SAP role admins tips: Leverage OK-code commands
Have you ever wondered why clicking on a role assignment in SU01 opens PFCG, albeit in a new session?But why you cannot do the same in PFCG to navigate to a user? Or maybe you would like to navigate from PFCG to SU24 to correct a proposal and then go back to the role without having to deal with multiple sessions. In this article I’ll show you how you can do all that with ease!
Leveraging OK-code commands
When you click on any visible icon in PFCG, the program uses so-called OK-code commands to instruct the program what you clicked and what ABAP statement to follow next. For example, creating a role calls a different function module than deleting a role. Some of these commands are also implemented as CALL TRANSACTION or SUBMIT .. AND RETURN statements, which have the advantage that the option to go back to the previous screen or application is retained. We can leverage that, if the call target is SU01, SU24 or something similar.
The trick is, that these OK-code commands are sent from the user to the server via the normal transaction start command window. There the commands are usually mapped to the names of the transactions you might want to navigate to and back from.
So if you are in PFCG and want to quickly return to SU01, you do not need to go back to the SESSION_MANAGER or start a new session. Instead, you can simply enter the command SU01 and hit Enter. PFCG will take you to SU01 (if authorized) and from there, you can quickly return to PFCG by using the green “Back” button. You will land directly back in PFCG where you left off instead of having to start over again.
The same applies to SU01 – by entering the OK-code command PFCG you will be brought into the Profile Generator and when clicking “Back” you will be brought back to SU01 again, exactly where you left off.
Other transactions compatible with this “back and forth” principal include SU24 (authorization proposals), SU25 (upgrade tools) and SUIM (user information system). All three of these can also be navigated to (and back from) directly using OK-code commands, without losing the context of the transaction you departed from.
Additionally, there are some other useful and lesser-known commands for features which are hidden in the menus.
More Tips & Tricks
The OK-code command SCUA will run a text comparison from PFCG or from SU01.
WHEN ‘SCUA’. “Send ‘Textcompare’ to CUA master system
CALL FUNCTION ‘SUSR_ZBV_GET_REMOTE_PROFILES’.
The OK-code command ROLE_CMP compares the menus of the current role in PFCG to a defined local or remote role in the system landscape.
CALL TRANSACTION ‘ROLE_CMP’.
The OK-code command XPRI lists all attributes of the role (such as menu, documentation, etc) and additionally also all the authorization data in a format which can either be printed or downloaded as a file to the workstation.
SUBMIT suprn_print_complete_agr WITH agr_name = agr_name_neu
Once you got used to some of the above tips and tricks, you can safe a lot of time back and forth between transactions you use every day.
- SAP Security Hardening – Implement Security by Design and Zero Trust - 12. July 2022
- SAP Security Orchestration with Xiting’s Security Solutions - 21. October 2021
- CMMC Compliance in SAP - 24. August 2021