The Risks and Rewards of Using PFCGMASSCOLLASSIGN in SAP Security; Mass Composite Role Updates


This post isn’t about explaining how to use PFCGMASSCOLLASSIGN—you can easily figure that out. Instead, it’s focused on highlighting the critical importance of such mass maintenance T-codes and the potential risks and issues that can arise when using them.

The PFCGMASSCOLLASSIGN t-code is incredibly useful for handling mass updates to composite roles. However, it also comes with significant risks, making it advisable for use only by experienced professionals. In this post, I’ll cover both how to use it effectively and the key precautions to keep in mind.

PFCGMASSCOLLASSIGN

This tcode is used to add one or more single roles to, or delete them from, one or more composite roles.

It’s as straightforward as it sounds: enter the composite roles you want to edit, specify the single roles you wish to add or delete, and then choose the appropriate action (Add/Delete).

Here I am adding the ZSINGLE2 role to ZCOMPOSITE1 through ZCOMPOSITE4 (which already have the ZSINGLE1 role).

I probably don’t need to explain this, but I’ll still provide a brief one-line description of each execution mode:

Simulation: makes no changes and reports which changes would be performed.

Direct Execution: makes the changes directly.

Execute with Prior Simulation (recommended): simulates the changes first, after which we can execute them.

When executed with the last option, the following screen appears:

The system indicates the changes to be made using “+” and “-” signs. In this case, it shows the addition of new single roles to the composite roles. You can exclude roles from the list if needed, and upon clicking Execute, the changes will be applied as simulated. Whether you choose Direct Execution or Execute with Prior Simulation, you will be prompted to transport the updated roles once the execution is complete.

Now, what could go wrong?

The potential risk is human error. For instance, consider a newbie in SAP security experimenting with sensitive T-codes in the development system.

If Add is executed without filling in any single or composite role, it will add all single roles to all composite roles (including SAP standard single/composite roles). When I executed it in an actual development system, it was making almost 800k updates (Simulation mode 😁).

If Delete is executed without filling in any single or composite role, it will delete all single roles from all composite roles.

So, if it is ever executed in the dev system, we will eventually end up having all of this transported to the Prod system.
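One way to catch such a run before the roles are transported, as an added example that is not part of the original post: diff a before/after snapshot of composite-to-single assignments against the scope of the change request. It assumes the snapshots are semicolon-separated exports of table AGR_AGRS; the function names and the SAP_DEMO_* role names are constructed for illustration.

```python
import csv
import io
from itertools import product

# Constructed sample: composite;single pairs as exported from table AGR_AGRS
# (AGR_NAME = composite role, CHILD_AGR = single role). SAP_DEMO_* is made up.
BEFORE_CSV = """AGR_NAME;CHILD_AGR
ZCOMPOSITE1;ZSINGLE1
ZCOMPOSITE2;ZSINGLE1
ZCOMPOSITE3;ZSINGLE1
ZCOMPOSITE4;ZSINGLE1
SAP_DEMO_COMPOSITE;SAP_DEMO_SINGLE
"""

def load_pairs(text):
    """Parse a semicolon-separated export into a set of (composite, single)."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return {(r["AGR_NAME"].strip(), r["CHILD_AGR"].strip()) for r in reader}

def review_change(before, after, composites, singles):
    """Diff two snapshots and flag every change outside the intended scope."""
    added, removed = after - before, before - after
    findings = []
    if not composites or not singles:
        findings.append("no intended scope given: an empty selection means ALL roles")
    for sign, pairs in (("+", added), ("-", removed)):
        for comp, single in sorted(pairs):
            if comp in composites and single in singles:
                continue  # matches the change request
            std = "" if comp.startswith(("Z", "Y")) else " [non-customer namespace]"
            findings.append(f"{sign} {comp} <- {single}: out of scope{std}")
    return added, removed, findings

BEFORE = load_pairs(BEFORE_CSV)
SCOPE_COMPOSITES = {f"ZCOMPOSITE{i}" for i in range(1, 5)}
SCOPE_SINGLES = {"ZSINGLE2"}

# Intended run: ZSINGLE2 added to ZCOMPOSITE1..ZCOMPOSITE4 only.
GOOD_AFTER = BEFORE | set(product(SCOPE_COMPOSITES, SCOPE_SINGLES))
# Accidental Add with empty selection: every single role in every composite.
ALL_SINGLES = {s for _, s in BEFORE} | SCOPE_SINGLES
BAD_AFTER = set(product({c for c, _ in BEFORE}, ALL_SINGLES))

if __name__ == "__main__":
    for name, after in (("intended", GOOD_AFTER), ("accidental", BAD_AFTER)):
        added, removed, findings = review_change(
            BEFORE, after, SCOPE_COMPOSITES, SCOPE_SINGLES)
        print(f"{name}: +{len(added)} -{len(removed)}", *findings, sep="\n  ")
```

An empty findings list means the change set matches the request exactly; any finding is a reason to hold the transport.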

That’s it. Let me know in the comments if you have any questions.

Bonus tip: We all love to maintain change definitions in the role text. You can edit it, mentioning the change and requester details, by clicking on Supplement Long Text in the tcode window.

 
