Merge Function for the Authorization Data of PFCG Roles
After you have change the role menu, use the merge function to automatically adjust the authorization default values contained in a role. The field values maintained in transaction SU24 for the authorization objects assigned the check indicator Check/Maintain are used as the source of the default values.
The subject of the merge process is the authorization default values defined in transaction SU24, which have the maintenance status Standard and which are therefore called standard authorizations. All authorizations with other maintenance statuses (Maintained, Changed, Manual) do not change during the merge (there is a single exception: see Removing Transactions, point 2).
During the merge process, the Profile Generator collectors all authorization default values for the transactions in the role menu and checks which must be included in the authorization list. The result depends on the menu changes made previously and on the authorizations that already exist.
The functions for updating the authorizations using menu changes are presented in the following.
When you include transactions in the role menu, this has the following effect on the authorizations.
- If the authorization default values contain objects that were previously did not exist or only had authorizations in the status Changed or Manual, the program adds new standard authorizations for these objects.
- If there were already authorizations in the status Maintained (active or inactive) or Inactive Standard before the merge, the program compares the values and the maintenance status of all authorization fields to determine whether new standard authorizations must be extended. A new standard authorization is not included if the authorization fields contain identical authorizations in the status Standard in both authorizations, and the fields maintained in the old authorizations are empty in the new standard authorization.
- If both criteria are fulfilled, the default values from the old and new authorization most probably come from the same transaction. It is therefore not necessary to insert a new standard authorization, because the data already exists.Tip
In the first example of any authorization object with three fields, the new standard authorization is not added, since both criteria are fulfilled.
Example 1: Authorization status before and after the merge
| Field | Field Values and Status of the Old Authorization Object with Status Maintained | Field Values and Status of the New Authorization Object with Status Standard |
|---|---|---|
|
Field 1 |
A, B, Status: Standard |
A, B, Status: Standard |
|
Field 2 |
C, D, Status: Standard |
C, D, Status: Standard |
|
Field 3 |
1, 2, 3, Status: Maintained |
(empty), Status: Standard |
In contrast, in the second example, the new standard authorization is transferred, although all fields contain identical fields. The second criterion is not fulfilled due to the different maintenance status in field 3 and therefore the origin of the two authorizations is different.
Example 2: Authorization status before and after the merge
| Field | Field Values and Status of the Old Authorization Object with Status Maintained | Field Values and Status of the New Authorization Object with Status Standard |
|---|---|---|
|
Field 1 |
A, B, Status: Standard |
A, B, Status: Standard |
|
Field 2 |
C, D, Status: Standard |
C, D, Status: Standard |
|
Field 3 |
1, 2, 3, Status: Maintained |
1, 2, 3, Status: Standard |
The maintenance status of individual fields is not explicitly shown in the authorization list. Only the status of the entire authorization is displayed. However, fields with maintained or changed content have a darker background color as fields in status Standard (see also the Legend function).
When you remove transactions from the role menu, this has the following effect on the authorizations.
- A standard authorization for which the associated transaction was removed from the role menu is removed during the merge, unless at least one other transaction that remains in the menu uses the same authorization default value. This applies both for active and inactive standard authorizations.
- Authorizations with the status Maintained are only deleted if the last transaction with default values for the corresponding object has first been removed from the role menu.
- Authorizations in the statuses Changed and Manual are not affected by the merge. They are therefore always retained.
It is not necessary to include a separate standard authorization in the authorization list for each transaction contained in the menu, since a range of transactions have identical or at least very similar authorization default values. It is therefore useful only to take into account the authorizations that are actually required, to avoid the storage of unnecessary data in the role, and the profile to be generated from it.
The profile generator contains a compression function for this reasons that combines authorizations in accordance with the following rules:
- Authorizations must match both in their active status (Active or Inactive) and in their maintenance status (Standard, Maintained, Changed, or Manual).
Exception:
Changed authorizations can be combined with manual authorizations if the active status is identical.
- Two authorizations that fulfill the prerequisites in the above point are combined, if
- An authorization relating to all fields in the other is contained (This also includes the identity as a special case.)
- The values of both authorizations differ in exactly one field, but are identical in all others
Exception:
Authorizations that contain empty fields are not combined with others, unless the contents of all fields are completely identical.