Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Diff.in profiles and role.How to check change history of roles/authorisatio

Former Member
0 Kudos

Hi,

I am bascically from MM.Just wanted to know difference in profile and role.I am aware that based on business requirement different roles are created through which authorisation is given to different T codes.

Not aware use of Profiles.

Also how can i check change history (date and time ) of my 1) role 2) profile 3)Authorisation to different t codes.

Thanks and regards

Sap learner.

8 REPLIES 8

martin_voros
Active Contributor
0 Kudos

Hi,

usually, it's good to start with [SAP documentation|http://help.sap.com/saphelp_nw04/helpdata/en/9d/39d0401117dd50e10000000a1550b0/frameset.htm]. You can see change documents for roles and profiles in transaction SUIM - section Change documents. You can see assignment of authorization objects to transaciton used by PFCG in transaction SU24.

Cheers

Former Member
0 Kudos

>

> Also how can i check change history (date and time ) of my 1) role 2) profile 3)Authorisation to different t codes.

>

Goto SUIM->Change Documents->For Profile and select the profile of the role for which you would like to see the changes.

After running the report, you will see the Objects added/removed. Click on each Object & it will show all the details, as in: who did, at what date, time, values entries etc

Similarly, you can see the same for Roles also, if you want to see for Transaction codes

Former Member
0 Kudos

Hi Sap learner

SUIM -> Choose the Execute option for roles _> enter the required details

and execute

You can select an individual role or a particular change document with the

fields Name of the Role and Change Number of the Document. You can use the

fields Changed By and To Date or To Time to further restrict the selection.

You can use the button next to Changed By to enter your user name in the

input field.

or

retreive user history from tables USH02,USH04,USH10 and USH12.

ROLE : is a collection of activites that enables the user to participate in different scenarios.

PROFILE : conatins instances for different auth obj. Auth are not directly assigned to the users,instead auth are assign as auth profiles. Once you add the role to the user,user will get access unless you do user comparsion.

Thanks,

Sri

0 Kudos

Hi

Thanks for useful information.Say for ex.I want to have access to T code ME21n.Then can i add this T code in say Purchasing manager role and will get access.

I have seen that profiles are maintained in Roles.Can you please explain procedure means whether i had to create profile and roles in which sequence.If in role we can assign T code what is use of profile.

Thanks

SAP learner

0 Kudos

Hi,

In versions like 3.X or below there was no concept of roles or profile generator. In those older version direct profiles were assigned to the users and if tcode needs to be added then associated profile need to be modified.

But in heigher verions like 4.6C etc role concept was introduced where roles are nothing but a bucket having multiple profiles. Any tcode changes addition/deletion can directly be done in roles and need not to be done in profile. These roles automatically generate profiles, hence after making your changes, you are supposed to generate profiles in order to reflect your changes in assosiated profiles.

Also check "agr_prof" table which will show you the role and its assosiated profile(s).

Hope this has clear your doubt to an extent.

Edited by: sap.sec.akshay on Jun 10, 2010 10:00 AM

Former Member
0 Kudos

Profiles are two types.

1) SAP has given standard profiles. SAP_ALL and SAP_NEW will provide maximum authorization.

2)profiles are getting created based on the user roles.

If the roles are assigned to user, profiles will be authomatically assinged in the profile tab.

If you want to assign any profiles manually such sap_all,sap_new, you have to assign in the profiles tab

of the user.

If you want to check roles,user modifications , use SUIM which gives variety of reports.

sdipanjan
Active Contributor
0 Kudos

If I understood your requirement, then the answer will be like this:

In earlier releases, we had profiles only where the development of profiles with proper authorization objects was really dependent on security admin'sr skill, expertise and experience to great extent together with STAD and SU53 analysis reports.

To reduce this pain SAP has come up with the concept of Profile Generator where a Table will hold all relationship between a TCode and it's relevant authorization objects. In this proforma we Security admins will not need to look after profiles by manual methods to visualize the authorizations for any action or permission level access. We used to follow the Role from our end through the tool Profile generator to bring those predefined authorization objects for the TCodes and SAP itself used to take care of the profile which contains the exact authorization for that role what users will get.

To say it one statement, Role is Human friendly, Profile is system friendly but describes the same thing at last.

Regards,

Dipanjan

Former Member
0 Kudos

Thanks all for useful information.Points awarded.Thresd is closed