Changing SU24 values for transactions

Question: We have roles built but everytime we add or remove transaction code alot of yellow lights appear.

Do we:
a: add manually in menu and S_tcode with relavant objects in edit old status (this option we have decided is not viable)

b: maintain the SU24 values for the transactions.

c: make them inactive but not delete them

we are half way through a staggered go live. We have gone live with 4 countries and will be going live with another in the next 3 years.
Adding a single transaction to a live role from an su53 is a mission..it should not be like this.
Thank you
Version 4.6B

Answer:
Maintaining SU24 with is the only viable long term solution. If an object is duplicated and requires population you can inactivate it, however if you maintain SU24 for all transactions you are using you will reduce this.

What do you mean by

"Adding a single transaction to a live role from an su53 is a mission..it should not be like this."

Any transactions should be pre apporved by the business and role owners before being inserted. Where transactions are missing they should go through a thorough review process before you having to add them to the roles. Adding transactions "here and there" will only cause you problems in the future.

Answer:
Working as you have configured. SU24 should be configured so that adding a tcode to a role ONLY brings in yellow lights associated to the NEW tcode. MANY times Security does not take the time to correct the SU24 entries to prevent Yellow lights from reoccuring when they do not have to. The MAIN cause is the ACTIVITY field being BLANK. The code in PFCG tries to prevent giving away unintended access. If the activity field is empty in SU24 SAP will ALWAYS bring in a new authorization (yellow lights) when you MERGE-OLD-NEW or add a tcode. You must update SU24 wil the missing values. Other causes is a field, like company code specified, in SU24 for some tcode and not others.

No comments:

topics