Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Best way to merge lots of roles into one new role

Former Member

‎12-28-2011 1:46 PM

0 Kudos

I am currently working on a rebuild of the current roles and profiles. The users now have lots of large and small roles which also have lots of similar authorisation objects in them. I can create new roles and then import the old profiles into them one by one and then merge the whole lot but would prefer a quicker way if possible i.e. combine lots of roles into one new role in one go. Any suggestions are welcome.

Thom Dijkstra

10 REPLIES 10

Former Member

‎12-28-2011 2:35 PM

0 Kudos

Dear Thom,

You can make composite roles.This is the good way for maintenance purpose as you can assign 2-3 composite roles to end users.

Regards,

Amit Barnawal

Former Member

‎12-28-2011 2:47 PM

0 Kudos

Unfortunately that is not an option. We want to include all authorisations for each single function in one single role. It's not the prettiest option but better for this organisation.

Former Member

‎12-28-2011 3:41 PM

0 Kudos

There are at least three ways to do this, but it depends on how qualitative the mergable singles are in their authorizations and how you want to deal with org. level fields.

You need to provide more infos about that.

Cheers,

Julius

jurjen_heeck
Active Contributor

‎12-28-2011 6:21 PM

0 Kudos

Hi Thom,

I'd say rebuild from the menu. You can import the menus from the other roles and keep those other roles for reference while filling the authorization values.

Maybe you can speed up the initial part (loading all the menus into the new role) with an ECATT script.

Jurjen

Former Member
In response to jurjen_heeck

‎12-28-2011 6:41 PM

0 Kudos

Hey jurjen, thn

Anks for your reply. Unfortunately the roles were not all built with the menu but also by manualky adding t-codes and other objects. A possibility would be to filter all the t-codes from all the roles and then add them inthe new role. I was really looking for a quicker solution

jurjen_heeck
Active Contributor
In response to jurjen_heeck

‎12-28-2011 7:46 PM

0 Kudos

Hi Thom,

Sounds like a messy starting point.

Do you need the role menu's to be structured in any way? If not you should be able to create an ecatt script to enter transactions into the menu tab based on the transaction assignments in AGR_1251 - S_TCODE from the original role sets. Besides that I do not see a quick fix.

Jurjen

P.S. You can always give me a call if you need a hand

Former Member
In response to jurjen_heeck

‎12-28-2011 8:26 PM

0 Kudos

The dirty solution is within the new role --> import the profiles of the various single roles.

However, the auths are all manual regardless of the source status and you have no menu.

That is why you must provide more information.

This is however not a best practice and Jurjen is correct, it is quite possible that starting over is better.

Cheers,

Julius

Former Member

‎01-02-2012 8:47 AM

0 Kudos

ls,

Thanks for the info. i think I have the information that I need, unfortunately it seems there is no easy solution for this (I was kind of expecting this).

Within the organisation there are a lot of things missing for me to be able to do this the right way:

- there are no process- or function descriptions

- there is no person or board who is responsible for or who can indicate what each function should be able to do (and not be allowed to do)

- there is no auditlog (I am working on that but will take time to build up some history)

So, the challenge is that the only thing I have to go on are the current authorisations which is a mix of all kinds of big and small roles with lots of overlapping objects. My idea was to merge all these roles into one role for each function and then go through these to see where there might be control-issues. At least I would have 1 role to work with for each function which would also make it easier for the people doing the usermanagement.

Hope this explains it a bit better.

Former Member
In response to Former Member

‎01-02-2012 9:57 AM

0 Kudos

Again, do the roles have a menu or not?

What is the status of the authorization instances in the roles?

You should consider that starting over is mostly a cleaner way and you can still do user based comparisons between the test system (with new role(s) assigned) and the production system (with the spagetti).

Cheers,

Julius

Former Member

‎01-02-2012 10:58 AM

0 Kudos

@ Julius: sorry missed that remark. Most roles do not have a menu. A lot of transactions have been added manually including their compulsory objects.