Question:
We have nearly 2,000 users and 200 Plants and have about 12,000 old Composite Roles which are now converted into Roles in 4.6c. We are having some performance problems with Transactions pgcg so we have switched to using su01 / su10 and it is much better. The problem is that when we upgraded from 4.ob to 4.6c we assigned the new roles to the users. This was middle of last year. Users therefore have the old composite profiles and the corresponsing new roles. I started last week to clean up the user masters and remove the old composite profiles but have had to stop and reverse things as users were loosing access to some objects. It seems that the profiles converted okay to the new roles for the transactions but it has not given exactly the same access for all objects. What is the best way now to check that they match okay before removing the old ones. I need to do this as there are approx 25,00 old simple profiles that make up the 12,000 old composite ones and I need to remove these also from the system to improve performance. Any help would be appreciated.
Answer:
It would be far easier to create a role for each user than proceed with your actions. 2000 users 12000 COMPOSITE roles??????????????????????????????? WHAT!? Something wrong with this picture....
A conversion does not ensure the new roles will work or that you have bleed through and more access than the user needs. After and upgrade of this sort you MUST open each role and "merge-old and new" and address the New and missing objects in the new version.
Answer:
Urgent is not allowed.
Read basic rules.
_________________
SapFans Moderator
NetWeaver ‘04–SAP Web AS for ORACLE certified
Search: /forums/search.php
SAP Notes: http://service.sap.com/notes
SAP Help: http://help.sap.com
Basic Rules: /forums/viewtopic.php?t=222759
Answer:
John,
Thanks...that's what I thought you would say. I inherited an old system and my view is that we need to start again with the Roles as the current system is too complex . What is the approx average number of Roles that should exist for a Plant covering MM/PM/FI/CO or what is the best way to start again ?
Answer:
Without Org level limitaions you will need 85 to 125 base roles encompasing most all modules including Basis and Security. Corporate controls may require a few others based on their list of SOD's.
Easiest place to start is a list of tcodes and build roles from that.
If you are adept at ABAP you can create a ROLE MERGE utility to convert the roles on a user into a single role and delete all the duplicates. You will then need to analyse the results and adjust the roles and delete the identicle roles. and then analyse for SOD violations
THere is no SIMPLE answer except Keep it Simple.