
PFCG_MASS_VAL - Mass Maintenance of Authorization Values

This documentation is copyright by SAP AG.

Purpose

You use this program to change the authorization values of roles.

This includes changing organizational levels, changing the field values of authorizations for an authorization object, and changing the field values of authorizations for an authorization field (for different objects). It is also possible to add and delete a manual authorization for exactly one authorization object.

Integration

Prerequisites

Features

Selection

The program provides three change modes for the roles selected in the standard selection:

  • Simulation
    This mode simulates the changes you want to make and displays them in a results list. During the simulation, the roles are locked and all necessary authorization checks are performed.
  • Execution with Previous Simulation
    In this mode a simulation is performed first. The roles then remain locked and an "Execute" pushbutton is displayed in the menu bar in the results list. This allows you to check the changes before saving them, and prevents the roles from being changed inadvertently in the meantime.
    If you only want to change some of the displayed roles, you can use the "Exclude Role" function above the results list to delete those roles that you have marked. Note that if you mark a line, this applies to the entire role that this line refers to. You cannot exclude individual authorizations or authorization values from the processing.
  • Direct Execution
    In this mode the changes are made immediately and displayed in a results list.

Role Transport

Here you can see whether a setting is active for transporting client-specific customizing objects in transaction SCC4, and if so, which one.

For the "Automatic Recordings of Changes" setting, you can select the generated authorization profiles and the personalization data as optional transport components and enter the required customizing request for role recording. The text in parentheses after the input field indicates that the specified request is only used for roles that are not set in another request by existing recordings. If you do not specify a request on the selection screen, but it is still possible to select a request for at least one of the roles you have selected, you will get the usual dialog window for selecting the request later on when you save the mass changes.

If the SCC4 setting is not active or is set to "Changes Without Automatic Recording", automatic recording does not take place. However, you can select the required roles in the results list after the mass changes have been executed, and record these manually by selecting the transport function in the toolbar.

The setting "Changes without automatic recording, no transports allowed" does not allow automatic or manual recordings.

For detailed information about using the SCC4 setting in relation to role maintenance, see SAP Note 1723881.

Change

For each type of field change you define whether you want to add, delete, or replace values. The following generally applies: As many changes as possible are made. This means: If you are adding a value and the required authorization is missing, or the value is already contained in the authorization, this value is removed from processing.

  • Add: Choose "Values" to enter the values that you want to add.
  • Delete: Choose "Values" to enter the values that you want to delete.
  • Replace All: All existing values of the organizational level or authorization are deleted. Choose "Values" to enter the values that you want to add.
  • Replace: Choose "To Replace" to enter the values that you want to replace. Choose "Values" to enter the values that you want to add instead. This action only takes place if all values to be replaced of all fields exist. You cannot make partial replacements.
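
The four actions above, modelled on a single authorization as an added example (not SAP code and not part of the original documentation). It assumes values are literal strings with no ranges or wildcards, that an authorization is a mapping of field name to a set of values, and that "Replace All" resets only the fields named in the input; the function names and sample data are hypothetical.

```python
# Added illustration, not SAP code. Simplified model of the change actions above.
# Assumptions: values are literal strings (no ranges, no '*'); an authorization
# is a dict mapping field name -> set of values; "replace_all" resets only the
# fields named in `values`.

def compare(old, new):
    """Value comparison rows: '+' added, '-' deleted, '=' unchanged."""
    rows = []
    for field in sorted(old):
        for v in sorted(old[field] | new[field]):
            if v in old[field] and v in new[field]:
                mark = "="
            else:
                mark = "+" if v in new[field] else "-"
            rows.append((field, v, mark))
    return rows


def apply_change(auth, action, values, to_replace=None):
    """Apply one change action to one authorization; return (new_auth, rows)."""
    new = {f: set(v) for f, v in auth.items()}
    # Values for fields the authorization does not have drop out of processing.
    known = {f: set(v) for f, v in values.items() if f in auth}
    if action == "add":
        for f, vals in known.items():
            new[f] |= vals              # values already present are no-ops
    elif action == "delete":
        for f, vals in known.items():
            new[f] -= vals
    elif action == "replace_all":
        for f, vals in known.items():
            new[f] = set(vals)
    elif action == "replace":
        wanted = to_replace or {}
        # All-or-nothing: every value to replace, in every field, must exist.
        if all(vals <= auth.get(f, set()) for f, vals in wanted.items()):
            for f, vals in wanted.items():
                new[f] -= vals
            for f, vals in known.items():
                new[f] |= vals
    else:
        raise ValueError(f"unknown action: {action}")
    return new, compare(auth, new)


# Constructed sample authorization (field names and values are illustrative).
SAMPLE = {"ACTVT": {"01", "02", "03"}, "BUKRS": {"1000"}}

if __name__ == "__main__":
    for row in apply_change(SAMPLE, "add", {"ACTVT": {"03", "06"}})[1]:
        print(row)
```

The rows returned correspond to the "Value Comparison" markers a simulation run lets you review before anything is saved.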

Type of Field Change

  • Change Organizational Levels
    You change the values of organizational levels of the selected roles across all objects (global maintenance). This action does not affect authorizations whose organizational levels have already been maintained individually.
  • Change Field Values of Authorizations for an Object
    When you select an authorization object, all its authorization fields are displayed. Maintain the values for those fields that you want to change.
    If any of these fields is an organizational level, a warning icon is displayed. This tells you that the value changes you make to this field only apply to individual authorizations and result in the maintenance status "Changed". The values from the global maintenance (see above) no longer apply for these authorizations.
  • Change Field Values of Authorizations for a Field (Cross-Object)
    With this type of field change you change the field values of authorizations for a specific authorization field, but for all authorization objects that contain this field.
    Enter the name of the authorization field and maintain the values that you want to change. Entering the authorization object is optional; an input help is available for you to select the fields of the object. If you are in the "Activity" (ACTVT) field and have specified an object, you are shown which activities are allowed for this object and can make your selection.
    Again, if a field is an organizational level, a warning icon is displayed. The same applies as in the previous section.
  • Add a Manual Authorization to an Object
    This function supplements the selected roles with a manual authorization for exactly one authorization object. Values can be entered for the fields of the authorization to be added, but they can also be left open. When maintaining organizational level fields, note the statements made for the previous two options.
    The manual authorization is added to roles even if they already contain authorizations with the required field value combination. To avoid adding superfluous authorizations, use the processing mode "Execution with Previous Simulation" (see above). This produces a results list containing the authorization to be added and also all existing authorizations for the same object, so that you can exclude any roles that do not need the new authorization before further processing.
  • Delete Manual Authorizations for an Object
    You use this function to delete manual authorizations for exactly one authorization object in the selected roles.
    The function only deletes those authorizations that contain all values of all fields that are maintained on the selection screen. If you do not maintain any values, all manual authorizations of this object are deleted.
  • Activate/Deactivate Authorizations for an Object
    You use this function to activate or deactivate authorizations for exactly one authorization object in the selected roles.
    The function only activates or deactivates authorizations that contain all values of all fields that are maintained on the selection screen. If you do not maintain any values, all authorizations for this object will be activated/deactivated.
    Regardless of which field values are selected, the result list displays all existing authorizations for the specified authorization object in the corresponding role, even if the activation status is unchanged. Authorizations for which the activation status is unchanged are uniquely identified with an equal sign (=) in the 'Activation Status Comparison' column.
  • Add F4 as a default value without changing to status 'Changed'
    The authorization default values of many applications now have the additional value F4 in different authorization fields. This makes it possible to distinguish between displaying objects and listing them in input helps. You can use this function to add F4 en masse to authorizations of single roles whose menus contain the relevant applications. Since the maintenance status of the enhanced authorizations is retained, the new value can be used very quickly without any individual editing of roles. Note the following:
      • The only authorizations that can be changed are those that are created from the current authorization proposals in the menu applications, but do not contain the default value F4. It is therefore not possible to edit authorizations with the status "Manual".
      • To execute this function, the start authorization for transaction PFCG is also required as a prerequisite for calculating the current authorization proposals per role.
      • The function does not take into account any further changes to authorization proposals, and therefore does not replace the combination of authorization data in roles. In particular, roles still have the authorization status 'To Be Compared' (red traffic light on the "Authorizations" tab in transaction PFCG) if this already existed prior to the automatic insertion of F4. Profile generation as follow-up action is not possible for roles with this status.
      • Automatic addition of F4 enhances the scope of existing authorizations by making it possible to display input help. This can cause problems if personal data is involved. For this reason, use the processing mode ‘Execution with Prior Simulation’ before saving in order to check whether adding F4 would cause previously non-visible personal data to be displayed. Remove all roles that you do not want to modify from the list.

When changing authorizations, you have other options:

  • Authorizations: The change can be restricted to active or inactive authorizations.
  • Old Authorization Status: The change can be restricted to authorizations with the status "Standard", "Maintained", "Changed", or "Manual".
  • No Switch to Status "Changed": If this option is active, any changes that would result in the authorization status changing from "Standard" to "Changed" or from "Maintained" to "Changed" are discarded.
    Note the following: Maintaining organizational levels individually also results in a status change from "Standard" to "Changed".
  • Supplement Long Text: By choosing 'Text', you can save a description that is appended to the long text for all changed roles.
    However, the long text of a role can only be maintained if you are logged on in its original language. Therefore, if you use this option, authorizations are only changed if the logon language matches the original language of the role.

Standard Variants

Output

The output shows the result of the simulation or the execution. Errors are displayed in the error log at the end of the list.

If you are changing organizational levels, you get the following information:

  • Name of Role
  • Value Comparison: Indicates whether a value has been added, deleted, or has stayed the same
  • Organizational level with value range

If you are changing authorizations, the list contains the following columns:

  • Name of Role
  • Authorization Object
  • Authorization
  • Activation Status of Authorization: Active or Inactive
  • Old Maintenance Status: Status of the authorization before the change
  • New Maintenance Status: Status of the authorization after the change
  • Authorization Comparison: Indicates whether an authorization has been changed
  • Value Comparison: Indicates whether a value has been added, deleted, or has stayed the same
  • Field Name with Value Range

If the SCC4 settings "Changes Without Automatic Recording" or "Automatic Recording of Changes" are active, there are two additional output fields for all change types:

  • Transport Request: Request number of an existing recording.
  • Own Recording: X = The executing user has his or her own recording of the role under the specified request.

Activities

Example





