cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

best practice roles activation

Former Member

on ‎04-27-2012 3:24 PM

0 Kudos

Hi all

We have installed Italian Baseline on our system and facing some problems with authorization profile generation.

Baseline is delivered with a set of roles empty (with menu, but without authorization object).

I found how to create authorization for that, but each authorization node ask me for a lot of data (for example.. stge location, order type and so on), as usual in role handling.

But it was our understanding, that with baseline, most of these data where taken automatically by customizing (that we have done).

I think that I am missing the correct baseline profile generation procedure. I cannot find help in baseline guidelines that send me to help.sap.com Identity Management for more information.. but also here I did not find anything.

Can anyone please make clear on Best Practice Roles Activation / Profile Generation please?

Thanks in advance

Gabriele

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎04-27-2012 5:16 PM
0 Kudos

Hi, this is taken from the SAP IdM config guide

Automatic profile generation must be enabled on the AS ABAP so that changes to role assignments are automatically reflected in a user’s profile.  You can check this using table maintenance (for example, transaction SM30). Maintain the table PRGN_CUST. Make sure an entry with the name AUTO_USERCOMPARE exists in the table and that it contains the value YES.


If you do not activate AUTO_USERCOMPARE, then run the report PFCG_TIME_DEPENDENCY after executing any provisioning steps.

Show replies
Show replies
Former Member
‎05-02-2012 9:18 AM
0 Kudos

Hi

thanks for your reply.

I didn't understand your answer. I think I've not been clear in problem explanation.

We understood that with baseline and best practice, fast start solution will help installation of roles creating all authorization object automatically. My question is how can we do that? We already find a way to do it (as usual) but, in this way I am asked for each kind of data regarding authorization (not only organization data: order type, storage location, document type and so on). Following "normal" way I have to fill all these fields in authorization entry. But there are a lot of this for each roles.. We understood that there is a way to read customizing present automatically for creating profiles.

For (simplified) example: in my installation I create sales order type YPO1 and YPO2 ...

Authorization object regarding sales order have field "sales order type". There, automatically would be YPO1 and YPO2.

Former Member
‎05-02-2012 2:42 PM
0 Kudos

Creation of authorization objects and profiles will continue to be done in your ABAP system.  All Identity Management does is consume the name (pointer) to the role and profile after it has already been created in the end system.  Take a look at the initial import job from the ABAP system.  You don't create the roles/profiles in Identity Management, you import(consume) them.  After that, you can them in business roles/assign to users, etc.

Hope that answers your question.

Ask a Question