12-09-2014 7:53 AM
Hi,
I am going to implement authorization roles in SAP ECC 6.0 system, software component release 702. Only a few standard roles (starting with SAP_)can been seen in PFCG.
From where can I get standard roles for various modules? Did not yet find anywhere to download them from SAP net yet.
Or is it possible to switch on a certain business function to activate them?
Or any other way to get them?
BR,
Kjell
12-09-2014 9:39 PM
12-09-2014 8:29 AM
Hi Kjell,
All standard roles are available your ECC system.
We never download from anywhere.
Roles and Authorizations Concept - SAP ERP Central Component Security Guide - SAP Library
Regards,
V Srinivasan
12-09-2014 9:05 AM
Hi Kjell,
Are you by any chance searching for composite SAP_* roles? In my system there are only 145 of them available. But if you search for single roles instead there are a whopping 2865 of them.
Good luck!
12-09-2014 11:02 AM
Hi D. van Heumen,
I have searched for both and found only 25 Composite and 139 Single standard roles starting with SAP_. Is there an option to include or exclude standard roles during installation?
12-09-2014 10:20 AM
Is there a chance they were deleted by admin as not required? If so, they should be in client 000 to reimport
12-09-2014 10:46 AM
Hello KJell,
As Van Heumen mentioned, there is a chance that you might be searching composite roles instead of single roles. please make sure in the top, the tab is single role
Also, Execute the report RSUSR070 -> in Role maintain SAP_* and Select Single Roles and click on execute to find the number of roles you have in the system.
Let me know if this helps you out.
Regards
Deepak M
12-09-2014 11:04 AM
Hi Colleen Lee,
That is possible. I will have a basis guy check. Do you have other options?
12-09-2014 11:06 AM
Hi Deepak,
See my response to Van Heumen above. I also in report RSUSR070.
12-09-2014 11:16 AM
Hi Kjell
Not sure how you are checking. End of the day table AGR_DEFINE would store the SAP_* roles.
If there aren't there then someone got rid of them. You can confirm if they were deleted locally by checking SUIM change documents for roles. Not sure if this is your DEV system or another... you might need to check if there was a deletion transport.
Regards
Colleen
12-09-2014 4:23 PM
Not sure why you aren't seeing the roles when you search, but I advise against copying SAP roles with the purpose of assigning to users. The SAP roles are loaded with segregation of duties violations and do not follow a consistent design approach. for example, they are not task-based nor do they distinguish display vs change ability consistently, and they make frequent use of composite roles but again, not consistently. Auths are also manually inserted in many cases making ongoing support a big hassle over time.
SAP roles can be a good reference to see, for example "what functional area or job or other tcodes is a tcode intended for". Other than that, don't use SAP roles or copies of them productively.
12-09-2014 9:39 PM
12-10-2014 7:37 AM
Hi AP, Colleen, and everyone else contributed,
I am a hired consultant here and found out that they have received a carve-out of a bought-up company after installing SAP. I think the original standard roles are overwritten in that process. I have not yet checked client 000. I have checked client 100 in all systems.
Then, how to get back the original standard roles as they are going to implement a new authorization concept.
Kjell
12-10-2014 8:21 AM
Hi Kjell
Then, how to get back the original standard roles as they are going to implement a new authorization concept.
Do you really need the SAP standard roles? Most times they are there for reference. You need to get Basis to look at client 000 to check if they are there. If there are use PFCG mass download and upload them to client 100.
If they aren't in 000 either (would be strange) then you might have to reach out to SAP for assistance via Marketplace.
Regards
Colleen
12-10-2014 8:32 AM