Missing standard authorization roles in ERP

0 Kudos


Hi,

I am going to implement authorization roles in an SAP ECC 6.0 system, software component release 702. Only a few standard roles (starting with SAP_) can be seen in PFCG.

From where can I get standard roles for various modules? I have not yet found anywhere to download them from SAP net.

Or is it possible to switch on a certain business function to activate them?

Or any other way to get them?

BR,

Kjell

1 ACCEPTED SOLUTION

Former Member

This message was moderated.

13 REPLIES 13

srinivasan_vinayagam
Active Contributor
0 Kudos

Hi Kjell,

All standard roles are available in your ECC system.

We never download from anywhere.

Roles and Authorizations Concept - SAP ERP Central Component Security Guide - SAP Library

Regards,

V Srinivasan

former_member74904
Contributor
0 Kudos

Hi Kjell,

Are you by any chance searching for composite SAP_* roles? In my system there are only 145 of them available. But if you search for single roles instead there are a whopping 2865 of them.

Good luck!

0 Kudos

Hi D. van Heumen,

I have searched for both and found only 25 Composite and 139 Single standard roles starting with SAP_. Is there an option to include or exclude standard roles during installation?


Colleen
Advisor
0 Kudos

Is there a chance they were deleted by admin as not required? If so, they should be in client 000 to reimport.

0 Kudos

Hello Kjell,

As Van Heumen mentioned, there is a chance that you might be searching composite roles instead of single roles. Please make sure that, at the top, the tab is Single Role.

Also, execute the report RSUSR070 -> in Role, maintain SAP_*, select Single Roles and click on Execute to find the number of roles you have in the system.

Let me know if this helps you out.

Regards

Deepak M

0 Kudos

Hi Colleen Lee,

That is possible. I will have a basis guy check. Do you have other options?

0 Kudos

Hi Deepak,

See my response to Van Heumen above. I also checked in report RSUSR070.

0 Kudos

Hi Kjell

Not sure how you are checking. At the end of the day, table AGR_DEFINE would store the SAP_* roles.

If they aren't there then someone got rid of them. You can confirm if they were deleted locally by checking SUIM change documents for roles. Not sure if this is your DEV system or another... you might need to check if there was a deletion transport.

Regards

Colleen

Former Member
0 Kudos

Not sure why you aren't seeing the roles when you search, but I advise against copying SAP roles with the purpose of assigning to users. The SAP roles are loaded with segregation of duties violations and do not follow a consistent design approach. For example, they are not task-based nor do they distinguish display vs change ability consistently, and they make frequent use of composite roles but again, not consistently. Auths are also manually inserted in many cases, making ongoing support a big hassle over time.

SAP roles can be a good reference to see, for example, "what functional area or job or other tcodes is a tcode intended for". Other than that, don't use SAP roles or copies of them productively.

Former Member

This message was moderated.

0 Kudos

Hi AP, Colleen, and everyone else who contributed,

I am a hired consultant here and found out that they have received a carve-out of a bought-up company after installing SAP. I think the original standard roles were overwritten in that process. I have not yet checked client 000. I have checked client 100 in all systems.

Then, how to get back the original standard roles, as they are going to implement a new authorization concept?

Kjell

0 Kudos

Hi Kjell

Then, how to get back the original standard roles as they are going to implement a new authorization concept.

Do you really need the SAP standard roles? Most times they are there for reference. You need to get Basis to look at client 000 to check if they are there. If they are, use PFCG mass download and upload them to client 100.

If they aren't in 000 either (would be strange) then you might have to reach out to SAP for assistance via Marketplace.

Regards

Colleen
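
The check suggested in the replies above (look in AGR_DEFINE, and compare client 000 with client 100), written out as an added example that is not part of any poster's message. The report name Z_CMP_SAP_ROLES and the parameter and variable names are hypothetical, and the syntax is kept to what release 702 accepts (no inline declarations).

```abap
REPORT z_cmp_sap_roles.
* Added example (hypothetical report name): lists SAP_* roles that exist
* in a reference client but are missing in the client under review.
* Run it with Basis involvement, since it reads across clients.

PARAMETERS: p_ref TYPE mandt DEFAULT '000',   " reference client
            p_tgt TYPE mandt DEFAULT '100'.   " client under review

TYPES ty_roles TYPE SORTED TABLE OF agr_name WITH UNIQUE KEY table_line.

DATA: lt_ref   TYPE ty_roles,
      lt_tgt   TYPE ty_roles,
      lv_role  TYPE agr_name,
      lv_nref  TYPE i,
      lv_ntgt  TYPE i,
      lv_nmiss TYPE i.

* In LIKE, '_' matches any single character, so it is escaped here to
* match the literal prefix SAP_ only.
SELECT agr_name FROM agr_define CLIENT SPECIFIED
  INTO TABLE lt_ref
  WHERE mandt = p_ref
    AND agr_name LIKE 'SAP#_%' ESCAPE '#'.

SELECT agr_name FROM agr_define CLIENT SPECIFIED
  INTO TABLE lt_tgt
  WHERE mandt = p_tgt
    AND agr_name LIKE 'SAP#_%' ESCAPE '#'.

lv_nref = lines( lt_ref ).
lv_ntgt = lines( lt_tgt ).
WRITE: / 'SAP_* roles in client', p_ref, ':', lv_nref,
       / 'SAP_* roles in client', p_tgt, ':', lv_ntgt.
SKIP.
WRITE: / 'Present in', p_ref, 'but missing in', p_tgt, ':'.

* Roles in the reference client with no counterpart in the target client.
LOOP AT lt_ref INTO lv_role.
  READ TABLE lt_tgt TRANSPORTING NO FIELDS
       WITH TABLE KEY table_line = lv_role.
  IF sy-subrc <> 0.
    lv_nmiss = lv_nmiss + 1.
    WRITE: / lv_role.
  ENDIF.
ENDLOOP.

WRITE: / 'Missing roles:', lv_nmiss.
```

If both counts are low, the roles are absent from the reference client as well and the comparison cannot tell what was removed.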

0 Kudos

Thanks!