Question:
IF I have created a role and set the appropriate activity levels to the required authorization level...
and then add a object via add tcode or add from role...the objects that were changed now have additional objects as new? which means more yellow lights?
What is the difference between standard new/old, maintained new/old, change new/old?
Am I doing something wrong by deleting the "yellow" objects that are new objects since I know have been maintained "old" values correctly...
Thanks
Mike b
Answer:
and then add a object via add tcode or add from role...the objects that were changed now have additional objects as new? which means more yellow lights? When you add a tcode to the role, which should be added to the menu tab and not inserted or inserted from a role in the auth tab, SAP gives you a choice to "read old...Merge new" authorization, which you should do on EVERY entry into the authorizations. This is a required step so SAP can reference the configuration in SU24 for the tcode added to the menu and create authorizations based on the objects configured in SU24. If SAP sees a conflict between what it will add and what exists and it beleives by merging the authorizations extra access could be added, SAP will not merge an authorization but add a new one, generally in "yellow". The phenomonon is caused by inconsistent configuration of the tcodes in SU24. The biggest offender is the blank activity, followed by some tcodes having some fields supplied and some blank. They all need to be consistent and there should never be a blank activiy. If your settings are set correctly in the authorizations tab, there is an overview ICON (mountain with sun over it) that will show you what tcodes brought the authorization in and the values.
What is the difference between standard new/old, maintained new/old, change new/old? Standard is the authorization "as SAP delivered it from SU24", the prefered setting. This can be either green or yellow ( the Yellow will have to be resolved and become Maintained). Maintained - the customer supplies the missing values and DOES NOT touch the supplied values; prefered setting.
change - NEVER HAVE A CHANGED setting in a role, this means the customer changed a SAP supplied value and SAP will never remove these when the tcode responsible for adding it is removed.
Am I doing something wrong by deleting the "yellow" objects that are new objects since I know have been maintained "old" values correctly... Well, Yes. SAP will always add these back and is trying to tell you your configuratin for the tcodes in SU24 are inconsistent.
Answer:
For example I add tcode and I only want display access so when I change it to 03 the object status is now changed.....
What is wrong with being in change status.....because the object is at the exact activity code.....
John can you elaborate?
Mike B
Answer:
The object may be what you want, but if the tcode form SU24 brings in 02 ( and it is correct) and not 03 then the tcode probably will not work and you need to replace the tcode with the proper one that is a display tcode and not change the value in the supplied authorization. In some cases the tocode will toggle to display ( a lot of the config tcodes) if the user only has display but genreally gets a message interupting the tcode. In this case the SU24 needs to be configured tot he most restrictive (DISPLAY) and if other used need change then add a manual authorization with the 02 value.
If you change the supplied values SAP never touches the authorization again and if you remove the tcode an auhtorization in CHANGED status remains and the user keeps the access. Also you run the risk of the org values not changing if you change the master list of org levels. Change status in a role is poor practice. You should ALWAYS have an auhtorization in STANDARD/MAINTIANED If you need something out of th ordinary, add a manual. then you have a standard to support manual and if no STANDARD/MAINTIANED exist you should question the need for the manual.
Answer:
Thanks John,
Appreciate the explanation and it makes sense now that I understand the correct process.....
Mike Brogan