Question:
Hi,
I have been using "change authorisation data" to generate profiles for a while now. Never pay much attention to the "expert mode". what a joke!
Can anyone tell me what "change authorisation data" actually does and if there is an equivilant option in "expert mode". or what are the major differences. It appears to me if I added in a tcode, for example, the "change authorisation data" normally works fine, but if I use "expert mode", I should choose " read old data and merge with new".
Thanks.
Answer:
If your roles are done correctly and SU24 is used correctly to minimize your maintenance you ALWAYS want to enter the role in expert mode and always use read old merge new. (There are a few exceptions, a display role created form change tcodes)
This ensures the role always have the latest configuration of SU24. SU24 should be updated to remove dangerious access, add missing access and meet your contorl needs. this prevents you form having to reseach the answer each time you encounter the same tcode in a role.
Answer:
but what does "change authorisation data" do? what are the major difference between this one and "read old merge new" in expert mode?
Thanks.
Answer:
but what does "change authorisation data" do? what are the major difference between this one and "read old merge new" in expert mode?
Have you tried both to determine the difference?
change authorisation data = Present the authorization EXACTLY as last saved so you can maintain the fields, authorizations or Orglevels at your discretion.
"read old merge new" = Reference the tcodes in the menu and retreive the current values from your SU24 configuration, analyse the previously saved authorization, add the missind authorization and merge any existing or new authorization using the base rule not to increase access.
Answer:
thanks John.
It looks to me only su24 matters in choosing which option. If we have never maintained su24, often add objects maually, then the safer way would just go to "change authorisation data". However, since merge new doesn't touch maually modified authorisations, it should be safe to use this option too.
Answer:
You should change your practice and use SU24 and use merge old new and never use a manual unless you have a corresponding Standard to support it. By not using SU24/merge and anning manuals, if you remove a tcoe you are not removing the underlying access so the user can still perform the business function. Further if you add a tcode to the menu the default is merge and your role will light up in yellow and red and you will have to rework many of the authorization you already resolve.
The use of su24 corrects your roles ove time and minimized maintenance.