Question:
Does anyone know if there is a way in 4.0 (or 4.7, client is upgrading soon) that you can report which activity groups/roles have had an object manually inserted or have objects that are in "Changed" status. Well, besides going through them one by one in profile generator? I am trying to figure out which activity groups have had manual changes to the S_TCODE object.
Answer:
I believe in 4.6 and 4.7 SAP provides a report that lists manual S_TCODE; the report name should be PFCG_AGRS_WITH_MANUAL_S_TCODE. If not, you can look in AGR_1251 or AGR_1252, field MODIFIED.
Answer:
I believe in 4.6 and 4.7 SAP provides a report that lists manual S_TCODE; the report name should be PFCG_AGRS_WITH_MANUAL_S_TCODE. If not, you can look in AGR_1251 or AGR_1252, field MODIFIED.
I have been looking for a solution for this for some time now, but beyond the s_tcode modifications in PROD.
If the activity groups have a batch job running which regenerates them (often a daily job), the modified field will not give you the manual changes but rather that of the job in PROD.
One way is a cross-system comparison, but I do not know of any nice reports for this. Another way is if SM19 is configured for this, you will find an event for change / create authorization.
Does anyone know a water-tight way of checking this?
Bob
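A sketch of the cross-system comparison mentioned in the post above, added here as an example and not taken from any poster or from SAP. It assumes AGR_1251 has been exported from both systems as pipe-delimited text with the columns AGR_NAME, OBJECT, FIELD, LOW, HIGH and DELETED; the role names and rows are constructed sample data.

```python
import csv
import io

# Constructed sample exports of AGR_1251 rows; the export format
# (pipe-delimited, these six columns) is an assumption.
DEV_EXPORT = """\
AGR_NAME|OBJECT|FIELD|LOW|HIGH|DELETED
Z_AP_CLERK|S_TCODE|TCD|FB60||
Z_AP_CLERK|S_TCODE|TCD|FB03||
Z_AP_CLERK|F_BKPF_BUK|ACTVT|01|03|
Z_MM_BUYER|S_TCODE|TCD|ME21N||
Z_MM_BUYER|S_TCODE|TCD|ME23N||
"""

PRD_EXPORT = """\
AGR_NAME|OBJECT|FIELD|LOW|HIGH|DELETED
Z_AP_CLERK|S_TCODE|TCD|FB60||
Z_AP_CLERK|S_TCODE|TCD|FB03||
Z_AP_CLERK|S_TCODE|TCD|SE16||
Z_AP_CLERK|F_BKPF_BUK|ACTVT|01|03|
Z_MM_BUYER|S_TCODE|TCD|ME21N||
Z_MM_BUYER|S_TCODE|TCD|ME23N||X
"""


def load_rows(export_text, only_object=None):
    """Return the set of active (role, object, field, low, high) tuples."""
    rows = set()
    for row in csv.DictReader(io.StringIO(export_text), delimiter="|"):
        row = {k: (v or "").strip() for k, v in row.items()}
        # Skip rows flagged as deleted and, optionally, other objects.
        if row["DELETED"] or (only_object and row["OBJECT"] != only_object):
            continue
        rows.add((row["AGR_NAME"], row["OBJECT"], row["FIELD"],
                  row["LOW"], row["HIGH"]))
    return rows


def compare_systems(dev_text, prd_text, only_object=None):
    """Diff authorization values between the two exports."""
    dev = load_rows(dev_text, only_object)
    prd = load_rows(prd_text, only_object)
    return {"only_in_prd": sorted(prd - dev), "only_in_dev": sorted(dev - prd)}


if __name__ == "__main__":
    for side, rows in compare_systems(DEV_EXPORT, PRD_EXPORT, "S_TCODE").items():
        for role, obj, field, low, high in rows:
            print(f"{side}: {role} {obj} {field}={low} {high}".rstrip())
```

Rows that exist only in the development export can also be changes that have not been transported yet, so that side of the diff needs checking against open transport requests. Values are compared literally, so a range or wildcard in one system and its expanded values in the other will show up as a difference.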
Answer:
Your posting is not too clear... but in higher versions of SAP there is no need to generate the roles daily (nor in earlier versions, only if the role changes). If your posting is referring to WHO changed it last to "manual", then you can run the SUIM change history reports on Authorization and find it there. In higher versions where the report is, you can always find if there IS a manual; who put it in is in the role change history in PFCG, you just have to look deep enough.
Answer:
Your posting is not too clear...
Can the SUIM reports show whether the change occurred as a result of a transport, or alternately as a result of a change directly in production?
What I am referring to is SU02 use in a higher version.
Bob
Answer:
Change history is only for the actual changes made in the system (unless you transport the USHxx tables). So if there is a change record in SUIM in production, it means it was changed in PRD. In earlier versions of SAP you had to regen the roles (activity groups) once transported, so there was a change record.
Since you are supposed to single-source your role and NOT make changes in PRD and use change management (transport), you should never have a change document on a change in the contents of the role or profile.
Answer:
Change history is only for the actual changes made in the system (unless you transport the USHxx tables). So if there is a change record in SUIM in production, it means it was changed in PRD. In earlier versions of SAP you had to regen the roles (activity groups) once transported, so there was a change record.
Since you are supposed to single-source your role and NOT make changes in PRD and use change management (transport), you should never have a change document on a change in the contents of the role or profile.
It depends on the configuration. The regeneration of the authorizations via job can still be used in higher versions.
For the change docs, the STMS change log can also be active for the table changes, which creates a change doc for the transported change. Filtering the change user field between user account and transport request is tedious.
Imagine the requirement: You already have an appreciation for the authorizations at object and characteristic level and the assignment at user level, irrespective of which roles / profiles are enabling the authorization. Check in 1 minute whether authorizations (profiles and roles) are being maintained / changed in Production. If yes, then in 10 minutes, get an overview of which changes and to what extent (perhaps completely for period x years) the correct development, testing and approval of the concept has not been followed?
I think that the variables are too many to be able to meet this requirement, or at least I don't know how to.
Any tricks available?
Bob
Answer:
It may not be what you are after but you can report on object status in roles via AGR_1250 (normal caveats apply).
I'm not on SAP right now but if I recall correctly the field Object Status will tell you if objects are Manual, Standard etc.
Cheers,
Al.