How to transport roles from Production to Development or Sandbox?

Go to PFCG and enter the role you want to transfer to the other system. Go to Utilities -> Mass download. It asks for the path where the role should be downloaded/saved on the local desktop; give the location and save it.

Next, log on to the system where you want that particular role. Go to PFCG -> Role -> Upload.
Give the path where the role is saved. The system accepts it and generates the role successfully.

Questions – Security

How to check the missing authorisation for a user who does not have the “SU53” option?

You can use the trace function, ST01: trace the user's activity, and from the log you can see which authorization is missing.

Start an authorization trace using the ST01 transaction and carry out the transaction with a user who has full authorizations. On the basis of the trace, you can see which authorizations were checked.

What is the difference between a role and a profile?

Role and profile go hand in hand. A profile is brought in by a role. A role is used as a template, where you can add T-codes, reports and so on. The profile is what gives the user authorization. When you generate a role, a profile is automatically created.

What is the use of role templates?

User role templates are predefined activity groups in SAP consisting of transactions, reports and web addresses.

What is the difference between single role & composite role?

A role is a container that collects the transactions and generates the associated profile. A composite role is a container which can collect several different roles.

Is it possible to change a role template? How?

Yes, we can change a user role template. There are exactly three ways in which we can work with user role templates:

  1. We can use them as they are delivered in SAP.
  2. We can modify them as per our needs through PFCG.
  3. We can create them from scratch.

For all of the above we have to use the PFCG transaction to maintain them.

Please explain the personalization tab within a role.

Personalization is a way to save information that could be common to users, I mean to a user role. E.g. you can create SAP queries and manage authorizations by user groups. This information can then be stored in the personalization tab of the role. (I suppose that it is a way for SAP to address the ambiguity of its concept of user group and roles: is “usergroup” a grouping of people sharing the same access, or is it the role that is the grouping of people sharing the same access?)

How to insert missing authorization? Ways?

SU53 is the best transaction for finding missing authorizations, and we can insert those missing authorizations through PFCG.

Someone has deleted users in our system, and I am eager to find out who. Is there a table where this is logged?

Debug or use RSUSR100 to find the info.

Run transaction SUIM and go to its Change documents.

How can I do a mass delete of the roles without deleting the new roles?

There is an SAP-delivered report that you can copy, remove the system type check from, and run. To delete across a landscape, enter the roles to be deleted in a transport, run the delete program or delete manually, then release the transport and import it into all clients and systems.

It is called: AGR_DELETE_ALL_ACTIVITY_GROUPS.

To use it, you need to tweak/debug and replace the code, as it has a check that ensures it is deleting SAP-delivered roles only. Once you get past that little bit, it works well.

How to compare roles that were created or defined in two different systems?

For role comparison, both roles must be in the same system and in the same client.

Transaction code SUIM -> Comparison-> Roles

If the roles are in different systems, transport the role into one of the systems and do the comparison. If no transport connection is defined, you can use the upload and download option in PFCG.

Steps for Role Comparing:

1. Run the t-code SUIM

2. Go To Comparison and select the option of roles

3. Click on the Across systems option. Under Remote Comparison it lets you select the system name; enter the SYS ID of the system you want to compare against, put the role name in the compare role section, and execute. It will give you the result.

4. If there is any difference between the t-codes, it will be shown in red; otherwise in yellow.
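An offline version of the comparison described above, as an added example that is not part of the original page: it diffs one role between two systems from CSV exports of table AGR_1251 (role authorization values), so it goes beyond the t-code comparison to every authorization field. The CSV layout, the role name Z_FI_CLERK and all sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample exports of AGR_1251, one per system (not real data).
DEV_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_FI_CLERK,S_TCODE,TCD,FB03,,
Z_FI_CLERK,S_TCODE,TCD,FB01,,
Z_FI_CLERK,F_BKPF_BUK,ACTVT,03,,
Z_FI_CLERK,F_BKPF_BUK,BUKRS,1000,,
"""
PRD_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_FI_CLERK,S_TCODE,TCD,FB03,,
Z_FI_CLERK,S_TCODE,TCD,SU01,,
Z_FI_CLERK,F_BKPF_BUK,ACTVT,03,,
Z_FI_CLERK,F_BKPF_BUK,ACTVT,02,,X
Z_FI_CLERK,F_BKPF_BUK,BUKRS,*,,
"""

def load_role(export_text, role):
    """Return {(object, field): {(low, high), ...}} for one role, skipping deleted rows."""
    auths = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["AGR_NAME"] != role or row["DELETED"].strip():
            continue
        auths[(row["OBJECT"], row["FIELD"])].add((row["LOW"], row["HIGH"]))
    return auths

def compare_role(left_text, right_text, role):
    """Return (object, field, only_in_left, only_in_right) for each field that differs."""
    left, right = load_role(left_text, role), load_role(right_text, role)
    diffs = []
    for key in sorted(set(left) | set(right)):
        only_left = sorted(left.get(key, set()) - right.get(key, set()))
        only_right = sorted(right.get(key, set()) - left.get(key, set()))
        if only_left or only_right:
            diffs.append((key[0], key[1], only_left, only_right))
    return diffs

def tcode_diff(left_text, right_text, role):
    """Transaction codes (S_TCODE / TCD values) present on one side only."""
    for obj, field, only_left, only_right in compare_role(left_text, right_text, role):
        if (obj, field) == ("S_TCODE", "TCD"):
            return [low for low, _ in only_left], [low for low, _ in only_right]
    return [], []

if __name__ == "__main__":
    for obj, field, dev_only, prd_only in compare_role(DEV_EXPORT, PRD_EXPORT, "Z_FI_CLERK"):
        print(f"{obj}/{field}: DEV only {dev_only}  PRD only {prd_only}")
```

In the sample data the two systems differ in one transaction code and in the company-code value, while the row flagged as deleted is ignored.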

What is the procedure for creating a new user that has all the features defined under the SAP* user and that would allow me to make the configurations?

Creating new user with superuser authorizations.

1. Go to SU01.
username : sapuser
Choose Create.

2. In the default settings, give
title : Mr
first name : sap
last name : user

3. Go to the next tab and give
initial password : 1234
repeat password : 1234

4. Go to Profiles and enter
SAP_ALL (press Enter)
SAP_NEW (press Enter)
Then save.
Check the message in the status bar (user created successfully).

5. Log in with the new user and change the password. This user now has all superuser authorizations.
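A check for the accounts this procedure produces, as an added example that is not part of the original page: it lists every user holding SAP_ALL or SAP_NEW from CSV exports of tables UST04 (profile assignments) and USR02 (logon data), and marks the ones that can be used interactively. The CSV layout and all sample rows are constructed assumptions; SAPUSER mirrors the user created in the steps above.

```python
import csv
import io

WIDE_PROFILES = {"SAP_ALL", "SAP_NEW"}
# USR02-UFLAG is a bit field: 32 and 64 are administrator locks, 128 a failed-logon lock.
LOCK_BITS = {32: "admin lock (central)", 64: "admin lock", 128: "failed-logon lock"}
USER_TYPES = {"A": "dialog", "B": "system", "C": "communication", "S": "service", "L": "reference"}

# Constructed sample exports (not real data).
UST04 = """MANDT,BNAME,PROFILE
100,SAPUSER,SAP_ALL
100,SAPUSER,SAP_NEW
100,BATCH_FI,SAP_ALL
100,JSMITH,T-FI000123
100,OLDADMIN,SAP_ALL
"""
USR02 = """MANDT,BNAME,USTYP,UFLAG,TRDAT
100,SAPUSER,A,0,20240301
100,BATCH_FI,B,0,20240302
100,JSMITH,A,0,20240302
100,OLDADMIN,A,64,20190110
"""

def locks(uflag):
    return [name for bit, name in LOCK_BITS.items() if uflag & bit]

def audit(ust04_text, usr02_text):
    """Return one finding per (client, user) that holds a wide profile."""
    users = {(r["MANDT"], r["BNAME"]): r
             for r in csv.DictReader(io.StringIO(usr02_text))}
    held = {}
    for r in csv.DictReader(io.StringIO(ust04_text)):
        if r["PROFILE"].upper() in WIDE_PROFILES:
            held.setdefault((r["MANDT"], r["BNAME"]), set()).add(r["PROFILE"].upper())
    findings = []
    for (client, name), profiles in sorted(held.items()):
        rec = users.get((client, name))  # None if the assignment has no USR02 row
        utype = USER_TYPES.get(rec["USTYP"], "unknown") if rec else "no USR02 row"
        active_locks = locks(int(rec["UFLAG"])) if rec else []
        findings.append({
            "client": client, "user": name, "profiles": sorted(profiles),
            "type": utype, "locks": active_locks, "last_logon": rec["TRDAT"] if rec else "",
            # True when a person can log on with this account as it stands.
            "interactive": bool(rec) and utype in ("dialog", "service") and not active_locks,
        })
    return findings

if __name__ == "__main__":
    for finding in audit(UST04, USR02):
        print(finding)
```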

The administrator user cannot be used to log on to the J2EE Engine because it has been locked. How will you correct the situation?

To correct this situation, I had to use an emergency user account.
The SAP* user account has full administrator authorizations, but this account doesn’t have a default password. It must be specified when the account is activated. Once SAP* is activated, no other user can log in to the system.
Check properties on Config Tool (Edit UME):
– ume.superadmin.activated (set ‘true’);
– ume.superadmin.password (specify a password).
Restart the Application Server.

You have all users locked on the ABAP system. How will you deal with this situation?

Make sure your login/no_automatic_user_sapstar profile value is set to 1.

Log on to the host system and connect to the database.
Use the following query:
– delete sid.USR02 where BNAME='SAP*' and MANDT='xxx';

Now the SAP* user is generated again with the default password “pass”.

How would you copy all users from DEV to PRD?

Execute transaction SCC8 and select the profile SAP_USER. Then specify the target system and schedule a background job. This will export all users from the source system in the form of a request.

Now log in to the destination system and enter tcode SCC6. Specify the request number generated while exporting and click on “prepare import”.

You can check logs in SCC3 transaction.