Community
Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

PFCG Authorization Profiles

dan_spitzig
Explorer

‎2025 Sep 02 8:41 PM - edited ‎2025 Sep 11 1:55 PM

0 Likes
803

Hi ABAP experts.

I am creating an ABAP program to do a mass update of roles, rather than manually doing it with transaction PFCG.  I am removing manually-added T-Codes, then adding them to the Role Menu as Authorization Default using method CL_PFCG_MENU_MODIFY->MENU_ADD_SERVICE.  This works well, changing the AGR_1251-MODIFIED field from 'U' to 'S',  However, when the Authorization Profile is generated using PRGN_AUTO_GENERATE_PROFILE_NEW, it also brings in a lot of unwanted authorizations, such as SE16 bringing in S_TABU_DIS and S_TABU_NAM. 

The method CL_PFCG_MENU_MODIFY->MENU_DELETE_NODE will remove them, but they will come back whenever the profile is regenerated.

The solution is to set the Authorization as 'Inactive', but I cannot find a Method or Function Module that will do this.  I tried doing a direct table update (which is not recommended) to AGR_1251, setting the DELETED field to 'X'.  When I do this and look at the role in PFCG and in table AGR_1251, it appears to have worked.  When someone logs into the system with that role, executes SE16, they should not be able to select any table to display.  However, even though the Authorizations are Inactive, they can still display table contents.

Can someone please help me out with how to achieve my goal?

0 REPLIES 0