03-06-2008 9:05 PM
I have pushed the values form the master role to the derrived role i noticed that the master role and all the derrived role has my user id as last changed.
How to track whtr i have updated the values and pushed or only pushed the values into the derrived roles.
Regards
Rakesh
03-06-2008 10:07 PM
Hi Rakesh,
Thats the primary concept of Master-derived. You should only maintain the functional restrictions in the master roles. Whatever update you do, be it adding a transaction or changing values of objects will be pushed to the derived roles, on adjustment, updating and generating the derived roles with its time-stamp.
The ORG values do not get pushed to the derived roles, we have to maintain it manually here.
Regarding tracking: track the functional updates in the master role and the ORG updates in the derived roles.
Hope that clarifies your question
Abhishek
03-06-2008 10:18 PM
Hi Abhishek,
Thanks!!
I will explain you my senario..
I saw there were some tcodes in master roles say mm01 mm02, i tried executing them in through a test user who has the derrived roles assigned to him but the tcode was not executable.
Hence i pushed the values from master role to derrived role without any changes made in master role.But i found that all the derrived roles which did not have access to mm01 and mm02 have my user id as last changed with a tcode addition.
Regards
Rakesh
03-06-2008 10:26 PM
Hi Rakesh,
It seems someone has made a mistake earlier, which you have rectified. I think, someone earlier must have added a transaction to the master role(say MM01) and didn't adjust the master and derived roles. Hence, if this step is not done, the derived roles will not have the ability to grant access to MM01. What you have done is have just adjusted the master and derived roles, ( correctly so) and now the derived roles are consistent with the master role.
Regarding time stamp, whenever we adjust the master and derived roles, all the derived roles are generated again, hence, it will show your id as last changed.
So, what you have done is absolutely correct
Let me know if you you are not clear on answer
Abhishek
03-06-2008 10:31 PM
Rakesh,
Thats right. When you push the generate child roles from master roles it will have your ID in the changed by field for the child roles.
And also the changes will documented against your name in the change documents.
The point is generation of the child roles you do it only in the D box and you transport the roles to the Q and P along with the generated profiles.
So when you actually try to see the change documents for the roles in Q or P it will have the ID which is being used for transport.
Thanks.
Regards,
Muthu Kumaran KG
03-06-2008 11:05 PM
I thought that there may be some way to know that i have only "pushed" the values and not "updated them" in master role.
Thanks Abhishek and Manjunath..
Regards
Rakesh
03-06-2008 11:15 PM
Hi,
The role is development box only and there is no question of transporting the role.
I thought that there may be some way to know that i have only "pushed" the values and not "updated them" in master role.
Thanks Abhishek and Mutukumaran..
Regards
Rakesh
03-06-2008 11:16 PM
In adjusting the master and derived role, did you generate the master role too?
Maybe thats the reason it is showing your name as last changed in the master role. If you are concerned about the time stamp of the master role, you can always check the change documents of the master role to see what actual changes you have "not made" 😛
-Abhishek
03-06-2008 11:36 PM
The thing is when ever we push the authorization from Master role to Derived Role. It shows "I" (inserted) Or "U" (updated). The thing is if any one update directly into the Derived role we are not able to track those changes in Derived Role?
03-07-2008 12:07 AM
I am not able to understand this?!
Why in the world would someone do a direct non-org level change in a derived role ? All those changes will get flushed whenever the master and derived roles are adjusted.
If someone is doing direct functional restriction changes in the derived roles, then I think more emphases should be put in implementing proper processes in place.
Please let me know if I have misunderstood your question
Abhishek
03-07-2008 12:28 AM
Hi Abhishek
What you are saying is the Real Time Scenario. But If it happened how we are able to track. That is my doubt. Searching in all the derived role one by one is a tedious job.
Regards
Rakesh
03-07-2008 8:50 AM
Hi Rakesh,
What version are you on? You should be able to look at change docs for a group of roles (e.g. all the derived roles). Any changes not by yourself would narrow down the scope of what you need ot review.
03-07-2008 12:20 PM
I am operating on SAP ECC 5.0.
Alex please let me know how the track results are shown
1. When i only push the values into the derrived role(it must show only "U" in SUIM)
2. When i directly update the derrived roles, does they show the same result like "I"(inserted) and "U"(updated) in SUIM.
Regards
Rakesh.
03-07-2008 12:51 PM
Hi Rakesh,
It's not as simple as that, the log will show you what has changed in the role but not how it was changed.
If you compare the changes in the child roles against those in the master role, anthing which has been changed in the child will not appear to have been changed in the parent at a similar time. The info you get is not in detail but in the form of:
Role Description
Authorization Data
Organizational Level Value
An Authorisation Data change in your child role which does not match with the same in the parent role will mean someone has edited that child role.
03-07-2008 3:45 PM
03-07-2008 6:38 PM
Hi,
What if there are many derrived roles andin that case its not feasible to have the log of all derrived role and compare it with master role.
Regards
Rakesh
03-07-2008 6:40 PM
Hi,
What if there are many derrived roles, its not feasible to have the log of all derrived role and then compare them with master role.
Regards
Rakesh.
03-07-2008 10:27 PM
It is feasible to do it manually, you just have to give yourself enough time. Paste the log files for each role into columns in a spreadsheet and you will soon see where the changes don't line up and can target further investigation.
03-08-2008 6:09 AM
Have you thought of doing a role comparison?
There might even be a way of doing a role comparison against multiple roles??
Cheers,
Julius
03-10-2008 6:07 PM
Hi Julius
Role comparison is a good idea and does save time when compared to manual comparison.
Cheers
Rakesh.
03-10-2008 6:18 PM
Hi,
I agree on role comparison.
Can we know the inconsistencies in the derrived roles through SUIM or is there any table involved in this.
Regards
Rakesh
03-10-2008 6:26 PM
>
> Can we know the inconsistencies in the derrived roles through SUIM or is there any table involved in this.
Derived roles and their parent should have identical values in tables AGR_1251 and AGR_TCODES.
03-10-2008 7:06 PM
Hi Jurjen
I agree on that point.
Comparing the tables for master role and derrived role will solve the problem. Even though its manual work but does help when we compare them on excel sheet to know Inconsistencies.
Cheers
Rakesh