Solved: Regenerate PFCG profiles after support package upg...

Sandra_Rossi · ‎06-11-2015

Hi,

After an upgrade SAPKB73108 in our SAP development system, we have roles SAP_BC_WEBSERVICE_ADMIN* with the status "Current version not generated" (status for the generated authorization profile), and we can see that the profile has different authorizations than the ones defined for the role, for instance S_SRT_CF_C has ACTVT=03 for the role, but * for the profile. I'm not sure, but I guess these roles were previously correct i.e. the profiles were coherent, at least sometime in the past.

I think that we have to run the mass generation for "roles with profiles not current" (transaction SUPC) after an upgrade, but I can't find any documentation which confirms that. Could you confirm that and provide some reference documentations?

Thanks a lot!

Sandra

PS: I couldn't find answers in the forum for words SPAM, post upgrade activities, profile generation, role, etc. Closest topics:

Former Member · ‎06-11-2015

You should not use SAP standard roles (with the exception of a few J2EE UME roles for UME groups, which do not need generated profiles). SAP will overwrite the authorization data with upgrades (as they have done here).

You should copy the role if you want to use it as a template.

Cheers,

Julius

Former Member · ‎06-11-2015

You should not use SAP standard roles (with the exception of a few J2EE UME roles for UME groups, which do not need generated profiles). SAP will overwrite the authorization data with upgrades (as they have done here).

You should copy the role if you want to use it as a template.

Cheers,

Julius

Sandra_Rossi · ‎06-11-2015

Thanks Julius.

I thought they were standard, but I don't know how to be sure. I see in client 000 that this role has authorization ACTVT=03 for S_SRT_CF_C object, so you may be right, the * value could be custom. How to be sure?

Do you know, if they were standard, the profiles would be automatically regenerated (and set to the right status "Generated")?

Former Member · ‎06-11-2015

It certainly is a SAP role if it's name starts with SAP. They are updated at will by SAP as templates and are always sent without profiles. If a SAP role has a profile, then the customer must have generated it.

Via the change documents for roles you can find out who changed the value and generated the profile - but that does not really matter much, as you should not use them in the first place for this exact reason that SAP must have a way to send template updates to customers.

Another reason why you should not use them is because from a qualitative perspective they are often terrible (I think that is fair to say with a straight face even here on SAP's own website... 🙂

Cheers,

Julius

Sandra_Rossi · ‎06-12-2015

Julius,

I understood what probably happened: as you said, we changed the roles (but I can't find them in the Change Documents because they were probably archived/deleted): some time before 2013, we changed the role by replacing the standard "generated profile" (T_BA...) by a new one (T-H6...), and changed the role. Note: you say the profile is not delivered by SAP, are you sure? I see many other roles with standard profile names (T_...)

As far as I understand now, an upgrade on a role (i.e. any transport request) changes both the "role authorization definitions" (those we can see in PFCG, tables AGR_125*) and the authorizations in the standard associated profile, which is T_BA... So, the profiles are not to be regenerated as they are supplied, as long as we did not replace the standard associated profile! Notes: the generated profiles contain the actual authorizations checked (tables UST* + USRBF2 for the buffer); the concept of PFCG "generation" is to transfer the "role authorization definitions" to the profile.

So, in my case, as we changed the standard T_BA... profile to a custom T-H6... profile, the latter has not changed during the upgrade, and is now different from the role, so the T-H6... profile has got status "Current version not generated".

So, it's a mess now as PFCG doesn't show the actual authorizations, we need absolutely to merge the standard versus custom authorizations and get the status "Generated" so that PFCG = actual authorizations. Of course, as you say, we should have never changed these standard roles! I know what to do.I'll try to set the situation back to the normal.

Regards

Sandra

PS: while using SUIM, I was mistaken by searching for authorization values *, because it doesn't look for * but for any authorization value (it returns values 03 for instance). To search the authorization value * we must search for '*' (* enclosed by two single quotes).

Former Member · ‎06-12-2015

SAP might deliver the profile names with the PFCG role data (AGR_PROFS), but they are not generated. You are just looking at the surface and that is all that SAP sends you.

You must copy the entire role SAP_xxx to your own namespace ZSAP_xxx for example. Then it (and it's generated profiles) are yours, based on the template delivered by SAP (as you chose to use it). When SAP upgrades the SAP roles again, you can compare your ZSAP to the new version of SAP role in transaction SUIM.

At least, that is the intended process... 😉

Cheers,

Julius

Sandra_Rossi · ‎06-12-2015



SAP might deliver the profile names with the PFCG role data (AGR_PROFS), but they are not generated. You are just looking at the surface and that is all that SAP sends you.

Okay, I understand now Thanks!

Regenerate PFCG profiles after support package upgrade