Retaining old authorizations while copying the Role
In any role based SAP system we often come across the situation, where we have to copy the authorization of one user to a new user. For this we create new roles from the roles assigned to the existing users. But when we copy a role to a new role we have to regenerate the authorization. Here the problem comes, as we regenerate the authorization, all the previous data get lost and new objects are generated with different values(Plant, activity, organisation level…etc).Now we have to change the value for each object by seeing the values from old role.This is arduous.
But SAP provides a solution for this. Whenever you copy a role generate the authorization in export mode and ” select edit old status ” and your old authorization value will remain intact.
Hello,
this is pretty basic and also dangerous/ misleading/ often damaging the authorization concept. Would you care to elaborate on this so that you provide enough clues for the beginners to be careful?
thanks, Otto
Hi Otto,
I know this is pretty basic. But I don't understand your comment:'dangerous/ misleading/ often damaging the authorization concept'. Would you care to elaborate on this?
Hi
If the original role has always been updated using the edit old status it will be 'screaming in agony' every time it is updated (say by adding a tcode) as the SU24 entries relating to it are trying to help you maintain the role and not being allowed to do so.
Read about SU24...
When you create a copy of the existing role the same situation exists whether derived (edit - not sure) or single.
Using expert mode updates the role, using edit old is the "insect in amber" route - eventually it will hatch out and bite you 🙂
Cheers
David
thats the whole point. In this method you are not supposed to add any tcode in menu. you have to just copy and generate the authorization.
Regards,
Deepak
Hi
Sorry - I think you may be missing the 'whole point' bit I was trying to hint at but I am happy to dig further 🙂 to help
The way the existing role which you are copying from has (it looks like according to your explanation) been maintained historically in an 'edit old status' mode or something very similar?
If you were to create a new temporary role with the transactions in it from 'scratch' what does it look like? Same as the original role or more like the newly created copied role?
Do you use SU24 and then expert mode when in PFCG/SUPC?
Edit - the 'insect in amber' comment refers to the fact that the roles are no longer running on the latest USOB* table entries..
Kind regards
David