Authorization Roles

Authorization: How to create a mass roles transport request using PFCG

To deploy roles from the DEV to the QAS server, the administrator can create the transport request in TCODE: PFCG either for each role individually or with the mass transport option, which combines multiple roles in one transport request.

In this sample we'll show the usage of the mass transport options:

1) Execute TCODE: PFCG

2) Select "Utilities" -> "Mass transport"

3) Insert all the roles that need to be included in the transport request

4) Select the "tick" button

5) Select the "tick" button

6) Select the "tick" button by using the default selection

7) Enter the required details for the new transport request

8) Take note of the request created and select the "tick" button

9) The request lists all the roles, including any master or derived roles that are relevant to the roles inserted previously.

How to enforce authorization in Adhoc query

Scenario: Read/write access to a certain employee group for the Basic Pay infotype has been restricted in the user's authorization profiles, but when executing an adhoc query with output fields from the Basic Pay infotype the user was still able to generate pay information that should have been filtered out.

Example: The user is only authorized to generate a query for "non-clerical, clerical and senior clerical", but the query shows information that is supposed to be restricted (the query contains information of the "manager" group).

The correct query that is supposed to be generated (ex: for clerical, non-clerical and senior clerical group only):

But the query generated contains additional data that needs to be restricted according to the user's authorization:

Solution: Ensure the authorization object "P_ABAP" is set to value "1" for ABAP program: SAPDBPNP

The incorrect settings:

The correct settings:

How to display authorization objects for specific TCODE

Having difficulty troubleshooting authorization issues for a certain TCODE? An easy way to debug the required authorization objects is with the use of TCODE: SU24.

Example:

1) Execute TCODE: SU24 -> enter the TCODE to be analysed -> Click the "Execute" button

2) Double click on the list of TCODE on the left side to view the relevant authorization objects.

3) Continue the authorization checking/resolution with this information.

Precaution when adding or removing TCODE in roles - authorization conflict

As Basis, you're trying to fine-tune the user roles and an unexpected result occurs:

Scenario: Users have access to 2 companies with the same TCODE in 2 different roles, one for display and one for modification.

Role A with TCODE: FS00, Object: F_SKA1_KTP, Activity: 02, 08, Value: *
Role B with TCODE: FS00, Object: F_SKA1_KTP, Activity: 03, Value: TGGA, TGRP

You have removed the TCODE: FS00 in Role A and expect the user will only be able to perform the display feature with Role B, but the user still manages to perform display and modification features on the 2 relevant companies, which is an unexpected authorization / conflict.

Reason: Even though the TCODE has been removed from the role menu or from the S_TCODE object value in the single role, the customized object value still remains in the role and causes the authorization conflict to appear.

Role A: object "F_SKA1_KTP" for display only

Role B: object "F_SKA1_KTP"

Solution:

1) Be careful when removing a TCODE from roles to ensure all overlapping object values are removed completely.

2) Create a customized object (requires some ABAP programming .. sample solution will be posted soon ... )
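
The conflict above can be reproduced with a small model of how the authorizations from all of a user's roles are combined. This is an added example, not part of the original document and not SAP code: the role contents follow the scenario, while the field name VALUE, the helper names and the simplified check logic are assumptions made for illustration.

```python
# Added illustration: simplified model of how a user's roles combine.
# Role contents mirror the FS00 / F_SKA1_KTP scenario; the check logic is a
# simplification for this example, not SAP code. "VALUE" is a stand-in field name.

def auth(obj, **fields):
    """One authorization: object name plus allowed values per field."""
    return {"object": obj, "fields": {k: set(v) for k, v in fields.items()}}

S_TCODE_FS00 = auth("S_TCODE", TCD=["FS00"])
ROLE_A_OBJECT = auth("F_SKA1_KTP", ACTVT=["02", "08"], VALUE=["*"])
ROLE_B = [S_TCODE_FS00, auth("F_SKA1_KTP", ACTVT=["03"], VALUE=["TGGA", "TGRP"])]

def check(user_auths, obj, **wanted):
    """Pass if one single authorization covers every requested field value."""
    for a in user_auths:
        if a["object"] != obj:
            continue
        fields = a["fields"]
        if all("*" in fields.get(f, ()) or v in fields.get(f, ())
               for f, v in wanted.items()):
            return True
    return False

def can_run_fs00(user_auths, activity, value):
    """Transaction start check on S_TCODE, then the object check."""
    return (check(user_auths, "S_TCODE", TCD="FS00")
            and check(user_auths, "F_SKA1_KTP", ACTVT=activity, VALUE=value))

def leftover_objects(role, other_roles, tcode="FS00"):
    """Heuristic: objects left in a role that lacks the TCODE while another role grants it."""
    has_tcode = check(role, "S_TCODE", TCD=tcode)
    granted_elsewhere = any(check(r, "S_TCODE", TCD=tcode) for r in other_roles)
    if has_tcode or not granted_elsewhere:
        return []
    return sorted({a["object"] for a in role if a["object"] != "S_TCODE"})

# Three states of the user's role assignment (constructed from the scenario).
before = [S_TCODE_FS00, ROLE_A_OBJECT] + ROLE_B   # Role A + Role B as designed
tcode_removed = [ROLE_A_OBJECT] + ROLE_B          # FS00 removed from Role A only
cleaned = ROLE_B                                  # Role A's object value removed too

if __name__ == "__main__":
    for name, auths in [("before", before), ("tcode_removed", tcode_removed),
                        ("cleaned", cleaned)]:
        print(name, "change TGGA:", can_run_fs00(auths, "02", "TGGA"),
              "display TGGA:", can_run_fs00(auths, "03", "TGGA"))
    print("leftover in Role A:", leftover_objects([ROLE_A_OBJECT], [ROLE_B]))
```

In the tcode_removed state the change check still passes because Role B supplies the S_TCODE entry and Role A still supplies activity 02; only the cleaned state limits the user to display on TGGA and TGRP.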

Authorization: Comparing role between different systems

There may be times when the same role in different systems contains different TCODE or object values. The fastest way to locate such differences is the cross-system role comparison.

Assumptions: Execute the comparison of a role in DEV against QAS

Steps:

1) Execute TCODE: SUIM -> Comparisons -> From Roles

2) Click the "Across systems"

3) Enter the RFC for both systems and the role to be compared

4) System will prompt for QAS login

5) Results of the role comparison between systems

6) Double click on the relevant row and the details will be shown (in this example the TCODE in both roles are different)

Creating Master and Derived Roles

Are you looking for a way to create or maintain roles more efficiently?

Example: to manage multiple roles which are common in terms of TCODE and authorization object values but differ in company code / organization level in FICO modules.

Steps to create master and child roles:

1) Execute "PFCG" and create a new master role (Z_MASTER_ROLE_1) and assign value for the pending object (*) and leave the "Org Level" empty

2) Create a new child role (Z_MASTER_ROLE_CHILD_1) and derive it from the master role created earlier

3) Click "Yes"

4) Ensure the correct master role has been selected and save the child role for now

5) Go back to the master role and click the "Generate Derived Role" button to refresh all the object values for the child roles attached to it

6) Click the "tick" icon to continue and start the child role refresh

7) Click "Generate"

8) Go back to the child role and observe that it has been updated with the TCODE and authorization data from the master role

9) Enter the relevant "Org Level" for the child role

10) Done: "save" and "generate profile" for the child role and it is ready to be used

11) Here you go: you can create multiple child roles based on the master role as a template. Any TCODE / authorization object value added in the master role can be pushed to all the child roles easily without impacting the child roles' "Org Level".

12) The master and child role relationship can be displayed by using SQVI or TCODE: SE16 on table: AGR_DEFINE.