Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Difference between Change Authorization Data / Display Authorization Data

Former Member
0 Kudos
305

Hello,

My question is wrt to implementation of "principle of treble control" i.e three SAP administrators i.e.

1. Authorization data administrator

2. Authorization profile administrator

3. User Administrator

I have created a role & added a transaction to it e.g. "FAGLL03" or "FF67".

No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile. Even when I save the profile with the proposed name, it status still says "No authorization data exists". Since no authorization data is available, administrator 2 is unable to generate profile. If administrator 1 has to generate profile then why is administrator 2 required.

Definition of Administrator 1 is:

The authorization data administrator creates the roles, selects transactions and

maintains the authorization data. He or she simply saves the data in the Profile

Generator since he does not have the necessary authorization for generating the

profile. He or she accepts the proposed profile name “T-...”. The authorization data

administrator may not change users, nor generate profiles.

Definition of Administrator 2 is:

The authorization profile administrator starts transaction “SUPC” and chooses All

Roles. He or she then restricts his selection, for example by entering the ID of the

role to be edited. On the next screen, he or she chooses Display Profile to check

the data. If all the data is correct, he or she generates the authorization profile. The

authorization profile administrator may not change users, change the data for roles,

nor generate profiles containing authorization objects beginning with S_USER*.

Thanks.

4 REPLIES 4

jurjen_heeck
Active Contributor
0 Kudos
146

If administrator 1 has to generate profile then why is administrator 2 required.

I think that is the question you need to get answered. What risk is there if you combine the two functions? I do not see why one would try to separate the creation of the roles and the generation of the profile.

Can you tell us why it has been designed in this way?

Jurjen

Former Member
0 Kudos
146

Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.

Depending upon the volume of work my SAP implementation has, the approarch to me looks practical.

Secondly, SAP profile is also available for these adminstrators but it is not working the way it is supposed to.

0 Kudos
146

Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.

I had never heard of this treble control and the added value of splitting rolebuilding and profile generation doesn't make much sense to me but that's my personal opinion.

On the technical side of things: in your first post you state "No authorization data is displayed in the authorization tab unless I enter authorization tab with change button and provide inputs for org level field & generate profile."

It is also possible to change the data and save this but not generate the profile yet. I just tried this by doing the following:

Create role

Add transactions to menu

Edit profile, org levels & authroization data.

Hit 'save'.

Accept proposed profile name.

Go back to PFCG main screen and ignore message of profile not being generated. (Click 'continue')

And this leaves me with a role with yellow traffic light on the authorization tab an the profile status is: "Current version not generated"

So it should be possible to maintain roles and profiles separately.

0 Kudos
146

Actually I started off my question with the "implementation of treble control" that SAP course AD940 suggests.

The standard role SAP_BC_ENDUSER mentioned in that course is typically enough to perform all three tasks anyway...

Anyway, with modern workflows and provisioning this double and triple concept decreasingly relevant.

A better option would be to implement a QA step in the transporting of the roles and profiles. That will still be with us for some time to come IMHO. You can also integrate other checks into the CTS.

Cheers,

Julius