SAP roles : How to compare a role between 2 environments ?

Former Member
0 Kudos

Hi.

http://scn.sap.com/thread/1577724

While reviewing a new customer environment, I found that few roles are different in production compared to the development environment.

Although the practice seems to be to import from DEV --> QA --> Production.

I looked at SUIM \Comparison\From roles: it is asking for RFC destination environment A / environment B.

I do not have details of whether RFC is maintained or not between DEV & Production.

In my opinion, RFC should be there, otherwise transports would not happen between 3 environments ?

Can anyone guide me further on this please.

I have thousands of roles to really look at and compare between the dev and production systems of a particular customer.

Thanks

indu

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Indu,

RFC would be there, but you might need to provide ID and password to connect. When you have to compare thousands of roles, forget about this procedure.

My suggestion:

1. Identify the roles from AGR_DEFINE based on naming convention.

2. Take the role authorization timestamps on roles from Dev and Prod.

3. Compare both lists; only the ones with a difference have to be compared (as they are out of sync).

4. Now download the agr_1251 and agr_1252 tables on both Dev and Prod, compare respectively to find difference.

Regards,

Ajesh.
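
The four steps above, sketched offline in Python as an added example (not code from the thread or from SAP). It assumes both systems' tables were downloaded as tab-delimited text with a header row; the `TIMESTAMP` header and the reading of `DELETED = X` as an inactive row are assumptions, all sample data is constructed, and only AGR_1251 is diffed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports (tab-delimited with a header row). Column names
# are assumptions about the download; TIMESTAMP is a hypothetical header.
DEV_TS = "AGR_NAME\tTIMESTAMP\nZ_FI_CLERK\t20120301101500\nZ_MM_BUYER\t20120105090000\nSAP_BASIS\t20100101000000\n"
PRD_TS = "AGR_NAME\tTIMESTAMP\nZ_FI_CLERK\t20120415174200\nZ_MM_BUYER\t20120105090000\nZ_HR_TEMP\t20110909120000\n"
DEV_1251 = """AGR_NAME\tOBJECT\tFIELD\tLOW\tHIGH\tDELETED
Z_FI_CLERK\tS_TCODE\tTCD\tFB03\t\t
Z_FI_CLERK\tF_BKPF_BUK\tACTVT\t03\t\t
Z_MM_BUYER\tS_TCODE\tTCD\tME21N\t\t
"""
PRD_1251 = """AGR_NAME\tOBJECT\tFIELD\tLOW\tHIGH\tDELETED
Z_FI_CLERK\tS_TCODE\tTCD\tFB03\t\t
Z_FI_CLERK\tS_TCODE\tTCD\tFB01\t\t
Z_FI_CLERK\tS_TCODE\tTCD\tFB02\t\tX
Z_FI_CLERK\tF_BKPF_BUK\tACTVT\t01\t\t
Z_FI_CLERK\tF_BKPF_BUK\tACTVT\t03\t\t
Z_HR_TEMP\tS_TCODE\tTCD\tPA30\t\t
Z_MM_BUYER\tS_TCODE\tTCD\tME21N\t\t
"""

def read_rows(text):
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def out_of_sync(dev_ts, prd_ts, prefix="Z"):
    """Steps 1-3: roles matching the naming convention whose timestamps
    differ, or that exist in only one of the two systems."""
    dev = {r["AGR_NAME"]: r["TIMESTAMP"] for r in read_rows(dev_ts)}
    prd = {r["AGR_NAME"]: r["TIMESTAMP"] for r in read_rows(prd_ts)}
    names = {n for n in dev.keys() | prd.keys() if n.startswith(prefix)}
    return sorted(n for n in names if dev.get(n) != prd.get(n))

def auth_values(text, roles):
    """Per role, the set of (object, field, low, high); DELETED rows skipped."""
    out = defaultdict(set)
    for r in read_rows(text):
        if r["AGR_NAME"] in roles and r.get("DELETED", "") != "X":
            out[r["AGR_NAME"]].add((r["OBJECT"], r["FIELD"], r["LOW"], r["HIGH"]))
    return out

def compare(dev_ts, prd_ts, dev_1251, prd_1251, prefix="Z"):
    """Step 4: diff authorization values only for the out-of-sync roles."""
    roles = set(out_of_sync(dev_ts, prd_ts, prefix))
    dev, prd = auth_values(dev_1251, roles), auth_values(prd_1251, roles)
    return {role: {"only_dev": sorted(dev[role] - prd[role]),
                   "only_prd": sorted(prd[role] - dev[role])}
            for role in sorted(roles)}

if __name__ == "__main__":
    for role, delta in compare(DEV_TS, PRD_TS, DEV_1251, PRD_1251).items():
        print(role, delta)
```

Entries under `only_prd` are the ones to review first: they are authorization values present in production that the development role does not contain.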

12 REPLIES 12

Former Member
0 Kudos

Hi Indu,

You are correct here, comparison of roles across 2 systems is done using SUIM->Comparisons->From Roles.

You would need to define an RFC destination between the 2 systems for comparison. The TMSADM@* RFCs used for connection between the systems in the transport domain will not work here, as they would be connecting to client 000.

Regards,

R

Former Member
0 Kudos

As has been mentioned, if there is a transport path active, it's likely there are already RFC destinations in place, but as RN said, they normally use client 000. In SM59, define a new ABAP connection or verify a non-TMS one tied to the client you seek. This is used in the reports you seek as well as in cross-system table/config compares.

Former Member
0 Kudos

Hi Indu,

1. The first procedure is to compare roles across systems; here the client does follow the same naming convention as what we used for the SID. If your system A is named ERP you will have an RFC named ERP, and if system B is PRN you will have PRN. Just input these credentials and you will have the output.

But if you want to compare a thousand roles this is a big process and you might fall into mistakes. So, as Ajesh said, use tables, but what I suggest is to use an SQVI table join; using this, combine AGR_DEFINE, AGR_1251 and AGR_1252. This procedure really helps you and gives you an accurate report.

Hope this answer is helpful; please reply if you want to know further.

kanth

0 Kudos

Hi Kanth.

That table join gave a lot of useful info.

Thanks

indu

Bernhard_SAP
Advisor
0 Kudos

Hello Indu,

If you have no possibility to use RFC connections, here is a simple workaround:

1. Rename the role in DEV (by copying it).

2. Download the role from PRD.

3. Upload this PRD-role to DEV (therefore you need to have a copy of the original in DEV -> step 1).

4. Now you can compare the 2 roles locally in DEV.

5. Decide which version you want to keep (for instance, delete the uploaded PRD-role, copy the original DEV-role back to its original name and then retransport it to PRD).

b.rgds, Bernhard

0 Kudos

Hi All,

RN/Ajesh/Edward/Kanth/Bernhard - thanks a lot for all your suggestions.

I shall try these next week and see where I could reach.

@Bernhard - I love that workaround, and I really wish I could do that! BUT... what would you do in a situation where the environments are not maintained on the same patch levels? The world of SAP which I am exploring is not as simple as it appears to be. Thanks.

Will update you.

Regards

indu

0 Kudos

From what I've seen in security since V 3.1, only major version upgrades have seen much in the way of differences like that. The biggest change was at 4.5 or 4.6, and I can't really note much different in the 60x versions, so as long as the systems are within a few patches of each other, it should not matter. I doubt SAP introduced any security model changes with patches; more likely anything new (new objects to hit, if anything...) is in EHPs and sometimes patches. But I'm sure there are others here who could speak further to that. I would not worry, but I can't imagine not being able to use RFC either! That should be your preferred approach.

0 Kudos

Hi Edward.

Thank you very much for the suggestions. I shall try and check how each one works.

There are thousands of roles, more than 40k, for hardly 11k users. It looks like since inception those systems have not been touched for probably more than 8 years. And there is too much customisation on SAP and too many roles. I think creating a new system and putting things in the right perspective is much easier than cleaning up an existing system?

So, before comparing, the first exercise I did was to look at agr_users - took a list, and we identified some 231 roles to be removed from users as not required.

I have been trying to see whether I could get a list which says this transaction requires this licence. Even with USMM I was not able to find that detail.

Thanks again. In case I need more help, I shall check again.

Regards

indu

0 Kudos

Hi Indu,

If you are unsure of RFC connections, transaction SM59 can help. You can open the ABAP Connections tree to check all the connections.

To compare, leave the 'RFC Destination for System A' blank and give the RFC name for the system with which you need to compare. Give the roles in the second section and execute.

Once you receive the results you can double-click on the auth objects to check the field values.

However, I agree that it would be a chore for a mass amount of roles...

Thanks,

FP

0 Kudos

Ouch - best of luck to you.  Sounds like someone was trying to be very granular, and probably didn't use any derived or composite roles. 

I would agree, at this stage, creating a new clean version with all new roles would be best in the long run. I'm sure there is some logic or table somewhere that equates the license with a TCODE, but in user measurement (for most customers) only the production system is counted against the measurement. For test and dev, the accounts only need to relate to a valid PRD account. But in the end, licensing is all about the contract and which type is included.

Regards

0 Kudos

Hi Edward.

Thanks. Somehow I meandered through, and came down to a list for comparing some 2000 roles, which are exclusively Z roles. Yes, the exercise has been to identify and clean up the systems. Even in these 2k roles many are redundant and not used. So, at least the initial work has been a bit OK.

As regards licencing: I am still curious to know how it really works.

I agree regarding the contract.

But still there would be some document for understanding that these TCODES are high transaction codes requiring, say, a professional licence. I am not really getting to read such information. Maybe that understanding comes with practice?

Thanks to all for the help and suggestions.

Regards

indu