Xiting SAP Security Blog

SAP role admins tips: Leverage OK-code commands

by

Have you ever wondered why clicking on a role assignment in SU01 opens PFCG, albeit in a new session?But why you cannot do the same in PFCG to navigate to a user? Or maybe you would like to navigate from PFCG to SU24 to correct a proposal and then go back to the role without having to deal with multiple sessions. In this article I’ll show you how you can do all that with ease!

Leveraging OK-code commands

When you click on any visible icon in PFCG, the program uses so-called OK-code commands to instruct the program what you clicked and what ABAP statement to follow next. For example, creating a role calls a different function module than deleting a role. Some of these commands are also implemented as CALL TRANSACTION or SUBMIT .. AND RETURN statements, which have the advantage that the option to go back to the previous screen or application is retained. We can leverage that, if the call target is SU01, SU24 or something similar.

The trick is, that these OK-code commands are sent from the user to the server via the normal transaction start command window. There the commands are usually mapped to the names of the transactions you might want to navigate to and back from.

Leveraging OK-code commands

So if you are in PFCG and want to quickly return to SU01, you do not need to go back to the SESSION_MANAGER or start a new session. Instead, you can simply enter the command SU01 and hit Enter. PFCG will take you to SU01 (if authorized) and from there, you can quickly return to PFCG by using the green “Back” button. You will land directly back in PFCG where you left off instead of having to start over again.

The same applies to SU01 – by entering the OK-code command PFCG you will be brought into the Profile Generator and when clicking “Back” you will be brought back to SU01 again, exactly where you left off.

More Transactions

Other transactions compatible with this “back and forth” principal include SU24 (authorization proposals), SU25 (upgrade tools) and SUIM (user information system). All three of these can also be navigated to (and back from) directly using OK-code commands, without losing the context of the transaction you departed from.

More Transactions

Additionally, there are some other useful and lesser-known commands for features which are hidden in the menus.

More Tips & Tricks

The OK-code command SCUA will run a text comparison from PFCG or from SU01.

WHEN ‘SCUA’. “Send ‘Textcompare’ to CUA master system

CALL FUNCTION ‘SUSR_ZBV_GET_REMOTE_PROFILES’.

The OK-code command ROLE_CMP compares the menus of the current role in PFCG to a defined local or remote role in the system landscape.

WHEN ‘ROLE_CMP’.
CALL TRANSACTION ‘ROLE_CMP’.

The OK-code command XPRI lists all attributes of the role (such as menu, documentation, etc) and additionally also all the authorization data in a format which can either be printed or downloaded as a file to the workstation.

WHEN ‘XPRI’.
SUBMIT suprn_print_complete_agr WITH agr_name = agr_name_neu
AND RETURN.

 

More Tips & Tricks

Once you got used to some of the above tips and tricks, you can safe a lot of time back and forth between transactions you use every day.

Alessandro Banzer

Alessandro has worked in the field of IT since 2004, specializing in SAP in 2009 and working on global SAP projects in various roles since that date. Alessandro is an active contributor and moderator in the Governance, Risk and Compliance space on SAP SCN. Alessandro is in charge of Xiting's operations in the United States and a subject matter expert in SAP Access Control and SAP Security.

Latest posts by Alessandro Banzer (see all)