https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099606#M1616229 <HTML><HEAD></HEAD><BODY><P>Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.</P><P></P><P>Depending upon the volume of work my SAP implementation has, the approarch to me looks practical.</P><P></P><P>Secondly, SAP profile is also available for these adminstrators but it is not working the way it is supposed to.</P></BODY></HTML> Sun, 17 Jul 2011 12:49:06 GMT Former Member 2011-07-17T12:49:06Z https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099604#M1616227 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>My question is wrt to implementation of "principle of treble control" i.e three SAP administrators i.e. </P><P></P><P>1. Authorization data administrator</P><P>2. Authorization profile administrator</P><P>3. User Administrator</P><P></P><P>I have created a role &amp; added a transaction to it e.g. "FAGLL03" or "FF67".</P><P></P><P>No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field &amp; generate profile. Even when I save the profile with the proposed name, it status still says "No authorization data exists". Since no authorization data is available, administrator 2 is unable to generate profile. If administrator 1 has to generate profile then why is administrator 2 required.</P><P></P><P>Definition of Administrator 1 is:</P><P>The authorization data administrator creates the roles, selects transactions and</P><P>maintains the authorization data. He or she simply saves the data in the Profile</P><P>Generator since he does not have the necessary authorization for generating the</P><P>profile. He or she accepts the proposed profile name &#147;T-...&#148;. The authorization data</P><P>administrator may not change users, nor generate profiles.</P><P></P><P>Definition of Administrator 2 is:</P><P>The authorization profile administrator starts transaction &#147;SUPC&#148; and chooses All</P><P>Roles. He or she then restricts his selection, for example by entering the ID of the</P><P>role to be edited. On the next screen, he or she chooses Display Profile to check</P><P>the data. If all the data is correct, he or she generates the authorization profile. The</P><P>authorization profile administrator may not change users, change the data for roles,</P><P>nor generate profiles containing authorization objects beginning with S_USER*.</P><P></P><P>Thanks.</P></BODY></HTML> Sun, 17 Jul 2011 09:33:45 GMT https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099604#M1616227 Former Member 2011-07-17T09:33:45Z https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099605#M1616228 <HTML><HEAD></HEAD><BODY><PRE><CODE><P></P><P>If administrator 1 has to generate profile then why is administrator 2 required.</P><P></P></CODE></PRE><P>I think that is the question you need to get answered. What risk is there if you combine the two functions? I do not see why one would try to separate the creation of the roles and the generation of the profile.</P><P></P><P>Can you tell us why it has been designed in this way?</P><P></P><P>Jurjen</P></BODY></HTML> Sun, 17 Jul 2011 09:51:38 GMT https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099605#M1616228 jurjen_heeck 2011-07-17T09:51:38Z https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099606#M1616229 <HTML><HEAD></HEAD><BODY><P>Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.</P><P></P><P>Depending upon the volume of work my SAP implementation has, the approarch to me looks practical.</P><P></P><P>Secondly, SAP profile is also available for these adminstrators but it is not working the way it is supposed to.</P></BODY></HTML> Sun, 17 Jul 2011 12:49:06 GMT https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099606#M1616229 Former Member 2011-07-17T12:49:06Z https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099607#M1616230 <HTML><HEAD></HEAD><BODY><PRE><CODE><P></P><P>Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.</P></CODE></PRE><P>I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.</P><P></P><P>On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field &amp; generate profile." </P><P></P><P>It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:</P><P>Create role</P><P>Add transactions to menu</P><P>Edit profile, org levels &amp; authroization data.</P><P>Hit 'save'.</P><P>Accept proposed profile name.</P><P>Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')</P><P></P><P>And this leaves me with a role with yellow traffic light on the authorization tab an the profile status is: "Current version not generated"</P><P></P><P>So it should be possible to maintain roles and profiles separately.</P></BODY></HTML> Sun, 17 Jul 2011 13:06:15 GMT https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099607#M1616230 jurjen_heeck 2011-07-17T13:06:15Z https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099608#M1616231 <HTML><HEAD></HEAD><BODY><PRE><CODE><P>Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.</P></CODE></PRE><P>The standard role SAP_BC_ENDUSER mentioned in that course is typically enough to perform all three tasks anyway...</P><P></P><P>Anyway, with modern workflows and provisioning this double and triple concept decreasingly relevant.</P><P></P><P>A better option would be to implement a QA step in the transporting of the roles and profiles. That will still be with us for some time to come IMHO. You can also integrate other checks into the CTS.</P><P></P><P>Cheers,</P><P>Julius</P></BODY></HTML> Sun, 17 Jul 2011 20:27:13 GMT https://community.sap.com/t5/application-development-and-automation-discussions/difference-between-change-authorization-data-display-authorization-data/m-p/8099608#M1616231 Former Member 2011-07-17T20:27:13Z