Programatically Creating Profiles via ABAP

alexander_schuchman — Fri, 22 Sep 2006 19:46:57 GMT

I'm posting this little "prototype" that I've been researching to see if anyone has done something similiar. Also hoping that someone will let me know what I've missed in my thought process. This is something I put together for a CRM project but applies to all basis systems(4.6C to Netweaver 2004s).

Here's my code, self explanatory(se38 program):

&----

*& Report Z_PFCG_AUTOMATION_HACK *

*& *

&----

*& Test security program to create a copy of a Profile, then create *

*& the authorization profile, and finally set the value and generate *

&----

REPORT Z_PFCG_AUTOMATION_HACK .

DATA I_PROF LIKE PT1016 OCCURS 10 WITH HEADER LINE.

data: AGR_PROF type table of AGR_PROF with header line.

data: s_agr_define like agr_define.

data: my_agr_define like agr_define.

data: my_bp_number type STRING.

data: P_G_PROFILE like agr_1016-profile.

data: PROFILE_TEXT like agr_prof-ptext.

*Establish some fake values to work with

s_agr_define-agr_name = 'CRM1:11111'.

my_agr_define-agr_name = 'CRM1:22222'.

my_bp_number = '11111'.

P_G_PROFILE = 'TESTING123'.

PROFILE_TEXT = 'testing123'.

*Step 1: Copy an existing role into a new role

CALL FUNCTION 'PRGN_COPY_AGR'

EXPORTING

SOURCE_AGR = my_agr_define-agr_name

TARGET_AGR = s_agr_define-agr_name

DISTRIBUTE_SINGLE_ROLE = ' '

EXCEPTIONS

TARGET_AGRNAME_NOT_FREE = 1

SOURCE_AGR_NOT_EXISTS = 2

NO_AUTHORITY_FOR_USER_INSERT = 3

NO_AUTHORITY_FOR_TCODES_INSERT = 4

NO_AUTHORITY_FOR_OBJECT_INSERT = 5

NO_AUTHORITY_FOR_SROLE_INSERT = 6

NO_AUTHORITY_FOR_SROLE_SHOW = 7

FLAG_NOT_EXISTING = 8

ACTION_CANCELLED = 9

NO_AUTH_FOR_OBJECTS_AND_USERS = 10

NO_AUTH_FOR_SROLES_AND_USERS = 11

OTHERS = 12.

IF SY-SUBRC <> 0.

MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO

WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.

ENDIF.

*Step 2: Create the authorization profile

CLEAR AGR_PROF.

AGR_PROF-MANDT = SY-MANDT.

AGR_PROF-AGR_NAME = s_agr_define-agr_name.

AGR_PROF-PROFILE = P_G_PROFILE.

AGR_PROF-PTEXT = PROFILE_TEXT.

AGR_PROF-LANGU = SY-LANGU.

if AGR_PROF-PROFILE is initial.

delete agr_prof.

exit.

else.

APPEND AGR_PROF.

endif.

I_PROF-PROFILE = P_G_PROFILE.

I_PROF-GENERATED = 'X'.

CLEAR: I_PROF-VARIANT, I_PROF-PSTATE.

APPEND I_PROF.

CALL FUNCTION 'PRGN_1016_SAVE_PROFILE_NAME'

EXPORTING

ACTIVITY_GROUP = AGR_PROF-AGR_NAME

TABLES

I_PROF = I_PROF

EXCEPTIONS

OTHERS = 1.

*These two function calls are necessary to commit the change

CALL FUNCTION 'PRGN_UPDATE_DATABASE'

EXCEPTIONS

OTHERS = 1.

CALL FUNCTION 'PRGN_CLEAR_BUFFER'

EXCEPTIONS

OTHERS = 1.

*Must also do a generate to have it active before changing

*Do the Generate!

CALL FUNCTION 'SUPRN_PROFILE_BATCH'

EXPORTING

ACT_OBJID = AGR_PROF-AGR_NAME

ENQUEUE = 'X'

EXCEPTIONS

OBJID_NOT_FOUND = 1

NO_AUTHORIZATION = 2

GENERATION_NOT_ACTIVE = 3

EMPTY_AUTHORIZATIONS = 4

ENQUEUE_FAILED = 5

NOT_GENERATED = 6

OTHERS = 7.

IF SY-SUBRC <> 0.

MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO

WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.

ENDIF.

*Step 3: Modify the person responsible- Table AGR_1251

data: my_auth_data type table of PT1250 with header line.

*Returns the Profile Name for the Role, don't actually use this

*CALL FUNCTION 'PRGN_1250_READ_AUTH_DATA'

EXPORTING
ACTIVITY_GROUP = AGR_PROF-AGR_NAME
TABLES
AUTH_DATA = my_auth_data
EXCEPTIONS
NO_DATA_AVAILABLE = 1
OTHERS = 2.

*IF SY-SUBRC <> 0.

MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.

*ENDIF.

data: my_field_values type table of PT1251 with header line.

CALL FUNCTION 'PRGN_1251_READ_FIELD_VALUES'

EXPORTING

ACTIVITY_GROUP = AGR_PROF-AGR_NAME

TABLES

FIELD_VALUES = my_field_values

EXCEPTIONS

NO_DATA_AVAILABLE = 1

OTHERS = 2.

IF SY-SUBRC <> 0.

MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO

WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.

ENDIF.

*Change the value of the Person Responsible here!(agr_1251)

*my_bp_number has the value of the new person responsible

data: my_itab type table of PT1251 with header line.

read table my_field_values with key object = 'CRM_TPMRES'

FIELD = 'MKTPL_RESP' into my_itab.

if sy-subrc = 0.

my_itab-LOW = my_bp_number.

modify my_field_values from my_itab INDEX sy-tabix TRANSPORTING LOW.

endif.

CALL FUNCTION 'PRGN_1251_SAVE_FIELD_VALUES'

EXPORTING

ACTIVITY_GROUP = AGR_PROF-AGR_NAME

TABLES

FIELD_VALUES = my_field_values.

*Not sure if this is necessary but seems to work so better be safe

CALL FUNCTION 'PRGN_UPDATE_DATABASE'

EXCEPTIONS

OTHERS = 1.

CALL FUNCTION 'PRGN_CLEAR_BUFFER'

EXCEPTIONS

OTHERS = 1.

*Step 4: Generate the profile so that it's active

*Could use SUPRN_PROFILE_GENERATOR but it has a SAPGUI,

*you'd have to click the icon to generate it, maybe good to show the

*data to security

*Check to see if you have authority to perform the generate!

CALL FUNCTION 'PRGN_AUTH_ACTIVITY_GROUP'

EXPORTING

ACTIVITY_GROUP = AGR_PROF-AGR_NAME

ACTION_GENERATE = 'X'

EXCEPTIONS

NOT_AUTHORIZED = 1

OTHERS = 2.

IF SY-SUBRC <> 0.

MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO

WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.

ENDIF.

*Do the Generate to make sure the profile is ready for user compare!

*This is like clicking the "Generate" button in PFCG.

CALL FUNCTION 'SUPRN_PROFILE_BATCH'

EXPORTING

ACT_OBJID = AGR_PROF-AGR_NAME

ENQUEUE = 'X'

EXCEPTIONS

OBJID_NOT_FOUND = 1

NO_AUTHORIZATION = 2

GENERATION_NOT_ACTIVE = 3

EMPTY_AUTHORIZATIONS = 4

ENQUEUE_FAILED = 5

NOT_GENERATED = 6

OTHERS = 7.

IF SY-SUBRC <> 0.

MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO

WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.

ENDIF.

*Step 5: Add the user to the role using the BAPI

break-point.

*Didn't bother to put in this code since we know the BAPI works!

*Step 6: perform the user compare to get the green light for the role.

*This can only be called after the profile exists!!

*Not sure if this is really necessary but I like that everything is

*green afterwords

CALL FUNCTION 'PRGN_ACTIVITY_GROUP_USERPROF'

EXPORTING

ACTIVITY_GROUP = AGR_PROF-AGR_NAME

EXPERT_MODE_WITHOUT_UPDATE = ' '

HR_MODE = ' '

ACTION_INSERT = 'X'

ACTION_DELETE = 'X'

DISPLAY_MESSAGES = 'X'

DELETE_INVALID_PROFILES = 'X'

ONLY_IMPORTANT_MESSAGES = ' '

ONLY_DISTRIBUTE_USERS = ' '

EXCEPTIONS

NO_AUTHORITY_FOR_USER_COMPARE = 1

AT_LEAST_ONE_USER_ENQUEUED = 2

AUTHORITY_INCOMPLETE = 3

NO_PROFILES_AVAILABLE = 4

TOO_MANY_PROFILES_IN_USER = 5

CHILD_AGR_ENQUEUED = 6

OTHERS = 7.

IF SY-SUBRC <> 0.

MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO

WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.

ENDIF.

*All Done!

Re: Programatically Creating Profiles via ABAP

Former Member — Sat, 23 Sep 2006 08:23:54 GMT

Hi Alexander,

Did you put it in a user exit to create personalized profiles on the fly when the user accesses the transaction for the first time? There have already been a few posts here looking for this sort of stuff.

Your break-point refers to a BAPI which implies that the user themself (or another on their behalf) possibly needs authorizations to assign profiles to users. Or did you do that dynamically?

Interesting topic...

Cheers,

Julius

topic Re: Programatically Creating Profiles via ABAP in Application Development and Automation Discussions

Programatically Creating Profiles via ABAP

Re: Programatically Creating Profiles via ABAP