Role Build?

Former Member · ‎03-31-2008

Hi All,

I have received the authorization matrix for a module.

It contains field values for auth. objects.

What should be approach during Role build phase?

How do i decide whether to maintain values in su24 or pfcg?

Thankyou ,

Ajit

Former Member · ‎03-31-2008

Use PFCG while creating the role, Choose "do not select templates". Then click on "Manually" and add the auth.obj given to you and later enter the values as specified.

Former Member · ‎03-31-2008

You could look in SU24 and make some suggestions back to them regarding which authorizations are included in the matrix, which are not included in the default start SU24 proposals. For those it is typically recommended to maintain SU24, but for some other scenarios it does not make sence.

You might also want to make some recommendations where the combination of the authorizations and the transactions might not make sense, or need to be analyzed closer. For example, an authorization for an object is included in the matrix and at the same time the same object is deactivated from an authority-check (No check) for a transaction which is also included in the role.

Cheers,

Julius

Former Member · ‎04-01-2008

To maintain values in fields of auth objects you can use only PFCG.

While su24 is used only to specify or check which auth objects are checked or not checked (along with field vaules) during executions of a perticular tcode.

So pfcg and su24 both have very diffrent funtionalities.

Former Member · ‎04-01-2008

Hi All..

For SU24 values I have followed following procedure:

If the transaction is only contained in one role, maintain ALL values within SU24 and use Expert mode for PFCG so that the values are fetched directly

(thus USOBT_C is adjusted).

If the transaction is duplicated across many roles, then update the values in SU24 to be "blank". Then update the values directly in PFCG

I hope this is rational way to do SU24 updates...!!!

Rakesh

Former Member · ‎04-02-2008

Hi Rakesh,

I agree that it is a rational way to perform SU24 updates.

Former Member · ‎04-02-2008

>

> While su24 is used only to specify or check which auth objects are checked or not checked (along with field vaules) during executions of a perticular tcode.

Only the ABAP controls what auth objects are checked or not checked. SU24 can have some influence but you cannot add checks via SU24 or inactivate checks for a range of auth objects.

Even outside the ABAP code, some checks are performed by the kernel e.g. S_TCODE, S_DATASET

Former Member · ‎04-02-2008

Yip, that sounds rational.

2 possible things you might want to consider non-the-less:

- When deciding to add the transaction to a second role at a later stage, wanting different values, you might have to undo the SU24 values again, particularly if you add values for fields which are not "activity related".

- Ensure not only that the transaction is not included in any other role (menu), but also check that object S_TCODE with that value for field TCD is not in any "Check/Maintain" position for other transactions which you might have in other roles.

Cheers,

Julius

Former Member · ‎04-03-2008

Alex and Julius I agree on that!!!

Maintaining values in Su24 is used in rare scenarios depending on the well maitained role to transaction matrix.

I would love to use Su24 for Tcodes like MIGO(which calls other tcodes).It should be fine having only the auth objects required for MIGO and you do not necessarily have to have the associated objects included with those called transactions.S_Tcode takes care of it as it is hard coded and does the check asking for the "Called" transactions.

Rakesh