Limit on number of roles to be created

Former Member
0 Kudos

Hi All,

I want to clear my concept in this regard.

How many (maximum) roles can be created in a system?

Does an increase in the number of roles created in the system affect the system performance? If yes, then how?

Is creation of 'user-specific' roles recommended? I mean creating one role per user. Or should we create designation-wise roles?

After answering my above queries...

What suggestion will you give regarding role structure for an organization having in all around 170 users and frequently changing the users' authorizations?

Thanks.

---Shamish

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi Shamish,

Answers in short for your questions.

1. No max limit for the number of roles to be created.

2. No effect on system performance. Do you ever think your system gets overloaded if you create more plants, company codes, sales orders, etc.? This is the same case.

3. User-specific roles are not recommended in many situations.

4. Frequently changed authorizations -- I didn't really get that.

If you create roles based on designation then it should not be much of a problem.

Tip: a user can only be assigned a max of 312 profiles.

Br,

Sri

Award points for helpful answers

0 Kudos

Hi Sri,

Thanks for your answer.

But I still doubt whether it will not affect the system performance.

The reason for my doubt is... if more roles are created then they will be loaded into the buffer whenever a user logs in. So if we increase the number of roles it should consume more resources, I suppose.

If, according to you, an increase in the number of roles does not affect system performance, then why do you not recommend user-specific roles? (Because, seen from the other side, the authorization-level security becomes quite tight if we use user-specific roles.)

0 Kudos

Hi Shamish,

They are 2 different things...

1. Creating more roles -- it is always OK.

2. Assigning more roles to a person -- in this case the buffer issues do come into the scenario.

If you go for user-specific roles, then you cannot handle the exceptions very well.

E.g.: if you assign Tcode SM30 to one user with some exceptions, then you need to monitor who is given what and in what role.

If you go by designation then it's a lot easier to handle and maintain...

I said it from a maintenance perspective rather than performance...

br,

Sri

Award points for helpful answers

0 Kudos

Hello Shamish,

Creating even a single role means you're adding some data to the database. But the delta is pretty small.

However, when you are creating a large number of roles the addition to the database will also be larger. However, really, if you have a sturdy database, roles should be the last thing you should worry about.

System performance comes into the picture only when you are trying to access data. Not just because some data is lying in the database.

Regards.

Ruchit.

0 Kudos

Thanks Ruchit.

Can you please suggest any mathematical entity to calculate the memory resource and response time with an increase in the number of roles (if any)?

Shamish

0 Kudos

Hello Shamish,

I think you did not get my point.

See, any performance measurement vis-à-vis roles can be done only when you are doing any operation related to roles.

I mean, for example, if you have 1000 roles and are not using them, they won't really hamper system performance. They are just present there in the database. However, even if you are doing some action on even one role, then system performance will come into the picture.

Now, depending on the action you are performing, you can calculate the effect on the system in terms of memory, response time, etc.

I mean, for example, you are creating a role and want to see what kind of memory usage it has or what its response time is.

For memory consumption: you may activate the trace for memory management in ST01. You can also get the details from ST03N.

For response time: SE30 and ST03N are the options.

Response time can also be found out from your screen. Look out for the box-shaped icon on the lower right-hand side of your screen.

Regards.

Ruchit.

0 Kudos

Hi Ruchit,

I did not mean the performance degradation while creating a role.

I will put my question this way.

1. Whenever a user logs in, the profiles attached to his ID will get loaded into the user buffer (I suppose).

2. Now, according to my consideration, when he tries to run any transaction and subsequently browses through different screens, every time the system will cross-check whether he has the particular authorization with reference to his profiles.

3. Now if I have created many roles then all of them (I mean all those which are assigned to that particular user) will get loaded at the time when he logs in. So the system will have to search through more profiles for each transaction and activity of the user. So this will reduce the performance (I suppose).

Can you also clear up one thing please...

Where do all these profiles get loaded... in the user buffer or a shared area?

So considering the above things I want to decide whether to go for user-specific roles or designation-specific roles.

If these roles get loaded in the particular user's buffer then I think either user-specific roles or designation-specific roles will not matter.

And if they get loaded in some shared area then of course the designation-specific roles will be recommended, because it will not need more space if two users having the same role log in at the same time.

Thanks.

Shamish

0 Kudos

Hi Shamish,

In SU56 you can check the content of the user buffer. Looking at it you would understand that SAP already stores the values of all profiles according to the respective authorization objects, and hence it is easier for it.

Please check OSS Notes 84209 and 75908 for more info on this topic.

Also the parameter Auth/auth_number is decisive in this topic.

This parameter is used to specify which buffers are used to carry out the authorization check efficiently.

2: authorizations in database table USRBF2 (are updated when user logs on if there is no table entry in USRBF3). First all USRBF2 entries belonging to the logged on user are deleted, and then they are generated. Authorization values in database table UST12 (are updated when authorizations are changed).

3: authorizations in database table USRBF2 (are updated when user logs on if there is no table entry in USRBF3). Table contents in USRBF2 are only changed, if changes not available. Authorization values in database table UST12 (are updated when authorizations are changed).

4: authorizations in database table USRBF2. The authorizations are updated immediately after authorizations, roles or user master or related imports have been changed. Authorization values in database table UST12 (are updated when authorizations are changed).

5: for future enhancements.

Ideally we set the value as 4, which is more appropriate.

Hope it helps now in your understanding.

Award points accordingly.

Br,

Sri

0 Kudos

Hello Shamish,

Now your question is much clearer.

Yes, whenever a user logs in his authorizations get loaded in the user buffer. You can find these details in transaction SM56. Also in table USRBF2.

However, this is what happens when a user executes any transaction.

Now when a user executes any transaction, the authorization check will be done with the USRBF2 table along with the UST12 table.

For example, in order to execute any transaction, say X, you need certain values for authorization object Y.

SAP will fetch values from USRBF2.

The select statement at SQL level will be something like this:

SELECT * FROM USRBF2 WHERE "MANDT" = <client> AND "BNAME" = <USER ID> AND "OBJCT" = <Authorization object which is being checked>

Now USRBF2 will return value(s) in this format:

USER ID | Authorization Object | Authorization

Here the value(s) of authorization is critical.

Next the check will be performed with the UST12 table:

SELECT * FROM UST12 WHERE "MANDT" = <Client> AND "OBJCT" = <Authorization object> AND "AUTH" = <value obtained from USRBF2> AND "AKTPS" = 'A'

AKTPS is the version and its value A symbolises Active.

The output from USR12 will be like this:

Client Object Authorization Version for field Value

where value will be for the field.

Now for one value of authorization input in UST12 you will get multiple returns from UST12. So if you give multiple values of authorization you have obtained from USR12 as input in UST12 the values you will get as output from UST12.

If values from UST12 satisfy the authority check, only then will the user be able to execute the action.

Now only in case an authorization object occurs redundantly in roles will the selections in USRBF2 and UST12 rise, and not just because there is a large number of roles.

Also both these tables are buffered, so access is not from the DB directly but from the buffer.

In order to understand this better I will suggest you this.

Set up an SQL trace using ST05 and then execute some transaction, say SU01, and do some dummy action there. You will understand it easily if you have working knowledge of ABAP or SQL.

Then stop the trace and list it. The output will explain things better to you.

Regards.

Ruchit.
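Added example (not part of the original posts, and not SAP code): a small SQLite model of the two-step lookup described in the reply above, showing that the number of UST12 selections follows the authorizations a user holds for the checked object, not the number of roles that exist. All rows are constructed sample data; the `FIELD`/`VON` column names, exact-value matching, and the helper names are assumptions of this sketch.

```python
import sqlite3

def build_db(unassigned=0):
    """Constructed sample data in a simplified model of USRBF2 and UST12."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE USRBF2 (MANDT, BNAME, OBJCT, AUTH);
        -- FIELD and VON are assumed column names for the field/value pair
        CREATE TABLE UST12 (MANDT, OBJCT, AUTH, AKTPS, FIELD, VON);
    """)
    db.executemany("INSERT INTO USRBF2 VALUES ('100', ?, ?, ?)", [
        ("CLERK1", "S_TCODE", "Z_CLERK_01"),
        ("CLERK1", "S_TCODE", "Z_CLERK_02"),
        ("OFFICER1", "S_TABU_DIS", "Z_OFF_01"),
    ])
    db.executemany("INSERT INTO UST12 VALUES ('100', ?, ?, ?, ?, ?)", [
        ("S_TCODE", "Z_CLERK_01", "A", "TCD", "SU01"),
        ("S_TCODE", "Z_CLERK_02", "A", "TCD", "SM30"),
        ("S_TCODE", "Z_CLERK_02", "I", "TCD", "SE16"),   # inactive version
        ("S_TABU_DIS", "Z_OFF_01", "A", "ACTVT", "03"),
    ])
    # Authorizations of roles that exist but are assigned to nobody.
    db.executemany(
        "INSERT INTO UST12 VALUES ('100', 'S_TCODE', ?, 'A', 'TCD', 'SU01')",
        [(f"Z_UNUSED_{i:04d}",) for i in range(unassigned)])
    return db

def authority_check(db, client, user, objct, field, value):
    """Return (allowed, number of UST12 selections performed)."""
    # Step 1: which authorizations does this user hold for the object?
    auths = db.execute(
        "SELECT AUTH FROM USRBF2 WHERE MANDT=? AND BNAME=? AND OBJCT=? "
        "ORDER BY AUTH", (client, user, objct)).fetchall()
    lookups = 0
    for (auth,) in auths:
        # Step 2: fetch the active field values of each authorization.
        lookups += 1
        rows = db.execute(
            "SELECT FIELD, VON FROM UST12 "
            "WHERE MANDT=? AND OBJCT=? AND AUTH=? AND AKTPS='A'",
            (client, objct, auth)).fetchall()
        if (field, value) in rows:   # exact match only; no ranges or wildcards
            return True, lookups
    return False, lookups

if __name__ == "__main__":
    for n in (0, 1000):
        db = build_db(unassigned=n)
        print(n, authority_check(db, "100", "CLERK1", "S_TCODE", "TCD", "SM30"))
```
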

0 Kudos

Hi Sri/Ruchit,

It was a nice piece of information... in fact I think my concept is much clearer now.

Thanks very much.

In case of any more query in this regard.. will come back to you again!!

Cheers!!

---Shamish

Former Member
0 Kudos

Hello Shamish,

As far as I know, the number of roles that can be created depends on the size of the tables in which the role information is stored; there is no parameter that limits the number of roles that can be created in a system. But you can restrict the number of roles a user can have by limiting the user buffer via the auth/auth_number_in_userbuffer parameter.

Increasing the number of roles will surely affect the performance of the system, as more data is to be fetched from the table every time an authorization check has to be performed on the user.

Creation of one role per user is a bad idea.

Regarding role structure, it depends on your business processes; it is important to check if the authorizations are well organized. For example, a clerk in a department should have restricted access for only what he is doing, and a manager should have greater access. If your organization has multiple sub-units which can be identified with plants, company codes, etc., then you need to make sure users belonging to one sub unit should have access for other sub unit/department. You also need to take advice from your functional team for knowing different levels in processes where restrictions can be adopted.

Reward points if helpful,

Regards,

Raju.

0 Kudos

Hi Raju,

Thanks for the nice answer.

But in this particular scenario where we have around 170-200 users... will it affect the performance badly if I create one role per user?

(Because in our case every department has a few users who cannot be separated designation-wise; they do a mixed kind of work, e.g. a few transactions of the officer role and a few from clerk, likewise. Hence if a new requirement comes, it is very hard to decide which role this transaction should be assigned to. Because wherever I may add it, it is going to authorize somebody else in extra who is not supposed to be.)

Is there any rational way to decide this limit and to decide how many roles will affect system performance by how much?

Thanks.

Shamish