SUIM Comparison and Interpretation

In this blog post, you will learn how to interpret the SUIM role comparison so that you can analyze differences between roles and apply the fix.

Problem Statement:

A comparison of a role between Development and Production indicates no difference, although the roles do differ.

Issue Identification:

During regular SAP support work, one may face challenges with the role comparison.

The role comparison helps you understand any difference between the PROD and DEV environments before we start with any role changes. This prevents an unintentional role overwrite when multiple security team members are working on the same role.

During such a check, we observed that a role was recently imported to PROD but its profile was not generated.

The transport log suggests that one custom object is not present in PROD.

Transport Log

Further Investigation:

As the transport log indicates the object is missing in PROD, the next step is to compare the role from DEV and PROD for any other issue related to the role.

However, the comparison should indicate the difference, as the custom object exists in DEV and not in PROD.

Z_XYZ is marked as “green” for DEV and PRD, but the role in PROD doesn’t contain this object. Although the role doesn’t contain the object, the comparison shows otherwise.

Role Comparison Result

Reason:

The role check doesn’t show the object because the object doesn’t exist in the system.

As the profile is the container for the authorizations, the profile check will show the object as present in it.

Although the profile is not active, it contains the authorization object with the field information, and you won’t see a difference during role comparison.

Screenshot of PROD system Profile

It’s crucial to always verify in depth the role that needs to be adjusted for such issues, to avoid any unintentional access issues in the PROD system.
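The in-depth verification described above can be scripted as a pre-change check. The following Python example is added here and is not from the original post. It assumes that the role's authorization data, the list of authorization objects defined in each system and the profile generation status have been exported per system; the export layout, field names and values are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample exports (OBJECT|FIELD|VALUE); layout and values are assumptions.
DEV = {
    "auths": "S_TCODE|TCD|ZXYZ01\nZ_XYZ|ACTVT|03\nZ_XYZ|ZFLD|A*\n",
    "objects": {"S_TCODE", "Z_XYZ"},   # authorization objects defined in the system
    "profile_generated": True,
}
PROD = {
    "auths": "S_TCODE|TCD|ZXYZ01\nZ_XYZ|ACTVT|03\nZ_XYZ|ZFLD|A*\n",
    "objects": {"S_TCODE"},            # Z_XYZ does not exist in PROD
    "profile_generated": False,        # profile was not generated after import
}

def parse_auths(text):
    """Return {object: {(field, value), ...}} from pipe-delimited export lines."""
    auths = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        obj, field, value = (part.strip() for part in line.split("|"))
        auths[obj].add((field, value))
    return dict(auths)

def profile_diff(dev, prod):
    """Objects whose field values differ when only the profile data is compared."""
    a, b = parse_auths(dev["auths"]), parse_auths(prod["auths"])
    return {o for o in a.keys() | b.keys() if a.get(o) != b.get(o)}

def verify(name, system):
    """Checks that a comparison of profile data alone cannot make."""
    findings = []
    for obj in sorted(parse_auths(system["auths"]).keys() - system["objects"]):
        findings.append(f"{name}: {obj} is in the profile data but not defined in the system")
    if not system["profile_generated"]:
        findings.append(f"{name}: profile is not generated")
    return findings

if __name__ == "__main__":
    print("profile-level differences:", profile_diff(DEV, PROD) or "none")
    for name, system in (("DEV", DEV), ("PROD", PROD)):
        for finding in verify(name, system):
            print(finding)
```

With the sample data, the profile-level comparison reports no difference, while the per-system checks flag Z_XYZ and the ungenerated profile in PROD.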

I hope this has provided more insight into the SUIM role comparison and how to utilize it for day-to-day role changes.