2012 Jan 18 11:50 AM
Hi Folks,
We've a requirement of building 1000's of single roles for an implementation. Our security matrix is ready with the role names and the list of tcodes to be embedded in each of these roles. What I would like to know is if we can automate a part of the process of role building, i.e. the following 3 steps only.
1. Creation of the Role
2. Addition of the tcodes in the role menu
3. Save
I'm aware of eCATT/LSMW through which we can create the roles, but I'm not sure if we can add the tcodes to the menu of the roles since the number of tcodes to be populated in each role will vary.
Could anyone of you shed some light if it is possible to automate the addition of tcodes to the role menu taking into consideration that each role will have different number of tcodes to be added to the menu and what's the best possible way to achieve this if there exists one.
Thanks in advance for your time and suggestions!
Guest...
2012 Jan 18 12:25 PM
2012 Jan 18 1:39 PM
How big do you think the chance is that a standard role set will match OP's matrix?
To add transactions to a role in an automated way you should record your script in such a way that it always adds one transaction to one role at a time. In that way it doesn't matter if the amount of transactions varies. More transactions will only mean more lines in the input file with the same role name.
Jurjen
Edited by: Jurjen Heeck on Jan 18, 2012 2:43 PM
2012 Jan 19 12:44 PM
For roles with the same name length, UL can also be done with only the following entries in an Excel file.
LOADED_AGRS
AGR_DEFINE
AGR_TCODES
AGR_TEXTS
Here for tcodes, AGR_TCODES needs replication.
Edited : SECATT is much simpler. Role UL should be the last option as a simple mistake will lead to mess...
Regards,
Arpan Paik
Edited by: P Arpan on Jan 19, 2012 8:52 PM
2012 Jan 20 7:42 AM
Hi Saby,
This you can do just by breaking your own idea of creating SECATT scripts from single to double. I have done it before also that's why advising.
1. First script just to create the role
Input will be only 2 things
- Role Name
- Role Text (Description)
2. Second script is to add transaction to role menu.
Input will be 2 things only
- Role Name
- Transaction code
This way all roles can be built by the first script, and the second script will populate all the transactions in the roles.
Otherwise there is no way you can automate addition of transactions to roles in a single script, as the number of transactions will be variable.
Remember there is a dependency here in execution of the scripts: first -> then second scripts should be run.
I hope it will help you.
Thanks and Regards,
Vinod
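Added example, not part of any post in this thread: one way to turn a security matrix into the two input files the replies above describe, one row per role for the creation script and one row per role/tcode pair for the menu script. The column names, the sample matrix and the length limits are assumptions; map the columns to whatever parameters your own recording uses.

```python
import csv
import io

# Constructed sample matrix: role -> (description, transaction codes).
MATRIX = {
    "Z_FI_AP_CLERK": ("AP clerk", ["FB60", "FBL1N", "fb60 "]),
    "Z_MM_BUYER": ("Buyer", ["ME21N", "ME22N", "ME23N"]),
    "Z_EMPTY": ("No menu yet", []),
}
MAX_ROLE_LEN = 30   # assumed maximum length of a role name
MAX_TCODE_LEN = 20  # assumed maximum length of a transaction code


def flatten(matrix):
    """Return (role_rows, tcode_rows, problems) for the two scripts."""
    role_rows, tcode_rows, problems = [], [], []
    for name, (text, tcodes) in matrix.items():
        role = name.strip().upper()
        if not 0 < len(role) <= MAX_ROLE_LEN:
            problems.append(f"{role!r}: role name length invalid, skipped")
            continue
        role_rows.append((role, text.strip()))
        seen = set()
        for raw in tcodes:
            tcode = raw.strip().upper()
            if not 0 < len(tcode) <= MAX_TCODE_LEN:
                problems.append(f"{role}: tcode {tcode!r} invalid, skipped")
            elif tcode in seen:
                problems.append(f"{role}: duplicate {tcode} dropped")
            else:
                seen.add(tcode)
                tcode_rows.append((role, tcode))  # one tcode per line
        if not seen:
            problems.append(f"{role}: no transactions listed")
    return role_rows, tcode_rows, problems


def to_tsv(header, rows):
    """Serialise rows as tab-separated text with a header line."""
    buf = io.StringIO()
    writer = csv.writer(buf, delimiter="\t", lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    roles, tcodes, problems = flatten(MATRIX)
    print(to_tsv(("ROLE_NAME", "ROLE_TEXT"), roles))   # input for script 1
    print(to_tsv(("ROLE_NAME", "TCODE"), tcodes))      # input for script 2
    print("\n".join(problems))
```

Review the problems list before loading anything: a dropped duplicate or an empty role usually points at an error in the matrix itself.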
2012 Jan 30 12:34 PM
Hi Vinod,
I have created 2 scripts, one for Role name and description and other one for Addition of tcode to the role, as you have mentioned in your post. The first script runs successfully but when I executed the second Test configuration for adding tcodes to role, it comes up with errors and Log says:
S S# 287 No favorites exist
S 00 344 No batch input data for screen SAPLPRGN_TREE 0300
A TT 377 Control data is obsolete, rerecord (VERBS-NAME: CREATEOBJECT CATT: GETEVENTPARAM Callno: 000202)
Appreciate if you can provide me with your inputs. Also if you have any document prepared for this, specially when we switch to simulation mode to parametrize the steps we ran in PATTERN.
Thanks,
Ashwini
Edited by: A Sonwani on Jan 30, 2012 1:37 PM
2012 Jan 30 7:00 PM
Hi
May I ask how many users you are catering for and if there is a reason for having to create thousands of roles?
Cheers
David
2012 Jan 31 6:10 AM
Hi David,
We have around 1000 roles that need to be built for implementation and our security matrix is ready with the role names and the list of tcodes to be embedded in each of these roles.
There are 3 of us who would be building these roles in a short span of time so it would be easier for us if this gets automated. As of now, we only want to have these 3 steps done for role building.
1. Creation of the Role
2. Addition of the tcodes in the role menu
3. Save
Cheers
Ashwini
2012 Jan 31 6:29 PM
Why so many roles? Do you really need 1000's of roles? This might be a difficult task to automate because most tcodes will require a manual entry on activity type and field values.
Going back to David's question... how many SAP users do you have in your system?
2012 Mar 14 11:02 AM
Whilst I agree that there are probably too many roles being built here, which is more of an issue with the role design / strategy, the issue of how to easily create a role for a given list of transactions is something that SAP supports via the import menu from text file option in PFCG.
Yes you may need to write a script to cycle through all the possible role names, but we have recently had to build some roles based on actual usage, so exported transaction usage history to excel and then formatted the transactions into text files that could be imported to build the role menu.
You will still then need to ensure any authorisation objects have the correct values set - i.e. not just starred in - but as one of the pains in building a role is getting the menu to look reasonable, I'd suggest having a look at this approach.
Copy Menus -> Import from File is the function in PFCG in the menu tab for the role you are building
OSS note 389675 has details of what the text file of transactions for the menu should look like.
That should answer the question posed, rather than criticising the role design being followed.
2012 Mar 14 12:29 PM
Hi Chris
Good point on actually answering the question rather than querying the design - I just wondered if there may be another way of doing things...
I've just been experimenting with the .txt/excel format for the upload file and I think I would prefer to maintain the menu in PFCG rather than the import option.
You must have the patience of a saint! 🙂
Cheers
David
2012 Mar 14 1:00 PM
Yes it can be painful to get the format right, but once I'd got a working version, I stuck with that.
More complex sub-folders etc. is very difficult, but for a fairly simple menu of top level, grouping folders and 40 or so transactions it works very nicely.
I just paste the transactions and their descriptions into a data sheet, then have formulae work out the correct sequence numbers and parent nodes.
I'd like to get a macro written that would make it even easier, but have something that works for now.
2012 Mar 14 2:52 PM
Hi David,
In an implementation project 1000 roles should not be considered a huge number of roles. In fact I am sure these are part of the requirement. I have seen a lot more than that in a system. If there are around 3/4K users then surely the number of roles will go up. That also applies to the number of business processes, respective tasks, segregation of.
Regards,
Arpan Paik
PS - My 1st post in new SCN!!!!
2016 Jun 19 6:17 PM
Hi Sabyasachi Rudra,
Could you please tell me how you solved the issue? I also have the same requirement and the same problem.
Thanks,
sravanthi
2025 Jan 15 9:42 AM - edited 2025 Jan 15 9:43 AM
LSMW will help with mass role creation; to update organizational/field values, please use PFCGMASSVAL.
Ashish Semwal