Does anyone know about combining SAP auth profiles/roles?
The goal is to combine tr codes, auth objects with attribute values assigned, from two or more profiles/roles into a single profile/role.
We are in the process of streamlining the authorization across system and thus want to reduce the number of roles/profiles assigned to a user to one.
Thanks in Advance
I really don't know exactly what you're asking for, but in role maintenance (PFCG) you have the possibility to maintain "Single Roles" and "Composite Roles" (which consist of 1-n single roles). This is also possible for profiles. In profile maintenance (SU02) you're able to maintain "Single profiles" and "Composite profiles".
Is that what you're looking for?
I have worked out a solution for this issue. For example, your five roles are A, B, C, D and E. Create a new role F now. After creating the role, go straight to the authorizations tab and open it in Expert mode for profile generation with EDIT OLD STATUS mode.
Don't select any of the templates that SAP will ask you for.
Then in the menu bar go to EDIT, then to INSERT AUTHORIZATIONS and then to FROM PROFILES. Now A, B, C, D and E will all have their respective profiles (you can check for the profile under the authorizations tab of the pre-existing roles; of course make sure all the roles A, B, C, D and E are pre-generated). A pop-up will come up and you can give the profiles of all the existing roles one by one. Complete this activity in toto.
Once you have finished this activity you will find that few of the authorizations are in red color. For this all you need to do is to go to organizational levels tab and input the appropriate values. These are of course organization specific but you can check the values from the original roles. Once you have done this all authorization objects will be in green color. All you need to do is to generate this new role.
There is only one issue with this approach: the transaction codes will not show up in the role menu, but this is not a problem since the authority-check is done with authorization object S_TCODE. We have quite a few roles like this in our system and they are working absolutely fine.
Let me know if this worked for you.
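
A check for the organizational-level step described above, as an added example that is not part of the original thread: organizational level values are maintained once for the whole role, so entering the values from every source role can give the combined role more than the source roles granted together. This Python sketch models that on constructed data and lists the extra combinations to review; the sample values, the explicit-values-only simplification and all function names are assumptions.

```python
from itertools import product

# Constructed sample data: authorizations as read from two source roles.
# Assumption: values are explicit single values (no "*" and no ranges).
ROLE_A = [("F_BKPF_BUK", {"BUKRS": {"1000"}, "ACTVT": {"01", "02", "03"}})]
ROLE_B = [("F_BKPF_BUK", {"BUKRS": {"2000"}, "ACTVT": {"03"}})]
ORG_LEVEL_FIELDS = {"BUKRS"}  # fields maintained role-wide as org levels


def granted(auths):
    """Expand authorizations into the set of field/value combinations allowed."""
    combos = set()
    for obj, fields in auths:
        names = sorted(fields)
        for values in product(*(sorted(fields[n]) for n in names)):
            combos.add((obj, tuple(zip(names, values))))
    return combos


def merge_roles(*roles):
    """Model the combined role: every inserted authorization is kept, but each
    org-level field receives the union of the values from all source roles."""
    org_values = {}
    for role in roles:
        for _, fields in role:
            for name in ORG_LEVEL_FIELDS & fields.keys():
                org_values.setdefault(name, set()).update(fields[name])
    merged = []
    for role in roles:
        for obj, fields in role:
            new_fields = {n: set(v) for n, v in fields.items()}
            for name in ORG_LEVEL_FIELDS & new_fields.keys():
                new_fields[name] = set(org_values[name])
            merged.append((obj, new_fields))
    return merged


def excess_access(*roles):
    """Combinations the merged role grants that no source role granted."""
    before = set().union(*(granted(r) for r in roles))
    return sorted(granted(merge_roles(*roles)) - before)


if __name__ == "__main__":
    for obj, combo in excess_access(ROLE_A, ROLE_B):
        print(obj, dict(combo))
```

With the sample data, the merged role gains create and change (ACTVT 01, 02) in company code 2000, where role B only had display.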