09-26-2006 5:55 PM
I am getting a difference in number of transactions for a role that I compare throug Table AGR_Tcodes and SUIM report (Transactions executable for a role).Any suggestions please.
Thanks.
09-26-2006 9:21 PM
Hi,
If a Tcode is added via the Menu during role creation, then they are available in both the places. If a Tcode is added manually in the auth object S_Tcode then they form the difference delta.
we experienced the same a few times and i think SUIM misses such Tcodes entered manually.
Br,
sri
09-27-2006 10:49 AM
Hi Mirza,
As rightly pointed out by raghu it is because the missing transaction codes would be the ones that are added tov the role through authorization object s_tcode and not through role menu. This is normal because agr_tcodes will only show data for transaction added in role menu. it will not show transactions not present in role menu.
You must check in SUIM for role tranaction mappings.
Please award points if this anwer was ueful for you.
Regards.
Ruchit.
09-27-2006 1:10 PM
Hi,
correct. If you want to get all, you can as well use the "Complex search criteria" and use object S_TCODE. Then you get both: standard and manually added.
However, you might want to consider removing manually added S_TCODEs anyway. It leads to manually added other objects. Which leads to roles that you will find hard to maintain soon. Please try to insert transactions to the role menu and use SU24 to maintain the authorizations required for the transactions. In a best practice scenario you would end up with only "standard" and "maintained" objects.
Cheers,
Christian
09-27-2006 1:15 PM
Hi,
As already pointed out, if you run the SUIM report - RSUSR070 - this will show you tcodes that have been set up via the menu of PFCG. Tcodes can be entered manually through the authorization tab in S_TCODE or there can be a range entered here. Table AGR_1251 will show you the tcodes values that are entered into the S_TCODE manually. Table AGR_HIER will show you the values entered into the PFCG menu tab.
Regards, JC
12-12-2006 4:20 AM
Hi,
Could you please clarify..
For example - If I wanted <b>complete</b> list of Roles having SU01. What should I do?
Should use SUIM and query Roles based on SU01 Tcode? Will querying AGR_HEIR will give same result?
Should use AGR_1251 / AGR_TCODES table? Will this table list all Tcodes in the S_TCODE ? or <b> only</b> Manually entered one?
Need a complete list of Roles having SU01...Please help!!
Thanks !!!
12-12-2006 4:35 AM
If you wanted to find out all roles that can start the transaction SU01 you can either:
SUIM: Roles -> by Authorization values and enter in S_TCODE TCD=SU01 or
Tables AGR_1251: Object = S_TCODE, Low=SU01
If you wanted to find out all of the roles that have SU01 in the role menu then:
SUIM: Roles -> by transaction and enter in SU01 or
Tables AGR_TCODES: TCODE = SU01
Note, that the second option will not list roles that have had SU01 manually inserted into the S_TCODE authorisation object. So, it depends on whether or not you are looking for roles that have SU01 in by design, or roles that have SU01 regardless of design (for an audit for example).
Also note, that this doesn't include the fact that a role may be able to execute SU01 due to wildcards or ranges such as TCD = SU* or TCD=PFCG to ZABC