Transporting and Distributing
Roles
Use
In role administration, you have the following options for transporting roles:
● You can download the roles from one system and upload them into another
● You can import the role from a remote system using RFC
● You can transport the roles with the transport function.
Role upload loads all role data, including authorization data from a file into the SAP system. The user assignments for the role and the generated profiles for the role are exceptions in this case.
Transporting Roles with the Role Transport Function
...
1. Start the role administration function by choosing Tools ® Administration ® User Maintenance ® Role Administration ® Roles (transaction PFCG).
2. Enter the role to be transported and choose Transport Role.
The Mass Transport of Roles screen appears. You can control the default settings for the options Also transport single roles for composite roles and Also transport generated profiles for roles using Customizing switches (see Role Administration Functions in the section Functions of the Utilities Menu).
You should not change the authorizations profiles of the role after you have included the role in a transport request. If you need to change the profiles or generate them for the first time, transport the entire role again afterwards.
3. In the following dialog box, specify whether the user assignment and the personalization data should also be transported.
If the user assignments are also transported, they will replace the entire user assignment of roles in the target system. To lock a system so that user assignments of roles cannot be imported, enter it in the Customizing table PRGN_CUST using transaction SM30. Add the line USER_REL_IMPORT and the value NO.
If you are using Central User Administration (CUA) with global role assignment, you should not transport the user assignments of a role together with the role. In this case, you can only create user assignments in the central system. You can then send these to the system group that you have defined, if appropriate. If you nevertheless import user assignments for roles into the child systems of the CUA in these circumstances, the central system is not informed about the changes to the user master records. This means that data for the users in the child systems that you have changed in this way is overwritten with the data from the central system during the next distribution. Therefore, the user assignments created locally in the child systems with the role import are deleted.
4. Enter a transport request.
The role is entered in a Customizing request. Use Transaction SE10 to display this.
The authorization profiles are transported along with the roles, unless the profile parameter transport/systemtype is set in this SAP system to value SAP. In this case, only the profiles whose roles are assigned to customer-relevant delivery classes are transported.
You can also use a Customizing entry to prevent authorization profiles from being transported with the roles. In the transport source system, add the entry PROFILE_TRANSPORT with the value NO in table PRGN_CUST. In this case, you must use transaction SUPC (mass generation) or transaction PFCG (generation of profiles for individual roles) to generate the profiles in the target system after the transport.
5. Perform a user master comparison in the target system.
You can create perform a user master comparison in the following ways:
○ To perform the comparison in the background, schedule the report PFCG_TIME_DEPENDENCY periodically in the background.
○ To perform the comparison immediately, start report PFCG_TIME_DEPENDENCY.
○ To perform the comparison immediately, in transaction PFCG, choose Utilities ® Mass Comparison and enter the affected roles in the Role field on the User Master Comparison screen. Then choose Perform User Master Comparison.
Distributing Roles
In role administration, you can distribute roles on the Menu tab page, as long as the target system has a release status of at least SAP Basis 4.6A.