
New security roles in ECC 6.0 Check VS Proposal

Former Member
0 Kudos

Hello All,

We are currently working on a new implementation in ECC 6.0.

We are facing the challenge of authorization objects being checked but not proposed in SU24. This means that you can give a transaction to a user, green all the objects, and still the transaction will fail because some objects were not imported in PFCG.

Does anyone have experience with this? Any methods we should apply?

One option is to test every single transaction - but right now we do not have the bandwidth to do that. Any suggestions?

Thank you

Gilles

9 REPLIES 9

Former Member
0 Kudos

Gilles,

I suggest you test every transaction otherwise you will run into issues--guaranteed. The underlying tables that pull in the needed objects into the roles are not 100% accurate to say the least.

From experience I recommend role/transaction testing and configuring SU24 appropriately or you will be in for a lot of fun come go-live.

Cheers,

Ben

morten_nielsen
Active Contributor
0 Kudos

Hi

If your new implementation is an upgrade, you should run through the upgrade transaction SU25; it will fill your SU24 with the new values - but still, test all transactions.

Regards

Morten Nielsen

Former Member
0 Kudos

Yes, our implementation is a new one - so no SU25. I guess my issue is that to have 100% security I should test all the roles for every transaction - with about 80 different functional roles and 1600 tcodes in scope, the volume of testing is just amazing.

We are thinking of a shortcut: we will create a composite per functional area and test it - so basically we will have one SD, one QM, one FI, one CO and two or 3 for OPS, and we will test them against the transactions included in the composite. Our goal will be to identify missing objects.

Do you have any comment about this approach?

0 Kudos

My comment is it's better than nothing. You will catch a good deal of objects, but how will you know what role to put them in? Map it back to the transaction at issue and add it to all the roles with that tcode?

The best way would be to have security ready and in place for when the functional testing is happening, but in the real world this is not always the case.

Cheers,

Ben

ps please award points if helpful

0 Kudos

Gilles,

Your shortcut will cause you to miss a lot of missing authorization objects. When you test all the CO roles together as one composite role, the transactions that are missing Auth Objects will pick up the Auth Objects from other transactions, so when you assign a single CO role, you will realize you are still missing the Auth Objects.

I am speaking based on my past experience. You will be better off testing all 80 functional roles. Just ask for enough functional resources for the test!

Thanks,

Lye
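
The masking effect described in the reply above, as an added example that is not part of the original thread. The transaction codes, object names and role names are constructed placeholders, and the model tracks only whether an object is present in a role, not its field values.

```python
# Constructed sample data: placeholder tcodes and objects, not real SU24 content.
CHECKED = {   # objects each transaction checks at runtime (e.g. seen in a trace)
    "ZCO_01": {"Z_OBJ_A", "Z_OBJ_B"},
    "ZCO_02": {"Z_OBJ_B", "Z_OBJ_C"},
    "ZCO_03": {"Z_OBJ_C"},
}
PROPOSED = {  # objects SU24 proposes into PFCG for each transaction
    "ZCO_01": {"Z_OBJ_A"},   # Z_OBJ_B is checked but not proposed
    "ZCO_02": {"Z_OBJ_B"},   # Z_OBJ_C is checked but not proposed
    "ZCO_03": {"Z_OBJ_C"},
}
SINGLE_ROLES = {  # hypothetical single roles and their menu transactions
    "Z_CO_ROLE_1": ["ZCO_01"],
    "Z_CO_ROLE_2": ["ZCO_02"],
    "Z_CO_ROLE_3": ["ZCO_03"],
}


def role_objects(tcodes):
    """Objects a role receives: the union of the proposals of its transactions."""
    objects = set()
    for tcode in tcodes:
        objects |= PROPOSED.get(tcode, set())
    return objects


def failing_checks(tcodes):
    """Map tcode -> checked objects that the role built from `tcodes` lacks."""
    have = role_objects(tcodes)
    gaps = {t: sorted(CHECKED[t] - have) for t in tcodes}
    return {t: missing for t, missing in gaps.items() if missing}


def composite_gaps():
    """Failures seen when all single roles are tested together as one composite."""
    all_tcodes = sorted({t for ts in SINGLE_ROLES.values() for t in ts})
    return failing_checks(all_tcodes)


def single_role_gaps():
    """Failures seen when each single role is tested on its own."""
    results = {role: failing_checks(ts) for role, ts in SINGLE_ROLES.items()}
    return {role: gaps for role, gaps in results.items() if gaps}


def su24_gaps():
    """Checked-but-not-proposed objects per transaction: the SU24 entries to fix."""
    gaps = {t: sorted(CHECKED[t] - PROPOSED.get(t, set())) for t in CHECKED}
    return {t: missing for t, missing in gaps.items() if missing}
```

With this data the composite test reports no failures, while the single-role test and the per-transaction comparison both surface the two missing objects.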

Former Member
0 Kudos

Our option will be to fix the tcode with SU24 and regenerate the role and test again. The real issue is that the standard settings in SU24 do not reflect what objects are checked.

I hope I make sense - but I think you have to be in 6.0 to really have this challenge.

Gilles

0 Kudos

Gilles,

I'm in an ECC 6.0 system right now. This has been an issue ever since the usobt and usobx tables have been used to populate authorization values.

Fixing SU24 and regenerating the affected roles is your best option.

Cheers,

Ben

0 Kudos

Hi Gilles,

As per my understanding you are asking for activating an Auth object in SU24.

The following are the steps needed to activate an Auth Object in SU24 ECC 6.0:

1) Execute the transaction SU24

2) Enter the TCODE in which you want to activate the Authorization Object and choose the execute option

3) Another screen appears showing the details of the Auth Obj and its status in the present Tcode. Now go to the change mode

4) Now select the Add Authorization Object, enter the Authorization Object you want to activate in the present Tcode and select continue

5) The object gets added and you can maintain the values for the Auth Object. These values get automatically updated when you add a Tcode to a role. But the visibility of these Auth Obj in the PFCG screen depends on the Proposal Value.

If the Proposal Value is YS then the values get pulled into the PFCG where you can further maintain them, otherwise they are added without the maintaining capability in the PFCG.

The Proposal is similar to the following:

Check analogous to Activating the Object with proposal set to No

Check Maintain analogous to Activating with Proposal set to YS

6) Now set the Proposal to YS, and save the changes.

Please award points if it is useful.

Thanks & Regards

Santosh

manohar_kappala2
Contributor
0 Kudos

Hi Gilles,

There are two options available to solve this.

The first one is to add the Auth Object manually to the role and maintain the values for which the check is failing.

That should be able to resolve the error you are encountering.

Second method:

If you feel that this Auth Obj is a must every time this transaction is encountered or used, then you can modify SU24 accordingly and set the proposal to yes, then in PFCG go to authorizations in Expert mode "Read Old Status and merge with new data" so that the required auth object gets pulled into the role for the Tcode in question.

Now the method you opt for depends on the criticality of the Auth Obj for this transaction, so if you feel the Tcode's access is of not much use without the Auth Obj in question go for the 1st method, else go for the other.

E.g. the access to SA38 doesn't make any sense without access to Auth Obj S_PROGRAM.

So SA38 always has S_PROGRAM checked with Proposal set to yes.

Hope it helps

Cheers

Manohar