Question:
Hi when ever i user merge with old and get new option in pfcg , system gets new authorization object every time i change it , and also the state is changed from maintained to changed state , how can i make sure that every time it does not bring in new values and change into changed state ? does edit old status stop me from from bringing new values? whats the best practice to do so
Answer:
will a changed state in pfcg automatically change to maintained if we make changes in su24 properly after the changes ?
Answer:
Hi when ever i user merge with old and get new option in pfcg , system gets new authorization object every time i change it , and also the state is changed from maintained to changed state , Working as designed. Your configuration in SU24 is ou of sync for transactino cdoes that use the same objects, generally caused by missing Activites. PFCG will continulally do this until you:
1. Configure SU24 correctle ( the overview icon will show which tcodes to fix) or
2. take the lazy way and inactivate the oject brought in ( but you will not know which ones are actually good "new" or poorly configure SU24 "new"
how can i make sure that every time it does not bring in new values and change into changed state ? Conigure SU24 correctly. If the authorization is in CHNAGED state it is because YOU changed a SAP value delived from SU24, SAP does not bring in changed state, itonly is responsible for STANDARD and MAINTIANED
does edit old status stop me from from bringing new values? Yes but it is poor practice, you want to read-old-merge-new EVERY entry ( there is always an exception) to a role so you are continulaly correcting and updating your roles with the lates configuration in SU24. If SU24 is properly configure the ONLY "new" objects are [resent because you added a tcode or changed configuration. You should ONLY have authorizations in status STANDARD or MAINTAINED, and NEVER have a CHANGED State. You should only have a MANUAL if you have a Standard/maintianed to support is existance ( there is one or two exceptions).
will a changed state in pfcg automatically change to maintained if we make changes in su24 properly after the changes ? No, nor will it ever disapear if you remove the tcode. Once in the changed state, SAP leaves it alone. (Do note, there is one patch level where this in not true, but it also causes major damage to your role
Answer:
thanks John,
please explain me how to maintain Manual , does it mean that after configuring su24 to the msot restrive way , click on manually button on top and add the standard object for which we need to provide excess access? doesnt manual caause any problem as SAP will not check for these values too in future?
so when removing any tcode we need to manually delete these options?
Answer:
please explain me how to maintain Manual , does it mean that after configuring su24 to the msot restrive way , click on manually button on top and add the standard object for which we need to provide excess access? Yes
doesnt manual caause any problem as SAP will not check for these values too in future? It does not cause a problem , and if there is an org level and you let the org level screen do the maintenance then SAP will continue to maintaint he org level. But manual causes SAP to leave the authorization alone.
so when removing any tcode we need to manually delete these options?All Manual authorizations should have a standard/maintained to support the need for the manual
Answer:
Please explain me in these two cases
1. for a tcode sap checks for s_tabu_dis for activity 03 and auth grp ppm , but before in su24 we just has configured for this tcode as 03 and empty, now in pfcg , it will be in yellow as 03 and empty , if i try to change the empty auth group values it wil turn as changed state? but atleast one auth group has to be filled in the empty value? so how can i do without changing it to changed state , lets assume i add all other activity groups required as manual for the same object ,
also can we will fill the minimal auth groups required for this tcode inside su24?
2.any changes in su24 asks for a transport request so once it goes to production for every change we need to transport from dev to prod?
thanks for all
Answer:
john can you please clarify on these two please , so one who has knowledge on this please guide me
Answer:
1. for a tcode sap checks for s_tabu_dis for activity 03 and auth grp ppm , but before in su24 we just has configured for this tcode as 03 and empty, now in pfcg , it will be in yellow as 03 and empty , if i try to change the empty auth group values it wil turn as changed state? but atleast one auth group has to be filled in the empty value? so how can i do without changing it to changed state , lets assume i add all other activity groups required as manual for the same object ,
also can we will fill the minimal auth groups required for this tcode inside su24?
SAP gave 03 and Blank for S_TABU_DIS. If you fill an Authorization group it will become a "MAINTAIN" state but not "CHANGE" state. If you know the minimal values that goes into the field, then you can fill it in SU24. For S_TABU_DIS will there be any minimal auth. group???? I guess NO.
2.any changes in su24 asks for a transport request so once it goes to production for every change we need to transport from dev to prod?
For every change in SU24 we do need to transport from Dev to PRO
Answer:
For every change in SU24 we do need to transport from Dev to PRO If you follow the standard of ONLY single sourcing your roles (both create and change) from development and NEVER hit read old merge new in PRoduction, the only REQUIRED transport is if you change the SU24 from 'N' to any other value or any value to 'N'. Other thatn that a periodic transport to sync the table is nice but not needed. PROVIDED all your work is done in DEV.
Do note some of the SOD third party tools require a correct SU24 to be of any value and if this is the case you need to keep Production up-to-date so the SOD reports are "accurate".