For an SAP Security Consultant on an upgrade project, remediating roles is like washing your car: tiresome, messy, and never ending. Even so, a process this stressful can be improved, making life easier for every security consultant working on it.
Usually, when a role is up for remediation, we find some new objects popping up, which are either organizational level objects or non-organizational objects. The values for both kinds of objects have to be found and updated in the role, but finding the values is a demanding job. We have to open tables like AGR_1251, AGR_1252 and even AGR_AGRS. Opening all the tables, verifying the values in them and then checking for discrepancies against the previous systems takes time and effort, with a lot of confusion involved in the process.
The upgrade project that I am currently working on has an L-S-T format; that is, Local, Slave and Temporary roles exist in the Composite role. So if any org-level roles show up in the local role, they have to be copied to the slave roles. There is another catch: a local role can exist in many composite roles, and each of those composite roles can have different slave roles. In that case, if we encounter some org-level objects in the local role, we end up copying all those roles and pasting them into each of the slave roles. All this copying and pasting surely consumes a lot of your precious time.
We faced this exact problem in our project, so we came up with this fantastic tool which really saved our souls. The tool takes the name of the local role as input and offers three different functionalities. The first finds the missing values of the non-org objects that show up in the role, so opening the AGR_1251 table to check over and over again is no longer a mandatory step. The second finds all the org-level objects that exist in the role. The third checks whether the org-level objects we just found (the result of the second functionality) exist in all the corresponding slaves or not. That means the manual copying of the org-level objects is no longer needed, and the constant referring to tables like AGR_AGRS is surely reduced.
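
The three checks described above can be sketched over exports of the same tables. This is an added example, not the tool from the project: the rows, the role names and the `ZS_` prefix used to recognise slave roles are constructed assumptions, and only the table and field names are SAP's.

```python
# Constructed rows shaped like SE16 exports; role names and the ZS_ prefix
# used to recognise slave roles are assumptions, not taken from the article.
AGR_AGRS = [  # (AGR_NAME, CHILD_AGR): composite role -> contained role
    ("ZC_FI_A", "ZL_FI_DISP"), ("ZC_FI_A", "ZS_FI_A"),
    ("ZC_FI_B", "ZL_FI_DISP"), ("ZC_FI_B", "ZS_FI_B"), ("ZC_FI_B", "ZT_FI_B"),
]
AGR_1252 = [  # (AGR_NAME, VARBL, LOW): org-level values per role
    ("ZL_FI_DISP", "$BUKRS", ""), ("ZL_FI_DISP", "$WERKS", ""),
    ("ZS_FI_A", "$BUKRS", "1000"), ("ZS_FI_A", "$WERKS", "1100"),
    ("ZS_FI_B", "$BUKRS", "2000"),
]
AGR_1251 = [  # (AGR_NAME, OBJECT, FIELD, LOW, DELETED): authorization values
    ("ZL_FI_DISP", "S_TCODE", "TCD", "FB03", ""),
    ("ZL_FI_DISP", "F_BKPF_BUK", "ACTVT", "03", ""),
    ("ZL_FI_DISP", "F_BKPF_BUK", "BUKRS", "$BUKRS", ""),
    ("ZL_FI_DISP", "F_BKPF_KOA", "KOART", "", ""),    # open field
    ("ZL_FI_DISP", "F_BKPF_GSB", "GSBER", "", "X"),   # deleted, ignored
]

def open_fields(role):
    """Check 1: fields of the role that still have no value maintained."""
    return [(obj, fld) for r, obj, fld, low, deleted in AGR_1251
            if r == role and not low and deleted != "X"]

def org_levels(role):
    """Check 2: org-level variables that exist in the role."""
    return {varbl for r, varbl, _ in AGR_1252 if r == role}

def slave_gaps(local, is_slave=lambda name: name.startswith("ZS_")):
    """Check 3: org levels of the local role that have no value in a slave,
    for every composite role that contains the local role."""
    needed = org_levels(local)
    composites = {comp for comp, child in AGR_AGRS if child == local}
    gaps = {}
    for comp, child in AGR_AGRS:
        if comp in composites and is_slave(child):
            filled = {v for r, v, low in AGR_1252 if r == child and low}
            missing = sorted(needed - filled)
            if missing:
                gaps[(comp, child)] = missing
    return gaps

if __name__ == "__main__":
    print(open_fields("ZL_FI_DISP"))
    print(sorted(org_levels("ZL_FI_DISP")))
    print(slave_gaps("ZL_FI_DISP"))
```
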
This is just one way to save some time while working on demanding role remediations. We can still make more changes to the tool that would further decrease the time we spend. For example, in some cases we look up the transactions of the corresponding objects and refer to USOBT_C to check whether these transactions existed in the older system that we are updating. This functionality could also be added to our tool, which might enhance it and save us even more time. But all this depends on the requirements of each project. These are all ideas that can be implemented as needed to save some effort and energy.