Solved: How to get all the auth objects into a role which ...

Former Member · ‎09-03-2014

Hi Team,

I have a requirement that, create a role with all the authorization objects which belongs to FI module.

So in FI authorization class we have total 247 authorization objects. Now how I should get these authorization objects into a role directly ? (without using Manually option because it consumes lots of time). Please help me out to solve the issue.

Thanks in advance.

Colleen · ‎09-05-2014

Hi BNR B

You could probably look at building a template via SU24 with all of the objects. You might be able to create via XLS and upload. If possible to do that you can then copy the objects from TOBJ table (might be easier to download existing template first to see the format).

After that you can then go into PFCG and import the objects from the template. I haven't tried it to see how easy it is to create your own authorisation templates.

Regards

Colleen

Former Member · ‎09-04-2014

Hi

you can create one Composite Role and put all standard FI Roles in the composite role.

in this way you can all the objects of FI in one role and you can assign that composite role to user.

Regards

Dishant.

Former Member · ‎09-04-2014

Hi Dishant,

Thanks for the reply... as u suggested I have seen all the FI standard roles in the system. But I did not find the correct role which include all 247 auth objects related to FI. Can you please guide me?

former_member82556 · ‎09-05-2014

Instead of adding them manually, you could add them a bit quicker by using "Selection Criteria" (Edit-> Insert Authorization Objects-> Selection Criteria) , and then hit the + sign on all the FI auth objects you need. It still is a bit of clicking though.

Former Member · ‎09-05-2014

Hi

i want you to create one composite role and add all FI single roles to it.

and assign that Composite role to user not FI single role.

Regards

Colleen · ‎09-05-2014

why?

Former Member · ‎09-05-2014

Yeah i found this way and though it is clicking we can follow. But is there any alternative way for this???

Colleen · ‎09-05-2014

Hi BNR B

You could probably look at building a template via SU24 with all of the objects. You might be able to create via XLS and upload. If possible to do that you can then copy the objects from TOBJ table (might be easier to download existing template first to see the format).

After that you can then go into PFCG and import the objects from the template. I haven't tried it to see how easy it is to create your own authorisation templates.

Regards

Colleen

Former Member · ‎09-05-2014

Hi Colleen Lee,

I tried to build a template for all FI related objects. But here also same problem I am facing how should i import all 247 FI objects into that template at a time? There I did not find any import button also? Am I following you? If there is anyway exists please let me know...

Colleen · ‎09-05-2014

Okay if there is no import option you could always build pfcg role by importing sap_all. Download the role and in xls or notepad delete all non if object, save file and the. Upload the role. You will the. Need to generate the profile but will only have those.

I do wonder why you need to build such a role

Former Member · ‎09-05-2014

Hello,

I would do this as following:

1. Pull out list of all auth objs from TOBJ

2. Automate addition of objects to the role, try automation using GUI scripting and it would be quick enough to complete the task.

Please try and let us know how it goes.

Thanks,

Brahmeshwar.

Former Member · ‎09-05-2014

Hi,

Step1 is fine

Step2: What is automate addition of objects to roles and GUI scripting? Can please explain me in detail?

So that I can try it.

Former Member · ‎09-05-2014

Step 2: GUI scripting is record and playback option in SAP. This has two parts

1. Record one instance of object addition in the role.

2. Use excel VBA to iterate the steps for other objects. This requires little bit of coding skills in VBA.

If you are not comfortable with excel, you can try using SECATT as well. There are good number of documents on how to use SECATT for scripting over the internet.

Thanks,

Brahmeshwar

Former Member · ‎09-07-2014

Hi

What is the purpose for this FI authorisation object role? Does the user it is intended for already have FI transactions? Without the t-codes what is the point of the objects?

Why don't you just insert from the menu and see what SU24 brings in and then set about building a fully tested (EAM?) role.

Regards

David

Former Member · ‎09-07-2014

I am also watching this discussion and eating popcorn... 🙂

Use of such an FI class role will need a considerable amount of access from other classes to be usable, at least in display mode. This can only possibly be a "bolt on" to other roles with too much access but none-the-less still missing some FI access.

Or MM bolt-on role for the FI folks in emergencies?

It is possible to import objects by class in PFCG, but an FI_ALL role + necessary friends in other classes can only be done via SU24 -> so only via menu based roles with "where-used-lists" and not manual inserts.

Cheers,

Julius

OttoGold · ‎09-08-2014

Hi David,

you've probably built a couple of these roles in the past as well, no? Well all have

This approach is called "I don't know what they want but I must give them something". I can see it around quite often. The less communication or even understanding of security the more requirements for such roles

cheers Otto

harsha_artani · ‎09-09-2014

Hi,

You can create role from pfcg and then in menu option then goto from SAP menu option and then select accounting and select all . Then save it and then create the profile normally. It will work for you.

Thanks

Harsha

Former Member · ‎09-09-2014

Thanks to all for your replies...

How to get all the auth objects into a role which are belong to specific auth class