07-22-2013 10:42 AM
Hello Everyone,
We are in a process of cleaning up Roles since we have a separate role for a transaction so far, which literally screwed up the process.
As a part of this activity now I have to combine the content of say for eg : 50 roles (with one Tcode each) to a Single role. After creating this new role, I would like to compare the content of this new role with the old roles to ensure that I have not missed any objects(added manually).
But I have no idea how can I compare my new role with 50 other roles in One go.(at least in few steps is OK.. But not in 50 steps).
Please advise.
Thanks in advance.
07-27-2013 10:07 AM
You could use Excel, concatenate and vlookup to run some comparisons on the AGR_1251 data for your old and new roles. But all you would be doing is replacing 50 small bad roles with 1 big bad role.
You've come across this requirement because the original roles were built badly, and effectively you're having to carry out a role redesign. In which case, the correct solution would be to:
1) Use ST01 traces to re-check what authorizations are required for each transaction - this way you know for sure that you know you are only adding relevant authorizations.
2) Update SU24 with the correct authorization proposals for those transactions. That way you have a link between each tcode and auths that it needs.
3) Add your transactions to the role menu so that the relevant auth objects and values are pulled through automatically. You will still have some open fields to maintain, but you'll know what values are needed from the trace files.
This will take you longer initially, but it is a more robust, longer lasting solution. There is no point in replacing one bad role design with another.
07-27-2013 10:07 AM
You could use Excel, concatenate and vlookup to run some comparisons on the AGR_1251 data for your old and new roles. But all you would be doing is replacing 50 small bad roles with 1 big bad role.
You've come across this requirement because the original roles were built badly, and effectively you're having to carry out a role redesign. In which case, the correct solution would be to:
1) Use ST01 traces to re-check what authorizations are required for each transaction - this way you know for sure that you know you are only adding relevant authorizations.
2) Update SU24 with the correct authorization proposals for those transactions. That way you have a link between each tcode and auths that it needs.
3) Add your transactions to the role menu so that the relevant auth objects and values are pulled through automatically. You will still have some open fields to maintain, but you'll know what values are needed from the trace files.
This will take you longer initially, but it is a more robust, longer lasting solution. There is no point in replacing one bad role design with another.
08-01-2013 10:22 AM
Can't agree more with this approach.. been there done that.. there are ways to merge as suggested by Jurjen ( in the later posts) but I won't recommend going there. If you are doing it, do it right at the first time to avoid someone else posting the same question in future
Cheers !!
Zaheer Kazi
07-30-2013 3:03 PM
Hi Sunder
It is quite simple just goto table AGR_1251 and put only these 50 roles .You will get all the auth objects with values for these roles export it into a excel .Now in the excel delete everything except the auth object with values columns.Now add in another column auth objects and values of your new role.Now do a vlookup and you will get your difference if any.
Hope this helps
Regards
Pradeep
08-01-2013 10:20 AM
While doing this approach make sure that you club the instance of authorization object together, say document type * with activity 03 and document type ZPRI with activity 01.
You don't want to end up creating small bad roles !!
Cheers !!
Zaheer Kazi
07-31-2013 2:09 PM
You could also consider building the new role based on the old profiles' content.
If you are in the authorization tab for your new role you can enter authorizations directly fromother profiles. See menu 'edit' -> 'Insert authorizations' -> 'from profile'.
Once finished choose 'merge authorizations' from the 'Utilities' menu and you should have everything.
Jurjen
P.S., the first bit (inserting the profiles) can be automated with SECATT.
08-01-2013 8:37 PM
Hi
Inserting profiles from the original roles produces a role with authorisation objects set to "manually" unless there is a further option which I have so far missed over the last few years?
Plus... it depends on the way the original roles were maintained (edit old, manually added)
I would, personally, ask if there is a business process master list to work from, and try to build the new roles (this sounds like a role re-design) based on them and the initial SU24 values and then built up from serious testing. Serious testing being 'this is what the user WILL do and not we ran the tcode fine and then backed out straight away or 'we tried all the options' and these were the errors!
Kind regards
David