cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Update authorization roles after Support Pack upgrade

Go to solution
vervinckt_joyca
Active Contributor

on ‎07-24-2013 4:58 PM

0 Kudos

Hello,

Can anyone help me to clarify some things regarding Support Pack upgrades and authorizations please.

With each support pack, most of the time some authorization roles are updated. For example, from SP6 to SP7; the role SAP_SUPPDESK_PROCESS gained access to KNAR transaction type in objects CM_ORD_LP and CM_ORD_PR.

This update is obviously only done in the standard SAP role. But I already have my own ZSAP_SUPPDESK_PROCESS, in which I have added the authorization for my Z-transaction types, such as ZMIN and ZMPR.

Now I wonder how I can get the update for the KNAR transaction type in my Z-authorization role, in an automated way. In this case, it is not a lot of work to add KNAR manually, but this is not the only update.

I am aware that after a SP upgrade, you need to redo some steps in SOLMAN_SETUP. One of them is for ITSM, Step 2.5: create template users. This step had a yellow exclamation mark, meaning it needed an update.

It indicated that the SAP_SUPPDESK_PROCESS role needed an update:

However, executing this update has a serious drawback: this step actually OVERWRITES my ZSAP_SUPPDESK_PROCESS completely. Meaning that now it does give access to KNAR, but no longer to ZMIN and ZMPR…

I also read the Security Guide, which mentions that you need to use transaction SU25 after an upgrade. However, when I look at ZSAP_SUPPDESK_PROCESS in step 2C of SU25, it does not suggest to add KNAR like I expected it to.

I figured that SU25 does not compare SAP_SUPPDESK_PROCESS to ZSAP_SUPPDESK_PROCESS, but it just looks at the transactions in the Menu of ZSAP_SUPPDESK_PROCESS and checks the data from SU24 against it. And the adding of KNAR is nowhere in these data.

So, does anyone know what the correct procedure is to update Z-roles after a support pack upgrade? Or do all these updates need to be added manually to the Z-roles?

Kind regards,

Joyca

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

divyanshu_srivastava3
Active Contributor
‎07-24-2013 6:37 PM
0 Kudos

Hi Joyca,

Not sure.. but I think we have to do this manually using expert mode of profile generation.

OR, Let it copy the updated role in a new Z role like ZSAP_SUPPDESK_PROCESS2. Then you would be having both those roles on same user ID. The master record will have all required authorizations.

Regards,

Divyanshu

Show replies
Show replies
vervinckt_joyca
Active Contributor
‎07-25-2013 9:57 AM
0 Kudos

Hi Divyanshu,

Your suggestion to copy the updated role in a new Z-role sounds interesting.

In that way, I would still need to make the user assignments to the new Z-role, but that seems better than to change all roles manually.

I just wonder, won't I have the problem of creating double menus then? If the user has both roles Z1 and Z2, I think his user menu will contain the (same) menu from Z1 and Z2 as well?

I was also wondering if there is an easy way to know which roles have been updated in a specific Support Pack. Most of the time it is indicated in the Security Guide, but for example for SP07 on ITSM it only sais: "Additional transaction type KNAR added to relevant roles."

But which roles are these "relevant roles" then...

I tried searching table AGR_DEFINE on changed by SAP and change date between the dates of two support packs, but then I get a list of too many roles that I am not using.

Only in the Long Text of PFCG it sais "Last changed SAP Solution Manager 7.1 SP07" but I can't find out how to search on that.

Kind regards,

Joyca

divyanshu_srivastava3
Active Contributor
‎07-25-2013 1:30 PM
0 Kudos

Ji Joyca,

Use table AGR_TEXTS to get the description. Sort it and you would get the required information.

BTW, in general, we should always maintains zobjects ztransactions in a custom role and attach this with the master role, like copy of SAP_SUPPDESK_PROCESS.

Manually add and maintain objects so that they are not affect by upgrades.

Regards,

Divyanshu

vervinckt_joyca
Active Contributor
‎07-25-2013 2:26 PM
0 Kudos

Hi Divyanshu,

The long text is not in table AGR_TEXTS, only the short description is there.

I'm talking about the part highlighted in the screenshot:

F1 help doesn't work on this field so I can't figure out where it's stored.

Kind regards,

Joyca

Message was edited by: Joyca Vervinckt

Sorry, I see now that this text does appear in AGR_TEXTS, my search example was just bad! Thanks!

Answers (1)

Answers (1)

vervinckt_joyca
Active Contributor
‎09-26-2013 10:12 AM

I found an answer in the Security Guide (page 60):

(context: test users created in SOLMAN_SETUP)


Update Existing Users/Roles

When you update a user with new SAP roles, for instance if adapted roles are shipped with a new

Support Package, the system indicates which roles need to be updated. Technically, when updating a role, the existing copied role is deleted and a new copy of the SAP role is created by the system.

Therefore, if you have manually changed any authorization values for authorization objects in your copied roles, you need to be aware of this.

When roles need to be updated, you must at least run transaction SU25 points 2a) and 2b) .

Alternatively, follow SAP Note 368496.

Caution

In addition, in case you have manually created a role in the Z name space, such as

ZSAP_SUPPDESK_CREATE, the system will not update the role as it detects that the copied role had been created manually.

Show replies
Show replies
Ask a Question