Role Comparisons

former_member608463
Discoverer
0 Kudos

Hello Everyone,

We are in the process of cleaning up roles, since so far we have had a separate role for each transaction, which literally screwed up the process.

As part of this activity I now have to combine the content of, say, 50 roles (with one tcode each) into a single role. After creating this new role, I would like to compare the content of this new role with the old roles to ensure that I have not missed any objects (added manually).

But I have no idea how I can compare my new role with 50 other roles in one go (a few steps is OK, but not 50 steps).

Please advise.

Thanks in advance.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

You could use Excel, concatenate and vlookup to run some comparisons on the AGR_1251 data for your old and new roles. But all you would be doing is replacing 50 small bad roles with 1 big bad role.

You've come across this requirement because the original roles were built badly, and effectively you're having to carry out a role redesign. In which case, the correct solution would be to:

1) Use ST01 traces to re-check what authorizations are required for each transaction - this way you know for sure that you are only adding relevant authorizations.

2) Update SU24 with the correct authorization proposals for those transactions. That way you have a link between each tcode and auths that it needs.

3) Add your transactions to the role menu so that the relevant auth objects and values are pulled through automatically. You will still have some open fields to maintain, but you'll know what values are needed from the trace files.

This will take you longer initially, but it is a more robust, longer lasting solution. There is no point in replacing one bad role design with another.

6 REPLIES 6

0 Kudos

Can't agree more with this approach... been there, done that... there are ways to merge as suggested by Jurjen (in the later posts) but I won't recommend going there. If you are doing it, do it right the first time to avoid someone else posting the same question in future.

Cheers !!
Zaheer Kazi

Former Member
0 Kudos

Hi Sunder

It is quite simple: just go to table AGR_1251 and enter only these 50 roles. You will get all the auth objects with values for these roles; export them into Excel. Now in Excel delete everything except the auth object and value columns. Now add, in another column, the auth objects and values of your new role. Now do a vlookup and you will get your difference, if any.

Hope this helps

Regards

Pradeep

0 Kudos

While taking this approach, make sure that you club the instances of an authorization object together, say document type * with activity 03 and document type ZPRI with activity 01.

You don't want to end up creating small bad roles !!

Cheers !!
Zaheer Kazi
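The AGR_1251 comparison described in the two posts above, as an added example that is not part of any post in this thread. It goes one step beyond the flat vlookup by also grouping rows per authorization instance, so merged instances show up. The column names AGR_NAME, OBJECT, AUTH, FIELD, LOW and HIGH are assumed to match the header of your table export; the role names and the Z_DOC object are constructed sample data.

```python
import csv, io
from collections import defaultdict

# Constructed sample standing in for an export of AGR_1251 (not real data).
SAMPLE = """AGR_NAME,OBJECT,AUTH,FIELD,LOW,HIGH
Z_OLD_01,S_TCODE,T-01,TCD,ZPRI1,
Z_OLD_01,Z_DOC,T-02,ACTVT,03,
Z_OLD_01,Z_DOC,T-02,DOCTYPE,*,
Z_OLD_02,S_TCODE,T-03,TCD,ZPRI2,
Z_OLD_02,Z_DOC,T-04,ACTVT,01,
Z_OLD_02,Z_DOC,T-04,DOCTYPE,ZPRI,
Z_NEW,S_TCODE,T-10,TCD,ZPRI1,
Z_NEW,Z_DOC,T-11,ACTVT,01,
Z_NEW,Z_DOC,T-11,ACTVT,03,
Z_NEW,Z_DOC,T-11,DOCTYPE,*,
Z_NEW,Z_DOC,T-11,DOCTYPE,ZPRI,
"""

def load_instances(rows):
    """Group rows into authorization instances keyed by (role, object, AUTH)."""
    inst = defaultdict(lambda: defaultdict(set))
    for r in rows:
        key = (r["AGR_NAME"], r["OBJECT"], r["AUTH"])
        inst[key][r["FIELD"]].add((r["LOW"], r["HIGH"]))
    return inst

def compare(rows, new_role):
    """Diff the new role against all other roles, flat and per instance."""
    flat = {True: set(), False: set()}    # keyed by "row belongs to new role"
    shape = {True: set(), False: set()}   # whole instances, field grouping kept
    for (role, obj, _auth), fields in load_instances(rows).items():
        is_new = role == new_role
        for field, vals in fields.items():
            flat[is_new] |= {(obj, field, lo, hi) for lo, hi in vals}
        shape[is_new].add((obj, frozenset((f, frozenset(v)) for f, v in fields.items())))
    return {
        # values present in an old role but absent from the new one (the vlookup result)
        "missing": sorted(flat[False] - flat[True]),
        # values only the new role has
        "extra": sorted(flat[True] - flat[False]),
        # objects whose instance in the new role matches no single old instance
        "merged_instances": sorted(o for o, _ in shape[True] - shape[False]),
    }

def compare_csv(text, new_role):
    return compare(list(csv.DictReader(io.StringIO(text))), new_role)

if __name__ == "__main__":
    for name, result in compare_csv(SAMPLE, "Z_NEW").items():
        print(name, result)
```

On the sample, the flat diff reports only the missing ZPRI2 tcode and nothing extra, while `merged_instances` flags Z_DOC: the two old instances were combined into one, which now allows activity 01 on document type *.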

jurjen_heeck
Active Contributor
0 Kudos

You could also consider building the new role based on the old profiles' content.

If you are in the authorization tab for your new role you can enter authorizations directly from other profiles. See menu 'edit' -> 'Insert authorizations' -> 'from profile'.

Once finished choose 'merge authorizations' from the 'Utilities' menu and you should have everything.

Jurjen

P.S., the first bit (inserting the profiles) can be automated with SECATT.

0 Kudos

Hi

Inserting profiles from the original roles produces a role with authorisation objects set to "manually" unless there is a further option which I have so far missed over the last few years?

Plus... it depends on the way the original roles were maintained (edit old, manually added)

I would, personally, ask if there is a business process master list to work from, and try to build the new roles (this sounds like a role re-design) based on them and the initial SU24 values and then built up from serious testing. Serious testing being 'this is what the user WILL do' and not 'we ran the tcode fine and then backed out straight away' or 'we tried all the options' and these were the errors!

Kind regards

David