I'm not sure 'downloading' does save the target-system in the role (but then: i never tried this way). When assigning roles from systems 'outside' the cua-master i do it using RFC. Anyway: check that the field 'taget-system' AGR_HIER-TARGET_SYS is filled in the composite role and also me RFCDES-RFCDEST in each single role with the data of the system / client where it belongs.

after saving do as Kantikiran suggested. You might want to use report SUSR_ZBV_GET_RECEIVER_PROFILES instead of the function you can call from tx. PFCG herewith avoiding to repeat the function for every new role created.

Thanks for the suggestions. Sadly, no luck with either.

I've looked at AGR_HIER table and the "target_sys" field is empty. It's populated in the source CUA master system (which makes sense).

Text comparison, either from SU01 or via the program mentioned, completes successfully with green lights for all child systems but does not update the target system. I tried it with, and without, selecting the "delete invalid assignments" check box - same result either way. Even tried running PFUD for one child-system role but, while that recognised there was no auth data, it didn't update agr_hier-target_sys.

I don't understand the comment "...and also <i><b>me</b></i> RFCDES-RFCDEST in each single role with the data...". The desired target (child) system is correctly defined in the RFCDES table. <u>Remember</u>, I have been able to create users in these systems from the CUA master and I can assigne roles to the users. The problem is that the roles which SHOULD have a child system as their location do not - they think they belong to the CUA master system.

I did try reloading one role via RFC. To try to understand what's happening I tried two experiments. First, I reloaded the role from it's correct child system and then I reloaded it from the old CUA master.

When I reloaded the role from the child system, I was warned that it already existed and would be overwritten but the import log finally showed a red traffic light meaning the role was not imported.

When I reloaded it from the old CUA master it worked but, unfortunately, it set the destination system to the old CUA master, not the child system.

Message was edited by:

Murray Nicholas

Thanks for continuing to work with me here.

I believe I understand the basics of composite and single roles and the relevant system assignment for each. The problem is that I can't find a viable means of remapping the child systems' roles to their correct systems. There are some test results below which may start to give a clue.

Perhaps if I can safely delete all the single roles (which should live in and be assigned to the child systems) without corrupting the composite roles in the CUA master, then I can do a full RFC read from each child in turn?

The following test has been conducted on all child systems:

1 - create single role with authorisations and generate profile in child system

2 - read role to CUA via RFC

3 - distribute manually via button on PFCG menu tab from CUA

APO/SCM, CRM, BI, WMS children

- read via RFC assigned the destination but did not distribute

- manual distribution works

HR child

- read via RFC does not assign a destination

- manually assigned and distributed the destination without error

ECC6 child

- read via RFC assigns a destination but distribution is not complete

- manual distribution fails with the "Error creating RFC link in system xxxxxxx" pop-up in CUA and a short dump for a missing PRGN_SAVE_ROLE_MENU

- NOTE NOTE NOTE: PFCG in the ECC6 child system shows that the role has been updated (the created column is blank but the changed column is filled with the CUA administration userid and the time stamp is consistent.)

A text comparison still does not fix the imported role assignment. The CUA administration userid in the child system needed access to SMTR_AGRS and PRGN function groups in the S_RFC auth object.

Hmmmm!

It gets curiouser and curiouser but better too.

My security analyst colleague got frustrated with my questions and test and tried a marginally different approach...

We have used transaction SM30_SSM_RFC to supply variable names for the child systems in our composite roles. This transaction maps the variable name to an RFC destination in table SSM_RFC.

For example, if I have a role structure like the following:

Composite role Z_COMP

contains Z_ECC6_ROLE1 assigned to ECC6 child (via variable "MYECC")

and Z_APO_ROLE1 assigned to the APO/SCM child (via variable "MYAPO")

And table SSM_RFC maps the VARIABLE MYECC to an RFC destination (e.g., ECCCLNT100) pointing to the ECC6 system, and VARIABLE MYAPO does likewise for the APO/SCM (e.g., APOCLNT001) system.

Then, if I read the Z_ECC6_ROLE1 via RFC and specify either ECCCLNT100 or MYECC in the RFC field, the system assignment does not happen. If, however, I choose the pull down menu to select the RFC destination and then choose the VARIABLE radio button and choose MYECC from the listed options, the system assignment does work!

So far I have tested this successfully for my APO/SCM, BI, CRM, HR. Next test is the ECC6 system but I think, despite the other error messages, it may well work since there was one role I successfully imported and assigned but I can't remember exactly how I did that in all the other testing and trying...