Application Development Discussions

SAP-Authorization Revamp

Former Member

Hi,

There is an activity planned (in the planning stage) for an ECC PRD system authorization revamp for all users (approx. 950 users).

The activity planned is to streamline all the authorizations a user has from multiple roles into 1 single role.

So I require details with respect to Org-Values: how we can extract these Org-values from multiple roles for a single user

(e.g. while creating a new role for a single user who has 200+ roles, where the Org-value may vary from role to role)

& other limitations, if any, with respect to the limit on profiles that can be assigned to a user, total objects in roles/profiles, single/derived roles, GRC limits etc.

So please suggest a plan to extract the users/roles/t-codes/object values.

Regards,

Shaik Maideen A

1 ACCEPTED SOLUTION

magexposito
Active Participant

Hello Shaik,

You can use table AGR_1251 to check the Org-Values for specific roles. You just have to enter the role name (AGR_NAME) and the Org-Value field (FIELD) on the selection screen, and you will get the Org-Values in the field 'LOW'.

Best regards.

2 REPLIES

Colleen
Advisor

Hi Shaik

This is not simple to determine. Yes, it is technically possible to map a user through to org values via tables:

  • AGR_USERS is user to roles, but the user might have composite roles (you could exclude them based on the role type and confirm with the AGR_AGRS table)
  • AGR_1252 - Org Values
  • AGR_1251 - Obtain the Org Fields where inheritance may be broken

The problem with joining these two tables is that organisational values depend entirely on the authorisation they are part of. Really the join is AGR_1251 to AGR_1252 to include that context.

What it means when you remove the authorisation is that you are getting all potential org values the user has but not how they are restricted. This means you might have situations such as:

  • Display all data roles - asterisk or all potential values entered in the role
  • Modify roles (posting/master data) - limit to specific org values
  • Potentially broken inheritance (you'll need the AGR_1251 table for that)
  • Modify roles that are not restricted on a specific org value that other roles would

And I'm sure I haven't covered all the scenarios. But what will happen is they will all be merged together and you'll lose the context in your analysis of how much access to the org data the user truly has.

The examples I list are potential situations if you mention the need to rebuild security. If you are at the stage of performing a massive clean-up and rationalising the design, then there is a good chance you will have other technical issues in the build that further skew your analysis.

If you had managed to use a role convention and build and provisioning rules to limit users to certain areas of the business, then you might be able to rely on this analysis to an extent.

Regards

Colleen
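The extraction both replies describe (AGR_USERS resolved through AGR_AGRS to single roles, then the org-level fields in AGR_1251 joined to the org-level values in AGR_1252 so that each value keeps its authorisation context), as an added example that is not from this thread and is not SAP code: it models the four tables in SQLite with constructed rows, flags an org field whose inheritance is broken (a literal maintained instead of the $-variable), and shows how a plain per-field union of the same rows loses the display/modify context Colleen warns about. The reduced column sets, the role and user names, and the hard-coded ORG_FIELDS list are assumptions (a real system lists org levels in table USORG).

```python
import sqlite3

# Org-level fields considered here. Assumption for this example; a real
# system lists organisational levels in table USORG.
ORG_FIELDS = ("BUKRS", "WERKS")

# Constructed sample rows (not from any real system), reduced to the columns
# the extraction needs. Role names, user and values are invented.
AGR_USERS = [  # (AGR_NAME, UNAME): role assignments
    ("Z_COMP_FIN_USER", "SHAIK"),     # composite role
    ("Z_FI_DISPLAY_ALL", "SHAIK"),    # single role, display on all BUKRS
]
AGR_AGRS = [  # (AGR_NAME, CHILD_AGR): composite -> single roles
    ("Z_COMP_FIN_USER", "Z_FI_POST_1000"),
    ("Z_COMP_FIN_USER", "Z_MM_DISPLAY"),
]
AGR_1252 = [  # (AGR_NAME, VARBL, LOW, HIGH): organisational level values
    ("Z_FI_POST_1000", "$BUKRS", "1000", ""),
    ("Z_FI_DISPLAY_ALL", "$BUKRS", "*", ""),
    ("Z_MM_DISPLAY", "$WERKS", "1000", "1999"),
]
AGR_1251 = [  # (AGR_NAME, OBJECT, AUTH, FIELD, LOW, HIGH): authorisation data
    ("Z_FI_POST_1000", "F_BKPF_BUK", "T-AB01", "ACTVT", "01", ""),
    ("Z_FI_POST_1000", "F_BKPF_BUK", "T-AB01", "BUKRS", "$BUKRS", ""),
    ("Z_FI_DISPLAY_ALL", "F_BKPF_BUK", "T-AB02", "ACTVT", "03", ""),
    ("Z_FI_DISPLAY_ALL", "F_BKPF_BUK", "T-AB02", "BUKRS", "$BUKRS", ""),
    # Broken inheritance: BUKRS maintained as a literal instead of $BUKRS
    ("Z_MM_DISPLAY", "F_BKPF_BUK", "T-AB03", "ACTVT", "03", ""),
    ("Z_MM_DISPLAY", "F_BKPF_BUK", "T-AB03", "BUKRS", "2000", ""),
    ("Z_MM_DISPLAY", "M_MATE_WRK", "T-AB04", "ACTVT", "03", ""),
    ("Z_MM_DISPLAY", "M_MATE_WRK", "T-AB04", "WERKS", "$WERKS", ""),
]


def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE AGR_USERS(AGR_NAME TEXT, UNAME TEXT);
        CREATE TABLE AGR_AGRS(AGR_NAME TEXT, CHILD_AGR TEXT);
        CREATE TABLE AGR_1252(AGR_NAME TEXT, VARBL TEXT, LOW TEXT, HIGH TEXT);
        CREATE TABLE AGR_1251(AGR_NAME TEXT, OBJECT TEXT, AUTH TEXT,
                              FIELD TEXT, LOW TEXT, HIGH TEXT);
    """)
    con.executemany("INSERT INTO AGR_USERS VALUES (?,?)", AGR_USERS)
    con.executemany("INSERT INTO AGR_AGRS VALUES (?,?)", AGR_AGRS)
    con.executemany("INSERT INTO AGR_1252 VALUES (?,?,?,?)", AGR_1252)
    con.executemany("INSERT INTO AGR_1251 VALUES (?,?,?,?,?,?)", AGR_1251)
    return con


def single_roles(con, user):
    """Roles of the user with composites replaced by their children (AGR_AGRS)."""
    rows = con.execute("""
        SELECT u.AGR_NAME FROM AGR_USERS u
         WHERE u.UNAME = ?
           AND u.AGR_NAME NOT IN (SELECT AGR_NAME FROM AGR_AGRS)
        UNION
        SELECT a.CHILD_AGR FROM AGR_USERS u
          JOIN AGR_AGRS a ON a.AGR_NAME = u.AGR_NAME
         WHERE u.UNAME = ?
    """, (user, user)).fetchall()
    return sorted(r[0] for r in rows)


def org_values_in_context(con, user):
    """One row per role/object/authorisation/org field, keeping ACTVT as the
    context and flagging fields that no longer inherit from the org level."""
    roles = single_roles(con, user)
    role_marks = ",".join("?" * len(roles))
    field_marks = ",".join("?" * len(ORG_FIELDS))
    sql = f"""
        SELECT f.AGR_NAME, f.OBJECT, f.AUTH, f.FIELD, a.LOW AS ACTVT,
               COALESCE(o.LOW, f.LOW)   AS VAL_LOW,
               COALESCE(o.HIGH, f.HIGH) AS VAL_HIGH,
               CASE WHEN f.LOW LIKE '$%' THEN 0 ELSE 1 END AS BROKEN
          FROM AGR_1251 f
          LEFT JOIN AGR_1252 o           -- resolve $VARIABLE to org values
                 ON o.AGR_NAME = f.AGR_NAME AND o.VARBL = f.LOW
          LEFT JOIN AGR_1251 a           -- ACTVT of the same authorisation
                 ON a.AGR_NAME = f.AGR_NAME AND a.OBJECT = f.OBJECT
                AND a.AUTH = f.AUTH AND a.FIELD = 'ACTVT'
         WHERE f.AGR_NAME IN ({role_marks}) AND f.FIELD IN ({field_marks})
         ORDER BY f.AGR_NAME, f.OBJECT, f.AUTH, f.FIELD
    """
    cur = con.execute(sql, (*roles, *ORG_FIELDS))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def naive_merged_values(rows):
    """Plain union of values per org field: the view you get once the
    authorisation (ACTVT) context is dropped, as when merging into one role."""
    merged = {}
    for r in rows:
        val = r["VAL_LOW"] + ("-" + r["VAL_HIGH"] if r["VAL_HIGH"] else "")
        merged.setdefault(r["FIELD"], set()).add(val)
    return merged


if __name__ == "__main__":
    con = build_db()
    rows = org_values_in_context(con, "SHAIK")
    for r in rows:
        print(r)
    # BUKRS collapses to {'*', '1000', '2000'}; that '*' is display-only and
    # the posting access is limited to 1000 is no longer visible.
    print(naive_merged_values(rows))
```

The contextual rows show that the '*' on BUKRS belongs to an ACTVT 03 authorisation while posting (ACTVT 01) is restricted to 1000, and that Z_MM_DISPLAY carries a literal BUKRS value that would be missed by a join on AGR_1252 alone; the merged dictionary is what the analysis degrades to once those authorisations are folded into a single role.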