Tuesday, February 10, 2009

When you encounter errors during testing of roles, you can use SU53 and ST01 to analyze the error.

  1. Ask the user to run SU53 to display the result of the last failed authorization check. It is important that the user runs SU53 immediately after the failed authorization check, as only the last object that failed the authorization check is saved.
  2. You can run a trace using ST01 to further analyze the error.

  • Authorization objects enable complex checks of an authorization, which allows a user to carry out an action. An authorization object can group up to 10 authorization fields that are checked in an AND relationship.
  • For an authorization check to be successful, all field values of the authorization object must be maintained accordingly. The fields in an object should not be seen as input fields on a screen. Instead, fields should be regarded as system elements, such as infotypes, which are to be protected.
  • You can define as many system access authorizations as you wish for an object by creating a number of allowed values for the fields in an object. These value sets are called authorizations. The system checks these authorizations in OR relationships.
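
The AND/OR evaluation described above, as an added example that is not part of the original post: a small Python model in which all checked fields must match inside one authorization (AND), while any single authorization is enough (OR). The authorization names, the rows and the simplified range and trailing-`*` matching are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from a real system): authorizations a user holds
# for one authorization object, one row per (authorization, field, from, to).
ROWS = [
    ("AUTH_01", "ACTVT", "03", ""),        # display only ...
    ("AUTH_01", "BUKRS", "1000", "1999"),  # ... in company codes 1000-1999
    ("AUTH_02", "ACTVT", "01", "03"),      # create/change/display ...
    ("AUTH_02", "BUKRS", "2000", ""),      # ... in company code 2000 only
    ("AUTH_03", "ACTVT", "*", ""),         # any activity ...
    ("AUTH_03", "BUKRS", "30*", ""),       # ... in company codes starting with 30
]


def value_matches(checked, low, high):
    """Simplified value test: range, '*' / trailing-'*' pattern, or exact value."""
    if high:
        return low <= checked <= high
    if low.endswith("*"):
        return checked.startswith(low[:-1])
    return checked == low


def authority_check(rows, check):
    """Return (passed, {authorization: [fields that failed]})."""
    auths = defaultdict(lambda: defaultdict(list))
    for auth, field, low, high in rows:
        auths[auth][field].append((low, high))
    report = {}
    for auth, fields in auths.items():
        # AND: every checked field must match within this one authorization.
        report[auth] = [
            field for field, value in check.items()
            if not any(value_matches(value, lo, hi) for lo, hi in fields.get(field, []))
        ]
    # OR: one authorization with no failing field is enough.
    return any(not failed for failed in report.values()), report


if __name__ == "__main__":
    for check in ({"ACTVT": "03", "BUKRS": "1500"},
                  {"ACTVT": "01", "BUKRS": "1500"}):
        print(check, authority_check(ROWS, check))
```

The second check fails even though activity 01 and company code 1500 each appear somewhere in the user's authorizations: values from different authorizations are not combined.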

Once I had a couple of roles which were made just to hold reports. The number of reports was huge. Here is how I did it.
First create a CATT script with a dummy role and add one tcode. Make the role and T-code variants. Once you have this you can add any number of tcodes to any existing role. I could reuse this to create other roles where I had to insert a lot of T-codes.

1. Open two sessions

2. Execute transaction ST01 in one of the sessions

3. Select the authorisation checkbox, note the other traces you can perform (SQL, RFC, Table Buffer etc)

4. Click the ‘Trace On’ button

5. Within your other session, execute the transaction/report you want to trace, or get the user in question to do it

6. Return to the session where you turned the trace on and click on ‘Trace Off’, otherwise it will continue to record all authorisation checks

7. Click on the ‘Analysis’ button

8. Enter appropriate data into selection screen such as Username, type of trace records (i.e. Authorization check)

9. Click on the Execute button.

10. The report with the trace results is now displayed

Administrators who use the Profile Generator require authorization for the following authorization objects:

  • S_USER_AGR: Authorization Check for Activity Groups
  • S_USER_TCD: Transaction Assignment of Transactions to Activity Groups
  • S_USER_GRP: User Master Maintenance: User groups
  • S_USER_PRO: User Master Maintenance: Authorization Profile
  • S_USER_AUT: User Master Maintenance: Authorizations
  • S_USER_VAL: Maintenance of Authorization Values in Activity Groups

This all depends. In some cases authorization groups must exist in a custom table before they can be used. This is true for table authorization groups (authorization group in table TBRG assigned to tables in table TDDAT via transaction SE54) and user groups (created in transaction SUGR). In some cases authorization groups are merely created when they are assigned to the object in a standard maintenance transaction (e.g. vendor master data, customer master data, material master data etc.). In other cases the authorization group has an optional validation table that is used in search helps but nowhere else (ABAP programs in table TPGP and TPGPT, report writer authorization groups (via table TBRG) etc.). Authorization groups are essentially labels that you assign to objects (tables, programs, master data etc.) that allow authorization checks for access to the objects with the label.

Friday, February 6, 2009

Role & Profile

What is the difference between role and a profile?

Role and profile go hand in hand. A profile is brought in by a role. A role is used as a template, where you can add T-codes, reports and so on. A profile is what gives the user authorization. When you create a role, a profile is automatically created.

What is the use of role templates?

User role templates are predefined activity groups in SAP consisting of transactions, reports and web addresses.

What is the difference between single role & composite role?

A role is a container that collects the transactions and generates the associated profile. A composite role is a container which can collect several different roles.

What are profile versions?

Profile versions are nothing but this: when you modify a profile parameter through RZ10 and generate, a new profile is created with a different version and it is stored in the database.

Is it possible to change role template? How?

Yes, we can change a user role template. There are exactly three ways in which we can work with user role templates:
- we can use them as they are delivered in SAP
- we can modify them as per our needs through PFCG
- we can create them from scratch.
For all of the above we have to use the PFCG transaction to maintain them.

Personalization Tab Within PFCG

Please explain the personalization tab within a role.

Personalization is a way to save information that could be common to users, I mean to a user role... E.g. you can create SAP queries and manage authorizations by user groups. Now this information can be stored in the personalization tab of the role. (I suppose that it is a way for SAP to address the ambiguity of its concept of user groups and roles: is "usergroup" a grouping of people sharing the same access or is it the role that is the grouping of people sharing the same access?)

How to insert missing authorization? Ways?

SU53 is the best transaction with which we can find the missing authorizations, and we can insert those missing authorizations through PFCG.

Table of authorisation field settings

Is there a table for authorisations where I can quickly see the values entered in a group of fields?
In particular I am looking to find the field values for P_ORGIN across a number of authorisation profiles, without having to drill down on each profile and authorisation.

AGR_1251 will give you some reasonable info.

Table with deleted users

Someone has deleted users in our system, and I am eager to find out who. Is there a table where this is logged?

Debug or use RSUSR100 to find the info.

Run transaction SUIM and go down to its Change documents.

How can I make T_Code SPRO Read Only

I have a requirement to make SPRO read only. As you know it has a tree-like structure and to make it read only seems impossible.

You cannot make SPRO 100% display only by ANY setting. The SCC4 option only turns configuration tables to not modifiable but still allows the non-config delivery class tables (or those configured to be changeable) to be modified. It does nothing for the tcodes that are NOT table maintenance and not controlled by S_TABU_DIS. These will still allow configuration. All the tcodes in the SPRO are in several tables; CUST_ACTOBJ (spelling?) is one.

Your only real option is to create a role with all the tcodes in it that are in the SPRO, remove the create and change to display (generally by changing the last number on the 4 digit tcodes to 3), remove all the create and change access in all the activities and allow only the display.

PFCG allows you to create a role from a SPRO project so the user menu will come close to the SPRO menu, which with your changes will be display.

Mass Delete of Old Roles

How can I do a mass delete of the roles without deleting the new roles?

There is a SAP delivered report that you can copy, remove the system type check and run. To do a landscape with delete, enter the roles to be deleted in a transport, run the delete program or manually delete and then release the transport and import them into all clients and systems.

It is called: AGR_DELETE_ALL_ACTIVITY_GROUPS.

To use it, you need to tweak/debug & replace the code as it has a check that ensures it is deleting SAP delivered roles only. Once you get past that little bit, it works well.