
TR import error 'Invalid object Z_ZZ_ZZZZ in role SAP_ABC_ABCDEFGH deleted'

Former Member
0 Kudos

I would like to request help resolving an issue regarding a transport request import error.

When a TR is imported from development to quality system, it returns with error RC=4 and with statement 'Invalid object Z_ZZ_ZZZZ in role SAP_ABC_ABCDEFGH deleted'.


We have one global development system (assume name 'DevGlobal') and child development systems (assume names 'Dev1', 'Dev2', 'Dev3') and quality systems (assume names 'Q1', 'Q2', 'Q3').


We perform the role changes in 'DevGlobal' system and push the changes to respective development (Dev1, Dev2, Dev3) and quality (Q1, Q2, Q3) child systems.

When a TR is imported, it returns with error RC=4 and with statement 'Invalid object Z_ZZ_ZZZZ in role SAP_ABC_ABCDEFGH deleted'.

The actual issue here is that auth object Z_ZZ_ZZZZ does not exist in all child systems.


E.g.


1. Auth object Z_ZZ_ZZZZ exists only in Dev1/Q1 child systems. Hence the role gets imported to respective Dev1/Q1 child systems without any error.

2. However, object Z_ZZ_ZZZZ does not exist in the other child systems (Dev2/Q2 and Dev3/Q3). Here also the role gets imported to the respective Dev2/Q2 and Dev3/Q3 child systems; however, the authorization tab becomes yellow and we again have to generate the profile in the Dev2, Dev3, Q2, Q3 systems.

Note: It is not recommended by the client to push the objects to the other child systems, where the object does not exist.


If anyone is aware of a similar issue, I would request you to please share the solution or any SAP note.

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Nadeem,

In such a situation, we need to ensure that the new authorization object is imported first by development (or any other team who has created it) to all the DEV and Q systems so that this issue cannot occur while importing the role.

Otherwise, if auto-import is not enabled for TRs, then you can import the transport request selectively to those systems which have that authorization object.

Hope this helps

Thanks

10 REPLIES 10

0 Kudos

Hi Santosh,

Thank you. I really appreciate your prompt response.

In such a situation, we follow a similar import method to the one you mentioned in your second point.

We have one global Dev system (DevGlobal) and other child systems. The child systems are divided based on the geographical region.

e.g. Dev1/ Q1 for EMEA, Dev2/Q2 for APAC, Dev3/Q3 for America.

The custom auth objects are created for particular child system/ region (say for Dev1/ Q1 - EMEA).

Hence it is not recommended by client to push the auth object in the other child systems/ regions (say Dev2/Q2 - APAC, Dev3/Q3 - America).

Normally, we perform role change in 'DevGlobal' system and push the changes to child D and Q systems.

However, if an error occurs due to a missing object in any particular system, then we import the roles selectively from the Dev child system (Dev1, Dev2, Dev3) to the respective Q system (Q1, Q2, Q3).

However we are searching for any solution or SAP note, by which we can import the roles from Global Dev system to respective child Dev and Q systems, without getting any error.

0 Kudos

Hi Nadeem,

I believe you are using global dev system because you have consistent security architecture across all child systems (APAC, Americas, EMEA etc). So I don't see a reason why if an auth object is accepted in one region, it wouldn't be accepted in another region.

Also I would assume that this new auth object is added to the role because you added a new tcode to the role. So I would suggest the below 2 options:

1. If the new tcode is needed for all regions, bring the new auth object into all child systems. Then you would be able to import role without any error.

2. If the new tcode is specific to only EMEA, then don't add it to existing role. Instead create a new role for tcode, or add it to another role which is suitable for this tcode and is used for only EMEA. Then import this role to only EMEA systems.

Thanks

0 Kudos

Hi Nadeem

I have worked in a similar complex landscape before

If you are going to have a custom object and want it in a role that goes to all systems then you will need to move the object or accept the warning in transports

Where I worked previously we had two 'sources' of truth for development. Global changes (all regions) were performed in the master dev under a role name convention. All region-specific changes were built in the regional dev.

Therefore, if you worked in a similar environment, the custom object would be defined in either system but only added to a security role for the regional box.

My comment is similar to Nitesh's advice.

The bigger question here - what is the risk to the other regions in allowing the object to be transported even though it's not used?

If you aren't allowed, the next question is RC=4 is a warning - did the custom object get removed (not in AGR_1250/1251/1252 tables or visible in PFCG and therefore not in generated profile)? If so, you can disregard the transport warning.

There is no note to apply as the system is not broken.

Regards

Colleen

0 Kudos

Hi Nitish,

Thank you very much for your help

0 Kudos

Hi Colleen,

Yes, the custom objects get removed.

Thank you very much for your help

Former Member
0 Kudos

Hi Nadeem,

Would you pls check if the 'auth object Class' for object z_zz_zzzz too is available (transported) in the target box?

0 Kudos

Hi,

Sorry for the late response on your query.

Some of the custom auth objects are created under standard object class and some are created under custom object class.

The standard object class exists in the target system. However, the custom object class does not exist.

In any case, whether the object class is standard or custom, the auth objects get deleted in the target system.

0 Kudos

Pls transport the relevant Class too till target, then see if transporting the role works too as desired.

0 Kudos

Ok. I will check. Thank you
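
A pre-import check for the situation discussed in this thread, as an added example that is not part of any post: it predicts which target systems will drop an authorization object from a role on import (the RC=4 case) and whether the object's class is missing there too, then verifies after import that the object really is gone from the role data. The row shapes (exports of AGR_1251, TOBJ and TOBC), the class name ZCLS and all sample rows are constructed assumptions.

```python
# Added example. All rows are constructed sample data shaped like table
# exports: AGR_1251 (role -> object), TOBJ (object -> class), TOBC (classes).
ROLE_ROWS = [  # AGR_1251 rows from the source system: (AGR_NAME, OBJECT)
    ("SAP_ABC_ABCDEFGH", "S_TCODE"),
    ("SAP_ABC_ABCDEFGH", "Z_ZZ_ZZZZ"),
]
# TOBJ in the source system; ZCLS is a hypothetical custom object class.
OBJECT_CLASS = {"S_TCODE": "AAAB", "Z_ZZ_ZZZZ": "ZCLS"}
TARGETS = {  # per target system: objects (TOBJ) and classes (TOBC) present
    "Q1": {"objects": {"S_TCODE", "Z_ZZ_ZZZZ"}, "classes": {"AAAB", "ZCLS"}},
    "Q2": {"objects": {"S_TCODE"}, "classes": {"AAAB"}},
    "Q3": {"objects": {"S_TCODE"}, "classes": {"AAAB", "ZCLS"}},
}


def predict_import_findings(role_rows, object_class, targets):
    """Return {system: [(role, object, class_also_missing)]} for every object
    a role references that the target system does not define."""
    findings = {}
    for system, inventory in sorted(targets.items()):
        hits = []
        for role, obj in sorted(set(role_rows)):
            if obj not in inventory["objects"]:
                cls = object_class.get(obj)
                hits.append((role, obj, cls not in inventory["classes"]))
        if hits:
            findings[system] = hits
    return findings


def leftover_objects(post_import_rows, expected_removed):
    """After import: (role, object) pairs that should have been dropped but
    still appear in the target's AGR_1251 rows."""
    return sorted(set(post_import_rows) & set(expected_removed))


if __name__ == "__main__":
    found = predict_import_findings(ROLE_ROWS, OBJECT_CLASS, TARGETS)
    for system, hits in found.items():
        for role, obj, class_missing in hits:
            note = "object class also missing" if class_missing else "class present"
            print(f"{system}: {obj} will be dropped from {role} ({note})")
```

Systems with no finding can take the role transport as is; a leftover pair after import means the RC=4 warning should not be disregarded for that system.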