles and then stick around close to the helpdesk telephones. That works,
Other than that: I could not find any other way of doing this via reporting either, so plan B is to clone the parent & child roles into copies and then simulate a mass "read old, merge new" against all of them and check the log of the simulation.
If you are brave, you can verify that the parent roles are "up to date" with the merge function and then simulate against the real childs. Prior you must have done what Alex already described, because if the profiles are out of date then the auths will need to trigger a regeneration as well, but they might not.
Cheers,
Julius
12-09-2011 12:36 PM
Hi Vijaya,
One option can be to use SUPC to check that child roles' profiles are generated and then to compare AGR_1251 dump of Master role and Derive role.This will help in ensuring that Master roles and corresponding derive roles are in sync.If they are in sync,then I think it can be concluded that master push is done for child roles.
12-13-2011 9:26 AM
I was expecting that if a particular child role is not generated for derived role it should be flagged or appear in the output. Does not happen (i created test roles without dervided role generation)
Next tried to implement the logic to compare AGR_1251 entries but now i see that "counter" field is a primary key and the objects for the same counter number in Parent and child role are not the same.
Any suggestions?
Thanks
Vijaya
12-13-2011 9:51 AM
Hi Vijaya
As a quick check you can compare s_tcode values in agr_1251 for child roles and their parent. This shall provide you an overview if t-code changes have been pushed to child roles/or if t-codes were added/removed directly in child roles.
Hope this helps
Prashant
12-16-2011 2:22 PM
Hi,
You can find the status of the roles whether the profile is generated or not .. with PFCG only.
PFCG
-> Utilities (M)
-> Overview Status (CtrlShiftF11)
Give the role names (for which you need to know whether they are generated or not)
Tick/select - Only Display Roles with Errors and Warnings
-> Execute
It will display all the role names and profile name and their status green generated, yellow not generated. If you copy all data and paste it in the excel it would be like below...
ZS_ECC_NPR_AFM_TESTING_GL @IC\QSingle Role@ 11/20/2011 12:47:32 VKUMAR @5C\QNo menu exists@ @5D\QCurrent version not generated@ ZNPRAFMTES @5D\QUser master record not completely updated@
ZS_ECC_NPR_DATABASE_ADMIN_GL @IC\QSingle Role@ 08/02/11 18:02:26 MMAKUCH @5C\QNo menu exists@ @5B\QAuthorization profile is generated@ ZNPRDTBADM @5C\QNo users are assigned@
Hope this helps you.
Thanks,
Vinod
12-16-2011 9:48 PM
Hi Vinod
Very nice report, I've been trying to view prod for a month now but without SUPC I didn't think I had a chance!
Blimey...
Cheers
David