Hi Abhishek,

Thanks!!

I will explain you my senario..

I saw there were some tcodes in master roles say mm01 mm02, i tried executing them in through a test user who has the derrived roles assigned to him but the tcode was not executable.

Hence i pushed the values from master role to derrived role without any changes made in master role.But i found that all the derrived roles which did not have access to mm01 and mm02 have my user id as last changed with a tcode addition.

Regards

Rakesh

Hi Rakesh,

It seems someone has made a mistake earlier, which you have rectified. I think, someone earlier must have added a transaction to the master role(say MM01) and didn't adjust the master and derived roles. Hence, if this step is not done, the derived roles will not have the ability to grant access to MM01. What you have done is have just adjusted the master and derived roles, ( correctly so) and now the derived roles are consistent with the master role.

Regarding time stamp, whenever we adjust the master and derived roles, all the derived roles are generated again, hence, it will show your id as last changed.

So, what you have done is absolutely correct

Let me know if you you are not clear on answer

Abhishek

Rakesh,

Thats right. When you push the generate child roles from master roles it will have your ID in the changed by field for the child roles.

And also the changes will documented against your name in the change documents.

The point is generation of the child roles you do it only in the D box and you transport the roles to the Q and P along with the generated profiles.

So when you actually try to see the change documents for the roles in Q or P it will have the ID which is being used for transport.

Thanks.

Regards,

Muthu Kumaran KG

Hi,

The role is development box only and there is no question of transporting the role.

I thought that there may be some way to know that i have only "pushed" the values and not "updated them" in master role.

Thanks Abhishek and Mutukumaran..

Regards

Rakesh

In adjusting the master and derived role, did you generate the master role too?

Maybe thats the reason it is showing your name as last changed in the master role. If you are concerned about the time stamp of the master role, you can always check the change documents of the master role to see what actual changes you have "not made" 😛

-Abhishek

The thing is when ever we push the authorization from Master role to Derived Role. It shows "I" (inserted) Or "U" (updated). The thing is if any one update directly into the Derived role we are not able to track those changes in Derived Role?

I am not able to understand this?!

Why in the world would someone do a direct non-org level change in a derived role ? All those changes will get flushed whenever the master and derived roles are adjusted.

If someone is doing direct functional restriction changes in the derived roles, then I think more emphases should be put in implementing proper processes in place.

Please let me know if I have misunderstood your question

Abhishek

Hi Abhishek

What you are saying is the Real Time Scenario. But If it happened how we are able to track. That is my doubt. Searching in all the derived role one by one is a tedious job.

Regards

Rakesh

Hi Rakesh,

What version are you on? You should be able to look at change docs for a group of roles (e.g. all the derived roles). Any changes not by yourself would narrow down the scope of what you need ot review.

Hi Rakesh,

It's not as simple as that, the log will show you what has changed in the role but not how it was changed.

If you compare the changes in the child roles against those in the master role, anthing which has been changed in the child will not appear to have been changed in the parent at a similar time. The info you get is not in detail but in the form of:

Role Description

Authorization Data

Organizational Level Value

An Authorisation Data change in your child role which does not match with the same in the parent role will mean someone has edited that child role.

It is feasible to do it manually, you just have to give yourself enough time. Paste the log files for each role into columns in a spreadsheet and you will soon see where the changes don't line up and can target further investigation.

Have you thought of doing a role comparison?

There might even be a way of doing a role comparison against multiple roles??

Cheers,

Julius

Hi Julius

Role comparison is a good idea and does save time when compared to manual comparison.

Cheers

Rakesh.