Question:
Hi all,
Do anyone has the idea of the difference between a Role that we make using T-Code PFCG and the Profile,
Why at all there is a Profile when we never use it?
what is its role?
bye
Answer:
You do use profiles, you just never see them... OFCG is "Profile Generator", a fancy front end to take the drudgery out of creating profiles that are assigned to the user and gives them their access. If you look in SU01 there is a tab to assign roles and if you look at the Profiels tab you will see the profiles added to the ID that represent the role....
A role is "all the access a user needs to do their job" corrolay: " a user may have more than one job"
Answer:
Hi,
But my question here is why at all there was a need to introduce profile when we actually play with a Role ,
Its clear that as soon as we generate a role a profile also gets generated with it , but why ?
Can we play only with thw profiles ?
bye
Answer:
In its simplest terms the Role is jsut a collection of menu items, transactions and reports. The profile is the collection of associated authorisatioin objects and their values which are brought through to the Role when you add the transactions etc.
Back before profile generator (PFCG) you created Profiles directly and added and maintained authorisations manually, including S_TCODE. Very labour intensive, lots more tracing of actions and so on to determine what was required. The Profile Generator won't create the perfect profile for you but if you keep SU24 properly configured it'll go a long wa towards it.
_________________
Sandi
~~~~
Apparently Father Christmas, the Easter Bunny, the Tooth Fairy and Star Wars aren't real
Tuly kiwi.
Answer:
But my question here is why at all there was a need to introduce profile when we actually play with a Role , Because the profile is the results of "playing with the role" and what you are after. The role is a pretty front end that makes it easier to create a profile. Without the ROLE ( PFCG) you will have to use SU02 and create each authorizaion that goes in the Profile yourself. You will also have to find all the authorization object you need to use, by your self either by running tests on the tcode and using SU53 to find what is missing in your profile, add, retest or use ST01 to trace the authorizations, then manually create all the authorizations.
Its clear that as soon as we generate a role a profile also gets generated with it , but why ? You do NOT generate a role. you generate a profile FROM a role. A role is a collection of data that has no meaning untill you hit the genreate button and create/maintain a profile.
Can we play only with thw profiles ? Yes you can but the amount of effort to do so is 20 to 30 time more than using PFCG and you cannot play with profiles only either from maintaining access or assigning access to a user.
The roel is a focal point that keeps all the pieces together. If your role is large enough PFCG may create SEVERAL profiles. if you use only the profile then you may not assign all you need or find the pieces you need to maintain.
Answer:
I have read all that has been posted under this topic.
I am currently reading the intro to the document Authorisations made easy, I note that the document related 4.5A/B. I find no mention of the word 'role' in the document. My question is whether 'Role' is something that 4.6x introduced?
Answer:
the terms Activity Group and Roles are interchangeable, and should just be seen as two words for the same thing.
Answer:
It is a part of SAP's bigger plan to either keep anyone who does not look beyond the screen in the dark, or confuse the living daylights out of them.
Tarr
Answer:
the terms Activity Group and Roles are interchangeable, and should just be seen as two words for the same thing.
You will also have the term Responsibilities in some versions of 4.0
Answer:
Role is ajust a word. Before 4.6c they were called activity groups but a 4.5 activity group is technically identical to a 4.6c role.
A history lesson is necessary. Before there was a real profile gnerator there were only profiles. Profiles were built with transaction SU02. They were tedious to build. There was no SU24. Customers complained about the high cost of security so SAP responded with the profile generator so that customers could hire lazy security people that didn't know how to think. The first modern profile generator was introduced in version 3.1g.
From 3.1g to 4.0 the changes were evolutionary. From 4.0 to 4.5 the technical changes were significant. However in all cases an old pre-3.1g profile with authorizations was generated. The user still derives his authority from the authorizations in the profile. It is possible for the role to disappear entirely but if the profile and authorizations are still there (and assigned to a user) it will still work.
Just a note. There was a crude profile generator in the 2.1 version of R/3 but it disappeared by 2.2.
Over the years we have read that SAP would eliminate old style profiles and authorizations and just use the data in roles but as late as 6.4 WAS this hasn't happened and it seems less likely all the time.
Answer:
Many thanks to all esp the history lesson.
to sum up the sequence will be
Role-Authorisation Obj-Authorisations-Profiles-User
right?
Answer:
Ultimately when SAP loads the buffer it is authorizations to user. Profile just facilitates management and to be sure you are correct at the user management level.
Answer:
Many thanks to all esp the history lesson.
to sum up the sequence will be
Role-Authorisation Obj-Authorisations-Profiles-User
right?
Role (PFCG) gives a visual presentation of objects (it is also just a tool) -> enter the authorization values for them -> generate the profiles for those auths (the visual bit is usually gone now) -> assign user to role or role to user (or responsibility to user or even worse... role to composite activity group and composite roles to user...) -> this will use the profiles (search forum for "SAp does not care") to match the auths in the user buffer.
The full disaster.
Depending on your auth new buffering and some other things, you may or may not get the result you originally set out to achieve when the lights went green in PFCG and your consultant patted you on the back and said "well done son!" and you reported SoD being 1:1 in technical terms as well as your tool and security being as as tight as a Scotsmanīs wallet.
Just my pennies worth,
Tarr